Centre for Internet and Society

NASSCOM-DSCI Annual Information Security Summit 2015 - Notes

sumandro — 2016-01-19T07:58:56Z

NASSCOM-DSCI organised the 10th Annual Information Security Summit (AISS) 2015 in Delhi during December 16-17. Sumandro Chattapadhyay participated in this engaging Summit. He shares a collection of his notes and various tweets from the event.

Details about the Summit

Event page: https://www.dsci.in/events/about/2261.

Agenda: https://www.dsci.in/sites/default/files/Agenda-AISS-2015.pdf.

Notes from the Summit

Mr.G.K.Pillai ,Chairman DSCI addressing the audience @ 10th Annual Information Security Summit '15 #AISS15 pic.twitter.com/JVcwct3HSF
— DSCI (@DSCI_Connect) December 16, 2015

Mr. G. K. Pillai, Chairman of Data Security Council of India (DSCI), set the tone of the Summit at the very first hour by noting that 1) state and private industries in India are working in silos when it comes to preventing cybercrimes, 2) there is a lot of skill among young technologists and entrepreneurs, and the state and the private sectors are often unaware of this, and 3) there is serious lack of (cyber-)capacity among law enforcement agencies.

In his Inaugural Address, Dr. Arvind Gupta (Deputy National Security Advisor and Secretary, NSCS), provided a detailed overview of the emerging challenges and framework of cybersecurity in India. He focused on the following points:

#India Dy NSA Dr Arvind Gupta calls 4 #cybersecurity by #design in #ICT #AISS15 pic.twitter.com/79kq9lWGtk
— Deepak Maheshwari (@dmcorpaffair) December 16, 2015

Security is a key problem in the present era of ICTs as it is not in-built. In the upcoming IoT era, security must be built into ICT systems.
In the next billion addition to internet population, 50% will be from India. Hence cybersecurity is a big concern for India.
ICTs will play a catalytic role in achieving SDGs. Growth of internet is part of the sustainable development agenda.
We need a broad range of critical security services - big data analytics, identity management, etc.
The e-governance initiatives launched by the Indian government are critically dependent on a safe and secure internet.
Darkweb is a key facilitator of cybercrime. Globally there is a growing concern regarding the security of cyberspace.
On the other hand, there exists deep divide in access to ICTs, and also in availability of content in local languages.
The Indian government has initiated bilateral cybersecurity dialogues with various countries.
Indian government is contemplating setting up of centres of excellence in cryptography. It has already partnered with NASSCOM to develop cybersecurity guidelines for smart cities.
While India is a large global market for security technology, it also needs to be self-reliant. Indian private sector should make use of government policies and bilateral trust enjoyed by India with various developing countries in Africa and south America to develop security technology solutions, create meaningful jobs in India, and export services and software to other developing countries.
Strong research and development, and manufacturing base are absolutely necessary for India to be self-reliant in cybersecurity. DSCI should work with private sector, academia, and government to coordinate and realise this agenda.
In the line of the Climate Change Fund, we should create a cybersecurity fund, since it is a global problem.
Silos are our bane in general. Bringing government agencies together is crucial. Trust issues (between government, private sector, and users) remain, and can only be resolved over time.
The demand for cybersecurity solutions in India is so large, that there is space for everyone.
The national cybersecurity centre is being set up.
Thinktanks can play a crucial role in helping the government to develop strategies for global cybersecurity negotiations. Indian negotiators are often capacity constrained.

Rajendra Pawar, Chair of the NASSCOM Cyber Security Task Force, NASSCOM Cybersecurity Initiative, provided glimpses of the emerging business opportunity around cybersecurity in India:

In next 10 years, the IT economy in India will be USD 350 bn, and 10% of that will be the cybersecurity pie. This means a million job only in the cybersecurity space.
Academic institutes are key to creation of new ideas and hence entrepreneurs. Government and private sectors should work closely with academic institutes.

'Companies+Govt+Academia= High growth of the cybersecurity industry' - Rajendra Pawar at #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015
Globally, cybersecurity innovation and industries happen in clusters. Cities and states must come forward to create such clusters.
2/3rd of the cybersecurity market is provision of services. This is where India has a great advantage, and should build on that to become a global brand in cybersecurity services.
Everyday digital security literacy and cultures need to be created.
Publication of cybersecurity best practices among private companies is a necessity.

Corporate disclosures of breaches being considered with Nasscom under cybersec task force: Rajendra Pawar #AISS15 @DSCI_Connect @ETtech
— Neha Alawadhi (@NehaAlawadhiET) December 16, 2015
Dedicated cybersecurity spending should be made part of the e-governance budget of central and state governments.
DSCI should function as a clearing house of cybersecurity case studies. At present, thought leadership in cybersecurity comes from the criminals. By serving as a use case clearing house, DSCI will inform interested researchers about potential challenges for which solution needs to be created.

Manish Tiwary of Microsoft informed the audience that India is in the top 3 positions globally in terms of malware proliferation, and this ensures that India is a big focus for Microsoft in its global war against malware. Microsoft India looks forward to work closely with CERT-In and other government agencies.

RSA's Kartik Shahani @DSCI_Connect #AISS15 Adopt a Deep & Pervasive Level of True Visibility Everywhere pic.twitter.com/2U8J8WkWsI
— Debjani Gupta (@DebjaniGupta1) December 16, 2015

Data localization; one of the stumbling blocks that undermine investments in #cybersecurity. #AISS15 pic.twitter.com/vrff3Amcv0
— Appvigil (@appvigil_co) December 16, 2015

Trust verification 4 embedded devices isnt complex bt much desired as people lives r dependent on that-cld cause physical damage #AISS15
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

"Most compromised OS in 2k15: iOS"-Riyaz Tambe, Palo Alto Networks #AISS15
— Indira Sen (@drealcharbar) December 16, 2015

Security by default in IOS architecture tho' can't verify code as noṭ open - is it security by obscurity? #AISS15 pic.twitter.com/kbPZgH8oA0
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

The session on Catching Fraudsters had two insightful presentations from Dr. Triveni Singh, Additional SP of Special Task Force of UP Police, and Mr. Manoj Kaushik, IAS, Additional Director of FIU.

Dr. Singh noted that a key challenge faced by police today is that nobody comes to them with a case of online fraud. Most fraud businesses are run by young groups operating BPOs that steal details from individuals. There exists a huge black market of financial and personal data - often collected from financial institutions and job search sites. Almost any personal data can be bought in such markets. Further, SIM cards under fake names are very easy to buy. The fraudsters are effective using all fake identity, and is using operational infrastructures outsourced from legitimate vendors under fake names. Without a central database of all bank customers, it is very difficult for the police to track people across the financial sector. It becomes even more difficult for Indian police to get access to personal data of potential fraudsters when it is stored in a foreign server. which is often the case with usual web services and apps. Many Indian ISPs do not keep IP history data systematically, or do not have the technical expertise to share it in a structured and time-sensitive way.

Mr. Triveni Singh talks about raiding fake call centres in Delhi NCR that scam millions every year #AISS15 pic.twitter.com/EmE4y3jux2
— pradyumn nand (@PradyumnNand) December 16, 2015

Mr. Kaushik explained that no financial fraud is uniquely committed via internet. Many fraud begin with internet but eventually involve physical fraudulent money transaction. Credit/debit card frauds all involve card data theft via various internet-based and physical methods. However, cybercrime is continued to be mistakenly seen as frauds undertaken completely online. Further, mobile-based frauds are yet another category. Almost all apps we use are compromised, or store transaction history in an insecure way, which reveals such data to hackers. FIU is targeting bank accounts to which fraud money is going, and closing them down. Catching the people behind these bank accounts is much more difficult, as account loaning has become a common practice - where valid accounts are loaned out for a small amount of money to fraudsters who return the account after taking out the fraudulent money. Better information sharing between private sector and government will make catching fraudsters easier.

@AkhileshTuteja With data overload and big data being prevalent are we considering privacy elements #AISS15 #KpmgIndiaCyber
— Atul Gupta (@AtulGup15843145) December 16, 2015

'Tech solns today designed to protect security - solns for privacy need to evolve'- @Mayurakshi_Ray #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

In-house tools important but community collaboration critical to fight security threats @tata_comm #AISS15 pic.twitter.com/ZjbCnaROXC
— aparna (@aparnag14) December 16, 2015

'Orgns in India have a long way to go b4 they internalise privacy principles' Subhash S, CISO ICICI #AISS15 @DSCI_Connect
— Shivangi Nadkarni (@shivanginadkarn) December 16, 2015

Prof PK giving an interesting brief on Academia role in Cyber Security. @ponguru @DSCI_Connect at #AISS15 pic.twitter.com/MEiO6sCJwu
— Vikas Yadav (@VikasSYadav) December 16, 2015

Potential for interaction between Academia, Government and Industry but not an established reality yet. #AISS15 #MappingCyberEducation
— Indira Sen (@drealcharbar) December 16, 2015

I have figured out why information security is not in any boardroom discussions. Cause there are no good speakers / orators . #AISS15
— Virag Thakkar (@viragthakkar) December 16, 2015

The session on Smart Cities focused on discussing the actual cities coming up India, and the security challenges highlighted by them. There was a presentation on Mahindra World City being built near Jaipur. Presenters talked about the need to stabilise, standardise, and securitise the unique identities of machines and sensors in a smart city context, so as to enable secured machine-to-machine communication. Since 'smartness' comes from connecting various applications and data silos together, the governance of proprietary technology and ensuring inter-operable data standards are crucial in the smart city.

As Special Purposed Vehicles are being planned to realise the smart cities, the presenters warned that finding the right CEOs for these entities will be critical for their success. Legacy processes and infrastructures (and labour unions) are a big challenge when realising smart cities. Hence, the first step towards the smart cities must be taken through connected enforcement of law, order, and social norms.

Privacy-by-design and security-by-design are necessary criteria for smart cities technologies. Along with that regular and automatic software/middleware updating of distributed systems and devices should be ensured, as well as the physical security of the actual devices and cables.

In terms of standards, security service compliance standards and those for protocols need to be established for the internet-of-things sector in India. On the other hand, there is significant interest of international vendors to serve the Indian market. All global data and cloud storage players, including Microsoft Azure cloud, are moving into India, and are working on substantial and complete data localisation efforts.

Session - Why should you hire Women Security Professionals?... Balancing gender diversity #AISS15 #DSCI_Connect pic.twitter.com/uIMfG9PvAb
— Jagan Suri (@jsuri90) December 16, 2015

gender Diversity in cybersecurity critical 4 India's future. @symantec partnered with @nasscom via 1000 women scholarships #AISS15
— Lokesh Mehra (@lokesh_mehra) December 16, 2015

Dialogue with CERT-In .. Starting 2nd Day of #AISS15 .. B J Srinath, DG, CERT @DSCI_Connect #security #privacy pic.twitter.com/cvDcrgkein
— Vinayak Godse (@godvinayak) December 17, 2015

New #problems can't b solved w old #solutions: #India CERT DG BJ Srinath #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

17 entities within #Indian #government engaged in #cybersecurity: #India CERT head #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Scope of activities by CERT in #India way more than its counterparts elsewhere #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT looks 8 prediction & #prevention #cybersecurity #emergency not just #response #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

#India CERT willing to #share #information rather than just receiving #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Savita CERTin outlines drill initiatives taken 4 preparedness-detect (protect), defend attacks wth response #AISS15 pic.twitter.com/wXrkgoLzr2
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

CERTin also offers incident predicatibility,Crisis mgmt plans, #cybersecurity assurance ladder (7 levels) besides 24 x 7 prevention #AISS15
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

#India has 7.2 million bot infected #machines: #India CERT DG Srinath #AISS15
— Deepak Maheshwari (@dmcorpaffair) December 17, 2015

Seizure & protection of electronic devices as admissible evidence (certificate u Sec 65B) imperative under Forensics investigation #AISS15
— Lokesh Mehra (@lokesh_mehra) December 17, 2015

'Law enforcement agency&corporate world must collaborate to fight cybercrime'-Atul Gupta,Partner-Risk Adv. @ #AISS15 pic.twitter.com/GwAQWhYMmK
— KPMG India (@KPMGIndia) December 17, 2015

Mr. R. Chandrasekhar, President of NASSCOM, foregrounded the recommendations made by the Cybersecurity Special Task Force of NASSCOM, in his Special Address on the second day. He noted:

There is a great opportunity to brand India as a global security R&D and services hub. Other countries are also quite interested in India becoming such a hub.
The government should set up a cybersecurity startup and innovation fund, in coordination with and working in parallel with the centres of excellence in internet-of-things (being led by DeitY) and the data science/analytics initiative (being led by DST).
There is an immediate need to create a capable workforce for the cybersecurity industry.
Cybersecurity affects everyone but there is almost no public disclosure. This leads to low public awareness and valuation of costs of cybersecurity failures. The government should instruct the Ministry of Corporate Affairs to get corporates to disclose (publicly or directly to the Ministry) security breeches.
With digital India and everyone going online, cyberspace will increasingly be prone to attacks of various kinds, and increasing scale of potential loss. Cybersecurity, hence, must be part of the core national development agenda.
The cybersecurity market in India is big enough and under-served enough for everyone to come and contribute to it.

The Keynote Address by Mr. Rajiv Singh, MD – South Asia of Entrust Datacard, and Mr. Saurabh Airi, Technical Sales Consultant of Entrust Datacard, focused on trustworthiness and security of online identities for financial transactions. They argued that all kinds of transactions require a common form factor, which can be a card or a mobile phone. The key challenge is to make the form factor unique, verified, and secure. While no programme is completely secure, it is necessary to build security into the form factor - security of both the physical and digital kind, from the substrates of the card to the encryption algorithms. Entrust and Datacard have merged in recent past to align their identity management and security transaction workflows, from physical cards to software systems for transactions. The advantages of this joint expertise have allowed them to successfully develop the National Population Register cards of India. Now, with the mobile phone emerging as a key financial transaction form factor, the challenge across the cybersecurity industry is to offer the same level of physical, digital, and network security for the mobile phone, as are provided for ATM cards and cash machines.

The following Keynote Address by Dr. Jared Ragland, Director - Policy of BSA, focused on the cybersecurity investment landscape in India and the neighbouring region. BSA, he explained, is a global trade body of software companies. All major global software companies are members of BSA. Recently, BSA has produced a study on the cybersecurity industry across 10 markets in the Asia Pacific region, titled Asia Pacific Cybersecurity Dashboard. The study provides an overview of cybersecurity policy developments in these countries, and sector-specific opportunities in the region. Dr. Ragland mentioned the following as the key building blocks of cybersecurity policy: legal foundation, establishment of operational entities, building trust and partnerships (PPP), addressing sector-specific requirements, and education and awareness. As for India, he argued that while steady steps have been taken in the cybersecurity policy space by the government, a lot remains to be done. Operationalisation of the policy is especially lacking. PPPs are happening but there is a general lack of persistent formal engagement with the private sector, especially with global software companies. There is almost no sector-specific strategy. Further, the requirement for India-specific testing of technologies, according to domestic and not global standards, is leading to entry barrier for global companies and export barrier for Indian companies. Having said that, Dr. Ragland pointed out that India's cybersecurity experience is quite representative of that of the Asia Pacific region. He noted the following as major stumbling blocks from an international industry perspective: unnecessary and unreasonable testing requirements, setting of domestic standards, and data localisations rules.

The Policy Makers' panel in #AISS15 in progress. Arvind Gupta, Head, BJP IT cell (@buzzindelhi) speaks. pic.twitter.com/9yWR0gMwf5
— Nandkumar Saravadé (@saravade) December 17, 2015

One of the final sessions of the Summit was the Public Policy Dialogue between Prof. M.V. Rajeev Gowda, Member of Parliament, Rajya Sabha, and Mr. Arvind Gupta, Head of IT Cell, BJP.

Prof. Gowda focused on the following concerns:

We often freely give up our information and rights over to owners of websites and applications on the web. We need to ask questions regarding the ownership, storage, and usage of such data.
While Section 66A of Information Technology Act started as a anti-spam rule, it has actually been used to harass people, instead of protecting them from online harassment.
The bill on DNA profiling has raised crucial privacy concerns related to this most personal data. The complexity around the issue is created by the possibility of data leakage and usage for various commercial interests.
We need to ask if western notions of privacy will work in the Indian context.
We need to move towards a cashless economy, which will not only formalise the existing informal economy but also speed up transactions nationally. We need to keep in mind that this will put a substantial demand burden on the communication infrastructure, as all transactions will happen through these.

Mr. Gupta shared his keen insights about the key public policy issues in digital India:

The journey to establish the digital as a key political agenda and strategy within BJP took him more than 6 years. He has been an entrepreneur, and will always remain one. His approached his political journey as an entrepreneur.
While we are producing numerous digitally literate citizens, the companies offering services on the internet often unknowingly acquire data about these citizens, store them, and sometimes even expose them. India perhaps produces the greatest volume of digital exhaust globally.
BJP inherited the Aadhaar national identity management platform from UPA, and has decided to integrate it deeply into its digital India architecture.
Financial and administrative transactions, especially ones undertake by and with governments, are all becoming digital and mostly Aadhaar-linked. We are not sure where all such data is going, and who all has access to such data.
Right now there is an ongoing debate about using biometric system for identification. The debate on privacy is much needed, and a privacy policy is essential to strengthen Aadhaar. We must remember that the benefits of Aadhaar clearly outweigh the risks. Greatest privacy threats today come from many other places, including simple mobile torch apps.
India is rethinking its cybersecurity capacities in a serious manner. After Paris attack it has become obvious that the state should be allowed to look into electronic communication under reasonable guidelines. The challenge is identifying the fine balance between consumers' interest on one hand, and national interest and security concerns on the other. Unfortunately, the concerns of a few is often getting amplified in popular media.
MyGov platform should be used much more effectively for public policy debates. Social media networks, like Twitter, are not the correct platforms for such debates.

#AISS15: @rajivgowda & @buzzindelhi are talking abt proactive disclosure as a key part of #cybersecurity strategy #openData @DataPortalIndia
— sumandro (@ajantriks) December 17, 2015

For more details visit https://cis-india.org/internet-governance/blog/nasscom-dsci-annual-information-security-summit-2015-notes

Mathematisation of the Urban and not Urbanisation of Mathematics: Smart Cities and the Primitive Accumulation of Data - Accepted Abstract

sumandro — 2015-11-13T05:47:13Z

"Many accounts of smart cities recognise the historical coincidence of cybernetic control and neoliberal capital. Even where it is machines which process the vast amounts of data produced by the city so much so that the ruling and managerial classes disappear from view, it is usually the logic of capital that steers the flows of data, people and things. Yet what other futures of the city may be possible within the smart city, what collective intelligence may it bring forth?" The Fibreculture Journal has accepted an abstract of mine for its upcoming issue on 'Computing the City.'

Speaking to Geert Lovink, Wolfgang Ernst explains that '[t]he coupling of machine and mathematics that enables computers occurs as a mathematization of machine, not as machinization of mathematics' [1]. In this paper, I propose that the idea of smart cities be understood not as 'urbanisation of mathematics' – as often described by industry documents, design fictions, and academic analyses – but as 'mathematisation of the urban.' By the notion of 'urbanisation of mathematics,' I indicate at those reports that conceptualise smart cities as data analytics, or civic mathematics, at an urban scale. I explain how this notion is shared by design visions of actors from the networking industry, such as IBM and Cisco, emerging academic practices in urban science and informatics, and calls for urbanising the technologies of regulation and governance, in the sense of making these technologies directly and bi-directionally interact with the urban citizens [2]. Conversely, the 'mathematisation of the urban' perspective foregrounds a specific transformation at hand in the production of urban space itself, which I argue is what is captured in the idea of smart cities. This transformation is not a new thing, and has been heralded by the coming of coded infrastructures and the transduction of urban space through them [3]. The process of 'mathematisation of the urban' refers to a fundamental reorganisation of the urban itself so as to make aspects of it available to mathematical manipulation, most often undertaken by software systems. This mathematisation takes place through the rebuilding of urban infrastructures so as to facilitate sensing and recording of parts of urban lives and processes as mathematical data, and the embedding of coded assemblages that can communicate and act upon the analysis of such data, and also through re-building the relations of property around this newly-obtained and continuously-generated resource of data about the urban.

I propose in this paper that production, circulation, and ownership of data must be considered as a central problematique in the discussions of smart cities. As writings on smart cities have often focused on the dyadic relationships between code and space on one hand, and co-evolution (and splintering) of networked infrastructures and the urban form, the figure of data has remained implicit yet subdued as as an entry point to study the idea of smart cities. Even for commentators who do focus on the implications of data, the category is often treated as a feature or a capacity of new technological assemblages. Instead, I argue in this paper that it is the concerns of production, circulation, and ownership of data that drive the conceptualisation and actual material forms of the visions of smart cities. These technological assemblages, materialisation of which constitute such visions, are implementations of exclusive data collection operations targeting various portions of urban lives and processes. The imagination of 'city 2.0' takes a particularly insightful colour when thought of as an analogy to the 'web 2.0' model of capture and monetisation of user behaviour data. Further, I employ the Marxian theory of 'primitive accumulation' to describe how the material infrastructures of networked sensors and embedded data capture systems create enclosed spaces for conversion of collectively-held-information into data-as-exchangable-and-interoperable-value, through which disparate and distributed knowledge and experiences of the urban is transformed into urban data, which can be centralised and queried, and hence value can be extracted from it.

Footnotes

[1] Lovink, Geert. 2013. Interview with German Media Archeologist Wolfgang Ernst. Nettime-l. February 26. Accessed on April 20, 2015, from http://www.nettime.org/Lists-Archives/nettime-l-0302/msg00132.html.

[2] Sassen, Saskia. 2012. Urbanising Technology. LSE Cities. December. Accessed on April 20, 2015, from http://lsecities.net/media/objects/articles/urbanising-technology/en-gb/.

[3] Dodge, Martin, and Rob Kitchin. 2005. Code and the Transduction of Space. Annals of the Association of American Geographers. 95: 01. Pp. 162-180.

For more details visit https://cis-india.org/raw/smart-cities-and-the-primitive-accumulation-of-data-abstract

Sreedeep_Mock-Calling_04_Resized

sumandro — 2015-07-13T06:44:24Z

For more details visit https://cis-india.org/raw/histories-of-the-internet/Sreedeep_MockCalling_04_Resized.jpg

Sreedeep_Mock-Calling_10_Resized

sumandro — 2015-07-13T07:15:32Z

For more details visit https://cis-india.org/raw/histories-of-the-internet/Sreedeep_MockCalling_10_Resized.jpg

Sreedeep_Mock-Calling_12_Resized

sumandro — 2015-07-13T07:16:57Z

For more details visit https://cis-india.org/raw/histories-of-the-internet/Sreedeep_MockCalling_12_Resized.jpg

International Open Data Charter, Consultation Meeting, Bengaluru, July 28, 5:30 pm

sumandro — 2015-08-21T05:45:53Z

This is to invite you to a consultation meeting on the first public draft of the International Open Data Charter organised by CIS with DataKind and DataMeet at the CIS office in Bengaluru, on Tuesday, July 28, 2015, at 5:30 pm.

The Charter is being developed by the Open Data Working Group of the Open Government Partnership in consultation with a number of international organisations. Meant for approval and implementation by national governments, the Charter has five key principles:

Open by Default;
Quality and Quantity;
Useable by All;
Engagement and Empowerment of Citizens; and
Collaboration for Development and Innovation.

The first public draft of the International Open Data Charter was published in end of May 2015 at the International Open Data Conference in Ottawa, and can be accessed here: http://opendatacharter.net/charter/.

Organisations and individuals are invited to submit comments directly on the Charter page, before July 31.

We are organising this meeting to discuss the context, the drafting process, and the objectives of this document, and to encourage the participants to comment on the existing text of the Charter.

We keenly look forward to your participation in the consultation meeting on Tuesday.

The CIS office address is Number 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bangalore 560071 (opposite Domlur Club and near the TERI building).

Please share this invitation with all relevant individuals, organisations, and networks.

For more details visit https://cis-india.org/openness/international-open-data-charter-consultation-bengaluru-28072015

Studying the Emerging Database State in India: Notes for Critical Data Studies (Accepted Abstract)

sumandro — 2015-11-13T05:54:53Z

"Critical Data Studies (CDS) is a growing field of research that focuses on the unique theoretical, ethical, and epistemological challenges posed by 'Big Data.' Rather than treat Big Data as a scientifically empirical, and therefore largely neutral phenomena, CDS advocates the view that data should be seen as always-already constituted within wider data assemblages." The Big Data and Society journal has provisionally accepted a paper abstract of mine for its upcoming special issue on Critical Data Studies.

Introduction

Through the last decade, the Government of India has given shape to an digital identification infrastructure, developed and operated by the Unique Identification Authority of India (UIDAI). The infrastructure combines the task of assigning unique identification numbers, called Aadhaar numbers, to individuals submitting their biometric and demographic details, and the task of authenticating their identity when provided with an Aadhaar number and associated data (biometric data, One Time Pin sent to the pre-declared mobile number, etc.). The aim of UIDAI is to provide universal authentication-as-a-service for all residents of India who approach any public or private agencies for any kind of service or transaction. Simultaneously, the Aadhaar numbers will function as unique identifiers for joining up databases of different government agencies, and hence allow the Indian government to undertake big data analytics at a governmental scale, and not only at a departmental one.

In this paper, I am primarily motivated by the challenge of finding points and objects to enter into a critical study of such an in-progress data infrastructure. As I proceed with an understanding that data is produced within its specific social and material context, the question then is to read through the data to reflect on its possible social and material context. This is complicated when approaching a big data infrastructure that is meant to produce data for explicitly intra-governmental consumption and circulation. The problem then is not one of reading through available big data, but one of reading through the assemblage and imaginaries of big data to reflect on the kind of data it will give rise to, and thus on the politics of the data assemblage and the database state it enables.

Logic of the Database State

Application of data to inform governmental acts have taken place at least since government has been understood as responsible for the welfare of the population and the territory. The measurement of the population and the territory – the number of people, their demographic features, amounts and locations of natural resources, and so on – have always been integral to the functioning of the modern nation-state. Database state is used in this paper to identify a particular mode of mobilisation of data within governmental acts, which is fundamentally shaped by the possibilities of big data extraction, appropriation, and analytics pioneered by a range of companies since late 1990s. The reason for not using big data state but database dtate is that big data refers to a body of technologies emerging in response to a set of data management and analysis challenges situated in a certain moment of development of information technologies, whereas database refers to a symbolic form (Manovich 1999): a form in which not only the population is made visible to the government (as a collection of visual, textual, numeric, and other forms of records), but also how the acts of government are made visible to the population (as a collection of performance indicators, budget allocation and utilisation tables, and other data visualised through dashboards, analog and digital).

The data production and management logic of this database state is specifically inspired by the notion of platform introduced by the so-called Web 2.0 companies: providing a common service layer upon which various other applications may also run, but under specific arrangements (including distribution of generated user data) with the original common layer provider. Data assemblages of the database state are expected to enable the government to function as a platform, as an intensely data-driven layer that widely gathers data about population individuals and feeds it back selectively to various providers of public and private services. This transforms the data assemblage from one vertical of governmental activities to a horizontal critical infrastructure for modularisation of governmental activities.

Studying the Emerging Database State in India

Government of India is presently debating the legal and technical validity of the digital identity infrastructure programme in the Supreme Court, while simultaneously carrying out the enrollment drive for the same, linking up assignment of unique identity numbers with a national drive for population registration, and rolling out citizen-facing services and applications that implement the Aadhaar number as a necessary key to access them. With the enrollment process going on and the integration with various governmental processes (termed seeding by Aadhaar policy literature) just beginning, I enter this study through two key sets of objects reflecting the imaginaries and the technical specifications of the emerging database state in India. The first entry point is through the various official documents of vision, intentions, plans, and reconsiderations, and the second entry point is through the Application Programming Interface (API) documentations published by UIDAI to specify how its identity authentication platform will collaborate with various public and private services.

The first section of the paper provides a brief survey of pre-UIDAI attempts by the Government of India to deploy unique identification numbers and Smart Cards for specific population groups, so as to understand the initial conceptualisation of this data assemblage of a digital identification platform. The second section foregrounds how this platform undertakes a transformation of the components and relations of the pre-existing data assemblage of the Government of India, as articulated in various official documents of promised utility and proposed collaborations. The third section studies the API documentations to track how such imaginaries are materially interpreted and operationalised through the design of protocols of data interactions with various public and private agencies offering services utilising the identity authentication platform.

Notes for Critical Data Studies

Expanding the early agenda note on Critical Data Studies by Craig Dalton and Jim Thatcher (2014), Rob Kitchin and Tracey P. Lauriault have taken steps towards emphasising the responsibility of this nebulous research strategy to chart and unpack the data assemblages (2014). This is exactly what I propose to do in this paper. While Kitchin and Lauriault provide a detailed list of the components of the apparatus of a data assemblage (2014: 7), I find the concepts of infrastructural components and infrastructural relations very useful in thinking through the emerging infrastructure of authentication. Thus, my approach to these tasks of charting and unpacking is focused on the infrastructural relations that the digital identity infrastructure re-configures, instead of the infrastructural components it mobilises (Bowker et al 2010). This tactical choice of focusing on the infrastructural relations is also necessitated by the practical difficulty in having comprehensive access to the individual components of the data assemblage concerned. Addressing questions of causality and quality becomes difficult when studying the assemblage sans the produced data, and rigorously analysing concerns of security and uncertainty pre-requires an actually existing data assemblage, with a public interface to investigating its leakages, breakages, and internal functioning. In the absence of such points of entry into the data assemblage, which I fear may not be an exceptional case, I attempt an inverted reading. Turning the data infrastructure inside out, in this paper I describe how the digital identity platform is critically reshaping the basis of governmental acts in India, through a specific model of production, extraction and application of big data.

Bibliography

Bowker, Geoffrey C., Karen Baker, Florence Millerand, & David Ribes. 2010. Toward Information Infrastructure Studies: Ways of Knowing in a Networked Environment. Jeremy Hunsinger, Lisbeth Klastrup, & Matthew Allen (Eds.) International Handbook of Internet Research. Springer Dordrecht Heidelberg London New York. Pp. 97-117.

Dalton, Craig, & Jim Thatcher. 2014. What does a Critical Data Studies Look Like, and Why do We Care? Seven Points for a Critical Approach to ‘Big Data.’ Society and Space. May 19. Accessed on July 08, 2015, from http://societyandspace.com/material/commentaries/craig-dalton-and-jim-thatcher-what-does-a-critical-data-studies-look-like-and-why-do-we-care-seven-points-for-a-critical-approach-to-big-data/.

Kitchin, Rob, & Tracey P. Lauriault. 2014. Towards Critical Data Studies: Charting and Unpacking Data Assemblages and their Work. The Programmable City Working Paper 2. July 29. National University of Ireland Maynooth, Ireland. Accessed on July 08, 2015 from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2474112.

Manovich, Lev. 1999. Database as Symbolic Form. Convergence. Volume 5, Number 2. Pp. 80-99.

Note: Call for Papers for the special issue can found here: http://bigdatasoc.blogspot.in/2015/06/call-for-proposals-special-theme-on.html.

For more details visit https://cis-india.org/raw/studying-the-emerging-database-state-in-india-accepted-abstract

Call for Essays: Studying Internet in India

sumandro — 2016-07-04T12:48:15Z

As Internet makes itself comfortable amidst everyday lives in India, it becomes everywhere and everyware, it comes in 40 MBPS Unlimited and in chhota recharges – though no longer in zero flavour – the Researchers at Work (RAW) programme at the Centre for Internet and Society invites abstracts for essays that explore how do we study internet in India today.

Submission deadline extended to Sunday, July 03.

Source: Leonardo Flores.

How do we move beyond a fascination with new digital things and interfaces that we engage with on the internet, which are increasingly becoming the objects and sites of our research and creative practices? How do we engage with these on their own terms, and perhaps also against the grain? What "new" is being brought in, performed, and afforded by these digital artefacts in our daily lives? How can our concerns and practices benefit from developing an awareness of their aesthetics, functions, and politics?

This call is for researchers, workers, and others interested in closely – or from a distance – commenting on these topics and questions.

Please send abstracts (200 words) to raw@cis-india.org by Sunday, July 03, 2016. The subject of the email should be 'Studying Internet in India.'

We will select up to 10 abstracts and announce them on Tuesday, July 05, 2016.

The selected authors will be asked to submit the final longform essay (3,000-4,000 words) by Sunday, July 31, 2016. The final essays will be published on the RAW Blog. The authors will be offered an honourarium of Rs. 6,000.

We understand that not all essays can be measured in words. The authors are very much welcome to work with text, images, sounds, videos, code, and other mediatic forms that the internet offers. We will not be running a Word Count on the final 'essay.' The basic requirement is that the 'essay' must offer an argument – through text, or otherwise.

For more details visit https://cis-india.org/raw/call-for-essays-studying-internet-in-india-2016

Understanding Aadhaar and its New Challenges, May 26-27, 2016

sumandro — 2016-05-26T10:29:43Z

A workshop on “Understanding Aadhaar and its New Challenges” is being organised by the Centre for Studies in Science Policy, Jawaharlal Nehru University, and the Centre for Internet and Society, during May 26-27. It is also supported by the Centre for Communication Governance at NLU Delhi, Free Software Movement of India, Knowledge Commons, PEACE, and Center for Advancement of Public Understanding of Science & Technology. This is a legal and technical workshop to be attended by various key researchers and practitioners to discuss the current status of the implementation of the project, in the context of the passing of the Act and the various ongoing cases.

Workshop Programme

First Day, May 26

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. Ram Kumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Deptt of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Aadhaar - International Dimensions Prof. Chinmayi Arun, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in other parts of the world Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea
18:00-19:00	Video Presentations

Second Day, May 27

9:30-11:00	Privacy, Surveillance, and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-10:30	Aadhaar: Broad Issues - I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-13:30	Video Presentations
13:30-14:30	Lunch
14:30-15:30	Aadhaar: Broad Issues - II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan (TBC) - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Conclusion

For more details visit https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016

Comments on the National Geospatial Policy (Draft, V.1.0), 2016

sumandro — 2016-06-30T09:40:59Z

The Department of Science and Technology published the first public draft of the National Geospatial Policy (v.1.0) on May 05, 2016, and invited comments from the public. CIS submitted the following comments in response. The comments were authored by Adya Garg, Anubha Sinha, and Sumandro Chattapadhyay.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society ("CIS") on the proposed draft of the National Geospatial Policy 2016 ("the draft Policy / the draft NGP") [1]. This submission is based on Version 1.0 of the draft Policy released by the Department of Science and Technology ("DST") on May 5, 2016.

1.2. CIS commends the DST under the aegis of the Ministry of Science and Technology, Government of India, for its efforts at seeking inputs from various stakeholders to draft a National Geospatial Policy. CIS is thankful for this opportunity to provide a clause-by-clause submission.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS, [2] is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the principle of citizens’ right to information, instituting openness-by-default in governmental activities, and the various kinds of public goods that can emerge from greater availability of open (geospatial) data created by both public and private agencies and crucially, by the citizens. The submission is limited to those clauses that most directly have an impact on these principles.

3. Comments and Recommendations

This section presents comments and recommendations directed at the draft policy as a whole, and in certain places, directed at specific clauses of the draft policy.

3.1. The draft policy should make references to five policies applicable to geospatial data, products, services, and solutions

3.1.1. CIS observes that the draft policy lists the key policies related to geospatial information and sharing of government data, namely the National Map Policy 2005, the Civil Aviation Requirement 2012, the Remote Sensing Data Policy 2011 and 2012, and the National Data Sharing and Accessibility Policy 2012 (“NDSAP”).

3.1.2. CIS submits that apart from the policies mentioned above, Geospatial Data,Products, Services and Solutions (“GDPSS”) are also intricately linked to concepts of “open standards,” “open source software,” “open API,” “right to information,” and prohibited places” These concepts are governed by specific acts and policies, and are applicable to geospatial data, as follows:

Adoption of Open Standards: CIS observes that the draft policy captures the importance of open standards in the section 1.4 of the draft policy. It states that “A very high resolution and highly accurate framework to function as a national geospatial standard for all geo-referencing activity through periodically updated National Geospatial Frame [NGF] and National Image Frame [NIF] by ensuring open standards based seamless interoperable geospatial data.”

CIS submits that the Policy on Open Standards for e-Governance [3] which establishes the Guidelines for usage of open standards to ensure seamless interoperability, and the Implementation Guidelines of the National Data Sharing and Accessibility Policy, 2012 [4] listing two key open standards for geospatial data - KML and GML, should be mentioned in the draft policy.

CIS recommends that the final version of the NGP embrace open standards as a key principle of all software projects and infrastructures within the purview of the Policy. This is essential for easier sharing and reuse of open (geospatial) data.
Adoption of Open Source Software: The Policy on Adoption of Open Source Software for Government of India states that the “Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organisations, as a preferred option in comparison to Closed Source Software” [5]. As the draft policy proposed to guide the development of GDPSS being developed and implemented both by the Government of India and by other agencies (academic, commercial, and otherwise), it must include an explicit reference and embracing of this mandate for adoption of Open Source Software, for reasons of reducing expenses, avoiding vendor lock-ins, re-usability of software components, enabling public accountability, and greater security of software systems.
Implementation of Open APIs: To actualise the stated principle to “[e]nable promotion, adoption and implementation of emerging / state of the art technologies” as well as to ensure the “[a]vailability of all geospatial data collected through public funded mechanism to all users,” CIS suggests that final version of the NGP must refer to and operationalise the Policy on Open Application Programming Interfaces (APIs) for Government of India [6]. This will ensure that the openly available geospatial data is available to the public, as well as to all the government agencies, in a structured digital format that is easy to consume and use on one hand, and is available for various forms of value addition and innovation on the other.
Right to Information Act 2005: The framework for reactive disclosure of information and data collected and held by the Government of India, as well as the basis for proactive disclosure of the same, is enshrined in the Right to Information Act 2005 [7]. The draft NGP, CIS proposes, should refer to this Act, and ensure that whenever an Indian citizen request for such government data and/or information that is of geospatial in nature, and the requested data and/or information is both shareable and non-sensitive, the citizen must be provided with the geospatial data and/or information in an open standard and under open license, as applicable.
Refer to Official Secrets Act, 1923: The Official Secrets Act defines “Prohibited Places” and prohibits all activities involving “sketch, plan, model, or note which is calculated to be or might be or is intended to be, directly; or indirectly, useful to an enemy or (c) obtains collects, records or publishes or communicates to any other person any secret official code or password, or any sketch, plan, model, article or note or other document or information which is calculated to be or might be or is intended to be, directly or indirectly, useful to an enemy” [8]. This provides the fundamental legal basis for regulation, expunging, and stopping circulation of geospatial data containing information about Vulnerable Points and Vulnerable Areas. CIS submits that this Act should be referred to in this context of ensuring non-publication of sensitive geospatial data (that is geospatial data related to Prohibited Places).

3.2. Grant adequate permissions to the public to re-use geospatial data

3.2.1. CIS observes that section 1.4 of the draft policy states that, “Geospatial data of any resolution being disseminated through agencies and service providers, both internationally and nationally be treated as unclassified and made available and accessible by Indian Mapping and imaging agencies.”

3.2.2. CIS recommends the abovementioned section be broadened to include not only availability and accessibility of geospatial data, but also its re-use. Further, such accessibility, availability and re-use should not be only limited to public and private entities such as Indian mapping and imaging agencies, but as well as to Indian people in general.

3.2.3. CIS further submits that section 1.4 be revised as “[g]eospatial data of any resolution being disseminated through agencies and service providers, both internationally and nationally be treated as unclassified and made available, accessible, and reusable by Indian mapping and imaging agencies in particular, and by the people of India in general.”

3.3. Ensure Open Access to shareable and non-sensitive geospatial data

3.3.1. CIS observes that the draft policy directs all “geospatial data generating agencies” to classify their data into “open access,” “registered access,” and “restricted access.” The document, however, neither defines “geospatial data generating agencies”, nor does it clarify what conditions the data must satisfy to be classified as one of the three types. Without a listing of such conditions (at least necessary, and not sufficient, conditions), nothing restricts the agencies from classifying all generated geospatial data as “restricted.”

3.3.2. Further, CIS observes that the draft policy aims to provide geospatial data acquired through public funded mechanism to be made available to the public at free of cost. It is submitted that the policy should not only be made available for free of cost, but it should also be made available in open standard format under an open license.

3.3.3. As defined in the section 1.3, the National Data Sharing and Accessibility Policy (“NDSAP”) applies to “all shareable non-sensitive data available either in digital or analog forms but generated using public funds” [9]. Clearly all shareable [10] and non-sensitive [11] geospatial data, either in digital or analog forms, and generated using public funds should be proactively disclosed by the government agency concerns in accordance to the NDSAP. CIS recommends that the draft policy makes an explicit reference to NDSAP when discussing the topic of Open Access geospatial data, and re-iterates the mandate of proactive publication of shareable and non-sensitive government data.

3.3.4. Further, the process for defining an open government data license to be applied to all open government data sets being published under the NDSAP, and through the Open Government Data Platform India, is in progress. Given this, it is absolutely crucial important that the draft NGP takes this into consideration, and mandates that Open Access geospatial data must be published using the open government data license to be defined by the Implementation Guidelines of the NDSAP, when applicable.

3.4. Lack of clarity regarding the clearances and permits required for data acquisition and dissemination, and the procedures thereof

3.4.1. Section 1.8 of the draft policy states that “[a]ll clearances / permits, as necessary, for data acquisition and dissemination be through a single window, online portal. These clearances be provided within a time span of 30 days of filing the online request.” CIS observes that the draft policy does not specify the kind of clearances/permits needed before a public or private entity, or an individual, can undertake acquisition and dissemination of geospatial data. It neither clarifies under what circumstances and conditions application for such clearance / permits would be required for users.

3.4.2. Since the recently published draft Geospatial Information Regulation Bill (“GIRB”) 2016, directly addresses this topic of clearance / permit required to acquire and share geospatial information [12], it will be effective if the NGP can refer to this Bill and provide an overall governance framework for the same. Further, CIS noted that the time span of 30 days mentioned in the draft policy is inconsistent with the time period specified in the GIRB (which is 90 days).

3.4.3. CIS recommends that the draft policy also be amended suitably to include the circumstances and conditions under which required permissions shall be issued. Accordingly, the draft policy should reference the standardised and time bound security vetting process envisaged in the GIRB.

3.5. Clarification Needed regarding “Cybersecurity is to be ensured through … use of Digital Watermarks for authentication of GDPSS”

3.5.1. CIS submits that the draft policy does not elaborate on the use of “Digital Watermarks” to ensure cybersecurity, neither it is explained who will authenticate GDPSS, under what conditions, and for what reasons. CIS recommends that the draft policy be amended suitably to specify the same.

3.6. Remove Classification of Non-Public (at Present) Satellite / Aerial Imagery as Restricted by Default

3.6.1. CIS observes that the draft policy recommends that “[s]atellite/aerial images of resolution other than those currently made available on websites” should all be “classified for restricted access.”

3.6.2. CIS submits that blanket categorisation of all satellite / aerial imagery of resolution that is not currently available through a public website (for whatever reason it might be) as “restricted access” should be re-evaluated, given the immense importance of such imagery to mapping agencies and industry participants using GDPSS.

3.6.3. CIS recommends that the section be revised to define clear principles for defining satellite /aerial imagery as “open,” “registered,” and “restricted.”

3.7. Governance of User-contributed Geospatial Data

3.7.1. A key resource and feature of contemporary geospatial industry in particular, and the digital economy in general, is the proliferation of user-contributed and user-generated geospatial data and information. CIS observes that this crucial topic, as well as the unique governance concerns that it raises, has not been addressed in the draft policy at all. CIS requests the DST to consider this matter with due attention to the specific nature and values of such user-contributed and user-generated in the digital economy on one hand, and in emergency contexts such as natural disasters on the other, and prepare a framework for its appropriate governance as part of the NGP itself.

3.8. Protect Geospatial Privacy of Citizens by Defining Sensitive Personal Geospatial Data and Information

3.8.1. CIS observes that the draft policy lacks rules for collection, use, storage, and distribution of geospatial data from an individual’s privacy standpoint. Further, neither does the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 address these concerns [13]. Section 3 of the Rules define “Sensitive personal data or information”, which do not include geospatial information.

3.8.2. The argument of violation of constitutional right to privacy was pleaded in a case against Google and other private mapping agencies in 2008 [14]. In the judgment, Madras HIgh Court noted that there existed no legislation/guidelines to prohibit mapping programmes from conducting their activities indiscriminately, and the lack of one thereof prevented the Court from injuncting such activities. Thus, there exists a judicial ambiguity on the aspect of collection and use of geospatial data.

3.8.3. CIS submits that the draft policy may be suitably amended to ensure that collection, processing and dissemination of geospatial information is in consonance with the constitutionally protection of an individual’s privacy.

3.9. Clarification Needed regarding “Mechanisms to be put in place to evaluate / audit GDPSS creation, consumption and distribution”

3.9.1. The draft policy suggests that “mechanisms to be put in place to evaluate/audit GDPSS creation, consumption and distribution” without clarifying the scope, purpose, and purview of this mechanism, and most crucially it does not describe what exactly will be evaluated / audited. CIS submits that this section is revised and expanded.

3.9.2. The same section also identifies the need for a “framework to be put in place to assess the data collection versus its utilization towards government program and socio-economic development.” CIS observes that this is a very promising and much welcome gesture by the DST, but this section must be developed as a separate and detailed mandate. At the least, the NGP may suggest that a more detailed guideline document regarding this framework will be developed in near future.

3.10. Data Taxation and Geospatial Cess

3.10.1. The draft policy refers to imposition of “data taxation (geospatial cess)” and use of “licensing” of geospatial data to raise money for geospatial activities of the Government of India. CIS is of the opinion will severely affect the geospatial industry in the country in particular, and will raise the monetary barrier to public use of geospatial data and maps in general; and hence must be strictly avoided.

3.11. Data Dissemination Cell

3.11.1. CIS submits that instead of development of a separate Data Dissemination Cell within all government agencies to operationalise the mandate of the NGP, the Chief Data Officers within all government agencies identified under the implementation process of the NDSAP be given this complementary responsibility. This would ensure effective channelisation of human and financial resources to take forward the joint mandate of NGP and NDSAP towards greater public availability and use of (shareable and non-sensitive) government data.

3.12. Special Infrastructure for Governance, Management, and Publication of Real-time Geospatial Data

3.12.1. A key term that the draft policy does not talk about is “big data.” The static or much-slowly-changing geospatial data such as national boundaries and details of Vulnerable Points and Vulnerable Areas are really a very small part of of the global geospatial information. The much larger and crucial part is the real-time (that is continuously produced, stored, analysed, and used in almost real-time) big geospatial data – from geo-referenced tweets, to GPS systems of cars, to mobile phones moving through the cities and regions. Addressing such networked data systems, where all data collected by digital devices can quite easily be born-georeferenced, and the security and privacy concerns that are engendered by them, should be the ultimate purpose of, and challenge for, a future-looking NGP.

3.12.2. Further, with increasing number of government assets being geo-referenced for the purpose of more effective and real-time management, especially in the transportation sector, the corresponding agencies (which are often not mapping agencies) are acquiring a vast amount of high-velocity geospatial data, which needs to be analysed and (sometimes) published in the real-time. CIS submits a sincere request to DST to highlight the crucial need for special infrastructure for such data, as well as its governance, and identify the key principles concerned in the next version of the draft NGP.

3.13. Sincere Request for Preparation and Circulation of a Second Public Draft of the National Geospatial Policy

3.13.1. CIS commends the DST for publishing the draft policy, and facilitating a consultation process inviting stakeholders and civil society to submit feedback. The NGP envisages to address crucial concepts of privacy, licensing, intellectual property rights, liability, national security, open data, which cut across and impact various technology platforms, industries and the citizens.

3.13.2. In view of the multifarious issues highlighted that arise at the intersection of various legal and ethical concepts, CIS respectfully requests the DST to conduct another round of consultation after the publication of the second draft of the NGP. Multiple rounds of consultation and feedback would contribute to the robustness of the lawmaking process and ensure that the final policy safeguards the general public interest, and the interests and rights of various stakeholders involved.

3.13.3. CIS is thankful to DST for the opportunity to provide comments, and would be privileged to provide further assistance on the matter to DST.

Endnotes

[1] See: http://www.dst.gov.in/sites/default/files/Draft-NGP-Ver%201%20ammended_05May2016.pdf.

[2] See: http://cis-india.org/.

[3] See: https://egovstandards.gov.in/sites/default/files/Published%20Documents/Policy_on_Open_Standards_for_e-Governance.pdf.

[4] See: http://data.gov.in/sites/default/files/NDSAP.pdf.

[5] See: http://deity.gov.in/sites/upload_files/dit/files/policy_on_adoption_of_oss.pdf.

[6] See: http://deity.gov.in/sites/upload_files/dit/files/Open_APIs_19May2015.pdf.

[7] See: http://rti.gov.in/webactrti.htm.

[8] See: http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf, sections 2(d) and 3(b).

[9] See: https://data.gov.in/sites/default/files/NDSAP.pdf.

[10] See section 2.11 of NDSAP.

[11] See section 2.10 of NDSAP.

[12] See: http://mha.nic.in/sites/upload_files/mha/files/GeospatialBill_05052016_eve.pdf.

[13] See: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf.

[14] J. Mohanraj v (1) Secretary To Government, Delhi; (2) Indian Space Research Organisation, Bangalore; (3) Google India Private Limited, Bangalore, 2008 Indlaw MAD 3562.

For more details visit https://cis-india.org/openness/comments-on-the-national-geospatial-policy-draft-v-1-0-2016

Comments on the RBI's Consultation Paper on Peer to Peer Lending

sumandro — 2016-06-01T20:21:13Z

The Reserve Bank of India published a Consultation Paper on Peer to Peer Lending on April 28, 2016, and invited comments from the public. CIS submitted the following response, authored by Elonnai Hickok, Pavishka Mittal, Sumandro Chattapadhyay, Vidushi Marda, and Vipul Kharbanda.

1. Preliminary

1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the Consultation Paper on Peer to Peer Lending (“the consultation paper”) by the Reserve Bank of India (“RBI”) [1].

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, CIS [2], is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

2.2. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. The comments in this submission aim to further the concerns of citizens’ and users’ rights in the context of products, services, and transactions facilitated by digital media technologies, the , the principle that regulation should be defined around functions of the acts concerned, and not the technologies of delivery. Our comments are limited to the clauses that most directly have an impact on these concerns.

3. Response

3.1. Whether there is a felt need for regulating peer to peer lending platforms?

3.1.1. Peer to peer (“P2P”) lenders are platforms serving as marketplaces for the lenders and the borrowers of funds to connect. Their very business model does not render them as a provider of finance, as they aspire to function as pure intermediaries to enable lending and borrowing.

3.1.2. The Section 45I.(f)(iii) of the RBI Act, 1935 [3], provides RBI the authority to classify any financial institution as a non-banking financial company (“NBFC”) “with the previous approval of the Central Government and by notification in the Official Gazette.” Since the P2P lending platforms do not provide any finance themselves, undertake acquisition of financial instruments, deliver financial and/or insurance services, or collect financial resources directly, the only ground for classifying such companies as “financial institutions” [4] appears to be their involvement in “managing, conducting or supervising, as foreman, agent or in any other capacity, of chits or kuries as defined in any law which is for the time being in force in any State, or any business, which is similar thereto” [5]. P2P lending platforms can be considered to be brokers and thus there are other aspects that merit scrutiny such as antitrust issues, obligations of either party, company activities and the transactional system involved, as we will discuss in this document.

3.1.3. The consultation paper itself states that the balance sheet of the platform cannot indicate any borrowing / lending activity, which entails that the platform cannot itself provide finance or receive any funds for the provision of loans to others. Platforms are not allowed to determine the interest rates as they are not a party to the transaction. Neither would they be liable in cases of default by the borrower. These rules, standard for P2P platforms in other jurisdictions as well, confirm the assumption that the platform itself is not providing finance and thus, cannot be entrusted with any liability, obligation from the transaction.

3.1.4. Further, with RBI raising the threshold asset size for an NBFC to be considered systemically important (NBFC-ND-SI) from Rs. 100 Crores to Rs. 500 Crores [6], and Economic Times reporting that one of the biggest Indian P2P lending platform’s enterprise valuation (which can be taken as indicative of its net assets) is Rs 50 Crores [7], we may assume that most P2P lending platforms will have net assets worth less than 500 crore, at least in the near future; although there is a possibility for exponential growth with some companies.

3.1.5. Given the limited sphere of operation, restricted ability (by design) of these platforms to shape interest rates and other features of financial instruments, and their generally non-systemically-important nature, we would submit that the regulation of such P2P lending platforms are kept to an absolute minimum, so that their economic viability is not undermined, and at the same time the key risks associated with their operations are addressed by RBI.

3.2. Is the assessment of P2P lending and risks associated with it adequate?

3.2.1. CIS observes that the following are the key risks involved with the operations of the P2P lending platforms, and these are being respectively addressed by, or can be addressed by RBI in the following manners.

Insufficient information about the conditions of lending, leading to defrauding of the borrower: The borrower may not receive appropriate information about the terms of the loan, and/or the P2P lending platform may not act in a “fair” manner (say, in case of collusion between the P2P lending platform and the lender, or the lending platform and the borrower), which may lead to defrauding and/or economic loss of either party. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Guidelines on Fair Practices Code for NBFCs [8], which extensively addresses concerns related to this type of risks.
Insufficient information about the borrower, or her/his ability to repay the loan, may lead to non-repayment and economic loss of the lender: If the P2P lending platform allows the lender to offer loans to borrowers without acquiring and/or providing sufficient information to the lender about the borrower’s credit history and/or ability to repay the loan, modes of formulating security for loans, this may heighten the risks of non-repayment of loans. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - Prevention of Money Laundering Act, 2002 - Obligations of NBFCs [9], which extensively addresses concerns related to this type of risks.
Credit-related information of the lenders and the borrowers collected by P2P lending platforms may not be made available to other financial institutions and that will lead asymmetry in credit information available across various actors in the sector: Credit information, related to both lending and borrowing practices of entities using the platform concerned, is a key asset of the P2P lending platforms. Lack of sharing of such information with Credit Information Companies, for economic reasons or otherwise, may however, lead to information asymmetry within the financial sector, which will structurally weaken the entire sector (with pieces of credit information being distributed across actors and not being shared internally). By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies follow the Credit Information Companies (Regulation) Act, 2005 [10], which extensively addresses concerns related to this type of risks.
P2P lending platforms diversifying their financial operations without informing RBI and hence without appropriate regulatory control: It is possible that P2P lending platforms may decide to diversify their activities. There have been similar examples in other related sectors, say e-commerce marketplaces, that have started their own product re/selling companies that use the same online marketplace concerned. By classifying P2P lending platforms as NBFCs, RBI will ensure that these companies provide RBI with detailed and regular reports of their economic activities and investments, which is expected to address concerns related to this type of risks.

3.3. Are there any other risks which ought to be addressed?

3.3.1. CIS observes that as part of the usual transaction related activities of the P2P lending platforms, the companies will come into possession of what has been defined as “sensitive personal data or information” by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [11]. The concerns related to this type of risk is directly addressed by the Rules concerned, and may not require additional attention from the RBI.

3.3.2. CIS observes that as borrowers and lenders start using specific P2P lending platforms, the data regarding their credit histories and/or “financial reputation” will be owned by these companies. While such information might be shared internally within the financial sector through the Credit Information Companies, the borrowers and lenders themselves may not get direct access to such data. Hence, the borrowers and lenders will not be able to move easily and smoothly to a new P2P lending platform and make use of their existing credit information and/or “financial reputation” when accessing services offered via the new P2P lending platform. In other words, the borrowers and lenders may face a service provider lock-in, and inability to move between P2P lending platforms easily, without explicit access to their own credit history/reputation, and will not have the ability to migrate such information from one P2P lending platform to another (or to any other agency, for that matter). CIS submits that RBI must provide a mechanism to allow users to migrate between platforms as it has not been discussed in the consultation paper.

3.4. Is the proposed approach to regulating these platforms adequate?

3.4.1. CIS observes that while classification of P2P lending platforms will appropriately address key risks associated with their operations (as listed in 3.2.1. A-D), it will not address a major risk emerging out of their operations that is unique to the technological basis of the business concerned (as mentioned in 3.3.2.), and further, it will impose substantial financial and management obligations that have a very high probability of undermining the economic viability of this emerging and niche sector of intermediated direct lending and borrowing.

3.4.2. CIS observes that these financial and management obligations may involve the following topics among others discussed: 1) minimum net worth requirement for registration, 2) minimum investments required to be made government securities, 3) transferring of minimum percentage of net profits to RBI, 4) guidelines regarding corporate governance [12], etc.

3.4.3. Given this, CIS submits that instead of classifying P2P lending platforms as “Misc NBFCs,” a new sub-classification is created under the category of NBFC for such platforms, that directly addresses the key risks associated with businesses of P2P lending platforms, and protects lenders as well as borrowers while enhancing transparency in operations. This new sub-classification of P2P lending companies should also be divided into systemically-important and non-systemically-important like other NBFCs, and requirements regarding financial operations and corporate management should only be enforced for the former category of P2P lending companies.

3.5. Any other relevant issues pertaining to P2P lending

Beyond the issues already discussed above, CIS seek clarity from the RBI around the following aspects:

Transactional system pertaining to P2P lending:
1. What are the requirements and prerequisites for mandating the collection of user identity?
2. Establishing a maximum sum that can be transferred per transaction.
Company activities:
1. Fees that can be charged by platforms.
2. How data security can be best addressed.
3. How the financial transactions are brokered.
4. Modes of redressal.
5. Restitution to users if something goes amiss in the transaction.
6. Insurance that the company has to buy or capital on hand to support.