Centre for Internet and Society

Report on the 4th Privacy Round Table meeting

maria — 2013-07-12T11:04:25Z

This report entails an overview of the discussions and recommendations of the fourth Privacy Round Table in Mumbai, on 15th June 2013.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

In furtherance of Internet Governance multi-stakeholder Initiatives and Dialogue in 2013, the Centre for Internet and Society (CIS) in collaboration with the Federation of Indian Chambers of Commerce and Industry (FICCI), and the Data Security Council of India (DSCI), is holding a series of six multi-stakeholder round table meetings on “privacy” from April 2013 to August 2013. The CIS is undertaking this initiative as part of their work with Privacy International UK on the SAFEGUARD project.

In 2012, the CIS and DSCI were members of the Justice AP Shah Committee which created the “Report of Groups of Experts on Privacy”. The CIS has recently drafted a Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India. The CIS has also volunteered to champion the session/workshops on “privacy” in the meeting on Internet Governance proposed for October 2013.

At the roundtables the Report of the Group of Experts on Privacy, DSCI´s paper on “Strengthening Privacy Protection through Co-regulation” and the text of the Privacy (Protection) Bill 2013 will be discussed. The discussions and recommendations from the six round table meetings will be presented at the Internet Governance meeting in October 2013.

The dates of the six Privacy Round Table meetings are enlisted below:

New Delhi Roundtable: 13 April 2013
Bangalore Roundtable: 20 April 2013
Chennai Roundtable: 18 May 2013
Mumbai Roundtable: 15 June 2013
Kolkata Roundtable: 13 July 2013
New Delhi Final Roundtable and National Meeting: 17 August 2013

Following the first three Privacy Round Tables in Delhi, Bangalore and Chennai, this report entails an overview of the discussions and recommendations of the fourth Privacy Round Table meeting in Mumbai, on 15th June 2013.

Discussion of the Draft Privacy (Protection) Bill 2013

Discussion of definitions: Chapter 1

The fourth Privacy Round Table meeting began with a discussion of the definitions in Chapter 1 of the draft Privacy (Protection) Bill 2013. In particular, it was stated that in India, the courts argue that the right to privacy indirectly derives from the right to liberty, which is guaranteed in article 21 of the constitution. However, this provision is inadequate to safeguard citizens from potential abuse, as it does not protect their data adequately. Thus, all the participants in the meeting agreed with the initial notion that India needs privacy legislation which will explicitly regulate data protection, the interception of communications and surveillance within India. To this extent, the participants started a thorough discussion of the definitions used in the draft Privacy (Protection) Bill 2013.

It was specified in the beginning of the meeting that the definition of personal data in the Bill applies to natural persons and not to juristic persons. A participant argued that the Information Technology Act refers to personal data and that the draft Privacy (Protection) Bill 2013 should be harmonised with existing rules. This was countered by a participant who argued that the European Union considers the Information Technology Act inadequate in protecting personal data in India and that since India does not have data secure adequacy, the Bill and the IT Act should not be harmonised.

Other participants argued that all other relevant acts should be quoted in the discussion so that it does not overlap with existing provisions in other rules, such as the IT Act. Furthermore, this was supported by the notion that the Bill should not clash with existing legislation, but this was dismissed by the argument that this Bill – if enacted into law – would over right all other competing legislation. Special laws over right general laws in India, but this would be a special law for the specific purpose of data protection.

The definition of sensitive personal data includes biometric data, political affiliation and past criminal history, but does not include ethnicity, caste, religion, financial information and other such information. It was argued that one of the reasons why such categories are excluded from the definition of sensitive personal data is because the government requests such data on a daily basis and that it is not willing to take any additional expense to protect such data. It was stated that the Indian government has argued that such data collection is necessary for caste census and that financial information, such as credit data, should not be included in the definition for sensitive personal data, because a credit Act in India specifically deals with how credit data should be used, shared and stored.

Such arguments were backlashed by participants arguing that definitions are crucial because they are the “building blocks” of the entire Bill and that ethnicity, caste, religion and financial information should not be excluded from the Bill, as they include information which is sensitive within the Indian context. In particular, some participants argued that the Bill would be highly questioned by countries with strong privacy legislation, as certain categories of information, such as ethnicity and caste, are definitely considered to be sensitive personal information within India. The argument that it is too much of a bureaucratic and financial burden for the Indian government to protect such personal data was countered by participants who argued that in that case, the government should not be collecting that information to begin with – if it cannot provide adequate safeguards.

The debate on whether ethnicity, religion, caste and financial information should be included in the definition for sensitive personal data continued with a participant arguing that no cases of discrimination based on such data have been reported and that thus, it is not essential for such information to be included in the definition. This argument was strongly countered by participants who argued that the mere fact that the government is interested in this type of information implies that it is sensitive and that the reasons behind the governments´ interest in this information should be investigated. Furthermore, some participants argued that a new provision for data on ethnicity, religion, caste and financial information should be included, as well as that there is a difference between voluntarily handing over such information and being forced to hand it over.

The inclusion of passwords and encryption keys in the definition of sensitive personal data was highly emphasized by several participants, especially since their disclosure can potentially lead to unauthorised access to volumes of personal data. It was argued that private keys in encryption are extremely sensitive personal data and should definitely be included within the Bill.

In light of the NSA leaks on PRISM, several participants raised the issue of Indian authorities protecting data stored in foreign servers. In particular, some participants argued that the Bill should include provisions for data stored in foreign servers in order to avoid breaches for international third parties. However, a participant argued that although Indian companies are subject to the law, foreign data processors cannot be subject to Indian law, which is why they should instead provide guarantees through contracts.

Several participants strongly argued that the IT industry should not be subject to some of the privacy principles included in the Report of the Group of Experts on Privacy, such as the principle of notice. In particular, they argued that customers choose to use specific services and that by doing so, they trust companies with their data; thus the IT industry should not have to comply with the principle of notice and should not have to inform individuals of how they handle their data.

On the issue of voluntary disclosure of personal data, a participant argued that, apart from the NPR and UID, Android and Google are conducting the largest data collection within India and that citizens should have the jurisdiction to go to court and to seek that data. The issue of data collection was further discussed over the next sessions.

Right to Privacy: Chapter 2

The discussion of the right to privacy, as entailed in chapter 2 of the draft Privacy (Protection) Bill 2013, started with a participant stating that governments own the data citizens hand over to them and that this issue, along with freedom from surveillance and illegal interception, should be included in the Bill.

Following the distinction between exemptions and exceptions to the right to privacy, a participant argued that although it is clear that the right to privacy applies to all natural persons in India, it is unclear if it also applies to organizations. This argument was clarified by a participant who argued that chapter 2 clearly protects natural persons, while preventing organisations from intervening to this right. Other participants argued that the language used in the Bill should be more gender neutral and that the term “residential property” should be broadened within the exemptions to the right to privacy, to also include other physical spaces, such as shops. On this note, a participant argued that the word “family” within the exemptions should be more specifically defined, especially since in many cases husbands have controlled their wives when they have had access to their personal accounts.

The definition of “natural person” was discussed, while a participant raised the question of whether data protection applies to persons who have undergone surgery and who have changed their sexual orientation; it was recommended that such provisions are included within the Bill. The above questions were answered by a participant who argued that the generic European definitions for “natural persons” and “family” could be adopted, as well as that CCTV cameras used in public places, such as shops, should be subject to the law, because they are used to monitor third parties.

Other participants suggested that commercial violations are not excluded from the Bill, as the broadcasting of people, for example, can potentially lead to a violation of the right to privacy. In particular, it was argued that commercial establishments should not be included in the exemptions section of the right to privacy, in contrast to other arguments that were in favour of it. Furthermore, participants argued that the interaction between transparency and freedom of information should be carefully examined and that the exemptions to the right to privacy should be drafted accordingly.

Protection of Personal Data: Chapter 3

Some of the most important discussions in the fourth Privacy Round Table meeting revolved around the protection of personal data.

Collection of personal data

The discussion on the collection of personal data started with a statement that the issue of individual consent prior to data collection is essential and that in every case, the data subject should be informed of its data collection, data processing, data sharing and data retention.

It was pointed out that, unlike most privacy laws around the world, this Bill is affirmative because it states that data can only be collected once the data subject has provided prior consent. It was argued that if this Bill was enacted into law, it would probably be one of the strictest laws in the world in terms of data collection, because data can only be collected with individual consent and a legitimate purpose. Data collection in the EU is not as strict, as there are some exemptions to individual consent; for example, if someone in the EU has a heart attack, other individuals can disclose his or her information. It was emphasized that as this Bill limits data collection to individual consent, it does not serve other cases when data collection may be necessary but individual consent is not possible. A participant pointed out that, although the Justice AP Shah Report of the Group of Experts on Privacy states that “consent may not be acquired in some cases”, such cases are not specified within the Bill.

Other issues that were raised are that the Bill does not specify how individual consent would be obtained as a prerequisite to data collection. In particular, it remains unclear whether such consent would be acquired through documentation, a witness or any other way. Thus it was emphasized that the method for acquiring individual consent should be clearly specified within the Bill, especially since it is practically hard to obtain consent for large portions of the Indian population that live below the line of poverty.

A participant argued that data collection on private detectives, from reality TV shows and on physical movement and location should also be addressed in the Bill. Furthermore, other participants argued that specific explanations to exempt medical cases and state collection of data which is directly related to the provision of welfare should be included in the Bill. Participants recommended that individuals should have the right to opt out from data collection for the purpose of providing welfare programmes and other state-run programmes.

The need to define the term “legitimate purpose” was pointed out to ensure that data is not breached when it is being collected. A participant recommended the introduction of a provision in the Bill for anonymising data in medical case studies and it was pointed out that it is very important to define what type of data can be collected. In particular, it was argued that a large range of personal data is being collected in the name of “public health” and “public security” and that, in many cases, patients may provide misinformed consent, because they may think that the revelation of their personal data is necessary, when actually it might not be. It was recommended that this issue is addressed and that necessary provisions are included in the Bill.

In the cases where data is collected for statistics, individuals may not be informed of their data being collected and may not provide consent. It was also recommended that this issue is addressed and included in the Bill. However, it was also pointed out that in many cases, individuals may choose to use a service, but they may not be able to consent to their data collection and Android is an example of this. Thus it was argued that companies should be transparent about how they handle users´ data and that they should require individuals´ consent prior to data collection.

It was emphasized that governments have a duty of transparency towards their citizens and that the fact that, in many cases, citizens are obliged to hand over their data without giving prior consent to how their data is being used should be taken into consideration. In particular, it was argued that many citizens need to use specific services or welfare programmes and that they are obliged to hand over their personal information. It was recommended that the Bill incorporates provisions which would oblige all services to acquire individual consent prior to data collection. However, the issue that was raised is that often companies provide long and complicated contracts and policy guides which discourage individuals from reading them and thus from providing informed consent; it was recommended that this issue is addressed as well.

Storage and destruction of personal data

The discussion on the storage and destruction of personal data started with a statement that different sectors should have different data retention frameworks. The proposal that a ubiquitous data retention framework should not apply to all sectors was challenged by a participant who stated that the same data retention period should apply to all ISPs and telecoms. Furthermore, it was added that regulators should specify the data retention period based on specific conditions and circumstances. This argument was countered by participants who argued that each sector should define its data retention framework depending on many variables and factors which affect the collection and use of data.

In European laws, no specific data retention periods are established. In particular, European laws generally state that data should only be retained for a period related to the purpose of its collection. Hence it was pointed out that data retention frameworks should vary from sector to sector, as data, for example, may need to be retained longer for medical cases than for other cases. This argument, however, was countered by participants who argued that leaving the prescription of a data retention period to various sectors may not be effective in India.

Questions of how data retention periods are defined were raised, as well as which parties should be authorised to define the various purposes for data retention. One participant recommended that a common central authority is established, which can help define the purpose for data retention and the data retention period for each sector, as well as to ensure that data is destroyed once the data retention period is over. Another participant recommended that a three year data retention period should be applied to all sectors by default and that such periods could be subject to change depending on specific cases.

Security of personal data and duty of confidentiality

Participants recommended that the definition of “data integrity” should be included in Chapter 1 of the draft Privacy (Protection) Bill 2013. Other participants raised the need to define the term “adequacy” in the Bill, as well as to state some parameters for it. It was also suggested that the term “adequacy” could be replaced by the term “reasonable”.

One of the participants raised the issue of storing data in a particular format, then having to transfer that data to another format which could result in the modification of that data. It was pointed out that the form and manner of securing personal data should be specifically defined within the Bill. However, it was argued that the main problem in India is the implementation of the law, and that it would be very difficult to practically implement the draft Privacy (Protection) Bill in India.

Disclosure of personal data

The discussion on the disclosure of personal data started with a participant arguing that the level of detail disclosed within data should be specified within the Bill. Another participant argued that the privacy policies of most Internet services are very generic and that the Bill should prevent such services from publicly disclosing individuals´ data. On this note, a participant recommended that a contract and a subcontract on the disclosure of personal data should be leased in order to ensure that individuals are aware of what they are providing their consent to.

It was recommended that the Bill should explicitly state that data should not be disclosed for any other purpose other than the one for which an individual has provided consent. Data should only be used for its original purpose and if the purpose for accessing data changes within the process, consent from the individual should be acquired prior to the sharing and disclosure of that data. A participant argued that banks are involved with consulting and other advisory services which may also lead to the disclosure of data; all such cases when information is shared and disclosed to (unauthorised) third parties should be addressed in the Bill.

Several participants argued that companies should be responsible for the data they collect and that should not share it or disclose it to unauthorised third parties without individuals´ knowledge or consent. On this note, other participants argued that companies should be legally allowed to share data within a group of companies, as long as that data is not publicly disclosed. An issue that was raised by one of the participants is that online companies, such as Gmail, usually acquire consent from customers through one “click” to a huge document which not only is usually not read by customers, but which vaguely entails all the cases for which individuals would be providing consent for. This creates the potential for abuse, as many specific cases which would require separate, explicit consent, are not included within this consent mechanism.

This argument was countered by a participant who stated that the focus should be on code operations for which individuals sign and provide consent, rather than on the law, because that would have negative implications on business. It was highlighted that individuals choose to use specific services and that by doing so they trust companies with their data. Furthermore, it was argued that the various security assurances and privacy policies provided by companies should suffice and that the legal regulation of data disclosure should be avoided.

Consent-based sharing of data should be taken into consideration, according to certain participants. The factor of “opt in” should also be included when a customer is asked to give informed consent. Participants also recommended that individuals should have the power to “opt out”, which is currently not regulated but deemed to be extremely important. Generally it was argued that the power to “opt in” is a prerequisite to “opt out”, but both are necessary and should be regulated in the Bill.

A participant emphasized the need to regulate phishing in the Bill and to ensure that provisions are in place which could protect individuals´ data from phishing attacks. On the issue of consent when disclosing personal data, participants argued that consent should be required even for a second flow of data and for all other flows of data to follow. In other words, it was recommended that individual consent is acquired every time data is shared and disclosed. Moreover, it was argued that if companies decide to share data, to store it somewhere else or to disclose it to third parties years after its initial collection, the individual should have the right to be informed.

However, such arguments were countered by participants who argued that systems, such as banks, are very complex and that they don´t always have a clear idea of where data flows. Thus, it was argued that in many cases, companies are not in a position to control the flow of data due to a lack of its lack of traceability and hence to inform individuals every time their data is being shared or disclosed.

Participants argued that the phrase “threat to national security” in section 10 of the Bill should be explicitly defined, because national security is a very broad term and its loose interpretation could potentially lead to data breaches. Furthermore, participants argued that it is highly essential to specify which authorities would determine if something is a threat to national security.

The discussion on the disclosure of personal data concluded with a participant arguing that section 10 of the Bill on the non-disclosure of information clashes with the Right to Information Act (RTI Act), which mandates the opposite. It was recommended that the Bill addresses the inevitable clash between the non-disclosure of information and the right to information and that necessary provisions are incorporated in the Bill.

Presentation by Mr. Billy Hawkes – Irish Data Protection Commissioner

The Irish Data Protection Commissioner, Mr. Billy Hawkes, attended the fourth Privacy Round Table meeting in Mumbai and discussed the draft Privacy (Protection) Bill 2013.

In particular, Mr. Hawkes stated that data protection law in Ireland was originally introduced for commercial purposes and that since 2009 privacy has been a fundamental right in the European Union which spells out the basic principles for data protection. Mr. Hawkes argued that India has successful outsourcing businesses, but that there is a concern that data is not properly protected. India has not been given data protection adequacy by the European Union, mainly because the country lacks privacy legislation.

There is a civic society desire for better respect for human rights and there is the industrial desire to be considered adequate by the European Union and to attract more international customers. However, privacy and data protection are not covered adequately in the Information Technology Act, which is why Mr. Hawkes argued that the draft Privacy (Protection) Bill 2013 should be enacted in compliance with the principles from the Justice AP Shah Report on the Group of Experts on Privacy. Enacting privacy legislation in India would, according to Mr. Hawkes, be a prerequisite so that India can potentially be adequate in data protection in the future.

The Irish Data Protection Commissioner referred to the current negotiations taking place in the European Union for the strengthening of the 1995 Directive on Data Protection, which is currently being revisited and which will be implemented across the European Union. Mr. Hawkes emphasized that it is important to have strong enforcement powers and to ask companies to protect data. In particular, he argued that data protection is good customer service and that companies should acknowledge this, especially since data protection reflects respect towards customers.

Mr. Hawkes highlighted that other common law countries, such as Canada and New Zealand, have achieved data secure adequacy and that India can potentially be adequate too. More and more countries in the world are seeking European adequacy. Privacy law in India would not only safeguard human rights, but it´s also good business and would attract more international customers, which is why European adequacy is important. In every outsourcing there needs to be a contract which states that the requirements of the data controller have been met. Mr. Hawkes emphasized that it is a competitive disadvantage in the market to not be data adequate, because most countries will not want their data outsourced to countries which are inadequate in data security.

As a comment to previous arguments stated in the meeting, it was pointed out that in Ireland, if companies and banks are not able to track the flow of data, then they are considered to be behaving irresponsibly. Furthermore, Mr. Hawkes states that data adequacy is a major reputational issue and that inadequacy in data security is bad business. It is necessary to know where the responsibility for data lies, which party initially outsourced the data and how it is currently being used. Data protection is a fundamental right in the European Union and when data flows outside the European Union, the same level of protection should apply. Thus other non-EU countries should comply with regulations for data protection, not only because it is a fundamental human right, but also because it is bad business not to do so.

The Irish Data Protection Commissioner also referred to the “Right to be Forgotten”, which is the right to be told how long data will be retained for and when it will be destroyed. This provides individuals some control over their data and the right to demand this control.

On the funding of data protection authorities, Mr. Hawkes stated that funding varies and that in most cases, the state funds the data protection authority – including Ireland. Data protection authorities are substantially funded by their states across the European Union and they are allocated a budget every year which is supposed to cover all their costs. The Spanish data protection authorities, however, are an exception because a large amount of their activities are funded by fines.The data protection authorities in the UK (ICO) are funded through registration fees paid by companies and other organizations.

When asked about how many employees are working in the Irish data protection commissioner´s office, Mr. Hawkes replied that only thirty individuals are employed. Employees working in the commissioner´s office are responsible for overseeing the protection of the data of Facebook users, for example. Facebook-Ireland is responsible for handling users´ data outside of North America and the commissioner´s office conducted a detailed analysis to ensure that data is protected and that the company meets certain standards. Facebook´s responsibility is limited as a data controller as individuals using the service are normally covered by the so-called "household exemption" which puts them outside the scope of data protection law. The data protection commissioner conducts checks and balances, writes reports and informs companies that if they comply with privacy and data protection, then they will be supported.

Data protection in Ireland covers all the organizations, without exception. Mr. Hawkes stated that EU data protection commissioners meeting in the "Article 29" Working Party spend a significant amount of their time dealing with companies like Google and Facebook and with whether they protect their customers´ data.

The Irish Data Protection Commissioner recommended that India establishes a data protection commission based on the principles included in the Justice AP Shah Report of the Group of Experts on Privacy. In particular, an Indian data protection commission would have to deal with a mix of audit inspections, complaints, greater involvement with sectors, transparency, accountability and liability to the law. Mr. Hawkes emphasized that codes of practice should be implemented and that the focus should not be on bureaucracy, but on accountability. It was recommended that India should adopt an accountability approach, where punishment will be in place when data is breached.

On the recent leaks on the NSA´s surveillance programme, PRISM, Mr. Hawkes commented that he was not surprised. U.S. companies are required to give access to U.S. law enforcement agencies and such access is potentially much looser in the European Union than in the U.S., because in the U.S. a court order is normally required to access data, whereas in the European Union that is not always the case. Mr. Hawkes stated that there needs to be a constant questioning of the proportionality, necessity and utility of surveillance schemes and projects in order to ensure that the right to privacy and other human rights are not violated.

Mr. Hawkes stated that the same privacy law should apply to all organizations and that India should ensure its data adequacy over the next years. The Irish Data Protection Commissioner is responsible for Facebook Ireland and European law is about protecting the rights of any organisation that comes under European jurisdiction, whether it is a bank or a company. Mr. Billy Hawkes emphasized that the focus in India should be on adequacy in data security and in protecting citizens´ rights.

Meeting conclusion

The fourth Privacy Round Table meeting entailed a discussion of the draft Privacy (Protection) Bill 2013 and Mr. Billy Hawkes, the Irish Data Protection Commissioner, gave a presentation on adequacy in data security and on his thoughts on data protection in India. The discussion on the draft Privacy (Protection) Bill 2013 led to a debate and analysis of the definitions used in the Bill, of chapter 2 on the right to privacy, and on data collection, data retention, data sharing and data disclosure. The participants provided a wide range of recommendations for the improvement of the draft Privacy (Protection) Bill and all will be incorporated in the final draft. The Irish Data Protection Commissioner, Mr. Billy Hawkes, stated that the European Union has not given data adequacy to India because it lacks privacy legislation and that data inadequacy is not only a competitive disadvantage in the market, but it also shows a lack of respect towards customers. Mr. Hawkes strongly recommended that privacy legislation in compliance with the Justice AP Shah report is enacted, to ensure that India is potentially adequate in data security in the future and that citizens´ right to privacy and other human rights are guaranteed.

For more details visit https://cis-india.org/internet-governance/blog/report-on-the-4th-privacy-round-table-meeting

Interview with the Citizen Lab on Internet Filtering in India

maria — 2013-06-26T09:47:14Z

Maria Xynou recently interviewed Masashi Crete-Nishihata and Jakub Dalek from the Citizen Lab on internet filtering in India. View this interview and gain an insight on Netsweeper and FinFisher!

A few days ago, Masashi Crete-Nishihata (research manager) and Jakub Dalek (systems administrator) from the Citizen Lab visited the Centre for Internet and Society (CIS) to share their research with us.

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. The OpenNet Initiative is one of the Citizen Lab's ongoing projects which aims to document patterns of Internet surveillance and censorship around the world. OpenNet.Asia is another ongoing project which focuses on censorship and surveillance in Asia.

The following video entails an interview of both Masashi Crete-Nishihata and Jakub Dalek on the following questions:

1. Why is it important to investigate Internet filtering around the world?

2. How high are the levels of Internet filtering in India, in comparison to the rest of the world?

3. "Censorship and surveillance of the Internet aim at tackling crime and terrorism and in increasing overall security." Please comment.

4. What is Netsweeper and how is it being used in India? What consequences does this have?

5. What is FinFisher and how could it be used in India?

Video

For more details visit https://cis-india.org/internet-governance/blog/interview-with-citizen-lab-on-internet-filtering

Cyber experts suggest using open source software to protect privacy

praskrishna — 2013-07-03T04:32:48Z

Big Brother is watching. With the Central Monitoring System (CMS) at home and PRISM from the US, millions of users worldwide have become vulnerable to online surveillance by state agencies without even realizing it. No surprise, several cyber security experts feel that building one's own personal firewall is a good way of fortifying online privacy.

The article by Kim Arora was published in the Times of India on June 22, 2013. Sunil Abraham is quoted.

One enterprising netizen has compiled a list of services, from social networks to email clients, and even web browsers, that offer better protection from surveillance. They are listed on a web page called prism-break.org.

When asked about steps that a digital native can take to protect his privacy and online data, Sunil Abraham, executive director of Bangalore-based non-profit Center for Internet and Society said, "Stop using proprietary software, shift to free/open source software for your operating system and applications on your computer and phone. Android is not sufficiently free; shift to CyanogenMod. Encrypt all sensitive Internet traffic and email using software like TOR and GNU Privacy Guard. Use community based infrastructure such as Open Street Maps and Wikipedia. Opt for alternatives to mainstream services. For example, replace Google Search with DuckDuckGo."

Use of licensed or proprietary software, which bind users legally when it comes to use and distribution, seems to be losing favour among an informed niche. While alternative software cannot offer absolute protection, it is being seen as a "better-than-nothing" option. Anonymisers like TOR, though also not entirely foolproof, are also a popular option among those who wish to keep their web usage untraceable. Once installed on a browser, anonymisers can hide the route that digital traffic takes when sent from your computer over a network before emerging at an end node.

There is one caveat, though. Some websites can deny service to users operating on certain anonymising networks. Also, anonymisers are known to reduce browsing speeds. In India, where broadband speeds are already abysmally low, anything that slows one down even further would find popularity hard to come by.

Computer and network security expert Aseem Jakhar too recommends open source software since they offer the convenience of customization to suit one's encryption needs and are able to verify the source code. For laypersons, there are other tools. "One can use anonymisers like TOR which encrypt your communication and hide your identity. With these it becomes very difficult to exactly locate the source. For email clients, it is best to use ones that offer end-to-end strong encryption," he says. Jakhar, co-founder of open security community "null", also recommends the use of customized and Linux systems for more advanced users. Default Linux distributions, he points out, may have free online services which can again be analysed by the governments.

The home-bred CMS programme seeks to directly procure data pertaining to call records and internet usage for intelligence purposes without going through telecom service providers. There were fears of abuse when information about the programme, kept under strict wraps by the government, trickled in. Department of Telecom and Ministry of IT and Communication have been reticent about the state of implementation of the 400-crore rupees programme.

PRISM, a similar, international monitoring programme mounted by the US and revealed to the world by the US National Security Authority whistleblower Edward Snowden, has raised concerns of safeguarding digital information the world over.

For more details visit https://cis-india.org/news/times-of-india-june-22-2013-kim-arora-cyber-experts-suggest-open-source-software-to-protect-privacy

Delhi: Learn to secure your online communication!

bernadette — 2013-06-27T11:11:17Z

Having a Cryptoparty in Delhi

"Governments around the world, are greatly increasing their surveillance of the Internet. Alongside a loss of the private sphere, this also represents a clear danger to basic civil liberties. The good news is that we already have the solution: encrypting communications makes it very hard, if not entirely impossible, for others to eavesdrop on our conversations. The bad news is that crypto is largely ignored by the general public, partly because they don't know about it, and partly because even if they do, it seems too much trouble to implement." (Source)

So lets go and have a party, and teach each other how to crypto!

Everyone is invited! Especially do not hesitate to join if you are not using any crypto at all (yet!)

Here is a Flyer / Printout for you to spread the message!

Please add a name on the list here, or RSVP at bernadette@cis-india.org, Thank you!

For more details visit https://cis-india.org/internet-governance/events/cryptoparty-delhi

Cryptoparty Delhi Flyer

bernadette — 2013-06-21T11:53:44Z

For more details visit https://cis-india.org/internet-governance/cryptoparty-delhi-flyer

Cryptoparty bangalore flyer

bernadette — 2013-06-21T11:53:58Z

invitation / flyer for cryptoparty bangalore july

For more details visit https://cis-india.org/internet-governance/cryptoparty-bangalore-flyer

Bangalore: Learn to secure your online communication!

bernadette — 2013-06-27T11:11:32Z

Having a Cryptoparty in Bangalore

So lets go and have a party, and teach each other how to crypto!

Everyone is invited! Especially do not hesitate to join if you are not using any crypto at all (yet!)

Here is a Flyer / Printout for you to spread the message!

Please add your name on the list here, or RSVP at bernadette@cis-india.org, Thank you!

For more details visit https://cis-india.org/internet-governance/events/cryptoparty-bangalore

Annual Report (2012-13)

praskrishna — 2014-10-22T00:04:39Z

For more details visit https://cis-india.org/internet-governance/blog/annual-report-2012-13.pdf

The Stranger with Candy

nishant — 2015-04-17T11:00:04Z

Beware of online threats, as the distinction between friends and foes is false on the internet.

Nishant Shah's column was published in the Indian Express on June 16, 2013.

My parents and I were in Oslo, when after a long day in the city, we returned to an intriguing situation. My father, who is quite a digital migrant and uses the internet for daily exchanges, found an email from an uncle waiting in his inbox. The email begins with the uncle travelling to Madrid, Spain, to help an ailing cousin who needs a surgery and requested that my father help the writer, his cousin, with €2,500. The email ended with a note of urgency, "I will check my email every 30 minutes for your reply".

My father, who was by now rather agitated, asked my brother and me what could be done. People asking for money over email is the modern day equivalent of strangers bearing candy in a car. We were both immediately wary and when we saw the mail, we knew that it was a scam. Somebody had cracked into somebody's account and was now sending out emails to everybody in their contact list, hoping to make a quick buck. The only action we took was to inform the relative that his account seemed to have been compromised and that he needed to protect it.

This incident, in the context of disallowing children below 13 years on Facebook in India, got me thinking. How do we trust somebody, or something online? There is a presumption that digital natives instinctively know how to deal with dubious situations online. True, one seldom hears of a digital native falling for scams of Nigerian princes offering their inheritance or widows of bank managers in Saudi Arabia wanting to transfer millions to their bank accounts. But that might be because digital natives live more in gift and attention economies and have always been suspicious of anybody waving a wad of notes.

However, we do know that the young are often susceptible to other predators on the Web. While it might occasionally seem that the West's paranoia around paedophiles online, preying on young children as sexual victims might have reached the limits of logical absurdity, it remains indisputable that young adults haven't yet developed the codes to trust somebody online. We encounter countless stories of the young who endanger their futures by documenting their follies and foibles in the unforgiving and unforgetting space of the internet. Let us not forget the names of Adnan Patrawala and Koushambi Layek, who fell prey to strangers pretending to be friends and lovers on the social networking site Orkut.

I am not suggesting that the World Wide Web is any more dangerous than the brick and mortar world that we live in. Our flesh- and-bone bodies are under equal danger in our everyday lives. But over time, we have learned and have been taught how to decode conditions that might harm us. We have learned to distance ourselves from strangers with grins, and people who look hostile. The authorities have created visible signposts of danger all around us — from red traffic lights to surveillance cameras — that constantly remind us that safety is not the default mode of our existence but something that we need to incessantly create for ourselves.

The digital world has no such guidelines. The mammoth corporations, which now govern a large part of the cyberspace, individually try to create structures that would save us from falling victim to such attacks. So the filter on your Gmail account is an intelligent system that scans every byte of information that goes in and out of your inbox, learning both your behaviour patterns and your interaction modes, to filter out not only the obvious hoax emails but also things that you might deem as clutter. Smart browsers like Firefox identify IP addresses that are regularly abusive and warn us about installing any software that might originate there. On Facebook, certain pictures and posts with offensive content are censored even before they get into your data stream. The friendship algorithm, further ensures that you increasingly see content from your 'close friends' rather than strangers. In all these mechanisms, which use big data mining tools to recognise harmful patterns as well as encourage you to devise your own vouchsafes, there is an implicit understanding that the people we know will do us less harm. They are designed to keep out unwanted or potentially harmful people because it might lead to danger or conflict.

However, as we saw in the case of the email to my father, the distinctions between strangers and friends on the internet, is a forced one. When all digital avatars are a performance of a kind, it becomes easy for an imposter to take on that identity. The only credentials we have of somebody's authenticity are often their user accounts and email — data which can be stolen and manipulated effortlessly. And increasingly, we have learned that when it comes to the online world, the people who infect us with viruses, rob us of our money and crash our digital worlds are people who are our 'friends'.

While we shall learn through experience and through stories, there remains a need to develop a larger social discussion around trust online. This debate cannot be whether content needs to be censored online or whether certain groups should be allowed to get on to social network systems. Instead, it has to be a debate that realises the notions of friendship and trust, of networks and connections, are not merely extensions of the physical into the digital. On the infobahn, these are new modes of operation and being and it is not going to be easy to create a handbook of online safety. What we will need is an involved and inter-generational debate about the social, political and economic safety online and create signposts that remind us of the dangers of being online.

For more details visit https://cis-india.org/digital-natives/blog/indian-express-june-16-2013-nishant-shah-the-stranger-with-candy

कैसे होती है इंटरनेट पर आपकी जासूसी

praskrishna — 2013-07-02T16:06:48Z

भारत में बैठे आप कब, कहां, क्या लिख रहे हैं, किससे फोन पर क्या बात कर रहे हैं, अमेरिका में बैठे अधिकारी सब देख-सुन रहे हैं. कभी सोचा है कि कैसे हो रहा है यह सब? क्या आपकी कंप्यूटर स्क्रीन उनके कंप्यूटर पर भी खुली है?

This article was published in DW on June 15, 2013. Sunil Abraham is quoted.

अमेरिकी खुफिया एजेंसियों के बड़ी इंटरनेट कंपनियों के जरिए जासूसी करने के मामले ने दुनिया भर में हलचल मचा दी है. भारत में भी नागरिक इस बात से चिंतित हैं कि ना सिर्फ अमेरिकी नागरिकों पर बल्कि भारत में रहने वाले लोगों के हर पल की खबर भी अमेरिका के हाथों में है. कैसे हो सकता है यह सब, क्या यह किसी डाक की तरह है जिसे शक होने पर अधिकारी कभी भी हाथ से खोल सकते हैं? जी नहीं, उससे भी ज्यादा.

(आपका फोन कोई और तो नहीं सुन रहा)

कैसे होती है इंटरनेट जासूसी

भारत में सेंटर फॉर इंटरनेट एंड सोसाइटी के कार्यकारी निदेशक सुनील अब्राहम ने डॉयचे वेले को बताया कि फेसबुक, गूगल और माइक्रोसॉफ्ट जैसी बड़ी कंपनियों के पास आपकी अलग अलग जानकारी होती है. समूची जानकारी को कंपनी का हर सदस्य नहीं देख सकता है. उनके पास आपकी नियमित जानकारी ही है. वे आपके मेसेज नहीं खोल सकते हैं. लेकिन जब खुफिया एजेंसी के पास आपके कंप्यूटर पर चल रहे माइक्रोसॉफ्ट प्रोसेसर से लेकर आपके गूगल, फेसबुक और दूसरे अहम अकाउंट की जानकारी होती है तो उनके पास सब कुछ होता है. वे जब चाहें आपके कंप्यूटर से खुद अपने कंप्यूटर को जोड़ कर आपकी हर हरकत का पता कर सकते हैं.

हालांकि अमेरिकी कांग्रेस द्वारा पारित कानून के अनुसार केवल जिस व्यक्ति पर शक है, उसके अकाउंट से जुड़ी जानकारी के लिए खुफिया एजेंसी को पहले अदालत से अनुमति लेनी होती है जिसके आधार पर उन्हें इंटरनेट कंपनियां सर्वर तक की पहुंच देती हैं. लेकिन अब्राहम ने बताया कि एजेंसी ने ऐसा करने के बजाए कंपनियों के साथ मिलकर एक पीछे का रास्ता निकाला है जिसके तहत उनके पास सभी के अकाउंट का ब्योरा आ गया.

भारतीयों पर भी जासूसी

अब्राहम ने बताया कि भारत में इस्तेमाल हो रहे सभी बड़े सॉफ्टवेयर और फेसबुक और गूगल जैसी सोशल नेटवर्किंग साइटें अमेरिका में रजिस्टर्ड हैं. यानि यहां जो कुछ भी हो रहा है वह सब अमेरिकी सर्वर

	से हो कर गुजर रहा है. ऐसे में उनके लिए भारत में बैठे किसी व्यक्ति के अकाउंट को खोलना और पढ़ना जरा भी मुश्किल नहीं है. जबकि भारत अमेरिकी नागरिकों के साथ ऐसा नहीं कर सकता है. इस तरह कोई भी भारतीय अकाउंट अमेरिका की नजर से छुपा नहीं है. भारत सरकार के लिए जरूरी यह भी है कि उसके बड़े अधिकारियों, सैन्य अधिकारियों और सरकारी विभागों की जानकारी के साथ ऐसा कुछ ना हो सके. भारत के विदेश मंत्रालय ने इस मामले पर आपत्ति जताते हुए अमेरिका को ऐसा करने से रोकने का दावा किया है. यह अमेरिका के हाथों भारतीयों की निजता का हनन है. अब्राहम कहते हैं कि इस बारे में दोनों सरकारों के बीच बातचीत के बाद ही नतीजे सामने आएंगे. हालांकि भारत सरकार ऐसा पूरी तरह रोक पाएगी इस पर संदेह ही है.

से हो कर गुजर रहा है. ऐसे में उनके लिए भारत में बैठे किसी व्यक्ति के अकाउंट को खोलना और पढ़ना जरा भी मुश्किल नहीं है. जबकि भारत अमेरिकी नागरिकों के साथ ऐसा नहीं कर सकता है. इस तरह कोई भी भारतीय अकाउंट अमेरिका की नजर से छुपा नहीं है.

भारत सरकार के लिए जरूरी यह भी है कि उसके बड़े अधिकारियों, सैन्य अधिकारियों और सरकारी विभागों की जानकारी के साथ ऐसा कुछ ना हो सके. भारत के विदेश मंत्रालय ने इस मामले पर आपत्ति जताते हुए अमेरिका को ऐसा करने से रोकने का दावा किया है. यह अमेरिका के हाथों भारतीयों की निजता का हनन है. अब्राहम कहते हैं कि इस बारे में दोनों सरकारों के बीच बातचीत के बाद ही नतीजे सामने आएंगे. हालांकि भारत सरकार ऐसा पूरी तरह रोक पाएगी इस पर संदेह ही है.

(किसने खोला राज)

सभी देश कर रहे हैं जासूसी

सुनील अब्राहम ने बताया कि थोड़ी बहुत इंटरनेट जासूसी सभी देशों की सरकार करती है. यह देश की सुरक्षा के लिए अहम भी है. लेकिन यह कम से कम स्तर तक ही होनी चाहिए. उनका मानना है कि वर्तमान हालात के दौरान हर देश ज्यादा से ज्यादा जानकारी का भूखा होता जा रहा है. ऐसे में निजता का क्या अर्थ है वह भी मिटता जा रहा है. लेकिन ऐसे में भी अमेरिका का भारतीयों पर जासूसी करना सही नहीं है.

इसके लिए जरूरी यह है कि भारत सरकार अपने नागरिकों को इंटरनेट पर अपनी निजता बनाए रखने के तरीकों से अवगत कराए. लेकिन यह इसलिए संभव नहीं हो सकता है, क्योंकि फिर लोगों के बारे में जरूरत पड़ने पर खुद भारत सरकार जासूसी नहीं कर पाएगी.

अब्राहम ने बताया कि ऐसी स्थिति में आईक्लाउड और एयर एंड्रॉयड जैसे सॉफ्टवेयर का इस्तेमाल भी सुरक्षित नहीं है. वह और उनके जैसे दूसरे इंटरनेट एक्सपर्ट और कार्यकर्ता लोगों से अपील करते आए हैं कि वे इन सॉफ्टवेयर का इस्तेमाल अपनी निजी जानकारी को संचित करने के लिए ना करें.

सुनील अब्राहम ने कहा कि यह तो बस शुरुआत है. ऐसा नहीं है कि ये मामले यहीं थम जाएंगे. आगे आने वाले समय में हम इस तरह की जासूसी और जानकारी लीक हो जाने की और बातें सुनें तो हैरान नहीं होना चाहिए. हमारे पास अभी तक ऐसा सिस्टम नहीं है जो निजता को पूरी तरह सुरक्षित रखने के लिए आश्वस्त कर सके.

रिपोर्ट: समरा फातिमा
संपादन: महेश झा

For more details visit https://cis-india.org/news/dw-june-15-report-on-internet-surveillance

World Wide Rule

nishant — 2013-07-01T10:26:24Z

Nishant Shah's review of Schmidt and Cohen's book was published in the Indian Express on June 14, 2013.

Click to read the original published in the Indian Express here

Book: The New Digital Age
Author: Eric Schmidt & Jared Cohen
Publisher: Hachette
Price: Rs 650
Pages: 315

When I first heard that Eric Schmidt the chairman of Google and Jared Cohen, the director of the techno-political think-tank Google Ideas, are co-authoring a book about our future and how it is going to be re-shaped with the emergence of digital technologies, I must confess I was sceptical. When people who do things that you like start writing about those things, it is not always a pretty picture. Or an easy read. However, like all sceptics, I am only a romantic waiting to be validated. So, when I picked up The New Digital Age I was hoping to be entertained, informed and shaken out of my socks as the gurus of the interwebz spin science fiction futures for our times. Sadly, I have been taught my lesson and have slid back into hardened scepticism.

Here is the short version of the book: Technology is good. Technology is going to be exciting. There are loads of people who haven't had it yet. There are not enough people who have figured out how things work. Everybody needs to go online because no matter what, technologies are here to stay and they are going to be the biggest corpus of power. They write, "There is a canyon dividing people who understand technology and people charged with addressing the world's toughest geopolitical issues, and no one has built a bridge…As global connectivity continues its unprecedented advance, many old institutions and hierarchies will have to adapt or risk becoming obsolete, irrelevant to modern society." So the handful who hold the reigns of the digital (states, corporates, artificial intelligence clusters) are either going to rule the world, or, well, write books about it.

The long version is slightly more nuanced, even though it fails to give us what we have grown to expect of all things Google — the bleeding edge of back and beyond. For a lay person, observations that Schmidt and Cohen make about the future of the digital age might be mildly interesting in the way title credits to your favourite movie can be. Once they have convinced us, many, many times, that the internet is fast and fluid and that it makes things fast and fluid and hence the future we imagine is going to be fast and fluid, the authors tell us that the internet is spawning a new "caste system" of haves, have-nots, and wants-but-does-not-haves.

Citing the internet as "the largest experiment involving anarchy in history" they look at the new negotiations of power around the digital. Virulent viruses from the "Middle East" make their appearance. Predictably wars of censorship and free information in China get due attention. Telcos get a big hand for building the infrastructure which can sell Google phones to people in Somalia. The book offers a straightforward (read military) reading of drones and less-than-expected biased views on cyberterrorism, which at least escapes the jingoism that the USA has been passing off in the service of a surveillance state. And more than anything else, the book shows politicos and governments around the world, that the future is messy, anarchy is at hand, but as long as they put their trust in Big Internet Brothers, the world will be a manageable place.

So while you can clearly see where my review for the book is heading, I must give it its due credit.

There are three things about this book that make it interesting. The first is how Schmidt and Cohen seem to be in a seesaw dialogue with themselves. They realise that five billion people are going to get connected online. They gush a little about what this net-universality is going to mean. And then immediately, they also realise that we have to prepare ourselves for a "Brave New World," which is going to be infinitely more messy and scary. They recognise that the days of anonymity on the Web are gone, with real life identities becoming our primary digital avatars. However, they also hint at a potential future of pseudonymity that propels free speech in countries with authoritarian regimes. This oscillation between the good, the bad, the plain and the incredible, keeps their writing grounded without erring too much either on the side of techno-euphoria or dystopic visions of the future.

Second, and perhaps justly so, the book doles out a lot of useful information not just for the techno-neophytes but also the amateur savant. There are stories about "Currygate" in Singapore, or of what Vodaphone did in Egypt after the Arab Spring, or of the "Human Flesh Search Engine" in China, which offer a comprehensive, if not critical, view of the way things are. Schmidt and Cohen have been everywhere on the ether and they have cyberjockeyed for decades to tell us stories that might be familiar but are still worth the effort of writing.

Third, it is a readable book. It doesn't require you to Telnet your way into obscure meaning sets in the history of computing. It is written for people who are still mystified not only about the past of the Net but also its future, and treads a surprisingly balanced ground in both directions. It is a book you can give to your grandmother, and she might be inspired to get herself a Facebook (or maybe a Google +) account.

But all said and done, I expected more. It is almost as if Schmidt and Cohen are sitting on a minefield of ideas which they want to hint at but don't yet want to share because they might be able to turn it into a new app for the Nexus instead. It is a book that could have been. It wasn't. It is ironic how silent the book is about the role that big corporations play in shaping our techno-futures, and the fact that it is printed on dead-tree books with closed licensing so I couldn't get a free copy online. For people claiming to build new and political futures, the fact that this wisdom could not come out in more accessible forms and formats, speaks a lot about how seriously we can take their views of the future.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-14-2013-nishant-shah-world-wide-rule

Indian surveillance laws & practices far worse than US

pranesh — 2013-07-12T11:09:39Z

Explosive would be just the word to describe the revelations by National Security Agency (NSA) whistleblower Edward Snowden.

Pranesh Prakash's column was published in the Economic Times on June 13, 2013. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Now, with the American Civil Liberties Union suing the Obama administration over the NSA surveillance programme, more fireworks could be in store. Snowden's expose provides proof of what many working in the field of privacy have long known. The leaks show the NSA (through the FBI) has got a secret court order requiring telecom provider Verizon to hand over "metadata", i.e., non-content data like phone numbers and call durations, relating to millions of US customers (known as dragnet or mass surveillance); that the NSA has a tool called Prism through which it queries at least nine American companies (including Google and Facebook); and that it also has a tool called Boundless Informant (a screenshot of which revealed that, in February 2013, the NSA collected 12.61 billion pieces of metadata from India).

Nothing Quite Private

The outrage in the US has to do with the fact that much of the data the NSA has been granted access to by the court relates to communications between US citizens, something the NSA is not authorised to gain access to. What should be of concern to Indians is that the US government refuses to acknowledge non-Americans as people who also have a fundamental right to privacy, if not under US law, then at least under international laws like the Universal Declaration of Human Rights and the ICCPR.

US companies such as Facebook and Google have had a deleterious effect on privacy. In 2004, there was a public outcry when Gmail announced it was using an algorithm to read through your emails to serve you advertisements. Facebook and Google collect massive amounts of data about you and websites you visit, and by doing so, they make themselves targets for governments wishing to snoop on you, legally or not.

Worse, Indian-Style

That said, Google and Twitter have at least challenged a few of the secretive National Security Letters requiring them to hand over data to the FBI, and have won. Yahoo India has challenged the authority of the Controller of Certifying Authorities, a technical functionary under the IT Act, to ask for user data, and the case is still going on.

To the best of my knowledge, no Indian web company has ever challenged the government in court over a privacy-related matter. Actually, Indian law is far worse than American law on these matters. In the US, the NSA needed a court order to get the Verizon data. In India, the licences under which telecom companies operate require them to provide this. No need for messy court processes.

The law we currently have â€” sections 69 and 69B of the Information Technology Act â€” is far worse than the surveillance law the British imposed on us. Even that lax law has not been followed by our intelligence agencies.

Keeping it Safe

Recent reports reveal India's secretive National Technical Research Organisation (NTRO) â€” created under an executive order and not accountable to Parliament â€” often goes beyond its mandate and, in 2006-07, tried to crack into Google and Skype servers, but failed. It succeeded in cracking Rediffmail and Sify servers, and more recently was accused by the Department of Electronics and IT in a report on unauthorised access to government officials' mails.

While the government argues systems like the Telephone Call Interception System (TCIS), the Central Monitoring System (CMS) and the National Intelligence Grid (Natgrid) will introduce restrictions on misuse of surveillance data, it is a flawed claim. Mass surveillance only increases the size of the haystack, which doesn't help in finding the needle. Targeted surveillance, when necessary and proportional, is required. And no such systems should be introduced without public debate and a legal regime in place for public and parliamentary accountability.

The government should also encourage the usage of end-to-end encryption, ensuring Indian citizens' data remains safe even if stored on foreign servers. Merely requiring those servers to be located in India will not help, since that information is still accessible to American agencies if it is not encrypted. Also, the currently lax Indian laws will also apply, degrading users' privacy even more.

Indians need to be aware they have virtually no privacy when communicating online unless they take proactive measures. Free or open-source software and technologies like Open-PGP can make emails secure, Off-The-Record can secure instant messages, TextSecure for SMSes, and Tor can anonymise internet traffic.

http://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us

For more details visit https://cis-india.org/internet-governance/blog/economic-times-june-13-2013-pranesh-prakash-indian-surveillance-laws-and-practices-far-worse-than-us

India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed

maria — 2013-11-06T10:20:46Z

As of last week, it is officially confirmed that the metadata of everyone´s communications is under the NSA´s microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most!

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was cross-posted in Medianama on 24th June 2013.

¨Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the democratic senator, Ron Wyden, asked James Clapper, the director of national intelligence a few months ago. “No sir”, replied Clapper.

True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of Americans, Indians, Egyptians, Iranians, Pakistanis and others all around the world.

Leaked NSA surveillance

Verizon Court Order

Recently, the Guardian released a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.

USA Today reported in 2006 that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the April 25 top secret order is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes metadata such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.

Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. Privacy and human rights concerns rise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens´ communications and lives. Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.

PRISM

Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by The Washington Post. Apparently, not only is the NSA gaining access to the meta data of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to disclose the security requests they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.

Yet it appears that the PRISM online surveillance programme enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The Guardian reported that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.

James R. Clapper, the US Director of National Intelligence, stated:

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world.

Boundless Informant

And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data?

The Guardian released top secret documents about the NSA data mining tool, called Boundless Informant; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide.

The following “global heat map” reveals how much data is being collected by the NSA from around the world:

The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.

During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with 15% of all information being tapped by the NSA coming from India during February-March 2013.

Edward Snowden is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.

So what does this all mean for India?

In his keynote speech at the 29th Chaos Communications Congress, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone´s department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have a history in spying on civilians, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s is proof of that. But how does all this affect India?

By tapping into the servers of some of the biggest Internet companies in the world, such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial Boundless Informant data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?

India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians´ data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches.

Recent reports that the NSA is tapping into these servers ultimately means that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining.

Many questions remain vague, but one thing is clear: through the NSA´s total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It´s not just about the U.S. government having access to Indians´ data, because access can lead to control and according to security expert, Bruce Schneier:

“Our data reflects our lives...and those who control our data, control our lives”.

How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in corporations seeking data request transparency, but also because they are unveiling a major global issue: surveillance is a fact and can no longer can be denied. The massive, indiscriminate collection of Indians´ data, without their prior knowledge or consent, and without the provision of guarantees in regards to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since the larger the database, the larger the probability for error. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since technology is not infallible and data trails are not always accurate.

What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even murdered - remember the drones?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?

What can we do now?

Let´s start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.

Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.

As a next- but immediate- step, the Indian government should demand answers from the NSA to the following questions:

What type of data is collected from India and which parties have access to it?
How long is such data retained for? Can the retention period be renewed and if so, for how long?
Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?

In addition to the above questions, the Indian government should also request all other information relating to Indians´ data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians´ data is prevented and that Internet companies are transparent and accountable in regards to who has access to their servers.

On an individual level, Indians can protect their data by using encryption, such as GPG encryption for their emails and OTR encryption for instant messaging. Tor is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.

To avoid surveillance, the use of HTTPS-Everywhere in the Tor Browser is recommended, as well as the use of combinations of additional software, such as TorBirdy and Enigmail, OTR and Diaspora. Tor hidden services are communication endpoints that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA´s surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.

Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it´s a fact. And why is it vital to protect our data? Because if we don´t, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.

The principles formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these principles are:

Legality: Limitations to the right to privacy must be prescribed by law
Legitimate purpose: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose
Necessity: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases
Adequacy: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose
Competent authority: Authorities must be competent when making determinations relating to communications or communications metadata
Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis
Due process: Governments must respect and guarantee an individual's human rights, that may interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the public
User notification: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request
Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public
Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests
Integrity of communications and systems: Service providers are responsible for the secure transmission and retention of communications data or communications metadata
Safeguards for international cooperation: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public
Safeguards against illegitimate access: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress
Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation

Applying these above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for everyone to fight for their right to be free.

Is a world without freedom worth living in?

For more details visit https://cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance

Indien: Umfangreiche Überwachung von Onlineaktivitäten, Telefonanrufen und Textnachrichten

praskrishna — 2013-07-02T09:40:43Z

This blog post by Von Andrea Jonjic was published in a German website on June 10, 2013. Pranesh Prakash is quoted.

Click to read the original published by Netzpolitik.org

The Times of India berichtete diese Woche von der Errichtung eines Central Monitoring System (CMS), das es staatlichen Stellen ermöglichen soll, alle Onlineaktivitäten, Telefonanrufe und Textnachrichten inklusive Standort von Bürgerinnen und Bürgern zu überwachen. Nach Pranesh Prakash, Direktor am Centre for Internet and Society, könne man das Projekt nur schwer bewerten:

In the absence of a strong privacy law that promotes transparency about surveillance and thus allows us to judge the utility of the surveillance, this kind of development is very worrisome. Further, this has been done with neither public nor parliamentary dialogue, making the government unaccountable to its citizens.

Das Centre for Internet and Society hatte Anfang April eine Analyse über “India’s ‘Big Brother’” angefertigt. Zwei Jahre lang sei das System entwickelt worden und habe insgesamt 4 Milliarden Indische Rupien (ca. 56 Millionen Euro) gekostet. Es wird laut Indian Times direkt bei den Telekommunikationsanbietern installiert, staatliche Behörden haben somit einen direkten Zugang. Dazu gehören laut dem Centre for Internet and Society Bundespolizei, Anti-Terror-Behörde, Anti-Drogen-Behörde und die Steuerbehörde.

Laut Pavan Duggal, Anwalt am Obersten Gerichtshof und spezialisiert auf ‘Cyber Law’, gibt sich die Regierung mit dem CMS beispiellose Befugnisse zur Überwachung der Onlineaktivitäten von Bürgerinnen und Bürgern – und das könne zu enormem Missbrauch führen. Bisher habe sich die Regierung kaum dazu geäußert, was eigentlich in welchem Ausmaß überwacht werden soll. Im Dezember 2012 habe der IT-Minister Milind Deora lediglich geäußert, dass man sich an die Gesetze halten werde.

Wir wollen netzpolitik.org weiter ausbauen. Dafür brauchen wir finanzielle Unterstützung. Investiere in digitale Bürgerrechte.

For more details visit https://cis-india.org/news/netzpolitik-june-10-2013-indien

Facebook, Google deny spying access

praskrishna — 2013-07-02T10:18:48Z

The CEOs of Facebook and Google on Saturday categorically denied that the US National Security Agency had "direct access" to their company servers for snooping on Gmail and Facebook users. But both acknowledged that the companies complied with the 'lawful' requests made by the US government and shared user data with sleuths.

The article by Javed Anwer was published in the Times of India on June 9, 2013. Pranesh Prakash is quoted.

In a post titled "What the ...?" Google's official blog, CEO Larry Page wrote, "We have not joined any program that would give the US governmentâ€”or any other governmentâ€”direct access to our servers. We had not heard of a program called PRISM until yesterday."

A few hours later, Facebook CEO Mark Zuckerberg responded. "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers... We hadn't even heard of PRISM before yesterday," he wrote on his page at the social media site.

According to a few PowerPoint slides allegedly leaked by an NSA official, nine technology companies - Google, AOL, Apple, Yahoo, Microsoft, Skype, Facebook, YouTube and PalTalk - are providing the US government easy access to user data. While all companies have denied being part anything called PRISM, Facebook and Google have been most vocal about it.

A few hours after Facebook and Google statements, the New York Times said in a report that technology companies had "opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users".

"In some cases, they (companies) changed their computer systems to do so," noted the NYT report.

The statements by the CEOs have done little to allay privacy fears. "The denials from the companies look highly coordinated, including similar phrases in all their responses. I don't think they are lying outright, though the NYT report suggests that they are telling a half-truth. They may not provide the US government 'direct access' to all their servers, but may be providing indirect access, or may just be responding to very broad FISA orders," said Pranesh Prakash, a policy director with Centre for Internet and Society in India.

On Friday US president Barack Obama had tacitly acknowledged NSA surveillance programmes aimed at non-US citizens. "You can't have a hundred per cent security and also then have a hundred per cent privacy and zero inconvenience. You know, we're going to have to make some choices as a society," he told reporters in the US.

Page and Zuckerberg also called on the governments to be more open about surveillance programmes. "The level of secrecy around the current legal procedures undermines the freedoms we all cherish," wrote Page.

Added Zuckerberg, "We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term."

For more details visit https://cis-india.org/news/times-of-india-javed-anwer-june-9-2013-facebook-google-deny-spying-access