Centre for Internet and Society

July 2013 Bulletin

praskrishna — 2013-08-21T09:30:32Z

Our newsletter for the month of July 2013 can be accessed below.

The Centre for Internet & Society (CIS) welcomes you to the seventh issue of its newsletter for the year 2013. In this issue we bring you a report on the Institute on Internet and Society held in the month of June, comments submitted by us to the Office of the Controller General of Patents Designs and Trademarks on the draft guidelines on computer related inventions, report from the fifth privacy roundtable meeting held in Kolkata, updates from Kannada Wikipedia workshops held in Hubli and Sagara, a report on Digital Humanities for higher education, media coverage, and information on our forthcoming events.

Archives of our newsletters are here. Our policies on Ethical Research Guidelines, Non-Discrimination and Equal Opportunities, Privacy, Terms of Website Use and Travel can be accessed here.

Jobs
CIS is inviting applications for the posts of Developer (NVDA Screen Reader Project). To apply for this post, send in your resume to Nirmita Narasimhan (nirmita@cis-india.org). CIS is also seeking applications for the post of Policy Associate (Internet Governance). To apply send your resume to Sunil Abraham (sunil@cis-india.org) and Pranesh Prakash (pranesh@cis-india.org).

Accessibility

CIS is doing two projects in partnership with the Hans Foundation. One is to create a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India and another for developing a screen reader and text-to- speech synthesizer for Indian languages:

National Resource Kit for Persons with Disabilities
CIS and the Centre for Law and Policy Research (CLPR) are working in this project. Draft chapters have been published. Feedback and comments are invited from readers for the chapters on Punjab, Uttarakhand, Maharashtra and Chandigarh:

The Punjab Chapter (by Anandhi Viswanathan, July 31, 2013).
The Uttarakhand Chapter (by Anandhi Viswanathan, July 31, 2013).
The Chandigarh Chapter (by CLPR, July 31, 2013).
The Maharashtra Chapter (by Anandhi Viswanathan, July 31, 2013).

Note: All the chapters published on the website are early drafts and will be reviewed and updated.

Access to Knowledge and Openness

The Wikimedia Foundation has given a grant to CIS to support and develop the growth of Indic language communities and projects by community collaborations and partnerships. This is being carried out by the Access to Knowledge team based in Delhi. CIS is also doing a project (Pervasive Technologies) on examining the relationship between production of pervasive technologies and intellectual property. CIS also promotes openness including open government data, open standards, open access, and free/libre/open source software through its Openness programme.

Access to Knowledge (Previously IP Reforms)

Comments

Comments on the Draft Guidelines for Computer Related Inventions (by Puneeth Nagaraj, July 31, 2013). The comments were submitted to the office of the Controller General of Patents Designs & Trademarks, Mumbai on July 26, 2013.

Event Participated

An International Conference on Interface between Intellectual Property and Competition Law (organized by ASSOCHAM, July 12, 2013). Nehaa Chaudhari participated in the conference and shares select notes in a blog post.

Access to Knowledge (Wikipedia)
The A2K team consists of three members based in Bangalore: T. Vishnu Vardhan, Dr. U.B. Pavanaja and Subhashish Panigrahi and one team member Nitika Tandon who is working from Delhi office.

Event Organised

A Kannada Wikipedia Workshop (organized by CIS-A2K team, July 21, 2013, Hubli). Dr. U.B. Pavanaja gave training to the participants on Wikipedia. Leading newspapers like the Times of India, Vijaya Karnataka, Deccan Herald, VijayaVani, Prajavani, Samyukta Karnataka and HosaDiganta covered the event. Scanned versions of the published articles can be viewed here.
A Kannada Wikipedia Workshop at Sagara (organized by CIS-A2K team, Sagara, July 28, 2013). Dr. U.B. Pavanaja gave a talk on Wikipedia and Kannada Wikipedia.

Event Co-organised

Telugu Wiki Academy at Centre for Good Governance (organized by CIS-A2K and Telegu Wikipedia Community, Centre for Good Governance, Jubilee Hills, Hyderabad, April 9, 2013). T. Vishnu Vardhan participated in this event.

Note: The event was organized in April but report got published only in July.

Event Participated

Free Software (organized by Free Software Movement of Karnataka in partnership with Jnana Vikas Institute of Technology, Bidadi, July 24, 2013). Dr. U.B. Pavanaja made a presentation on Wikipedia.

Ongoing Event

A Workshop on Posting Articles in Kannada on Wikipedia (organised by the Centre for Proficiency Development Placement Service, University of Mysore, CPDPS premises, Manasagangotri, August 6, 2013). Dr. U.B. Pavanaja is conducting a workshop. The announcement was made in an article by R. Krishna Kumar in the Hindu on August 2, 2013.

Press Coverage

Konkani Wikipedia next? (by Diana Fernandes, OHeralO, July 27, 2013). T. Vishnu Vardhan is quoted.

Openness

Events Organised

Delhi: Digital Activism in Europe (The Sarai Programme, Centre for the Study of Developing Societies, New Delhi, July 8, 2013). Bernadette Längle gave a talk about the hacker scene and digital activism in Europe, with a focus on the Chaos Computer Club.
Open Hardware Lab: Play & Invent + Bonus Film Screening (CIS, Bangalore, August 4, 2013). There was a film screening of Theremin: An Electronic Odyssey at the event.

Internet Governance

CIS began two projects earlier this year. The first one on facilitating research and events on surveillance and freedom of expression is with Privacy International and support from the International Development Research Centre, Canada. The second one on mapping cyber security actors in South Asia and South East Asia is with the Citizen Lab, Munk School of Global Affairs, University of Toronto and support from the International Development Research Centre, Canada:

SAFEGUARDS Project
Events Organised

Delhi: Learn to Secure Your Online Communication! (IIC, DU Campus, Delhi, July 6, 2013). A cryptoparty was held in Delhi.
Dharamsala: Learn to Secure Your Online Communication! (Dharamsala, July 13, 2013). A cryptoparty was held in Dharamsala. This was also covered in an article published in the Caravan on August 1, 2013.
Privacy Roundtable Meeting (co-organized by CIS, DSCI, and FICCI, Kolkata, July 13, 2013). An event report was written by Maria Xynou.
The Hackers Way of Reshaping Policies (CIS, Bangalore, August 2, 2012). Bernadette Langle gave a talk on privacy.

Events Participated In

Biometrics or bust? India's Identity Crisis (organised by the Oxford Internet Institute, Oxford University Press, July 2, 2013). Malavika Jayaram participated as a speaker on UID and Privacy.
DSCI Best Practices Meet 2013 (organized by DSCI, Anna Salai, Chennai, July 12, 2013). Kovey Coles attended the meeting.
Achieve Cyber Security Together (organized by the Confederation of Indian Industries, Chennai, July 13, 2013). Kovey Coles attended this event.

Ongoing / Upcoming Events

The Phishing Society: Why 'Facebook' is more dangerous than the Government Spying on You - A Talk by Maria Xynou (CIS, Bangalore, August 7, 2013). Maria Xynou will give a talk on phishing society.
Learn to Protect your Online Activities! (ACJ - Asian College of Journalism, Second Main Road (Behind M.S. Swaminathan Research Foundation), Taramani, Chennai, August 7, 2013).
Privacy Meeting: Brussels – Bangalore (CIS, Bangalore, August 14, 2013). Gertjan Boulet and Dariusz Kloza will give a talk on privacy.
Privacy Round Table, New Delhi (co-organised with FICCI and DSCI, FICCI, Federation House, Tansen Marg, New Delhi, August 24, 2013).

Columns

How Surveillance Works in India (by Pranesh Prakash, New York Times, July 10, 2013).
Can India Trust Its Government on Privacy? (by Pranesh Prakash, New York Times, July 11, 2013).
Parsing the Cyber Security Policy (by Chinmayi Arun, The Hoot, and cross-posted in Free Speech Initiative, July 13, 2013).

Blog Entries

The Difficult Balance of Transparent Surveillance (by Kovey Coles, July 10, 2013).
Moving Towards a Surveillance State (by Srinivas Atreya, July 15, 2013).
More than a Hundred Global Groups Make a Principled Stand against Surveillance (by Elonnai Hickok, July 31, 2013).
The Audacious ‘Right to Be Forgotten’ (by Kovey Coles, July 31, 2013).

Interview

An Interview with Reijo Aarnio: Maria Xynou conducted an interview with Reijo, the Finnish Data Protection Ombudsman.

Media Coverage

Google brings tabs to sneak advertisements into your inbox (by Indu Nandakumar, Economic Times, July 30, 2013). Sunil Abraham is quoted.
How the world’s largest democracy is preparing to snoop on its citizens (by Leslie D' Monte and Joji Thomas Philip, July 3, 2013). Sunil Abraham is quoted.
Geeks have a solution to digital surveillance in India: Cryptography (by Joanna Lobo, DNA, July 7, 2013). Pranesh Prakash is quoted.
India's centralised snooping system facing big delays (by Phil Muncaster, The Register, July 9, 2013). CIS is mentioned in this article.
India’s Central Monitoring System: Security can’t come at cost of privacy (by Danish Raza, FirstPost, July 10, 2013). Sunil Abraham is quoted.
Is CMS a Compromise of Your Security? (by Rohin Dharmakumar, Forbes India magazine, July 12, 2013). Sunil Abraham is quoted.
Snooping technology: Will CMS work in India? (by Pierre Fitter, FirstPost, July 17, 2013). Pranesh Prakash is quoted.
सावधान आपके प्रोफ़ाइल पर है पुलिस की नज़र! (by Parul Aggarwal, BBC, July 18, 2013). Pranesh Prakash is quoted.
Your life's an open Facebook (by Shikha Kumar, DNA, July 21, 2013). Sunil Abraham is quoted.
Concerns over central snoop (by Aloke Tikku, Hindustan Times, June 28, 2013). Sunil Abraham is quoted.
Your telco could help spy on you (by Joji Thomas Philip, Leslie D'Monte and Shauvik Ghosh, LiveMint, July 30, 2013). Sunil Abraham is quoted.

DNA Profiling Bill
A sub-committee has been constituted as per the recommendations of the Expert Committee of DNA Profiling Bill. The sub-committee will have a meeting in Hyderabad on August 6, 2013. Sunil Abraham is one of the members of the sub-committee.

Cyber Stewards Project
Laird Brown, a strategic planner and writer with core competencies on brand analysis, public relations and resource management and Purba Sarkar who in the past worked as a strategic advisor in the field of SAP Retail are working in this project.

Video Interviews

Part 3: Interview with Eva Galperin (July 10, 2013).
Part 4: Interview with Marietje Schaake (July 11, 2013).
Part 5: Interview with Amelia Andersdotter (July 12, 2013).
Part 6: Interview with Lhadon Tethong (July 15, 2013).
Part 7: Interview with Jochem de Groot (July 18, 2013).
Part 8: Interview with Jeff Moss (July, 23, 2013).

Cyber Security
Blog Entries

India's National Cyber Security Policy in Review (by Jonathan Diamond, July 31, 2013).
Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation? (by Jonathan Diamond, July 31, 2013).

Free Speech, Expression and Censorship
Column

You Have the Right to Remain Silent (by Nishant Shah, July 22, 2013).

Event Participated In

Connaught Summer Institute on Monitoring Internet Openness and Rights (organized by the Munk School of Global Affairs, Bloor Street West, July 23, 2013). Malavika Jayaram participated in this event and spoke on "India's Civil Liberties Crisis: Digital Free Will in Free Fall".

Knowledge Repository on Internet Access

CIS in partnership with the Ford Foundation is executing a project to create a knowledge repository on Internet and society. This repository will comprise content targeted primarily at civil society with a view to enabling their informed participation in the Indian Internet and ICT policy space. The repository is available at www.internet-institute.in.

Event Organised

Institute on Internet and Society: Event Report (supported by Ford Foundation, Golden Palms Resort, Bangalore, June 8 – 14, 2013). Pranesh Prakash, Bernadette Längle, Vir Kamal Chopra, AK Bhargava, Ananth Guruswamy, Archana Gulati, Chakshu Roy, Elonnai Hickok, Gaurab Raj Upadhaya, Helani Galpaya, Michael Ginguld, Dr. Nadeem Akhtar, C. Nandini, Dr. Nirmita Narasimhan, Dr. Nishant Shah, Parminder Jeet Singh, Ravikiran Annaswamy, Dr. Ravina Aggarwal, Satyen Gupta, Dr. Subbiah Arunachalam, Sunil Abraham, Tulika Pandey and T. Vishnu Vardhan were speakers at the event. The presentations and videos can now be accessed in this report.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Building Up vs Tearing Down (by Shyam Ponappa, July 3, 2013, originally published in the Business Standard, and also mirrored in Organizing India Blogspot).

Digital Humanities

We are building research clusters in the field of Digital Humanities. The Digital will be used as a way of unpacking the debates in humanities and social sciences and look at the new frameworks, concepts and ideas that emerge in our engagement with the digital. The clusters aim to produce and document new conversations and debates that shape the contours of Digital Humanities in Asia.

Event Co-organised

Digital Humanities for Indian Higher Education (co-organised by HEIRA, CSCS, Tumkur University, Tata Institute of Social Sciences, Mumbai and CIS, Indian Institute of Science, Bangalore, July 13, 2013).

Event Organised

Digital Humanities Talk (CIS, Bangalore, July 31, 2013). Sara Morais gave a talk on the advantages and problems in doing digital humanities work.

Event Participated In

Political Economy, Activism and Alternative Economic Strategies (organized by the International Institute of Social Studies, Erasmus University of Rotterdam, The Hague, July 9 – 13, 2013). Nishant Shah presented his paper on paper on Citizen Action in the Time of Network.

Blog Entries

Designing Change? Gatekeepers in Digital Humanities (by Sara Morais, July 2, 2013).
Towards Critical Tool-building (by Sara Morais, July 12, 2013).

About CIS

The Centre for Internet and Society is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness (including open government, FOSS, open standards, etc.), and engages in academic research on digital natives and digital humanities.

Get short, timely messages from us on Twitter
Join the CIS group on Facebook
Visit us at http://cis-india.org

Support Us
Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

Request for Collaboration
We invite researchers, practitioners, and theoreticians, both organisationally and as individuals, to collaboratively engage with Internet and society and improve our understanding of this new field. To discuss the research collaborations, write to Sunil Abraham, Executive Director, at sunil@cis-india.org or Nishant Shah, Director – Research, at nishant@cis-india.org

CIS is grateful to its donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation and the Kusuma Trust which was founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin, for its core funding and support for most of its projects.

For more details visit https://cis-india.org/about/newsletters/july-2013-bulletin

International Principles on the Application of Human Rights to Communications Surveillance

praskrishna — 2013-07-31T09:02:12Z

For more details visit https://cis-india.org/internet-governance/blog/necessary-and-proportionate.pdf

Chennai: Learn to Protect your Online Activities!

bernadette — 2013-08-01T12:16:52Z

The Centre for Internet and Society cordially invites you to a Crypto Party at Asian College of Journalism Second main Road (Behind M.S. Swaminathan Research Foundation) Taramani in Chennai on August 7, 2013, 4.30 p.m. to 6.30 p.m.

"Governments around the world, are greatly increasing their surveillance of the Internet. Alongside a loss of the private sphere, this also represents a clear danger to basic civil liberties. The good news is that we already have the solution: encrypting communications makes it very hard, if not entirely impossible, for others to eavesdrop on our conversations. The bad news is that crypto is largely ignored by the general public, partly because they don't know about it, and partly because even if they do, it seems too much trouble to implement." (Source)

So lets go and have a party, and teach each other how to crypto!

Everyone is invited! Especially do not hesitate to join if you are not using any crypto at all (yet!)

Here is a Flyer / Printout for you to spread the message!

For more details visit https://cis-india.org/internet-governance/cryptoparty-chennai

Your telco could help spy on you

praskrishna — 2013-07-30T06:13:07Z

Telecom minister gives approval to changes in rules for mobile licences to enable such mass surveillance.

The article by Joji Thomas Philip, Leslie D'Monte and Shauvik Ghosh was originally published in Livemint on July 30, 2013. Sunil Abraham is quoted.

Telecom companies and Internet service providers will soon help the government monitor every call made, every email sent and every website visited, with the Centre deciding to connect their networks to its automated surveillance platform known as the Centralised Monitoring System (CMS).

Communications minister Kapil Sibal has approved changes in existing rules and new clauses to be inserted in mobile licences for enabling such mass surveillance, copies of documents reviewed by Mint reveal.

	The department of telecommunications (DoT) will shortly send a letter to all telcos asking them to connect their “lawful interception system (LIS)” to the CMS “at a regional monitoring centre through an interception, store and forward (ISF) server placed in the licensee’s premises”, according to the documents. Telcos including Bharat Sanchar Nigam Ltd (BSNL), Mahanagar Telephone Nigam Ltd (MTNL), Reliance Communications Ltd, Bharti Airtel Ltd, Vodafone India Ltd and Tata TeleServices Ltd declined to comment on questions emailed in this regard.

The department of telecommunications (DoT) will shortly send a letter to all telcos asking them to connect their “lawful interception system (LIS)” to the CMS “at a regional monitoring centre through an interception, store and forward (ISF) server placed in the licensee’s premises”, according to the documents.

Telcos including Bharat Sanchar Nigam Ltd (BSNL), Mahanagar Telephone Nigam Ltd (MTNL), Reliance Communications Ltd, Bharti Airtel Ltd, Vodafone India Ltd and Tata TeleServices Ltd declined to comment on questions emailed in this regard.

“The automated process of the CMS will be subjected to the same regulatory scrutiny as is available in the present manual system under Section 5(2) of Indian Telegraph Act and Rules 419-A thereunder, with the added advantage of having a safeguard against any illegal provisioning by the telecom service providers in the present system, however, remote it may be,” DoT said in an email reply to a questionnaire with a brief on CMS.

“Safeguard has also been built against any unauthorized provisioning by having a different interception provisioning agency than the interception requisitioning and monitoring agencies thus having an inbuilt system of checks and balances. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” DoT said.

The CMS was approved by the cabinet committee on security (CCS) on 16 June 2011, with government funding of Rs.400 crore. It is expected to enable the government to monitor all forms of communication, from emails to online activity to phone calls, text messages and faxes by automating the existing process of interception and monitoring. The government completed a pilot project in September 2011 under which the Centre for Development of Telematics (C-DoT) installed two ISF servers, one of them for MTNL.

“The interception services have been integrated and tested successfully for these two telecom services providers (TSPs),” the note said, referring to MTNL and Tata Communications Ltd. MTNL officials declined to comment. There was no response to queries by Tata Communications.

It added that training had been imparted to six law enforcement agencies—the Intelligence Bureau, the Central Bureau of Investigation, the Directorate of Revenue Intelligence, the Research and Analysis Wing, the Delhi Police and the National Investigation Agency.

However, the documents also reveal that the CMS project is getting delayed over technical issues such as lawful interception systems sending the intercept-related information (IRI) in “their own proprietary format”; difficulty in tracing the movement of “the target from the home network to the roaming network”; and how to independently provision voice and data interception of mobile users.

The government is simultaneously devising a strategy to counter criticism from the media and privacy lobby groups that this surveillance platform has no privacy safeguards. Mint reported on 13 July that fresh questions were raised on the CMS infringing on the rights of individuals, especially in the wake of the US government’s PRISM surveillance project.

In an internal note on 16 July to help Sibal brief the media, DoT said even as the CMS will automate the existing process of interception and monitoring “... all safeguards that are currently in place in the manual mode of interception will continue”.

The note argued that implementation of the CMS “will rather enhance the privacy of the citizens” since it will not be necessary to take the authorization (for tapping) to the nodal officer of the telecom service providers “who comes to know whose or which phone is being intercepted”. The note added that after the CMS is implemented, provisioning of interception will be done by a CMS authority, who would be different from the law enforcement agency authorities.

“The law enforcement agency (LEA) cannot provision for interception and monitoring and the CMS authority cannot see the content but would be able to provision the request from the LEA.Hence, complete check and balance will be ensured. Further, a non-erasable command log will be maintained by the system, which can be examined anytime for misuse, thus having an additional safeguard,” added the department’s note briefing the minister.

Also, acknowledging that “questions were being asked about the practices of Indian agencies and the privacy and rights of its citizens”, national security adviser Shivshankar Menon in a 23 June note to the ministries of home, external affairs and telecom, the department of electronics and information technology, and the cabinet secretary said: “Only home secretaries of the Centre and states can authorize such monitoring; orders are valid for two months, are not extendable beyond six months; records are to be maintained, use of storage is limited and a review committee of cabinet secretary, law secretary and secretary of the telecom department regularly screens all cases.”

Menon also admitted that when it came to individual privacy rights, there were “larger issues that needed serious consideration and wider consultation with industry, advocacy groups and NGOs (non-governmental organizations) as has been the case so far in the draft privacy Bill... For data protection and retention in India, however, there may be a need to consider legislation or strengthening existing legislation, as the march of technology has made most present laws irrelevant.”

Privacy experts are convinced that safeguards are needed, especially since India does not have a privacy law.

“To safeguard public interest, the government should also draft a law that will make it a criminal offence if a CMS authority is found in possession of any personal information culled through the CMS. That will prove to be a deterrent,” said Sunil Abraham, executive director of the Centre for Internet and Society, a privacy lobby body. “Also, the government must build an audit trail using PKI (public key encryption) and people as an additional safeguard.”

“As I understand it, there is also no clear statutory backing for the CMS,” said Apar Gupta, a partner at law firm Advani and Co. that specializes in information technology (IT) law. “What is important is that every tapping order should be backed by a reason. This was the case with the manual process. Will this be possible in an automated surveillance system such as the CMS?”

“What is disturbing is that there is no transparency with regard to the CMS. Everything is happening under the radar with media reports periodically giving us glimpses into the project,” he said. “A state should protect its interests but should do so in a manner that safeguards privacy and limits abuse.”

According to the Freedom on the Net 2012 report by Freedom House, an independent privacy watchdog body, of the 47 countries analysed, 19 had introduced new laws or other directives since January 2011 that could affect free speech online, violate users’ privacy, or punish individuals who post certain types of content. India, which scored 39 points out of 100 (score achieved out of 100 for censoring the Internet), was termed partly free by the report, which was released on 24 September.

Globally, 79% of the respondents in another study said they were concerned about their privacy online, with India (94%), Brazil (90%) and Spain (90%) showing the highest level of concern, according to a June survey undertaken by research firm ComRes, and commissioned by Big Brother Watch, an online privacy campaign.

For more details visit https://cis-india.org/news/livemint-july-30-2013-joji-thomas-philip-leslie-d-monte-shauvik-ghosh-your-telco-could-help-spy-on-you

Institute on Internet & Society: Event Report

srividya — 2013-10-15T06:48:00Z

The Institute on Internet and Society organized by the Centre for Internet and Society (CIS) with grant supported by the Ford Foundation took place from June 8 to 14, 2013 at the Golden Palms Resort in Bangalore.

A total of 20 participants spent the seven days in a residential institute, learning about the fundamental technologies of the Internet and topics on which CIS has expertise on such as Accessibility, Openness, Privacy, Digital Natives and Internet Governance.

The participants belonged to various stakeholder groups and it provided a common forum (first of its kind in India) to discuss and share ideas. Twenty-four expert speakers from various domains came to share their knowledge and speak about their work, so as to encourage activity in the field and supply resources from which participants could learn to increase their accessibility, range and funding possibilities, as well as network with the speakers and amongst themselves.

The Institute has triggered a number of follow-up events — those that the participants organized themselves with the help of CIS staff, including Crypto Parties in Bangalore, Delhi and Mumbai, that taught netizens to keep their online communication private. In addition to that, the CIS Access2Knowledge (A2K) team could rope in eight new Wikipedians who will contribute to Wikipedia in Indic languages.

The day wise talks and activities that took place are listed below:

Day 1: June 8, 2013

The seven day residential Institute began on Saturday, the 8th of June with a warm welcome by Dr. Ravina Aggarwal and Dr. Nirmita Narasimhan. They outlined the purpose of the residential institute and briefly went over the topics which would get covered over the week long duration. This was followed by each of the participants introducing themselves briefly and also stating their expectations from the Institute, why they were attending the same and what they hope to get at the end.

Session 1: History of the Internet

(by Pranesh Prakash and Bernadette Längle)

Above is a picture of Pranesh Prakash speaking about the History of the Internet during the first session on Day 1.	The Institute proceedings kicked off with the first session, History of the Internet by Pranesh Prakash and Bernadette Längle. Participants learned where the Internet originally came from and how it is organized, as well as different technologies surrounding the Internet. Pranesh Prakash and Bernadette Längle set the start point of the Internet in the late 50's when the Russians send the first satellite in space (Sputnik) and the US founded the DARPA(Defense Advanced Research Projects Agency), a research agency that was tasked with creating new technologies for military use. DARPA is credited with development of many technologies which have had a major effect on the world, including computer networking, as well as NLS, which was both the first hypertext system, and an important precursor to the contemporary ubiquitous graphical user interface (GUI). A few years later the first four computers were connected to a network.

After the Network Control Protocol (NCP, later replaced by the TCP/IP) was invented in 1970, the first applications were made: email (connecting people), telnet (connecting computers) and the file transport protocol (FTP) (connecting information) — all of these are still in use today. Participants were surprised to learn that the Web, most commonly used today, known to be invented by one single person in the 90's, actually existed for a long time prior to the '90s.

VIDEO

Session 2: Domestic Bodies and Mechanisms

(by Pranesh Prakash)
After lunch, Pranesh Prakash led the second session about Domestic Bodies and Mechanisms and he started with some of the problems associated with the Domestic Regulatory Bodies:

Lack of coherence and consistency in Internet related policies
Rather than co-operating, the different agencies compete with each other.
Communication with the public is of different degrees and openness of different agencies varies.

Department of Electronics and Information Technology (DEITY), is one of the most important public agencies & the CERT-in focuses on issues like malware and content regulation. There is also the STQC (Standard Setting and Quality Setting Body).
The work of these organizations is to govern the Internet, bring about better privacy policies and ensure freedom of speech.
Other governing bodies include DOT (Department of Telecommunications) which governs the telecom and internet policies of India. In India, certain content regulation takes place under a notification as part of the IT Act, 2003.
TRAI (Telecom Regulatory Authority of India) also looks into the tariff, interconnections and quality of telecom sector, spectrum regulation and so on.
The USOF (Universal Service Obligation Fund) seeks to provide funds for setting up telecom services in rural areas.
Ministry of Information and Broadcasting (MIB) has been extending copyright restrictions to online publications.

VIDEO

Session 3: Emerging trends in Internet usage in India

(by Nandini C and Vir Kamal Chopra)
Emerging Trends in Internet Usage with specific focus on BSNL offerings (by Vir Kamal Chopra)
Some of the salient points discussed were:

In 1995, the VSNL provided internet in 4 metros of India, by 1998 DOT had provided internet in 42 cities.
Some of the facilities internet provides include Tele-education, Tele-medicine, mobile banking, payment of bills via mobile internet, etc.
BSNL has got maximum broadband market share in India.
Present Scenario, there are 900 million mobiles in India, 430 million wireless connections with capability to access data.
The total broadband connections are 15 million in country, 10 million provided by BSNL.
Total internet users are 120 million with a growth rate of 30%.
Public access is not only about network intermediaries but about info-mediaries who understand internet.
BSNL lost Rs 18,000 crores from 3G license.
2G to 3G shifting is not seamless and leads to lot of packet loss, and 3G coverage is not as extensive as 2G. Thus 3G is not efficient however; the government has made a lot of money from selling 3G licenses.
Future trends include technology trends for internet access, optical fiber technologies, fiber to the curb, fibre to the home, metro Ethernet, etc.
Internet has created an online Public sphere.
In 2000 Parliament passed the Information Technology Act 2000 and the dot.com boom is seen.

Making internet access meaningful in the Indian Context (by Nandini.C)
(Click to see the presentation slides)
Some of the salient points discussed were:

Status of internet access today sees low level of overall penetration of internet, high rate of household mobile penetration and huge rural-urban divide in internet access.
Relationship b/w women and internet in India
8.4% of women in India have access to internet in India and 43% of women using internet in India perceived it as being an important part of their life.
Some area of concerns include ensuring adequate access of internet for the women, entrenched patriarchies, contextual relevance, the imaginary of ‘public access’.
The importance of an existing strong social support network, ITC itself cannot open up economic/social empowerment opportunities for women
ICT-enabled micro-enterprises may also force the burden of double work on women, who undertake both productive activities for the micro-enterprise and re/productive activities for the household.
The Internet today has created an online public sphere.
Countering the threat of online violence.
Censorship and content regulation.
Women’s rights and the spaces of internet governance.
Arbitrary censorship and self-regulation by the corporate and slide towards an illusory freedom; state is used as a bogeyman by corporate to create an online culture that is suitable to the corporate values.

VIDEO

Activity
Day 1 featured an interesting activity called the Creative Handshake. The goal of the game was to teach the participants the concept of "Handshake" in Internet terms and why it is important to make sure that integrity of data transferred is maintained.

Day 2: June 9, 2013

The focus of the second day was more on the nuts and bolts behind the working of the Internet by Dr. Nadeem Akhtar, Wireless Technologies and a case-study in Air Jaldi by Michael Ginguld, Collaborative Knowledge base building by Vishnu Vardhan and Affordable Devices on the Internet by Ravikiran Annaswamy.

The salient points of each of the talks are listed below.

Session 1: How Internet Works

(by Nadeem Akhtar)
Click to read the presentation slides

Internet structure and hierarchy:
1. Data Networks comprise of set of nodes, connected by transmission links, for exchange of data between nodes.
2. Some of the key principles which underpin data networks include digital transmission, multiplexing and data forwarding/routing.
Data networks through ownership include public and private networks.
Data networks through coverage include local area networks (small area), metro area networks (may comprise of a city) and wide area networks (wide geographic area across cities).
Protocols include:
1. Open systems interconnection (OSI) model divides a communication system into smaller parts. Each part is referred to as a layer. Similar communication functions are grouped into logical layers.
2. OSI model defines the different stages that data must go through to travel from one device to another over a network & this enables a modular approach towards developing complex system functionality i.e. functionality at layer X does not depend on how layer Y is implemented.
Above is a picture of Dr. Nadeem Akhtar speaking on the working of the internet on Day 2
Internet networks or connections.
Internet backbone refers to the principal data routes between large, strategically interconnected networks and core routers on the internet and these data routes are hosted by commercial, government, academic and other high-capacity network centers, the internet exchange points and network access points. The internet back bone is decentralized.
Transit Service - Passing information from small ISP to large ISP.
Peering Service - The passing of information between two similar ISP’s os similar size to let network traffic pass.
Three levels of network Tier1, Tier2 and Tier 3. TATA Company is the only Tier 1 Indian Company.
Backhaul- Transport Links which connects access edge networks with the ‘core’ network. The transmitters have to be mounted on a high level.


Above is a picture of Dr. Nadeem Akhtar speaking on the working of the internet on Day 2

VIDEO

Session 2: Wireless Technologies

(by Michael Ginguld)
Click to read the presentation slides

We are surrounded by electromagnetic radiation
All about transmission waves and there are both advantages and disadvantages of the same:
1. Pros: higher reach for lower price, overcomes topographic challenges, lower maintenance, less to damage/lose
2. Cons: limited resources, maintenance (energy), physical limitations to transfer rates.
Satellite/VSAT is a very small aperture tech: a small satellite dish that connects to a geo-static satellite.
Strength: globally usable, can connect from anywhere.
Weakness: signal problems, relatively high installation charge, upstream connection is lower than the downstream, transmitter on satellite is extremely expensive, hence limitation on transmission capacity of the satellite.
VSATs are not scalable. It is a dead-end tech for usages where data transmission volume is expected to grow.
2G Technology for mobile connection.
Limitation in transfer of data, due to technology and encryption limitations but great availability and reasonable price.
3G Technology has a problem in India; low uptake, leading to low investment, leading to low speed, leading to low uptake. The technology allows for high-speed data transfer but the market condition in India still does not make adequate infrastructural support feasible.
4G license auction.
A company bought the country-wide 4G license in the auction. Mukesh Ambani bought the company after some days.
The present legislation does not allow for VoIP-based Telco operation but that is expected to change soon.
Wifi technology is wireless technology. It is low cost wireless transfer of data. The Public dissemination of the ranges in which data transfer using the WiFi protocol can take place. It was made public in India in January 2005.
1. Limitations: needs line of sight, limit to data transfer.
2. Strength: cheap, de-licensed spectrum usage, easily deployable.
2G spectrum, 3G spectrum and now 4G spectrum all are part of the wireless technology.
Air Jaldi started in Dharamshala; building wifi connection spanning campuses.
Three types of consumer categories: (1) no coverage, (2) under-served, and (3) ‘deserving clients’. #2 is the most common group. #3 are people who should be served but cannot pay fully for the service, hence are cross-subsidised by group #2.
Deployed and managed by local staff, trained by AirJaldi.
Customer premise equipment: Rs. 3-4k.
User charges: Rs 975 per month for 512 kbps, Rs 1500 per month for 1 mbps.
Content: by and large, AirJaldi brings infrastructure on which content can ride on, teams with various content providers (like e-learning, rural BPOs, local e-banking etc) for the content side. The biggest drivers are local BPO, banking and retail. The next big driver coming up is entertainment.
WiMax includes 4g spectrum.

VIDEO

Session 3: Building Knowledge Bases and Platform via Mass Collaboration on the Internet

Click to read the presentation slides

The session started off with some physical activity in the form of "Kasa Kasa Warte, Chan Chan Warte" to break off the lunch induced sleep and a mental activity where the participants were divided into two groups and both the groups were asked to collect information on "Water". One group was left to itself while the other had some expert inputs from Vishnu Vardhan on how to collaborate and organize the data. After the activity, both teams presented the information that they had collected on "Water". The benefits of collaborative authoring such as "everyone's voice is heard", "various inputs leading to a multi-dimensional thinking" etc were evident as against a single dimensional thought process that was seen from the group that was un-assisted.	Given above is a picture of the participants involved in a group activity

Salient points discussed during the presentation:

The Concept of Knowledge today is not something of modern phenomena, but it is something which has been existent since print culture was developed. Print technology shapes what we consider as knowledge, and hence as knowledge platform
Techno-sociality of knowledge production
The Concept of Knowledge today is not something of modern phenomena, but it is something which has been existent since print culture was developed. Print technology shapes what we consider as knowledge, and hence as knowledge platform
Techno-sociality of knowledge production
Examples of knowledge platforms:
1. Baidu baike
2. English wikipedia
3. Hudong
4. Catawiki
5. Wikieducator
6. Open street map
7. Pad.ma
8. Sahapedia
9. Internet archive
10. Jstor
11. Dsal
12. Dli
In 1994 Cunningham developed the ‘Wiki Wiki Web’ also known as the ‘Ward Wiki’. Basically it is a knowledge platform.
Internet since then has been used for dissemination of information especially in the education sector. Digital Archived have developed over the years which provide information across various platforms like Wikipedia.
The spread of the internet has made possible the building of knowledge bases by seamless and mass collaboration.

Generic challenges for Wikipedia

Quality, relevance, consistency of knowledge
Suitable motivation of the contributors
Another issue is the scalability

Some of the problems faced by Indian Wikipedian pages:

Technical infrastructure for Indian languages
Typing in the regional language
OCR: complexity of Indian language scripts
Various other technical troubles like browser compatibility, font display, etc., which deter new users
Dearth of quality content available in digital format
Different standards/formats/generations (gov.in/DLI)
Relative lack of research/academic standards, which is transferred on to Indic wikipedias.
Lack of knowledge sharing culture.
Building a mass knowledge platform is the need of the hour.
The platform should be user friendly, easily available and adoptable; offline outreach is key to effective use of online platforms.
The programme should have feedback loop key, behavior statistics data, reinvent and replicate the programme, multi-channel awareness, ‘user connect’ programmes.
The people should communicate knowledge sharing objectives, make knowledge sharing fun, appoint ambassadors; virtual volunteer community building looks simple but its complex and leads to failure.

VIDEO

Session: 4 Affordable Devices to access the Internet

(by Ravikiran Annaswamy)
Click to read the presentation slides


Given above is a picture of the speaker Ravikiran Annaswamy giving a demo of the low cost Akash tablet.

Overview of Affordable Mobile Phones such as Lava Iris, Karbonn A1, Nokia Asha, etc.
Overview of Affordable Tablets such as Aakash, Ubislate, Karbonn Smart A34, etc.
The number of Internet users in India is expected to nearly triple from 125 million in 2011 to 330 million by 2016, says a report by Boston Consulting Group.
How Internet Penetration impacts society.
Demo of the devices.
Need for Mobile Internet
Sugata Mitra & Arvind Eye Care examples.

VIDEO

Day 3: June 10, 2013

The third day of the Institute focussed on Wired means of accessing the Internet, the technology involved followed by an assignment time where the participants were introduced to 2 topics and asked to work on an assignment. This was followed by a site visit in the afternoon to MapUnity. MapUnity develops technology to tackle social problems and development challenges. Their GIS, MIS and mobile technologies are used mostly by government departments and civil society organisations and in the R&D initiatives of commercial ventures.

Session 1: Wired Access Technology

(by Dr. Nadeem Akhtar)
Click to read the presentation slides

Some of the salient points discussed were:

Wired and Wireless

Wired:

Separate communication channel for each users
Low signal attenuation
No interference
Fixed point-of-attachment

Wireless:

Shared medium of communication
Signal is attenuated by a number of factors
Interference between adjacent channels
Points-of-attachment can be changed on-the-fly

Ethernet:

A family of computer networking technologies for LANs which was Invented in 1973 and commercially introduced in 1980. The systems communicating over ethernet divide a stream o data into individual packets called frames. Each frame contains source and destination addresses and error-checking data so that damaged data can be detected and re-transmitted.
Ethernet, by definition, is a broadcast protocol
Any signal can be received by all hosts
Switching enables individual hosts to communicate

Digital subscriber line (DSL):

DSL uses existing telephone lines to transport data to internet subscribers and the term xDSL is used to refer to a number of similar yet competing forms of DSL technologies which includes ADSL, SDSL, HDSL, HDSL-2, G.SHDL, IDSL, and VDSL. DSL service is delivered simultaneously with wired telephone service on the same telephone line and this is possible because DSL uses higher frequency bands for data.

Asymmetric DSL (ADSL):

ADSL is the most commonly installed technology and an ADSL tech can provide maximum downstream speeds of up to 8 mbps.

Modem and router:

Modem is specific to a technology
Modem is de/modulator, it takes bits coming from one protocol/technology, demodulates it (converts it into original data), and re-modulated the original data to another protocol/technology.
Router allows creation of a local area network, allowing multiple devices to connect to the network and access internet together through the router. It has very high bitrate DSL (VDSL) and goes up to 52 mbps downstream and 16 mbps upstream. The length of the physical connection is limited to 300 meters and the second generation VDSL (CDSL2) provides data rates up to 100 mbps simultaneously in both direction, but maximum available bit rate is still achieved about 300 meters.

Cable:

Cable broadband uses existing CATV infrastructure to provide high-access internet access; uses channels specifically reserved for data transfer
Support simultaneous access to broadband and TV programs
Cable access tech is built for one-way transmission; hence some congestion takes place for bi-way data transfer, leading to much lower upstream connection relative to downstream connection for data.

Fiber:

It is a generic term for any broadband network architecture using optical fiber; fiber to the neighborhood; fiber to the curb; the street cabinet is much closer to the user’s premises, typically within 300m, thus allowing ethernet or radio-based connection to the final users; fiber to the basement; fiber to the home (BSNL already providing); fiber to the desktop
Passive optical networks (PON)

Advantages of fiber:

Immunity to electromagnetic interference.
Provides very high data rates at long distances.
When network links run over several 1000s of meters (e.g., metro area networks), fiber significantly outperforms copper.
Replacing at least part of these links with fiber shortens the remaining copper segments and allows them to run much faster.
The data rate of a fiber link is typically limited by the terminal equipment rather than the fiber itself.

Assignment
Participants were given two options for an assignment to work on in the coming days and they could choose either one.

Assignment A
The Universal Service Obligation Fund of India has put out a Call for Proposals under two schemes:

Mobile Connectivity and ICT related livelihood skills for womens’ SHGs (http://www.usof.gov.in/usof-cms/pdf21may/Concept_Paper.pdf), and

Access to ICTs and ICT enabled services for persons with disabilities in rural India. (http://www.usof.gov.in/usof-cms/usofsub/Concept%20paper_USOF%20Scheme_PwDs_A.G.Gulati.pdf)

Your NGO is committed to the task of facilitating access to the Internet for women/ persons with disabilities in rural parts of Kerala and wishes to submit a proposal/ project idea in partnership with a service provider to the USOF.

Assignment B
You are a member of the ancient tribe of Meithis residing in Manipur. Over the years, there is a strong feeling in your community that although the Government has rolled out projects to connect the rural areas throughout India, these have not been successful for your tribe and there is still even a lack of basic fixed telephony, let alone mobile and broadband services. You have hence come to the conclusion that there is a need for focused efforts to target such communities as yours and have decided to submit a concept note to the USOF requesting that ‘ethnic and rural tribal communities’ be specifically included within the mandate of the USOF’s activities by defining them as an ‘underserved community’.


Given above is a picture of the participants engaged in a discussion.

Field Trip - Destination: MapUnity.
MapUnity develops technology to tackle social problems and development challenges. Their GIS, MIS and mobile technologies are used mostly by government departments and civil society organisations, and in the R&D initiatives of commercial ventures. MapUnity presented their product offerings to the participants.

VIDEO

Day 4: June 11, 2013

Session 1: Universal Access

(by Archana Gulati)
Click to read the presentation slides

Given above is a picture of Archana Gulati speaking on Universal Access.	Tuesday revolved around questions of access and openness. The day kicked off with Archana Gulati, a policy expert in access to ICTs for people with disabilities talking on Universal Access. Ms. Gulati stressed the importance of ICTs for social development. ICTs are a necessary aid in development structures including education, health and increased citizen participation in national affairs & they provide crucial knowledge inputs into productive activities. However, even with the Telecom boom, there still exists an access gap in India, which cannot be covered by commercially viable systems.

This 'actual access gap' exists because of geographic (scattered population, low income, low perceived utility of service, lack of commercial/industrial customers, lack of roads, power, difficult terrain, insurgency), economic (urban poor) and social inequality (gender, disabilities) differences. To achieve Universal Access or Universal Service, additional efforts must be made, so as to include these groups. However, Universal Access and Universal Service, while they may imply the same thing, are very different approaches to deal with the problematic access gap.

Universal service, a term coined by Theodore Vail, president of AT&T in 1906, argued that the government should enforce the usage of only one network. This approach suggests a monopolization of the market and goes against the liberal market principle.

Universal access on the other hand suggests cross-subsidizing the low and no profit service areas by high profit service areas. However, this results in the urban population to get over-charged while the rich rural areas benefit from rural subsidizing.

So how do we enable a fair and inexpensive network to be able to create access for a large number of people equally?
Ms. Archana Gulati went on to introduce the Sanchar Shakti scheme as a contribution to national access in India. It was initiated with the objective of improving rural SHG access skills, knowledge, financial services and markets through mobile connections and involved several stakeholders like NABARD, handset/modem manufacturers, DoT USOF, Mobile VAS Providers, Lead NGOs, Mobile Service Providers.

This scheme shows how important is, for the commercial, private and public sector to work together on obtaining accessibility to ITCs.

Session 2: Free and Open Internet

(by Pranesh Prakash)
The following session by Pranesh Prakash on Free and Open Internet showed how the internet can still be a restrictive place which does not allow for internet equality. His talk focussed on the concepts of free and open Internet. Prakash started by stating the Freedom of Speech and Expression Article of the Indian Constitution and in an interactive round it was discussed, how these articles are fundamental for securing other basic human rights. This was demonstrated by an example in which the distribution of food did not proceed equally, as misinformation and restrictions led to an inappropriate hoarding of goods. Therefore, it is important for everyone to have that right. In fact, the Indian constitution formulates Article 19 in a positive way, implying not only everyone should have that right, but that the government must promote the upholding of these rights.

However, in the case of Article 66a, the law actually caused a problem with freedom of speech in itself, as it penalizes sending false and offensive messages through communication services. This is a massive impediment on free speech, as outsiders decide upon what is offensive and what is false.

The other side of freedom of speech and expression is censorship. Online, the removal of websites and editing of content often happens quietly and obscures the fact that someone or something is being censored. Unlike book burnings in the past, which were always made a big political spectacle, often websites are simply removed without a trace, or one is faced with a 404 error, when trying to access it. Because of the offensive content law, journals and magazines are quick to remove supposedly offensive content, as it seems more difficult to engage in argument with the people claiming offense. The CIS proposed a counter-law to secure for this to happen less, as freedom of speech includes the freedom to receive that speech.

VIDEO

Session 3: Openness

(by Sunil Abraham)

Next to ensuring freedom of speech and access, the third session of the day focussed on Openness in terms of Open Source software. Sunil Abraham, CIS executive director, stated the importance of free software and open access of data, as they ensure what he called the four freedoms of internet usage, namely the freedom to use for any purpose, the freedom to study, to modify and to share (freely or for a fee). Proprietary software imposes on these freedoms, as it only has restrictive use and a strong copyright. However, there are alternatives that have moderate copyrights, or so-called copy centred perspectives, or even copyleft, including the above mentioned rights into the terms of the software usage.	Above is a picture of Sunil Abraham speaking on Openness

In alignment with Sunil Abraham’s talk Pranesh Prakash criticized copyright law cutting into accessibility rights, as copyright infringements include translation into other languages, audio versions and also integral parts of education. The key is not to have a "one size fits all" copyright solution, as it is impossible to treat twitter content the same as a blockbuster movie. However, the government of India is doing exactly that and needs to interlink questions of access with copyright law.

VIDEO

Session 4: Open Content

(by Prof. Subbiah Arunachalam)
Prof. Subbiah Arunachalam, who led the next session, discussed Open Content. He had seen during the course of his experience India's poor performance in Science & Technology and outlined the reasons for the same. The lack of access to information essential in scientific research and knowledge production, he said, was the major limiting cause.

VIDEO

Session 5: Quick Talk on Copyright Law and Access

This short session dealt with implications of copyright law on internet access.

Activity

The participants were divided into two groups, and they were asked build as huge a network as possible with their personal belongings and present their creations. The participants had good ideas. One group placed their mobiles and laptops into the network to have them as nodes. The other group implemented the re-routing around censorship.

VIDEO


Given above is a picture of the participants in an activity making the longest network possible with their personal belongings.

Day 5: (June 12, 2013)

Session 1: Privacy on the Internet in India

(by Sunil Abraham and Elonnai Hickok)

Click to view the presentation slides

Given above is a picture of Elonnai Hickock speaking about privacy	The following day, June 12th started off with “Privacy” as the theme. The session Privacy on the Internet in India was led by CIS privacy experts Sunil Abraham and Elonnai Hickock. In an exchange of anecdotes, it was made clear how there needs to be a certain degree of state surveillance to secure the citizens safety. This can happen through off air interception and active or passive cell phone towers that can track mobile devices. However, encryption is an important tool to secure one’s own privacy against cyber espionage.

Some of the salient points discussed were:

Off-the Air Interception
Possible to set up active or passive cell phone tower.
The signal strength will be strong and everyone looks for it.
Capacity to identify itself as a service provider.
Interception can begin with encryption Technology today used by security agencies.
NTRO- national technical Research Org and Outlook

VIDEO

Session 2: E-Accessibility

(by Nirmita Narasimhan)
Click to view the presentation slides


Given above is a picture of Dr. Nirmita Narasimhan speaking on e-accessibility

The second session was on “E-Accessibility” led by Dr. Nirmita Narasimhan. Some of the salient points discussed were:

Problems arising out of disability
Accessibility-Infrastructure and ICT
Assistive technologies for PWD’s.
Reasonable accommodation (not available or cannot be and requires extra effort and putting up an accessible copy up) and universal Design (for both for PWD’s and non-PWD’s).
Web Content Accessibility is operable and easily understandable.
Accessibility standards include; Daisy (6 types of books including audio and text books) is all about marking up the documents. Really a good way to read but is expensive and time consuming, also need Daisy tools and player to make it work.
In 1808 the first typewriter was developed to help the blind.
Considerations involved in Web Accessibility
Overlap b/w mobile accessibility and web accessibility.
Example- Raku Raku phone captured 60% of market share in Japan. It has many assistive features.
Relay Services has a middle man who passes on the message b/w different PWD’s in many countries, but it is not yet available in India.
PWD’s communicating with customer care – the issues involved.
Accessibility Policy- very few people are adopting accessible technologies. There is a need to have a strong policy. U.K. and U.S. already have strong policies related to accessible and assistive technology for PWD’s.

Video

Session 3: International Bodies and Mechanisms

(by Tulika Pandey and Gaurab Raj Upadhyay)
Activity
Gaurab incorporated an Activity into his talk to enable the students to have a clearer understanding of International Bodies and Mechanisms.


Given above is a picture of the speaker Gaurab Raj Upadhaya explaining the International Bodies and Mechanisms

Some of the salient points discussed during his talk were:

Definition: “Internet Governance is the development and application by Govt., the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures and programmes which shape the evolution and use of internet.”
It should be multilateral, transparent and democratic
Enhanced cooperation means to enable govt…

Technical issues to keep in mind while talking about internet:

Critical internet resources
Root server locations
Open Standards (CIS leads the initiative)
Interoperability
Search Engines
Internationalized Domain names (in own script & language)
Content

Virtual yet real space and most important question to be understood is that whether, the governance of internet is possible?
Public Policy- to monitor cross-border data flow, Openness vs Privacy
India’s Outlook in internet policies-Pillars of Internet which is not fully addressed by the Indian government today.
Established an Inter- Ministerial Group by including various government departments into the arena.
Layer 0-7 Names and Numbers
Layer 8 and above
Applications and Usage
Legal business, policy, etc.

Session-4: E-Governance

(by Tulika Pandey and Sunil Abraham)


Given above is a picture of the speaker Tulika Pandey speaking about e-Governance

Some of the salient points discussed were:

Making policies in India is difficult because the population is huge and implementation at rural level is difficult.
Bombarded by Techno utopians- who believe in technology’s ability to change lives.
Techno determinants- Corruption solved through technology through open government data. More technology is better, the most sophisticated ones are the best are gross misconceptions.
Bhoomi project tried to deal with corruption at village level. Important policy change made all paper work illegal and digitized the land records etc. every action and request will be logged. But this led to creation of new corruption. Bribes were taken even before data was logged!
UID Project (Cobra Post Scam) around 20 public sector and 30 private banks were involved in money laundering scams.
People who design the systems in Delhi prepare sub-contracts.

VIDEO

Day 6: (June 13, 2013)

Session 1: Critical Perspectives of the Internet

(by Dr. Nishant Shah)
Click to view the presentation slides

The sixth day of the Institute kicked off with Nishant Shah, director of research at CIS, looking into Critical Perspectives of the Internet. Nishant made a very important distinction between the internet as infrastructure and as social network constructing alternative universes. Nonetheless it was important to stress that technology should not be alienated in the process of this separation but seen as an integral part of it, as the digital is as much part of reality as any other technology and has become essential as a technology of change that it brings about not only in scientific but also in social development. Quoting Michel Foucault, Shah argued that technology becomes influential when it changes life, labour and language, which is why research in the field should involve critical ways of thinking about body, space and community.	Above is a picture of Dr. Nishant Shah speaking on Critical Perspectives of the Internet.

The body perception can be perceived through the way bodily agencies change through technology. Technology does not necessarily taint or corrupt the body, but can also be a way to escape its confines. To put it to a point, we are all born into technology and cannot free ourselves from them, as for example pregnancy already starts with nutritional supplements, regulatory diets and exercise and essentially ends with birth technologies that do not necessarily involve only the digital - we must remember, speech is one of the oldest technologies available today.

VIDEO

Session 2: Strategies for Policy Intervention

(by Chakshu Roy)
The second session on “Strategies for Policy Intervention” was led by Chakshu Roy. This session dealt with various ways in which policy intervention can be made and the various factors necessary to successfully engage in policy forums.

VIDEO

Session 3: Profile of Internet Service Providers

(by Satyen Gupta)
Click to view the presentation slides


Given above is a picture of Satyen Gupta speaking about Internet Service Providers

Satyen Gupta during his talk on “Profile of Internet Service Providers” discussed the nature, offerings and profile of various ISPs in India, their market share and dynamics.

The salient points discussed were:

National Broadband Plans
Spectrum Issues “Management”
Reality check of Indian ISPs
Broadband Definition & Penetration
Roadblocks for Broadband in India, Governments Role, Regulation
Institutional Framework for the Indian Telecom
Broadband Access in India- Technology-Neutrality
Satellite based DTH Services offer alternate for the Broadband via Receive Only Internet Service (ROIS)
Broadband using DTH for Receive-only Internet
VSAT has the potential for significant impact on Broadband Penetration in Remote Areas
Fixed Wireless Access- an important access technology
Facilitating Radio Spectrum for Broadband Access
Fiscal measures to reduce the cost of access devices, infrastructure and broadband service
Reduction in the cost of connectivity
National Internet Exchange of India (NIXI) -National Internet Exchange of India (NIXI) has been set up on recommendation of TRAI by DIT, Government of India to ensure that Internet traffic, originating and destined for India, should be routed within India.
Emerging Broadband Services
Broadband Commission for Digital Development (BCDD)-UN Targets for Universal Broadband,2015
NOFN India-Existing Fiber Infrastructure and Coverage by Various Service Providers
National Telecom Policy (NTP) 2012- Salient Features
State of Internet Services and ISPs in India:
1. India’s Ranking on Key Broadband Indicators
2. Regulator’s Report – Growth of Internet in India
3. Internet Subscribers Base & Market share of top 10 ISPs
4. Technology trends for Internet/Broadband Access
5. Internet/broadband Subscribers for top 10 states
6. Tariff Plans for USO funded Broadband
7. Contribution of Telcos in Development of Internet Services
8. Incumbent’s Role in Growth of Broadband
9. Plugging rural missing link- BBNL
Internet Subscribers Base & Market share of top 10 ISPs

VIDEO

Session 4: Competition in the Market by Helani Galpaya

Helani Galpaya during her talk on “Competition in the Market” discussed about what competition meant, Herfindahl–Hirschman Index to measure how competitive a market is, what are the dangers of monopoly markets and the landscape of the Telecom market in India.


Above is a picture of Helani Galpaya speaking about Competition in the Market

Day 7: (June 14, 2013)

The final day of the Institute focussed on how the Internet can be used to effect change on society – Activism was the theme.

Session 1: Leveraging Internet for activism

(by Ananth Guruswamy)
Click to read the presentation slides


Above is a picture of Ananth Guruswamy speaking during the session on leveraging internet for activism

Some of the salient points discussed were:

Digital Activism
Target Omar Abdullah. It is about an act called Administrative detention Act. One can be detained without act i.e. The Preventive Detention Act. He directly responded to the threat.
Twitter seems to be a place where the political leaders are actually accessible. This kind of access was not possible in day to day life earlier if one was a common man. This phenomenon is developing. Even in Corporate setup writing a mail directly to the CEO seems possible.
Strengths: Wide reach, Freedom of speech, Data collection is made easy, Issues can be tackled swiftly, Global communities, singular identities have lot of power. Eg: 190 Million people stood up against Poverty; this kind of mobilization impossible without internet.
Besides local issues even Global issues are addressed an collection of funds becomes easy. Onion.com once a struggling publication in U.S., but now with a global audience it is thriving and it has a healthy reader base today.
The Earth Hour helps people connect across space and time.
Weakness: More popularity, more attention; Traditional/Real Protest has become rare and a threat; There is no real action beyond internet, threat of movement is low, there is no real commitment involved in digital activism and just one click is enough to make one ‘feel good’.
Opportunities: Recruitment of protestors for real protests. Diff. b/w real and virtual blurred; anything that affects the mind space is real. The intersection is interesting.
Threats: Total removal of privacy, Government intervention in private issues and there could be misinterpretation of people’s thoughts by certain people.
Traditional vs Digital activism: Traditional fails to provide results whereas clicking a button is as easy as wearing a badge.
Facebook activism: ‘Like Buttons’, People moving away from reading emails, a shift towards use of facebook; creates a sense of belongingness which the traditional activism failed to achieve.
India against Corruption: used mobile phone effectively.
Social Media has changed the way protests happen globally and in India, one example is Twitter. Change.org is a website which gives freedom to anybody to start a petition without any external source; Awaaz.org another such petition website.
Green Peace launched a Green peace X which was a runaway success. YouTube is another platform for the masses. People today are more interested in watching rather than reading.
Pakistan in 2007: “Flash protests”; Free Fraizan Movement on Twitter.
Something to keep in mind regarding while launching a campaign online is to think who the audience is and what we want them to do and how will the campaign help our objectives?
How to measure success of a social media campaign?
Reach
Engagement- likes, tweets, comments, etc.
Influence
Attrition Score

VIDEO

Session 2: Internet Access Activism

(by Parminder Jeet Singh)
The next session on “INTERNET ACCESS” ACTIVISM by Parminder Jeet Singh dealt with how people can contribute to initiatives for improving internet access amongst masses.

VIDEO

Session 3: Ensuring Access to the Internet

(by A.K. Bhargava)
Click to view the presentation
The last session on “Ensuring Access to the Internet” by A.K. Bhargava discussed strategies to enhance access to the Internet in India with special focus on National Optical Fibre Network.

The salient points discussed were:

-    Role of Broadband in Nation Building
-    Policy Aspiration of Broadband - How do we meet aspiration?
-    Telecom Network Layers‐Gaps in OFC Reach
-    BBNL Interconnection
-    NOFN - Bridging The Gap
-    Digital Knowledge Centres (DKCs)
-    Architecture of BBNL
-    NOFN Impact

Societal
- Bridging the digital divide
Business
- Job creation, indigenous industry growth
Sectoral
- Improved connectivity, data growth
Technological
- Differentiators
VIDEO

Speaker Presentation Slides
All the presentation aids/slide shows barring a few have been uploaded to the website at http://internet-institute.in/repository

Presentation of Assignments
The participants presented their assignments which were given to them to work on the 3rd day. The participants were presented with Wikipedia T-Shirts as a token of appreciation.


Given above is a picture of the participants presenting their assignments

Participant Feedback
All participants were asked to fill a "Session Feedback Form" for each of the sessions and also an "Overall Feedback Form". They were also constantly encouraged to come up with suggestions and inputs on how to make the Institute more interesting.

The key findings from the Quantitative Feedback provided are:
(The figures below are averaged scores (out of 5) provided by participants in the Overall Feedback Forms)

S.No.	Parameter	Score (Out of 5)
1	Relevance of Content	3.6
2	Comprehensiveness of Content	3.44
3	Easy to Understand	3.55
4	Well Paced	3.33
5	Sufficient Breaks	3
6	Duration of Talks	3.2
7	Mix between Learning & Activities	3

The key findings from the Qualitative Feedback provided are:

S.No.	Points observed
1	Presentations – Participants felt sessions with accompanying slides/aids were most helpful. Some felt that accompanying notes could also be useful for future reference.
2	Use of Examples/Case Studies – Participants felt concepts can be better assimilated if case-studies/examples are used. Some also felt that for the technological advancements discussed, it would have been better had the social/economic impact of the same was discussed too.
3	Implementation Gaps– One participant, who is working at the field level in Kolkata had a specific thing to say about the talk about BSNL and its offerings– Although BSNL has so many options available on paper to connect to the Internet, common service centres in West Bengal are mostly run on Tata Indicom’s network even though the board outside says “BSNL” etc. She felt that the reality is far different from what exists on paper.
4	Interactive sessions were most appreciated than speaker led sessions.
5	There were many responses to the question “How will you apply this new information in the future” and it is very encouraging. People have given thought to contributing to Wikipedia in their mother tongue, take the knowledge to the field work that they are associated with, continue with their research, change their Internet connections, to help file RTIs, to adopt more open source software, sharing with students, advocacy efforts, etc
6	The responses to the question “What did you learn from the session/workshop that was new?” elicited more responses for the following sessions Domestic Bodies and Mechanisms Case-studies such as Air Jaldi Low cost devices in India USOF Free & Open Internet Copyright laws Privacy Accessibility Digital Natives ISPs
7	Field Trip – One participant said “One or two of the persons from MapUnity could have made the presentation at the institute venue itself. A visit to an underserved or un-served community with interactions with the people there could also have given a good understanding of on-ground challenges and needs.”
8	Follow-up Session –One participant had ideas about having a follow-up session “A follow-up call [webinar?] after 6 months to see if any of these concepts were useful would be an interesting exercise to take up”
9	Assignment – Participants felt that the assignments were good but they needed more time to work on the same.

Other Feedback:

The food and the facilities were enjoyed and appreciated by all.
The remote location of the Golden Palms Resort was a concern for most of the participants.

Participation Certificates
Participation Certificates (template shown below) have been mailed to all the participants in the third week of July 2013.


Given above is the certificate declaring the successful completion of the event

Institute Expenses

A total of Rs. 19, 91,889 (Rupees nineteen lakhs ninety one thousand eight hundred and eighty nine only) was spent towards organizing and conducting the Internet Institute. A breakup of the Institute Expenditures is given below:

S.No.	Type of Expense	Description	Total
1	Venue – Golden Palms Resort	Accommodation for participants, speakers and food	12,91,176
2	Travel	Cost of Air tickets	2,94,515
3	Local Travel	Airport Pickup/Drop, Local City Travel	1,41,001
4	Gifts & Printing	Gifts for speakers and ad hoc document printing charges	24,000
5	Infrastructure	Telephony, Audio, Video, Stage	1,05,000
6	Participant Bags		10,650
7	Reimbursements	Reimbursements to participants and speakers	1,25,547
Total Expenses			19,91,889

What the participants had to say

Sangh Priya Rahul – “One of my organisation's work is more or less related to empowerment of rural areas so knowledge about USOF will be useful there.” (On USOF)

Rashmi. M – “Makes me more sensitized towards the disabled people.” (On e-Accessibility)

Preethi Ayyaluswamy – “Would help me in strategically planning for an online campaign” (On digital activism).

Conclusion

The Institute was highly engaging and enabled the participants to explore the various facets of Internet & Society. As was evident from the feedback forms, participants had given thought to contributing to Wikipedia in their mother tongue, take the knowledge to the field work that they are associated with, continue with their research, change their Internet connections, help file RTIs, adopt more open source software, sharing with students, advocacy efforts etc. There was a very high level of expertise amongst speakers at the Institute which was apparent from the participatory discussions and a lot of insightful perspectives were brought forth. There was a common consensus amongst all participants that inclusive growth across all dimensions would take efforts from all stakeholders.

We hope to learn from the findings of this Institute and work towards a better second Institute.


Above is a group picture of all the participants and the organizers

For more details visit https://cis-india.org/telecom/knowledge-repository-on-internet-access/institute-on-internet-and-society-event-report

Privacy Meeting: Brussels – Bangalore

praskrishna — 2013-09-12T07:56:53Z

The Centre for Internet and Society, Bangalore welcomes you to a talk on privacy by Gertjan Boulet and Dariusz Kloza on August 14, 2013, 5.00 p.m. to 8.00 p.m.

Slides from the talk can be accessed here.

Draft Agenda

Time	Detail
17.00 17.15	Brief presentation of the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel (VUB), Belgium
17.15 18.15	Session on "new tools" to protect privacy and personal data. A case-study on (European) approach to privacy impact assessment This session will provide an overview to the main findings of the projects carried out by VUB-LSTS (predominantly) with regard to privacy impact assessments (PIA), starting with the EU co-funded PIAF (“A Privacy Impact Assessment Framework for data protection and privacy rights”; 2011-2012), which reviewed existing PIA frameworks worldwide, surveyed opinions of national data protection authorities (DPAs) on an optimal PIA policy and, finally, provided a set of recommendations for PIA policy-makers and practitioners. This session will be concluded by proposing adaptation of the so-called environmental democracy to the needs and reality of privacy. The points in this session will be contrasted with the experience of India.
18.15 18.45	Session on co-operation of data protection authorities "Improving Practical and Helpful cooperation between Data Protection Authorities", 2013-15. This session will provide a preliminary analysis of the (legal) factors that pose as obstacles to and/or encourage co-operation between DPAs worldwide in enforcing privacy and data protection laws. Such an analysis aims at creating a 'wish-list', i.e. at identifying what measures could be taken to reduce barriers and to further foster co-operation. This session will be concluded by discussing what DPAs' can learn about co-operation from European and international competition law. The points in this session will be contrasted with the experience of India.
18.45 19.00	Break
19.00 19.15	Small session on big data The focus of this session will be on the challenges posed to sovereignty by cross-border law enforcement access to big data. The Belgian Yahoo-case will be discussed as it is emblematic of a reality with broad national claims to access data in a trans-border context. Indian perspectives on this topic will be taken into account.
19.15 20.00	Open discussion

Materials

Wright, David, Kush Wadhwa, Paul De Hert, and Dariusz Kloza, A Privacy Impact Assessment Framework for Data Protection and Privacy Rights, 2011. http://piafproject.eu/ref/PIAF_D1_21_Sept2011Revlogo.pdf
Hosein, Gus, and Simon Davies, Empirical Research of Contextual Factors Affecting the Introduction of Privacy Impact Assessment Frameworks in the Member States of the European Union, 2012. http://piafproject.eu/ref/PIAF_deliverable_d2_final.pdf
De Hert, Paul, Dariusz Kloza, and David Wright, Recommendations for a Privacy Impact Assessment Framework for the European Union, 2012. http://piafproject.eu/ref/PIAF_D3_final.pdf
Kloza Dariusz, Moscibroda Anna, Boulet Gertjan, “Improving Co-operation Between Data Protection Authorities: First Lessons from Competition Law.” in Jusletter IT. Die Zeitschrift für IT und Recht, published by Weblaw AG. http://jusletter-it.weblaw.ch/issues/2013/20-Februar-2013/2128.html
Kloza Dariusz, “Public voice in privacy governance: lessons from environmental democracy”, in Erich Schweighofer (ed.), KnowRight 2012 conference proceedings [forthcoming].

Other resources

PHAEDRA project: http://www.phaedra-project.eu

PIAF project: http://piafproject.eu
PIAw@tch, the PIA observatory: http://piawatch.eu

The Speakers

Gertjan Boulet

Gertjan Boulet holds a joint LL.M/MPhil (2010) from Leuven University (Belgium) and Tilburg University (the Netherlands) where he successfully completed a Research Master of Laws programme focused on legal methods and interdisciplinary research. He started to work as a doctoral researcher at the Research Group on Law, Science, Technology and Society (LSTS) at the Vrije Universiteit Brussel in January 2013 for the EU-funded research project 'Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities' (PHAEDRA). Before, he was a freelance researcher at VUB, and became a member of the programming committee of the annual conference 'Computers, Privacy & Data Protection' (CPDP). Prior to joining the Vrije Universiteit Brussel, Gertjan worked for the Brussels Airport Company (2010) and the law firm DLA Piper (2011). He also completed internships at the Belgian Public Prosecutor (2007), the Constitutional Court of Belgium (2012) and the Belgian Privacy Commission (2013).

Gertjan Boulet

Dariusz Kloza

Dariusz (Darek) Kloza is a doctoral researcher at the Research Group on Law, Science, Technology, and Society (LSTS) and the Institute for European Studies (IES) at Vrije Universiteit Brussel (VUB). He holds both an LL.M. in Law and Technology (2010) from the Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University (with distinction) and a master degree in law from University of Białystok (2008). He was also an exchange student at University of Copenhagen (2007-2008). His research is focused on fundamental rights in the digital era (especially privacy and data protection), liability of intermediary service providers and private international law. His doctoral research focuses on positive procedural obligations for privacy and data protection from the European perspective.

He has been involved in researching privacy and data protection issues in a number of EU co-funded projects, such as PIAF (Privacy Impact Assessment Framework for data protection and privacy rights), PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities) and ADVISE (Advanced Video Surveillance archives search Engine for security applications). He has also contributed to the work of the European Commission’s Task Force for Smart Grids, aimed at ensuring high level of privacy and personal data protection in smart grids/metering.

Dariusz Kloza

For more details visit https://cis-india.org/internet-governance/events/privacy-meeting-brussels-bangalore

Connaught Summer Institute on Monitoring Internet Openness and Rights

praskrishna — 2013-07-26T09:17:45Z

Malavika Jayaram is a speaker at this event being held at the Munk School of Global Affairs, Bloor Street West.

Click to read the original posted on Citizen Lab website

Monday, July 22, 2013

Location: Munk School of Global Affairs (Observatory Site), 315 Bloor Street West (map)

14:00 - 17:00	Meet and Greet at the Citizen Lab Participants are free to drop by the Lab between 2:00-5:00 pm to see the space and meet with Citizen Lab researchers. Participants should go to the reception desk on the first floor and have the receptionist call the Lab.

Tuesday, July 23, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 09:15	Opening Remarks
09:15 - 10:45	Tutorial "Welcome to Oz: Beyond a Black and White Debate on Internet Regulation (and Control)" – Jon Penney (Berkman Centre/Oxford Internet Institute/Citizen Lab) and Ryan Budish (Berkman Centre/Herdict)
10:45 - 11:00	Break
11:00 - 12:00	Commercialization of Information Controls "Regulators, Politicians, and Deep Packet Inspection: Who's Driving What and Why" – Chris Parsons (University of Victoria) "Fingerprinting Internet Filtering Products" – Jakub Dalek (Citizen Lab) "Cash Rules Everything Around Me: The Commercialization of Online Spying" – Bill Marczak (UC Berkeley)
12:00 - 13:45	Lunch
13:45 - 14:45	Circumvention / Attacks 1 "Collateral Freedom" – David Robinson (Robinson + Yu) "Remedy: Relays Monitoring and Deployment" – KheOps (Telecomix) "Fake Domain Attacks on Civil Society Groups" – Michael Carbone (Access)
14:45 - 15:45	Characterization / Measurement 1 "Iran through the Eyes of Big Data" – Collin Anderson (Independent Researcher) "Measurement, Detection, and Comparison of Surveillance Data" – Praveen Selvasekaran (Simple Tech Life) "Filbaan: What is Filtered Today?"
15:45 - 16:00	Break
16:00 - 16:45	Identity Systems and Monitoring "Desperately Seeking the Names: Examining the Historical Progression of Real Name Policies on the Chinese Internet" – Lianrui Jia (Carleton University) "India's Civil Liberties Crisis: Digital Free Will in Free Fall" – Malavika Jayaram (Centre for Internet and Society, Bangalore)
17:00 - 18:30	Poster and Demo Session Light refreshments will be served "User-side Approach for Censorship Detection: Home-router and Client-based Platforms" – Giuseppe Aceto (University of Naples Federico II) "The Cyber Losers" – Aaron Brantly and Katrin Verclas (National Democratic Institute) "What is the Impact of Internet Censorship in China?" – Carlotta James (Psiphon Inc.) "Open Integrity Index" – Jun Matsushita "M-Lab: Exploring the Possibilities for Open, Global Censorship and Surveillance Detection" – Stephen Soltesz (Open Technology Institute) and Meredith Whittaker (Google Research) "Mapping Google: Global Business Infrastructure and Implications for Openness " – John Harris Stevenson (University of Toronto) "Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC" – Greg Wiseman (Citizen Lab) "The Growth and Spread of Cyberspace Controls" – Benjamin Zaiser (Free University of Berlin)

Wednesday, July 24, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Characterization / Methodology 2 "Refining the Tor Censorship Detector" – Sam Burnett (Georgia Tech) "From Internet Security to Internet Freedom: The case of the RPKI" – Sharon Goldberg (Boston University) "Running Software in Albuquerque to Measure Censorship Anywhere" – Jeffrey Knockel (University of New Mexico) "Social Media as Labratory: What We Can Learn about Chinese Politics from Sina Weibo Censorship and Online Discussion" – Jason Q. Ng (Citizen Lab)
10:20 - 11:00	Break
11:00 - 12:00	Circumvention 2 "VPNthnography: Hacking the Great Firewall for Fun and Profit" "Economics of Web Proxy Networks" – Bennett Haselton (Peace Fire/Citizen Lab) "Censors Working Overtime" – Karl Kathuria (Psiphon Inc.)
12:00 - 14:00	Lunch
14:00 - 15:30	Tutorial "Network Censorship Techniques, Detection, and Localization" – Nick Weaver (ICSI)
15:30 - 16:00	Break
16:00 - 17:30	Panel: Bridging Activism and Research (5 minute talks + discussion) Ali Bangi (ASL19 / Citizen Lab) Stefania Milan (Tillburg University) Deji Olukotun (PEN) John Scott-Railton (Citizen Lab / UCLA) 'Gbenga Sesan (Paradigm Initiative Nigeria)

Thursday, July 25, 2013

Location: Campbell Conference Room, South House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

08:00 - 09:00	Breakfast
09:00 - 10:20	Jurisdictions and Borders Online "Cyberconflict and the Legal-Territorial Paradox" – Cameran Ashraf (UCLA) "Beyond Borders: Legislative Challenges to the Management of Records in the Cloud" – Elaine Goh (University of British Columbia) "Civil Society 2.0: The Global Struggle to Govern the Democratic Impacts of ICTs" – Muzammil M. Hussain (University of Michigan) "The Anti-Counterfeiting Trade Agreement and the Networked Public Sphere: How to avoid a Convergent Crisis" – James Losey (Open Technology Institute)
10:20 - 10:40	Break
10:40 - 12:10	Tutorial "Ranking Companies on Digital Rights: Challenges and Synergies" – Rebecca MacKinnon (New America Foundation)
12:10 - 14:00	Lunch
14:00 - 15:30	Surveillance and Monitoring "Revisiting Webtapping: Learning From Five Years’ of U.S. Cyber and Intel Policy" – Chris Bronk (Rice University) "Who Watches the Watchmen?: Detecting Stealth and Unattributed Information Controls" – Herve Saint Louis (University of Toronto) "IX Maps" – Andrew Clement (University of Toronto) "Technologies of Control, ‘National Security’ and Systemic Abuse of Minorities in the East and Horn of Africa" – Clara Gutteridge (Equal Justice Forum)
15:30 - 15:45	Break
15:45 - 16:30	Closing Discussion on Interdisciplinary Research and Information Controls

Friday, July 26, 2013

Location: Rooms 108, 208 and Basement, North House, Munk School of Global Affairs (Trinity site), 1 Devonshire Place (map)

10:00 - 14:00

Breakout Sessions

Light refreshments will be served

The half day will be dedicated to giving participants the opportunity to break into small groups to further discuss, share, and hack on topics raised during the workshop.

Sponsor

The workshop is sponsored by University of Toronto's Connaught Fund. Since it was founded in 1972, the fund has invested more than $1 million in projects that span across the disciplines.

For more details visit https://cis-india.org/news/citizenlab-summer-institute-on-monitoring-internet-openness-and-rights

Report on the 5th Privacy Round Table meeting

maria — 2013-07-26T08:24:27Z

This report entails an overview of the discussions and recommendations of the fifth Privacy Round Table in Calcutta, on 13th July 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

In 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of seven multi-stakeholder round table meetings on “privacy” from April 2013 to October 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the seven Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Roundtable: 24 August 2013
New Delhi Final Roundtable and National Meeting: 19 October 2013

Following the first four Privacy Round Tables in Delhi, Bangalore, Chennai and Mumbai, this report entails an overview of the discussions and recommendations of the fifth Privacy Round Table meeting in Kolkata, on 13th July 2013.

Presentation by Mr. Reijo Aarnio – Finnish Data Protection Ombudsman

The fifth Privacy Round Table meeting began with a presentation by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman. In particular, Mr. Aarnio initiated his presentation by distinguishing privacy and data protection and by emphasizing the need to protect both equally within a legal framework. Mr. Aarnio proceeded by highlighting that 96 percent of the Finnish community believes that data protection is necessary, especially since it is considered to play an essential role in the enhancement of the self-determination of the individual. Fuerthermore, Mr. Aarnio pointed out that the right to privacy in Finland in guaranteed under section 10 of the Finnish constitution.

The Finnish Data Protection Ombudsman argued that in order for India to gain European data protection adequacy, the implementation of a regulation for data protection in the country is a necessary prerequisite. Mr. Aarnio argued that although the draft Privacy (Protection) Bill 2013 provides a decisive step in regulating the use of data, the interception of communications and surveillance in India, it lacks in defining the data controller and the data subject, both of which should be legally specified.

In order to support his argument that India needs privacy legislation, the Ombudsman clarified the term “data protection” by stating that it relates to the following:

individual autonomy
the right to know
the right to live without undue interference
the right to be evaluated on the basis of correct and relevant information
the right to know the criteria automatic decision-making systems are based on
the right to trust data security
the right to receive assistance from independent authorities
the right to be treated in accordance with all other basic rights in a democracy
the right to have access to public documents
the freedom of speech

In addition to the above, Mr. Aarnio argued that the reason why data protection is important is because it ensures the respect for human dignity, individual autonomy and honor.

The Finnish Data Protection Ombudsman gave a brief overview of the development and history of data protection, by citing the oathe of Hippokrates, the Great Revolutions and World War II, all throughout which data protection has gained increased significance. Mr. Aarnio pointed out that as a result of the development and proliferation of technology, societies have evolved and that data protection is a major component of the contemporary Information Society. The Ombudsman stated that in the Information Society, information is money and open data and big data are products which are being commercialised and commodified. Hence, in order to ensure that human rights are not commericalised and commodified in the process, it is necessary to establish legal safeguards which can prevent potential abuse.

Article 8 of the European Charter of Fundamental Rights guarantees the protection of personal data. Mr. Aarnio argued that the Parliament is the most important data protection authority in Europe and that privacy is legally guaranteed on three levels:

Protection of personal life: The Criminal Code (chapter 24) addresses and protects freedom of speech and secrecy regulations
Communication: Protection of content and traffic data
Data Protection: The Personal Data Act creates Right to Know and to affect/impact, the right to organise one's personal life, automatic processing of personal data and maintenance of register

The Ombudsman also referred to the Directive 95/46/EC of the European Parliament of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Mr. Aarnio argued that in the contemporary ecosystem of the Information Society, countries need “Privacy by Design”, which entails the description of the processing of personal data and the evaluation of its lawfulness. In particular, the purpose for the collection and processing of data should be legally defined, as well as whether such data will be shared with third parties, disclosed and/or retained. The Ombudsman argued that India needs to define its data controllers and to legally specify their roles, in order to ensure that the management of data does not result in the infringement upon the right to privacy and other human rights.

The Finnish Data Protection Ombudsman concluded his presentation by stating that data security is not only a technological matter, but also – and in some cases, mostly – a legal issue, which is why India should enact the draft Privacy (Protection) Bill 2013.

Discussion of the draft Privacy (Protection) Bill 2013

Chapter I: Definitions

The discussion of the draft Privacy (Protection) Bill 2013 commenced with a debate on whether such a Bill is necessary at all, given that section 43 of the IT Act is considered (by participants at the round table) to regulate the protection of data. It was pointed out that although section 43 of the Information Technology Act provides some rules for data protection, the Committee has stated that these rules are inadequate. In particular, India currently lacks statutory provisions dealing with data protection and rules are inadequate because they are subject to parliamentary debate, and the Parliament does not have the right to vote on rules. The Parliament does not have the right to amend rules, which means that it does not have the right to amend the rules on data protection under the IT Act. Since the rules under section 43 of the IT Act are not subject to parliamentary review, India needs a seperate privacy statutue. Hence, the round table reached a consensus on the discussion of the draft Privacy (Protection) Bill 2013.

Personal data is defined in the draft Privacy (Protection) Bill 2013 as any data which relates to a natural person, while sensitive personal data is defined as a subset of personal data, such as biometric data, medical history, sexual preference, political affiliation and criminal history. It was pointed out that race, religion and caste are not included in the Bill's definition for sensitive personal data because the Government of India refuses to acknowledge these types of information as personal data. According to the Government, the collection of such data is routine and there have been no cases when such data has been breached, which is why race, religion and caste should not be included in the definition for sensitive personal information. However, the last caste sensus took place in 1931 and since then there has been no caste sensus, because it is considered to be a sensitive issue. This contradictory fact to the government's position was pointed out during the round table meeting.

A participant argued that financial information should be included within the definition for sensitive personal data. This was countered by a participant who argued that India has the Credit Information Companies Act which covers credit information and sets out specific information for the protection of credit data by banks and relevant companies. Yet the question of whether general financial information should be included in the definition for sensitive personal data was further discussed, and many participants supported its inclusion in the definition.

The question of whether IP addresses should be included in the definition for personal data was raised. The response to this question was that IP addresses should be included in the definition since they relate to the identification of a natural person. However, the question of whether a specific IP address is considered personal data, as many individuals use the Web through the same IP address, remained unclear. Other participants raised the question of whether unborn humans and deceased persons should have privacy rights. The response to this was that in India, only the court can decide if a deceased person can have the right to privacy.

The controversy between the UID project and the protection of biometric data under the definition for sensitive personal information was discussed in the round table. In particular, it was pointed out that because the UID scheme requires the mass biometric collection in India is contradictory to the protection of such data under the Bill. As the UID scheme remains unregulated, it is unclear who will have access to the biometric data, who it will be shared with, whether it will be disclosed and retained and if so, for how long. All the questions which revolve around the implementation of the UID scheme and the use of the biometric data collected raise concerns in regards to what extent such data can realistically be protected under privacy legislation.

On this note, a participant mentioned that under EU regulation, an ID number is included in the definition for sensitive personal information and it was recommended that the same is added in India's draft Privacy (Protection) Bill 2013. Furthermore, a participant recommended that fingerprints are also included in the definition for sensitive personal data, especially in light of the NPR and UID scheme.

A participant argued that passwords should also be included in the definition for sensitive personal data, as well as private keys which are used for encryption and decryption. It was pointed out that section 69 of the IT Act requires the disclosure of encryption keys upon the request from authorities, which potentially can lead to the violation of privacy and other human rights. Hence the significance of protecting passwords and encryption keys which can safeguard data was highly emphasized and it was argued that they should definitely be included in the definition for sensitive personal data. This position was countered by a participant who argued that the Government of India should have access to private encyrption keys for national security purposes.

On the definition of sensitive personal data, it was emphasized that this term should relate to all data which can be used for discrimination, which is why it needs to be protected. It was further emphasized that it took Europe twelve years to reach a definition for personal data, which is why India still needs to look at the issue in depth and encounter all the possible violations which may potentially occur from the non-regulation of various types of data. Most participants agreed that financial information, passwords and private encryption keys should be added in the definition for sensitive personal data.

The fifth round table entailed a debate on whether political affiliation should be included in the definition for sensitive personal data. In particular, one participant argued that political parties disclose the names of their members and that in many cases they are required to do in order to show their source of income. Hence, it was argued that political affiliation should not be included in the definition for sensitive personal data, since it is not realistic to expect political parties to protect their members' privacy. This was countered by other participants who argued that anonymity in political communications is important, especially when an individual is in a minority position, which is why the term political affiliation should be included in the definition for sensitive personal data.

The discussion on the definitions in the draft Privacy (Protection) Bill 2013 concluded with comments that the definiton for surveillance is very exclusive of many types of surveillance. In particular, it was argued that the definition for surveillance does not appear to cover artificial intelligence, screen shots and various other forms of surveillance, all of which should be regulated.

Chapter II: Right to Privacy

Section 4 of the draft Privacy (Protection) Bill 2013 states that all natural persons have a right to privacy. Section 5 of the Bill includes exemptions to the right to privacy. On this note, it was pointed out that during the round table that there is no universal definition of privacy and thus it is challenging to define the term and to regulate it. Furthermore, the rapid pace at which technology is proliferating was emphasized, along with its impact on the right to privacy. For example, it was mentioned that emails were not covered by privacy legislation in the past, but this needs to be amended accordingly. The European Data Protection Directive was established in 1995 and does not regulate many privacy issues which arise through the Internet, which is why it is currently being reviewed. Similarily, it was argued that privacy legislation in India should encompass provisions for potential data breaches which may occur through the Internet and various forms of technology.

A participant argued that the draft Privacy (Protection) Bill 2013 should include provisions for data subjects, which enable them to address their rights. In particular, it was argued that data subjects should have the right to access information collected and retained about them and that they should have the right to make corrections. The reponse to this comment was that the Bill may be split into two seperate Bills, where the one would regulate data protection and the other would regulate the interception of communications and surveillance, while the data subject would be addressed extensively. Furthermore, participants raised questions of how to define the data controller and the data subjects within the Indian context.

Other questions which were raised during the round table included whether spam should be addressed by the Bill. Several participants argued that spam should not be regulated, as it is not necessarily harmful to data subjects. Other participants argued that the isse of access to data should be addressed prior to the definition of privacy. Another argument was that commerical surveillance should not be conducted within restrictions, which is why it should not be inlcuded in the exemptions to the right to privacy. It was also pointed out that residential surveillance should be allowed, as long as the cameras are pointed inwards and do not capture footage of third parties outside of a residence. On this note, it was argued that surveillance in the work place should also be exempted from the right to privacy, as that too can be considered the private property of the owner. Moreover, it was emphasized that the surveillance of specific categories of people should also be excluded from the exemptions to the right to privacy.

A participant argued that in some cases, NGOs may be collecting information for some “beneficial purpose” and that such cases should be excluded from the exemptions to the right to privacy. Other participants argued that in many cases, data needs to be collected for market research and that the Bill should regulate what applies in such cases. All such arguments were countered by a participant, who argued that Section 5 of the Bill on the exemptions to the right to privacy should be deleted, as it creates to many complications. This recommendation was backed up by the example of a husband capturing a photograph of his wife and then publishing the image without her consent.

During this discussion, a participant raised the question of to what extent the right to privacy applies to minors. This question was supported by the example of Facebook, where many minors have profiles but the extent to which this data is protected remains ambiguous. Furthermore, it was pointed out that it remains unclear whether privacy legislation can practically safeguard minors who choose to share their data online. A participant responded to these concerns by stating that Facebook is a data controller and has to comply with privacy law to protect its customers' data. It was pointed out that it does not matter if the data controller is a company or an NGO; in every case, the data controller is obliged to comply with data protection law and regulations.

Furthermore, it was pointed out that Facebook allows for minors aged 13 to create a profile, while it remains unclear how minors can enforce their privacy rights. In particular, it remains unclear how the mediated collection of minors' data can be regulated and it was recommended that this is addressed by the Bill. A participant replied to this by stating that Indian laws rule in favour of minors, but that this simultaneously remains a grey area. In particular, it was pointed out that rules under section 43 of the Information Technology (IT) Act cover Internet access by minors, but this still remains an unclear area which needs further debate and analysis.

The question which prevailed at the end of the discussion of Chapter 2 of the Bill was on the social media and minors, and on how minors' data can be protected when it is being published immediately through the social media, such as Facebook. Furthermore, it was recommended that the Bill addresses the practical operationalisation of the right to privacy within the Indian context.

Chapter III: Protection of Personal Data

The discussion of Chapter 3 of the draft Privacy (Protection) Bill 2013 on the protection of personal data commenced with a reference to the nine privacy principles of the Justice AP Shah Justice Committee. The significance of the principles of notice and consent were outlined, as it was argued that individuals should have the right to be informed about the data collected about them, as well as to have the rigt to access such data and make possible corrections.

Collection of Personal Data

The discussion on the collection of personal data (as outlined in Section 6 of Chapter 3 of the Bill) commenced with a participant arguing that a company seeking to collect personal data should always have a stated function. In particular, a company selling technological products or services should not collect biometric data, for example, unless it serves a specified function. It was pointed out that data collection should be restricted to the specified purposes. For example, a hospital should be able to collect medical data because it relates to its stated function, but an online company which provides services should not be eligible to collect such data, as it deviates from its stated function.

During the discussion, it was emphasized that individuals should have the right to be informed when their data is being collected, which data is being collected, the conditions for the disclosure of such data and everything else that revolves around the use of their data once it has been collected. However, a participant questioned whether it is practically feasible for individuals to provide consent to the collection of their data every time it is being collected, especially since the privacy policies of companies keep changing. Moreover, it was questioned whether companies can or should resume the consent of their customers once their privacy policy has changed. On this note, a participant argued that companies should be obliged to notify their customers every time their privacy policy changes and every time the purpose behind their data collection changes.

On the issue of consent for data collection, a participant argued that individuals should have the right to withdraw their consent, even after their data has been collected and in such cases, such data should be destroyed. This was countered by another participant who argued that it is not realistic to expect companies to acquire individual consent every time the purpose behind data collection changes, nor is it feasible to allow for the withdrawal of consent without probable cause.

The issue of indirect consent to the collection of personal data was raised and, in particular, several participants argued that the Bill should have provisions which would regulate circumstances where indirect consent can be obtained for the collection of personal data. Furthermore, it was emphasized that the Bill should also include a notice for all potential purposes of data collection which may arise in the future; if the purpose for data collection changes based on conditions specified, then companies should not be mandated to notify individuals. Moreover, a participant argued that the Bill should include provisions which would enable individuals to opt-in and/or opt-out from data collection.

On the issue of consent, it was further outlined that consent provides a legitimate purpose to process data and that the data subject should have the right to be informed prior to the collection of his or her data. However, it was emphasized that the draft Privacy (Protection) Bill 2013 is a very strict regulation, as consent cannot always be acquired prior to data collection, because there are many cases where this is not practically feasible. It was pointed out that in the European Data Protection Directive, it is clear that consent cannot always be acquired prior to data collection. The example of medical cases was mentioned, as patients may not always be capable to provide consent to data collection which may be necessary.

In particular, it was highlighted that the European Data Protection Directive includes provisions for the processing of personal data, as well as exceptions for when consent is not required prior to data collection. The Directive guarantees the legitimate interest of the data controller and data processing is based upon the provisions of privacy legislation. The outsourcing of data is regulated in the European Union, and it was recommended that India regulates it too. Following this comment, it was stated that the recent leaks on the NSA's surveillance raise the issue of non-consentual state collection of data and non-consentual private disclosure of data and a brief debate revolved around these issues in the round table.

On the issue of mediated data collection, the situations in which collected data is mediated by third parties was analysed. It was recommended that the law is flexible to address the various types of cases when collected data is mediated, such as when a guardian needs to handle and take decisions for data of a mentally disabled person being collected. However, it was pointed out that mediated data collection should be addressed sectorally, as a doctor, for example, would address mediated data in a different manner than a company. It was emphasized that specific cases – such a parent taking a mediated decision on the data collection of his or her child – should be enabled, whereas all other cases should be prohibited. Thus it was recommended that language to address the mediated collection of data should be included in the Bill.

A participant raised the question of whether there should be seperate laws for the private collection of data and state collection of data. It was mentioned that this is the case in Canada. Another question which was raised was what happens when state collectors hire private contractors. The UID was brought as an example of state collection of data, while private contractors have been hired and are involved in the process of data collection. This could potentially enable the collection and access of data by unauthorised third parties, to which individuals may have not given their consent to. Thus it was strongly recommended that the Bill addresses such cases and prevents unauthorised collection and access of data.

The discussion on the collection of personal data ended with an interesting test case study for privacy: should the media have the right to disclose individuals' personal data? A debate revolved around this question and participants recommended that the Bill regulates the collection, processing, sharing, disclosure and retention of personal data by the media.

Retention of Personal Data

The discussion on the retention of personal data commenced with the statement that there are various exceptions to the retention of data in India, which are outlined in various court cases. It was pointed out that data should be retained in compliance with the law, but this is problematic as, in various occasions, a verbal order by a policeman can be considered adequate, but this can potentially increase the probability for abuse. A question which was raised was whether an Act of Parliament should allow for the long term storage of data, especially when there is inadequate data to support its long-term retention. It was pointed out that in some cases there are laws which allow for the storage of data for up to ten years, without the knowledge – let alone the consent – of the individual. Thus, the issue of data retention in India remains vague and should be addressed by the draft Privacy (Protection) Bill 2013.

Questions were raised on the duration of data retention periods and on whether there should be one general data retention law or several sectoral data retention laws. The participants disagreed on whether an Act of Parliament should regulate data retention or whether data retention should be regulated by sectoral authorities. A participant recommended “privacy by design” and stated that the question of data retention should be addressed by data controllers. Other participants raised the question of purpose limitation, especially for cases when data is being re-retained after the end of its retention period. A participant recommended that requirements for the anonymisation of data once it has exceeed its retention period should be established. However, this proposal was countered by participants who argued that the pracitcal enforcement of the anonymisation of retained data is not feasible within India.

Destruction of Personal Data

The retention of personal data can be prevented once data has been destroyed. However, participants argued that various types of data are being collected through surveillance products which are controlled by private parties. In such cases, it was argued that it remains unclear how it will be verified that data has indeed being destroyed.

A participant argued that the main problem with data destruction is that even if data has been deleted, it can be retrieved up to seven times; thus the question which arises is how can individuals know if their data has been permanently destroyed, or if it is being secretly retrieved. Questions were raised on how the permanent retention of data can be prevented, especially when even deleted data can be retrieved. Hence it was recommended that information security experts cooperate with data controllers and the Privacy Commissioner, to ensure that data is permanently destroyed and/or that data is not being accessed after the end of its retention period. Such experts would ensure that data is actually being destroyed.

Another participant pointed out the difference between the wiping of data and the deletion of data. In particular, the participant argued that data is being deleted when it is being overwritten by other data, and can potentially be recovered. Wiping of data, on the other hand, involves the wiping out of data which can never be recovered. The participant recommended that the Bill explicitly states that data is wiped out in order to ensure that data is not being indirectly retained.

Processing of Personal Data

The dicsussion on the processing of personal data began with the question of national archives. In particular, participants argued that if the processing of data is strictly regulated, that would restrict access to national archives and the draft Privacy (Protection) Bill 2013 should address this issue.

Questions were raised on the non-consentual processing of personal data and on how individual consent should be acquired prior to the processing of personal data. It was pointed out that the Article 29 Working Party has published an Opinion on purpose limitation with regards to data processing and it was recommended that a similar approach is adopted in India.

Furthermore, it was stated that IT companies are processing data from the EU and the U.S., but it remains unclear how individual consent can be obtained in such cases. A debate evolved on how to bind foreign data processors to meet the data requirements of India, as a minimum prerequisite to ensure that outsourced data is not breached. In light of the Edward Snowden leaks of NSA surveillance, many questions were raised on how Indian data outsourced and stored abroad can be protected.

It was highlighted during the round table that all data processing in India requires certification, but since the enforceability of the contracts relies on individuals, this raises issues of data security. Moreover, questions were raised on how Indian companies can protect the data of their foreign data subjects. Thus, it was recommended that the processing of data is strictly regulated through the draft Privacy (Protection) Bill 2013 to ensure that outsourced data and data processed in the country is not breached.

Security of Personal Data

On the issue of data security, the participants argued that the data subject should always be informed in cases when the confidentiality of their personal data is violated. Confidentiality is usually contractually limited, whereas secrecy is not, which is why both terms are included in the draft Privacy (Protection) Bill 2013. In particular, secrecy is usually used for public information, whereas confidentiality is not.

Participants argued that the Bill should include restrictions on the media, in order to ensure that the confidentiality and integrity of their sources' data is preserved. Several participants stated that the Bill should also include provisions for whistleblowers which would provide security and confidentiality for their data. The participants of the round table engaged in a debate on whether the media should be strictly regulated in order to ensure the confidentiality of their sources' data. On the one hand, it was argued that numerous data breaches have occured as a result of the media mishandling their sources' data. On the other hand, it was stated that all duties of secrecy are subject to the public interest, which is why the media reports on them and which is why the media should not be restricted.

Disclosure of Personal Data

The discussion on the disclosure of personal data commenced with participants pointing out that the draft Privacy (Protection) Bill 2013 does not include requirements for consent prior to the disclosure of personal data, which may potentially lead to abuse. Questions were raised on the outsourcing of Indian data abroad and on the consequences of its foreign disclosure. Once data is outsourced, it remains unclear how the lawful disclosure or non-disclosure of data can be preserved, which is why it was recommended that the Bill addresses such issues.

A participant argued that there is a binding relationship between the data controller and the data subject and that disclosure should be regulated on a contractual level. Another participant raised the question of enforcement: How can regulations on the disclosure of personal data be enforced? The response to this question was that the law should focus on the data controller and that when Indian data is being outsourced abroad, the Indian data controller should ensure that the data subjects' data is not breached. However, other participants raised the question of how data can be protected when it is outsourced to countries where the rule of law is not strong and when the country is considered inadequate in terms of data protection.

With an increased transnational flow of information, questions arise on how individuals can protect their information. A participant recommended that it should be mandatory for companies to state in their contracts who they are outsourcing data to and whether such data will be disclosed to third parties. However, this proposal as countered by a participant who argued that even if this was inforced, it is still not possible to enforce the rights of an Indian data subject in a country which does not have a strong rule of law or which generally has weak legislation. A specific example was mentioned, where E.G. Infosys and Wipro Singapore have a contractual agreement and Indian data is outsourced. It was pointed out that if such data is breached, it remains unclear if the individual should address this issue to Wipro India, as well as which law should apply in this case and whether companies should be liable.

A participant suggested that the data controller discloses data without having acquired prior consent, if the Government of India requests it. However, this was countered by a participant who argued that even in such a case, the question of regulating access to data still remains. Other participants argued that the Right to Information Act has been misused and that too much information is currently being disclosed. It was recommended that the Right to Information Act is amended and that the Bill includes strict regulations for the disclosure of personal data.

Meeting Conclusion

The fifth Privacy Round Table meeting commenced with a presentation on privacy and data protection by Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, and proceeded with a discussion of the draft Privacy (Protection) Bill 2013. The participants engaged in a heated debate and provided recommendations for the definitions used in the Bill, as well as for the regulation of data protection. The recommendations for the improvement of the draft Privacy (Protection) Bill 2013 will be considered and incorporated in the final draft.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-5th-privacy-round-table

Snooping technology: Will CMS work in India?

praskrishna — 2013-07-22T07:19:02Z

The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.

Pierre Fitter's article was published in FirstPost on July 17, 2013. Pranesh Prakash is quoted.

Several articles have raised valid questions about privacy violations, including this one by Danish Raza. Elsewhere, Pranesh Prakash has raised important points about how CMS may actually violate several laws and at least one Supreme Court verdict.

I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?

	Encryption In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

Encryption

In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistle blower Edward Snowden himself used encrypted email to communicate with journalists at the Guardian. In an online chat where he took questions from the public, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the eavesdropping behemoth created of the NSA.

It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India has been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.

Over the years it has become easier to encrypt one’s communication. YouTube tutorials train even novice users to set up email encryption within minutes. Phone calls, text messages and online chats can also be encrypted with free, easy-to-install apps.

The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that it took them four years to factor a 768-bit integer. They estimated it would take 1,000 times longer to factorise a 1024-bit integer. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.

Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.

What about ‘Metadata’?

It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses remain unencrypted, else the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.

However, this method of tracing criminals has a limitation. Programs such as TOR and Hotspot Shield disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.

There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!

To make untraceable phone calls, terrorists have been known to use “burner” phones. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged using even more untraceable.

Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to turn off their phones and remove the battery to prevent being tracked even while not on a call.

So what is CMS good for?

If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come off the mass hoovering of data of ordinary citizens’?

Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.

Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.

Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.

What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview. Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?

These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.

For more details visit https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology

You Have the Right to Remain Silent

nishant — 2013-07-22T06:59:53Z

Reflecting upon the state of freedom of speech and expression in India, in the wake of the shut-down of the political satire website narendramodiplans.com.

Nishant Shah's column was published in Down to Earth on July 17, 2013.

It took less than a day for narendramodiplans.com, a political satire website that had more than 60,000 hits in the 20 hours of its existence, to be taken down. A simple webpage that showed a smiling picture of Narendra Modi, the touted candidate for India’s next Prime Ministerial campaign, flashing his now trademark ‘V’ for ~~Vengeance~~ Victory sign. At the first glimpse it looked like another smart media campaign by the net-savvy minister who has already made use of the social web quite effectively, to connect with his constituencies and influence the younger voting population in the country. Below the image of Mr. Modi was a text that said, "For a detailed explanation of how Mr. Narendra Modi plans to run the nation if elected to the house as a Prime Minister and also for his view/perspective on 2002 riots please click the link below." The button, reminiscent of 'sale' signs on shops that offer permanent discounts, promised to reveal, for once and for all, the puppy plight of Mr. Modi's politics and his plans for the country that he seeks to lead.

However, when one tried to click on the button, hoping, at least for a manifesto that combined the powers of Machiavelli with the sinister beauty of Kafka, it proved to be an impossible task. The button wiggled, and jiggled, and slithered all over the page, running away from the mouse following it. Referencing the layers of evasive answers, the engineered Public Relations campaigns that try to obfuscate the history to some of the most pointed questions that have been posited to the Modi government through judicial and public forums, the button never stayed still enough to actually reveal the promised answers. For people who are familiar with the history of such political satire and protest online would immediately recognise that this wasn’t the most original of ideas. In fact, it was borrowed from another website - http://www.thepmlnvision.com/ that levelled similar accusations of lack of transparency and accountability on the part of Nawaz Sharif of Pakistan. Another instance, which is now also shut down, had a similar deployment where the webpage claimed to give a comprehensive view into Rahul Gandhi’s achievements, to question his proclaimed intentions of being the next prime-minister. In short, this is an internet meme, where a simple web page and a java script allowed for a critical commentary on the future of the next elections and the strengthening battle between #feku and #pappu that has already taken epic proportions on Twitter.

The early demise of these two websites (please do note, when you click on the links that the Nawaz Sharif website is still working) warns us of the tightening noose around freedom of speech and expression that politicos are responsible for in India. It has been a dreary last couple of years already, with the passing of the Intermediaries Liabilities Rules as an amendment to the IT Act of India, Dr. Sibal proposing to pre-censor the social web in a quest to save the face of erring political figures, teenagers being arrested for voicing political dissent, and artists being prosecuted for exercising their rights to question the state of governance in our country. Despite battles to keep the web an open space that embodies the democratic potentials and the constitutional rights of freedom of speech and expression in the country, it has been a losing fight to keep up with the ad hoc and dictatorial mandates that seem to govern the web.


Above is a screen shot from narendramodiplans.com website

We have no indication of why this latest piece of satirical expression, which should be granted immunity as a work of art, if not as an individual’s right to free speech, was suddenly taken down. The website now has a message that says, “I quit. In a country with freedom of speech, I assumed that I was allowed to make decent satire on any politician more particularly if it is constructive. Clearly, I was wrong.” The web is already abuzz with conspiracy theories, each sounding scarier than the other because they seem so plausible and possible in a country that has easily sacrificed our right to free speech and expression at the altar of political egos. And whether you subscribe to any of the theories or not, whether your sympathies lie with the BJP or with the UPA, whether or not you approve of the political directions that the country seems to be headed in, there is no doubt that you should be as agitated as I am, about the fact that we are in a fast-car to blanket censorship, and we are going there in style.

What happens online is not just about this one website or the one person or the one political party – it is a reflection on the rising surveillance and bully state that presumes that making voices (and sometimes people) invisible, is enough to resolve the problems that they create. And what happens on the web is soon going to also affect the ways in which we live our everyday lives. So the next time, you call some friends over for dinner, and then sit arguing about the state of politics in the country, make sure your windows are all shut, you are wearing tin-foil hats and if possible, direct all conversations to the task of finally finding Mamta Kulkarni. Because anything else that you say might either be censored or land you in a soup, and the only recourse you might have would be a website that shows the glorious political figures of the country, with a sign that says “To defend your right to free speech and expression, please click here”. And you know that you are never going to be able to click on that sign. Ever.

For more details visit https://cis-india.org/internet-governance/blog/down-to-earth-july-17-2013-nishant-shah-you-have-the-right-to-remain-silent

Can India Trust Its Government on Privacy?

pranesh — 2013-07-15T10:35:33Z

In response to criticisms of the Centralized Monitoring System, India’s new surveillance program, the government could contend that merely having the capability to engage in mass surveillance won’t mean that it will. Officials will argue that they will still abide by the law and will ensure that each instance of interception will be authorized.

Pranesh Prakash's article was published in the New York Times on July 11, 2013.

In fact, they will argue that the program, known as C.M.S., will better safeguard citizens’ privacy: it will cut out the telecommunications companies, which can be sources of privacy leaks; it will ensure that each interception request is tracked and the recorded content duly destroyed within six months as is required under the law; and it will enable quicker interception, which will save more lives. But there are a host of reasons why the citizens of India should be skeptical of those official claims.

Cutting out telecoms will not help protect citizens from electronic snooping since these companies still have the requisite infrastructure to conduct surveillance. As long as the infrastructure exists, telecom employees will misuse it. In a 2010 report, the journalist M.A. Arun noted that “alarmingly, this correspondent also came across several instances of service providers’ employees accessing personal communication of subscribers without authorization.” Some years back, K.K. Paul, a top Delhi Police officer and now the Governor of Meghalaya, drafted a memo in which he noted mobile operators’ complaints that private individuals were misusing police contacts to tap phone calls of “opponents in trade or estranged spouses.”

India does not need to have centralized interception facilities to have centralized tracking of interception requests. To prevent unauthorized access to communications content that has been intercepted, at all points of time, the files should be encrypted using public key infrastructure. Mechanisms also exist to securely allow a chain of custody to be tracked, and to ensure the timely destruction of intercepted material after six months, as required by the law. Such technological means need to be made mandatory to prevent unauthorized access, rather than centralizing all interception capabilities.

At the moment, interception orders are given by the federal Home Secretary of India and by state home secretaries without adequate consideration. Every month at the federal level 7,000 to 9,000 phone taps are authorized or re-authorized. Even if it took just three minutes to evaluate each case, it would take 15 hours each day (without any weekends or holidays) to go through 9,000 requests. The numbers in Indian states could be worse, but one can’t be certain as statistics on surveillance across India are not available. It indicates bureaucratic callousness and indifference toward following the procedure laid down in the Telegraph Act.

In a 1975 case, the Supreme Court held that an “economic emergency” may not amount to a “public emergency.” Yet we find that of the nine central government agencies empowered to conduct interception in India, according to press reports — Central Board of Direct Taxes, Intelligence Bureau, Central Bureau of Investigation, Narcotics Control Bureau, Directorate of Revenue Intelligence, Enforcement Directorate, Research & Analysis Wing, National Investigation Agency and the Defense Intelligence Agency — three are exclusively dedicated to economic offenses.

Suspicion of tax evasion cannot legally justify a wiretap, which is why the government said it had believed that Nira Radia, a corporate lobbyist, was a spy when it defended putting a wiretap on her phone in 2008 and 2009. A 2011 report by the cabinet secretary pointed out that economic offenses might not be counted as “public emergencies,” and that the Central Board of Direct Taxes should not be empowered to intercept communications. Yet the tax department continues to be on the list of agencies empowered to conduct interceptions.

India has arrived at a scary juncture, where the multiple departments of the Indian government don’t even trust each other. India’s Department of Information Technology recently complained to the National Security Advisor that the National Technical Research Organization had hacked into National Informatics Center infrastructure and extracted sensitive data connected to various ministries. The National Technical Research Organization denied it had hacked into the servers but said hundreds of e-mail accounts of top government officials were compromised in 2012, including those of “the home secretary, the naval attaché to Tehran, several Indian missions abroad, top investigators of the Central Bureau of Investigation and the armed forces,” The Mint newspaper reported. Such incidents aggravate the fear that the Indian government might not be willing and able to protect the enormous amounts of information it is about to collect through the C.M.S.

Simply put, government entities have engaged in unofficial and illegal surveillance, and the C.M.S. is not likely to change this. In a 2010 article in Outlook, the journalist Saikat Datta described how various central and state intelligence organizations across India are illegally using off-the-air interception devices. “These systems are frequently deployed in Muslim-dominated areas of cities like Delhi, Lucknow and Hyderabad,” Mr. Datta wrote. “The systems, mounted inside cars, are sent on ‘fishing expeditions,’ randomly tuning into conversations of citizens in a bid to track down terrorists.”

The National Technical Research Organization, which is not even on the list of entities authorized to conduct interception, is one of the largest surveillance organizations in India. The Mint reported last year that the organization’s surveillance devices, “contrary to norms, were deployed more often in the national capital than in border areas” and that under new standard operating procedures issued in early 2012, the organization can only intercept signals at the international borders. The organization runs multiple facilities in Mumbai, Bangalore, Delhi, Hyderabad, Lucknow and Kolkata, in which monumental amounts of Internet traffic are captured. In Mumbai, all the traffic passing through the undersea cables there is captured, Mr. Datta found.

In the western state of Gujarat, a recent investigation by Amitabh Pathak, the director general of police, revealed that in a period of less than six months, more than 90,000 requests were made for call detail records, including for the phones of senior police and civil service officers. This high a number could not possibly have been generated from criminal investigations alone. Again, these do not seem to have led to any criminal charges against any of the people whose records were obtained. The information seems to have been collected for purposes other than national security.

India is struggling to keep track of the location of its proliferating interception devices. More than 73,000 devices to intercept mobile phone calls have been imported into India since 2005. In 2011, the federal government asked various state governments, private corporations, the army and intelligence agencies to surrender these to the government, noting that usage of any such equipment for surveillance was illegal. We don’t know how many devices were actually turned in.

These kinds of violations of privacy can have very dangerous consequences. According to the former Intelligence Bureau head in the western state of Gujarat, R.B. Sreekumar, the call records of a mobile number used by Haren Pandya, the former Gujarat home minister, were used to confirm that it was he who had provided secret testimony to the Citizens’ Tribunal, which was conducting an independent investigation of the 2002 sectarian riots in the state. Mr. Pandya was murdered in 2003.

The limited efforts to make India’s intelligence agencies more accountable have gone nowhere. In 2012, the Planning Commission of India formed a group of experts under Justice A.P. Shah, a retired Chief Justice of the Delhi High Court, to look into existing projects of the government and to suggest principles to guide a privacy law in light of international experience. (Centre for Internet and Society, where I work was part of the group). However, the government has yet to introduce a bill to protect citizens’ privacy, even though the governmental and private sector violations of Indian citizens’ privacy is growing at an alarming rate.

In February, after frequent calls by privacy activists and lawyers for greater accountability and parliamentary oversight of intelligence agencies, the Centre for Public Interest Litigation filed a case in the Supreme Court. This would, one hopes, lead to reform.

Citizens must also demand that a strong Privacy Act be enacted. In 1991, the leak of a Central Bureau of Investigation report titled “Tapping of Politicians’ Phones” prompted the rights groups, People’s Union of Civil Liberties to file a writ petition, which eventually led to a Supreme Court of India ruling that recognized the right to privacy of communications for all citizens as part of the fundamental rights of freedom of speech and of life and personal liberty. However, through the 2008 amendments to the Information Technology Act, the IT Rules framed in 2011 and the telecom licenses, the government has greatly weakened the right to privacy as recognized by the Supreme Court. The damage must be undone through a strong privacy law that safeguards the privacy of Indian citizens against both the state and corporations. The law should not only provide legal procedures, but also ensure that the government should not employ technologies that erode legal procedures.

A strong privacy law should provide strong grounds on which to hold the National Security Advisor’s mass surveillance of Indians (over 12.1 billion pieces of intelligence in one month) as unlawful. The law should ensure that Parliament, and Indian citizens, are regularly provided information on the scale of surveillance across India, and the convictions resulting from that surveillance. Individuals whose communications metadata or content is monitored or intercepted should be told about it after the passage of a reasonable amount of time. After all, the data should only be gathered if it is to charge a person of committing a crime. If such charges are not being brought, the person should be told of the incursion into his or her privacy.

The privacy law should ensure that all surveillance follows the following principles: legitimacy (is the surveillance for a legitimate, democratic purpose?), necessity (is this necessary to further that purpose? does a less invasive means exist?), proportionality and harm minimization (is this the minimum level of intrusion into privacy?), specificity (is this surveillance order limited to a specific case?) transparency (is this intrusion into privacy recorded and also eventually revealed to the data subject?), purpose limitation (is the data collected only used for the stated purpose?), and independent oversight (is the surveillance reported to a legislative committee or a privacy commissioner, and are statistics kept on surveillance conducted and criminal prosecution filings?). Constitutional courts such as the Supreme Court of India or the High Courts in the Indian states should make such determinations. Citizens should have a right to civil and criminal remedies for violations of surveillance laws.

Indian citizens should also take greater care of their own privacy and safeguard the security of their communications. The solution is to minimize usage of mobile phones and to use anonymizing technologies and end-to-end encryption while communicating on the Internet. Free and open-source software like OpenPGP can make e-mails secure. Technologies like off-the-record messaging used in apps like ChatSecure and Pidgin chat conversations, TextSecure for text messages, HTTPS Everywhere and Virtual Private Networks can prevent Internet service providers from being able to snoop, and make Internet communications anonymous.

Indian government, and especially our intelligence agencies, violate Indian citizens’ privacy without legal authority on a routine basis. It is time India stops itself from sleepwalking into a surveillance state.

For more details visit https://cis-india.org/internet-governance/blog/new-york-times-july-11-2013-can-india-trust-its-government-on-piracy

How Surveillance Works in India

pranesh — 2013-07-15T10:20:45Z

When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention.

This article by Pranesh Prakash was published in the New York Times on July 10, 2013.

After a colleague at the Centre for Internet and Society wrote about the program and it was lambasted by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.

In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.

This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies. No intelligence agency in India has been created under an act of Parliament with clearly established roles and limitations on powers, and hence there is no public accountability whatsoever.

The absence of accountability has meant that the government has since 2006 been working on the C.M.S., which will integrate with the Telephone Call Interception System that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to vast quantities of raw data traversing the Internet across multiple cities, including the data going through the undersea cables that land in Mumbai.

With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.


A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. Image Credit: Anupam Nath/Associated Press

You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.

There are no laws that allow for mass surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.

Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.

Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.

Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to the cellphone records of Arun Jaitley, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).

To put the ridiculousness of the penalty in Sections 69 and 69 B of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets may be imprisoned up to three years. And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be up to one month’s imprisonment. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her constitutional right against self-incrimination. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.

As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)

Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”

Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)

In a landmark 1996 judgment, the Indian Supreme Court held that telephone tapping is a serious invasion of an individual’s privacy and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.

For more details visit https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

Is CMS a Compromise of Your Security?

praskrishna — 2013-07-15T06:27:05Z

By secretly monitoring and recording all Indians through a Central Monitoring System, our government will end up making citizens and businesses less safe.

This article appeared in the Forbes India magazine of 12 July, 2013. Sunil Abraham is quoted.

Are you reading this article on your PC or smartphone? No? Do you own a smartphone? Surely a phone then?

If you also happen to live in Delhi, Haryana or Karnataka, then from April this year nearly all your electronic communication—telephony, emails, VOIP, social networking—has been sucked up under an innocuous sounding programme called the Central Monitoring System, or CMS.

There’s no way to tell if you are being watched really, because telecom service providers aren’t part of the set-up. In most cases, they may not even be aware which of their users is being monitored. Neither can you approach a government agency or court to find out more, because there’s practically very little oversight or disclosure. What the government does with the data—how it is stored, secured, accessed or deleted—we don’t know.

Unlike the US and other Western democracies where even for a large scale programme like Prism (leaked recently by 29-year-old whistleblower and now fugitive Edward Snowden), surveillance orders need to be signed by a judge. But in India most orders are signed by either the Central or state home secretary, says Sunil Abraham, executive director for Centre for Internet and Society, Bangalore. This leads to a conflict of interest as the executive branch is both undertaking law enforcement and providing oversight on its own work.

In most cases, the officials are overwhelmed with other work, and don’t have the time to apply their minds to each request. “There is supposed to be an oversight committee that reviews the decisions of home secretaries, but we don’t have any idea about that committee either,” says Abraham.

Meanwhile, government bodies like the R&AW, Central Bureau of Investigation, National Investigation Agency, Central Board of Direct Taxes, Narcotics Control Bureau and the Enforcement Directorate will have the right to look up your data. Starting next year, all mobile telephony operators will also need to track and store the geographical location from which subscribers make or receive calls.

“I see it as the rise of techno-determinism in our security apparatus. Previously, our philosophy was to avoid infringing on individual privacy, and monitor a small set of individuals directly suspected of engaging in illegal activities. Now, thanks to the Utopianism being offered up by ‘Big Data’ infrastructure, putting everybody under blanket surveillance seems like a better way to serve our security and law enforcement agendas more effectively,” says Abraham.

There is a real risk that CMS and the numerous other monitoring programmes that will subsequently connect to it will end up harming more Indians than protecting them.

The biggest risk is that these programmes will turn into lucrative ‘honey pots’ for hackers, criminals and rival countries. Why bother hacking individuals and companies if you can attack the CMS? We’ve seen private corporations and government agencies in the US, Israel and the UK getting hacked. So let’s not have any illusions that India is going to fare much better.

Another consequence is that sooner or later innocent citizens will be wrongly accused of being criminals based on mistaken data patterns. While searching for matches in any database with hundreds of millions of records, the risk of a ‘false positive’ increases disproportionately because there are exponentially more innocents than there are guilty. And in the near-Dystopian construct of the CMS, it will take months or years for such errors to be rectified.

As more Indians become aware of these programmes, they will adopt encryption and masking tools to hide their digital selves. In the process, numerous ‘unintended consequences’ of failing to differentiate law-abiding citizens from criminals will be created. What answer will a normal citizen offer to a law enforcement official who wants to know why he or she has encrypted all communications and hosted a personal server in, say, Sweden?

But arguably the biggest threat of 24x7 surveillance is to businesses. Security and trust are the foundations atop which most modern businesses are built. From your purchase of a gadget on an ecommerce site to a large conglomerate’s secret bid in a government auction to discussions within a company on future business strategies to patent applications—everything requires secrecy and security. All an unscrupulous competitor, whether it be a company or a country, has to do to go one-up on you is to attack the CMS and other central databases.

“The reason why the USA historically decided not to impose blanket surveillance wasn’t because of human rights, but to protect its businesses and intellectual property. Because while we may be able to live in a society without human rights, we cannot be in one without functional markets,” says Abraham.

He goes on to say that the recent disclosures around the various spying programmes run by the US have made the private surveillance and security industry very happy. “Each incident becomes a case-study to pit one country against another, forcing each one to cherry-pick the worst global practices in a dangerous race to the bottom. Civil society and privacy activists don’t have the resources to fight large vendors and so the only thing that will stop this is the leak of large databases, like that of 9 million Israeli biometric records a few years back.”

Recollecting the news about a family-business break-up some years ago, where two brothers agreed to split their businesses, the net result was one brother opted out of telephony services offered by the other. All of that is now moot. “There are no more shadows now. Nobody will have refuge and everybody will be exposed,” says Abraham.

For more details visit https://cis-india.org/news/forbesindia-article-real-issue-july9-2013-rohin-dharmakumar-is-cms-a-compromise-of-your-security