Centre for Internet and Society

When Whistle Blowers Unite

sunil — 2012-03-21T10:17:48Z

Leaking corporate or government information in public interest through popular Web service providers is risky but Wikileaks.org is one option that you could try out.

Leaking corporate or government information in public interest in the age of Satyam has new challenges. You couldn't just upload it to a blog, social networking website or even a document management system like Google documents. Google, Yahoo and most other Web service providers nearly always comply with the national law and cooperate with enforcement agencies. In India there have been several arrests in connection with alleged illegal email messages and content on social networking websites. It did not take court order – just a request from the local police station. Furthermore, you would have to undertake additional risky activity online to draw media attention to your documents. Also those who stand to lose from the leak can send a couple of copyright take down notices which will lead to deletion. So your only real option is Wikileaks.org, where they boast: Every source protected. No documents censored. All legal attacks defeated.

Launched in December 2006, Wikileaks.org stands alone on the Internet as the last refuge for the truth. Even though the promoters are European and US academic organisations, journalists and NGOs – a near neutral point of view is realised by sparing no one across the political and ideological spectrum. It is the archive of the whistle-blowers of the world and it is ugly: login information and private emails of a holocaust denier, secret documents from the Church of Scientology, Internet block-lists from Thailand and standard operating procedures for US guards at Guantanamo Bay, et cetera. One could safely assume that these guys have very few friends. Unlike Wikipedia.org whose technology it employs, Wikileaks does not have an open and participatory editorial policy. It accepts documents through a trusted journalist–source system.

Leaking controversial documents can result in loss of job, limb and life, so extreme caution is always advised. Remember that India still does not have laws protecting whistle blowers, in spite of a bill being introduced in 2006. What follows is only a very rough guide to digital whistle blowing, so please get expert advice before you try these at home:

Download and install military grade encryption software like Pretty Good Privacy. Generate a pair of keys – a public and a private one. Use your private key in combination to a journalist's public key to send him or her, a 'for your eyes only message' email. Only the journalist will be able to decrypt the message using your public key and his private key. Note however, that an Indian court under the 2008 amendment of the IT Act can ask you to disclose your key-pair.
Step outside. Working from home is a bad idea since DOT mandates that all ISPs retain logs for all users and for all services utilized for an indeterminate time-period. Office is still worse as your network administrator might be also logging your activities.
Find an anonymous public access point. Cyber-cafes, especially in New Delhi, Maharashtra, Karnataka and Tamil Nadu are asking users to provide identity cards and record contact details and in some cases web-cam photographs as well. Using your laptop in a coffee shop may work but DOT is considering cracking down on open wifi networks.
Use an anonymizing service so that the chain of digital evidence leading up to Wikileaks is obliterated. TOR is the anonymizing solution of choice. Several TOR servers that provide private tunnels across the Internet work in unison, to form a cloud of anonymity.

If you were leaking large amounts of data, uploading it may be too risky. Burn the data on DVDs and mail them to Wikileaks. However, do ensure that all digital files have been purged of personal information. For word files this can be done by converting to PDF. Also you may not want to leave any finger-prints on the package. India will soon have a database of finger prints thanks to the National Unique Identity (NUID) project. We know this thanks to the leaked NUID project document on Wikileaks.org, days before the consultation.

For more details visit https://cis-india.org/internet-governance/blog/whistle-blowers-unite

Sense and censorship

sunil — 2012-03-21T10:15:15Z

Sunil Abraham examines Google's crusade against censorship in China in wake of the attacks on its servers in this article published in the Indian Express.

Some believe that Google’s co-founder Sergey Brin’s memories as a six-year-old in the former Soviet Union has inspired Google’s crusade against censorship in China. However, as Siva Vaidhyanathan, author of upcoming book The Googlisation of Everything, notes in a recent blog post — this “isn’t a case of Google standing up for free speech....but about Google standing up against the attacks.”

He was referring to the attacks on Google’s servers that originated from China mid-December last year. Anyone running a multi-billion dollar enterprise online would be well attuned to the security threats posed by anarchists, crackers, spammers and phishers on a daily basis. So what made the recent Google attacks so special? According to Google, intellectual property was stolen and two human-right activists accounts were compromised during the attack. So which was the straw that broke the camel’s back — intellectual property or human rights? Google could have spoken out against censorship years ago — after all it still censors search results in more than 20 countries, including India. Although there is no official channel or protocol guiding censorship practices in India, Google is regularly contacted by government officials and continues to delete web content deemed sensitive according to various ethnic, political and religious groups. Human rights activists note that Google offers some token resistance and then usually complies with the state’s demands. Google’s deputy general counsel, Nicole Wong, justifies her cooperation with the authorities citing the Indian way of torching buses during riots. Therefore it is odd that the US government endorses Google’s selective idealism in China. One week after the attacks, Hillary Clinton decided to lecture the world on Internet freedom. Then, Google and the National Security Agency announced a collaboration to deal with future cyber-attacks. This was followed by Google honouring female bloggers in Iran, forcing cyber-ethnographer, Maximilian Forte to wonder on Twitter, “Is it just me, or is Google consistently joining the causes of the US State Department?” How is Google’s move, and recent White House support for a “free web”, to be understood? How is Google’s move consistent with the Obama administration’s goal of protecting US business interests across the globe? Such questions may tell us why Google is picking a fight with China rather than Saudi Arabia or Burma. The recent privacy disaster incited by the release of Google’s new social networking application Buzz became yet another occasion when many began to doubt Google’s high rhetoric about freedom of expression. When Buzz first made the social connections of Gmail users public without their consent, blogger Evgeny Morozov questioned the company’s logic in protecting the email accounts of Chinese human rights activists (ie, when they are happy to tell the rest of the world who those activists are talking to). According to Morozov, Google has only managed to capture 30 per cent of the Chinese search market, and he believes that Google was willing to sacrifice this market for some much need needed positive PR given after a storm of bad press after projects like Buzz and Wave.

It is clear that Google will have to fight such pressures towards greater control of the internet across the globe, China being no great exception. This week, Google and Yahoo have come out strongly in opposition to Australia’s plan to implement a mandatory ISP filter. Sometimes, a particular form of censorship serves a useful and necessary purpose — for example, Google and Microsoft were forced by the Indian Supreme Court in September 2008 to stop serving advertisements for do-it-yourself foetus sex determination kits. Given our daughter deficit, I would not have it any other way. However, in Thailand, such filtering takes the form of overly expansive lèse majesté laws which force ISPs to reveal details of individuals posting content deemed insulting to the monarch, Bhumibol Adulyadej — this practice leading to self-censorship and over-moderation on forums and mailing lists in Thailand.

Also, soon as traffic was redirected from Google.cn to Google.com.hk, Google advised its enterprise customers in China to use VPN (virtual private networking), SSH (secure shell) tunneling, or a proxy server to access Google Apps. These are circumvention technologies of choice for many Chinese cyber-activists, says Rebecca McKinnion, founder of Global Voices Online. In her recent congressional submission, she also points out that in China, online defiance has a very different history, perhaps best illustrated by the Mud Grass Horse Internet meme which was an obscene pun on a government media campaign aimed at national unity and harmony. In China, aesthetics rather than technology is the primary tool for subversive political speech. Also like in Burma and Saudi Arabia, offline piracy and pirated satellite television ensures that most citizens are able to access censored content. And the average Chinese netizen cannot tell the difference between Google censoring its own results and the Great Firewall censoring Google. Google’s recent actions has very little real impact on the state of censorship in China.

For original article in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/sense-and-censorship

Does the Government want to enter our homes?

sunil — 2012-03-21T10:12:40Z

When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.

The priveleged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information.

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.

This is legalised through ISP licence agreements, which requires ISPs to provide monitoring equipment that can be used to by various law enforcement and intelligence agencies. There is no clear policy on data-retention policies.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they they retain it for posterity for market research?

In the absence of a privacy law — the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.

She would use the same key as I did to unencrypt the machine, ie, substituting the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination —just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.

How does Blackberry encrypt differently?
Other smart phone providers like IPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments are able to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example Blackberry has now ‘resolved’ security probwith Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

For more details visit https://cis-india.org/internet-governance/blog/government-enter-homes

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit https://cis-india.org/internet-governance/blog/online-anonymity

Big Brother is Watching You

sunil — 2012-03-21T09:32:28Z

The government is massively expanding its surveillance power over law-abiding citizens and businesses, says Sunil Abraham in this article published by the Deccan Herald on June 1, 2011.

Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea on who she is or where she lives.

Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use a software – to log her Internet activities and make a reasonable guess on her HIV status.

The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them.

The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator maybe vulnerable to digital or physical theft and before you know it, such logs could end up on the Internet.

Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.

Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source.

But the ISP serving Deccan Herald is obliged by the license terms to log all traffic be it broadband, dial-up or mobile users passing through it. Again, there are no clear guidelines on when to delete these logs and none of the Indian ISPs publicly publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make them available for government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.

With ISPs and online service providers – all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 to June 2010 Google received 1,430 information requests from India. Many other companies, for example, Microsoft, are not as transparent as Google about the state surveillance. So we will never know what they are subjected to.

If the whistle-blower was using Blackberry, all traffic would be transferred from the device to the RIM's Network Operation Centre situated outside India in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning which mail server is being used from the logs and surveillance equipment at the ISP premises. And that is why the government has been engaged in a five-year long public fight with RIM over access to Blackberry traffic.

Now, thanks to the IT Act, the government can demand the service providers, including RIM, to hand over the decryption keys by accusing any individual of a variety of vague offenses -- for example engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’ – under the IT Act. Refusal to hand over the keys is punishable with a jail term of three years.

Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of their international partners. This enterprise is using a VPN or virtual private network for confidential digital communication. As per the ISP license all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key.

In the age of wire-tap leaks, only a miniscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40 bit strength. For example, Gmail uses128 bit and Skype uses 256 bit encryption. Many services use dynamic encryption, that is generate different keys for each session.

So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients.

The IT Act (Amendment 2008) and its associated Rules, notified in April this year are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act.

This has terrifying consequences for our plural society, free media and businesses. Department of Information Technology in particular Dr. Gulshan Rai's office has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clamp down on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/big-brother-watching-you

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

Do You Want to be Watched?

sunil — 2012-03-21T09:11:45Z

The new rules under the IT Act are an assault on our freedom, says Sunil Abraham in this article published in Pragati on June 8, 2011.

Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and their associated rules notified April 2011 proposes to eliminate whatever little privacy Indian netizens have had so far. Already as per the internet service provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things get from bad to worse. (For an analysis of the new rules under the IT Act, see the In Parliament section of this issue).

Now imagine my daughter visits the neighborhood cybercafe, the manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide them to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.

Now suppose my daughter used an online peer-production like Wikipedia or social-media platform like MySpace to commit an act of blasphemy by drawing fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Unfortunately, this is a fringe Web 2.0 platform run by Indian entrepreneur who happens to be a friend of yours. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, unfortunately he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both your friend and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.

You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp.” The message is clear—you are being watched so watch your tongue.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exists, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound—he was depending on store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via master key would have lead the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cyber-cafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.

Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of personal sensitive information only acts as multiple points of failure and leaks—in the age of Niira Radia and Amar Singh one does not have be reminded of authorised and unauthorised surveillance and their associated leaks.

Finally, there is the question of perception management. Perceptions of security does not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems—one, where the fundamental organising principle is trust or second, where the principle is suspicion. Systems based on suspicion usually gives rise to criminal and corrupt behavior. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies—they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy enabling software. Like the prohibition, this will only result in further insecurity and break-down in the rule of law.

Read the original here

For more details visit https://cis-india.org/internet-governance/blog/want-to-be-watched

Snooping Can Lead to Data Abuse

sunil — 2012-03-21T10:39:22Z

THE NATGRID, aiming to link databases of 21 departments and ministries for better counter- terror measures, adopts blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important.

All you manage to do with the current approach help software, hardware and biometric equipment vendors achieve their sales targets. It is quite unlikely that security agencies will learn anything insightful by putting everybody under the same degree of surveillance. There is no scientific evidence to show that we will be a safer nation if the government eavesdropped into all aspects of a citizen’s life. Targeted surveillance, on the other hand, is like good old- fashioned detective work. Put a particular section — of potential troublemakers — under surveillance and leave the others alone.

With round- the- clock, 100- per cent, 360- degree surveillance, all the data is scrutinised all the time. The more effective approach is to sample and collect data while maintaining data trails. If anything suspicious is noticed, the rest of the trail can be dug up. Blanket surveillance only leads to leaks and abuse and tremendous distraction. The surveillance infrastructure will be overburdened as 99 per cent of the records and files scanned will be of no interest terms of fighting terrorism, etc.

The 21 databases need to be opened only when there is anything suspicious in any of the extracted and scrutinised samples or subsets. If there is a suspicious pattern, it should lead to opening of subsets in all the databases. Obviously, there should be ways in which the databases can talk to each other — demand for a particular subset, and not for all the records to be available to agencies all the time.

The NATGRID has to be able to let investigators selectively go in and out of the necessary subsets data. No one should be able to have a 360 degree view of all activities of all Indians. AS OF now, the NATGRID design does not appear to have a safeguard for data abuse. And no matter what you see Hollywood movies, this configuration does not exist in Europe or the US. Two important forms of protections that should be available in democracies with robust privacy laws are missing in India. The first is breach notification.

If intelligence agencies and the police have looked up your files, you have a right to be informed. Secondly, you can request for a copy of the information that is maintained on you and request modifications if the data is inaccurate, so as to prevent harassment. Such checks and balances are necessary an intelligent and appropriate surveillance regime.

Merging all 21 databases for 1.2 billion people into a single system only provides a juicy target for any internal or external enemy. From the perspective national security, it is a foolish thing to do. Terrorist groups will be able to target a single failure point destroy over a billion lives. Since the current configuration of the NATGRID only undermines national security, one is forced conclude that national security is a false pretext.

This explains the deep scepticism among many the intelligence agencies involved. The real purpose of the project is to scare citizens in the age of Arab springs. The NATGRID is a disciplinary measure aimed at social engineering of citizens’ behaviour. Unfortunately, our media has been misled by the corporate cheerleaders of this humongous waste of money.

The writer is executive director at the Centre for Internet and Society in Bangalore.
( As told to Max Martin)

Follow on Mail Today

Download the original here

For more details visit https://cis-india.org/internet-governance/blog/snooping-to-data-abuse

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit https://cis-india.org/internet-governance/blog/privacy-and-security

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology