Centre for Internet and Society

Online Censorship: How Government should Approach Regulation of Speech

sunil — 2012-12-05T07:06:52Z

Why is there a constant brouhaha in India about online censorship? What must be done to address this?

Sunil Abraham's article was published in the Economic Times on December 2, 2012.

Of course, we must get the basics right â€” bad law has to be amended, read down by courts or repealed, and bad implementation of law should be addressed via reform and capacity building for the police. But most importantly those in power must understand how to approach the regulation of speech.

To begin with, speech is regulated across the world. Even in the US â€” contrary to popular impression in India â€” speech is regulated both online and offline.

However, law is not the basis of most of this regulation. Speech is largely regulated by social norms. Different corners of our online and offline society have quite complex forms of self-regulation.

The harm caused by speech is often proportionate to the power of the person speaking â€” it maybe unacceptable for a politician or a filmstar to make an inflammatory remark but that very same utterance from an ordinary citizen may be totally fine.

To complicate matters, the very same speech by the very same person could be harmful or harmless based on context. A newspaper editor may share obscene jokes with friends in a bar, but may not take similar liberties in an editorial.

The legal scholar Alan Dershowitz tells us, "The best answer to bad speech is good speech." More recently the quote has been amended, with "more speech" replacing "good speech".

Censorship by the state has to be reserved for the rarest of rare circumstances. This is because censorship usually results in unintended consequences.

The "Streisand Effect", named after the singer-actor Barbra Streisand, is one of these consequences wherein attempts to hide or censor information only result in wider circulation and greater publicity.

The Maharashtra police's attempt to censor the voices of two women has resulted in their speech being broadcast across the nation on social and mainstream media. If the state had instead focused on producing good speech and more speech, nobody would have even heard of these women.

Circumventing Censorship

Peer-to-peer technologies on the internet mimic the topology of human networks and can also precipitate unintended consequences when subject to regulation. John Gilmore, a respected free software developer, puts it succinctly: "The Net interprets censorship as damage and routes around it."

Most of the internet censorship in the US is due to IPR-enforcement activities. This is why Christopher Soghoian, a leading privacy activist, attributes the massive adoption of privacy-enhancing technologies such as proxies and VPNs (virtual private networks) by American consumers to the crackdown on online piracy.

In India, and even when the government has had legitimate reasons to regulate speech, there have been unintended consequences.

During the exodus of people from the North-east, the five SMS per day restriction imposed by the government resulted in another exodus from SMS to alternative messaging platforms such as BlackBerry Messenger (BBM), WhatsApp and Twitter.

In both cases the circumvention of censorship by the users has resulted in a worsening situation for law-enforcement organisations â€” VPNs and applications like WhatsApp are much more difficult to monitor and regulate.

Mixed Memes

Regulation of speech also cannot be confused with cyber war or security. Speech can occasionally have security implications but that cannot be the basis for enlightened regulation.

A cyber war expert may be tempted to think of censored content as weapons, but unlike weapons that usually remain lethal, content that can cause harm today may become completely harmless tomorrow. This is unlike a computer virus or malware. For example, during the exodus, the online edition of ET featured the complete list of 309 URLs that were in the four block orders issued by the government to ISPs.

However, this did not result in fresh harm, demonstrating the fallacy of cyber war analogies. A cyber security expert, on the other hand, may be tempted to implement a 360Â° blanket surveillance to regulate speech, but as Gilmore again puts it, "If you're watching everybody, you're watching nobody."

In short, if your answer to bad speech is more censorship, more surveillance and more regulation, then as the internet meme goes, "You're Doing It Wrong".

For more details visit https://cis-india.org/internet-governance/blog/economic-times-december-2-2012-sunil-abraham-online-censorship

Why NPCI and Facebook need urgent regulatory attention

sunil — 2018-06-12T02:07:42Z

The world’s oldest networked infrastructure, money, is increasingly dematerialising and fusing with the world’s latest networked infrastructure, the Internet.

The article was published in the Economic Times on June 10, 2018.

As the network effects compound, disruptive acceleration hurtle us towards financial utopia, or dystopia. Our fate depends on what we get right and what we get wrong with the law, code and architecture, and the market.

The Internet, unfortunately, has completely transformed from how it was first architected. From a federated, generative network based on free software and open standards, into a centralised, environment with an increasing dependency on proprietary technologies.

In countries like Myanmar, some citizens misconstrue a single social media website, Facebook, for the internet, according to LirneAsia research. India is another market where Facebook could still get its brand mistaken for access itself by some users coming online. This is Facebook put so many resources into the battle over Basics, in the run-up to India’s network neutrality regulation. an odd corporation.

On hand, its business model is what some term surveillance capitalism. On the other hand, by acquiring WhatsApp and by keeping end-toend (E2E) encryption “on”, it has ensured that one and a half billion users can concretely exercise their right to privacy. At the time of the acquisition, WhatsApp founders believed Facebook’s promise that it would never compromise on their high standards of privacy and security. But 18 months later, Facebook started harvesting data and diluting E2E.

In April this year, my colleague Ayush Rathi and I wrote in Asia Times that WhatsApp no longer deletes multimedia on download but continues to store it on its servers. Theoretically, using the very same mechanism, Facebook could also be retaining encrypted text messages and comprehensive metadata from WhatsApp users indefinitely without making this obvious.

My friend, Srikanth Lakshmanan, founder of the CashlessConsumer collective, is a keen observer of this space. He says in India, “we are seeing an increasing push towards a bank-led model, thanks to National Payments Corporation of India (NPCI) and its control over Unified Payments Interface (UPI), which is also known as the cashless layer of the India Stack.”

NPCI is best understood as a shape shifter. Arundhati Ramanathan puts it best when she says “depending on the time and context, NPCI is a competitor. It is a platform. It is a regulator. It is an industry association. It is a profitable non-profit. It is a rule maker. It is a judge. It is a bystander.”

This results in UPI becoming, what Lakshmanan calls, a NPCI-club-good rather than a new generation digital public good. He also points out that NPCI has an additional challenge of opacity — “it doesn’t provide any metrics on transaction failures, and being a private body, is not subject to proactive or reactive disclosure requirements under the RTI.”

Technically, he says, UPI increases fragility in our financial ecosystem since it “is a centralised data maximisation network where NPCI will always have the superset of data.” Given that NPCI has opted for a bank-led model in India, it is very unlikely that Facebook able to leverage its monopoly the social media market duopoly it shares with in the digital advertising market to become a digital payments monopoly.

However, NCPI and Facebook both share the following traits — one, an insatiable appetite for personal information; two, a fetish for hypercentralisation; three, a marginal commitment to transparency, and four, poor track record as a custodian of consumer trust. The marriage between these like-minded entities has already had a dubious beginning.

Previously, every financial technology wanting direct access to the NPCI infrastructure had to have a tie-up with a bank. But for Facebook and Google, as they are large players, it was decided to introduce a multi-bank model. This was definitely the right thing to do from a competition perspective. But, unfortunately, the marriage between the banks and the internet giant was arranged by NPCI in an opaque process and WhatsApp was exempted from the full NPCI certification process for its beta launch.

Both NPCI and Facebook need urgent regulatory attention. A modern data protection law and a more proactive competition regulator is required for Facebook. The NPCI will hopefully also be subjected to the upcoming data protection law. But it also requires a range of design, policy and governance fixes to ensure greater privacy and security via data minimisation and decentralisation; greater accountability and transparency to the public; separation of powers for better governance and open access policies to prevent anti-competitive behaviour.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-june-10-2018-sunil-abraham-why-npci-and-facebook-need-urgent-regulatory-attention

Photocopying the past

sunil — 2011-09-25T20:06:50Z

There is no single correct position when it comes to intellectual property or IP. In fact, there are at least five correct positions that you could possibly adopt based on who you are — a pro-creator position, a pro-entrepreneur position, a pro-government position, a pro-consumer position and a public interest position.

Therefore, before you progress any further, dear reader, you have to first decide which of the above you are. If you are an average Indian, then you are almost certainly a consumer or a member of the general public. Next, it would only be fair for me to tell you when I am coming from: I work for a policy research organisation that focuses on protecting consumer and public interest in the digital era. Before I proceed any further, also note that not all creators prefer profits to public adulation and therefore creators’ interests are not necessarily always opposed to consumer and public interest.

At this point, popular imagination is captivated by meta-regulation, issues of corruption and transparency. Few seem interested in the configuration details of property regimes that we are all implicated in: tangible property, capital and, in our increasingly dematerialised world, intangible property such as IP or spectrum. Unfortunately the complications of spectrum, banking and IP make our eyes glaze over and there is almost zero attention being paid to the copyright act amendment to be discussed in Parliament this week.

For the government, achieving a compromise is the primary objective, and then, perhaps a distant second, raising taxes. This is not a static compromise, since each generation of new technologies precipitates a new round of negotiations between the stakeholders. So while it is easy to be Anna Hazare, it is difficult to be Kapil Sibal. An optimal compromise position as in the world of capital and tangible property protects the production, circulation and consumption of IP. A sub-optimal position results in practices that are in conflict with policy — anti-competitive behaviour or infringement.

Unfortunately when it comes to evidence-based policy-making, there is little funding for public interest IP research in India and the pockets of the lobbyists of rights-holders are deep. The funded research that they tout claims that government loses significant taxes because of piracy or non-maximalist IP policies. Yet rights-holders, especially multinationals in the software business, are experts at tax avoidance through techniques with names like the “Double Irish” and the “Dutch Sandwich”.

Like any compromise, the latest amendment is a mixed bag for consumers and the general public. With regard to “digital rights management,” — or what consumers’ advocates refer to as “digital restrictions management” — the government has yielded to the TRIPS-plus agenda even though it is not a signatory to the WIPO Internet treaties. And with regard to the exception for the disabled, the Indian exception is both disability- and works-neutral making it much more robust when compared to the treaty for the visually impaired currently being discussed at the WIPO.

However, one particular compromise — the volte-face on Section 2 (m) on parallel imports of books — is particularly distressing for book-lovers and students. As part of the latest amendment, this new section was introduced in 2009. The standing committee report gave the section a thumbs-up, but strangely it has gone missing in the latest version of the bill circulated to the MPs in preparation for the Rajya Sabha debate this Friday.

Section 2 (m) is a provision that would have saved us from the uncertainty created by what some consider flawed jurisprudence around parallel importation of copyrighted works. As the standing committee report on the copyright amendment puts it, “nobody can deny the fact that the interests of students will be best protected if they have access to the latest editions of the books.” To date, I have never met an IIT or IIM graduate untainted by photocopied books. I would claim that the lack of quality education in our country is still at the level of an epidemic. The indigenous publication industry has benefited from our progressive copyright regime.

Wouldn’t it be appropriate to afford them maximum flexibility in a future rife with technological shifts? Are all the books that you wish to read available in the libraries and book shops you have access to? Have you ever been forced to photocopy a book because of time constraints? Would you like to see greater choice via increased free-market competition, and reduced state-sanctioned monopolies and enforcement? Does your definition of human rights include the “right to education” and the the “right to entertainment”? Shouldn’t the disabled in India benefit from the $500 million spent each year making books accessible in the US? And finally, shouldn’t a nation providing leadership to the development agenda at WIPO, walk the talk at home? If your answer to any of these questions is yes, you should demand that people are placed before the profits of foreign publishers.

This article by Sunil Abraham, Executive Director, Centre for Internet and Society was published in the Indian Express on 2 September 2011 in the Indian Express. Please read the original article here.

For more details visit https://cis-india.org/a2k/blogs/photocopying-the-past

Distinguished Fellows

sunil — 2020-07-27T12:50:59Z

Prof. Subbiah Arunachalam is based in Chennai. Rishab Aiyer Ghosh is based at UNU-MERIT at Maastricht. Hans Varghese Mathews is based in Bangalore. Shyam Ponappa is based in New Delhi. Prof. Tejaswini Niranjana is based in Bangalore and Mumbai.

Hans Varghese Mathews

Prof. Subbiah Arunachalam (known to friends as Arun) started his career as a research chemist, but found his calling in information science. In the past four decades, he has been a student of chemistry, a laboratory researcher (at the Central Electrochemical Research Institute and the Indian Institute of Science), an editor of scientific journals (at the Publications and Information Directorate of the Council for Scientific and Industrial Research and the Indian Academy of Sciences), the secretary of a scholarly academy of sciences (IASc), a teacher of information science (at the Indian National Scientific Documentation Centre), and a development researcher (at the M.S. Swaminathan Research Foundation and the Indian Institute of Technology Madras). While working with M.S. Swaminathan Research Foundation, he initiated the South-South Exchange Traveling Workshop to facilitate hands on cross-cultural learning for knowledge workers from Africa, Asia and Latin America engaged in ICT-enabled development.

Arun is on the editorial boards of six international refereed journals including Journal of Information Science, Scientometrics, and Journal of Community Informatics; a member of the international advisory board of IICD, The Hague, a trustee of the Electronic Publishing Trust for Development, and a Trustee of the Voicing the Voiceless Foundation. Improving information access both for scientists and for the rural poor; scientometrics, ICT-enabled development and open access are among his current research interests.

Rishab Aiyer Ghosh is a researcher based in Maastricht. He is an Open Source Initiative board member, the founding international and managing editor of the peer-reviewed journal First Monday, and the Programme Leader of FLOSS at UNU-MERIT. He has undertaken several global, high-profile studies on Free Software. He is a jury member for Global Bangemann Challenge (now Stockholm Challenge Award), a prestigious prize awarded to IT projects with socio-economic impact by the mayor of Stockholm and founder member of the GII Internet Commerce Brain Trust. From 1995–1999, Rishab has worked as an editor at The Indian Techonomist, an analytical newsletter on Indian media and communications targeted at a global audience, an analyst and newsletter contributor for US-based Paul Kagan Associates, and a weekly columnist on Internet society (Electric Dreams). He still writes regularly, with over half a million words published in journals, newspapers and magazines worldwide, from PC Quest India to Wired Magazine, USA. From 2008, he heads the Collaborative Creativity Group at UNU-MERIT.

Shyam Ponappa is a Distinguished Fellow whose work is in the areas of broadband, telecommunications, and spectrum policy, from management, systems, and technology perspectives.

Beginning his career at the State Bank of India, he was a Senior Manager, Management Consulting Services, at Price Waterhouse in San Francisco, M&A Head for Citibank in India, and thereafter managed a partnership doing alliances, business strategy, and financial placements in New Delhi for major international and domestic clients. Subsequently, he was an independent consultant in India and abroad. His experience is in financial placements, M&A, and business strategy for clients in IT, telecommunications, power, oil/energy, airlines, biotechnology, banking/financial services, hotels, shipping, railroads, manufacturing, agri-business, law firms, and retail enterprises.

He has advised the government on public policy since 1990, primarily in telecommunications. As a columnist for the Business Standard, he writes on infrastructure and managing economic reforms (http://organizing-india.blogspot.com). He has an MBA from the University of California at Berkeley, an MA (History) and a BSc (Physics) from Madras Christian College."

Tejaswini Niranjana is presently a Senior Fellow at the Centre for the Study of Culture and Society (CSCS), Bangalore, and Visiting Professor at Tata Institute of Social Sciences (TISS), Mumbai.

At CSCS (www.cscs.res.in), Tejaswini helped set up in 2001 an inter-disciplinary doctoral programme in Cultural Studies, and many of her Ph.D. students have brought Indian language materials into their research and writing. At TISS (www.tiss.edu), Tejaswini is incubating the Centre for Indian languages in Higher Education, which will anchor a multi-institutional programme for Indian languages in higher education, including production of new resources, curriculum strengthening, research training, digitisation and archiving. On the anvil is the creation at TISS of a digital hub for Indian language resources for tertiary education.

She is also Lead Researcher of the Higher Education Innovation and Research Applications (HEIRA) Programme at CSCS (http://heira.in). HEIRA works towards sectoral transformation in higher education, working with private and public institutions to design and field-test new methods for curriculum development, teacher training and institutional change at the undergraduate and post-graduate levels. Tejaswini is co-author of a policy note on quality education in Indian languages, the recommendations of which are now part of the final 12^th Plan document (http://www.ugc.ac.in/ugcpdf/740315_12FYP.pdf).

Select publications are available from cscs.academia.edu. Her best-known book is Siting Translation: History, Post-structuralism and the Colonial Context (Berkeley: University of California Press, 1992). More recently, she published Mobilizing India: Women, Music and Migration across India and Trinidad (Durham: Duke University Press, 2006).

Tejaswini is the Adviser (since February 2013) to the 'Access to Knowledge' programme of CIS and will guide the A2K team in expanding the Indian language Wikipedias and in increasing the number of active editors through strategic partnerships with Higher Education institutions across India.

For more details visit https://cis-india.org/about/people/distinguished-fellows

Members

sunil — 2009-06-19T14:16:51Z

The members of the Society registered under Karnataka Societies Act are Vibodh Parthasarathi, Atul Ramachandra, Achal Prabhala, Lawrence Liang, Subbiah Arunachalam, Nishant Shah, and Sunil Abraham.

Vibodh Parthasarathi

Vibodh Parthasarathi maintains a multidisciplinary interest in the creative industries, cross-national communication policy, business history of the media and governance of media infrastructure. Currently at the Centre for Culture, Media & Governance, Jamia Millia Islamia, he has held positions at the Centre for Jawaharlal Nehru Studies, also at Jamia, Centre for Co-operative Research in Social Sciences, and Manipal Institute of Communication. He is the co-editor of L’idiot du Village Mondial (Editions Luc Pire/ECLM, 2004), Media and Mediation (Sage, 2005) and The Social and the Symbolic (Sage, 2007). His work has attracted support variously from the India Foundation for the Arts, Netherlands Fellowship Programme, Charles Leopold Mayer Foundation, Prince Klaus Fund, Charles Wallace India Trust and Commonwealth Fund for Technical Co-operation. Periodically on assignments in business development and television production with the media industry, his last documentary Crosscurrents: A Fijian Travelogue (2001) explored the underbelly of ‘reconciliation’ following a decade of military coups in Fiji. Vibodh’s nominations include Non Executive Director, Kadam Films Ltd. (New Delhi); Independent Director, Centre for Social Ecology (Jaipur); Founding International Member, Intercultural Library for the Future (Paris); Associate, South Asian Poverty Network Association (Colombo); and, Member, Academic Council, Institute of Social Studies (The Hague).

Atul Ramachandra

Atul Ramachandra has a background in New Media having worked for 8 years with Explocity, a News Corp company, joining them at the set-up of their expansion with VC funding, looking after operations, budget control, management and selection of technology and technology providers with an accent on open source platforms. He completed his stint at Explocity as VP - Digital, having been in charge of developing new digital media products for the Internet and Mobile phones.

He is currently Project Director setting up a self-sustaining news and information service on mobile phones, for the urban slums of Kolkata. The project is funded by the European Commission through a grant to Internews Europe, a non-profit International news agency. Prior to this, he has over a decade of experience in the solar and renewable energy sector and has worked on product development and technical marketing. A graduate in applied physics (5 year MS) from IIT Delhi (1981), Atul specialised in Solar Energy and he has 3 years of post-graduate work at Southern Illinois University at Carbondale, USA. His interests are product development and innovation, new trends in technology and web enabling of products and services. He continues to be interested in the area of new and renewable energy sources and new applications powered by them and technology for the supply of potable water powered by solar energy.

Achal Prabhala

Achal Prabhala is a writer and researcher based in Bangalore. He works primarily on intellectual property; previously, he worked in media, mainly in television and print. From 2004-2006, he coordinated the Access to Learning Materials Project in Southern Africa from Johannesburg. He works on aspects of patent and copyright systems, in relation to access to medicines and access to knowledge. Some representative publications by him include Battling HIV/AIDS – A Decision Maker's Guide to the Procurement of Medicines and Related Supplies, Intellectual Property, Education and Access to Knowledge in Southern Africa, Response to Indian Copyright Law Amendment, and Reconsidering the Pirate Nation: Notes from South Africa and India.

For more details visit https://cis-india.org/about/people/members

People

sunil — 2011-12-04T15:26:14Z

For more details visit https://cis-india.org/about/people

Anonymity and Privacy

sunil — 2009-01-26T09:42:08Z

Context

The first two waves of cyberculture celebrated the anonymous conditions within which the different actors in interaction were introjected in different practices online. There was a significant attention given to the nature of presence, absence, being, and the schism between the corporeal and the digital bodies and reality.

However, with an increased amount of State regulation, governance and attention to the nature of life on the screen, the condition of anonymity has quickly been replaced by a condition of pseudonymity. The pseudonymous structures within cyberspace offer a world of role-playing, fantasising and narrativisation that, while still effective, are no longer merely in the domains of the aesthetic or the performative but enter serious domains of legislation, regulation, control, and politics.

New modes of sanitising the behaviour of users online and the construction of the ethical techno-social subject have led on one hand to some very disturbing behaviour on the part of powerful agencies, and to strong political mobilisation and the advent of the public sphere on the other. As the market, the State and the public all inflect users to reiterate their physical boundaries and geo-political status, it becomes interesting to see what role anonymity still has to play online and what is the political investment in being pseudonymous online.

Research Agenda

With the increasing regulation of cyberspaces, are anonymous spaces being lost, and with them, the voices and the people that belonged to these spaces?
How do we sustain the paradox of safety in recognition on one hand and the safety in being invisible on the other?
Is the question of anonymity universal across different kinds of cyberspaces? With occurrences like the ‘Orkut Deaths’ and the ‘National Emblems Defamation’ cases on the one hand and the construction of cyber-terrorism on the other, do we need to delve deeper into what it means to be anonymous online and the negotiations that one enters into when role-playing online?
The debates around anonymity often create an artificial distinction between the physical and the digital worlds, treating one as more authentic than the other. This aesthetic paradigm further enters debates around piracy, copying and the digital media. How do questions of authenticity and the construction of an ethical subject intersect with the debates around anonymity?
How does anonymity enable the demonisation of various cyberspatial practices? What are the kind of public education systems which should be in place so that we can find safety and freedom (often antithetical to each other) in cyberspaces without excessive control and regulation?
If anonymity is an inescapable condition of being online, how does it affect new forms of behaviour and community formations that we see in the contemporary urban?

For more details visit https://cis-india.org/about/substantive-areas/new-pedagogies/anonymity-and-privacy

Substantive Areas

sunil — 2011-12-04T15:26:47Z

For more details visit https://cis-india.org/about/substantive-areas

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Anonymity in Cyberspace

sunil — 2015-09-09T01:31:03Z

While security threats require one to be identified in the Cyberspace, on the other hand, the need for privacy and freedom of speech without being targeted, calls for providing means for anonymous browsing and ability to express without being identified. Where do we draw the line , and how do we balance it? The group will dwell on need for anonymity in various sectors such as government, commercial, employers etc. Apart from security & privacy, the presentation will also cover social and technological perspectives.

For more details visit https://cis-india.org/internet-governance/blog/anonymity-in-cyberspace

Bangalore Chapter Meet of DSCI

sunil — 2015-09-09T01:40:56Z

The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.

After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.

Speakers

The first speaker will be Melissa Hathaway, Commissioner, Global Commission for Internet Governance. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "Connected Choices".

The second speaker will be Sunil Abraham, Executive Director, CIS (Center for internet & Society). Sunil is a renowned thought leader when it comes to internet governance, cyber space & its interface with civil society and actively contributes to DSCI and other forums. He will be presenting on "Anonymity in Cyberspace" - the SIG that he led over last 8 months along with a diverse group of members from the industry in Bangalore.

Agenda

Time	Topic
2.30 p.m. - 2.45 p.m.	Recent Developments and Updates from DSCI
2.45 p.m. - 4.00 p.m.	Srinivas P. (Anchor): DSCI Bangalore Chapter
4.00 p.m. - 5.00 p.m.	Melissa Hathaway: Connected Choices
5.00 p.m. - 5.30 p.m.	Sunil Abraham: Anonymity in Cyberspace

This will be followed by High Tea & Networking.

For participation, please send your email confirmation to Rajesh of Infosys at Rajesh_K18@infosys.com

Since seats are limited, the participation will be restricted to first 50 confirmations. We had to organize it on a Saturday, due to Melissa’s availability – I’m sure many of you who know about her as expert security speaker, will not see weekend as a constraint to attend. Look forward to meeting you at CIS.

For more details visit https://cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015

India’s digital check

sunil — 2015-09-15T14:55:47Z

All nine pillars of Digital India directly correlate with policy research conducted at the Centre for Internet and Society, where I have worked for the last seven years. This allows our research outputs to speak directly to the priorities of the government when it comes to digital transformation.

The article was originally published by DNA on July 8, 2015.

Broadband Highways and Universal Access to Mobile Connectivity: The first two pillars have been combined in this paragraph because they both require spectrum policy and governance fixes. Shyam Ponappa, a distinguished fellow at our Centre calls for the leveraging of shared spectrum and also shared backhaul infrastructure. Plurality in spectrum management, for eg, unlicensed spectrum should be promoted for accelerating backhaul or last mile connectivity, and also for community or local government broadband efforts. Other ideas that have been considered by Ponappa include getting state owned telcos to exit completely from the last mile and only focus on running an open access backhaul through Bharat Broadband Limited. Network neutrality regulations are also required to mitigate free speech, diversity and competition harms as ISPs and TSPs innovate with business models such as zero-rating.

Public Internet Access Programme: Continuing investments into Common Service Centres (CSCs) for almost a decade may be questionable and therefore a citizen’s audit should be undertaken to determine how the programme may be redesigned. The reinventing of post offices is very welcome, however public libraries are also in need urgent reinventing. CSCs, post offices and public libraries should all leverage long range WiFi for Internet and intranet, empowering BYOD [Bring Your Own Device] users. Applications will take time to develop and therefore immediate emphasis should be on locally caching Indic language content. State Public Library Acts need to be amended to allow for borrowing of digital content. Flat-fee licensing regimes must be explored to increase access to knowledge and culture. Commons-based peer production efforts like Wikipedia and Wikisource need to be encouraged.

e-Governance: Reforming Government through Technology: DeitY, under the leadership of free software advocate Secretary RS Sharma, has accelerated adoption and implementation of policies supporting non-proprietary approaches to intellectual property in e-governance. Policies exist and are being implemented for free and open source software, open standards and electronic accessibility for the disabled. The proprietary software lobby headed by Microsoft and industry associations like NASSCOM have tried to undermine these policies but have failed so far.

The government should continue to resist such pressures. Universal adoption of electronic signatures within government so that there is a proper audit trail for all communications and transactions should be made an immediate priority. Adherence to globally accepted data protection principles such as minimisation via “form simplification and field reduction” for Digital India should be applauded. But on the other hand the mandatory requirement of Aadhaar for DigiLocker and eSign amounts to contempt of the Supreme Court order in this regard.

e-Kranti — Electronic Delivery of Services: The 41 mission mode projects listed are within the top-down planning paradigm with a high risk of failure — the funds reserved for these projects should instead be converted into incentives for those public, private and public private partnerships that accelerate adoption of e-governance. The dependency on the National Informatics Centre (NIC) for implementation of e-governance needs to be reduced, SMEs need to be able to participate in the development of e-governance applications. The funds allocated for this area to DeitY have also produced a draft bill for Electronic Services Delivery. This bill was supposed to give RTI-like teeth to e-governance service by requiring each government department and ministry to publish service level agreements [SLAs] for each of their services and prescribing punitive action for responsible institutions and individuals when there was no compliance with the SLAs.

Information for All: The open data community and the Right to Information movement in India are not happy with the rate of implementation of National Data Sharing and Accessibility Policy (NDSAP). Many of the datasets on the Open Data Portal are of low value to citizens and cannot be leveraged commercially by enterprise. Publication of high-value datasets needs to be expedited by amending the proactive disclosure section of the Right to Information Act 2005.

Electronics Manufacturing: Mobile patent wars have begun in India with seven big ticket cases filed at the Delhi High Court. Our Centre has written an open letter to the previous minister for HRD and the current PM requesting them to establish a device level patent pool with a compulsory license of 5%. Thereby replicating India’s success at becoming the pharmacy of the developing world and becoming the lead provider of generic medicines through enabling patent policy established in the 1970s. In a forthcoming paper with Prof Jorge Contreras, my colleague Rohini Lakshané will map around fifty thousand patents associated with mobile technologies. We estimate around a billion USD being collected in royalties for the rights-holders whilst eliminating legal uncertainties for manufacturers of mobile technologies.

IT for Jobs: Centralised, top-down, government run human resource development programmes are not useful. Instead the government needs to focus on curriculum reform and restructuring of the education system. Mandatory introduction of free and open source software will give Indian students the opportunity to learn by reading world-class software. They will then grow up to become computer scientists rather than computer operators. All projects at academic institutions should be contributions to existing free software projects — these projects could be global or national, for eg, a local government’s e-governance application. The budget allocated for this pillar should instead be used to incentivise research by giving micro-grants and prizes to those students who make key software contributions or publish in peer-reviewed academic journals or participate in competitions. This would be a more systemic approach to dealing with the skills and knowledge deficit amongst Indian software professionals.

Early Harvest Programmes: Many of the ideas here are very important. For example, secure email for government officials — if this was developed and deployed in a decentralised manner it would prevent future surveillance of the Indian government by the NSA. But a few of the other low-hanging fruit identified here don’t really contribute to governance. For example, biometric attendance for bureaucrats is just glorified bean-counting — it does not really contribute to more accountability, transparency or better governance.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation that has zero-rating alliances with telecom operators in many countries across the world

For more details visit https://cis-india.org/internet-governance/blog/dna-sunil-abraham-july-8-2015-india-digital-check

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

Lining up the data on the Srikrishna Privacy Draft Bill

sunil — 2018-07-31T02:52:23Z

In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists legal basis for nonconsensual processing of data for the “functions of the state”. What does this mean for lawabiding persons?

The article was published in Economic Times on July 30, 2018

Non-consensual processing is permitted in the bill as long it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.

Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit.
Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.

The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.

Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.

Therefore “necessary” could broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.

Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear like with the GDPR why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.

After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.

When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.

The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here is that the infringement of a fundamental right for minor offences and also the “prevention” of offences which implies processing of personal data of innocent persons.

Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all egovernance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill