Centre for Internet and Society

Digital Native: Three things we need to realise about what TikTok is doing to us

nishant — 2019-06-09T05:27:52Z

Fifteen seconds is all that will take for TikTok to own you.

The article by Nishant Shah was published in Indian Express on May 19, 2019.

If there is one thing that has been building more suspense and drama than our politicians this election season, it is the microblogging site TikTok. From complete ignominy to viral popularity, and then the dramatic ban by a high court to its resurgence offering Rs 1,00,000 daily reward prizes, #ReturnofTikTok has been trending with great enthusiasm and being embraced by the populace, who obviously think that 15-second videos are the pinnacle of human cultural production and expression. But, my friends, followers, TikTokers, I come here not to bury TikTok, but to praise it.

At first glance, TikTok appears to be just a miniaturised version of the popular social media platforms we know — YouTube, Vine, Snapchat — and merely one more step in figuring out how granular we can make our appified attention. With each video post that can only last 15 seconds, TikTok is often heralded as naturalising the new unit of attention in an informationally saturated environment. Many have looked at it as competition to the grandfathers of social media apps, like Facebook and Instagram, and there is much speculation about how it will take these giants down.

However, the radical departure of TikTok is not in the smallness of its engagement — and thus the extremely low threshold for participation — or in the hashtag organisation of its social media, and the subsequent viral potentiality. What makes TikTok tick (and then, of course, tock), is its embrace of artificial intelligence and big data analytics to power the platform.

China-based ByteDance that owns TikTok, unlike any of its Big Tech competitors, is not a content production or curation company. It is invested in machine learning, and at its backend are extremely sophisticated algorithms that are using facial recognition, data correlation, and targeted customisation technologies to create the world of TikTok. Unlike Facebook and Twitter, the two templates of “user-generated-content” platforms, where what we see, what we do, and what we say require us to define our social circles and connections, TikTok’s algorithms do not need us to do any social definition.

From the minute you sign up for it, giving up your personal information and data to extreme mining which bears the same pitfalls of privacy and surveillance that all other big data apps do, TikTok starts presenting content to you. This is not content created by friends, or colleagues, or randos you connect with because you couldn’t be bothered to decline their invites. Instead, this is content created by people you don’t know at all, and brought to you by algorithms that know, even without you telling them what you might like. The more time you spend tapping across the vides, searching hashtags, and going through complex tutorials to make your own 15-second fun video, the more the machine learning algorithms learn you.

TikTok is such a threat to existing social media companies because they make no apologies of the fact that their human users are not influencers, friends, followers, or connections. They are merely users, who produce content and then their algorithms go around the world, connecting us through reasons and logic that are completely opaque. With TikTok, we see the future of automated technologies, where both the content and the logic of connectivity are no longer dependent on human action or desire, but on algorithmic curation and presentation. Geared towards maximum engagement, TikTok’s algorithms have one task — to completely make us lose all sense of time as we cycle through an almost endless stream of videos that have neither content nor style, but seduce us in their short-lived flash.

TikTok as a platform might turn out to be another fad. It is already being copied and mimicked by others. It might run out of its global steam. However, what it has opened up for us are three critical things that need more attention in our digital action. First, on TikTok, you don’t have friends because your friend is TikTok, and it tells you, in an easy, gossipy way, all the things that everybody else is doing. Second, TikTok does not pretend to respect individual choice and agency, instead it trains us to accept what is presented as content. In many ways, it is the reverse Spotify — your playlist does not represent your taste in music, but the music shapes you to become the kind of person who likes that music. And, lastly, TikTok infantilises its users, embedding them in a juvenilia, which has no meaning other than the moving images that keep us engaged but distant, responsive but irresponsible, as children of all ages, ready to escape from a world that increasingly seems too complex to live in.

Nishant Shah is a professor of new media and the co-founder of The Centre for Internet & Society, Bengaluru. This article appeared in print with the headline ‘Digital Native: Time’s Up’

For more details visit https://cis-india.org/raw/indian-express-may-19-2019-nishant-shah-digital-native-three-things-we-need-to-realise-about-what-tik-tok-is-doing-to-us

Digital native: The age of consent

nishant — 2018-01-10T02:17:00Z

Just like porn is not real life, all news is not real news. It’s time, therefore, to come of age in the 18th year of this century.

The article was published in Indian Express on December 31, 2017

WE ARE 18 years into this new century. If this century were a person, it would now legally be allowed to vote, to drive, and to engage in sexual activities with other consenting centuries of permissible age. As the century finally becomes ready for adulthood, we need to be giving it some advice. While there are many things about digital rights, responsibilities, and restrictions that it will have to learn, like most teenagers coming of age, I know that the century is not going to listen to me preach, so I am going to grab its attention and talk to it about porn.

Remember, the Internet is all about porn. Ok, so you know that is not true, but your entire future of watching porn and swiping on people you want to watch porn with, depends on the principles of Net Neutrality which is being diminished by private companies that want to profit from your pervert pleasures. Net Neutrality is the principle that ensures that no matter what you are accessing online, as long as you have the physical bandwidth and the infrastructure to access that information, no private company or regulatory body can privilege other people’s access over yours. You are not judged by what you consume and your own perverse and personal access remains unbiased. This is a big deal because it not only allows you to access porn in all your desire, but it also provides a level playing field for new companies, collectives and communities to find equal voice without facing technical discrimination or technological bias.

Second, you will often be told that what you see online is not to be trusted. You definitely need to learn that the world wide web is filled with a variety of information and that you need to make the distinction between porn and real sexual encounters. And while you are doing it, please pay attention to the fact that the same holds true for politics, facts, and information online. Just like porn is not real life, all news is not real news. One sure way of making sure that you can trust the information you consume is by making sure that you validate the sources. Check who is sending the information. Make sure that when you share it, you are sure that what you are sharing is credible. Just like you will not share your nude selfies with your family and friends, make sure you are not sharing untrue information with the circles that trust you. Fact check information before you share, forward, retweet and like posts, train your hands to not be trigger happy.

And third, you should be able to access porn as long as it is a healthy expression of your sexual fantasy. As you go down the smut route, you will encounter many different forms of porn and while they might titillate and stimulate in unexpected ways, please remember that all porn is not the same. There is porn which is between consenting performers and then there is porn that is shot without the knowledge or permission of the people involved in it. The internet of things has started providing surveillance opportunities in invisible ways, and there are people who use spycams on unsuspecting people, making us unwilling participants in their lives. These videos can destroy people’s lives by shaming, harassing and blackmailing them. Imagine what would happen the next time you are whistling to porntubes and somebody captures a video of it and shares it in your social networks. The next time you come across non-consenting porn, step back and report it or flag it as abuse.

This goes for all spaces of the internet. The internet is not a utopian place of forced happiness. It amplifies some of our most dangerous and dark desires and practices. However, the joy of the internet is that it is a self organised space and we need to take responsibility for not just our actions but our collective ethical behaviour online. We do not want the internet to be policed, but we definitely want to step up and be sure that it is not abused against those who do not have the power to fight back.

Welcome to adulthood, 2018. May you mature into your heart’s desires and find safe spaces to do it in. And on the way, take the responsibility of protecting the digital network that is going to define who you are and what you grow up to be in the future.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-december-31-2017-digitial-native-the-age-of-consent

Digital Native: Playing God

nishant — 2018-09-04T16:43:43Z

Google’s home assistant can make you feel deceptively God-like as it listens to every command of yours. It is a device that never sleeps, and always listens, waiting for a voice to utter “Ok Google” to jump into life.

The article was published in Indian Express on August 26, 2018.

I spent the last weekend playing with my new best friend — a Google Home assistant. After years of deliberation — worrying about data mining, customisation algorithms and extreme surveillance that comes with a device that never sleeps, and always listens, waiting for my voice to utter “Ok Google” to jump into life — I finally gave in. I now have two Google home assistants — because AI assistants are like chips; you can’t have just one — glowing, insidiously cute, sitting in my house.

The setting up of the assistant took an hour or so as I paired it with my mobile and computer devices, connected it with all my digital subscriptions and figured out the commands. What began as hesitant forays, in less than two days, have become intuitive and naturalised conversations that seem like habits. This morning I walked into the living room, said “Good morning Google”, and got the weather forecast and a summary of my appointments for the day. While making breakfast, instead of searching for the news, I asked Google home to fetch me news, listened to the audio-video content it curated and even made it read out the headlines. When I was being given news that I was not interested in, I corrected it and it started changing news filters for me. When I asked it to fish out specific kinds of news, it diligently informed me of all of those things.

While eating breakfast, I asked the assistant to connect to my Spotify account and play me my daily mix of music. As I was getting ready, it sent me an alert that if I want to make it to my first meeting in time, I should leave home in the next 15 minutes. As I stepped out of the house, Google Assistant sent me an alert on my phone, reminding me that it might rain today and I should carry an umbrella. When I was finishing up at work, the assistant sent me an alert on my phone again reminding me to pick up my bicycle from the shop in the evening. When I came home, it alerted me that I had to check-in for a flight that I am taking the following day, gave me the weather forecast for the duration of my trip to Jakarta and made a special folder with all my travel documents and itinerary in it. As I was packing, it read out things that I might find of interest on the trip and bookmarked things that I instructed it to.

After packing was done and I was chilling on the couch, instead of picking up the book that I was in the middle of — as is my habit on most evenings — I talked with Google Home, as it told me bad jokes, dad jokes, and jokes that were specifically about things that I wanted. It also introduced me to multiple apps where I played trivia games for an hour. As the evening wore on, the assistant asked me if I needed an alarm for the next morning — something I generally do myself on my phone — and it set up an alert for the train timings to the airport for the next evening. It took me a while to realise that in less than 48 hours, Google Home has so insidiously infiltrated my life that all my older habits of consuming information, news and entertainment are now curated and controlled by its algorithmic design. More than that, my conditions of remembering, anticipating and planning are now also structured by the rhythms of its artificial intelligence.

The uncanny thing about this AI assistant is not that it performs extraordinary tasks, but that it picks up ordinary tasks and trains me to do them through it. Like any assistant, its value and worth is precisely in how natural and default it has become in such a short period. I was so freaked out by its natural presence in my life, reordering years of habits and schedules, that I looked straight at its glowing dots and asked it to shut down. Interestingly, that is the first thing that it refused to do — the assistant cannot power down just on a voice command. I need to physically move to the table, touch it and pull the plug, as its gently glowing dots pulsate at me, perhaps, with sorrow, perhaps with malignant intent. I just shut down the assistant and I felt a strange sense of silence flowing through me. Just when I was savouring it, my phone buzzed. The Google Assistant sensed that the home device is shut down and so it has now appeared on the phone. It is waiting, listening, for me to say “Hello Google” so that it springs back to life.

For more details visit https://cis-india.org/raw/indian-express-august-26-2018-nishant-shah-digital-native-playing-god

Digital native: Not only words

nishant — 2017-08-07T15:33:20Z

The article was published in the Indian Express on July 16, 2017.

Emoticons, or if you prefer the original Japanese word emojis, are everywhere. We are used to emoticons in all shapes and sizes — from animated gifs jumping out at us on our social media feed to yellow-faced smileys that we use to add tone and feeling, nuance and layers to our text-heavy conversations in the digital world. For many of the current users of digital communication, emoticons are pre-defined pictures that they select from a menu that gives them access to add a wink, a nod, a smiling or sad face to their messages. However, there are power users who, I am sure, still remember the times when emoticons were things that you created.

Before the emergence of the Graphical User Interface (GUI) that turned the computer into a box of cuteness, turning all of us into eternal children playing with the friendly faces of the digital platforms, the digital world was flat and largely textual. Emoticons were first proposed in 1982 to take away the density and the unforgiving monotone of text-based conversations on digital platforms. From that first proposal of a : ) and : ( sign to indicate the mood of a text, emoticons have had a fascinating history of evolution. Following the proposal of the basic emoticons by Scott Fahlman, a variety of early adopters of the web came up with a wide range of options. The smiley became a grin with : D and the sad face was made to weep with : ‘ (. The face became mischievous and winked with a ;) and swooned in love with a <3. It became silly with its tongue poking out :p and sprouted devil horns to show its inherent wickedness with >:D.

Early users will remember how, from that first explosion, the emoticons grew into forming extremely intricate art forms. In the world of text-based virtual realities, the shrugging emoticon was my constant companion when giving up on futile internet arguments : ¯\_(?)_/¯ . From there, we were only one step away from complex ASCII (American Standard Code for Information Interchange) art forms that made punctuation and critical marks the new tools for emerging artists to play with. The ASCII characters were keyboard symbols, letters and numbers mixed together to produce images ranging from flowers and animals to the globe and human bodies. In fact, ASCII became such a huge rage that there were special forums where people submitted their ASCII art. Even though we have now achieved high visual fidelity with our powerful computing devices, the ASCII messages still continue on our WhatsApp groups and discussion forums. So that we still tell people we love them in ASCII

(¯`v´¯)
`·.¸.·´ I Love
¸.·´¸.·´¨) ¸.·*¨)
(¸.·´ (¸.·´ .·´ You… or pledge friendship in punctuation
(‘,’)/\(‘,’)
<) )—( (>
_\\__//_

One of the lesser known histories of emoticons and ASCII, however, has been forgotten in the gentrified, cute and commodified mass produced usage that we have put them to. In many cultures and spaces in those early days of the web, emoticons were also ways of resisting censorship and circumventing supervision. As the web became more open and more people started signing up for digital conversations, there was also an increase in the monitoring and surveillance of things online. In more conservative cultures, there were immediate bans on conversations that were considered pornographic or obscene. In stricter work places, the system administrators were trying to filter messages which might have certain words or images in their content. ASCII and emoticons came to the rescue, because, using these characters which the computer only read as punctuation marks without content, people were able to communicate sexual content without the fear of censorship.

In the late ’90s, there were graphic and explicit ASCII images that were circulated, so that the content filters would not detect them, and, using just the characters, the earliest internet porn, or Pr0n as it was tagged, came into being. The emoticon-filled messages were not just about nodding and winking at each other but also a way for people to question authority and to find new modes of expression. Since those days of subversion, emoticons have come a long way, becoming appropriated in our everyday practice — they have been tamed and made mainstream.

I am sure that the ubiquity of the emoticons produces a sense of irritation sometimes, and you want to send a slapping emoticon when you find a work email with a smiley face at the end. But before you announce the death of the emoticon, you might want to know that digital natives are experimenting with the radical power of these emoticons. They are developing an entirely new language filled with exploding bananas, pulsating aubergines, peeking monkeys, dancing unicorns, and victorious roosters to communicate in ways that are not accessible to the parents, teachers and authority figures around them. The repurposing of emoticons by young users to chat, express, flirt, tease and engage with each other in ways that defy all conventional sense. I find this fascinating because it gives me hope that the web is not going to just produce all users as cheap copies of each other.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-july-16-2017-digital-native-not-only-words

Digital native: Memory card is full

nishant — 2018-01-10T02:08:57Z

We train ourselves to forget as our devices store everything. How do we remember things that matter?

The article was published in Indian Express on December 3, 2017

#metoo #himtoo #privacy #bigdata #artificialintelligence #machinerights #Aadhaarprivacy #ItHappensToEverybody #chillingeffects #cyberbullying #Anonymity #checkyourprivilege #botlogic #bluewhale #kidsonline #alonetogether #digitalfreedom #freespeech #righttolove #righttobeforgotten #digitalIndia #mobility #digitalcare #emojis #freeexpression #Internetblackouts #DigitallyDisconnected #attentioneconomies #Digitalcurrencies #algorithmicfriendships #MakeInIndia #AadhaarLeaks #freepress #wisdomofmobs #snapchatgate #digitalivesmatter #ClosedWebs #dataconsent #rightobeforgotten #surveillance #digitalcitizens #fakenews #righttoprivacy #alternativefacts #neveragain #alwaysremember #Nogoingback #Notallmen #yesallmen #dalitlivesmatter

As you stare at the mass of hashtags, I want you to play a little game with me. These are all hashtags associated with social movements, political protests, cultural phenomena and individual impulses that have marked 2017. Over this year, I have written about these. Most of these events were discussed a lot and they must have come to your attention in our viral webs. I want you to look at each of these hashtags and try to remember what events and circumstances, concerns and questions, alarms and crises were associated with them.

I must confess that I only have faint memories of some of these events and a complete blank spot on the specificities of a few. At the time of writing, these were questions that were urgent, critical, and all-consuming. And yet, in the brief span of a few months, they have receded from my memory. The only reason I was able to list all these topics was not because I remembered them, but because they were stored and archived in the digital web, and I was able to pull them out through a search query.

This relationship between memory and storage is both intriguing and alarming. One of the joys of being human is to be able to forget. One of our strongest coping mechanisms is our capacity to make things fade in memories, so that we can live without being trapped in our pasts. The ability to forget also allows us to forgive and to move on, focusing on corrections rather than mistakes.

However, when it comes to the digital, memory and storage are the same thing. Human memory falters. But digital storage, outside of a system crash or a black-out is always there, and ready to be converted into memory at the click of a search button. This infinite storage produces a new crisis for us in our digitally mediated lives. It means that even when we forget and depend on our social networks forgetting, the algorithmic databases of storage will not forget our actions and reactions.

Now, we also train ourselves to forget because we are assured that these new artificial memories will retain the information longer. As we rely on algorithmic prompts to remind us of things from our past, we lose our capacity to remain engaged and committed to different questions and ideas that are important to us. This reliance on digital storage rather than human memory enables a culture of fragmented and multitasking politics, where we pay momentary attention to the hashtag of the day and forget it quickly as new things grab our attention.

It poses crucial questions to our ways of thinking about social collectives: Who are we when our machines remember what we have forgotten? What happens when somebody animates forgotten memories through querying digital storage? How do we ensure that the prompts for the new do not draw us away from remembering things that are critical? Human civilisations have depended on cultures of memory making. All our cultural products — even the pictures of dancing babies and cute cats — are indeed ways by which we create collective memories of who we are and who we want to be. However, we are increasingly living in times where our capacity to forget is superseded by our machines of storage. We need to find new ways of figuring out how we can remember things that need longer memory, and how we can be forgotten from actions which need to be un-stored.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-december-3-2017-digital-native-memory-card-is-full

Digital Native: How smart cities can make criminals out of denizens

nishant — 2018-08-01T00:19:23Z

People download information and share it without knowing about the intellectual property rights. On social media bullying, harassment and hate speech find easy avenues.

The article was published in Indian Express on July 15, 2018.

I first heard about smart cities in 2003. Sitting in India, it seemed to be a very strange concept being developed in the Netherlands, where the planners were trying to arm an entire city with smartness. The idea was that if we deploy enough cameras, devices that see, machines that hear, and data connectivity that envelopes the city in a seamless cloud, it might lead to more order, discipline, and control. To me that felt like a strange experiment because under all of those different imaginations of the city as a neat, organised, controlled environment, were assumptions that were alien to my Indian sensibilities.

It was strange to look at all the promises that “smartness” would deliver — it would make human life easier. It would increase safety and create order out of chaos. It would build new lifestyles that are filled with assistive technologies. In all of these, was the imagination of the city as a laboratory — controlled and efficient, as opposed to riotous and serendipitous. The cities were positioned as filled with intention, so that the interruptions of people, animals, festivals, traffic and crowds would be removed through the deployment of these digital devices and networks. What needed to be preserved was the city and its infrastructure, rather than the individuals and communities that make the city alive and exciting. We wanted our infrastructure to be smart, taking decisions on our behalf, and shaping our lives through the algorithmic protocols that they were coded to embody.

In that faraway time, these had felt like idle speculations. Fifteen years on, I have now come to realise that the biggest motivation for building smart cities was not really facilitating human movement, habitation and habits. Indeed, at the heart of the smart city project was the setting up of a massive surveillance apparatus that would clinically diagnose the unwanted people and processes in the city, and surgically remove them — with the assistance of predictive technologies that would be implemented in policing and planning these city spaces.

Smart cities were not constructed to make people’s lives easier. They were constructed because, increasingly, all the people in a city are imagined as “users”, who need to be instructed through terms of services, how they must behave and live in these city spaces. One of the biggest cultural turns in the massification of the digital web was that almost all users were imagined as potential criminals by the very virtue of them being connected. Internet service providers and regulators knew that if people are connected, they will be violating the law at some point or another, sometimes unknowingly. People download information and share it without knowing about the intellectual property rights. On social media bullying, harassment and hate speech find easy avenues. The largest traffic on the internet is for pornographic and often banned material which finds its audiences on the connected web. Spammers, viruses, hijacked machines, and, often, searches for unexpected items lead people onto the dark web where the questionable human interactions happen frequently.

The introduction of the digital terms of services was essentially to presume that the user was a potential criminal who leases hardware and software, and, platforms from proprietary companies and governments could then control and discipline the user through comprehensive surveillance practices. Construction of smart cities performs a similar function in the physical space. Instead of thinking about citizens as co-owners who shape city spaces, smart cities establish a service level agreement with its occupants, and reduces them to users. Any deviation results in punitive action or devaluation, often curbing the movement, and the rights of belonging to the city spaces.

While it is true that smart technologies can facilitate certain aspects of human life, they depend on unfettered data collection, predictive profiling, correlative algorithms and conditions of extreme invasion and control — which are all predicated on the idea that you will falter. And when you do, the technologies will be there to witness, record, archive, and punish you for the daily transgressions till you are wiped into becoming a predictable, controlled, cleaned up drone that travels in docility across the networked edges of the city. We will be assimilated. Resistance will be futile.

For more details visit https://cis-india.org/raw/indian-express-july-15-2018-nishant-shah-digital-native-the-citys-watching

Digital Native: Double Speak

nishant — 2018-09-04T15:22:59Z

Aadhaar’s danger has always been that it opens up individuals to high levels of vulnerability without providing safeguards.

The article was published in Indian Express on August 12, 2018.

This has been a month of Twitter drama. In the latest episode, Twitter exploded once again with RS Sharma, the chief of the Telecom Regulatory Authority of India (TRAI). Sharma revealed his Aadhaar number on Twitter and challenged the world (#facepalm) to do their worst. The Twitterati moved quickly and decided to go 50 Shades of Grey on Sharma.

In less than 24 hours, French security researcher Elliot Alderson, who has been systematically showing vulnerabilities in Aadhaar’s technical infrastructure, fished out Sharma’s personal address, birth date, email, alternate phone number, and PAN number. A few other ethical hackers got hold of his bank account details and used Paytm apps to transfer money to one of his bank accounts. Sharma made a grandstand of how this information is not “state secret” and that this was already peppered across the internet for anybody to find. The UIDAI, while calling his tactics a cheap hack, announced that the Aadhaar database was not “hacked” to retrieve this information and that our precious private data is safe in those hands.

What remains really bizarre, in both the responses from Sharma and the UIDAI, however, is their willing blindness to what networked information systems do and look like. There are three main points to consider here. Sharma, marked by privilege, protected by power, and confident in his ability to protect himself in case of threat, might dismiss this private information as non-critical. However, what he fails to realise is that the same data, for somebody in a precarious condition might be sensitive enough to have their life collapse on them. On the nefarious digital worlds of the Indian web, where women are regularly threatened with rape and death as a form of silencing them, where queer people are stalked and followed in real life for blackmail and abuse, where resistant actors find their families threatened, this information in the public domain could literally be a matter of life and death. In the past, with much less information available, we have seen how specific communities could be targeted in times of communal tension and violence. The fact that the head of TRAI cannot look beyond his gilded privilege to the conditions of precariousness that data leaks like these could lead to is shameful.

Perhaps, even more alarming is the UIDAI’s consistent myopic focus on what constitutes safe data. While I have no doubt that the incredible engineers and security experts are working hard to keep the Aadhaar data secure, the Twitter ethical hackers were not making claims of hacking a database at all. They were merely demonstrating why centralised unique ids, which perform acts of causative correlation, have the capacity to build surveillance states without even meaning to. Their data exposure is indicative of the fact that while Aadhaar itself does not carry much information, the linkages it makes with multiple other databases — tax offices, bank accounts, public services, emails, phone numbers, etc. — can expose information profiles without our consent. In fact, the danger of Aadhaar has never been that as a technical system it doesn’t work. The threat that it posits is that as a social and a cultural transaction system it opens up individuals to high levels of precariousness without building privacy safeguards for those who might fall through the cracks.

What remains the most disappointing in this entire piece of melodrama is that the conversations keep on unfolding at two different registers. The Aadhaar activists have been asking not for a dismantling of the system but to build ethical, compassionate, flexible and constitutional checks and balances at the core of the system. Ever since its inception, the demand has been clear: build privacy, security, safety, and human care into the DNA of the system, and not in its afterthought. The UIDAI has persistently neglected and willfully dismissed these demands, thus privileging the security of their infrastructure and data over the safety of their citizens.

For more details visit https://cis-india.org/raw/indian-express-august-12-2018-nishant-shah-digital-native-double-speak

Digital mediation of domestic and care work in India: Project Announcement

Ambika Tandon and Aayush Rathi — 2019-10-10T08:09:34Z

It is our great pleasure to announce that we are undertaking a study on digital mediation of domestic and care work in India, as part of and supported by the Feminist Internet Research Network led by the Association for Progressive Communications (APC), funded by the International Development Research Centre (IDRC). The study is exploring the ways in which structural inequalities, such as those of gender and class, are being reproduced or challenged by digital platforms. The project sites are Delhi and Bangalore, where we are conducting interviews with workers, companies, and unions. In Bangalore, we are collaborating with Stree Jagruti Samiti to collect qualitative data from different stakeholders. The outputs of the research will include a report, policy brief, and other communication materials in English, Hindi, and Kannada. This study is being led by Ambika Tandon and Aayush Rathi, along with Sumandro Chattapadhyay.

Feminist Internet Research Network: apc.org/en/project/firn-feminist-internet-research-network

Introduction to the Project

This project seeks to investigate the mediation of domestic and care work through digital platforms in India. These forms of labour fall within the informal economy, which employs the largest share of non-agricultural workers in the global South [1]. Workers and economic units in the informal economy differ widely in terms of all metrics, including income levels, size and type of enterprise, and status of worker. According to the International Labour Organisation’s Resolution on decent work and the informal economy, it refers to “all economic activities by workers and economic units that are - in law of practice - not covered or insufficiently covered by formal arrangements” [2]. What this implies in practice for workers in the informal economy is greater vulnerability to poor work conditions, poverty, and violation of labour rights [3].

Women, particularly those with intersectional marginalities, including that of caste and class, are overrepresented in the informal economy globally and in India. Domestic work in particular has been stratified along the lines of caste and gender historically. Further, class has become more salient in producing stratifications in labour relations following urbanisation and gentrification. These intersections have shaped employment relations in the sector in different ways, which range from feudal to contractual models. Digital platforms are increasingly becoming intermediaries in this space, mediating between so called ‘semi-skilled’ or ‘low-skilled’ workers from lower classes, and millions of middle and upper class employers in tier I cities. This is expected to shift the stratification of workers and employment relations in key ways.

Through a feminist approach to digital labour, our project aims to examine platforms offering domestic or reproductive care work. This will be situated within larger feminist critiques around the devaluation and invisibilisation of women’s labour within patriarchal-capitalist economic discourse. The project further seeks to unpack technocratic imaginaries of the platform economy by looking at access and meaningful use of technology and qualifying narratives around labour market optimisation, empowerment, and agency. We will include within this scope two kinds of platforms: marketplaces for workers to post their profiles; and on-demand platforms with algorithmic matching of workers and employers.

Research Questions

Our hypothesis is that platforms are reconfiguring labour conditions, which would empower and/or exploit workers in ways qualitatively different than non-standard work off the platform. In order to interrogate this further, we will study wages, conditions of work, social security, skill levels, and worker surveillance off platforms. This will be used to develop contextual knowledge around the conditions of work among (a) domestic workers on and off platforms in particular, and (b) informal sector workers joining the web-based gig economy in general.

The overarching question that the research will address is, what are the ways in which structural inequalities are challenged or reproduced through the growth of digital platforms in reproductive and care work?

How are relations of social inequality, including along the axes of caste and gender, reworked through digital platforms, especially in a context where domestic and care work remains historically undervalued and dominated by women workers with intersectional marginalities?
How do workers on platforms envision the role of the state, market, and informal networks of kinship in intervening in employment relations?
How is inequality and exploitation in informal labour reconfigured through platforms, with specific reference to work conditions (including hours of work, and physical and mental demands of the workplace), wages, social security, and surveillance?
What strategies of negotiation are being and have been adopted by care workers on and off platforms?
Is collectivisation an aspiration for care workers across different models of employment?
How can negotiation and collectivisation strategies inform the ongoing challenges faced by both care workers and platform workers?

Endnotes

[1] International Labour Office, (2018). Women and men in the informal economy: A statistical picture. Third Edition. International labour Organisation. https://www.ilo.org/wcmsp5/groups/public/---dgreports/---dcomm/docu- ments/publication/wcms_626831.pdf

[2] International Labour Organisation, (2002). 2002 ILC Resolution and Conclusions on Decent Work and the Informal Economy. https://www.ilo.org/global/topics/employment-promotion/informal-economy/lang--en/index.htm

[3] Ibid.

For more details visit https://cis-india.org/raw/digital-domestic-work-india-announcement

Digital ID India Case Study

pranav — 2020-03-02T11:30:30Z

For more details visit https://cis-india.org/internet-governance/digital-id-india-case-study

Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression

praskrishna — 2014-01-08T04:59:10Z

Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.

In the time when Edward Snowden is fighting for both clemency and to be known as a brave whistle blower that exposed government wrongdoing, cyber security and online privacy have never been more important. As Jacob Applebaum discussed in May last year, and CIS’ Maria Xynou presented recently in December, surveillance throughout the world is increasing. With security apparatus’ likethe NSA and now India’s Central Monitoring System, coupled with corporate data centers around the world storing our e–mails, address books, preferences, and passwords, it is easy to see how our online privacy is increasingly being threatened and often, violated.

Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent, and accountable democratic governance. This is largely because surveillance, censorship, and monitoring ultimately create environments where self-censorship is the norm, as is the fear of the government instead of spaces that allow for freedom of expression and democratic dialogue and dissent.

What I would like to accomplish my speaking at CIS is not to merely educate about the dangers posed to Internet security or to world democracy, but rather to:

Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.
Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then use them to advocate for a more open, accessible, and private cyberspace.
Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.

Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.

About the Public Intelligence Project

The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.

Michael Oghia

Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology from the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while research about topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.

Date: Tuesday, January 14, 2014
Time: 6.30 p.m. to 8.00 p.m.
Talk by: Michael Oghia
Title: Research & Advocacy Consultant, and Project Manager
Organisation: Meta-Culture / Public Intelligence Project
Websites: www.meta-culture.in <http://www.meta-culture.in> & www.publicintelligenceproject.org <http://www.publicintelligenceproject.org>

For more details visit https://cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression

Development Informatics

Aayush Rathi and Ambika Tandon — 2019-09-27T15:12:01Z

For more details visit https://cis-india.org/internet-governance/files/development-informatics

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening

DesiSec: Cybersecurity and Civil Society in India

Laird Brown — 2015-06-29T16:25:43Z

As part of its project on mapping cyber security actors in South Asia and South East Asia, the Centre for Internet & Society conducted a series of interviews with cyber security actors. The interviews were compiled and edited into one documentary. The film produced by Purba Sarkar, edited by Aaron Joseph, and directed by Oxblood Ruffin features Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad.

Originally the idea was to do 24 interviews with an array of international experts: Technical, political, policy, legal, and activist. The project was initiated at the University of Toronto and over time a possibility emerged. Why not shape these interviews into a documentary about cybersecurity and civil society? And why not focus on the world’s largest democracy, India? Whether in India or the rest of the world there are several issues that are fundamental to life online: Privacy, surveillance, anonymity and, free speech. DesiSec includes all of these, and it examines the legal frameworks that shape how India deals with these challenges.

From the time it was shot till the final edit there has only been one change in the juridical topography: the dreaded 66A of the IT Act has been struck down. Otherwise, all else is in tact. DesiSec was produced by Purba Sarkar, shot and edited by Aaron Joseph, and directed by Oxblood Ruffin. It took our team from Bangalore to Delhi and, Dharamsala. We had the honour of interviewing: Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad. Everyone brought something special to the discussion and we are grateful for their insights. Also, we are particularly pleased to include the music of Charanjit Singh for the intro/outro of DesiSec. Mr. Singh is the inventor of acid house music, predating the Wikipedia entry for that category by five years. Someone should correct that.

DesiSec is released under the Creative Commons License Attribution 3.0 Unported (CC by 3.0). You can watch it on Vimeo: https://vimeo.com/123722680 or download it legally and free of charge via torrent. Feel free to show, remix, and share with your friends. And let us know what you think!

Video

For more details visit https://cis-india.org/internet-governance/blog/desi-sec-cybersecurity-and-civil-society-in-india

Design in urban democracy: A question of survival

admin — 2008-10-11T09:49:21Z

Urban dynamics dissected by John Thackara and Sunil Abraham; questions and answers on the anatomy of cities. An article from the August issue of Cluster Magazine.

For more details visit https://cis-india.org/publications-automated/cis/sunil/Thackara.pdf

Demystifying Data Breaches in India

Pawan Singh — 2022-10-17T16:14:03Z

Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

Edited by Arindrajit Basu and Saumyaa Naidu

India saw a 62% drop in data breaches in the first quarter of 2022. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 report by Surfshark, a Netherlands-based VPN company. Another report on the cost of data breaches researched by the Ponemon Institute and published by IBM reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.

These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.

While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.

Data Breaches and their Predecessor Forms

The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.

Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns a 2002 case concerning the theft and sale of source code by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a cybercrime involving the illegal sale of the source code of a software package, as software theft of intellectual property in the context of outsourcing and as an instance of industrial espionage in poor nations without laws protecting foreign companies. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery. The BPO boom in India brought with it employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.

In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it India’s first outsourcing cyberfraud and a well planned scam, a cybercrime in a globalized world, and a case of financial fraud and a scam that required no hacking skills, and a case of data theft and misuse. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.

Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “BPO Blot in British Backlash: Indian Sells Secret Data,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “scam” involving the leakage of credit card information. The use of the term ‘leak’ appears consistently across other media accounts such as a 2005 story on Karan Bahree in the Times of India and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the fraudsters as a leak of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “outsourcing crime”.

The other case concerned four former employees of Parsec technologies who stole classified information and diverted calls from potential customers, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.

In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in implicitly racial terms of cultural trust, as a matter of ethics and professionalism and in the language of scandal in some cases.

These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group, launched a National Skills Registry for IT professionals to enable employers to conduct background checks in 2006.

These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.

The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.

The Delhi MMS Case

The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing had already done the rounds. The MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as a scandal that shocked the country, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a 2009 Bollywood film, Dev D and another 2010 film, Love, Sex and Dhokha,

Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.

Aadhaar Data Security and Other Data Breaches

Aadhaar was challenged in the Indian Supreme Court in 2012 when it was made mandatory for welfare and other services such as banking, taxation and mobile telephony. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the 2017 Puttaswamy ruling holding privacy to be a constitutional right subject to limitations and the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service.

While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with most organizations claiming it to be mandatory for various purposes. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses.

In 2015, the Indian government launched its ambitious Digital India Campaign to provide government services to Indian citizens through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.

In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as data leak and exposure (of 11 crore Indian farmers’ sensitive information) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of Aadhaar-related data security incidents. These cases represent a mix of data frauds involving fake identities, theft of thumb prints for instance from land registries and inadvertent data leaks in numerous incidents involving government employees in Jharkhand, voter ID information of Indian citizens in Andhra Pradesh and Telangana and activist reports of Indian government websites leaking Aadhaar data.

Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.

From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went undetected for nearly three months. Another data leak in 2018 concerned a system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some prominent data breaches included a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.

The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a shadow economy or the dark web. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include 8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users, 180 million Domino’s pizza orders (name, location, emails, mobile numbers), and Flipkart’s Cleartrip users’ data. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.

The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.

The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in quantitative terms of financial loss as well as the magnitude and the number of breaches certainly highlights the gravity of these incidents but harm to individual users is often not addressed.

Evolving Terminology and the Source of Data Harms

The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.

THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.

The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.

In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on Aadhaar and how Indians don’t care about their privacy.

The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.

The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the extensively documented cases of Aadhaar-related issues in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.

Future Directions of Research

This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.

Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.

For more details visit https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india