Centre for Internet and Society

Zomato hack: You need to enhance online security with a password manager

praskrishna — 2017-05-23T15:54:50Z

Hacking incident at Zomato underlines need to employ different passwords for different accounts.

The article by Sanjay Kumar Singh was published in the Business Standard on May 23, 2017.

Recently, food-tech company Zomato suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as password managers.

In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing protocol used, hashes can be re-engineered to generate the password.

The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and password. To save themselves the bother of remembering many passwords, users often use the same password in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.

Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a password manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.

Password managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords on all the sites and apps you use. Also, hackers sometimes steal passwords by inserting a malware that copies keystrokes. Since a password manager inputs the password, you don't have to type them in, thereby doing away with the risk of your keystrokes being captured and stolen.

A password manager is a secure vault that stores all your passwords. You get access to the vault with a master password. Instead of remembering many passwords, you have to remember just one.

Browsers like Google Chrome and Mozilla Firefox also offer password managers. However, if you wish to use your password manager across browsers and apps, use a third-party one like those mentioned above. And while a password manager that is stored locally is safer, one that is cloud-based is more convenient, since you can use it across devices having internet connection. Password managers also offer two-factor authentication. They either send a password to your phone or generate it on your device. Unless your device also gets stolen, the password manager is difficult to break into.

As for whether password managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The password manager is safe provided you set a strong master password. Your password should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master password every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most password managers do have strong security practices, he adds.

Most password managers offer a free account but you have to pay to use their advanced security features.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager

WWW: The Hackers’ Haven

praskrishna — 2015-02-05T02:20:04Z

In an increasingly connected world, it pays to be careful when sharing personal information

This story by Abraham C. Mathews was published in BW | Businessworld Issue Dated 09-02-2015. Sunil Abraham gave his inputs.

Last year, Whatsapp changed its encryption algorithm several times and, every time, it was breached,” says Saket Modi, hacker, entrepreneur and CEO of Lucideus Technologies, which just created an app that monitors wayward activity on your smartphone. That’s geekspeak for: “Your WhatsApp chats, including deleted ones, would have been accessible to any hacker worth his salt”. And we are talking about a company that was valued at $19 billion at some point during the year. Only in November 2014 did WhatsApp finally embrace end-to-end encryption, which will ostensibly address the issue.

Or take the sales claim that every smartphone purchaser has heard — “Android is safe from virus.” That’s not, however, what a joint study by security solutions company Kaspersky and Interpol found. In the first half of 2014, 1,75,442 unique malicious programmes targeted at Android were discovered. Clearly a tribute to the platform on which 85 per cent of smartphones run.

In a TEDx talk last year titled ‘What’s physically possible in the virtual world’, Modi demonstrated how, with access to your smartphone for barely 20 seconds, he can see everything that has ever happened on your phone — text messages, call log, browsing history, and so on. He also showed how fraudulent emails could be disguised so as to appear to have come from a yahoo.com email address, and how you could be hacked even without being connected to the Internet. “There are only two kinds of people in the world,” he says. “Those who know they have been hacked and those who don’t.”

Epidemic Proportions
For cyber security, 2014 was annus horribilis. From celebrities whose intimate pictures were dumped on the Internet, to corporates such as Sony, JP Morgan and Target whose records were hacked into and personal information of millions of their customers compromised, it was the year when the proverbial shit hit the fan. Details (names, numbers, even favourite pizza toppings) of six lakh customers of Domino’s Pizza in France and Belgium were stolen for a $40,000 ransom. One hundred and ten million records (credit card details, social security numbers, along with addresses) from Target were stolen. The company later admitted that its sales were “meaningfully weaker” after the data theft was disclosed. One hundred and forty-five million records were stolen from eBay, 109 million from Home Depot and 83 million from JP Morgan during the year.

In 2013, a group that calls itself the Syrian Electronic Army hacked into Swedish company TrueCaller’s database. TrueCaller, an app, allows you to identify phone numbers. The data is collected from the contact list of those who download the app, which means, it even has details of those who haven’t downloaded or used the app in any way. Estimates put the number of Indians whose numbers could have been stolen at a million.

Cyber security is not yet a boardroom topic, says Anil Bhasin, MD, India & Saarc, Palo Alto Networks, which claims to create comprehensive security solutions for users but is fast becoming one with the increase in security breach incidents. Enterprises still use legacy technology that at times is 20 years old, he says, giving the example of banks that sometimes have a layer-3 staple inspection firewall, when they should ideally be running on layer-7.

When companies store your information, you also benefit. For example, when an e-commerce company does so, online shopping becomes faster and easier. But these companies should invest in measures to protect the information, says Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore. But then again, he says, a lot of breaches, like the celebrity iCloud hack, happen because users are negligent with measures designed to protect them. Passwords, for instance.

A Pew Research report found that only four out of 10 Internet users changed passwords after the ‘heartbleed’ virus (which found a way to unlock encrypted data) was uncovered in April 2014. Only 6 per cent thought their information was stolen. But, in August, it emerged that a Russian crime ring had amassed 1.2 billion user name-password combinations of 500 million email addresses from 4,20,000 websites. A Kaspersky study found that the number of malicious programmes detected rose 10 times in just six months to 6,44,000 in March 2014. This shows the call for vigil cannot not be more critical.

Interestingly, your online financial payments may be relatively more secure, thanks to Reserve Bank of India’s dogged persistence in continuing with the two-step verification process for electronic payments (a one-time password and PIN verification). The central bank drew a lot of flak for barring taxi app Uber from storing payment information and automatically deducting charges at the end of a ride. But Modi isn’t impressed. He likens the two-step verification to a batsman going onto the pitch wearing just a helmet. “The rest of your body is still exposed,” he says.

Easy Targets
Here’s one easy hack that Modi describes. Any app that you download from the app store on your phone asks for a set of permissions, which mostly come as an ‘all or nothing’ option. You either grant all the access it asks for, or you can’t download the app. Suppose, you grant a scrabble app access to your text messages. Your number can then be accessed by the app provider. Now think about how your banking transactions are verified — with a one-time password sent as a text message. With access to your text messages, entering that password would hardly be a challenge for hackers, says Modi. Or, suppose you were to set up a new WhatsApp account with that same number. The verification, like we all know, comes through a one-time password sent to your number. With access to your text messages, the hacker is given a virtual key to your entire WhatsApp history.

Or, take for instance, an app that requests access to your SD card (the storage card in your phone). With that permission, the app gets access to everything on your SD card, including your most private photos. Modi’s company Lucideus recently came out with an app, UnHack, that scans your phone to see which apps can access what data. If you use the app, you will find that not only can Facebook access the call logs on your phone, but apps like Wunderlist (which organises to-do lists) and Pocket (which stores articles for future offline reading) can access your contacts as well. The apps from TED (of TED Talks fame) as well as Flipkart can see as well as edit your personal photos and documents.

Companies —Uber, for instance — have in the past been found to be frivolous with data collected. Late last year, Uber greeted a Buzzfeed reporter who had arrived at the company’s New York headquarters with “There you are — I was tracking you”. No prior permission was sought. A venture capitalist, Peter Sims, had written earlier that his exact whereabouts in New York were displayed to a room full of people as part of a demonstration at a company event in Chicago.

Information Overload
Adam Tanner, a Harvard fellow and a Forbes columnist, was at an annual conference of the Direct Marketers Association, where he noticed a list of names of 1.8 million people with erectile dysfunction (ED), along with their email addresses and numbers. The organisers claimed the details were volunteered by the people themselves. Knowing that ED is something that men rarely admit to, he made the organisers an offer — “Let me purchase a list of a thousand people, and write to them to see if they know that they are on such a list.” The organisers refused, saying it would be an immoral use of their data. From this, one can tell that the information came from websites that took their details, promising a cure.

This, and other similar anecdotes made their way to his recent book, What Stays in Vegas, which deals with the world of personal data and the end of privacy as we know it. When Tanner meets Indians, he brings up matrimonial websites. What surprises him is the volume of information that people disclose. To westerners, details such as sub-caste or blood type, as well as in many cases the admission that a person is HIV+ is an outright breach of privacy. That people would volunteer to put this out in public is shocking. “When you are looking for a suitable match, giving the information may be important at the moment, but you must not forget that once something is on the Internet, it can never be completely deleted,” he warns.

But what is the problem if somebody has all the details, you may ask. Is the potential risk greater than the possibility of a perfect match? A PTI report from 2009 talks about a confession by an Indian Mujahideen operative who used information from such sites to get a student identity card as well as a driving licence. Mukul Shrivastava, a partner in the forensic practice at EY, gives you another alarming scenario. Let’s say somebody trawls your Facebook, what is the amount of information that such a person can get access to? Your daily routine, your physical movement, your favourite restaurant or whether you will be at home at a certain time (from a status message like “Can’t wait to watch the Devils trouncing Liverpool at ManU Café tonight!”). Even if a physical attack is not on the agenda, much of the information can be used to guess security questions (favourite cat, first school) and find out required details for phone banking (date of birth, email address, mother’s name). An HDFC Bank official says there is a rise in vishing (the voice equivalent of phishing) attacks, where people with access to bank account numbers as well as personal details pose as bank executives and lure customers with special benefits and convince them to divulge their banking passwords.

Security is an individual’s responsibility, says Sunil Abraham. “You have to remember that you have volunteered to put the information online,” he says. Information once put online is not private anymore. It’s like making an announcement in a large hall that is broadcast on TV. That’s what the Internet is. And once the Internet gets to know, it can never really be forgotten, says Vishnu Gopal, chief technology officer at MobME, a mobile value-added services provider. It will be available on some weblink or at least on archive.org, which claims to have ‘435 billion pages saved over time’.

While reclaiming lost information might be difficult, one can still reclaim privacy. Both Facebook and Gmail have options to disable monitoring by other applications. It might be worthwhile to pay the permissions page a visit. Routine password changes, as well as keying them in every time (rather than saving them on the system) might be worth the trouble. That said, nothing works like caution.

An Attacking Refrigerator!
A year ago, Proofpoint, a US-based security solutions provider, noticed an unusual type of cyber attack. Emails were sent in batches of about a lakh, thrice a day, aimed at slowing down large enterprises. What was unique about this attack was that upto 25 per cent of the volume was sent by devices other than computers, laptops, mobile phones or such devices. Instead, the emails came from everyday consumer electronic items like network routers, televisions, and at least one refrigerator, according to the company, with not more than 10 emails from any one device, making the attack difficult to block. This is now known as the first Internet of Things or IoT-based attack, where connected everyday-use devices are hacked into and used as cyber weaponry.

With the IoT, you have devices talking to one another, opening up multiple places to be breached, says MobME’s Gopal. From your shoe to T-shirt, everything becomes a potential bot. India should be concerned. Research by securities provider Symantec says India tops the list of countries wherein Distributed Denial of Service (DDoS) attacks originate. DDoS attacks are those where hundreds of bots target a website (say, an e-commerce company) on its big discount day, thereby slowing down traffic to the site. The report says a bot’s services can be bought for as low as Rs 300 to bring down a site for a few minutes. Monthly subscription plans are available for lengthier attacks.

Corporates can never be too careful, feels Shrivastava who, as part of his investigations, comes across several instances where companies are hacked into because of lack of best practices. How many companies have blocked pen drives on office machinery, he asks. In a tiny device, a humungous amount of data can be stolen. Till the first incident happens, nobody realises the importance of security, he says. For example, at EY, the IT security does not permit copying of the text of emails by the recipient. Recent reports suggest that the JP Morgan security breach was the result of neglect of one of its servers in terms of a security upgrade.

According to a study by Microsoft, the estimated loss to enterprises from lost data in 2014 was $491 billion.

You Against The Mafia
The fight really is about who’s weaker, says Altaf Halde, managing director, Kaspersky Lab-South Asia. “The problem here is the consumer.” Nothing excuses us from not protecting ourselves. That includes getting an anti-virus installed, but most people often disable it when it flags a particular activity that we want to pursue online.

Halde also brings up the BYOD (bring your own device) culture that is taking root. Asking employees to bring their own devices could help cut costs for a company, but that also brings in their inadequate protection, which could potentially translate into a much higher cost to the company, he says.

On the other side of the ring is the virtual underground mafia that profits from all types of data that get compromised — details of one’s sexual preferences, favourite restaurants or credit card details. Modi says in underground circles, the going rate for a stolen credit card number is $2.2 for a Visa, $2.5 for a MasterCard and $3 for an AmEx number. Transactions are made through crypto-currencies such as bitcoins, making them virtually untraceable.

As Modi says, the ideal scenario would be for all of us to throw away our smartphones and live an entirely offline existence. “But since that isn’t feasible, let’s embrace the risk, but with adequate measures to ensure that we are not affected.”

For more details visit https://cis-india.org/internet-governance/news/business-world-9-2-2015-abraham-c-mathews-www-the-hackers-haven

Workshop on Cyber-Ethics: Values-driven Innovative Solutions

Admin — 2019-07-06T00:51:20Z

Arindrajit Basu moderated a discussion on Cyber-Ethics at Swiss Nex (Consulate General of Switzerland, Bangalore on 28 June 2019. The event was organized by the Embassy of Switzerland.

Cyber-space – the virtual reality – influences all countries in the world and all sectors of society. The cyber-world of e-mails, e-commerce, e-government, e-education, e-music, e-prosecutors, artificial intelligence, crypto-currencies are daily reality, with new opportunities. On the other hand, cyber-bullying, cyber-criminality, cyber-security, cyber-war etc. are great challenges.

Cyber-ethics looks for values-driven innovative solutions to these challenges and opportunities between freedom and privacy, security and peace. Switzerland is a world leader in innovation, India is a world leader in information technologies. How can both countries strengthen ethical, values-driven solutions for the cyber-world? Indian and Swiss Experts present challenges and solutions.

Programme

10.00 Registration & welcome tea n coffee

10:30 Welcome remarks

Mr.Sebastien Hug, CEO, swissnex India and Consul General of Switzerland

10:35 Keynote address: Cyber-Ethics between Global Values and Contextual Interests

Prof. Dr. H.C. Christoph Stückelberger, Founder and President of Globethics.net, Visiting Professor of Ethics in Nigeria, Russia, China

11:05 Moderated panel discussion

Moderator: Arindrajit Basu, Senior Policy Officer, Center for Internet and Society,

Panelists:

Dr. Pavan Duggal, Founder and President of the International Commission on Cyber Security Law, Advocate at Supreme Court of India

Dr Siobhán Martin, Deputy Head, Leadership, Crisis and Conflict Management, Geneva Centre for Security Policy

Mr Sameer Chothani, Managing Director - Group Technology, India, UBS

12:15 Q&A

12:45 Networking lunch

For more details visit https://cis-india.org/internet-governance/news/workshop-on-cyber-ethics-values-driven-innovative-solutions

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking

The trouble with trolls

praskrishna — 2014-07-28T05:42:36Z

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

The article by Vishal Mathur was published in Livemint on July 22, 2014. Sunil Abraham gave his inputs.

Social networking sites give trolls the ability to hide their real identity and cause grief to others. Here is what you need to do if you face an online attack.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide. Avoid conversation if you can The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse. Report to the social network You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties. Keep a copy of the offensive posts Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst. Don’t ignore privacy settings Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.” Get help from the law In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

Though social networks were not designed with the intention of letting someone anonymously abuse another online, the reality is that people utilize the ability to hide behind online identities to threaten other users. These could be veiled attacks, direct abuse, or even threats to “cause bodily harm”. What can you do if you’re trolled and threatened on any social network? Follow our five-step guide.

Avoid conversation if you can
The responses could come in relation to something you may have just posted online. Or perhaps it could be just a random trolling attempt, to get a response from you. It is important to understand and identify such intentions. And as difficult as it may be, do not respond. Getting into a direct interaction with a bully only makes things worse.

Report to the social network
You should report any instance of cyber bullying or harassment to the host social network—the website or forum on which the interaction happened. There are various methods of getting in touch with the moderators—customer support email, contact submission forms or even via phone, in certain locations. Describe the problem in detail, and persist till the offending account is blocked from the platform. “Most social networks have systems that allow you to report abusive content and users. However, there is great variance in the speed with which they respond across different platforms, jurisdictions, etc.,” says Sunil Abraham, executive director at the Bangalore-based non-profit research organization Centre for Internet and Society. New Delhi-based Anja Kovacs, project director, at civil society organization Internet Democracy Project, adds: “Blocking and reporting an account can be two ways to stop harassment on some social networks, but on other platforms, such as Twitter, it is possible for the person to immediately make a new account under a different username, meaning that these measures do not necessarily stop the harassment.” Ankhi Das, director, public policy, India and South Asia at social network Facebook, says: “Every reported piece of content is reviewed. Serial offenders are notified for non-compliance.” Facebook’s Community Standards, that prevent harassment and offensive posts, have an 11-point categorization for reported content—violence and threats, hate speech, graphic content, bullying and harassment, to name some. Raheel Khursheed, head of news, politics and government at Twitter India, did not respond to our mail about how Twitter handles trolls at the time of going to press. On blogs and forums, it may be a bit easier to deal with trolling and abuse. If it is your own blog, you can delete comments and block users. If it is a forum, the administrator can do it for you. But, with social networks having millions of users, it is not possible to have one administrator managing it all. And it is not just Facebook and Twitter, all social networks have a method by which you can register your complaint. LinkedIn, for example, automatically blocks a user who gets multiple “I don’t know” responses to invitations to connect. There is a strong monitoring policy where any reported content (recommendations or direct messages) is examined and immediate warnings are sent out to offending parties.

Keep a copy of the offensive posts
Be it a post, or a series of posts, direct message or even an offending photograph, always save it for future reference. Never assume that the matter will end soon, and always prepare for the worst.

Don’t ignore privacy settings
Most people start using Facebook, Twitter and other social networks without paying much attention to the privacy settings—what content people can see on your page, and who can directly contact you. Be conservative in sharing information—the less you share, the lower the chances of someone picking on you. “Avoid friending or linking to people whom you don’t know in real life unless you are certain of the chain of trust that exists between you and the unknown person,” says Abraham. New Delhi-based cyber lawyer Apar Gupta, adds: “The privacy settings on most social networking platforms allow users to prevent (restrict) the audience for their posts as well as strangers from contacting them. This will prevent most cases of online harassment.”

Get help from the law
In case social networks are not able to effectively block a user, or are in some way unwilling to do so, take help from the law-enforcement authorities. File an FIR in the nearest police station. Unfortunately, the progress may not be very smooth. The reality is that not every law-enforcement officer may know about social networking sites. “You could try and go to the police, but without support from the social network platform, they are often at a loss to do much themselves,” warns Kovacs. The police may look for hints of threat to cause bodily harm or worse still, to life. In such cases, they may recommend the case to the Cyber Crime Cell of the Central Bureau of Investigation. “Generally, while the substantive offences do exist under law, the process for having them enforced is deficient. These are deeper structural problems of delay, investigation and conviction which are prevalent across criminal justice or civil litigation,” clarifies Gupta. Officials at the Cyber Crime Cell say they take up cases after reference from the local police, who file the report first and do a preliminary level of investigation. But it is important to realize that only the police and the law-enforcement agencies have the right to demand further details about the perpetrator from the social networks, starting with profile details and Internet Protocol (IP) addresses, which will help track the person down. Das clarifies: “Facebook has a point-of-contact system through which the law-enforcement agencies tell us what the actual case is, depending on severity. The police may ask us to take down particular content, or even ask for user information like IP info, to prevent real crime.” According to Facebook’s Government Requests Report for July-December 2013, the network restricted access to 4,765 pieces of content after requests from the Indian government and law-enforcement agencies.

For more details visit https://cis-india.org/news/livemint-july-22-2014-vishal-mathur-the-trouble-with-trolls

The thrill of saving India from cybercrime

praskrishna — 2016-11-21T02:42:48Z

Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.

The article by Peerzada Abrar was published in the Hindu on November 20, 2016.

Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.

“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.

In India, there has been a surge of approximately 350 per cent of cybercrime cases registered under the Information Technology (IT) Act, 2000 from the year of 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.

Ethical hackers

Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.

“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.

Mr. Modi, who is also a pianist, discovered his skills for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher who permitted him to still take the test. The incident transformed him to use his skills to protect and not misuse them. This year, Lucideus was hired by National Payments Corporation of India (NPCI) along with other information security specialists to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people mostly fresh college graduates who do hacking with authorisation.

“The reason behind choosing Lucideus was their young, energetic and knowledgeable team," said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.

Hacking lifeline

Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gains but also cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.

“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr.Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in their computer network.

Mr.Arora said that the hackers could have easily shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation to get back access to the server but also traced the hacker’s identity.

A school drop out, Mr.Arora founded TAC three years ago. But he initially found it tough to convince enterprises about his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.

“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”

TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.

Budget woes

Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.

According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.

The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, MotilalOswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.

“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime

The National Cyber Security Policy: Not a Real Policy

bhairav — 2013-09-25T09:49:11Z

Cyber security in India is still a nascent field without an organised law and policy framework. Several actors participate in and are affected by India's still inchoate cyber security regime. The National Cyber Security Policy (NCSP) presented the government and other stakeholders with an opportune moment to understand existing legal limitations before devising a future framework. Unfortunately, the NCSP's poor drafting and meaningless provisions do not advance the field.

This article was published in the Observer Research Foundation's Cyber Security Monitor Vol. I, Issue.1, August 2013.

For some time now, law and policy observers in India have been noticing a definite decline in the quality of national policies emanating from the Central Government. Unlike legislation, which is notionally subject to debate in the Parliament of India, policies face no public evaluation before they are brought in to force. Since, unlike legislation, policies are neither binding nor enforceable, there has been no principled ground for demanding public deliberation of significant national policies. While Parliament’s falling standard of competence has been almost unanimously condemned, there has been nearly no criticism of the corresponding failure of the Centre to invigilate the quality of the official policies of its ministries. Luckily for the drafters of the National Cyber Security Policy (NCSP), the rest of the country has also mostly failed to notice its poor content.

The NCSP was notified into effect on 2 July 2013 by the Department of Electronics and Information Technology – which calls itself DeitY – of the Ministry of Communications and Information Technology. As far as legislation and legal drafting go, DeitY has a dubious record. In March 2013, in a parliamentary appraisal of subordinate law framed by DeitY, a Lok Sabha committee found ambiguity, invasions of privacy and potentially illegal clauses. Apprehensions about statutory law administered by DeitY have also found their way to the Supreme Court of India, where a constitutional challenge to certain provisions of the Information Technology Act, 2000 (IT Act) continues. On more than one occasion, owing to poor drafting, DeitY has been forced to issue advisories and press releases to clarify the meaning of its laws. Ironically, the legal validity of these clarifications is also questionable.

A national policy must set out, in real and quantifiable terms, the objectives of the government in a particular field within a specified time frame. To do that, the policy must provide the social, economic, political and legal context prevalent at the time of its issue as well as a normative statement of factual conditions it seeks to achieve at the time of its expiry. Between these two points in time, the policy must identify and explain all the particular social, economic, political and legal measures it intends to implement to secure its success. Albeit concerned solely with economic growth, the Five-Year Plans – the Second and Tenth Plans in particular, without prejudice to their success or failure, are samples of policies that are well-drafted. In this background, the NCSP should be judged on the basis of how it addresses, in no particular order, national security, democratic freedoms, economic growth and knowledge development. Let us restrict ourselves to the first two issues.

There are broadly two intersections between national security and information technology; these are: (i) the security of networked communications used by the armed forces and intelligence services, and (ii) the storage of civil information of national importance. While the NCSP makes no mention of it, the adoption of the doctrine of network-centric warfare by the three armed forces is underway. Understanding the doctrine is simple – an intensive use of information technology to create networks of information aids situational awareness and enables collaboration to bestow an advantage in combat. However, the doctrine is vulnerable to asymmetric attack using both primitive and highly sophisticated means. Pre-empting such attacks should be a primary policy concern; not so, apparently, for the NCSP which is completely silent on this issue. The NCSP is slightly more forthcoming on the protection of critical information infrastructure of a civil nature. Critical information infrastructure, such as the national power grid or the Aadhar database, is narrowly defined in section 70 of the IT Act where it used to describe a protected system. Other provisions of the IT Act also deal with the protection of critical information infrastructure. The NCSP does not explain how these statutory provisions have worked or failed, as the case may be, to necessitate further mention in a policy document. For instance, section 70A of the IT Act, inserted in 2008, enables the creation of a national nodal agency to undertake research and development and other activities in respect of critical information infrastructure. Despite this, five years later, the NCSP makes a similar recommendation to operate a National Critical Information Infrastructure Protection Centre to undertake the same activities. In the absence of any meaningful explanation of intended policy measures, there is no reason to expect that the NCSP will succeed where an Act of Parliament has failed.

But, putting aside the shortcomings of its piece-meal provisions, the NCSP also fails to address high-level conceptual policy concerns. As information repositories and governance services through information technology become increasingly integrated and centralised, the security of the information that is stored or distributed decreases. Whether by intent or error, if these consolidated repositories of information are compromised, the quantity of information susceptible to damage is greater leading to higher insecurity. Simply put, if power transmission is centrally controlled instead of zonally, a single attack could black out the entire country instead of only a part of it. Or if personal data of citizens is centrally stored, a single leak could compromise the privacy of millions of people instead of only hundreds. Therefore, a credible policy must, before it advocates greater centralisation of information, examine the merits of diffused information storage to protect national security. The NCSP utterly fails in this regard.

Concerns short of national security, such as the maintenance of law and order, are also in issue because crime is often planned and perpetrated using information technology. The prevention of crime before it is committed and its prosecution afterwards is a key policy concern. While the specific context may vary depending on the nature of the crime – the facts of terrorism are different from those of insurance fraud – the principles of constitutional and criminal law continue to apply. However, the NCSP neither examines the present framework of cybersecurity-related offences nor suggests any changes in existing law. It merely calls for a “dynamic legal framework and its periodic review to address the cyber security challenges” (sic). This is self-evident, there was no need for a new national policy to make this discovery; and, ironically, it fails to conduct the very periodic review that it envisages. This is worrying because the NCSP presented DeitY with an opportunity to review existing laws and learn from past mistakes. There are concerns that cybersecurity laws, especially relevant provisions of the IT Act and its rules, betray a lack of understanding of India’s constitutional scheme. This is exemplified by the insertion, in 2008, of section 66A into the IT Act that criminalises the sending of annoying, offensive and inconvenient electronic messages without regard for the fact that free speech that is annoying is constitutionally protected.

In India, cybersecurity law and policy attempts to compensate for the state’s inability to regulate the internet by overreaching into and encroaching upon democratic freedoms. The Central Monitoring System (CMS) that is being assembled by the Centre is a case in point. Alarmed at its inability to be privy to private communications, the Centre proposes to build systems to intercept, in real time, all voice and data traffic in India. Whereas liberal democracies around the world require such interceptions to be judicially sanctioned, warranted and supported by probable cause, India does not even have statutory law to regulate such an enterprise. Given that, once completed, the CMS will represent the largest domestic interception effort in the world, the failure of the NCSP to examine the effect of such an exercise on daily cybersecurity is bewildering. This is made worse by the fact that the state does not possess the technological competence to build such a system by itself and is currently tendering private companies for equipment. The state’s incompetence is best portrayed by the activities of the Indian Computer Emergency Response Team (CERT-In) that was constituted under section 70B of the IT Act to respond to “cyber incidents”. CERT-In has repeatedly engaged in extra-judicial censorship and has ham-handedly responded to allegedly objectionable blogs or websites by blocking access to entire domains. Unfortunately, the NCSP, while reiterating the operations of CERT-In, attempts no evaluation of its activities precluding the scope for any meaningful policy measures.

The NCSP’s poor drafting, meaningless provisions, deficiency of analysis and lack of stated measures renders it hollow. Its notification into force adds little to the public or intellectual debate about cybersecurity and does nothing to further the trajectory of either national security or democratic freedoms in India. In fairness, this problem afflicts many other national policies. There is a need to revisit the high intellectual and practical standards set by most national policies that were issued in the years following Independence.

For more details visit https://cis-india.org/internet-governance/blog/orfonline-bhairav-acharya-observer-research-foundation-cyber-security-monitor-august-2013-nsp-not-a-real-policy

The Global Nature of Cybersecurity in a Changing World

Admin — 2019-07-05T02:26:52Z

Arindrajit Basu represented CIS at the annual grantee convening of the Hewlett Foundation held at San Diego from 20 - 22 June 2019.

Cybersecurity knows no borders and is not limited to any one geography or culture. The challenges and opportunities facing cybersecurity experts, policymakers and the public areglobal in nature and require globally-minded solutions at all levels. At the same time, rapid changes in technology have a direct impact on societies around the world and the changingthreat environment. The Hewlett Foundation’s 2019 Cyber Initiative Grantee Convening will focus on two pillars: (1) the global nature of cyberspace and (2) emerging technologychallenges and solutions. We will come together to share our work in this space and identify opportunities for meaningful collaboration.

For more info, click here.

For more details visit https://cis-india.org/telecom/news/the-global-nature-of-cybersecurity-in-a-changing-world

The Geopolitics of Cyberspace: A Compendium of CIS Research

arindrajit — 2021-11-15T14:48:49Z

Cyberspace is undoubtedly shaping and disrupting commerce, defence and human relationships all over the world. Opportunities such as improved access to knowledge, connectivity, and innovative business models have been equally met with nefarious risks including cyber-attacks, disinformation campaigns, government driven digital repression, and rabid profit-making by ‘Big Tech.’ Governments have scrambled to create and update global rules that can regulate the fair and equitable uses of technology while preserving their own strategic interests.

With a rapidly digitizing economy and clear interests in shaping global rules that favour its strategic interests, India stands at a crucial juncture on various facets of this debate. How India governs and harnesses technology, coupled with how India translates these values and negotiates its interests globally, will surely have an impact on how similarly placed emerging economies devise their own strategies. The challenge here is to ensure that domestic technology governance as well as global engagements genuinely uphold and further India’s democratic fibre and constitutional vision.

Since 2018, researchers at the Centre for Internet and Society have produced a body of research including academic writing, at the intersection of geopolitics and technology covering global governance regimes on trade and cybersecurity, including their attendant international law concerns, the digital factor in bilateral relationships (with a focus on the Indo-US and Sino-Indian relationships). We have paid close focus to the role of emerging technologies in this debate, including AI and 5G as well as how private actors in the technology domain, operating across national jurisdictions, are challenging and upending traditionally accepted norms of international law, global governance, and geopolitics.

The global fissures in this space matter fundamentally for individuals who increasingly use digital spaces to carry out day to day activities: from being unwitting victims of state surveillance to harnessing social media for causes of empowerment to falling prey to state-sponsored cyber attacks, the rules of cyber governance, and its underlying politics. Yet, the rules are set by a limited set of public officials and technology lawyers within restricted corridors of power. Better global governance needs more to be participatory and accessible. CIS’s research and writing has been cognizant of this, and attempted to merge questions of global governance with constitutional and technical questions that put individuals and communities centre-stage.

Research and writing produced by CIS researchers and external collaborators from 2018 onward is detailed in the appended compendium.

Compendium

Global cybersecurity governance and cyber norms

Two decades since a treaty governing state behaviour in cyberspace was mooted by Russia, global governance processes have meandered along. The security debate has often been polarised along “Cold War” lines but the recent amplification of cyberspace governance as developmental, social and economic has seen several new vectors added to this debate. This past year two parallel processes at the United Nations General Assembly’s First Committee on Disarmament and International Security-United Nations Group of Governmental Experts (UN-GGE) and the United Nations Open Ended Working Group managed to produce consensus reports but several questions on international law, norms and geopolitical co-operation remain. India has been a participant at these crucial governance debates. Both the substance of the contribution, along with its implications remain a key focus area for our research.

Edited Volumes

Karthik Nachiappan and Arindrajit Basu India and Digital World-Making, Seminar 731, 1 July 2020 (featuring contributions from Manoj Kewalramani, Gunjan Chawla, Torsha Sarkar, Trisha Ray, Sameer Patil, Arun Vishwanathan, Vidushi Marda, Divij Joshi, Asoke Mukerji, Pallavi Raghavan, Karishma Mehrotra, Malavika Raghavan, Constantino Xavier, Rajen Harshe' and Suman Bery)

Long-Form Articles

Arindrajit Basu and Elonnai Hickok, Cyberspace and External Affairs: A Memorandum for India (Memorandum, Centre for Internet and Society, 30 Nov 2018)
The Potential for the Normative Regulation of Cyberspace (White Paper, Centre for Internet and Society, 30 July 2018)
Arindrajit Basu and Elonnai Hickok Conceptualizing an International Security Architecture for cyberspace (Briefings of the Global Commission on the Stability of Cyberspace, Bratislava, Slovakia, May 2018)
Sunil Abraham, Mukta Batra, Geetha Hariharan, Swaraj Barooah, and Akriti Bopanna, India's contribution to internet governance debates (NLUD Student Law Journal, 2018)

Blog Posts and Op-eds

Arindrajit Basu, Irene Poetranto, and Justin Lau, The UN struggles to make progress in cyberspace, Carnegie Endowment for International Peace, May 19th, 2021
Andre’ Barrinha and Arindrajit Basu, Could cyber diplomacy learn from outer space, EU Cyber Direct, 20th April 2021
Arindrajit Basu and Pranesh Prakash, Patching the gaps in India’s cybersecurity, The Hindu, 6th March 2021
Arindrajit Basu and Karthik Nachiappan, Will India negotiate in cyberspace?, Leiden Security and Global Affairs blog,December 16, 2020
Elizabeth Dominic, The debate over internet governance and cybercrimes: West vs the rest?, Centre for Internet and Society, June 08, 2020
Arindrajit Basu, India’s role in Global Cyber Policy Formulation, Lawfare, Nov 7, 2019
Pukhraj Singh, Before cyber norms,let's talk about disanalogy and disintermediation, Centre for Internet and Society, Nov 15th, 2019
Arindrajit Basu and Karan Saini, Setting International Norms of Cyber Conflict is Hard, But that Doesn’t Mean that We Should Stop Trying, Modern War Institute, 30th Sept, 2019
Arindrajit Basu, Politics by other means: Fostering positive contestation and charting red lines through global governance in cyberspace (Digital Debates, Volume 6, 2019)
Arindrajit Basu, Will the WTO Finally Tackle the ‘Trump’ Card of National Security? (The Wire, 8th May 2019)

Policy Submissions

Arindrajit Basu, CIS Submission to OEWG (Centre for Internet and Society, Policy Submission, 2020)
Aayush Rathi, Ambika Tandon, Elonnai Hickok, and Arindrajit Basu. “CIS Submission to UN High-Level Panel on Digital Cooperation.” Policy submission. Centre for Internet and Society, January 2019.
Arindrajit Basu,Gurshabad Grover, and Elonnai Hickok. “Response to GCSC on Request for Consultation: Norm Package Singapore.” Centre for Internet and Society, January 17, 2019.
Arindrajit Basu and Elonnai Hickok. Submission of Comments to the GCSC Definition of ‘Stability of Cyberspace (Centre for Internet and Society, September 6, 2019)

Digital Trade and India's Political Economy

The modern trading regime and its institutions were born largely into a world bereft of the internet and its implications for cross-border flow and commerce. Therefore, regulatory ambitions at the WTO have played catch up with the technological innovation that has underpinned the modern global digital economy. Driven by tech giants, the “developed” world has sought to restrict the policy space available to the emerging world to impose mandates regarding data localisation, source code disclosure, and taxation - among other initiatives central to development. At the same time emerging economies have pushed back, making for a tussle that continues to this day. Our research has focussed both on issues of domestic political economy and data governance,and the implications these domestic issues have on how India and other emerging economies negotiate at the world stage.

Long-Form articles and essays

Arindrajit Basu, Elonnai Hickok and Aditya Chawla, T he Localisation Gambit: Unpacking policy moves for the sovereign control of data in India (Centre for Internet and Society, March 19, 2019)
Arindrajit Basu,Sovereignty in a datafied world: A framework for Indian diplomacy in Navdeep Suri and Malancha Chakrabarty (eds) A 2030 Vision for India’s Economic Diplomacy (Observer Research Foundation 2021)
Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu, Cross Border Data-Sharing and India (Centre for Internet and Society, 2018)

Blog posts and op-eds

Arindrajit Basu, Can the WTO build consensus on digital trade, Hinrich Foundation,October 05,2021
Amber Sinha, The power politics behind Twitter versus Government of India, The Wire, June 03, 2021
Karthik Nachiappan and Arindrajit Basu, Shaping the Digital World, The Hindu, 30th July 2020
Arindrajit Basu and Karthik Nachiappan, India and the global battle for data governance, Seminar 731, 1st July 2020
Amber Sinha and Arindrajit Basu, Reliance Jio-Facebook deal highlights India’s need to revisit competition regulations, Scroll, 30th April 2020
Arindrajit Basu and Amber Sinha, The realpolitik of the Reliance-Jio Facebook deal, The Diplomat, 29th April 2020
Arindrajit Basu, The Retreat of the Data Localization Brigade: India, Indonesia, Vietnam, The Diplomat, Jan 10, 2020
Amber Sinha and Arindrajit Basu, The Politics of India’s Data Protection Ecosystem, EPW Engage, 27 Dec 2019
Arindrajit Basu and Justin Sherman, Key Global Takeaways from India’s Revised Personal Data Protection Bill, Lawfare, Jan 23, 2020
Nikhil Dave,“Geo-Economic Impacts of the Coronavirus: Global Supply Chains.” Centre for Internet and Society , June 16, 2020.

International Law and Human Rights

International law and human rights are ostensibly technology neutral, and should lay the edifice for digital governance and cybersecurity today. Our research on international human rights has focussed on global surveillance practices and other internet restrictions employed by a variety of nations, and the implications this has for citizens and communities in India and similarly placed emerging economies. CIS researchers have also contributed to, and commented on World Intellectual Property Organization negotiations at the intersection of international Intellectual Property (IP) rules and the human rights.

Long-form article

Arindrajit Basu, Extra Territorial Surveillance and the incapacitation of international human rights law, 12 NUJS LAW REVIEW 2 (2019)
Gurshabad Grover and Arindrajit Basu, ”Internet Blockage”(Scenario contribution to NATO CCDCOE Cyber Law Toolkit,2021)
Arindrajit Basu and Elonnai Hickok, Conceptualizing an international framework for active private cyber defence (Indian Journal of Law and Technology, 2020)
Arindrajit Basu,Challenging the dogmatic inevitability of extraterritorial state surveillance in Trisha Ray and Rajeswari Pillai Rajagopalan (eds) Digital Debates: CyFy Journal 2021 (New Delhi:ORF and Global Policy Journal,2021)

Blog Posts and op-eds

Arindrajit Basu, “Unpacking US Law And Practice On Extraterritorial Mass Surveillance In Light Of Schrems II”, Medianama, 24th August 2020
Anubha Sinha, “World Intellectual Property Organisation: Notes from the Standing Committee on Copyright Negotiations (Day 1, Day 2, Day 3 and 4)”, July 2021
Raghav Ahooja and Torsha Sarkar,How (not) to regulate the internet:Lessons from the Indian Subcontinent,Lawfare,September 23,2021,

Bilateral Relationships

Technology has become a crucial factor in shaping bilateral and plurilateral co-operation and competition. Given the geopolitical fissures and opportunities since 2020, our research has focussed on how technology governance and cybersecurity could impact the larger ecosystem of Indo-China and India-US relations. Going forward, we hope to undertake more research on technology in plurilateral arrangements, including the Quadrilateral Security Dialogue.

Arindrajit Basu and Justin Sherman, The Huawei Factor in US-India Relations,The Diplomat, 22 March 2021
Aman Nair, “TIkTok: It’s Time for Biden to Make a Decision on His Digital Policy with China,” Centre for Internet and Society, January 22, 2021,
Arindrajit Basu and Gurshabad Grover, India Needs a Digital Lawfare Strategy to Counter China, The Diplomat, 8th October 2020
Anam Ajmal, The app ban will have an impact on the holding companies...global power projection begins at home, Times of India, July 7th, 2020 (Interview with Arindrajit Basu)
Justin Sherman and Arindrajit Basu, Trump and Modi embrace, but remain digitally divided, The Diplomat, March 05th, 2020

Emerging Technologies

Governance needs to keep pace with the technological challenges posed by emerging technologies, including 5G and AI. To do so an interdisciplinary approach that evaluates these scientific advances in line with the regimes that govern them is of utmost importance. While each country will need to regulate technology through the lens of their strategic interests and public policy priorities, it is clear that geopolitical tensions on standard-setting and governance models compels a more global outlook.

Long-Form reports

Anoushka Soni and Elizabeth Dominic, Legal and Policy implications of Autonomous weapons systems (Centre for Internet and Society, 2020)
Aayush Rathi, Gurshabad Grover, and Sunil Abraham, Regulating the internet: The Government of India & Standards Development at the IETF (Centre for Internet and Society, 2018)

Blog posts and op-eds

Aman Nair, Would banning Chinese telecom companies make India 5G secure in India? Centre for Internet and Society, 22nd December 2020
Arindrajit Basu and Justin Sherman, Two New Democratic Coalitions on 5G and AI Technologies, Lawfare, 6th August 2020
Nikhil Dave, The 5G Factor: A Primer, Centre for Internet and Society, July 20, 2020.
Gurshabad Grover, The Huawei bogey Indian Express, May 30th, 2019
Arindrajit Basu and Pranav MB, What is the problem with 'Ethical AI'?:An Indian perspective, Centre for Internet and Society, July 21, 2019

(This compendium was drafted by Arindrajit Basu with contributions from Anubha Sinha. Aman Nair, Gurshabad Grover, and Pranav MB reviewed the draft and provided vital insight towards its conceptualization and compilation. Dishani Mondal and Anand Badola provided important inputs at earlier stages of the process towards creating this compendium)

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-september-24-2021-the-geopolitics-of-cyberspace-compendium-of-cis-research

The Evolving Cyber Threat and How to Address It

praskrishna — 2013-11-18T10:49:15Z

Larry Clinton, the President and Chief Executive Officer of the Internet Security Alliance will give a talk on cyber threat and how to address the same. The talk will be held at the office of the Centre for Internet and Society in Bangalore on November 22, 2.30 p.m. to 3.30 p.m.

The talk will broadly cover the following:

Using Public-Private Partnerships to Enhance Cyber Security
Ongoing Threat of Cyber-attacks Must be Fought on Both a Technical and Economic Basis
Targeted Education's Critical Role in Cyber security
Combating the Persistent Cyber Security Threat in the Manufacturing Industry / Cyber Security Threats to the Supply Chain
Economics of Cyber Security

Larry Clinton

Larry Clinton is the President and Chief Executive Officer of the Internet Security Alliance (ISA). ISA is a multi-sector trade association with membership from virtually every one of the designated critical industry sectors. The mission of the ISA is to combine advanced technology with economics and public policy to create a sustainable system of cyber security.

Mr. Clinton is regularly called upon to testify before both the U.S. House and Senate. In 2008, ISA published its Cyber Security “Social Contract,” which is both the first and last source cited in the Executive Summary of President Obama’s “Cyberspace Policy Review” (click here for report). This report also cited more than a dozen of ISA’s white papers – far more than any other source. Recently, these ISA documents were also the inspiration for many of the recommendations in the House Republican Cyber Security Task Force Report (click here for report).

Mr. Clinton is known for his ability to take the complicated issues in this space and explain them clearly to a wide range of audiences: professional, policy makers and the general public. He has been featured in mass media such as USA Today, the PBS News Hour, the Morning Show on CBS, Fox News, CNN’s Situation Room, C-SPAN, and CNBC. He has also authored numerous professional journal articles on cyber security. This year he has published articles in the Cutter IT Journal, the Journal of Strategic Security and the Journal of Software Technology (click here for a full list of articles and other ISA news appearances).

The ISA’s pro-market, incentives-based approach to cyber security, rather than regulation, is outlined in its numerous publications, including the ISA Cyber Security Social Contract and Financial Management of Cyber Security series, which were written by the ISA Board of Directors and edited by Mr. Clinton (click here for the full list of ISA Publications).

For more details visit https://cis-india.org/internet-governance/events/evolving-cyber-threat-and-how-to-address-it

The Big Debit Card Breach: Three Things Card Holders Need To Understand

praskrishna — 2016-10-21T13:43:17Z

A total of 32 lakh debit cards across 19 banks could have been compromised on account of a purported fraud, the National Payment Corporation of India said in a statement.

The article by Alex Mathew was published by Bloomberg on October 20, 2016. Udbhav Tiwari was quoted.

The issue was brought to light when State Bank of India blocked the debit cards of 6 lakh customers on October 14. This was done after the bank was alerted to a possible fraud by the National Payment Corporation of India, MasterCard and Visa, said Managing Director Rajnish Kumar in a telephonic interview with BloombergQuint.

In a statement released on Thursday evening, the NPCI clarified that the problem was brought to their attention when they received complaints from a few banks that customers’ cards were used fraudulently, mainly in China and the U.S., while those cardholders were in India.

“The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI,” the payments corporation said.

SISA Security, a Bengaluru-based company is currently undertaking a forensic study to identify the extent of the problem and will submit a final report in November.

Based on the advisory issued by NPCI and other schemes, it is gathered that banks have advised their customers to change their debit card PIN. In situations where customers could not be contacted, the cards have been blocked and fresh cards are being issued by member banks.

NPCI statement

State Bank of India has blocked 6 lakh cards, while other banks have sent notifications to customers advising them to change their personal identification numbers.

How The Breach Could Have Occured

The breach that has apparently given hackers access to the PIN codes of several bank customers is likely to be on account of a malware attack. This attack is believed to have originated at an ATM.

The actual modus operandi of the hackers will only become clear once the forensic audit is released in November, but BloombergQuint spoke to cyber security expert Udbhav Tiwari to find out how the attack could have been orchestrated.

First, the hacker would have had to gain physical access to an ATM. The malware was then likely injected by connecting a laptop or another special device to a port on the cash disbursing machine, said Tiwari, a consultant at Centre For Internet & Society in Bengaluru.

Once the malware is injected, it automatically spreads across the network and infects other devices that are not protected against it. In this case, the malware could have infected a payment switch provider’s network.

A payment switch provider is an entity that facilitates a transaction either from an ATM or an online payment gateway. The service provider decides to whom the request for authorisation will be sent and then transmits the request back to the merchant or the ATM where the transaction originated.

In this case, one payment switch provider, Hitachi Payment Services, which manages close to 50,000 ATMs across the country, was asked by banks to investigate 30 of its ATMs on account of around 400 suspicious transactions that took place outside India, Managing Director Loney Antony told BloombergQuint in a telephonic interview.

The company had earlier said in a statement that an interim report by the audit agency does not suggest any breach or compromise in its systems.

The Scale Of The Breach

According to a study conducted by NPCI in collaboration with the banks, the number of debit cards that were infected by the malware has been set at 32 lakh. But Tiwari said this number could be higher.

The hypothetical limit to how much the malware can spread is dependent on the vulnerability of the systems, and if one of the payment switch provider’s systems was vulnerable and they still haven’t decided how many systems are vulnerable, it is quite possible that the malware is spreading at this point.

Udbhav Tiwari, Consultant, Centre For Internet & Society

What A Customer Should Do

The first, and most important step a customer should take is to immediately change their debit card PIN, Tiwari pointed out.

State Bank of India has said that its customers can opt to restrict the usage of their debit cards, for example whether it can be used both internationally and domestically or only domestically. Also, the daily limit of the debit card can be changed.

Once these steps have been taken, according to Tiwari, it is most important that customers stay vigilant and keep monitoring their bank statements. If an unauthorised transaction takes place, a customer should immediately contact their bank and block their card.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-alex-mathew-october-20-2016-the-big-debit-card-breach

Symposium on India’s Cyber Strategy

Admin — 2018-10-02T06:02:59Z

CIS organised a Symposium on India’s Cyber Strategy.

The event saw a total of around 30 participants from industry, academia, law/policy, media, and civil society, and had a panel comprised of Asoke Mukerji, Madhulika Srikumar, and Parminder Jeet Singh.

Presentations

India’s Strategic Interests in the Norms Setting Process in Cyberspace (Presentation by Ambassador Asoke Kumar Mukerji, Former Permanent Representative of India to the United Nations)
The Potential for the Normative Regulation of Cyberspace (Presentation by Arindrajit Basu)

For more details visit https://cis-india.org/internet-governance/events/symposium-on-india2019s-cyber-strategy

Summary Report Internet Governance Forum 2015

jyoti — 2015-11-30T10:47:13Z

Centre for Internet and Society (CIS), India participated in the Internet Governance Forum (IGF) held at Poeta Ronaldo Cunha Lima Conference Center, Joao Pessoa in Brazil from 10 November 2015 to 13 November 2015. The theme of IGF 2015 was ‘Evolution of Internet Governance: Empowering Sustainable Development’. Sunil Abraham, Pranesh Prakash & Jyoti Panday from CIS actively engaged and made substantive contributions to several key issues affecting internet governance at the IGF 2015. The issue-wise detail of their engagement is set out below.

INTERNET GOVERNANCE

I. The Multi-stakeholder Advisory Group to the IGF organised a discussion on Sustainable Development Goals (SDGs) and Internet Economy at the Main Meeting Hall from 9:00 am to 12:30 pm on 11 November, 2015. The discussions at this session focused on the importance of Internet Economy enabling policies and eco-system for the fulfilment of different SDGs. Several concerns relating to internet entrepreneurship, effective ICT capacity building, protection of intellectual property within and across borders were availability of local applications and content were addressed. The panel also discussed the need to identify SDGs where internet based technologies could make the most effective contribution. Sunil Abraham contributed to the panel discussions by addressing the issue of development and promotion of local content and applications. List of speakers included:

Lenni Montiel, Assistant-Secretary-General for Development, United Nations
Helani Galpaya, CEO LIRNEasia
Sergio Quiroga da Cunha, Head of Latin America, Ericsson
Raúl L. Katz, Adjunct Professor, Division of Finance and Economics, Columbia Institute of Tele-information
Jimson Olufuye, Chairman, Africa ICT Alliance (AfICTA)
Lydia Brito, Director of the Office in Montevideo, UNESCO
H.E. Rudiantara, Minister of Communication & Information Technology, Indonesia
Daniel Sepulveda, Deputy Assistant Secretary, U.S. Coordinator for International and Communications Policy at the U.S. Department of State
Deputy Minister Department of Telecommunications and Postal Services for the republic of South Africa
Sunil Abraham, Executive Director, Centre for Internet and Society, India
H.E. Junaid Ahmed Palak, Information and Communication Technology Minister of Bangladesh
Jari Arkko, Chairman, IETF
Silvia Rabello, President, Rio Film Trade Association
Gary Fowlie, Head of Member State Relations & Intergovernmental Organizations, ITU

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /igf 2015-main -sessions

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2327-2015-11-11-internet-economy-and-sustainable-development-main-meeting-room

Video link Internet economy and Sustainable Development here https://www.youtube.com/watch?v=D6obkLehVE8

II. Public Knowledge organised a workshop on The Benefits and Challenges of the Free Flow of Data at Workshop Room 5 from 11:00 am to 12:00 pm on 12 November, 2015. The discussions in the workshop focused on the benefits and challenges of the free flow of data and also the concerns relating to data flow restrictions including ways to address them. Sunil Abraham contributed to the panel discussions by addressing the issue of jurisdiction of data on the internet. The panel for the workshop included the following.

Vint Cerf, Google
Lawrence Strickling, U.S. Department of Commerce, NTIA
Richard Leaning, European Cyber Crime Centre (EC3), Europol
Marietje Schaake, European Parliament
Nasser Kettani, Microsoft
Sunil Abraham, CIS India

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /workshops /list -of -published -workshop -proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2467-2015-11-12-ws65-the-benefits-and-challenges-of-the-free-flow-of-data-workshop-room-5

Video link https://www.youtube.com/watch?v=KtjnHkOn7EQ

III. Article 19 and Privacy International organised a workshop on Encryption and Anonymity: Rights and Risks at Workshop Room 1 from 11:00 am to 12:30 pm on 12 November, 2015. The workshop fostered a discussion about the latest challenges to protection of anonymity and encryption and ways in which law enforcement demands could be met while ensuring that individuals still enjoyed strong encryption and unfettered access to anonymity tools. Pranesh Prakash contributed to the panel discussions by addressing concerns about existing south Asian regulatory framework on encryption and anonymity and emphasizing the need for pervasive encryption. The panel for this workshop included the following.

David Kaye, UN Special Rapporteur on Freedom of Expression
Juan Diego Castañeda, Fundación Karisma, Colombia
Edison Lanza, Organisation of American States Special Rapporteur
Pranesh Prakash, CIS India
Ted Hardie, Google
Elvana Thaci, Council of Europe
Professor Chris Marsden, Oxford Internet Institute
Alexandrine Pirlot de Corbion, Privacy International

Detailed description of the workshop is available here http ://www .intgovforum .org /cms /worksh o ps /list -of -published -workshop -proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2407-2015-11-12-ws-155-encryption-and-anonymity-rights-and-risks-workshop-room-1

Video link available here https://www.youtube.com/watch?v=hUrBP4PsfJo

IV. Chalmers & Associates organised a session on A Dialogue on Zero Rating and Network Neutrality at the Main Meeting Hall from 2:00 pm to 4:00 pm on 12 November, 2015. The Dialogue provided access to expert insight on zero-rating and a full spectrum of diverse views on this issue. The Dialogue also explored alternative approaches to zero rating such as use of community networks. Pranesh Prakash provided a detailed explanation of harms and benefits related to different approaches to zero-rating. The panellists for this session were the following.

Jochai Ben-Avie, Senior Global Policy Manager, Mozilla, USA
Igor Vilas Boas de Freitas, Commissioner, ANATEL, Brazil
Dušan Caf, Chairman, Electronic Communications Council, Republic of Slovenia
Silvia Elaluf-Calderwood, Research Fellow, London School of Economics, UK/Peru
Belinda Exelby, Director, Institutional Relations, GSMA, UK
Helani Galpaya, CEO, LIRNEasia, Sri Lanka
Anka Kovacs, Director, Internet Democracy Project, India
Kevin Martin, VP, Mobile and Global Access Policy, Facebook, USA
Pranesh Prakash, Policy Director, CIS India
Steve Song, Founder, Village Telco, South Africa/Canada
Dhanaraj Thakur, Research Manager, Alliance for Affordable Internet, USA/West Indies
Christopher Yoo, Professor of Law, Communication, and Computer & Information Science, University of Pennsylvania, USA

Detailed description of the workshop is available here http://www.intgovforum.org/cms/igf2015-main-sessions

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2457-2015-11-12-a-dialogue-on-zero-rating-and-network-neutrality-main-meeting-hall-2

V. The Internet & Jurisdiction Project organised a workshop on Transnational Due Process: A Case Study in MS Cooperation at Workshop Room 4 from 11:00 am to 12:00 pm on 13 November, 2015. The workshop discussion focused on the challenges in developing an enforcement framework for the internet that guarantees transnational due process and legal interoperability. The discussion also focused on innovative approaches to multi-stakeholder cooperation such as issue-based networks, inter-sessional work methods and transnational policy standards. The panellists for this discussion were the following.

Anne Carblanc Head of Division, Directorate for Science, Technology and Industry, OECD
Eileen Donahoe Director Global Affairs, Human Rights Watch
Byron Holland President and CEO, CIRA (Canadian ccTLD)
Christopher Painter Coordinator for Cyber Issues, US Department of State
Sunil Abraham Executive Director, CIS India
Alice Munyua Lead dotAfrica Initiative and GAC representative, African Union Commission
Will Hudsen Senior Advisor for International Policy, Google
Dunja Mijatovic Representative on Freedom of the Media, OSCE
Thomas Fitschen Director for the United Nations, for International Cooperation against Terrorism and for Cyber Foreign Policy, German Federal Foreign Office
Hartmut Glaser Executive Secretary, Brazilian Internet Steering Committee
Matt Perault, Head of Policy Development Facebook

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2475-2015-11-13-ws-132-transnational-due-process-a-case-study-in-ms-cooperation-workshop-room-4

Video link Transnational Due Process: A Case Study in MS Cooperation available here https://www.youtube.com/watch?v=M9jVovhQhd0

VI. The Internet Governance Project organised a meeting of the Dynamic Coalition on Accountability of Internet Governance Venues at Workshop Room 2 from 14:00 – 15:30 on 12 November, 2015. The coalition brought together panelists to highlight the challenges in developing an accountability framework for internet governance venues that include setting up standards and developing a set of concrete criteria. Jyoti Panday provided the perspective of civil society on why acountability is necessary in internet governance processes and organizations. The panelists for this workshop included the following.

Robin Gross, IP Justice
Jeanette Hofmann, Director Alexander von Humboldt Institute for Internet and Society
Farzaneh Badiei, Internet Governance Project
Erika Mann, Managing Director Public PolicyPolicy Facebook and Board of Directors ICANN
Paul Wilson, APNIC
Izumi Okutani, Japan Network Information Center (JPNIC)
Keith Drazek , Verisign
Jyoti Panday, CIS
Jorge Cancio, GAC representative

Detailed description of the workshop is available here http://igf2015.sched.org/event/4c23/dynamic-coalition-on-accountability-of-internet-governance-venues?iframe=no&w=&sidebar=yes&bg=no

Video link https://www.youtube.com/watch?v=UIxyGhnch7w

VII. Digital Infrastructure Netherlands Foundation organized an open forum at Workshop Room 3 from 11:00 – 12:00 on 10 November, 2015. The open forum discussed the increase in government engagement with “the internet” to protect their citizens against crime and abuse and to protect economic interests and critical infrastructures. It brought together panelists topresent ideas about an agenda for the international protection of ‘the public core of the internet’ and to collect and discuss ideas for the formulation of norms and principles and for the identification of practical steps towards that goal. Pranesh Prakash participated in the e open forum. Other speakers included

Bastiaan Goslings AMS-IX, NL
Pranesh Prakash CIS, India
Marilia Maciel (FGV, Brasil
Dennis Broeders (NL Scientific Council for Government Policy)

Detailed description of the open forum is available here http://schd.ws/hosted_files/igf2015/3d/DINL_IGF_Open%20Forum_The_public_core_of_the_internet.pdf

Video link available here https://www.youtube.com/watch?v=joPQaMQasDQ

VIII. UNESCO, Council of Europe, Oxford University, Office of the High Commissioner on Human Rights, Google, Internet Society organised a workshop on hate speech and youth radicalisation at Room 9 on Thursday, November 12. UNESCO shared the initial outcome from its commissioned research on online hate speech including practical recommendations on combating against online hate speech through understanding the challenges, mobilizing civil society, lobbying private sectors and intermediaries and educating individuals with media and information literacy. The workshop also discussed how to help empower youth to address online radicalization and extremism, and realize their aspirations to contribute to a more peaceful and sustainable world. Sunil Abraham provided his inputs. Other speakers include

1. Chaired by Ms Lidia Brito, Director for UNESCO Office in Montevideo

2.Frank La Rue, Former Special Rapporteur on Freedom of Expression

3. Lillian Nalwoga, President ISOC Uganda and rep CIPESA, Technical community

4. Bridget O’Loughlin, CoE, IGO

5. Gabrielle Guillemin, Article 19

6. Iyad Kallas, Radio Souriali

7. Sunil Abraham executive director of Center for Internet and Society, Bangalore, India

8. Eve Salomon, global Chairman of the Regulatory Board of RICS

9. Javier Lesaca Esquiroz, University of Navarra

10. Representative GNI

11. Remote Moderator: Xianhong Hu, UNESCO

12. Rapporteur: Guilherme Canela De Souza Godoi, UNESCO

Detailed description of the workshop is available here http://igf2015.sched.org/event/4c1X/ws-128-mitigate-online-hate-speech-and-youth-radicalisation?iframe=no&w=&sidebar=yes&bg=no

Video link to the panel is available here https://www.youtube.com/watch?v=eIO1z4EjRG0

INTERMEDIARY LIABILITY

IX. Electronic Frontier Foundation, Centre for Internet Society India, Open Net Korea and Article 19 collaborated to organize a workshop on the Manila Principles on Intermediary Liability at Workshop Room 9 from 11:00 am to 12:00 pm on 13 November 2015. The workshop elaborated on the Manila Principles, a high level principle framework of best practices and safeguards for content restriction practices and addressing liability for intermediaries for third party content. The workshop saw particpants engaged in over lapping projects considering restriction practices coming togetehr to give feedback and highlight recent developments across liability regimes. Jyoti Panday laid down the key details of the Manila Principles framework in this session. The panelists for this workshop included the following.

Kelly Kim Open Net Korea,
Jyoti Panday, CIS India,
Gabrielle Guillemin, Article 19,
Rebecca McKinnon on behalf of UNESCO
Giancarlo Frosio, Center for Internet and Society, Stanford Law School
Nicolo Zingales, Tilburg University
Will Hudson, Google

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2423-2015-11-13-ws-242-the-manila-principles-on-intermediary-liability-workshop-room-9

Video link available here https://www.youtube.com/watch?v=kFLmzxXodjs

ACCESSIBILITY

X. Dynamic Coalition on Accessibility and Disability and Global Initiative for Inclusive ICTs organised a workshop on Empowering the Next Billion by Improving Accessibility at Workshop Room 6 from 9:00 am to 10:30 am on 13 November, 2015. The discussion focused on the need and ways to remove accessibility barriers which prevent over one billion potential users to benefit from the Internet, including for essential services. Sunil Abraham specifically spoke about the lack of compliance of existing ICT infrastructure with well established accessibility standards specifically relating to accessibility barriers in the disaster management process. He discussed the barriers faced by persons with physical or psychosocial disabilities. The panelists for this discussion were the following.

Francesca Cesa Bianchi, G3ICT
Cid Torquato, Government of Brazil
Carlos Lauria, Microsoft Brazil
Sunil Abraham, CIS India
Derrick L. Cogburn, Institute on Disability and Public Policy (IDPP) for the ASEAN(Association of Southeast Asian Nations) Region
Fernando H. F. Botelho, F123 Consulting
Gunela Astbrink, GSA InfoComm

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2438-2015-11-13-ws-253-empowering-the-next-billion-by-improving-accessibility-workshop-room-3

Video Link Empowering the next billion by improving accessibility https://www.youtube.com/watch?v=7RZlWvJAXxs

OPENNESS

XI. A workshop on FOSS & a Free, Open Internet: Synergies for Development was organized at Workshop Room 7 from 2:00 pm to 3:30 pm on 13 November, 2015. The discussion was focused on the increasing risk to openness of the internet and the ability of present & future generations to use technology to improve their lives. The panel shred different perspectives about the future co-development of FOSS and a free, open Internet; the threats that are emerging; and ways for communities to surmount these. Sunil Abraham emphasised the importance of free software, open standards, open access and access to knowledge and the lack of this mandate in the draft outcome document for upcoming WSIS+10 review and called for inclusion of the same. Pranesh Prakash further contributed to the discussion by emphasizing the need for free open source software with end‑to‑end encryption and traffic level encryption based on open standards which are decentralized and work through federated networks. The panellists for this discussion were the following.

Satish Babu, Technical Community, Chair, ISOC-TRV, Kerala, India
Judy Okite, Civil Society, FOSS Foundation for Africa
Mishi Choudhary, Private Sector, Software Freedom Law Centre, New York
Fernando Botelho, Private Sector, heads F123 Systems, Brazil
Sunil Abraham, CIS India
Pranesh Prakash, CIS India
Nnenna Nwakanma- WWW.Foundation
Yves MIEZAN EZO, Open Source strategy consultant
Corinto Meffe, Advisor to the President and Directors, SERPRO, Brazil
Frank Coelho de Alcantara, Professor, Universidade Positivo, Brazil
Caroline Burle, Institutional and International Relations, W3C Brazil Office and Center of Studies on Web Technologies

Detailed description of the workshop is available here http://www.intgovforum.org/cms/workshops/list-of-published-workshop-proposals

Transcript of the workshop is available here http://www.intgovforum.org/cms/187-igf-2015/transcripts-igf-2015/2468-2015-11-13-ws10-foss-and-a-free-open-internet-synergies-for-development-workshop-room-7

Video link available here https://www.youtube.com/watch?v=lwUq0LTLnDs

For more details visit https://cis-india.org/internet-governance/blog/summary-report-internet-governance-forum-2015

Shining light into darkness: Encouraging greater transparency of government offensive practices in cyberspace

Admin — 2019-06-05T06:53:31Z

RightsCon is organizing a summit on human rights in the digital age in Tunis in June 2019. Sunil Abraham will be attending a conversation on encouraging greater transparency of government offensive practices in cyberspace on June 12.

In the plethora of different cybersecurity benchmark reports today, one is conspicuously missing. No entity has so far found a way to highlight and measure the different cyber offensive and deterrence doctrines, policies, or capabilities on a country-by-country basis. Similarly, there have been limited attempts to not only map, but monitor adherence to, international law and emerging international norms of behaviour in cyberspace.

During this session, pulled together by Microsoft, the Hewlett Foundation and Mastercard, we will explore whether there is value in developing either one or the other product, and assess how difficult they would be to realize. Would such a report encourage greater transparency of these policies and as a result drive international discussion about responsible behaviour in cyberspace? What would data would be required for it to generate a meaningful impact?

We will also examine whether there are lessons that can be learnt on the development, use, and impact of seminal benchmarking reports, such as the Global Peace Index, the Nuclear Security Index, Human Rights Watch’s World Report, and others. This gap is being examined in the light of the potential creation of a CyberPeace Institute, an independent non-profit organization to empower the global community with the knowledge and capabilities to protect civilians in cyberspace from sophisticated systemic cyber-attacks. It is envisioned that the CyberPeace Institute would perform three key functions: a) increase transparency of information on cyberattacks that are perpetrated by sophisticated actors and have significant, direct harm on civilians and civilian infrastructure; b) advance the role of international law and norms in governing the behavior of states and other actors in cyberspace; and c) deliver assistance at scale to the most vulnerable victims of qualifying cyberattacks, accelerating victims’ recovery and increasing their resilience. More information on the proposed Institute can be find in the attached overview.

The conversation will take place at RightsCon, in the Erythrean room on Wednesday, June 12 from 4:30 p.m - 5:30 p.m.

For more details visit https://cis-india.org/internet-governance/news/shining-light-into-darkness-encouraging-greater-transparency-of-government-offensive-practices-in-cyberspace

Roundtable on Enhancing Indian Cyber Security through Multi-Stakeholder Cooperation

Admin — 2018-02-01T14:04:36Z

A closed door round-table on enhancing Indian cyber security is being organized on 4 November 2017 at Indian Islamic Centre, Lodhi Road in New Delhi.

With the proliferation of digital technologies and the central role they play in national infrastructure and governance, security of systems and services is fundamental to the economic, political, and social development and success of a nation. Digital India, the National Payments Corporation of India, IndiaStack, and the Aadhaar ecosystem are just a few examples of such digital infrastructure. Yet the digital realm is increasingly becoming more complex and difficult to secure and monitor for vulnerabilities, threats, breaches, and attacks. The responsibility of identifying and monitoring such vulnerabilities can be spearheaded by designated governmental bodies like CERT-IN and NCIIPC, but for effective identification of threats and vulnerabilities, collaboration is needed across stakeholder groups including security researchers, industry, and government bodies. Transparency about breaches and attacks is also key in enabling consumer awareness and building trust with the public. Examples of such mechanisms include bug bounty programs and breach notification frameworks.

This closed door roundtable will seek to bring together government, industry, civil society, academia, and security researchers to identify different areas and tools of collaboration between stakeholders towards enhancing Indian cyber security. It will broadly focus on vulnerability identification and reporting and vulnerability/breach notification. This will include a reflection on:

Existing frameworks, forms of collaborations, policies and practices in India.
Practices, standards, certifications, and programmes adopted in other jurisdictions.
The way forward for India addressing issues like establishing trust, harmonization and communication across stakeholders and sectors, and ensuring quality and response.

RSVP: pranav@cis-india.org

Download the Invite

See the Report

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation