Centre for Internet and Society

India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System

praskrishna — 2016-03-24T06:34:21Z

from the sliding-down-the-slippery-slope-to-disaster dept

The blog post was published by Tech Dirt on March 22, 2016. CIS research on Aadhaar was quoted.

Last year, we wrote about India's attempt to turn the use of its Aadhaar system, which assigns a unique 12-digit number to all Indian citizens, into a requirement for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still pushing to turn Aadhaar into a mandatory national identity system. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:

There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.

The article notes that in some respects, the new Bill brings improvements over a previous version:

It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But it also contains some huge loopholes:

The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:

A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.

For more details visit https://cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system

Encryption policy would have affected emails, operating systems, WiFi

praskrishna — 2015-09-25T01:23:10Z

Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security, said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The article by Amrita Madhukalya was published in DNA on September 23, 2015.

The Draft National Policy on Encryption, withdrawn by the Department of Electronics and Information Technology (DeiTY) after it created a furore on privacy issues, would have had allowed the government access to any form of digital data that required encryption. Not limited to just WhatsApp or Viber data, it would have affected email services, WiFi, phone operating systems, etc.

"Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security," said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.

The government, criticised heavily for the policy, withdrew it on Tuesday afternoon. It said that a new policy will be brought in its place.

Nikhil Pahwa of internet watchdog Medianama said that data about normal day-to-day activities would have to be stored if the policy was implemented. "The policy would have affected everyday business to consumer data.
This would mean that if a doctor or lawyer had your data digitised, they will be open to access, and would have to be kept for at least 90 days," said Pahwa.

However, he added that a robust encryption is needed. "It is believed that companies like Google, Facebook allow the NSA to access user data in the US, putting our personal security, and the national security largely, at risk," said Pahwa.

For more details visit https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi

Open sesame

praskrishna — 2015-09-25T01:31:49Z

The government’s email is shockingly vulnerable.

The article was published in the Hindu on September 22, 2015. CIS research on private email accounts is mentioned.

As the Centre moves towards smart cities and a Digital India, some critics have cited the country’s increased vulnerability to cyber attacks. To be sure, cyber threat groups could disrupt our infrastructure by taking control of many systems. Such attacks could be quite damaging. Yes, they are rare today, but are much more likely to arise in conjunction with traditional armed conflicts. Cyber criminal groups target Indian organisations on a daily basis.

Almost two years ago, the IT minister’s office triggered national outrage when it used a public email service for official communication. There was much hand-wringing about security practices in a ministry responsible for setting the technology direction (secure email policy) for the country. Then in December 2013, the Centre for Internet and Society revealed that up to 90 per cent of Indian government officials used private email accounts for professional purposes.

A big deal

Between then and now, we’ve read about a new email policy and revelations of several cyber attacks on government officials. And FireEye revealed a decade-long cyber espionage operation by a group we call ‘APT30’, which is likely to be sponsored by China. How did they break in? By sending targeted ‘spear-phish’ emails with malware attached.

Email doesn’t sound like a big deal. Most of us have been using it for over a decade, and think we know how to use it right. But when you’re in a position of authority with access to sensitive information, you shouldn’t leave it to chance.

Today, state-sponsored attackers craft these spear-phishing emails after considerable research. APT30 carefully researched their targets and crafted mails which would appear extremely relevant, with interesting content. The moment a victim would open an attachment, an exploit would secretly install a backdoor. Through that backdoor, groups can compromise the employee’s entire network and extricate sensitive data. Groups bent on destruction can deploy malware to destroy the data. They could also take control of systems managing infrastructure or industrial processes and create havoc.

Spear-phishing has an open rate of 70 per cent, while regular mass emails had an open rate of just 3 per cent. Email is the front- door for today’s threat groups. That’s why governments around the world are improving the security of their email systems to fend off these spear-phishing threats.

Public concerns

When government employees use webmail for official business, they trade away their security for convenience. The emails they receive are no longer screened by cyber security solutions, which detect advanced targeted email attacks before they reach the inbox. In addition, because people typically retrieve their webmail in a browser, attackers have a larger attack surface to exploit when carrying out their attacks. For example, attackers can coax victims to click on a link to a website, which delivers an exploit via Adobe Flash.

Webmail opens the door to threats that would otherwise have been intercepted. When our government employees use webmail for official business, they leave the front door wide open to threats. One of the best steps we can take towards improving our government’s cyber security defences is abandoning public email services.

The writer is a software architect at the cyber security firm FireEye

For more details visit https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame

Govt presses 'undo' button on draft encryption policy

praskrishna — 2015-09-25T01:55:57Z

The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.

The article was published in Business Standard on September 23, 2015. Sunil Abraham gave inputs.

The government on Tuesday scrapped a draft national encryption policy that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.

The decision came a day before Prime MinisterNarendra Modi embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.

At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.

The draft had global ramifications, as Facebook,Twitter and messaging apps such as WhatsApp were named in it.

Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.

“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for, seeking comment. I read the draft. I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”

According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.

This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.

Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and Facebook out of its purview.

In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.

“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director,Centre for Internet and Society (CIS).

Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.

Opposition parties slammed the Draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”

Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”

ABOUT THE NATIONAL ENCRYPTION POLICY

Five things the government draft policy wanted

Information security for individuals, businesses and government agencies
Development of indigenous encryption standards
Use of digital signatures to authenticate transactions
Legal interception and data retention
Service providers to register under appropriate government agency

Things that caused outrage

Regulation of private sector encryption
Storage of all encrypted communications for

90 days

Gaining backdoor into private communications of users

Amendment & withdrawal

Omission of mass encryption products such as those used by social networks
Withdrawal of draft policy following Ravi Shankar Prasad’s statement

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Facebook’s Free Internet Access Program in Developing Countries Provokes Backlash

praskrishna — 2015-09-29T16:35:02Z

In India and Indonesia, users criticize Internet.org initiative, saying it violates the principles of net neutrality.

The article by Newley Purnell and Resty Woro Uniar was published in the Wall Street Journal on September 24, 2015. Sunil Abraham gave inputs.

When Muhammad Maiyagy Gery heard about a new mobile app from Facebook Inc. that provides free Internet access in his native Indonesia, he was excited.

But after testing it, the 24-year-old student from a mining town on the eastern edge of Borneo soon deleted the app, called Internet.org, frustrated that he was unable to access Google. com and some local Indonesian sites.

Mr. Gery said Facebook Chief Executive Mark Zuckerberg is an “inspiration in the tech world,” but added that the company’s free Internet effort is “inadequate.”

Mr. Gery’s reaction illustrates the unexpected criticism Facebook has encountered to its bold initiative to bring free Internet access to the world’s four billion people who don’t have it, and to increase connectivity among those with limited access. He is one of many users who say a Facebook-led partnership is providing truncated access to websites, thwarting the principles of what is known in the U.S. as net neutrality—the view that Internet providers shouldn’t be able to dictate consumer access to websites.

Since Mr. Zuckerberg’s announcement of the $1 billion project two years ago, Facebook has launched Internet.org in 19 countries across Asia, Latin America and Africa by teaming up with mobile carriers and technology giants including Samsung Electronics Co. , chip maker Qualcomm Inc. and telecom-equipment firm Ericsson AB. Facebook says that through the initiative, in which it is also experimenting with drones and satellites to deliver Web access, some nine million people have come online.

Users with data-enabled feature phones can access a special website through a mobile browser, while those with smartphones can download the app from Google’s Play Store. Though arrangements vary by country, the Internet.org app typically provides a simplified, low-data version of Facebook, its Messenger service and selected local websites offering services like jobs, health information and sports updates. Facebook says it works with mobile operators, which provide free data, and governments to pick sites for the platform.

While some applaud the Internet initiative, the U.S. company is dealing with a backlash from users in some of its fastest-growing markets like Indonesia and India, which are key to its future expansion.

In response to the criticism, Mr. Zuckerberg earlier this year wrote an opinion article that appeared in two Indian newspapers defending the project. He argued that the initiative is compatible with the principles of net neutrality, and that if people “can’t afford to pay for connectivity, it is always better to have some access and voice than none at all.”

But criticism about the initiative has placed Facebook in an awkward position. The social network along with other tech companies like Amazon.com Inc. and Twitter Inc. are members of the U.S. industry group Internet Association, which advocates for net neutrality, among other issues. In markets like Indonesia and India, critics say Facebook is more interested in controlling which websites users can tap into than in ensuring free Internet access. “It’s not Internet.org. It’s walled garden.org,” said Sunil Abraham, head of the Bangalore, India-based Center for Internet and Society.

Facebook wants to be seen as a pioneer “of the open and free Internet and not the opposite,” said Neha Dharia, an analyst at telecommunications research firm Ovum.

On Thursday, Facebook said it was changing the name of the Internet.org app and mobile website to Free Basics by Facebook in order to better distinguish it from the company’s wider Internet.org initiative. Asked whether the change was related to criticism of the project, a Facebook spokeswoman said that the name will “more intuitively describe the product to consumers.”

Chris Daniels, Facebook’s vice president in charge of the project, said in a recent interview that he has been surprised by the criticism of the project, noting that many people have gained access to the Web.

This spring in India, travel website Cleartrip, news channel NDTV and a mobile news app pulled their content from the platform amid concerns over net neutrality.

Cleartrip referred inquiries about its reasons for leaving the initiative to an April statement it posted on its website. In that statement, the company said the backlash in India “gave us pause to rethink our approach to Internet.org and the idea of large corporations getting involved with picking and choosing who gets access to what and how fast.”

Vishal Anand, chief product officer at mobile news app Dailyhunt, said that “While we appreciate the effort to give people Internet access, we fully support the principles of net neutrality.” He declined to elaborate on the company’s specific objections to Internet.org.

For more details visit https://cis-india.org/internet-governance/news/wsj-september-24-2015-newley-purnell-resty-woro-uniar-facebook-free-internet-access-program-in-developing-countries-provokes-backlash

Understanding and Mitigating Online Hate Speech and Youth Radicalisation

praskrishna — 2015-10-01T01:59:24Z

The tenth annual IGF meeting will be held in João Pessoa, Brazil, on November 10 - 13, 2015. IGF's MAG has decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development” as the overarching theme. UNESCO as part of the IGF event is organizing a workshop on hate speech and youth radicalisation. Sunil Abraham will be a panelist for this workshop.

Co-organizers: Council of Europe, Oxford University; OHCHR, Google, ISOC

From socializing and entertainment to homework, the Internet is an essential part of life for young people today, opening vast new opportunities for connecting and learning. At the same time, the Internet provides violent extremists with powerful tools to propagate hatred and violence and to identify and groom potential recruits, creating global online communities that promote radicalization.

The emergence and diffusion of hate speech online is a new and fast evolving phenomenon and collective efforts are needed to understand its significance and consequences, as well as to develop effective responses.

UNESCO takes this session to share the initial outcome from its commissioned research on online hate speech including practical recommendations on combating against online hate speech through understanding the challenges, mobilizing civil society, lobbying private sectors and intermediaries and educating individuals with Media and Information Literacy. In related to this, the workshop would also discuss how to help empower youth to address online radicalization and extremism, and realize their aspirations to contribute to a more peaceful and sustainable world.

Chaired by Ms Lidia Brito, Director for UNESCO Office in Montevideo
Frank La Rue, Former Special Rapporteur on Freedom of Expression
Lillian Nalwoga, President ISOC Uganda and rep CIPESA, Technical community
Bridget O’Loughlin, CoE, IGO
Gabrielle Guillemin, Article 19
Iyad Kallas, Radio Souriali
Sunil Abraham executive director of Center for Internet and Society, Bangalore, India
Eve Salomon, global Chairman of the Regulatory Board of RICS (the self-regulatory body for surveyors)
Javier Lesaca Esquiroz, University of Navarra
Representative GNI
Remote Moderator: Xianhong Hu, UNESCO
Rapporteur: Guilherme Canela De Souza Godoi, UNESCO

For more details visit https://cis-india.org/internet-governance/news/understanding-and-mitigating-online-hate-speech-and-youth-radicalisation

Online outcry forces government to withdraw draft encryption policy

praskrishna — 2015-10-01T02:05:01Z

The article by Naina Khedekar discussing encryption policy was published in First Post on September 23, 2015. Pranesh Prakash has been quoted.

Read the original published by First Post here.

Yesterday, the government released a draft encryption policy aimed at keeping a tab on the use of technology by specifying algorithms and length of encryption keys used by ‘all’. It wanted businesses, telcos and Internet companies to store all encrypted data for 90 days in plain text which should be presented before the law enforcement agencies whenever asked to. Moreover, failing to do so would mean legal action as per the laws of the country.

After a huge outcry, most of us woke up to the new proposed addendum this morning wherein the government has clarified to exempt products such as social media sites including WhatsApp, Facebook and Twitter; payment gateways; e-commerce and password based transactions and more from the draft policy.

Finally, the government has decided to withdraw the draft encryption policy.

I have written for that draft to be withdrawn, made changes to and then re-released: RS Prasad : ANI pic.twitter.com/W2IP4meEGb

— Firstpost (@firstpost) September 22, 2015

Some sort of encryption policy is there all over the world: Ravishankar Prasad pic.twitter.com/cDvsOWtjcM

— Firstpost (@firstpost) September 22, 2015

What’s fascinating is how the whole process felt like déjà vu. Haven’t we seen the drama unfold before. While the dust on the net neutrality sage has barely settled, we’re already facing newer issues related to encryption and privacy. We never learn from our mistakes, do we? A new draft policy, public outcry, and then comes the much-needed changes.

The Indian government hasn’t just caused anxiety and chaos among the netizens, but the initial draft completely misguided people. According to TheNextWeb, “The Indian government has made a fool of itself and caused anxiety among citizens with a woefully misguided proposal for a national encryption policy that it’s just released to the public for feedback.”

While we sit back and talk about Digital India, smarter cities and so on, the makers of the law seem to be clueless about some major by-products concerning these initiatives such as security, privacy and likewise. Each time the government talks about a new initiative meant to bring in some law and order pertaining to digital rights, it somehow manages to come up with implications that could affect us far worse.

In this case, the Indian government is trying to ensure that its law enforcement agencies have easy access to encrypted information whenever required, but this could easily compromise security and privacy in the process.

Moreover, each time the government releases a proposal for our digital lives, it’s people who remind the government about the adverse implications it could have. Does the expert panel writing these reports know nothing about privacy and how it possibly works? Or is the government simply looking at a trial balloon policy to gauge reactions by people. So, next time we don’t react, a draconian rule might just be governing our digital lives.

The whole net neutrality saga continued for months with assurance from the government on how it supports free and equal Internet, and eventually made ‘certain changes’. This seems headed on a similar path. Though the new addendum comes with changes, it still leaves us as muddled as before.

Pranesh Prakash of the CIS has tweeted out how the new clarification clarifies nothing.

This clarification by the govt does not clarify anything, but further muddles the encryption policy. pic.twitter.com/1KK8AFRp6Q

— Pranesh Prakash (@pranesh_prakash) September 22, 2015

All OSes will be illegal in India (IV.6 + V.3 of draft encryption policy) unless Microsoft, Apple, Red Hat, etc, sign agreement w/ govt.

— Pranesh Prakash (@pranesh_prakash) September 21, 2015

If India enacts that National Encryption Policy, their global back-end and support business will be drastically reduced. If it survives.

— Lin S (@Just_this_time) September 21, 2015

A new Medianama report also points out loopholes in the changes announced. The report adds how any encrypted service would have to sign an agreement with the government. With the heavy mobile penetration and increasing number of encrypted mobile services that people use, it is really feasible for the government to ink an agreement with all the services that are based outside the country.

Problems with the update to India's draft anti-privacy policy http://t.co/gKus1o3uaC pic.twitter.com/adqVJTedFI

— Nikhil Pahwa (@nixxin) September 22, 2015

In the past, we’ve seen the blame game around the laws, usually the ‘hurriedly’ changed laws passed (after the inability to monitor encrypted messages during the Mumbai terrorist attacks) in the winter session of 2008 without any debate or discussion by bears the brunt. Earlier this year, we saw the government crack down the Section 66A of the 2008 Information Technology Act describing it “unconstitutional” and “hit at the root of liberty and freedom of expression, the two cardinal pillars of democracy.”

Why can’t all the thinking be done before drafts are penned down for public review. A well thought out report would help avoid retractions later.

For more details visit https://cis-india.org/internet-governance/news/first-post-naina-khedekar-september-23-2015-online-outcry-forces-government-to-withdraw-draft-encryption-policy

‘By weakening our security, govt is putting us at risk of espionage’

praskrishna — 2015-10-02T03:09:46Z

After the BlackBerry encryption and IT Act fiascos of recent years, the government last week sent yet another cyber policy howler, the Draft National Encryption Policy, only to withdraw it in the face of severe protests. S. Raghotham and Mayukh Mukherjee spoke with Pranesh Prakash, policy director, Centre for Internet & Society, on the government’s continued misadventures with data privacy and encryption.

This interview of Pranesh Prakash was published in Asian Age on September 27, 2015.

First we had Section 66A in the Information Technology Act. Now we have these attempts at breaking encryption and invading privacy. Your comment.
The Draft National Encryption Policy (DNEP) was not only an invasion of privacy and a restriction on anonymous speech, but was, most importantly, a direct assault on national security. It was quite clearly drafted by people who did not understand encryption, who think that encryption is something that only a handful of people do, without realising that encryption is baked into most of our technologies.

It is clear that the government’s cyber-law division needs people who are better versed in both the law (including constitutional rights) as well as technical aspects of IT. It’s not just Section 66A, but a host of other provisions in the IT Act which display a similar cluelessness. For instance, gaining unauthorised access to a protected system for purposes of defamation is, as per Indian law, sufficient to commit the offence of “cyber terrorism”.

How does this compare with the previous government’s attempts to gain access to BlackBerry communications?
L’affaire BlackBerry concluded with the government realising that while they could get BlackBerry to locate a network operations centre in India, they still couldn’t decrypt everything since BlackBerry Enterprise Service allowed enterprises to control the encryption. However, the government seems to have drawn the wrong lesson from that, and wants to prevent end-users from using encryption the way they have already managed with telecom companies and Internet service providers, who are not allowed to deploy bulk encryption which saves their customers’ data from being intercepted by attackers.

The government seems to be saying, if the US National Security Agency (NSA) doesn’t get you, we will. How are we to respond to this?
If you’re using Gmail, Yahoo Mail, Hotmail, etc., you already have opportunistic traffic-level encryption for email. Ironically, no @deity.gov.in or @nic.in address has even this basic level of encryption. This is the shocking state of affairs even many years after National Informatics Centre (NIC) publicly acknowledged that multiple email accounts that they host were hacked into. National security is a collective form of security — we can’t increase national security by making individuals less secure. We can’t, for instance, improve national security by telling people not to use locks on their houses. That will only decrease security, not increase it. And we are in a situation where our government conducts all their email communications using the online equivalent of postcards, rather than using sealed envelopes. The Central government urgently needs to appoint a group of security experts who work with NIC to shore up our defensive security.

A slide on an NSA programme called BOUNDLESSINFO-RMANT showed that in the month of February 2013, the NSA has collected 12.5 billion data records relating to phone calls from India, far more than what they had collected from China. The fact that our government mandates weak telecom security (by restricting bulk encryption) might account for this. By weakening our security, the government is putting us at greater risk of espionage and at the hands of hackers.

What are some of the ramifications for businesses and individuals if the government were to have keys to all encrypted information as it seeks?
The government, in the DNEP, did not even seek key escrow (which is what the debate was about in the 1990s in the US’ “crypto war”). Here the government more or less sought to tell companies and individuals that they have to keep plain text, making storage-level encryption pointless. This means that all your company’s information — emails, passwords and financial records — would be vulnerable to compromise by hackers. It is like telling a company that it is allowed to own a government-approved safe for storing important documents, but it has to keep a copy of all the important documents outside the safe.

Is the encryption policy fiasco some junior bureaucrat’s ignorance of what he was proposing or is it part of the government’s continued efforts to somehow gain control over information flows?
The government intended to gain greater access to everyday transactions. This would violate citizens’ privacy, which the government has been arguing is not a fundamental right. They went about it in a manner that is absurd in its consequences. The policy would have required you to record every mobile phone call and Skype call, to keep a plain text version of communications, which would harm national security. While I don’t believe the government would intentionally weaken national security, as they would have had this draft policy been carried forward, one cannot say that the government wouldn’t do so wantonly, much in the same way that they haven’t even employed basic security in their email systems.

Do you perceive a higher level of desire in the current government to control information flows?
The Indian government’s pursuance of harmful technology policies is nothing new. However, I hope that as a tech-savvy person heading an ostensibly tech-savvy government, Prime Minister Narendra Modi steps in and halts these deleterious policies. One disappointment of the last year has been the lack of progress on the Privacy Act, which seems to have been shelved for the time being. I believe the government’s motivations are genuine and grounded in the public interest. However, as in any constitutional democracy, the citizenry ought to be engaged in both defining the public interest as well as in debating how we best protect and uphold it within the norms laid down in our Constitution, which includes guarantees of fundamental rights which are inviolable except in limited circumstances.

For most of these policy problems, the best way forward is to ensure that the government follow a system of issuing green papers — essentially non-papers meant to stimulate public discussion — before it issues white papers which contain statements of policy intent, based on which it finally formulates policies or laws. Currently, interaction between policymakers and civil society is far too infrequent. The government needs to inject far more subject-matter expertise into policymaking.

For more details visit https://cis-india.org/internet-governance/news/asian-age-september-27-2015-s-raghotham-and-mayukh-mukherjee-by-weakening-our-security-govt-is-putting-us-at-risk-of-espionage

September 2015 Bulletin

praskrishna — 2015-11-25T01:55:25Z

We are happy to share with you the ninth issue of the Centre for Internet and Society (CIS) newsletter (September 2015). It has been a significant month for public debates on the digital future of governance, citizenship, and economy in India, led by conversations around the draft National Encryption Policy, the Aadhaar number as a basis for provision of welfare services, the investigation of Google for potential abuse of market dominance by the Competition Commission of India, and the Guidelines for Examination of Computer Related Inventions released by the Indian Patents Office. We were busy engaging with these issues, and more.

The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Sumandro Chattapadhyay, Research Director

Internet Researchers' Conference (IRC) 2016 - Studying Internet in India
With great excitement, we are announcing the beginning of an annual conference series titled Internet Researchers' Conference (IRC), the first edition of which is to take place in Delhi during February 25-27, 2016 (yet to be confirmed). We invite you to propose sessions for the conference by Sunday, November 15, 2015.

Highlights

CIS sent an Open Letter to Prime Minister Narendra Modi during his US visit, requesting him to urge USA to ratify the Marrakesh Treaty. During the month, NVDA team organized training programmes for the visually impaired at Kullu, Bangalore and Ranchi. Nehaa Chaudhari in a blog post laid out a series of research questions, potentially seeking to apply actor-network theory as a research methodology. Recently, the Indian Patents Office released the Guidelines for Examination of Computer Related Inventions (“2015 Guidelines/ Guidelines”) in an attempt to clarify examination of software related patents in India. Anubha Sinha analysed the 2015 Guidelines. Read on to understand how the new guidelines will potentially lead to an increase in software patenting activity by expanding the scope of patentable subject matter – in negation of the legislative intent of section 3(k) of the Indian Patents Act, 1970. As a part of its content donation initiative, CIS has brought Nadustunna Charithra magazine under CC BY SA licence. CIS-A2K has received 74 issues as of now from the Telugu Jaati foundation. Sunil Abraham’s article titled Hits and Misses with the Draft Encryption Policy was published in The Wire on September 26, 2015. Vidushi Marda in a blog post titled Data Flow in the Unique Identification Scheme of India analysed the data flow within the UID scheme and highlighted the vulnerabilities at each stage. Vanya Rakesh in a blog post titled Human DNA Profiling Bill 2012 v/s 2015 Bill has analysed the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill. CIS sought information from ICANN on their revenue streams by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in a blog post by Aditya Garg. CIS has submitted a joint proposal with DataMeet and Oorvani for the Knight News Challenge 2015. We are proposing the development of "an application for users to search for locally-relevant data, discuss missing data, demand data, explore and respond to data demands by others, and start data crowd-sourcing exercises." CIS made its submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations to ICANN's CCWG-Accountability. Pranesh Prakash, on behalf of CIS, submitted comments to the Department of Telecom Panel’s report on net neutrality via MyGov. Prakash states that the report displays a far better understanding of the underlying issues than the TRAI consultation paper did, and is overall a good effort at balancing the different sides. Shyam Ponappa’s monthly column titled More on Those Dropped Calls was published by Business Standard.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing a project on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here.

NVDA and eSpeak

Monthly Updates

September 2015 Report (Suman Dogra; September 30, 2015).

Event Reports

Training in the use of eSpeak Hindi with NVDA (Organized by CIS and Lakshay for the Differently Abled; September 29 – 30, 2015; Ranchi). The event was conducted online by Dr. Homiyar over skype, with local support from Mritunjay Kumar and Zainab.
5 day TOT for Training in Use of eSpeak Kannada with NVDA (Organized by CIS, Mithra Jyoti, Enable India and NFB, Bangalore; September 21 – 25, 2015; Bangalore).
eSpeak Training in Hindi Language (Organized by CIS and National Association for the Blind; Kullu; September 3 – 4, 2015).
Training in eSpeak Marathi (Organized by CIS; Atmadepam Society; August 22 – 23, 2015). The report was published in the month of September.

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Pervasive Technologies

Blog Entries

Pervasive Technologies: Working Document Series - Research Questions and a Literature Review on the Actor-Network Theory (Nehaa Chaudhari; September 5, 2015).
FAQ: CIS Proposal for Compulsory Licensing of Critical Mobile Technologies (Rohini Lakshané; September 25, 2015).

Other (Copyright and Patent)

Submission

Comments on the Guidelines for Examination of Computer Related Inventions (CRIs) (Anubha Sinha; September 21, 2015).

Blog Entries

Open Letter to PM Modi on Intellectual Property Rights issues on His Visit to the United States of America in September 2015 (Pranesh Prakash and Nehaa Chaudhari; September 23, 2015).

Participation in Events

National Conference: WTO, FTAs and Investment Treaties: Implications for development policy space (Organized by Focus on the Global South, Institute for Studies in Industrial Development (ISID), Madhyam, MSF Access Campaign, National Working Group on Patent Laws and WTO (NWGPL), Public Services International (PSI) – South Asia, South Solidarity Initiative – ActionAid, Third Word Network (TWN), and Forum against FTAs; September 22 – 23, 2015; Institute for Studies in Industrial Development, New Delhi). Nehaa Chaudhari made a presentation on Copyright: Access to Knowledge in Free Trade Agreements?
IPEX 2015 (Organized by Confederation of Indian Industry, APTDC and TDPC; September 25 - 26, 2015; Chennai). Rohini Lakshané attended the event.

Media Coverage

Open letter from CIS to PM Modi on Intellectual Property Rights issues on his Visit to US (Apoorva Mandhani; LiveLaw; September 23, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

CIS brings Nadustunna Charithra magazine under CC BY SA licence (Tanveer Hasan; September 2, 2015).
OCR and OER – update (Subhashish Panigrahi; Open Education Working Group; September 25, 2015).
As Odia Wikipedia turns 13, what happens next? (Subhashish Panigrahi; September 26, 2015). This was originally published on the Wikimedia Blog on August 21. The post was shared on Wikipedia's official Facebook page, and on Twitter handles [1 and 2].
Google's Optical Character Recognition Software Now Works with All South Asian Languages (Subhashish Panigrahi; September 26, 2015).
Wikimedia contributor shares his Linux story (Subhashish Panigrahi; September 27, 2015). This article is part of a series called My Linux Story. To participate and share your Linux story, contact us at: open@opensource.com. Read the original published by Opensource.com on September 3, 2015.

Events Co-organized

Annamaya Library edit-a-thon (Organized by CIS-A2K and Telugu Wikipedia Community; August 6, 2015; Andhra Loyola College; Vijaywada).
International Workshop on Digitization and Archiving (Organized by CIS-A2K and Wikipedia Community; August 19 – 21, 2015). Rahmanuddin Shaik was one of the trainers.

Media Coverage

CIS gave its inputs to the following:

Unable to read Odia on your android device? Don’t fret! (Ruby Nanda; Odisha Sun Times; September 28, 2015).

Openness

The advent of the Internet has radically redefined what it means to be open and collaborative. The Internet itself is built upon open standards and free/libre/open source software. Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Open Data

Submission

As one of the general stewards of the process, CIS was invited to take part in the final drafting meeting of the International Open Data Charter held before Con Datos 2015 in Santiago, Chile, but we could not take part in it. Apart from organising two public consultations on the draft Charter in Bengaluru and Delhi, we also submitted our detailed comments on the document. The final version of the Charter document has been launched at the United Nation General Assembly meeting, on September 27.

Free Software

Blog Entry

Software Freedom Pledge (Pranesh Prakash; September 25, 2015).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Privacy

Article

Hits and Misses With the Draft Encryption Policy (Sunil Abraham; The Wire; September 26, 2015).

Blog Entries

Data Flow in the Unique Identification Scheme of India (Vidushi Marda; September 3, 2015).
Human DNA Profiling Bill 2012 v/s 2015 Bill (Vanya Rakesh; September 6, 2015).
Open Governance and Privacy in a Post-Snowden World: Webinar (Vanya Rakesh; September 26, 2015).

Participation in Event

The Changing Landscape of ICT Governance and Practice - Convergence and Big Data (Co-organized by Innovation Center for Big Data and Digital Convergence, Yuan Ze University, Taiwan; August 24 – 25, 2015). Sharat Chandra Ram was granted the Young Scholar Award 2015 to attend the Young Scholar Workshop followed by main CPRSouth2015 conference (Communication Policy Research South) conference.

Free Speech and Expression

Submission

CIS Submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations (Pranesh Prakash; September 13, 2015).

Blog Entries

DIDP Request #11: NETmundial Principles (Aditya Garg; September 14, 2015).
DIDP Request #12: Revenues (Aditya Garg; September 14, 2015).
Peering behind the veil of ICANN’s DIDP (Padmini Baruah; September 21, 2015).

Participation in Event

Asian Regional Consultation on the WSIS+10 Review (Organized by The Internet Democracy Project, Bytes for All, APNIC, the Association for Progressive Communications, ISOC, Global Partners Digital and ICT Watch; September 3 – 5, 2015). Jyoti Panday attended the event.

IGF

The tenth annual IGF meeting will be held in João Pessoa, Brazil, on November 10 - 13, 2015. IGF's MAG has decided to retain the title “Evolution of Internet Governance: Empowering Sustainable Development” as the overarching theme. Sunil Abraham will be a panelist for the following workshops:

Understanding and Mitigating Online Hate Speech and Youth Radicalisation (Organized by Council of Europe, Oxford University, OHCHR, Google and ISOC; November 2015).
Transnational Due Process: A Case Study in Multi-stakeholder Cooperation (Organized by the United Nations; November 2015).

Cyber Security

Event Organized

Bangalore Chapter Meet of DSCI (Co-organized by DSCI and CIS; September 26, 2015). Melissa Hathaway, Commissioner, Global Commission for Internet Governance and Sunil Abraham gave a talk at this event.

Miscellaneous

Sustainable Smart Cities India Conference 2015, Bangalore (Vanya Rakesh; September 21, 2015).

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Submission

Comments on the DoT Panel Report via MyGov (Pranesh Prakash; September 26, 2015).

Op-ed

More on those Dropped Calls (Shyam Ponappa; Business Standard; September 2, 2015 and Organizing India Blogspot; September 3, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Submission

Where's My Data? Submission for Knight News Challenge 2015 (Sumandro Chattapadhyay; September 30, 2015). The text of the proposal was prepared by Nisha Thompson of DataMeet, Meera K of Oorvani, and Sumandro Chattapadhyay.

Blog Entries

The Internet in the Indian Judicial Imagination (Divij Joshi; September 9, 2015).
The Many Lives and Sites of Internet in Bhubaneswar (Sailen Routray; September 21, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

Does this click with you? (Parshathy J. Nath; The Hindu; September 1, 2015).
Government may tieup with global police, Interpol to fight child pornography (Surabhi Agarwal; September 3, 2015).
Hiding behind rules on naming sites it banned, govt reveals fears (Harjeet Inder Singh Sahi; September 3, 2015).
Outrage before sharing (Nikhil Verma; The Hindu; September 9, 2015).
Faking a stand (Shweta T. Nanda; The Week; September 20, 2015).
Some Key Words Are Missing (Arindam Mukherjee; Outlook; September 21, 2015).
Open sesame (The Hindu; September 22, 2015).
India encryption policy draft faces backlash (Moulishree Srivastava; September 22, 2015)
Online outcry forces government to withdraw draft encryption policy (Naina Khedekar; First Post; September 23, 2015).
Encryption policy would have affected emails, operating systems, WiFi (Amrita Madhukalya; DNA; September 23, 2015).
Govt presses 'undo' button on draft encryption policy (Business Standard; September 23; 2015).
Huge outcry forces India to backtrack on social media data proposal (Today; September 24, 2015).
Facebook’s Free Internet Access Program in Developing Countries Provokes Backlash (Newley Purnell and Resty Woro Uniar; The Wall Street Journal; September 24, 2015).
Ahead of hosting Modi, Facebook rebrands internet.org as Free Basics (Business Standard; September 26, 2015).
‘By weakening our security, govt is putting us at risk of espionage’ (S. Raghotham and Mayukh Mukherjee; Asian Age; September 27, 2015).
ভারতে পাঁচশোরও বেশি স্টেশনে ফ্রি ওয়াই-ফাই চালু হবে (BBC; September 28, 2015).
Do you agree with our fee hike? Press 1 to answer Yes; or 2 for Yes (Kieren McCarthy; The Register; September 29, 2015).
Indian PM Narendra Modi’s digital dream gets bad reception (Amanda Hodge; September 29, 2015).
What Bengaluru Thinks of the Big Tech Announcements in Silicon Valley (Maya Sharma; NDTV; September 29, 2015).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru – 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, Access to Knowledge, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/september-2015-bulletin

Enabling Multi-stakeholder Cooperation - Towards a Transnational Framework for Due Process

praskrishna — 2015-10-14T02:53:07Z

Internet & Jurisdiction Project organized a multi-stakeholder meeting of the global multi-stakeholder dialogue process in 2015 on October 8-9 in Berlin, Germany. Sunil Abraham participated in this meeting.

Since 2012, the Internet & Jurisdiction Project has facilitated a global multi-stakeholder dialogue process to address the tension between the cross-border nature of the Internet and geographically defined national jurisdictions. It provides a neutral platform for states, business, civil society and international organizations to discuss the elaboration of a transnational due process framework to handle the digital coexistence of diverse national laws in shared cross-border online spaces. This pioneering multi-stakeholder cooperation effort seeks to develop a “policy standard” for transnational requests for domain seizures, content takedowns and access to subscriber information.

2015 is an important moment that determines the future of the multi-stakeholder model in global Internet Governance. The Internet & Jurisdiction Project hopes it can provide an opportunity to demonstrate that multi-stakeholder cooperation can produce operational solutions to concrete policy challenges that no stakeholder group can solve on its own.

The meeting will gather key actors from states, Internet companies, technical operators, civil society, academia and international organizations.

This was published on the website of Internet & Jurisdiction Project

For more details visit https://cis-india.org/internet-governance/news/enabling-multi-stakeholder-cooperation-towards-a-transnational-framework-for-due-process

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

jyoti — 2015-10-14T14:40:08Z

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision¹ which had previously concluded that the 'Safe Harbor Privacy Principles'² provide adequate protections for European citizens’ privacy rights³ for the transfer of personal data between European Union and United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court's judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined⁴ that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework is not news for the Commission and action by ECJ has been a long time coming. The ruling raises important questions about how increasingly the contestations of personal data are being employed in asserting claims of citizenship in context of the internet.

As the highest court in Europe, the ECJ's decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies⁵ subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US based firms.

Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.⁶

For EU citizens the stake in the case are even higher, as while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress, if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use of US based firms are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for the EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.⁷ Underlying the ruling is the growing policy divide between the US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization⁸ of the internet in the future.

US-EU Data Protection Regime

The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from EU to US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met and giving users right to opt out of data collection.⁹

The agreement was due to be renewed by May 2015¹⁰ and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).¹¹ EU member states have mostly stayed silent as they run their own surveillance programs often times, in cooperation with the NSA. EU institutions cannot intervene in matters of national security however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden's 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US¹². In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.

Towards Harmonization

In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on 'Rebuilding Trust is EU-US Data Flows'.¹³ The recommendations revealed two critical initiatives at the EU level—first was the revision of the EU-US safe harbor agreement¹⁴ and second the adoption of the 'EU-US Umbrella Agreement¹⁵'—a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.¹⁶ The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.¹⁷ However, the adoption of the Umbrella Act depends on US Congress adoption of the Judicial Redress Act (JRA) as law.¹⁸

Judicial Redress Act

The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.¹⁹

For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protections agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with US cannot seek these protections leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of 'efficiently sharing' in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.

Taken together the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that EU’s acceptance of the redundancy of existing agreements and in establishing the independence of national data protection authorities in investigating and enforcing national laws as demonstrated in the Schrems and in the Weltimmo²⁰ case point to accelerated developments in the broader EU privacy landscape.

Consequences

The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving 'model contracts' binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”²¹

The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data²², effectively requiring data localization in Europe.²³ Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.²⁴ While the implications of the decision will take some time in playing out, what is certain is that US companies will be have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with EU.

The Opportunity for India

Multiple data flows taking place over the internet simultaneously and that has led to ubiquity of data transfers o ver the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.

Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”²⁵ In the absence of the recognition of privacy as a right and empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizen’s data in other jurisdictions and from other governments begins with establishing protection regimes within the country.

The Indian government has also stepped up efforts to restrict transfer of data from India including pushing for private companies to open data centers in India.²⁶ Negotiating data localisation does not restrict the power of private corporations from using data in a broad ways including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling purports to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also have an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey²⁷ that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.²⁸ EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive a standard to which India does not match up, yet. The lack of this status prevents the flow of data which is vital for Digital India vision and also affects the service industry by restricting the flow of sensitive information to India such as information about patient records.

Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While, enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,²⁹ for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying data location lens to protection measures may be too narrow. Further it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.³⁰ Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information even so, as the Schrems case ruling points out not having adequate privacy protections could also restrict flow of data, as has been the case for India.

The time is right for India to appoint a data controller and put in place national frameworks, based on nuanced understanding of issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.³¹ By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.

1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215 , 25/08/2000 P. 0007 -0047 2000/520/EC: http ://eur -lex .europa .eu /LexUriServ /LexUriServ .do ?uri =CELEX :32000 D 0520:EN :HTML

2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

3 Megan Graham, Adding Some Nuance on the European Court ’s Safe Harbor Decision , Just security

https ://www .justsecurity .org /26651/adding -nuance -ecj -safe -harbor -decision /

4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http ://curia .europa .eu /jcms /upload /docs /application /pdf /2015-09/cp 150106 en .pdf

5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http ://www .theregister .co .uk /2015/10/07/eu _pushes _safe _harbour _alternatives /

6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http ://www .europarl .europa .eu /meetdocs /2009_2014/documents /libe /pr /922/922387/922387 en .pdf

7 Dana Polatin-Reuben, Joss Wright, ‘An Internet with BRICS Characteristics: Data Sovereignty and the Balkanisation of the Internet’, University of Oxford, July 7, 2014 https ://www .usenix .org /system /files /conference /foci 14/foci 14-polatin -reuben .pdf

8 Sasha Meinrath, The Future of the Internet: Balkanization and Borders, Time, October 2013 http ://ideas .time .com /2013/10/11/the -future -of -the -internet -balkanization -and -borders /

9 Safe Harbour Privacy Principles, Issued by the U.S. Department of Commerce, July 2001 http ://www .export .gov /safeharbor /eu /eg _main _018475.asp

10 Facebook case may force European firms to change data storage practices, The Guardian, September 23, 2015 http ://www .theguardian .com /us -news /2015/sep /23/us -intelligence -services -surveillance -privacy

11 Privacy Tracker, US-EU Safe Harbor Under Pressure, August 2, 2013 https ://iapp .org /news /a /us -eu -safe -harbor -under -pressure

12 Kieren McCarthy, Privacy, net neutrality, security, encryption ... Europe tells Obama, US Congress to back off, The Register, 23 September, 2015 http ://www .theregister .co .uk /2015/09/23/european _politicians _to _congress _back _off /

13 Communication from the Commission to the European Parliament and the Council, Rebuilding Trust in EU-US Data Flows, European Commission, November 2013 http ://ec .europa .eu /justice /data -protection /files /com _2013_846_en .pdf

14 Safe Harbor on trial in the European Union, Access Blog, September 2014 https ://www .accessnow .org /blog /2014/11/13/safe -harbor -on -trial -in -the -european -union

15 European Commission - Fact Sheet Questions and Answers on the EU-US data protection "Umbrella agreement", September 8, 2015 http ://europa .eu /rapid /press -release _MEMO -15-5612_en .htm

16 McGuire Woods, ‘EU and U.S. reach “Umbrella Agreement” on data transfers’, Lexology, September 14, 2015 http ://www .lexology .com /library /detail .aspx ?g =422 bca 41-2 d 54-4648-ae 57-00 d 678515 e 1 f

17 Andrew Woods, Lowering the Temperature on the Microsoft-Ireland Case, Lawfare September, 2015 https ://www .lawfareblog .com /lowering -temperature -microsoft -ireland -case

18 Jens-Henrik Jeppesen, Greg Nojeim, ‘The EU-US Umbrella Agreement and the Judicial Redress Act: Small Steps Forward for EU Citizens’ Privacy Rights’, October 5, 2015 https ://cdt .org /blog /the -eu -us -umbrella -agreement -and -the -judicial -redress -act -small -steps -forward -for -eu -citizens -privacy -rights /

19 Ibid 18.

20 Landmark ECJ data protection ruling could impact Facebook and Google, The Guardian, 2 October, 2015 http ://www .theguardian .com /technology /2015/oct /02/landmark -ecj -data -protection -ruling -facebook -google -weltimmo

21 Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian, Octover 9, 2015 http ://www .theguardian .com /technology /2015/oct /09/facebook -data -privacy -max -schrems -european -court -of -justice

22 Adam Thierer, Unintended Consequences of the EU Safe Harbor Ruling, The Technology Liberation Front, October 6, 2015 http ://techliberation .com /2015/10/06/unintended -consequenses -of -the -eu -safe -harbor -ruling /#more -75831

23 Anupam Chander, Tweeted ECJ #schrems ruling may effectively require data localization within Europe, https ://twitter .com /AnupamChander /status /651369730754801665

24 Lokman Tsui, Tweeted, “If the TPP bans data localization, but the ECJ ruling effectively mandates it, what does that mean for the internet?” https ://twitter .com /lokmantsui /status /651393867376275456

25 Statement from Indian Head of Delegation, Mr Ram Narain for WGPL, Indian statement on ITU and Internet at the Working Group Plenary November 4, 2014 https ://ccgnludelhi .wordpress .com /author /asukum 87/page /2/

26 Sounak Mitra, Xiaomi bets big on India despite problems, Business Standard, December 2014 http ://www .business -standard .com /article /companies /xiaomi -bets -big -on -india -despite -problems -114122201023_1.html

27 Neha Alawadi, Ruling on data flow between EU & US may impact India’s IT sector, Economic Times,October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49250738.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

28 Pranav Menon, Data Protection Laws in India and Data Security- Impact on India and Data Security-Impact on India - EU Free Trade Agreement, CIS Access to Knowledge, 2011 http ://cis -india .org /a 2 k /blogs /data -security -laws -india .pdf

29 Surendra Kumar Sinha, India wants Mutual Legal Assistance treaty with Bangladesh, Economic Times, October 7, 2015 http ://economictimes .indiatimes .com /articleshow /49262294.cms ?utm _source =contentofinterest &utm _medium =text &utm _campaign =cppst

30 Pablo Chavez, Director, Public Policy and Government Affairs, Testifying before the U.S. Senate on transparency legislation, November 3, 2013 http ://googlepublicpolicy .blogspot .in /2013/11/testifying -before -us -senate -on .htm

31 Report of the Group of Experts on Privacy (Chaired by Justice A P Shah, Former Chief Justice, Delhi High Court), Planning Commission, October 2012 http ://planningcommission .nic .in /reports /genrep /rep _privacy .pdf

For more details visit https://cis-india.org/internet-governance/blog/contestations-of-data-ecj-safe-harbor-ruling-and-lessons-for-india

Comments on the Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (WSIS+10)

geetha — 2015-10-16T02:44:16Z

On 9 October 2015, the Zero Draft of the UN General Assembly's Overall Review of implementation of WSIS Outcomes was released. Comments were sought on the Zero Draft from diverse stakeholders. The Centre for Internet & Society's response to the call for comments is below.

These comments were prepared by Geetha Hariharan with inputs from Sumandro Chattapadhyay, Pranesh Prakash, Sunil Abraham, Japreet Grewal and Nehaa Chaudhari. Download the comments here.

The Zero Draft of the UN General Assembly’s Overall Review of the Implementation of WSIS Outcomes (“Zero Draft”) is divided into three sections: (A) ICT for Development; (B) Internet Governance; (C) Implementation and Follow-up. CIS’ comments follow the same structure.
The Zero Draft is a commendable document, covering crucial areas of growth and challenges surrounding the WSIS. The Zero Draft makes detailed references to development-related challenges, noting the persistent digital divide, the importance of universal access, innovation and investment, and of enabling legal and regulatory environments conducive to the same. It also takes note of financial mechanisms, without which principles would remain toothless. Issues surrounding Internet governance, particularly net neutrality, privacy and the continuation of the IGF are included in the Zero Draft.
However, we believe that references to these issues are inadequate to make progress on existing challenges. Issues surrounding ICT for Development and Internet Governance have scarcely changed in the past ten years. Though we may laud the progress so far achieved, universal access and connectivity, the digital divide, insufficient funding, diverse and conflicting legal systems surrounding the Internet, the gender divide and online harassment persist. Moreover, the working of the IGF and the process of Enhanced Cooperation, both laid down with great anticipation in the Tunis Agenda, have been found wanting.
These need to be addressed more clearly and strongly in the Zero Draft. In light of these shortcomings, we suggest the following changes to the Zero Draft, in the hope that they are accepted.
A. ICT for Development
Paragraphs 16-21 elaborate upon the digital divide – both the progresses made and challenges. While the Zero Draft recognizes the disparities in access to the Internet among countries, between men and women, and of the languages of Internet content, it fails to attend to two issues.
First, accessibility for persons with disabilities continues to be an immense challenge. Since the mandate of the WSIS involves universal access and the bridging of the digital divide, it is necessary that the Zero Draft take note of this continuing challenge.
We suggest the insertion of Para 20A after Para 20:
“20A. We draw attention also to the digital divide adversely affecting the accessibility of persons with disabilities. We call on all stakeholders to take immediate measures to ensure accessibility for persons with disabilities by 2020, and to enhance their capacity and access to ICTs.”
Second, while the digital divide among the consumers of ICTs has decreased since 2003-2005, the digital production divide goes unmentioned. The developing world continues to have fewer producers of technology compared to their sheer concentration in the developed world – so much so that countries like India are currently pushing for foreign investment through missions like ‘Digital India’. Of course, the Zero Draft refers to the importance of private sector investment (Para 31). But it fails to point out that currently, such investment originates from corporations in the developed world. For this digital production divide to disappear, restrictions on innovation – restrictive patent or copyright regimes, for instance – should be removed, among other measures. Equitable development is the key.
Ongoing negotiations of plurilateral agreements such as the Trans-Pacific Partnership (TPP) go unmentioned in the Zero Draft. This is shocking. The TPP has been criticized for its excessive leeway and support for IP rightsholders, while incorporating non-binding commitments involving the rights of users (see Clause QQ.G.17 on copyright exceptions and limitations, QQ.H.4 on damages and QQ.C. 12 on ccTLD WHOIS, https://wikileaks.org/tpp-ip3/WikiLeaks-TPP-IP-Chapter/WikiLeaks-TPP-IP-Chapter-051015.pdf). Plaudits for progress make on the digital divide would be lip service if such agreements were not denounced.
Therefore, we propose the addition of Para 20B after Para 20:
“20B. We draw attention also to the digital production divide among countries, recognizing that domestic innovation and production are instrumental in achieving universal connectivity. Taking note of recent negotiations surrounding restrictive and unbalanced plurilateral trade agreements, we call on stakeholders to adopt policies to ensure globally equitable development, removing restrictions on innovation and conducive to fostering domestic and local production.”
Paragraph 22 of the Zero Draft acknowledges that “school curriculum requirements for ICT, open access to data and free flow of information, fostering of competition, access to finance”, etc. have “in many countries, facilitated significant gains in connectivity and sustainable development”.
This is, of course, true. However, as Para 23 also recognises, access to knowledge, data and innovation have come with large costs, particularly for developing countries like India. These costs are heightened by a lack of promotion and adoption of open standards, open access, open educational resources, open data (including open government data), and other free and open source practices. These can help alleviate costs, reduce duplication of efforts, and provide an impetus to innovation and connectivity globally.
Not only this, but the implications of open access to data and knowledge (including open government data), and responsible collection and dissemination of data are much larger in light of the importance of ICTs in today’s world. As Para 7 of the Zero Draft indicates, ICTs are now becoming an indicator of development itself, as well as being a key facilitator for achieving other developmental goals. As Para 56 of the Zero Draft recognizes, in order to measure the impact of ICTs on the ground – undoubtedly within the mandate of WSIS – it is necessary that there be an enabling environment to collect and analyse reliable data. Efforts towards the same have already been undertaken by the United Nations in the form of “Data Revolution for Sustainable Development”. In this light, the Zero Draft rightly calls for enhancement of regional, national and local capacity to collect and conduct analyses of development and ICT statistics (Para 56). Achieving the central goals of the WSIS process requires that such data is collected and disseminated under open standards and open licenses, leading to creation of global open data on the ICT indicators concerned.
As such, we suggest that following clause be inserted as Para 23A to the Zero Draft:

“23A. We recognize the importance of access to open, affordable, and reliable technologies and services, open access to knowledge, and open data, including open government data, and encourage all stakeholders to explore concrete options to facilitate the same.”

15. Paragraph 30 of the Zero Draft laments “the lack of progress on the Digital Solidarity Fund”, and calls “for a review of options for its future”.

16. The Digital Solidarity Fund was established with the objective of “transforming the digital divide into digital opportunities for the developing world” through voluntary contributions [Para 28, Tunis Agenda]. It was an innovative financial mechanism to help bridge the digital divide between developed and developing countries. This divide continues to exist, as the Zero Draft itself recognizes in Paragraphs 16-21.

17. Given the persistent digital divide, a “call for review of options” as to the future of the Digital Solidarity Fund is inadequate to enable developing countries to achieve parity with developed countries. A stronger and more definite commitment is required.

18. As such, we suggest the following language in place of the current Para 30:

“30. We express concern at the lack of progress on the Digital Solidarity Fund, welcomed in Tunis as an innovative financial mechanism of a voluntary nature, and we call for voluntary commitments from States to revive and sustain the Digital Solidarity Fund.”

19. Paragraph 31 of the Zero Draft recognizes the importance of “legal and regulatory frameworks conducive to investment and innovation”. This is eminently laudable. However, a broader vision is more compatible with paving the way for affordable and widespread access to devices and technology necessary for universal connectivity.

20. We suggest the following additions to Para 31:

“31. We recognise the critical importance of private sector investment in ICT access, content and services, and of legal and regulatory frameworks conducive to local investment and expansive, permissionless innovation.”

B. Internet Governance

21. Paragraph 32 of the Zero Draft recognizes the “general agreement that the governance of the Internet should be open, inclusive, and transparent”. Para 37 takes into account “the report of the CSTD Working Group on improvements to the IGF”. Para 37 also affirms the intention of the General Assembly to extend the life of the IGF by (at least) another 5 years, and acknowledges the “unique role of the IGF”.

22. The IGF is, of course, unique and crucial to global Internet governance. In the last 10 years, major strides have been made among diverse stakeholders in beginning and sustaining conversations on issues critical to Internet governance. These include issues such as human rights, inclusiveness and diversity, universal access to connectivity, emerging issues such as net neutrality, the right to be forgotten, and several others. Through its many arms like the Dynamic Coalitions, the Best Practices Forums, Birds-of-a-Feather meetings and Workshops, the IGF has made it possible for stakeholders to connect.

23. However, the constitution and functioning of the IGF have not been without lament and controversy. Foremost among the laments was the IGF’s evident lack of outcome-orientation; this continues to be debatable. Second, the composition and functioning of the MAG, particularly its transparency, have come under the microscope several times. One of the suggestions of the CSTD Working Group on Improvements to the IGF concerned the structure and working methods of the Multistakeholder Advisory Group (MAG). The Working Group recommended that the “process of selection of MAG members should be inclusive, predictable, transparent and fully documented” (Section II.2, Clause 21(a), Page 5 of the Report).

24. Transparency in the structure and working methods of the MAG are critical to the credibility and impact of the IGF. The functioning of the IGF depends, in a large part, on the MAG. The UN Secretary General established the MAG, and it advises the Secretary General on the programme and schedule of the IGF meetings each year (see <http://www.intgovforum.org/cms/mag/44-about-the-mag>). Under its Terms of Reference, the MAG decides the main themes and sub-themes for each IGF, sets or modifies the rules of engagement, organizes the main plenary sessions, coordinates workshop panels and speakers, and crucially, evaluates the many submissions it receives to choose from amongst them the workshops for each IGF meeting. The content of each IGF, then, is in the hands of the MAG.

25. But the MAG is not inclusive or transparent. The MAG itself has lamented its opaque ‘black box approach’ to nomination and selection. Also, CIS’ research has shown that the process of nomination and selection of the MAG continues to be opaque. When CIS sought information on the nominators of the MAG, the IGF Secretariat responded that this information would not be made public (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

26. Further, our analysis of MAG membership shows that since 2006, 26 persons have served for 6 years or more on the MAG. This is astounding, since under the MAG Terms of Reference, MAG members are nominated for a term of 1 year. This 1-year-term is “automatically renewable for 2 more consecutive years”, but such renewal is contingent on an evaluation of the engagement of MAG members in their activities (see <http://www.intgovforum.org/cms/175-igf-2015/2041-mag-terms-of-reference>). MAG members ought not serve for over 3 consecutive years, in accordance with their Terms of Reference. But out of 182 MAG members, around 62 members have served more than the 3-year terms designated by their Terms of Reference (see <http://cis-india.org/internet-governance/blog/mag-analysis>).

27. Not only this, but our research showed 36% of all MAG members since 2006 have hailed from the Western European and Others Group (see <http://cis-india.org/internet-governance/blog/mag-analysis>). This indicates a lack of inclusiveness, though the MAG is certainly more inclusive than the composition and functioning of other I-Star organisations such as ICANN.

28. Tackling these infirmities within the MAG would go a long way in ensuring that the IGF lives up to its purpose. Therefore, we suggest the following additions to Para 37:

“37. We acknowledge the unique role of the Internet Governance Forum (IGF) as a multistakeholder platform for discussion of Internet governance issues, and take note of the report and recommendations of the CSTD Working Group on improvements to the IGF, which was approved by the General Assembly in its resolution, and ongoing work to implement the findings of that report. We reaffirm the principles of openness, inclusiveness and transparency in the constitution, organisation and functioning of the IGF, and in particular, in the nomination and selection of the Multistakeholder Advisory Group (MAG). We extend the IGF mandate for another five years with its current mandate as set out in paragraph 72 of the Tunis Agenda for the Information Society. We recognize that, at the end of this period, progress must be made on Forum outcomes and participation of relevant stakeholders from developing countries.”

29. Paragraphs 32-37 of the Zero Draft make mention of “open, inclusive, and transparent” governance of the Internet. It fails to take note of the lack of inclusiveness and diversity in Internet governance organisations – extending across representation, participation and operations of these organisations. In many cases, mention of inclusiveness and diversity becomes tokenism or formal (but not operational) principle. In substantive terms, the developing world is pitifully represented in standards organisations and in ICANN, and policy discussions in organisations like ISOC occur largely in cities like Geneva and New York. For example, the ‘diversity’ mailing list of IETF has very low traffic. Within ICANN, 307 out of 672 registries listed in ICANN’s registry directory are based in the United States, while 624 of the 1010 ICANN-accredited registrars are US-based. Not only this, but 80% of the responses received by ICANN during the ICG’s call for proposals were male. A truly global and open, inclusive and transparent governance of the Internet must not be so skewed.

30. We propose, therefore, the addition of a Para 37A after Para 37:

“37A. We draw attention to the challenges surrounding diversity and inclusiveness in organisations involved in Internet governance, and call upon these organisations to take immediate measures to ensure diversity and inclusiveness in a substantive manner.”

31. Paragraphs 36 of the Zero Draft notes that “a number of member states have called for an international legal framework for Internet governance.” But it makes no reference to ICANN or the importance of the ongoing IANA transition to global Internet governance. ICANN and its monopoly over several critical Internet resources was one of the key drivers of the WSIS in 2003-2005. Unfortunately, this focus seems to have shifted entirely. Open, inclusive, transparent and global Internet are misnomer-principles when ICANN – and in effect, the United States – continues to have monopoly over critical Internet resources. The allocation and administration of these resources should be decentralized and distributed, and should not be within the disproportionate control of any one jurisdiction.

32. Therefore, we suggest the following Para 37A after Para 37:

“37A. We affirm that the allocation, administration and policy involving critical Internet resources must be inclusive and decentralized, and call upon all stakeholders and in particular, states and organizations responsible for essential tasks associated with the Internet, to take immediate measures to create an environment that facilitates this development.”

33. Paragraph 43 of the Zero Draft encourages “all stakeholders to ensure respect for privacy and the protection of personal information and data”. But the Zero Draft inadvertently leaves out the report of the Office of the UN High Commissioner for Human Rights on digital privacy, ‘The right to privacy in the digital age’ (A/HRC/27/37). This report, adopted by the Human Rights Council in June 2014, affirms the importance of the right to privacy in our increasingly digital age, and offers crucial insight into recent erosions of privacy. It is both fitting and necessary that the General Assembly take note of and affirm the said report in the context of digital privacy.

34. We offer the following suggestion as an addition to Para 43:

“43. We emphasise that no person shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, or correspondence, consistent with countries’ applicable obligations under international human rights law. In this regard, we acknowledge the report of the Office of the UN High Commissioner for Human Rights, ‘The right to privacy in the digital age’ (A/HRC/27/37, 30 June 2014), and take note of its findings. We encourage all stakeholders to ensure respect for privacy and the protection of personal information and data.”

35. Paragraphs 40-44 of the Zero Draft state that communication is a fundamental human need, reaffirming Article 19 of the Covenant on Civil and Political Rights, with its attendant narrow limitations. The Zero Draft also underscores the need to respect the independence of the press. Particularly, it reaffirms the principle that the same rights that people enjoy offline must also be protected online.

36. Further, in Para 31, the Zero Draft recognizes the “critical importance of private sector investment in ICT access, content, and services”. This is true, of course, but corporations also play a crucial role in facilitating the freedom of speech and expression (and all other related rights) on the Internet. As the Internet is led largely by the private sector in the development and distribution of devices, protocols and content-platforms, corporations play a major role in facilitating – and sometimes, in restricting – human rights online. They are, in sum, intermediaries without whom the Internet cannot function.

37. Given this, it is essential that the outcome document of the WSIS+10 Overall Review recognize and affirm the role of the private sector, and crucially, its responsibilities to respect and protect human rights online.

38. We suggest, therefore, the insertion of the following paragraph Para 42A, after Para 42:

“42A. We recognize the critical role played by corporations and the private sector in facilitating human rights online. We affirm, in this regard, the responsibilities of the private sector set out in the Report of the Special Representative of the Secretary General on the issue of human rights and transnational corporations and other business enterprises, A/HRC/17/31 (21 March 2011), and encourage policies and commitments towards respect and remedies for human rights.”

C. Implementation and Follow-up

39. Para 57 of the Zero Draft calls for a review of the WSIS Outcomes, and leaves a black space inviting suggestions for the year of the review. How often, then, should the review of implementation of WSIS+10 Outcomes take place?

40. It is true, of course, that reviews of the implementation of WSIS Outcomes are necessary to take stock of progress and challenges. However, we caution against annual, biennal or other such closely-spaced reviews due to concerns surrounding budgetary allocations.

41. Reviews of implementation of outcomes (typically followed by an Outcome Document) come at considerable cost, which are budgeted and achieved through contributions (sometimes voluntary) from states. Were Reviews to be too closely spaced, budgets that ideally ought to be utilized to bridge digital divides and ensure universal connectivity, particularly for developing states, would be misspent in reviews. Moreover, closely-spaced reviews would only provide superficial quantitative assessments of progress, but would not throw light on longer term or qualitative impacts.

For more details visit https://cis-india.org/internet-governance/blog/comments-on-the-zero-draft-of-the-un-general-assembly2019s-overall-review-of-the-implementation-of-wsis-outcomes-wsis-10

Cyfy 2015: The India Conference on Cyber Security and Internet Governance

praskrishna — 2015-10-17T14:44:42Z

In its third year, Cyfy; South Asia’s biggest internet policy conference is being held in New Delhi, from 14-16 October, 2015. The event is organized by Observer Research Foundation at Hotel Taj Mansingh. Sunil Abraham is a panelist in the session "Protection of Intellectual Property and Business Secrets in the Knowledge Economy".

Building on its scope and scale of the previous year — over 55 speakers, from 12 countries, with 350 attendees — the conference discusses issues that affect the emerging world and developed world alike. The conversations will further and widen the debate around internet governance, security, surveillance, freedom of expression, norms of state behaviour, technology and specific societal challenges that emerging and developing countries seek to address by the effective design and deployment on these technologies. In 2015, Cyfy will bring together more experts from South Asia, in order to present new thought on the specific challenges of internet access, policy and regulation, e-governance, financial inclusion, and bottom of the pyramid solutions.

Along with its growing network of both Indian and international partners, ORF looking forward to hosting another thought-provoking and productive few days, and bridging some digital divides in contemporary internet cyber policy debates.

Protection of Intellectual Property and Business Secrets in the Knowledge Economy

Over the past decade, there has been an exponential rise in cyber-enabled theft of intellectual property, and it has been recognized as an unfair predatory practice. With the rise of the globalized knowledge economy, the stability of open trading systems increasingly depends on cross-border IP protection. What is the relevance of the protection of intellectual property and business secrets for economic development and stability of the international trading system?

Download the agenda For more info visit here.

For more details visit https://cis-india.org/internet-governance/news/cyfy-2015-india-conference-on-cyber-security-and-internet-governance

Digital India: Did Modi get it wrong in Silicon Valley?

praskrishna — 2015-10-18T04:44:52Z

A bear hug, a photo filter and a new debate on net neutrality - Ayeshea Perera examines the domestic fallout of Indian Prime Minister Narendra Modi's Facebook townhall in US.

This was published by BBC News on October 16, 2015. Sunil Abraham was quoted.

It was supposed to be a moment that rocked the virtual world. Mr Modi, widely acknowledged as one of the world's most influential politicians on social media, enveloped a slightly stunned Mark Zuckerberg in a bear hug.

But what was it that really happened in Menlo Park? Why did some people think Mr Modi wasn't acting in India's best digital interests when he hugged Mr Zuckerberg?

India with an internet population of 354 million - which has already grown by 17% in the first six months of 2015 - is an obvious target for not only Facebook, but other Silicon Valley giants. And they have all been more than happy to pledge their support for digital India - a recently launched government initiative aimed at reinvigorating an $18bn (£11.6bn) campaign to strengthen India's digital infrastructure.

Google offered to provide 500 railway stations with free WiFi and Microsoft pledged to connect 500,000 Indian villages with cheap broadband access.

Digitally colonised?

But this huge show of support and the increased interest in India has caused some concern within the country.

"Is Digital India going to only make India a consumer of services offered by global tech companies in lieu of data? Personal data is the currency of the digital world. Are we going to give that away simply to become a giant market for a Facebook or a Google? Look at the way the tech world is skewed. Only China has been able to come up with companies that can take on these MNCs" Prabir Purkayasta, chairman of the Society for Knowledge Commons in India, told the BBC.

"The British ruled the world because they controlled the seas," he said. "Is India going to be content to just be a digital consumer? To being colonised once again?"

And in the aftermath of the Facebook townhall in particular, some talk has begun to surface about what Mr Zuckerberg's real India ambitions are.

Soon after the townhall ended, both Mr Modi and Mr Zuckerberg declared their support for digital India by using a special Facebook filter to tint their profile pictures in the tri-colour of the Indian flag.

Multitudes of Indians followed suit and timelines were awash with snazzy tinted profile pictures, all in support of "Digital India".

'Innocent mistake'

But then a tech website released what it claimed to be a portion of Facebook's source code, which allegedly "proved" that the "Support Digital India" filter was actually a "Support Internet.Org" filter.

Facebook quickly issued a denial, blaming the text in the code on an "engineer mistake" in choosing a shorthand name he used for part of the code.

But the "mistake" which has been coupled with a huge advertising blitz for Internet.Org across television channels and newspapers has raised suspicion about Facebook's motives. A Facebook poll on Internet.Org that frequently appears on Indian user timelines has also been ridiculed for not giving users an option to say no.

Instead the answer options to the poll question "Do you want India to have free basic services?" are "Yes" and "Not now".

Internet.org (now called free basics), aims to extend internet services to the developing world by offering a selection of apps and websites free to consumers.

Facebook's vice-president of infrastructure engineering, Jay Parikh has described the initiative as an "attempt to connect the two-thirds of the world who do not have access to the Internet" by trying to solve issues pertaining to affordability, infrastructure and access.

When Facebook launched the initiative in India in February, it was criticised by Indian activists who expressed concerns that the project threatened freedom of expression, privacy and the principle of net neutrality.

On the other end of the debate, Indian columnist Manu Joseph wrote in the Hindustan Times newspaper, hitting out at the "selfish" stand on net neutrality. He said concerns over the issue should be "subordinate to the fact that the poor have a right to some Internet".

Wrong signal

A massive campaign by India's Save the Internet Coalition exhorting Indians to speak out against initiatives threatening net neutrality caught public imagination and saw more than a million emails to India's regulator, the Telecom Regulatory Authority of India (TRAI), demanding a free and fair internet in the country. Internet.Org was one of the initiatives immediately affected.

TRAI since released a draft policy on net neutrality, but a question that has been asked is whether it was appropriate for Mr Modi to visit Facebook given that the policy was still under consideration.

Mr Purkayasta is of the opinion that it could have been avoided. "It was not the time or the place to go. Even if it was simply a publicity gimmick, it still sends a signal to officials involved in drafting the policy," he said.

However, Sunil Abraham from the Centre for Internet and Society told the BBC he believed that while Facebook's intentions were suspect, Mr Modi's visit had the potential to safeguard net neutrality in India.

"India is a hugely important market for Facebook, and the prime minister has the power to force positive changes to its policies," he said. "We gain nothing by shutting them out."

For more details visit https://cis-india.org/internet-governance/news/bbc-october-16-2015-digital-india-did-modi-get-it-wrong-in-silicon-valley