Centre for Internet and Society

Essays on 'Offline' - Selected Abstracts

sneha-pp — 2018-09-06T14:14:47Z

In response to a recent call for essays that explore various dimensions of offline lives, we received 22 abstracts. Out of these, we have selected 10 pieces to be published as part of a series titled 'Offline' on the upcoming r@w blog. Please find below the details of the selected abstracts.

1. Chinar Mehta

2. Cole Flor

3. Elishia Vaz

4. Karandeep Mehra

5. Preeti Mudliar

6. Rianka Roy

7. Simiran Lalvani

8. Srikanth Lakshmanan

9. Titiksha Vashist

10. Dr. Yenn Lee

Chinar Mehta

In September 2017, a student of Banaras Hindu University was allegedly sexually harassed by two persons on a motorcycle while she was walking back to her hostel. Taking the discourse around this event as the starting point, the essay argues that the solutions offered for the safety of women align with the patriarchal notions of surveillance of women. The victim is twice violated; once during the act of sexual harassment, and twice when bodily privacy is exchanged for safety (exemplified by security cameras across the BHU campus). In fact, the ubiquitous presence of security cameras in order to control crime rates makes the safety of the woman’s body contingent to her adherence to social rules.

The moral panic around the safety of women encourages ways to offer a technological solution to a sociological problem. The body is granted safety insofar as the body is not ‘deviant’. There is a fusion of a ‘synoptic-panoptic’ vision, where not only a few watch the many, but the many also watch the few. Additionally, the essay then engages with the politics of mobile applications like Harassmap or Safetipin, and how offline spaces become online entities with crowdsourced data about how safe it is. Mapping events like sexual harassment on an online map is inscribed with perceptions about class and caste. The caste-patriarchal ideas of the protection of upper-caste women is maintained within these applications. The location and the people who visit or reside in them often collapse as the same; as being perpetrators of sexual crimes, while decontextualising incidents. Instead of a focus on how to make areas safer for all women, the discourse becomes about the avoidance of certain spaces, which may not be an option for the majority of women, especially those belonging to certain castes and classes. Features in mobile applications, specifically to do with location mapping, like Google Maps or Uber, become vehicles for the narratives about gendered security.

In defining the ‘offline’, the ‘online’ already exists, and the dichotomy is strangely maintained by the use of interactive maps on personal devices. The essay argues for a more nuanced understanding of internalised constructions of safety, and proposes the idea that institutional surveillance has been a way to discipline gendered bodies historically, and that it is continued with the use of technologies. This may be due to state machinery, or even cultural consent, which would then show up the way that features of mobile applications are marketed.

Cole Flor

Deactivating: An Escape From the Realities of the Online World

A friend posts travels, unboxing the latest gadget, trying out makeup products even before theyÕre out in the market, and the audience hit ÔlikeÕ but deep inside suddenly feel inadequate about their own lives and ask, "What am I doing wrong? Why am I not happy like them?"

The year was 2012 when the earliest of studies on how Social Media contributes to Anxiety went viral.

Even with the complicated nature of mental illnesses the taboo of it all that kept people tiptoeing around the topic - the news was able to crack the glossy facade of online spaces. Back then, it was ridiculous to think that online content the very representation of freedom of expression, information-sharing, open communities caused users some level of distress that affects their mental state. However, with every story that comes out these days of or relating to mental illnesses and social media, people are no longer in denial that being online has become the worldÕs default state. With that primary connection comes a full spectrum of emotions and perspectives that shifted how society views the self, their community, and their roles in being a ÔnetizenÕ. The blurring of lines of whatÕs considered appropriate content, the multiple performances of everyday life, and the imagery that constitutes "happiness", "satisfaction", "significance", "purpose", and "validation" can be described as overwhelming, disconcerting, and stressful to an extent. For borderline Millennials like myself the generation Digital Natives being offline is now an escape from the harsh realities of the online society.

These studies shed light on new narratives that recognized how curating the perfect and seamless life online not only affects the users viewing the content but even the content producers themselves, cracking under pressure and giving into the expectation of "Keeping the Image Alive", whatever it takes. Online life gave "peer pressure" a new meaning.

But users can only deal with so much pressure without sacrificing a part of themselves. During the emergence of social media in early 2000s, users felt the need to go online to escape their personal problems and live in another world where everything seemed easy and possible; where anonymity was powerful and so was virtually traveling in a borderless space where a link opens doors for personal, professional, political, and socio-economic transformation. A quick turn of events, users now wish to escape from the clamor of Twitter threads, Instagram stories, Snaps, and political rants and fake news on Facebook. More and more users deactivate and hibernate, get on board a "social media detox" to rid of the "poison" online content and their [e]nvironments has caused them, all in search for a new something to be called "real".

This narrative essay explores several dimensions why users choose to deactivate, and how that very choice is more of a symptom of a societal anomaly rather than a simple "break" from the chaotic world of social media. It is written in the perspective of a Digital Native - a person who has an inextricable affinity to digital devices but at the same time, is in touch with the analog way of life. The choice of going offline is not only to focus on what used to be real (a life away from the Internet), but it is to gather wits together, stay away from perfectly curated lives to keep sane, and ultimately, to chase life's curiosities and ambitions without having the need to validate achievements with a Like.

Elishia Vaz

Dynamics of the ‘offline’ self-diagnosis, exploration of the corporeal and the politics of information

The corpus of information on health and related topics in the online sphere has caused much concern in relation to self-diagnosis. Concepts like cyberchondria have emerged with the medicalisation of behaviour that uses online health information to explore the corporeal disabilities of the body. While literature has largely concentrated on individual susceptibilities to Cyberchondria and corresponding negative and positive results of the behaviour, there is little that explores the politics of information that characterises this trope. The behaviours of self-diagnosis and exploration of the corporeal often challenge the symptomatology of the offline allopathic physician. The physician often deals with an informed patient. Yet, the questions remain. If online information drives such offline corporeal exploration, who is left out? Are behaviours analogous to cyberchondria a privilege when viewed from a lens of digital marginalization? Are only those who have access to and can make sense of the online health discourse afforded simultaneous access to their offline corporeal bodies in ways that the digitally marginalized are not? This article uses semi-structured qualitative in-depth interviews with doctors to explore the dynamics of exploring the offline corporeal in the presence of online health information.

Karandeep Mehra

The Shadow that Social Media Casts: The Doubled Offlines of Online Sociality

In William Gibson’s cyberpunk novel Neuromancer, the protagonist ‘Case’ ‘jacks in’ and ‘jacks out’ of ‘cyberspace’. Yet when ostracized from cyberspace, when there is no more a possibility of jacking in, Case suffers a withdrawal from the ‘SimStim’ – simulated stimulations of cyberspace – and he crumbles in the hollow ache of this isolation “as the dreams came on in the Japanese night like livewire voodoo, and he'd cry for it, cry in his sleep, and wake alone in the dark, curled in his capsule in some coffin hotel, hands clawed into the bedslab, temper foam bunched between his fingers, trying to reach the console that wasn't there.”

Neuromancer has already been deemed prophetic by critics and theorists, yet in beginning with Gibson, this paper seeks to throw into relief a problem that has now begun to receive scholarly and academic attention. Namely, the legitimacy of drawing a line between the online and offline, or the virtual and the real. With Case, the real or the offline only becomes possible within the capacity to access or enter the virtual or online. To think of an offline without this capacity, but after it has become possible, is to confront a detritus, a second offline – a hapless clawing dexterity, with dreams that overrun an articulated, identificatory imagination. Anthropologists like Boellstorff, and media theorists like Yuk Hui, have resolved this problem though they have left unexplained this detritus. Instead they resolve the problem through a tight coupling of the online and offline, and rightly so, dismiss any attempts to think of the real in any way unaffected by the virtual.

The purpose of this paper, though in agreement with the work of Hui and Boellstorff, and drawing from them, is to restage the problem to incorporate the unexplained detritus. That to understand how our conceptions of the subject must be recast to apprehend the transformations that the internet has wrought, must not resolve the opposition between offline and online. We must, instead, attend to the way the two offlines emerge, and the conceptualization of the threshold that oscillates to constitute them.

The paper understands these two offlines as emerging in what are called “shitstorms”, or moments of frenzy across social media that incite a whorl of discourse, where the speaking body becomes a medium for the propagation for viral forms. The threshold that constitutes them is the relation of the technical extension that makes this propagation possible. This relation leaves the body in a perpetual state of information entropy – that is as a disordered source of data - which must be ordered to be communicated successfully. This threshold that marks out the phase shift between disorder to order to make possible propagation, makes possible also the shadow of an incommunicable that it casts behind – an incommunicable that when understood through Walter Benjamin’s idea of “the torso of a symbol” can help us recast the subject of a network society, as a subject grounded on this shadow.

Preeti Mudliar

In WiFi Exile: The Offline Subjectivities of Online Women

In telecom policy imaginations that seek to bridge India’s digital divides, public WiFi hotspots are a particular favourite to ensure last mile Internet connectivity in rural areas. As infrastructures, WiFi networks are thought to privilege democratic notions of freedom and connectivity by rendering space salient as networked areas that only require users to have a WiFi enabled device to get online. However, the kind of spaces that WiFi networks occupy are not always accessible by women even though they are ostensibly public in nature. Social norms that restrict and confine women’s mobilities to certain sanctioned areas do not allow their Internet and digital literacies to be visible in the same way as men who are more easily recognized as active Internet and technology users.

The invisibility of women thus struggles to create a presence as desirable subjects of the Internet that WiFi infrastructures should also address. In a community where WiFi networks was hosted in public spaces, women reported hearing about WiFi and seeing men using WiFi, but had never used it themselves even though they were also active users of the Internet. With its inaccessibility, the WiFi infrastructure was a contradictory presence in the community for the women who found themselves confined to using the Internet with spotty prepaid mobile data plans. Their use and experience of the Internet was thus in many ways diminished and limited and they reported experiencing a state of offlineness in contrast to the men in their community who could frequent the WiFi hotspots and avail of high speed Internet leading to more expansive repertoires of use.

This essay proposes a reflection on how the offline can be relational and constituted by the way infrastructures compose certain user subjectivities even while they exile others from being a part of their networks. It expands on Brian Larkin’s contention that in addition to their technical affordances, infrastructures are also equally semiotic and aesthetic forms that are oriented towards creating and addressing certain subjects. It thus asks, how do public WiFi deployments unwittingly create and constitute, what Bardzell and Bardzell call, as ‘subject positions’ of WiFi Internet users and non-users? How do these subject positions inform subjectivities of felt experience of the WiFi that translate to experiencing the offline even while being online?

Rianka Roy

Information Offline: Labour, Surveillance and Activism in the Indian IT&ITES Industry

In India the public availability of the internet in the nineties coincided with the beginning of liberalisation. Online connectivity brought the aura of globalization to this country. The internet was a privilege of the few. The Information Technology sector (along with the IT-enabled service industry) had an elite status. Its employees visited, and immigrated to western countries. In fact, India still remains one the major suppliers of cheap labour in the global IT sector.

Over the years the aura of the internet waned. In Digital India the State now projects the internet as a necessity. However, IT&ITES companies still identify the labour of their ‘white collar’ employees as a superior vocation. This vague claim to sophistication strips the digitally-connected workforce of various labour rights. Long hours, working from home, and surveillance on personal social media are normative practices in this industry. I conducted a case study on Indian IT&ITES employees for my doctoral research (2013-2018). It showed that protocols of online conduct influence these employees’ offline behaviour. For example, even without digital intervention, employees engage in manual self-surveillance and peer-surveillance to complement the digital surveillance of their organisations. They defend this naturalised practice as employers’ prerogative. Offline attributes like reflective glass walls in the office interior and exterior, reinforce this organisational culture.

Online connectivity is so deeply entrenched in this industry that even dissent seeks digital representation. Activist groups like the Forum for IT Employees (FITE) and the Union for IT & ITES (UNITES) run online campaigns parallel to their offline activism—adopting a hybrid method of protest. They have not abandoned the networks that ensnare them. Paradoxically they embody the same principle of exclusivity that their employers enforce on them. In their interviews, some activists have condemned militant trade unionism prevalent in other industries. For them, their online access sets them apart, and above their industrial couterparts. The “salaried bourgeoisie” (Zizek, p.12) refuse to align themselves with other labour unions.

My paper examines the impact of the near-absence of offline parameters in this industry. On the basis of company policies and interviews of IT&ITES employees, it examines if employees can stand up to digital dominance and secure their rights without conventional modes of offline protests.

Simiran Lalvani

The Offline as a Place of Work: Examining Food Discovery and Delivery by Digital Platforms

Digital platforms for food discovery and delivery are generally viewed as convenient, efficient, allowing discovery of choices beyond the familiar and as reliable sources of information regarding credibility through ratings, comments and photographs.

The digital divide after demonetisation became more stark as those with access to the online abandoned the offline service providers for their digital counterparts. The adverse impact of this digital divide on offline, informal goods and service providers like local kirana stores, autorickshaw drivers, hawkers has been highlighted and the paradox of formalising the financial system while informalising labour has been pointed out too. In a similar vein, this essay examines continuities and changes in the practices of food discovery and delivery in the context of new digital platforms. How do practices of offline food discovery and delivery respond to the introduction of digital platforms?

Recently, the Food Safety and Standards Association of India (FSSAI) found that nearly 40 percent of listings on 10 digital platforms like Swiggy and Zomato were of unlicensed food operators. The FSSAI directed these digital platforms to delist these unlicensed entities and also commented that some of the platforms themselves did not have required licenses.

This essay therefore turns attention away from the impact of digital platforms on offline, informal food operators and towards the digital platforms themselves and the large swathes of informal labour employed in the offline by such platforms. It focuses on location-based gig work4 like delivery to highlight the role of these workers in running the online. It does so in order to avoid obfuscating the role of such workers in making the online seem formal, efficient and reliable. Finally, it asks how working for the online in the offline allows a denial of their status as employees and invisibilisation of such work and workers.

Srikanth Lakshmanan

The Cash Merchant

The paper explores the various reasons for merchants remaining offline and using cash over digital payments, both willingly and without a choice, various factors leading to it, the rationale for their choices, policy responses by the state and industry in furthering promotion of digital payments. Demonetisation not only made everyone including merchants seek alternatives to cash in order to continue the business but also provided a policy window for digital payments industry to get a faster regulatory, policy clearances, get the government to invest in incentivising digital payments. Despite these, the cash to digital shift has not taken place and the demonetisation trends in increased digital payments across modes reversed after cash was back in the system.

The paper attempts to document infrastructural, commercial, social issues preventing the adoption and the responses of merchants, industry to various policy prescription/enablement to increase adoption whose outcomes are unclear and have not been evaluated.

Infrastructural issues include technology, policy, regulatory, industry challenges in expanding the existing infrastructure. The lack of physical, regulatory, legal infrastructure prevents growth and merchants from adopting digital payments. Commercial issues include economics of direct and indirect costs to the merchant incurred in owning, accepting digital payments, commercial considerations of various ecosystem players including banks, payment processors that inhibit adoption. Social issues include awareness, literacy including digital, financial literacy, trust, behaviour shift, convenience, exercising choice towards cash.

Ever since the demonetisation, there is a heightened activity from industry and various arms of the government has been active in promoting digital payments. Industry-led by banks and fintech ecosystem has built a range of mobile-enabled digital payment platforms/products such wallets, BHIM-UPI, BHIM-Aadhaar, BharatQR to enable asset light merchant acceptance infrastructure, expanded merchant base in addition to catering to the surge in demand of card-accepting PoS machines. The government had undertaken a massive awareness program Digidhan soon after demonetisation and had also set up National Digital Payments Mission to promote, oversee the sustainable growth of digital payments. Various ministries are also adopting digital payments in their functioning. It also aided behavioural shift through cashback, incentivisation schemes, some specifically targeted at merchants, reimbursement of card processing charges for smaller merchants and even has in principle proposed a 20% discount on the GST. It has remained light touch on the regulation by not setting up the regulator even after 18 months of announcing the same.

The paper will analyse how the efforts of industry and government have been met by the merchant and look at factors which can and cannot be changed with policy interventions and real scope of digital payments in the merchant ecosystem.

Titiksha Vashist

Byung-Chul Han in his celebrated book “In the Swarm” warns us of the dangers of the mob that is increasingly replacing the ‘crowd’ or collective which constituted the mass of politics. He states that no true politics is possible in the digital era, where online communities lack a sense of spirit, a “we” that is now a swarm of individuals. Despite his theoretical brilliance, Han forgets that he cannot talk of the digital, the online without the offline. Politics has occurred, and continues to exist in the offline space, using the internet to spread its wings. It is not the online as-is, which has become the subject of philosophy, politics, art and aesthetics that characterises itself alone, sealed off as a space where events occur, identities formed and movements created. It is in fact, the offline that brings the online into being and gives it a myriad of meaning. While access, priviledge, commerce and capital are major themes while discussing internet access, we must not forget that the online is not merely a question of choice or access- but one that is often carefully disabled on purpose to control the offline. In India as well as other parts of the world, the internet has been interrupted for long durations to exercise political control and power, often crippling populations. According to a report by the Software Freedom Law Center (SFLC), an organisation that keeps a track on internet shutdowns in the country, India has seen 244 shutdowns in 2012, of which 108 have been enforced on 2018 alone. These have been concentrated in areas such as Jammu and Kashmir and the North-East, and in instances of violence and resistance as well.

An internet shutdown is the digital equivalent of a curfew, and its application raises questions regarding its cause, uses and political intent. The internet as means, as an enabler of political action is seen as threatening, given the shift in the way people today communicate with one another. Internet bans and shutdowns are not only matters of commerce, but also pose the question of politics to understand when and how power is exercised. An offline created out of a shutdown is different- it is curated on purpose and calls for alternative means by which functionalities of daily life, resistance, capital and media occur. This essay aims to explore how the political image of the “sovereign” also enters the digital space to carefully construct, cut- off and marginalized voices, all in the name of state security, and law and order. According to philosopher Carl Schmitt, the sovereign is he who decides on the exception, and the offline is increasingly becoming a space of exception where those who control the digital can influence the political in real time. In this context, how do we understand the relationship of power and digital access? This essay focuses on three broad questions: (a) Is there a community online capable of political action that is facilitated by the internet? (b) How does power function in internet shutdowns and are they threats to democratic freedom of expression? And finally, (c) How do we begin to unpack the ‘online’ and the ‘offline’ in such a context?

Dr. Yenn Lee

Online consequences of being offline: A gendered tale from South Korea

We hear numerous anecdotes of people facing the consequences of their online activity when offline. Some have lost jobs, have been disciplined in school, or have wound up in court for what they have posted online. However, in comparison, there has been somewhat limited discussion of the reverse scenario, where going about one's day-to-day life offline leads to violations of one's online self.

This essay is concerned with a new and unparalleled phenomenon in South Korea, locally termed molka. Literally meaning 'hidden camera', molka refers to the genre of women being filmed in the least expected of situations, including cubicles in public restrooms and in the midst of car accidents, and the footage being traded and consumed as entertainment. This is distinct from revenge porn or cyber-stalking where the perpetrators usually target a known or pre-determined individual with the intention of humiliating them or to exercise control. The subjects of molka are victimised for merely existing offline and are mostly unaware that their privacy has been violated until they are recognised by someone who knows them and informs them (or inflicts further harm). In response to the rising trend of molka, tens of thousands of frustrated and infuriated women have staged monthly protest rallies in central Seoul since May 2018, urging government intervention. Ironically, women gathered offline to protest against molka have been subjected to further molka crimes with unconsented photos of themselves at the rallies surfacing online and many have been the target of misogynous attacks.

Informed by the author's multi-year ethnographic study of technologically mediated and heightened tensions in contemporary South Korean society, this essay provides a succinct yet contextualised account of the molka phenomenon. With particular attention to the ways in which the phenomenon has developed while shifting between offline and online realms, the essay demonstrates the gendered nature of digital privacy and harassment, and the broader implications of this Korean phenomenon for women in other parts of the world.

For more details visit https://cis-india.org/raw/essays-on-offline-selected-abstracts

Essay: Watching Corona or Neighbours? - Introducing ‘Lateral Surveillance’ during COVID-19

Mira Swaminathan and Shubhika Saluja — 2020-05-22T06:39:02Z

Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm.

In times of emergency, ‘immature and even dangerous technologies are pressed into service, because the risks of doing nothing are bigger.’ Several mechanisms undertaken by governments worldwide, in response to the COVID-19 pandemic, have been criticized for enabling State sponsored mass surveillance. There are certain long term impacts of these mechanisms, especially mobile applications that arm the State with seemingly accurate and real time data of the individual. In this article, we explore the possibility of these apps becoming tools of lateral surveillance, i.e., the act of citizens surveilling each other and becoming the ‘eyes and ears’ of the State, in the near future. Though these apps may be helpful tools for contract tracing in times of the COVID-19 pandemic, the long term implications of these short term measures may cost the members of the society their anonymity, freedom of speech and create obstacles in the creation of a healthy and friendly society. One such implication is the ‘skill of surveilling thy neighbour’ being enabled by these apps to a certain extent at the present.

The governments across the globe have responded to COVID-19 through aggressive technological measures to trace individuals and enforce quarantine, costing individuals their privacy in exchange for the supposed benefit to the collective public health. In the same week when the Karnataka Government released a PDF with the names and addresses of around nineteen thousand international passengers who were quarantined in Bangalore, a man in Maharashtra was beaten up for sneezing in public. This stigma against anyone who could be potentially infected is not just prevalent in India but also in other countries. For example, in the United States, a man who returned from a Cruise that had a COVID-19 carrier on board, received death threats and personal attacks despite him being tested negative for COVID-19. Though South Korea has been successful in flattening the curve of COVID-19 cases through aggressive contact tracing (using security camera footage, credit card records, even GPS data from cars and cellphones), excessive data was exploited by internet mobs to hound infected individuals leading the government to minimize data sharing with the public. Escalations of a similar nature were evident in India as well when a woman was harassed and boycotted by her neighbours after the Delhi government marked her house with a quarantine sticker. With implicit and explicit forms of ‘watching over your neighbours’, the question then arises, is it the virus we are required to keep a check on or the neighbour next door who is “suspected” of carrying the virus?

What is Lateral Surveillance?

Surveillance, as is used in the hierarchical sense, is a vertical relationship between the person watching and the person being watched, which is usually the State and the citizen. All situations of surveillance involve power relations. In the conventional form of surveillance, there is a direct power hierarchy between the State and the citizens, and the State determines the collection, control and use of data for ‘public good.’ Lateral surveillance, on the other hand is a rather nuanced concept where citizens ‘keep an eye’ on other citizens and be vigilant of their acts. In this setup, there is not a hierarchical relationship where the one being watched is in some way being controlled or is under the authority of the watcher. As described by Mark Andrejevic, surveillance relationships can be mutual, a horizontal relationship between person to person is referred to as lateral or peer to peer surveillance. He further describes it as “the use of surveillance tools by individuals, rather than by agents of institutions public or private, to keep track of one another, covers (but is not limited to) three main categories: romantic interests, family, and friends or acquaintances.”

Sometimes, peer to peer surveillance is used to achieve emotional objectives such as community building and strengthening relationships with neighbours or tackling depression among the lonely. These emotional and social factors act as a driving force for lateral surveillance mechanisms creating a situation where privacy may be undermined for the betterment of the community. Surveillance technologies not only act as a tool for social control, but also as a tool for social exclusion. The mere requirement of Aarogya Setu as a ‘mandatory condition’ to travel via Indian Railways is a massive social exclusion of a large population of people who do not have smartphones. Lateral surveillance thus makes it easier to identify between those who conform to the ‘norms’ and those who don’t. For instance, even silent acts of not conforming with societal norms or opinion of the majority, threaten freedom of expression: during the lockdown to prevent the spread of COVID-19, the citizens who chose not to participate in the activity of lighting of lamps (urged by the Prime Minister) were either forced to conform, or were faced with a potential to be termed as ‘anti-national’ by some of their neighbours. In another instance, in South Korea, the LGBT community came under the scanner after a cluster of Coronavirus cases were reported from a particular area. This resulted in large-scale circulation of homophobic content and comments against the patients who tested positive from the community. This not only made it difficult for authorities to collect information but also increased troubles for the people belonging to the sexual minority in getting tested.

Lateral surveillance creates a culture of suspicion, where everyone is looked at as a potential suspect. In the times of COVID- 19, it translates into instances of being suspicious of the activity of a neighbour who could be potentially carrying the virus or someone who exercises his fundamental right to criticize the government. The practice of lateral surveillance is most harmful as it creates a culture of ‘hate’, ‘fear’ and ‘constant suspicion’ against an ‘enemy’. Lateral surveillance has been used for multiple instances, wherever the State identifies that it “cannot be everywhere”. There have been several campaigns that have been launched to promote lateral surveillance. For example, the “if you see something, say something” campaign launched after 9/11 attacks in the United States of America was an extreme form of lateral surveillance. The campaign encouraged people to report ‘any suspicious activity’ which resulted in creating a culture of xenophobia and racism where innocent individuals were reported by their neighbours for crimes they did not commit. Thus, the culture of lateral surveillance ensures that a system is created wherein everyone has the duty to ‘keep an eye’ for ‘their own safety’ and this heightens the fear of crime in the society.

Potential Lateral Surveillance issues with the Apps tracking Coronavirus

The priority of the government during such times is to take all available resources to address the emergency. However, these measures raise concerns about the invasion of privacy on account of public health considerations and balancing between the two conflicting interests. With the increase in quarantine monitoring and Corona tracking apps, the question is: whether real time collection and availability of (some of this) information secures the safety of the people or build a culture of surveillance?

Among these measures, the most publicised one is the Indian Government’s Aarogya Setu app. The app which was initially released hastily with an incomprehensive/ambiguous privacy policy and later replaced without notice to its users, is now being mandated for not only certain groups who are on the frontline such as journalists, e-commerce employees, delivery personnel but also is increasingly becoming a precondition to access public places. The government and private entities alike are making the app compulsory for entering apartments, travelling by the railways or the metro. The concept of ‘consent’ is seen eroding in the face of social pressure as the acceptance of the terms and conditions of the app is no longer an act free from coercion in the larger public interest. However, the Aarogya Setu app which exists over and above the various State Government apps to track COVID-19, enforce quarantine and spread awareness in the respective states, has come under the radar for not meeting the expected privacy standards such as minimal data collection, transparency to verify encryption techniques among others. The privacy policy of the app reveals that it maintains a record of all the places the user may have visited along with records of contact the user may have made with other users. This exchange of personally identifiable information among people’s devices may become a point of attack for malicious actors as highlighted in the Working Paper of Internet Freedom Foundation. Concerns over the working and information storage of the app were also raised by an ethical hacker who warned that “an attacker can get with a meter precision the health status” of someone anywhere in India. When seen from the lens of lateral surveillance, the information (stored on the server) is vulnerable to unwarranted exposure even though it is only meant to be shared with the government and other departments “formulate or implement an appropriate health response”. What raises deeper issues is the wide scope of the government’s ability to share the response data in de-identified form with several government departments and third parties on a ‘strict necessity’ basis or for research purposes. The possibility of the app being repurposed to meet multiple purposes cannot be overlooked. This potential for excessive sharing and function creep are the basis for concerns over changing forms of surveillance, from traditional to lateral due to higher possibilities of leakage of personal information.

A fundamental problem that can be noticed here is that an implementation of a public good is looked at as a binary. Each individual or organization in this pandemic performs their actions based on an “imaginary binary,” wherein the choice needs to be made between two equally worse options, created by their existing circumstances. Surveillance is regarded as ‘binary’ in nature, a tool used for both protection and control. For example, feminist legal theories have recognized that privacy used at either of the extremes (in the form of a binary) can result in affecting people’s autonomy. These theories acknowledge that while surveillance regimes exist, there are ‘gaps’ created in the system to reinforce newer surveillance mechanisms. This gap can support vulnerable groups while a ‘contextualized situation’ is created to ensure everyone’s rights are equally protected.

It is important to note that implementing 'absolute surveillance’ without basic ethical considerations like how it would affect minority groups (religious minorities, LGBTQIA community etc.) creates a problem of the ‘binary’ between surveillance and privacy, especially since the ‘culture of surveillance’ is involved in the process. Similarly, when the government responds to the pandemic by leveraging technology as its option against protecting the interests of those who may be discriminated against due to such intrusive technologies while ignoring the ethical considerations such as transparency and openness, it creates an air of suspicion. For instance, inaccessibility or absence of privacy policies in the case of Tamil Nadu & West Bengal Quarantine apps, heightens suspicion about the long term implications of such data collection activities. However, if ethical considerations are adopted in the implementation of these apps, lateral surveillance could be potentially avoided.

Apps like Corona Watch and Quarantine Watch, are potential examples of such surveillance apps where the State collects personal data and the citizens are expected to be more vigilant towards each other. As these apps increase the chances of users learning about who could have infected them (by showing the timing when an infected person visited a particular location on interactive maps). Though most of these apps currently available in West Bengal, Tamil Nadu, Maharashtra or Goa are capable of being used as sophisticated tools for State surveillance through creation of heat maps, checking on those quarantined while monitoring containment zones, and potential database for facial recognition because of selfies being sought from individuals at periodic intervals. The problem of lateral surveillance surfaces due to the potential of the same information being leaked to the public due to the lack of safeguards in the app and its design such as excessive data collection, third party exploitation of the data, lack of proper anonymization and encryption measures.

The other problem is that these apps affect the attitude of the people, making them more suspicious and wary as a community member. Since these apps make it more likely for personal information of nearby citizens to be revealed to other citizens, they encourage the practice of ‘watching over others’. They are being encouraged to stay updated about who is a possible threat to them or a vector of the virus, which is similar to the objective of neighbourhood watch schemes and peer surveillance programs. Instead of building a ‘healthy society’, there is increased suspicion, heightened fear of the virus, possibilities of discrimination and ostracisation of those suspected of carrying the virus. Further, intrusive tracking and excessive health messaging can discourage citizens, making them feel bullied and stigmatised. As Sean McDonald writes, when these technologies which enable the use of individual information as a “representative sample for public health risk” can have dangerous unintended consequences “when paired with the kinds of panic, scarcity and desperation”in such public health emergencies.

The need for more security makes people more likely to detect threats in every different action from the normal. This not only heightens the fear among everyone regarding the ‘perceived threat’ of the existence of a quarantined or infected patient, but it also creates a culture of vigilance, i.e. the people start to suspect everything and everyone. As Janet Chan mentions in her work- “such perceived threat has a tendency to ‘increase intolerance, prejudice, ethno-centrism, and xenophobia’. The consequence of the constant contact among neighbours may result in ethnic profiling, increased anxiety, communication overload and create potential tensions among them.” In Seoul where a restaurant manager was “eavesdropping in people’s conversations” just to confirm whether or not they’re infected with the Coronavirus and in India where photos and videos of patients tested positive of COVID are circulated amongst whatsapp groups. Such forms of lateral surveillance in the physical world is already having a negative impact on the society. Especially in India, where the concept of social distancing mirrors and invokes distinct histories of caste hierarchies, even the most diluted form of social distancing is harmful as it reinforces this segregation of ‘touchable’ and ‘untouchable.’ The virus further aids the existing structures of inequality. Hence, social exclusion due to the ‘culture of suspicion’ is deepened further in such a society in times of a crisis.

The potential technological solutionism of it through the aforementioned apps poses greater risks. The problem lies not only in the manner in which the individuals are being encouraged to seek more information but also the way in which the information is being handled by the State. Apart from the aforementioned apps, some States such as Delhi, Kerala and Telangana are using softwares to track cell phone location for the purposes of contact tracing. In Ahmedabad, the MU Corporation map even reveals the names and addresses of patients who tested positive. Further, the attitude of the people that creates social pressure on the State to reveal personal information as was seen in Mohali. The fact that ‘social pressure’ is a justification for making public quarantine lists, the possibility of more information being rolled out through these apps in the future for the sake of one or a few persons’ protection cannot be ignored.

Furthermore, as more personal data is gathered, the State needs to ensure that security standards and safeguards are maintained to prevent leakage of such data on social media as was already witnessed in Karnataka, Delhi and Nagpur. Even if these measures are being flagged as “necessary” to enforce quarantine or contain transmission, they are prima facie violative of the right to privacy of the people whose sensitive personal information is being disclosed like public property. There is no doubt that the right to privacy is not an absolute right, but neither the Epidemic Diseases Act, 1897 nor the National Disaster Management Act 2005 provide any explicit basis to disclose personal information of persons who have either been infected with the virus or who have been quarantined. Even if such disclosures can be justified as an act in good faith to prevent the outbreak of the disease under Section 4 the Epidemic Diseases Act or within the powers of the National Authority to take such measures for the prevention of disaster under Section 6(i) of the National Disaster Management Act, they need to be proportionate in nature and have a rational nexus with the legitimate aim sought to be achieved by the State (test for which was laid down in Puttaswamy Judgment). It is difficult to determine the connection between the careless disclosure of such sensitive information and prevention of the pandemic. There are less intrusive alternatives available. If public knowledge about an infected person’s residence and mobile phone number is going to assist the fight against the pandemic, then it is a clear case of lateral surveillance being encouraged by the State and that is the path to the ‘culture of suspicion’ as explained above.

In the absence of a comprehensive data protection law (particularly where the State is bound and accountable as a data collection entity), there is no judicial recourse available if the data is used for purposes other than those mentioned in the privacy policies. In certain cases, the privacy policies have not even been made public. This raises more concerns about possibilities of the data being disclosed to unauthorised entities or retained and used for other purposes. This data, if made available or leaked to the public in such times, increases the risks of vigilantism and lateral surveillance resulting in potential discrimination and harassment. The State needs to recognize the risk of normalization of these tools which if continued even after the pandemic could negatively affect the right to privacy not only vis-a-vis the State (as is already the case) but also vis-a-vis other members of society.

Measures to Better Implement Contract Tracing and Reduce Lateral Surveillance

1. Rule of Law and implementation of Privacy Principles : Though the measures introduced for tracking Coronavirus are necessary and crucial in the times of a fast spreading pandemic, they also need to be tested against the requirements of legality and doctrine of proportionality as well. The test of legitimate state aim, necessity and proportionality acts as the guiding force for implementation of state actions that constrain privacy. Deployment of excessively intrusive means to further public health while restraining privacy without any legal basis will do more harm than good. If the conflict between common good and individual privacy is resolved, the impact of the surveillance measures on people in general would reduce, thereby limiting the prospects of lateral surveillance. The path to prevent lateral surveillance goes through the path of reducing the scope of vertical surveillance itself. For instance, if the data collecting authority ensures that the system does not or is least likely to reveal any personal information of the user, then the risk of the same being available in public is minimal. In this regard, the privacy policy of Aarogya Setu app states that the data will be stored in “anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required.” Further, it also provides that the personal information will not be shared with any third party.

Although it is easier to brush aside the application of the privacy principles due to the lack of a comprehensive data protection law, a pandemic cannot be an excuse to forgo the application of these principles and the rule of law. Presently, India is witnessing instances of loss of privacy and confidentiality, stigmatization and rights violations which have been identified as harms of public health practice and surveillance by the World Health Organization. In order to minimize the harm from surveillance, preventive measures such as avoiding collection of unnecessary identifiable information, limited access to collected data, secured data storage practices, pseudonymisation of collected data, definite period of retention of data and promotion of transparency, inclusiveness and openness, should be taken. For instance, Singapore’s TraceTogether app provides a good example of application of data protection principles. The app collects only the mobile number and creates a random anonymized user ID, uses bluetooth, instead of the GPS location or WIFI or mobile network, stores data only on the phone of the user, and prevents third parties from identifying or tracking the user (employing privacy-by-design). The Privacy Policy of the app depicts how privacy principles can be put to work, with minimum data collection, allowing withdrawal of consent and minimal retention of data among other principles. Though Aarogya Setu follows most of the aforementioned principles employed at global level as seen in the case of TraceTogether as well, it goes a step ahead to collect even GPS location which may be considered an excessive means.

Finally, it is essential that the use of these apps remains limited to the times of pandemic without paving the way for sophisticated surveillance, traditional or lateral, post the pandemic. And for privacy policy of Aarogya Setu mentions the use of information only for the “management of COVID-19” the concerns over the its use for an unidentifiable period of time in the future are hinting at it becoming a surveillance tool in a world where people will have to live with Coronavirus.

2. Positive initiatives for improving mental health of citizens: We understand and acknowledge that the impact of lateral surveillance cannot be completely eradicated during a pandemic, we can suggest mechanisms in which initiatives encouraging surveillance can be better implemented by the State and the citizens. Since even a “privacy preserving” app cannot comprehensively address the fundamental issues relating to the efficacy of contact tracing, intended or unintended consequences of social exclusion and discriminatory use, lateral surveillance can be turned on its head by ensuring that mutual care and trust is practiced instead of enabling surveillance. The Central Government and several State Governments such as Maharashtra and Kerala among others are trying to deal with the impact of Coronavirus on mental health with innovative campaigns. So instead of a helpline number, an app can be introduced by the State that gives counselling services to quarantined patients which would help in destigmatizing the existing scenario. Further, citizens too can be involved in helping one another, for example, neighbourhoods in England use “innovative placards wherein they identify the quarantined people in need (and their concerns) with a simple showcase of ‘red/yellow/green’ placards outside their houses. They have also introduced the use of “printable postcards” that are used to offer help for the elderly in the communities. These community initiatives are a much better way of approaching this public health crisis instead of a ‘sticker’ or a ‘label’ outside the quarantined person’s house labelling them in a negative way, as though they have committed a crime.

Avoiding the toxic culture created in the ‘new normal'

Citizens need to be made aware of the consequences of this pandemic on the community in a way they can help each other to overcome it , instead of simply alarming or scaring them which would definitely have long term negative impacts on the community. Considering how instances of discrimination against certain communities are already surfacing amidst the pandemic, contact tracing should explored within the bounds of the law while being implemented through these apps. With certain governments using personnel tracking tools such as smart watches for purposes of public services, the increase in the use of these kinds of intrusive technologies is soon going to be a harsh reality. Surveillance is already suspected to have become the ‘new normal’ considering the extensive amounts of money that is being invested by governments around the globe. The only way out of this pandemic is to take a humane approach to surveillance wherein the discriminatory tendencies of the people while spreading information about those infected are factored in to prevent excessive harm. It can only be expected that the State would be wary of the means being deployed to achieve the end, and the citizens act responsibly while participating in these initiatives so as to reduce the negative impacts of vertical or lateral surveillance. We should all move towards a society where we watch the virus and carefully use technology to avoid situations where ordinary citizens are encouraged to watch over their neighbours. We need to unlearn this habit of “watching over someone else” both voluntarily and involuntarily before it becomes too late.

For more details visit https://cis-india.org/internet-governance/blog/essay-watching-corona-or-neighbours-introducing-2018lateral-surveillance2019-during-covid201919

Engaging with the Covid-19 Crisis

pranav — 2020-07-15T09:31:51Z

In the last six months, COVID-19 has had a far-reaching impact on the world, including on the digital sphere, how people interact with it, and its mediation of social and economic exchanges. Researchers and practitioners at the Centre for Internet and Society (CIS) have responded to this dynamic landscape from different lenses.

WikiProject India COVID-19 Task Force

The Access to Knowledge team at CIS, along with the Wikidata editor community has been maintaining a reliable district and state-wise database of COVID-19 case statistics in India (link). If you are a Wikidata editor, please consider contributing or encouraging others to join this effort.

COVID-19 Apps

Based on publicly available information, Pallavi Bedi presents a comparative analysis of COVID-19 apps launched by different state governments in India, and examines their governing policies regarding privacy and data protection (link).
In light of the central-government’s release of the contact tracing app Aarogya Setu, Siddharth Sonkar’s report seeks to constructively engage with privacy concerns surrounding the app and its operations, and works towards making privacy safeguards governing its operability more consistent with international best practices (link).
Amber Sinha examines the false binary between privacy and surveillance created during a pandemic, and proposes a necessary and proportional method of contact tracing (link).
Aman Nair writes about the lack of oversight present in the Kerala government’s deal with Sprinklr Inc, the violations to the right to privacy, and how legislation that is currently being proposed would fail to prevent situations like this in the future (link).

Gig Economy and Labour Rights

With Tandem Research, CIS organized a webinar to interact with unions representing gig workers and researchers studying labour rights and gig work, to uncover the experiences of gig workers during the lockdown. Based on the discussion, a charter of recommendations was prepared with contributions from participants, and was shared with public and private stakeholders (link).
With support from three domestic workers’ unions, the Domestic Workers Rights Union, Bruhat Bangalore Gruhakarmika Sangha, and Manegelasa Kaarmikara Union, Geeta Menon put together a report that shines light on the plight of domestic workers in Bengaluru during the lockdowns, and now as the lockdown eases. It focuses on how government and administrative bodies, and resident welfare associations, have been culpable in further pushing domestic workers to the margins (link).
Aayush Rathi and Sreyan Chatterjee argue how the suspension of labour laws proposed (and enforced) by several states in India as a part of their COVID-19 impact response, have material and discursive impact on the future of work in India (link).
Ambika Tandon discusses the impact of Covid-19 on the gig economy in Asia, especially reflecting on the measures (or lack thereof) taken by companies to support workers (link).
Zothan Mawii, Aayush Rathi and Ambika Tandon spoke with the leaders of four workers' unions and labour researchers, including the Indian Federation of App-based Transport Workers (IFAT) and the Ola and Uber Drivers and Owners’ Association (OTU), to identify recommended actions that public agencies and private companies may undertake to better support the urgent needs of gig workers in India (link).

Lateral Surveillance

Drawing from multifaceted research on surveillance around the world, Mira Swaminathan and Shubhika Saluja analyse the unique domain of lateral surveillance, and its heightened impacts on the ‘culture of suspicion’ created between social classes, especially during a pandemic (link).
On the latest episode of our In Flux podcast, Shweta Reddy and Mira Swaminathan discuss COVID-19 related surveillance with Torsha Sarkar, and talk about balancing a public health objective with protection of our fundamental rights (link).

Misinformation

In an article in The Wire, Mira Swaminathan argues that the only efficient and effective way to prevent the spread of misinformation related to the pandemic is self-verification, which means that people who consume the data on an everyday basis must educate themselves and acquire the skills to tackle it (link).
Torsha Sarkar examines content moderation measures taken by online intermediaries to tackle harmful information related to COVID-19 on their platforms, and the recommended ways in which information around these decisions can be preserved for better research going forward (link).

Gender justice

In light of a large digital divide across the usage of technology by women, Ambika Tandon and Mira Swaminathan examine how effective calls to domestic abuse helplines are during lockdown (link).

Data Protection

As part of The Bastion’s series on the education sector and children’s privacy, Pallavi Bedi writes about protecting the privacy of children on ed-tech platforms, especially as students are now more than ever dependent on such platforms for their learning (link).
Shweta Reddy was a panelist on Medianama’s Roundtable on Privacy in the era of COVID-19, where she spoke about privacy checks for data collection process for the purposes of public health during the pandemic (link).
Gurshabad Grover was a discussant for the webinar on Health, Encryption & COVID-19: Keeping people and countries safer online, organized by Internet Society, Center for Democracy and Technology and Global Partners Digital, where he spoke about recent threats to end-to-end encrypted communications, including ‘traceability’ in India and the EARN IT in the US (link).

For more details visit https://cis-india.org/internet-governance/blog/engaging-with-the-covid-19-crisis

Enforcement of Anti-piracy Laws by the Indian Entertainment Industry

praskrishna — 2011-08-04T04:35:48Z

This brief note by Siddharth Chadha seeks to map out the key actors in enforcement of copyright laws. These bodies not only investigate cases of infringement and piracy relating to the entertainment industry, but tie up with the police and IP law firms to pursue actions against the offenders through raids (many of them illegal) and court cases. Siddharth notes that the discourse on informal networks and circuits of distribution of cultural goods remains hijacked with efforts to contain piracy as the only rhetoric which safeguards the business interests of big, mostly multinational, media corporations.

International Intellectual Property Alliance

The International Intellectual Property Alliance (IIPA) is an international lobby group of US media industries with close ties to the United States Trade Representative. It has in its reports consistently expressed dissatisfaction with Indian efforts to deal with piracy. IIPA works in close cooperation the other US lobby groups like the MPAA (Motion Picture Association of America) and the BSA (Business Software Alliance). The IIPA reports, which place India in a 'danger zone', significantly influence regional and international discourses on piracy. Interestingly, the IIPA in India has been very successful in regionalizing and nationalizing a global discourse. Thus, in the past few years, local industry associations in India in cinema, music and software have independently run highly emotional campaigns against piracy, reminiscent of IIPA's own campaigns.

Motion Pictures Association

The Motion Picture Association of America (MPAA) through its international counterpart, Motion Pictures Association (MPA), has been unofficially operational in India for the last 15 years. Its member companies are Walt Disney, Paramount, Sony Entertainment, Twentieth Century Fox, Universal Studios, and Warner Bros. The MPA's work in India was mostly non-obtrusive till 1994 when MPA Asia-Pacific, based in Singapore, started being represented by the high profile legal firm Lall & Sethi Advocates.

They have collectively worked on forming enforcement teams for coordinated raids in Mumbai and Delhi since 1995. Earlier this year, MPA announced its first India office to be set up in Mumbai, called the Motion Picture Distributor's Association India (Pvt.) Limited (MPDA), under the directorship of Rajiv Dalal. Mr. Dalal had previously directed strategic initiatives from the MPAA's Los Angeles office. The MPDA will engage itself in working jointly with local Indian film industries and the Indian government to promote the protection of motion pictures and television rights.

According to the organization's own assertion, in 2006 the MPA's Asia-Pacific operation investigated more than 30,000 cases of piracy and assisted law enforcement officials in conducting nearly 12,400 raids. These activities resulted in the seizure of more than 35 million illegal optical discs, 50 factory optical disc production lines and 4,482 optical disc burners, as well as the initiation of more than 11,000 legal actions.

Indian Music Industry

The world's second-oldest music companies' association, Indian Music Industry (IMI), was first established as Indian Phonographic Industry in 1936. It was re-formed in its present avatar in 1994, as a non-commercial and non-profit organization affiliated to the International Federation of Phonographic Industry (IFPI) and is registered as a society in West Bengal. IMI members includes major record companies like Saregama, HMV, Universal Music (India), Tips, Venus, Sony BMG (India), Crescendo, Virgin Records, Magnasound, Milestone, Times Music and several other prominent national and regional labels that represent over 75 per cent of the output in corporate recordings.

It was one of the first organizations in the country to start the trend of hiring ex-police officers to lead anti-piracy operations. In 1996, IMI hired Julio Ribeiro (a former Commissioner of Police, Mumbai; Director General of Police, Punjab; and Indian Ambassador to Romania) to head its anti-piracy operations. Their anti-piracy work is split into three specific regions, North and North Eastern, Western and Southern and East, each zone headed by a former senior police officer. IMI operates through offices in Kolkata, Mumbai, New Delhi, Chennai, Bangalore and several other cities and towns across India, focusing on surveillance, law enforcement, and gathering intelligence through an 80 member team hired to tackle piracy. During 2001 to 2004, IMI registered over 5500 cases, seized over 10 lakh music cassettes, and around 25 lakh CDs.

Business Software Alliance

Headquartered in Washington DC, the Business Software Alliance has a regional office in Delhi, and has been instrumental in conducting anti-piracy operations across the country. According to the BSA, India ranks 20 in global software piracy rankings, with a rate of 73 per cent while the Asia Pacific average is 53 per cent. China ranks second with a rate of 92 per cent and annual losses of $3,823 million while Pakistan ranks nine with 83 per cent piracy rate. They have engaged the general public in providing them with information on pirated software through an anti-piracy initiative – The Rewards Programme. Launched in 2005, reward amount up to Rs.50, 000, would be provided for information leading to successful legal action against companies using unlicensed software. The reward program was aimed to encourage people to support the fight against piracy and to report software piracy to the NASSCOM-BSA Anti-Piracy Software Hotline.

In 2006, BSA and NASSCOM got a shot in their arms by winning the largest settlement amount for a copyright case in India, with Netlinx India Pvt. Ltd. The case had emerged after a civil raid was conducted at the premises of Netlinx in December 2000, leading to inspection and impounding of 40 PCs, carrying illegal unlicensed software. The settlement includes damages of US$ 30,000, complete legalization of software used by them, removal of all unlicensed/pirated software and submission to an unannounced audit of computer systems during next 12 months.

Industry Enforcers

Bollywood Film and Music companies, such as T-Series and Yashraj Films, have established anti-piracy arms to combat piracy in specific markets. T-Series has been in the industry for over 15 years, as a brand of Gulshan Kumar founded Super Cassettes Industries Limited, and has often been at the forefront for conducting raids along with police officials to check piracy of its copyrighted content. In its latest announcement earlier this year, T-Series launched an anti-piracy campaign against those stealing digital content. The announcement came after they filed a complaint on June 1 with a police station in Mangalore against Classic Video shop for infringement of its copyright works like Billu, Ghajini, Aap Ka Suroor, Apne, Fashion and Karz that had been illegally downloaded and copied onto multiple discs, card readers and pen-drives.

Yashraj Films, a leading film studio, has long been a part of enforcement activities against piracy, both in the Indian market and internationally. Most recently, it was a key member in the formation of the United Producers and Distributors Forum, which also included chairman Mahesh Bhatt, Ramesh Sippy, Ronnie Screwalla of UTV, Shah Rukh Khan, Aamir Khan and Eros International. This organization is now trying to enforce anti-piracy laws by conducting raids across the country with the help of another ex-cop from Mumbai, A.A. Khan. Yashraj Films has also established anti-piracy offices in the United Kingdom and the United States to curb piracy in those markets, as overseas returns of its films, watched by the desi diaspora is one of its largest revenue earning sources. The website of Yashraj Films lists news reports from across US and Europe of instances of crackdown on pirates.

In the context of intellectual property in the creative industries, these anti-piracy agents have successfully created the halo of illegality around the subject of piracy. The discourse on informal networks and circuits of distribution of cultural goods remains hijacked with efforts to contain piracy as the only rhetoric which safeguards the business interests of big media companies and multinational corporations.

For more details visit https://cis-india.org/a2k/blogs/piracy-and-enforcement

Encryption Standards and Practices

elonnai — 2012-03-22T05:39:16Z

The below note looks at different types of encryption, varying practices of encryption in India, and the relationship between encryption, data security, and national security.

Introduction: Different Types of Encryption

When looking at the informational side of privacy, encryption is an important component to understand. Encryption in itself is a useful tool for protecting data that is highly personal in nature and is being stored, used in a transaction, or shared across multiple databases. The quality of encryption is judged by the ability to prevent an outside party from determining the original content of an encrypted message. There are many different types of encryption including:

Symmetric Key Encryption: Communicating parties share the same private key that is used to encrypt and decrypt the data. This form of encryption is the most basic, and is fast and effective, but there have been problems in the secure exchange of the unique keys between communicating parties over networks [1].

Asymmetric Key Encryption: This system relies on the use of two keys– one public, and one private. In this system only the user knows the private key. In order to ensure security in the system a mathematical algorithm that is easy to calculate in one direction, but nearly impossible to reverse calculate is often used. Use of a public and a private key asymmetric avoids the problem of secure exchange that is experienced by symmetric key encryption. The basis of the two keys should be so different, that it is possible to publicize one without the danger of being able to derive the original data. Decoding of data takes place in a two step process. The first step is to decrypt the symmetric key using the private key. The second step is to decode the data using the symmetric key and interpret the actual data[2].

One-way Hash Functions: One-way hash functions are mathematical algorithms that transform an input message into a message of fixed length. The key to the security of hash functions is that the inverse of the hash function must be impossible to prove[3].

Message Authentication Codes: MACs are data blocks appended to messages to protect the authentication and integrity of messages. MACs typically depend on the use of one-way hash functions[4].

Random Number Generators: An unpredictable sequence of numbers that is produced by a mathematical algorithm[5].

Encryption in India

Encryption in India is a hotly debated and very confusing subject. The government has issued one standard, but individuals and organizations follow completely different standards. According to a note issued by the Department of Telecommunications (“DOT”) in 2007, the use of bulk encryption is not permitted by Licensees, but nevertheless Licensees are still responsible for the privacy of consumers’ data (section 32.1). The same note pointed out that encryption up to 40 bit key length in the symmetric key algorithms is permitted, but any encryption higher than this may be used only with the written permission of the Licensor. Furthermore, if higher encryption is used, the decryption key must be split into two parts and deposited with the Licensor. The 40 bit key standard was previously established in 2002 in a note submitted by the DOT:“License Agreement for Provision of Internet Service (including Internet Telephony)’ issued by Department of Telecommunications”[6] Though a 40 bit standard has been established, there are many sectors that do not adhere to this rule. Below are a few sectoral examples:

A) Banking: ‘Report on Internet Banking’ by the Reserve Bank of India 22 June 2001:

"All transactions must be authenticated using a user ID and password. SSL/128 bit encryption must be used as the minimum level of security. As and when the regulatory framework is in place, all such transactions should be digitally certified by one of the licensed Certification Authorities.”[7]

B).Trade: The following advanced security products are advisable:

"Microprocessor based SMART cards, Dynamic Password (Secure ID Tokens), 64 bit/128 bit encryption"[8]

C).Trains: ‘Terms & Conditions’ for online Railway Booking 2010:

"Credit card details will travel on the Internet in a fully encrypted (128 bit, browser independent encryption) form. To ensure security, your card details are NOT stored in our Website.”[9]

The varying level of standards poses a serious obstacle to Indian business, as foreign countries do not trust that their data will be secure in India. Also, the differing standards will pose a compliance problem for Indian businesses attempting to launch their services on the cloud.

Data Security, Encryption, and Privacy:

To understand how encryption relates to privacy, it is important to begin by looking at data security vs. privacy. Security and privacy have an interesting relationship, because they go hand in hand, and yet at the same time they are opposed to each other. First, data security and privacy are not the same. Breaches in data security occur when information is accessed without authorization. There is no loss of privacy, however, until that information is misused. Though data security is critical for protecting privacy, the principles of data security call for practices that threaten privacy principles. For example, data security focuses on data retention, logging, etc, while privacy focuses on the consent, restricted access to data, limited data retention, and anonymity[10]. If security measures are carried out without privacy interests in mind, surveillance can easily result in severe privacy violations. Thus, data security should influence and support a privacy regime but not drive it. In this context, encryption and data security will create an expectation of privacy, rather than undermine or overshadow privacy. By the same token encryption cannot be seen as the cure for privacy challenges. Encryption cannot adequately protect data, but when supported by a strong privacy and security regime – it can be very effective. It is also a good measuring rod for determining how committed a company has been to protecting a person’s privacy and ensuring the security of his or her data. In light of the symbiotic yet complicated relationship that privacy and data security have with each other, it would make sense for legislation and domestic encryption standards to be merged and addressed together. This would ensure that a) the standard is not archaic (as the current 40 bit one is); b) would take into account the threat to privacy that surveillance can impose and would address decryption when addressing encryption; and c) would anticipate the collection and cataloging of data and ensure security of the data and person as well as national security.

National Security and Encryption

Encryption is a subject that causes governments a great deal of concern. For example in order to preserve foreign policy and in national security interests, the US maintains export controls on encryption items [10]. This means that a license is required to export or re-export identified items. Though the Indian government currently does not have an analogous system, it would be prudent to consider one. Though the government is aware of the connection between encryption and national security, it seems to be addressing it by setting a low standard for the public which enables it to monitor communications etc. easily. It is important to remember though that today we live in a digital age where there are no boundaries. One cannot encrypt data at 40 bits in India and think it is safe, because that encryption can be broken everywhere else in the world. Despite the fact that there are no boundaries in the digital age, users of the internet and communication technologies are subject to different and potentially inconsistent regulatory and self-regulatory data security frameworks and consequently different encryption standards. One way to overcome this problem could be to set in fact a global standard for encryption that would be maximal for the prevention of data leaks. For instance, there are existing algorithms that are royalty free and available to the global public such as the Advanced Encryption Standard algorithm, which is available worldwide. The public disclosure and analysis of the algorithm bolsters the likelihood that it is genuinely secure, and its widespread use will lead to the expedited discovery of vulnerabilities and accelerated efforts to resolve potential weaknesses. Another concern that standardized encryption levels would resolve is the problem of differing export standards and export controls. As seen by the example of the US, industrialized nations often restrict the export of encryption algorithms that are of such strength that they are considered “dual use” – in other words, algorithms that are strong enough to be used for military as well as commercial purposes. Some countries require that the keys be shared, while others take a hands-off approach. In India joining a global standard or creating a national standard of maximum strength would work to address the current issue of inconsistencies among the required encryption levels.

The Relationship between the Market, the Individual, the State, and Encryption

Moving away from the technical language it is useful to break down encryption from a social science point of view. Who are the actors involved – what is their relationship with each other, and how does encryption come into the picture. When one looks at encryption it is possible to conceive of many different scenarios, each with different players. In the first scenario there is an individual and another individual. They are sending information back and forth. The third individual could be an entity, a business, or just another individual. The first two individuals want to keep their information away from this third, unknown person or entity. For that reason, the first two encrypt their communications. Encryption is a tool that has the ability to re-draw the lines between the public and private sphere by giving individuals the ability to form a very private line of communication, and thus a very private relationship in a space that is very non-private - such as the internet. In another scenario between the individuals and the markets – the market wants information about an individual to enhance its effectiveness and profits. To create trust, the market promises that information given is encrypted. Thus, the market is attempting to initiate a trusting relationship with individuals. This relationship though, is forced and false, because individuals must compromise how much information they disclose for a product or service in return.

In the second scenario, there is an individual, another individual, and a Government. In this situation the two individuals again say that they want to have a private conversation in a public space, and so it is encrypted, but the Government – which is worried about national security decides that it wants to listen in on the conversation. This places a new dynamic on the relationship. No longer are the two individuals private. Not only can the government hear their conversation, but they have no choice over whether their conversation is heard or not. This is a relationship based off of the premises of distrust between the government and individuals. It presupposes, and is biased in assuming, that if you have done nothing wrong – you have nothing to hide.Using the same set of actors, perhaps a government requires the collection of information about its citizenry that is sensitive. To ensure the privacy of its people, the government encrypts the information, but the individual has essentially lost control over his/her information. He/she is forced to trust that the Government will not misuse the information given.

In the third scenario there is a market, an, individual, and the government. The market gathers information about an individual on transactional levels, but encrypts it – because in the wrong hands – this information could be misused. The government still wants access to the information and so they demand the information. What does the market say? Does it side with the individual or the Government? If governments sanction the market, they can make it bend to their will. Thus, the government is in a position to control the market and the individual, but to what ends and for what means. In all of these situations the understood role of the market, the government, and the individual has been shifted by the ability to encrypt information. The idea of using encryption as a means to keep information safe speaks to a new relationship that has formed between the government, the market, and the individual.

Bibliography:

Burke, Jerome. McDonald, John. Architectural Support for Fast Symmetric-Key Cryptography
Munro, Paul. Public Key Encrpytion. University of Pittsburgh. 2004
Merkle, Ralph. One Way Hash Functions and DES.
Department of Commerce. Federal information Processing Standards Publication. The Keyed - Hash Message Authentication Code. http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
http://www.ruskwig.com/random_encryption.htm
http://www.indentvoice.com/other/ISPLicense.pdf
Report on Internet Banking’ by The Reserve Bank of India: 22 June 2001
Internet Trading guidelines issued by Securities & Exchange Board of India: 31 January 2000
Website of IRCTC (a public sector undertaking under the Ministry of Railways)
American Bar Assiociation: International Guide to Privacy.
Department of Commerce: Bureau of Industry and Security – Encryption Export Controls. June 25 2010

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_encryption

Encryption and Anonymity: Rights and Risks

praskrishna — 2015-10-27T02:37:45Z

Internet Governance Forum (IGF) 2015 will be held at Jao Pessoa in Brazil from November 10 to 13, 2015. The theme of IGF 2015 is Evolution of Internet Governance: Empowering Sustainable Development. ARTICLE 19 and Privacy International are organizing a workshop on Encryption and Anonymity on November 12, 2015. Pranesh Prakash is a speaker.

This was published on the IGF website.

Encryption and anonymity are two key aspects of the right to privacy and free expression online. From real-name registration in Iran to the UK Prime Minister's calls for Internet backdoors to encrypted communications, however, the protection of encrypted and anonymous speech is increasingly under threat. Recognising these challenges, the UN Special Rapporteur on freedom of expression, David Kaye, presented a report to the Human Rights Council in June 2015 which highlighted the need for greater protection of encryption and anonymity.

Five months on from the Special Rapporteur’s report, the participants in this roundtable will discuss his recommendations and the latest challenges to the protection of anonymity and encryption. For example, how can law enforcement demands be met while ensuring that individuals still enjoy strong encryption and unfettered access to anonymity tools? What steps should governments, civil society, individuals and the private sector take to avoid the legal and technological fragmentation of a tool now vital to expression and communication? How can individuals protect themselves from mass surveillance in the digital age?

At the end of the session, the participants should have identified areas for future advocacy both at the international and domestic levels as well as areas for further research for the protection of anonymity and encryption on the Internet.

Agenda

Moderator welcomes speakers and audience.
Outline of key issues on encryption and anonymity, including summary of the UN Special Rapporteur's report.
Each speaker speaks for 5-7 mins, giving their perspective re the issues.
Questions from participants, including remote participation via Twitter.
Conclusion and steps for further action.

About IGF 2015

Internet Governance Forum (IGF) is a multistakeholder, democratic and transparent forum which facilitates discussions on public policy issues related to key elements of Internet governance. IGF provides enabling platform for discussions among all stakeholders in the Internet governance ecosystem, including all entities accredited by the World Summit on the Information Society (WSIS), as well as other institutions and individuals with proven expertise and experience in all matters related to Internet governance.

After consulting the wider Internet community and discussing the overarching theme of the 2015 IGF meeting, the Multistakeholder Advisory Group decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development”. This theme will be supported by eight sub-themes that will frame the discussions at the João Pessoa meeting.

For more details visit https://cis-india.org/internet-governance/news/encryption-and-anonymity-rights-and-risks

En Inde, le biométrique version très grand public

praskrishna — 2017-05-03T16:27:23Z

Initiée en 2010, l’Aadhaar est désormais la plus grande base de données d’empreintes et d’iris au monde. Carte d’identité destinée aux 1,25 milliard d’Indiens, elle sert aussi de moyen de paiement. Mais la sécurité du système et son utilisation à des fins de surveillance posent question.

The article was published by Liberation on April 27, 2017. Sunil Abraham was quoted.

Le front barré d’un signe religieux hindou rouge, Vivek Kumar se tient droit derrière le comptoir de son étroite papeterie située dans une allée obscure d’un quartier populaire du sud-est de New Delhi. Sous le regard bienveillant d’une idole de Ganesh - le dieu qui efface les obstacles -, le commerçant à la fine moustache et à la chemise bleu-gris au col Nehru réalise des photocopies, fournit des tampons ou des stylos à des dizaines de chalands.

Gaurav, un vendeur de légumes de la halle d’à côté, entre acheter du crédit de communication mobile. Au moment de payer, il sort son portefeuille, mais pas pour chercher de la monnaie. Il y prend sa carte d’identité Aadhaar et fournit ses douze chiffres au commerçant. Qui les entre dans un smartphone, sélectionne la banque de Gaurav et indique le montant de l’achat. Le client n’a plus qu’à poser son pouce sur un lecteur biométrique relié au combiné, connecté à Internet. Une lumière rouge s’allume et un son retentit : la transaction est bien passée.

Depuis mars, 32 banques indiennes fournissent ce service novateur de paiement par empreinte digitale. Appelé Aadhaar Pay, il utilise les informations biométriques, à savoir les dix empreintes digitales et celle de l’iris, recueillies par le gouvernement depuis septembre 2010 pour créer la première carte d’identité du pays. Toute personne résidant en Inde depuis plus de six mois, y compris les étrangers, peut s’inscrire et l’obtenir gratuitement.

«Renverser le système»

L’Aadhaar («la fondation» en hindi) représente aujourd’hui la plus grande base de données biométriques au monde, avec 1,13 milliard de personnes enregistrées sur 1,25 milliard, soit 99 % de la population adulte indienne.

L’objectif initial était double : identifier la population - 10% des Indiens n’avaient jusqu’ici aucun papier, et donc aucun droit - et se servir de ces moyens biométriques pour sécuriser l’attribution de nombreuses subventions alimentaires ou énergétiques, dont le détournement coûte plusieurs milliards d’euros chaque année à l’Etat fédéral.

A partir de 2014, la nouvelle majorité nationaliste hindoue du BJP a étendu les usages de l’Aadhaar pour transformer cet outil de reconnaissance en un vrai «passe-partout» de la vie quotidienne indienne : depuis l’ouverture d’une ligne téléphonique à la déclaration de ses impôts, en passant surtout par la création d’un compte en banque, le numéro Aadhaar sera à présent requis. Dans ce dernier cas, l’Aadhaar permet en prime d’utiliser le paiement bancaire par biométrie pour réduire le recours au liquide, qui représente encore plus de 90 % des transactions dans le pays.

Le Premier ministre, Narendra Modi, a fait de cette inclusion financière l’un de ses principaux chevaux de bataille : en 2014, son gouvernement a lancé un énorme programme qui a permis la création de 213 millions de comptes bancaires en deux ans - aujourd’hui, quasiment tous les foyers en possèdent au moins un. Il a continué dans cette voie énergique en démonétisant, en novembre, les principales coupures. But de la manœuvre : convaincre les Indiens de se défaire, au moins temporairement, de leur dépendance aux billets marqués de la tête de Gandhi.

«Le liquide est gratuit, donc il est difficile de pousser les gens à utiliser d’autres moyens de paiement, explique Ragavan Venkatesan, responsable des paiements numériques à la banque IDFC, pionnière dans l’utilisation de l’Aadhaar Pay. Nous avons donc renversé le système pour que le commerçant soit incité à utiliser les moyens numériques.» L’établissement financier a d’abord développé le «microdistributeur de billets» : une tablette que le vendeur peut utiliser pour créer des comptes, recevoir des petits dépôts ou fournir du liquide aux clients au nom de la banque, contre une commission. Comme l’Aadhaar Pay, cette tablette se connecte au lecteur biométrique - fourni par l’entreprise française Safran - pour l’identification et l’authentification. Dans les deux cas, et à la différence des paiements par carte, ni le marchand ni le client ne paient pour l’utilisation de ce réseau. «Le mode traditionnel de paiement par carte va progressivement disparaître», prédit Ragavan Venkatesan.

Défi

Pour l’instant, le système n’en est toutefois qu’à ses débuts. Environ 70 banques - une minorité du réseau indien - sont reliées à l’Aadhaar Pay, et lors de nos visites dans différents magasins de New Delhi, une transaction a été bloquée pendant dix minutes à cause d’un problème de serveur. La connectivité est d’ailleurs un défi dans un pays dont la population est en majorité rurale : le système nécessite au minimum le réseau 2G, dont sont dépourvus environ 8 % des villages, selon le ministère des Télécommunications.

Mais c’est la protection du système qui est surtout en question : «La biométrie réduit fortement le niveau de sécurité, car c’est facile de voler ces données et de les utiliser sans votre accord, explique Sunil Abraham, directeur du Centre pour l’Internet et la société de Bangalore. Il existe maintenant des appareils photo de haute résolution qui permettent de capturer et de répliquer les empreintes ou l’iris», affirme ce spécialiste en cybersécurité.

Le problème tient au caractère irrévocable de ces données biométriques. A la différence d’une carte bancaire qu’on peut annuler et remplacer, on ne peut changer d’empreinte ou d’iris. L’Autorité indienne d’identification unique (UIDAI), qui gère l’Aadhaar, prévoit bien que l’on puisse bloquer l’utilisation de ses propres données biométriques sur demande, ce qui offre une solution de sécurisation temporaire. «Si un fraudeur essaie de les utiliser, on peut le repérer [grâce au réseau internet, ndlr] et l’arrêter», défend Ragavan Venkatesan, de la banque IDFC.

Mais cela risque de ne pas suffire en cas de recel de ces informations : la police vient d’interpeller un groupe de trafiquants qui étaient en possession des données bancaires de 10 millions d’Indiens, récupérées à travers des employés et sous-traitants, données qu’ils revendaient par paquets. Une femme âgée s’était déjà fait dérober 146 000 roupies (un peu plus de 2 000 euros) à cause de cette fraude.

Outil idéal

Le directeur de l’UIDAI assure qu’aucune fuite ni vol de données n’ont été rapportés à ce jour depuis leurs serveurs - ce qui ne garantit pas que cette confidentialité sera respectée par tous les autres acteurs qui y ont accès. En février, un chercheur en cybersécurité a alerté la police sur le fait que 500 000 numéros Aadhaar ainsi que les détails personnels de leurs propriétaires - exclusivement des mineurs - avaient été publiés en ligne. La loi sur l’Aadhaar punit de trois ans de prison le vol ou le recel de ces données. Ce texte adopté l’année dernière - soit six ans après le début de la collecte - empêche également leur utilisation à d’autres fins que l’authentification pour l’attribution de subventions et de services. Et l’UIDAI ne peut y accéder pleinement qu’en cas de risque pour la sécurité nationale, et selon une procédure spéciale.

Reste qu’il n’existe pas d’autorité, comme la Cnil en France, chargée de veiller de manière indépendante à ce que ces lignes rouges ne soient pas franchies par un Etat à la recherche de nouveaux moyens de renseignement. Car les experts s’accordent sur ce point : le biométrique est un outil idéal pour surveiller une population.

En 2010, le gouvernement britannique avait d’ailleurs mis fin à son projet de carte d’identité biométrique, estimant que le taux d’erreurs dans l’authentification était trop élevé et le risque d’atteinte aux libertés trop important. Les Indiens, souvent subjugués par les nouvelles technologies pour résoudre leurs problèmes sociaux, ne semblent pas prêts de revenir en arrière. Surtout si cela peut en plus servir à mieux ficher un pays menacé par un terrorisme régional et local.

For more details visit https://cis-india.org/internet-governance/news/en-inde-le-biometrique-version-tres-grand-public

Emerging Technologies: Issues & Way Forward

Admin — 2018-05-26T00:39:11Z

Aayush Rathi and Gurshabad Grover attended a two day conference on 'Emerging Technologies: Issues & Way Forward' organised by the Technology Policy team at the National Institute of Public Finance and Policy (NIPFP), held on 23rd and 24th May in Bangalore.

The themes for discussion included:

Privacy, surveillance and data protection
Regulation of emerging technologies
Building sound regulators for technology policy, and
Fintech regulation

Click here to read the agenda

For more details visit https://cis-india.org/internet-governance/news/emerging-technologies-issues-way-forward

Emerging Issues in the Internet of Things

Admin — 2017-10-03T01:53:25Z

Andrew Rens will give a talk about research that he is doing at the Internet Governance Lab on October 23, 2017 at the Centre for Internet & Society in Bengaluru.

It seems almost anything can be connected to the Internet: 3D printers, cars, traffic lights and even toasters. This proliferation of Internet enabled devices, the Internet of Things (IoT), raises a cloud of complex problems, of ownership and control, privacy and surveillance, ubiquity and network fragility. IoT doesn't just promise efficiency; cheap sensors and printers might put scientific research and customized manufacturing in the hands of millions more people. The governance of the IoT, exhibits the same super complexity as Internet governance generally; with multiple sites of governance and actors operating across legal borders. Legal regulation, standards and the architecture of technology determine how the IoT is configured and how it will be reconfigured in response to these problems. Where is the technology governance of the IoT currently taking shape? What forces will likely bear on the governance of the IoT? What role will permissionless innovation play, and what its limits? How will intellectual property laws complicate the IoT?"

The event, overall, is expected to be a thought provoking one for discussion on things related to IoT.

For more details visit https://cis-india.org/internet-governance/events/emerging-issues-in-the-internet-of-things

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns

Eight Key Privacy Events in India in the Year 2015

Amber Sinha — 2016-01-03T05:43:42Z

As the year draws to a close, we are enumerating some of the key privacy related events in India that transpired in 2015. Much like the last few years, this year, too, was an eventful one in the context of privacy.

While we did not witness, as one had hoped, any progress in the passage of a privacy law, the year saw significant developments with respect to the ongoing Aadhaar case. The statement by the Attorney General, India's foremost law officer, that there is a lack of clarity over whether the right to privacy is a fundamental right, and the fact the the matter is yet unresolved was a huge setback to the jurisprudence on privacy. [1] However, the court has recognised a purpose limitation as applicable into the Aadhaar scheme, limiting the sharing of any information collected during the enrollment of residents in UID. A draft Encryption Policy was released and almost immediately withdrawn in the face of severe public backlash, and an updated Human DNA Profiling Bill was made available for comments. Prime Minister Narendra Modi's much publicised project "Digital India" was in news throughout the year, and it also attracted its' fair share of criticism in light of the lack of privacy safeguards it offered. Internationally, a lawsuit brought by Maximilian Schrems, an Austrian privacy activist, dealt a body blow to the fifteen year old Safe Harbour Framework in place for data transfers between EU and USA. Below, we look at what were, according to us, the eight most important privacy events in India, in 2015.

1. August 11, 2015 order on Aadhaar not being compulsory

In 2012, a writ petition was filed by Judge K S Puttaswamy challenging the government's policy in its attempt to enroll all residents of India in the UID project and linking the Aadhaar card with various government services. A number of other petitioners who filed cases against the Aadhaar scheme have also been linked with this petition and the court has been hearing them together. On September 11, 2015, the Supreme Court reiterated its position in earlier orders made on September 23, 2013 and March 24, 2014 stating that the Aadhaar card shall not be made compulsory for any government services. [2] Building on its earlier position, the court passed the following orders:

a) The government must give wide publicity in the media that it was not mandatory for a resident to obtain an Aadhaar card,

b) The production of an Aadhaar card would not be a condition for obtaining any benefits otherwise due to a citizen,

c) Aadhaar card would not be used for any purpose other than the PDS Scheme, for distribution of foodgrains and cooking fuel such as kerosene and for the LPG distribution scheme.

d) The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation.[3]

Despite this being the fifth court order given by the Supreme Court[4] stating that the Aadhaar card cannot be a mandatory requirement for access to government services or subsidies, repeated violations continue. One of the violations which has been widely reported is the continued requirement of an Aadhaar number to set up a Digital Locker account which also led to activist, Sudhir Yadav filing a petition in the Supreme Court.[5]

2. No Right to Privacy - Attorney General to SC

The Attorney General, Mukul Rohatgi argued before the Supreme Court in the Aadhaar case that the Constitution of India did not provide for a fundamental Right to Privacy.[6] He referred to the body of case in the Supreme Court dealing with this issue and made a reference to the 1954 case, MP Sharma v. Satish Chandra[7] stating that there was "clear divergence of opinion" on the Right to Privacy and termed it as "a classic case of unclear position of law." He also referred to the discussion on this matter in the Constitutional Assembly Debates and pointed to the fact the framers of the Constitution did not intend for this to be a fundamental right. He said the matter needed to be referred to a nine judge Constitution bench.[8] This raises serious questions over the jurisprudence developed by the Supreme Court on the right to privacy over the last five decades. The matter is currently pending resolution by a larger bench which needs to be constituted by the Chief Justice of India.

3. Shreya Singhal judgment and Section 69A, IT Act

In the much celebrated judgment, Shreya Singhal v. Union of India, in March 2015, the Supreme Court struck down Section 66A of the Information Technology Act, 2000 as unconstitutional and laid down guidelines for online takedowns under the Internet intermediary rules. However, significantly, the court also upheld Section 69A and the blocking rules under this provision. It was held to be a narrowly-drawn provision with adequate safeguards. The rules prescribe a procedure for blocking which involves receipt of a blocking request, examination of the request by the Committee and a review committee which performs oversight functions. However, commentators have pointed to the opacity of the process in the rules under this provisions. While the rules mandate that a hearing is given to the originator of the content, this safeguard is widely disregarded. The judgment did not discuss Section 69 of the Information Technology Act, 2000 which deal with decrypting of electronic communication, however, the Department of Electronic and Information Technology brought up this issue subsequently, through a Draft Encryption Policy, discussed below.

4. Circulation and recall of Draft Encryption Policy

On October 19, 2015, the Department of Electronic and Information Technology (DeitY) released for public comment a draft National Encryption Policy. The draft received an immediate and severe backlash from commentators, and was withdrawn by September 22, 2015. [9] The government blamed a junior official for the poor drafting of the document and noted that it had been released without a review by the Telecom Minister, Ravi Shankar Prasad and other senior officials.[10] The main areas of contention were a requirement that individuals store plain text versions of all encrypted communication for a period of 90 days, to be made available to law enforcement agencies on demand; the government's right to prescribe key-strength, algorithms and ciphers; and only government-notified encryption products and vendors registered with the government being allowed to be used for encryption.[11] The purport of the above was to limit the ways in which citizens could encrypt electronic communication, and to allow adequate access to law enforcement agencies. The requirement to keep all encrypted information in plain text format for a period of 90 days garnered particular criticism as it would allow for creation of a 'honeypot' of unencrypted data, which could attract theft and attacks.[12] The withdrawal of the draft policy is not the final chapter in this story, as the Telecom Minister has promised that the Department will come back with a revised policy. [13] This attempt to put restrictions on use of encryption technologies is not only in line with a host of surveillance initiatives that have mushroomed in India in the last few years,[14] but also finds resonance with a global trend which has seen various governments and law enforcement organisations argue against encryption. [15]

5. Privacy concerns raised about Digital India

The Digital India initiative includes over thirty Mission Mode Projects in various stages of implementation. [16] All of these projects entail collection of vast quantities of personally identifiable information of the citizens. However, most of these initiatives do not have clearly laid down privacy policies.[17] There is also a lack of properly articulated access control mechanisms and doubts over important issues such as data ownership owing to most projects involving public private partnership which involves private organisation collecting, processing and retaining large amounts of data. [18] Ahead of Prime Minister Modi's visit to the US, over 100 hundred prominent US based academics released a statement raising concerns about "lack of safeguards about privacy of information, and thus its potential for abuse" in the Digital India project. [19] It has been pointed out that the initiatives could enable a "cradle-to-grave digital identity that is unique, lifelong, and authenticable, and it plans to widely use the already mired in controversy Aadhaar program as the identification system." [20]

6. Issues with Human DNA Profiling Bill, 2015

The Human DNA Profiling Bill, 2015 envisions the creation of national and regional DNA databases comprising DNA profiles of the categories of persons specified in the Bill.[21] The categories include offenders, suspects, missing persons, unknown deceased persons, volunteers and such other categories specified by the DNA Profiling Board which has oversight over these banks. The Bill grants wide discretionary powers to the Board to introduce new DNA indices and make DNA profiles available for new purposes it may deem fit. [22] These, and the lack of proper safeguards surrounding issues like consent, retention and collection pose serious privacy risks if the Bill becomes a law. Significantly, there is no element of purpose limitation in the proposed law, which would allow the DNA samples to be re-used for unspecified purposes.[23]

7. Impact of the Schrems ruling on India

In Schrems v. Data Protection Commissioner, the Court of Justice in European Union (CJEU) annulled the Commission Decision 2000/520 according to which US data protection rules were deemed sufficient to satisfy EU privacy rules enabling transfers of personal data from EU to US, otherwise known as the 'Safe Harbour' framework. The court ruled that broad formulations of derogations on grounds of national security, public interest and law enforcement in place in the US goes beyond the test of proportionality and necessity under the Data Protection rules.[24] This judgment could also have implications for the data processing industry in India. For a few years now, a framework similar to the Safe Harbour has been under discussion for transfer of data between India and EU. The lack of a privacy legislation has been among the significant hurdles in arriving at a framework.[25] In the absence of a Safe Harbour framework, the companies in India rely on alternate mechanisms such as Binding Corporate Rules (BCR) or Model Contractual Clauses. These contracts impose the obligation on the data exporters and importers to ensure that 'adequate level of data protection' is provided. The Schrems judgement makes it clear that 'adequate level of data protection' entails a regime that is 'essentially equivalent' to that envisioned under Directive 95/46.[26] What this means is that any new framework of protection between EU and other countries like US or India will necessarily have to meet this test of essential equivalence. The PRISM programme in the US and a host of surveillance programmes that have been initiated by the government in India in the last few years could pose problems in satisfying this test of essential equivalence as they do not conform to the proportionality and necessity principles.

8. The definition of "unfair trade practices" in the Consumer Protection Bill, 2015

The Consumer Protection Bill, 2015, tabled in the Parliament towards the end of the monsoon session[27] has introduced an expansive definition of the term "unfair trade practices." The definition as per the Bill includes the disclosure "to any other person any personal information given in confidence by the consumer."[28] This clause exclude from the scope of unfair trade practices, disclosures under provisions of any law in force or in public interest. This provision could have significant impact on the personal data protection law in India. Currently, the only law governing data protection law are the Reasonable security practices and procedures and sensitive personal data or information Rules, 2011[29] prescribed under Section 43A of the Information Technology Act, 2000. Under these rules, sensitive personal data or information is protected in that their disclosure requires prior permission from the data subject. [30] For other kinds of personal information not categorized as sensitive personal data or information, the only recourse of data subjects in case to claim breach of the terms of privacy policy which constitutes a lawful contract. [31] The Consumer Protection Bill, 2015, if enacted as law, could significantly expand the scope of protection available to data subjects. First, unlike the Section 43A rules, the provisions of the Bill would be applicable to physical as well as electronic collection of personal information. Second, disclosure to a third party of personal information other than sensitive personal data or information could also have similar 'prior permission' criteria under the Bill, if it can be shown that the information was shared by the consumer in confidence.

What we see above are events largely built around a few trends that we have been witnessing in the context of privacy in India, in particular and across the world, in general. Lack of privacy safeguards in initiatives like the Aadhaar project and Digital India is symptomatic of policies that are not comprehensive in their scope, and consequently fail to address key concerns. Dr Usha Ramanathan has called these policies "powerpoint based policies" which are implemented based on proposals which are superficial in their scope and do not give due regard to their impact on a host of issues. [32] Second, the privacy concerns posed by the draft Encryption Policy and the Human DNA Profiling Bill point to the motive of surveillance that is in line with other projects introduced with the intent to protect and preserve national security. [33] Third, the incidents that championed the cause of privacy like the Schrems judgment have largely been initiated by activists and civil society actors, and have typically entailed the involvement of the judiciary, often the single recourse of actors in the campaign for the protection of civil rights. It must be noted that jurisprudence on the right to privacy in India has not moved beyond the guidelines set forth by the Supreme Court in PUCL v. Union of India.[34] However, new mass surveillance programmes and massive collection of personal data by both public and private parties through various schemes mandated a re-look at the standards laid down twenty years ago. The privacy issue pending resolution by a larger bench in the Aadhaar case affords an opportunity to revisit those principles in light of how surveillance has changed in the last two decades and strengthen privacy and data protection.

^{^[1]} Right to Privacy not a fundamental right, cannot be invoked to scrap Aadhar: Centre tells Supreme Court, available at http://articles.economictimes.indiatimes.com/2015-07-23/news/64773078_1_fundamental-right-attorney-general-mukul-rohatgi-privacy

^{^[2]} SC allows govt to link Aadhaar card with PDS and LPG subsidies, available at http://timesofindia.indiatimes.com/india/SC-allows-govt-to-link-Aadhaar-card-with-PDS-and-LPG-subsidies/articleshow/48436223.cms

^{^[3]} http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

^{^[4]} Five SC Orders Later, Aadhaar Requirement Continues to Haunt Many, available at http://thewire.in/2015/09/19/five-sc-orders-later-aadhaar-requirement-continues-to-haunt-many-11065/

[5] Digital Locker scheme challenged in Supreme Court, available at http://www.moneylife.in/article/digital-locker-scheme-challenged-in-supreme-court/42607.html

^{^[6]} Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise, available at http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise

^{^[7]} 1954 SCR 1077.

^{^[8]} Supra Note 1.

^{^[9]} Government to withdraw draft encryption policy, available at http://www.thehindu.com/news/national/govt-to-withdraw-draft-encryption-policy/article7677348.ece

^{^[10]} Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad, available at http://economictimes.indiatimes.com/articleshow/49068406.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

^{^[11]} Updated: India's draft encryption policy puts user privacy in danger, available at http://www.medianama.com/2015/09/223-india-draft-encryption-policy/

^{^[12]} Bhairav Acharya, The short-lived adventure of India's encryption policy, available at http://notacoda.net/2015/10/10/the-short-lived-adventure-of-indias-encryption-policy/

^{^[13]} Supra Note 9.

^{^[14]} Maria Xynou, Big democracy, big surveillance: India's surveillance state, available at https://www.opendemocracy.net/opensecurity/maria-xynou/big-democracy-big-surveillance-indias-surveillance-state

^{^[15]} China passes controversial anti-terrorism law to access encrypted user accounts, available at http://www.theverge.com/2015/12/27/10670346/china-passes-law-to-access-encrypted-communications ; Police renew call against encryption technology that can help hide terrorists, available at http://www.washingtontimes.com/news/2015/nov/16/paris-terror-attacks-renew-encryption-technology-s/?page=all .

^{^[16]} http://www.mmp.cips.org.in/digital-india/

[17] http://slides.com/cisindia/big-data-in-indian-governance-preliminary-findings#/

^{^[18]} Indira Jaising, Digital India Schemes Must Be Preceded by a Data Protection and Privacy Law, available at http://thewire.in/2015/07/04/digital-india-schemes-must-be-preceded-by-a-data-protection-and-privacy-law-5471/

^{^[19]} US academics raise privacy concerns over 'Digital India' campaign, available at http://yourstory.com/2015/08/us-digital-india-campaign/

^{^[20]} Lisa Hayes, Digital India's Impact on Privacy: Aadhaar numbers, biometrics, and more, available at https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/

^{^[21]} http://www.prsindia.org/uploads/media//draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf

^{^[22]} Comments on India's Human DNA Profiling Bill (June 2015 version), available at http://www.genewatch.org/uploads/f03c6d66a9b354535738483c1c3d49e4/IndiaDNABill_FGPI_15.pdf

^{^[23]} Elonnai Hickok, Vanya Rakesh and Vipul Kharbanda, CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015, available at http://cis-india.org/internet-governance/blog/cis-comments-and-recommendations-to-human-dna-profiling-bill-2015

^{^[24]} http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

^{^[25]} Jyoti Pandey, Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India, available at http://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

^{^[26]} Simon Cox, Case Watch: Making Sense of the Schrems Ruling on Data Transfer, available at https://www.opensocietyfoundations.org/voices/case-watch-making-sense-schrems-ruling-data-transfer

^{^[27]} http://www.prsindia.org/billtrack/the-consumer-protection-bill-2015-3965/

^{^[28]} Section 2(41) (I) of the Consumer Protection Bill, 2015.

^{^[29]} http://www.ijlt.in/pdffiles/IT-%28Reasonable%20Security%20Practices%29-Rules-2011.pdf

^{^[30]} Rule 6 of Reasonable security practices and procedures and sensitive personal data or information Rules, 2011

^{^[31]} Rule 4 of Reasonable security practices and procedures and sensitive personal data or information Rules, 2011

^{^[32]} http://cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology

^{^[33]} Supra Note 11.

^{^[34]} Chaitanya Ramachandra, PUCL V. Union of India Revisited: Why India's Sureveillance Law must be redesigned for the Digital Age, available at http://nujslawreview.org/wp-content/uploads/2015/10/Chaitanya-Ramachandran.pdf

For more details visit https://cis-india.org/internet-governance/blog/eight-key-privacy-events-in-india-in-the-year-2015

Economics of Cyber Security Part I

Admin — 2018-12-31T01:25:46Z

For more details visit https://cis-india.org/internet-governance/files/economics-of-cyber-security-part-i

Economic, social and cultural rights in India: Opportunities for advocacy in intellectual property rights

praskrishna — 2017-04-20T16:36:46Z

For more details visit https://cis-india.org/openness/files/economic-social-and-cultural-rights-in-india-opportunities-for-advocacy-in-intellectual-property-rights

Economic, social and cultural rights in India: FOSS

praskrishna — 2017-04-23T05:14:13Z

For more details visit https://cis-india.org/openness/files/economic-social-and-cultural-rights-in-india-foss

ออกแบบระบบข้อมูลประชาชนดิจิทัล: คุยกับผู้เชี่ยวชาญหาแนวทางเหมาะสม

Admin — 2019-07-21T14:32:25Z

Talk with Sunil Abraham, an expert on the Internet and good governance in the issue of creating a digital identification system.

What should you think before doing a national database? Transparency should be inversely proportional to the power of the person. The state must provide information as well. Not the only store Database technology and public surveillance are not the same. Otherwise the entire system will crash How important is democracy in making good information systems? Read the interview published by Prachatai on July 18, 2019 below

คุยกับสุนิล อับราฮัม ผู้เชี่ยวชาญเรื่องอินเทอร์เน็ตและธรรมาภิบาลในประเด็นการจัดทำระบบข้อมูลประจำตัวประชาชนแบบดิจิทัล ควรคิดอะไรก่อนทำฐานข้อมูลประชาชนระดับชาติ ความโปร่งใสควรแปรผกผันกับอำนาจของบุคคล รัฐต้องให้ข้อมูลด้วย ไม่ใช่เก็บอย่างเดียว เทคโนโลยีฐานข้อมูลกับการสอดส่องประชาชนไม่ใช่เรื่องเดียวกัน ไม่เช่นนั้นพังทั้งระบบ ประชาธิปไตยสำคัญอย่างไรกับการทำระบบข้อมูลที่ดี

หนึ่งในบทสนทนาที่มีในปัจจุบันคือการนำข้อมูลประชาชนขึ้นสู่ระบบดิจิทัล เทคโนโลยีการบริหารจัดการข้อมูลอย่างระบบฐานข้อมูลดิจิทัลไปจนถึงโครงข่ายออนไลน์แบบบลอกเชนทำให้จินตนาการดังกล่าวเป็นรูปเป็นร่างขึ้น

แต่เมื่อถอยกลับไปมองภาพใหญ่จะพบว่าเรื่องทางเทคนิคเป็นเพียงหนึ่งเม็ดทรายบนชายหาด ยังมีข้อควรคำนึงถึงเยอะแยะหยุมหยิมไปหมดทั้งในเรื่องกฎหมาย ความพร้อมของผู้บังคับใช้กฎหมาย ภาคธุรกิจและประชาชนที่ต้องคำนึงถึงเรื่องพฤติกรรม บรรทัดฐานของสังคม และคำถามสำคัญที่ว่าระบบดังกล่าวจะถูกใช้ในการเฝ้าระวัง สอดแนมประชาชนหรือไม่ เพราะประเทศเผด็จการที่คนไทยหลายคนยกย่องอย่างจีน ก็ใช้ข้อมูลอัตลักษณ์ประชาชนถึงขั้นคุมความประพฤติกันด้วยระบบคะแนนได้แล้ว

แม้ยังไม่เกิดในไทยแต่ก็ไม่ได้แปลว่าเป็นไปไม่ได้ ความกังวลของชาว 14 อำเภอและสามจังหวัดชายแดนใต้เมื่อมีข้อความ SMS จากกองอำนวยการรักษาความมั่นคงภายใน (กอ.รมน.) ให้ไปสแกนใบหน้าเพื่อลงทะเบียนซิมการ์ดตามประกาศของ กสทช. เป็นหนึ่งในภาพสะท้อนจากพื้นที่ที่ความมั่นคงหลอมรวมอยู่ในการใช้ชีวิตประจำวันที่ชัดเจน ปัญหาของการทำระบบนั้นยืนอยู่บนคำถามใหญ่ว่า “ทำอย่างไร” และ “เพื่ออะไร” หากกิจวัตรประจำวันของคนทั้งประความมั่นคงจะกลายเป็นองค์ประกอบในเทศ

สุนิล อับบราฮัม ผู้อำนวย (ผอ.) การบริหารจากศูนย์เพื่ออินเทอร์เน็ตและสังคมจากประเทศอินเดีย ให้สัมภาษณ์ประชาไทในเรื่องรูปร่างหน้าตาของระบบพิสูจน์อัตลักษณ์บุคคลดิจิทัลว่าควรเป็นแบบไหน อะไรที่ต้องคำนึงถึงและถามกันบ่อยๆ เมื่อจะออกแบบระบบ การเฝ้าระวังอาชญากรรมและปัญหาความมั่นคงทำได้แค่ไหน และการเป็นประชาธิปไตยเกี่ยวอะไรกับการมีระบบข้อมูลประชาชนดิจิทัลที่ดี

ประชาไท: ระบบข้อมูลประชาชนดิจิทัลคืออะไร

สุนิล: เดิมทีบัตรประชาชนเป็นวัตถุทางกายภาพ ส่วนมากก็เป็นกระดาษและมันก็มีข้อน่าห่วงมากๆ ในเรื่องความปลอดภัย เพราะว่ารัฐและบริษัทเอกชนต่างใช้บัตรประชาชนเพื่อไปถ่ายสำเนา อันนี้ผมได้ยินว่าในบริบทของไทยก็ถือเป็นเรื่องปกติเช่นกัน สิ่งที่คุณต้องการจริงๆ คือวิธีที่จะทำให้ภาครัฐและเอกชนยืนยันตัวตนโดยไม่ต้องเก็บข้อมูลจากคุณมากจนเกินไป

ในทางอุดมคตินั้นระบบเอกสารประจำตัวที่ดี ควรที่จะทำให้การยืนยันรายละเอียดของคุณอย่างพวกที่อยู่ อายุ สถานะจน-รวย โดยไม่ต้องเก็บข้อมูล (อื่นๆ) ที่ไม่จำเป็นรวมถึงเลขบัตรประชาชนด้วย แม้แต่เลขประจำตัวประชาชนของคุณก็ไม่ควรจะถูกเก็บไปโดยองค์กรอื่นๆ โดยไม่มีความจำเป็น

ปัจจุบันเรามีทางเลือกสองแบบ มีตัวอย่างในแคนาดา สหราชอาณาจักร หรือแม้แต่ในไทยที่กำลังทำ โครงการระบบพิสูจน์ตัวตนอิเลกทรอนิคส์แห่งชาติ หรือ National Digital ID (NDID) คุณคิดถึงวิธีแก้ปัญหาเรื่องระบบเอกสารประจำตัวในฐานะระบบนิเวศที่จะให้ตัวแสดงในระบบนิเวศยืนยันข้อมูลประจำตัวและเก็บข้อมูลของปัจเจกผ่านระบบการจัดการการยินยอมที่ดี (consent management)

(แต่) ก็มีหลายประเทศที่มีหน่วยงานจัดทำระบบฐานข้อมูลประชาชนแห่งชาติแบบรวมศูนย์ แล้วก็กลายเป็นจุดล้มเหลวจุดเดียว (Single Point of Failure - SPOF) ของระบบในประเทศ นี่จึงเป็นตัวเลือกใหญ่ๆ ที่แต่ละประเทศมี คือจะใช้วิธีจัดการแบบระบบนิเวศที่คิดถึงทุกอย่างแบบเป็นองค์รวม หรือมองว่าประเทศหนึ่งประเทศก็เหมือนกับบริษัทหรือมหาวิทยาลัย อะไรที่ใช้ได้กับบริษัทหรือมหาวิทยาลัยก็ใช้แบบนั้นกับประเทศทั้งประเทศ

แต่ละวิธีมีข้อเสียต่างกันอย่างไร

ในทางวิทยาศาสตร์คอมพิวเตอร์และวิศวกรรมคอมพิวเตอร์ ผู้เชี่ยวชาญทุกคนจะบอกว่าไม่มีระบบไหนที่ถูกแฮ็กไม่ได้ แต่ระหว่างสองตัวเลือกนี้มีความแตกต่างอย่างมาก ในโมเดลระบบนิเวศจะไม่มีจุดล้มเหลวจุดเดียวและการเจาะระบบนี้ก็มีต้นทุนสูงกว่าระบบแบบรวมศูนย์ แม้แต่การฟื้นฟูและรักษาข้อมูลที่หายไปก็ทำได้ถูกกว่าด้วย แต่ในระบบแบบรวมศูนย์นั้น ทุกคนจะได้รับผลกระทบเมื่อมีการเจาะเข้าไปได้ และส่วนมากการโจมตีจุดที่ล้มเหลวจุดเดียวก็มีต้นทุนน้อยกว่า

กระแสโลกที่มีต่อการทำข้อมูลประชาชนดิจิทัลคืออะไร

แนวโน้มใหญ่ๆ ของโลกคือมีบางบริษัทที่ขายเทคโนโลยีไบโอเมทริกซ์ (การใช้ข้อมูลทางชีวภาพ เช่น ลักษณะทางกายภาพอย่างม่านตา ลายนิ้วมือ ดีเอ็นเอ ใบหน้าเพื่อตรวจสิทธิหรือแสดงตน) ที่โดยพื้นฐานแล้วเป็นเทคโนโลยีแบบควบคุมจากระยะไกลและไม่ต้องใช้ความยินยอมของเจ้าของข้อมูล เพราะเวลาที่มีการสแกนใบหน้าหรือม่านตาเพื่อยืนยันตัวตนนั้น เจ้าของข้อมูลอาจจะไม่รู้ ผู้ใช้งานอาจจะสแกนจากระยะไกลด้วยกล้องความคมชัดสูง และการเก็บข้อมูลอัตลักษณ์ก็เก็บได้ขณะที่เจ้าของนอนหลับหรือหมดสติ

เทคโนโลยีไบโอเมทริกซ์เป็นเทคโนโลยีการเฝ้าระวังที่ดีมากเมื่อรัฐบาลต้องการต่อกรกับอาชญากรรมหรือบังคับใช้กฎหมาย อย่างไรก็ตาม เทคโนโลยีการเฝ้าระวังไม่ใช่เทคโนโลยีข้อมูลประจำตัวที่ดี โชคร้ายที่บริษัทใหญ่ๆ ที่ขายระบบเฝ้าระวังได้เดินทางไปทั่วโลกและบอกกับรัฐบาลต่างๆ ว่าพวกคุณสามารถแก้ปัญหาเรื่องเอกสารข้อมู,และความมั่นคงได้พร้อมกันด้วยเทคโนโลยีเฝ้าระวังซึ่งมันไม่จริง

ถ้าคุณใช้เทคโนโลยีการเฝ้าระวังมาสร้างระบบข้อมูลประชาชน นั่นหมายความว่าคุณยิ่งไปสร้างความเสี่ยงด้านความมั่นคงเข้าไปอีก เพราะคุณสร้างสิ่งที่เรียกว่า ‘ไหน้ำผึ้ง’ หมายถึงว่ามีจุดๆ หนึ่งที่เก็บข้อมูลลายนิ้วมือ ใบหน้าหรือม่านตาของทุกๆ คน แล้วถ้าระบบนั้นมีจุดที่ล้มเหลวขึ้นมาเพียงจุดเดียว ลองนึกถึงระบบอินเทอร์เน็ตที่เก็บพาสเวิร์ดของทุกคนเอาไว้ในเซิฟเวอร์เดียวกัน มันก็เป็นความเสี่ยงนั้น

เทคโนโลยีไบโอเมทริกซ์นั้นควรใช้ในระบบแบบไม่รวมศูนย์ คุณสามารถเก็บข้อมูลทางชีวภาพจากประชาชนได้ แต่ควรเก็บมันเอาไว้ในชิปสมาร์ทการ์ดของแต่ละคน อย่างระบบสแกนใบหน้าของไอโฟนที่ไม่มีเซิฟเวอร์เก็บข้อมูลใบหน้า แต่อาศัยพื้นที่บนโทรศัพท์มือถือของผู้ใช้งานให้เก็บข้อมูลเหล่านั้นเอง

บางประเทศมีสมาร์ทการ์ดที่มีแม้กระทั่งเครื่องอ่านลายนิ้วมือบนบัตร ที่คุณต้องทำก็คือใส่สมาร์ทการ์ดเข้าไปในเครื่องอ่าน จากนั้นคุณก็วางนิ้วมือลงบนสมาร์ทการ์ดโดยไม่ต้องเอานิ้วไปแปะที่อุปกรณ์อื่นของรัฐหรือเอกชน นั่นเป็นวิธีการใช้งานไบโอเมทริกซ์ที่ถูกต้องเพราะคุณใช้โบโอเมทริกซ์แบบที่ไม่อิงอยู่กับการเฝ้าระวัง

แปลว่าแนวโน้มระบบข้อมูลประชาชนของรัฐส่วนใหญ่อยู่กับฐานคิดการเฝ้าระวังใช่ไหม

ใช่แล้ว ความมั่นคงแห่งชาติและการเฝ้าระวังถูกจัดเป็นความสำคัญอันดับต้นๆ ซึ่งนั่นไม่ใช่แนวทางในการออกแบบระบบฐานข้อมูลประจำตัวประชาชนแบบ e-governance (ธรรมาภิบาลอิเล็คโทรนิกส์) การเฝ้าระวังนั้นสำคัญมากสำหรับสังคม แต่มันก็เหมือนเกลือในอาหาร คุณไม่สามารถกินอาหารได้โดยไม่มีเกลืออยู่ในนั้นนิดหน่อย คุณไม่สามารถมีประเทศที่ปลอดภัยหากไม่มีการเฝ้าระวัง แต่ถ้าคุณตัดสินใจตักเกลือห้าช้อนชาใส่ลงไปในอาหารเมื่อไหร่ อาหารก็เป็นพิษ เรื่องการเฝ้าระวังก็เช่นกัน มันจำเป็นในปริมาณน้อย แต่จะมีผลย้อนกลับหากมีมากเกินไป

แล้วแนวทางที่ดีที่สุดควรเป็นแบบไหน

ควรใช้ระบบและมาตรฐานแบบเปิด (open source and open standard) เพราะคุณจะสามารถพิสูจน์และตรวจสอบระบบได้ ถ้าคุณตรวจสอบหรือพิสูจน์ไม่ได้ นั่นหมายความว่าคุณจะไม่รู้ว่ามันทำงานอย่างไร ส่วนต่อไปคือข้อมูลที่ถูกขอและส่งต่อในระบบนิเวศเมื่อทำธุรกรรมจะต้องมีจำนวนน้อยที่สุด

อีกสิ่งที่จำเป็นคือ คุณต้องมี Human in the Loop (ความสัมพันธ์หรือปฏิสัมพันธ์ของมนุษย์ในระบบนั้น) หมายความว่า คุณควรรู้ว่าในขั้นตอนนั้นๆ มีเจ้าหน้าที่รัฐหรือพนักงานเอกชนคนไหนเป็นคนรับผิดชอบ และถ้ามีอะไรผิดพลาดคุณควรจะหาคนรับผิดรับชอบได้

ความรับผิดรับชอบนั้นแยกได้ว่า หนึ่ง เห็นตัวคนที่รับผิดชอบ สื่อมวลชนสามารถชี้นิ้วไปได้และบอกว่าคนนี้รับผิดชอบกับความผิดพลาดนั้น สอง การเป็นผู้จ่ายค่าปรับ ส่วนนี้สำคัญกับภาคเอกชน และสุดท้ายคือคนที่ต้องติดคุกหากมีเรื่องร้ายแรงเกิดขึ้น เช่นสิทธิมนุษยชนของบางคนได้รับผลกระทบ ดังนั้น เมื่อคุณจะออกแบบระบบฐานข้อมูลประจำตัว คุณต้องถามว่า ‘ใครเป็น Human in the loop’ นั่นเป็นกุญแจหลักของการออกแบบ

หลักการต่อไปของระบบข้อมูลประชาชนที่ดีคือต้องกระจายจากศูนย์กลาง ไม่ควรมีจุดล้มเหลวจุดใหญ่จุดเดียว การจัดการข้อมูลแบบระบบนิเวศนั้นดีกว่าการรวมศูนย์ นอกจากนั้นระบบควรจะรับมือและฟื้นตัวจากเหตุร้ายแรงที่สุดได้ ในระหว่างที่คุณออกแบบระบบก็ควรตั้งคำถามไปพลางว่า ถ้าระบบโดนแฮ็กจะทำอย่างไร หรือถ้าอาชญากรเอาระบบนี้ไปใช้ล่ะ คุณจำเป็นต้องคำนึงถึงความเป็นไปได้ที่ร้ายแรงที่สุดและต้องออกแบบระบบมารับมือมัน

แล้วมองในแง่สังคม คนทั่วไป คุณกังวลเรื่องอะไรบ้าง

ปัญหาหลักตอนนี้คือ แนวคิดที่รายล้อมระบบข้อมูลประชาชนดิจิทัลคือการย้ำให้พลเมืองต้องโปร่งใสกับรัฐ พวกเขา (รัฐ) ต้องการให้พลเมืองส่งข้อมูลทุกอย่างให้กับรัฐ แต่ว่ารัฐไม่ให้ข้อมูลใดๆ กับพลเมือง ในระบบข้อมูลประชาชนที่ดี รัฐควรจะมีความโปร่งใสกับพลเมือง

ผมจะยกตัวอย่างให้ฟัง สมมติว่าผมเป็นพนักงานรัฐที่ทุจริต ผมจะเขียนลงไปในบันทึกว่าคุณมาหาผมที่ออฟฟิศในวันนี้ นี่คือเลขประจำตัวประชาชนของคุณที่ขอกู้เงิน หรือไม่ก็ได้รับเงินอุดหนุนจำนวน 2,000 บาท ผมก็สามารถเอาเงิน 2,000 บาทเข้ากระเป๋าผมแบบไม่มีใครพิสูจน์ได้ และคุณก็ปฏิเสธไม่ได้ด้วย เพราะว่าเลขประจำตัวของคุณอยู่ในบันทึกของรัฐ แต่ถ้าคุณใช้มันให้ดี เราจะมีเครื่องอ่านสมาร์ทการ์ดที่พลเมืองจะใส่บัตรและกดรหัส หลังจากคุณดึงบัตรออกเจ้าหน้าที่ก็จะใส่สมาร์ทการ์ดของเขาเข้าไปและกดรหัส นั่นจะทำให้มีบันทึกในระบบอิเล็กโทรนิกส์และถูกเซ็นโดยเจ้าหน้าที่รัฐและพลเมือง จะไม่มีใครปฏิเสธได้แล้วว่ามีการพบกันจริงๆ ในระบบข้อมูลประจำตัวที่ดีนั้น ทั้งคู่จะต้องแสดงตัวตน แต่ในระบบที่ไม่ดีจะมีแต่เจ้าหน้าที่รัฐที่ถามหาหลักฐานประจำตัวและคุณจะไม่มีการบันทึกว่าเกิดอะไรขึ้นบ้าง

ความเป็นส่วนตัวและการคุ้มครองนั้นควรมีสัดส่วนแปรผันกับอำนาจ ความโปร่งใสและการกำกับควบคุมควรมีสัดส่วนโดยตรงกับอำนาจ คนที่มีอำนาจหรือคนรวยต้องมีความโปร่งใสมากกว่าคนอื่นและมีความเป็นส่วนตัวน้อยกว่าคนอื่น คนที่ไม่มีอำนาจหรือคนเปราะบางควรจะมีความเป็นส่วนตัวมากขึ้น

ถ้าคุณดูนโยบายด้านฐานข้อมูลแบบเปิด (โอเพ่นดาต้า) หรือกฎหมายเสรีภาพด้านข้อมูลข่าวสารจะพบว่าข้อมูลส่วนบุคคลเป็นข้อยกเว้นในกฎหมายเหล่านั้น ข้อมูลรัฐที่ไม่เป็นส่วนตัวเท่านั้นที่สามารถถูกแบ่งปันกันได้ในโอเพ่นดาต้า แต่ถ้าคุณไปดูกฎหมายความเป็นส่วนตัวก็จะพบว่ามีข้อยกเว้นในเรื่องประโยชน์ต่อสาธารณะ นั่นหมายความว่า ถ้าคุณเป็นเจ้าหน้าที่รัฐหรือนักการเมืองคนสำคัญ สิ่งที่คุณคุยในห้องนอนก็อาจสำคัญกับประเทศทั้งประเทศ นั่นหมายความว่าคุณไม่มีความเป็นส่วนตัวในการพูดคุยเรื่องลับ

ความเป็นส่วนตัวนั้นเป็นข้อยกเว้น แต่ผลประโยชน์สาธารณะมันเป็นข้อยกเว้นของข้อยกเว้นอีกที สมมติว่านายกฯ มีปัญหาสุขภาพร้ายแรงที่ทำให้เขาหรือเธอไม่เหมาะที่จะดำรงตำแหน่งอีกต่อไป ข้อมูลส่วนตัวนั้นก็เป็นข้อยกเว้นของข้อยกเว้น ถ้าการได้รู้ว่านายกฯ ป่วยหนักเป็นประโยชน์ต่อสาธารณะมันก็ควรถูกเปิดเผย การลองทำบททดสอบด้านผลประโยชน์สาธารณะน่าจะช่วยเรื่องการจัดการแกนสมมาตรเชิงอำนาจระหว่างกฎหมายสองชุด

ในการช่วยเหลือคนจน คุณควรมีกฎหมายความโปร่งใสและนโยบายโอเพ่นดาต้าที่ดี เพื่อคุ้มครองคนจนและคนเปราะบาง คุณต้องมีกฎหมายความเป็นส่วนตัว และถ้าคุณมีการทดสอบเรื่องผลประโยชน์สาธารณะในกฎหมายทั้งสองชุด กฎหมายเหล่านั้นก็จะไม่ถูกใช้ขูดรีดคนจน

ความมั่นคงจะอยู่ร่วมกับเสรีภาพและความเป็นส่วนตัวได้อย่างไร

กฎหมายข้อมูลประจำตัวดิจิทัลจะต้องมีสอดรับกับกฎหมายความเป็นส่วนตัวและนโยบายโอเพ่นดาต้า แต่ปัญหาก็คือกฎหมายความเป็นส่วนตัวยังเป็นเรื่องใหม่มากๆ ในภูมิภาคนี้ ไทยเพิ่งผ่าน พ.ร.บ. คุ้มครองข้อมูลส่วนบุคคล ที่อินเดียยังไม่มีในระดับชาติ ก็ยังคงมีงานที่ต้องทำอยู่ ศาลต้องทำหน้าที่หาคำนิยาม หน่วยงานกำกับดูแลต้องมีแนวทางกำกับที่จำเพาะมากๆ ภาคอุตสาหกรรมต้องมีแนวทางกำกับตัวเองและแนวปฏิบัติที่ดีที่สุด ภาคประชาสังคมเองก็ต้องช่วยภาคส่วนอื่นๆ ด้วยการถามคำถามหนักๆ

มันต้องใช้เวลา อย่างยุโรปก็มีเส้นทางการมีกฎหมายคุ้มครองข้อมูลยาวนานถึง 35 ปี นั่นเป็นเหตุผลที่ยุโรปมีการคุ้มครองที่ดีกว่า ในภูมิภาคของพวกเราก็จะใช้เวลาต่อสู้ถึง 35 ปีเช่นกัน ดังนั้น ประชาสังคมจะต้องเตรียมตัวในการต่อสู้เป็นเวลา 35 ปี และหลังจากนั้น ลูกหรือลูกของลูกเราจะเห็นระบบนิเวศข้อมูลประชาชนที่ปลอดภัยกว่านี้

รัฐบาลควรทำอะไรบ้าง

การผ่านกฎหมายอย่างเดียวนั้นไม่เพียงพอ ที่ (รัฐบาล) ทำในไทยคือแค่ผ่านกฎหมาย ตอนนี้คุณต้องสร้างคณะกรรมการที่เป็นอิสระ มีงบประมาณมากพอที่จะจ้างวิศวกรและนักกฎมายที่ดีที่สุด คณะกรรมการควรเริ่มบังคับใช้ข้อบังคับอย่างช้าๆ ศาลเองก็ควรพัฒนาองค์ความรู้ ผู้พิพากษาจะต้องเรียนรู้ว่าเกิดอะไรขึ้นบ้างในประเทศอื่นๆ ระบบกฎหมายต้องเตรียมพร้อมกับข้อกังวลใหม่ๆ

เทคโนโลยีช่วยได้แค่ไหน

เทคโนโลยีเป็นแค่ส่วนหนึ่งของการแก้ปัญหา คุณยังต้องกังวลเรื่องกฎหมายและบรรทัดฐานทางสังคม อะไรที่คนธรรมดาเขาทำกัน ถ้าทุกคนยังคงยินดีกับการส่งสำเนาบัตรประชาชน คุณก็ต้องไปเปลี่ยนมัน รัฐบาลมีประสบการณ์มากกับการยกระดับบรรทัดฐานทางสังคม

รัฐบาลต้องใช้อำนาจที่มีในการเปลี่ยนแนวปฏิบัติ เรื่องแนวทางการคุ้มครองความเป็นส่วนตัวก็เหมือนการสูบบุหรี่ พวกนักสูบส่วนมากก็รู้อยู่แล้วว่าการสูบบุหรี่นั้นทำให้เกิดมะเร็งและปัญหาอื่นๆ แต่ก็จะยังสูบต่อไปจนกว่าหมอจะบอกว่าเป็นมะเร็ง รัฐบาลก็ต้องทำให้พลเมืองเกิดความกลัวในสิ่งที่จะเกิดขึ้นเพื่อให้ประชาชนเลิกไม่เอาใจใส่เรื่องข้อมูลส่วนบุคคล

ส่วนสุดท้ายคือตลาด บรรษัทก็ต้องเริ่มสร้างนวัตกรรม เช่น ธนาคารควรออกมาพูดได้ว่าระบบของเราดีกว่าที่อื่น เราไม่ใช้ไบโอเมทริกซ์ เป็นต้น กฎหมายต้องทำให้เกิดการแข่งขันระหว่างบรรษัทในเรื่องความปลอดภัย ความเป็นส่วนตัว เมื่อเราเห็นบรรทัดฐาน กฎหมาย เทคโนโลยี และการแข่งขันทางเทคโนโลยี วันนั้นเราจะเริ่มเห็นทางออก ผมถึงบอกว่ามันจะใช้เวลา 30-40 ปี ไม่ก็นานกว่านั้น

ระบบข้อมูลประจำตัวดิจิทัลที่ดีเกี่ยวอะไรกับประเทศเป็นประชาธิปไตยไหม

ผู้คนถามคำถามยากๆ หลายคำถามในระบอบประชาธิปไตย และนั่นเป็นประโยชน์ แต่สิ่งที่เราต้องการจริงๆ คือประชาธิปไตยที่ปกครองโดยรัฐธรรมนูญ (Constitutional democracy) เพราะคุณไม่สามารถเดินไปถามคนทุกคนเพื่อหามติต่อคำถามทางเทคนิค

คุณต้องมีการอภิปรายสาธารณะที่โปร่งใสเยอะๆ แต่คุณไม่สามารถตัดสินใจกันด้วยการโหวต การไปถามว่า ‘มีกี่คนอยากใช้สแกนลายนิ้วมือ มีกี่คนอยากใช้สแกนใบหน้า’ ไม่ใช่วิธีออกแบบระบบข้อมูลประจำตัวดิจิทัล มันจะต้องวางอยู่บนหลักของรัฐธรรมนูญบางประการเช่นความถูกต้องตามกฎหมาย ความจำเป็น ความได้สัดส่วน หลังจากนั้นคุณจะต้องมีแนวทางที่เสนอโดยวิศวกรและนักกฎหมาย จากนั้นจึงให้มีการถกเถียงและอภิปราย

คุณตัดสินโดยอิงเสียงข้างมากไม่ได้เพียงเพราะคนส่วนมากบอกว่าพวกเขารู้สึกว่าการสแกนใบหน้ามันง่ายมาก คุณก็ไม่สามารถบอกว่าจะนำการสแกนใบหน้าไปใช้กับทุกอย่างเพียงเพราะมันปลดล็อกไอโฟนง่ายดี เพราะในวันพรุ่งนี้เทคโนโลยีเดียวกันอาจถูกนำไปใช้เพื่อสลายการชุมนุมก็ได้ แม้ทุกคนจะรักหลงการสแกนใบหน้าในประชาธิปไตยของคุณ แต่รัฐธรรมนูญยังคงต้องปฏิเสธมันและบอกว่ามันไม่จำเป็น ไม่ได้สัดส่วน มันควรถูกแบน หรือไม่ก็ใช้ในวัตถุประสงค์ที่จำเพาะ

ช่วยอธิบายว่าทำไมการเฝ้าระวังอาจเป็นการทำให้คนหลบเข้าไปอยู่ในมุมมืดมากขึ้น

มันเป็นผลที่เกิดขึ้นโดยไม่ตั้งใจ อย่างถ้าคุณไปบล็อกเนื้อหาที่คนชอบมากๆ คนก็อาจจะหันไปใช้ TOR หรือ VPN (วิธีการเข้าถึงเนื้อหาที่ถูกบล็อก) ซึ่งนั่นไม่ใช่ความตั้งใจของคุณ ถ้าคุณไม่พัฒนาระบบข้อมูลประชาชนที่ดี ประชาชนก็จะเริ่มทำตัวเหมือนอาชญากร แต่พวกเขาไม่ใช่อาชญากร เพียงแค่เขาไม่ชอบการออกแบบระบบเท่านั้น คุณไม่สามารถบังคับให้คนทำพฤติกรรมแบบนั้นหรือแบบนี้ได้ ดังนั้นการเป็นประชาธิปไตยจึงสำคัญ ในระหว่างที่คุณพัฒนาเทคโนโลยีคุณก็ควรถามพวกเขา (ผู้ใช้) ไปด้วยว่ามันใช้ได้หรือไม่ ทำให้เกิดการอภิปรายขึ้น

For more details visit https://cis-india.org/internet-governance/news/e2de2de01e41e1ae1ae23e30e1ae1ae02e49e2de21e39e25e1be23e30e0ae32e0ae19e14e34e08e34e17e31e25-e04e38e22e01e31e1ae1ce39e49e40e0ae35e48e22e27e0ae32e0de2be32e41e19e27e17e32e07e40e2be21e32e30e2ae21