Centre for Internet and Society

The Government’s Increased Focus on Regulating Non-Personal Data: A Look at the Draft National Data Governance Framework Policy

Digvijay Chaudhary and Anamika Kundu — 2022-06-30T13:24:35Z

Digvijay Chaudhary and Anamika Kundu wrote an article on the National Data Governance Framework Policy. It was edited by Shweta Mohandas.

Introduction

Non Personal Data (‘NPD’) can be understood as any information not relating to an identified or identifiable natural person. The origin of such data can be both human and non-human. Human NPD would be such data which has been anonymised in such a way that the person to whom the data relates cannot be re-identified. Non-human NPD would mean any such data that did not relate to a human being in the first place, for example, weather data. There has been a gradual demonstrated interest in NPD by the government in recent times. This new focus on regulating non personal data can be owed to the economic incentive it provides. In its report, the Sri Krishna committee, released in 2018 agreed that NPD holds considerable strategic or economic interest for the nation, however, it left the questions surrounding NPD to a future committee.

History of NPD Regulation

In 2020, the Ministry of Electronics and Information Technology (‘MEITY’) constituted an expert committee (‘NPD Committee’) to study various issues relating to NPD and to make suggestions on the regulation of non-personal data. The NPD Committee differentiated NPD into human and non-human NPD, based on the data’s origin. Human NPD would include all information that has been stripped of any personally identifiable information and non-human NPD meant any information that did not contain any personally identifiable information in the first place (eg. weather data). The final report of the NPD Committee is awaited but the Committee came out with a revised draft of its recommendations in December 2020. In its December 2020 report, the NPD Committee proposed the creation of a National Data Protection Authority (‘NPDA’) as it felt this is a new and emerging area of regulation. Thereafter, the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 (‘JPC’) came out with its version of the Data Protection Bill where it amended the short title of the PDP Bill 2019 to Data Protection Bill, 2021 widening the ambit of the Bill to include all types of data. The JPC report focuses only on human NPD, noting that non-personal data is essentially derived from one of the three sets of data - personal data, sensitive personal data, critical personal data - which is either anonymized or is in some way converted into non-re-identifiable data.

On February 21, 2022, the Ministry of Electronics and Information Technology (‘MEITY’) came out with the Draft India Data Accessibility and Use Policy, 2022 (‘Draft Policy’). The Draft Policy was strongly criticised mainly due to its aims to monetise data through its sale and licensing to body corporates. The Draft Policy had stated that anonymised and non-personal data collected by the State that has “undergone value addition” could be sold for an “appropriate price”. During the Draft Policy’s consultation process, it had been withdrawn several times and then finally removed from the website. The National Data Governance Framework Policy (‘NDGF Policy’) is a successor to this Draft Policy. There is a change in the language put forth in the NDGF Policy from the Draft Policy, where the latter mainly focused on monetary growth. The new NDGF Policy aims to regulate anonymised non-personal data (‘NPD’) kept with governmental authorities and make it accessible for research and improving governance. It wishes to create an ‘India Datasets programme’ which will consist of the aforementioned datasets. While MEITY has opened the draft for public comments, is a need to spell out the procedure in some ways for stakeholders to draft recommendations for the NDGF policies in an informed manner. Through this piece, we discuss the NDGF Policy in terms of issues related to the absence of a comprehensive Data Protection Framework in India and the jurisdictional overlap of authorities under the NDGF Policy and DPB.

What the National Data Governance Framework Policy Says

Presently in India, NPD is stored in a variety of governmental departments and bodies. It is difficult to access and use this stored data for governmental functions without modernising collection and management of governmental data. Through the NDGF Policy, the government aims to build an Indian data storehouse of anonymised non-personal datasets and make it accessible for both improving governance and encouraging research. It imagines the establishment of an Indian Data Office (‘IDO’) set up by MEITY , which shall be responsible for consolidating data access and sharing of non-personal data across the government. In addition, it also mandates a Data Management Unit for every Ministry/department that would work closely with the IDO. IDO will also be responsible for issuing protocols for sharing NPD. The policy further imagines an Indian Data Council (‘IDC’) whose function would be to define frameworks for important datasets, finalise data standards, and Metadata standards and also review the implementation of the policy. The NDGF Policy has provided a broad structure concerning the setting up of anonymisation standards, data retention policies, data quality, and data sharing toolkit. The NDGF Policy states that these standards shall be developed and notified by the IDO or MEITY or the Ministry in question and need to be adhered to by all entities.

The Data Protection Framework in India

The report adopted by the JPC, felt that it is simpler to enact a single law and a single regulator to oversee all the data that originates from any data principal and is in the custody of any data fiduciary. According to the JPC, the draft Bill deals with various kinds of data at various levels of security. The JPC also recommended that since the Data Protection Bill (‘DPB’) will handle both personal and non-personal data, any further policy / legal framework on non-personal data may be made a part of the same enactment instead of any separate legislation. The draft DPB states that what is to be done with the NDP shall be decided by the government from time to time according to its policy. As such, neither the DPB, 2021 nor the NDGF Policy go into details of regulating NPD but only provide a broad structure of facilitating free-flow of NPD, without taking into account the specific concerns that have been raised since the NPD committee came out with its draft report on regulating NPD dated December 2020.

Jurisdictional overlaps among authorities and other concerns

Under the NDGF policy, all guidelines and rules shall be published by a body known as the Indian Data Management Office (‘IDMO’). The IDMO is set to function under the MEITY and work with the Central government, state governments and other stakeholders to set standards. Currently, there is no sign of when the DPB will be passed as law. According to the JPC, the reason for including NPD within the DPB was because of the impossibility to differentiate between PD and NPD. There are also certain overlaps between the DPB and the NDGF which are not discussed by the NDGF. NDGF does not discuss the overlap between the IDMO and Data Protection Authority (‘DPA’) established under the DPB 2021.

Under the DPB, the DPA is tasked with specifying codes of practice under clause 49. On the other hand, the NDGF has imagined the setting up of IDO, IDMO, and the IDC, which shall be responsible for issuing codes of practice such as data retention, and data anonymisation, and data quality standards. As such, there appears to be some overlap in the functions of the to-be-constituted DPA and the NDGF Policy.

Furthermore, while the NDGF Policy aims to promote openness with respect to government data, there is a conflict with open government data (‘OGD’) principles when there is a price attached to such data. OGD is data which is collected and processed by the government for free use, reuse and distribution. Any database created by the government must be publicly accessible to ensure compliance with the OGD principles.

Conclusion

Streamlining datasets across different authorities is a huge challenge for the government and hence the NGDF policy in its current draft requires a lot of clarification. The government can take inspiration from the European Union which in 2018, came out with a principles-based approach coupled with self-regulation on the framework of the free flow of non-personal data. The guidance on the free-flow of non-personal data defines non-personal data based on the origin of data - data which originally did not relate to any personal data (non-human NPD) and data which originated from personal data but was subsequently anonymised (human NPD). The regulation further realises the reality of mixed data sets and regulates only the non-personal part of such datasets and where the datasets are inextricably linked, the GDPR would apply to such datasets. Moreover, any policy that seeks to govern the free flow of NPD ought to make it clear that in case of re-identification of anonymised data, such re-identified data would be considered personal data. The DPB, 2021 and the NGDF, both fail to take into account this difference.

For more details visit https://cis-india.org/internet-governance/blog/national-data-governance-framework-policy

What Are The Consumer Protection Concerns With Crypto-Assets?

Aman Nair and Vipul Kharbanda — 2022-07-18T15:22:02Z

Existing consumer protection regulations are not sufficient to cover the extent of protection that a crypto-investor would require.

The article was published in Medianama on July 8, 2022

Crypto-asset regulation is at the forefront of India’s financial regulator’s minds. On the 6th of June, the Securities and Exchange Board of India (SEBI) in a response to the Parliamentary Standing Committee on Finance expressed clear consumer protection concerns associated with crypto-assets.

This statement follows multiple notices issued by the Reserve Bank of India (RBI) warning consumers of the risks related to crypto-assets, and even a failed attempt to prevent banks from transacting with any individual trading crypto-assets. Yet, in spite of these multiple warnings, and a significant drop in trading volume due to the introduction of a new taxation structure, crypto-assets still have managed to establish themselves as a legitimate financial instrument in the minds of many.

Recent global developments, however, seem to validate the concerns held by both the RBI and SEBI.

The bear market that crypto finds itself in has sent shockwaves throughout the ecosystem, crippling some of the most established tokens in the space. Take, for example, the death spiral of the algorithmic stablecoin Terra USD and its sister token Luna—with Terra USD going from a top-10-traded crypto-token to being practically worthless. The volatility of token prices has had a significant knock-on effect on crypto-related services. Following Terra’s crash, the Centralised Finance Platform (CeFi) Celsius—which provided quasi-banking facilities for crypto holders—also halted all withdrawals. More recently, the crypto-asset hedge fund Three Arrows also filed for bankruptcy following its inability to meet its debt obligations and protect its assets from creditors looking to get their money back.

Underpinning these stories of failing corporations are the very real experiences of investors and consumers—many of whom have lost a significant amount of wealth. This has been a direct result of the messaging around crypto-assets. Crypto-assets have been promoted through popular culture as a means of achieving financial freedom and accruing wealth quickly. It is this narrative that lured numerous regular citizens to invest substantial portions of their income into crypto-asset trading. At the same time, the crypto-asset space is littered with a number of scams and schemes designed to trick unaware consumers. These schemes, primarily taking the form of ‘pump and dump’ schemes, represent a significant issue for investors in the space.

It seems, therefore, that any attempt to ensure consumer protection in the crypto-space must adopt two key strategies:

First, it must re-orient the narrative from crypto as a simple means of getting wealthy—and ensure that those consumers who invest in crypto do so with full knowledge of the risks associated with crypto-assets
Second, it must provide consumers with sufficient recourse in cases where they have been subject to fraud.

In this article, we examine the existing regulatory framework around grievance redressal for consumers in India—and whether these safeguards are sufficient to protect consumers trading crypto-assets. We further suggest practical measures that the government can adopt going forward.

What is the Current Consumer Protection Framework Around Crypto-assets?

Safeguards Under the Consumer Protection Act and E-commerce Rules

The increased adoption of e-commerce by consumers in India forced legislators to address the lack of regulation for the protection of consumer interests. This legislative expansion may extend to protecting the interests of investors and consumers trading in crypto-assets.

The groundwork for consumer welfare was laid in the new Consumer Protection Act, 2019 which defined e-commerce as the “buying or selling of goods or services including digital products over digital or electronic network.” It also empowered the Union Government to take measures and issue rules for the protection of consumer rights and interests, and the prevention of unfair trade practices in e-commerce.

Within a year, the Union Government exercised its power to issue operative rules known as the Consumer Protection (E-Commerce) Rules, 2020 (the “Rules”), which amongst other things, sought to prohibit unfair trade practices across all models of e-commerce. The Rules define an e-commerce entity as one which owns, operates or manages a digital or electronic facility or platform (which includes a website as well as mobile applications) for electronic commerce.

The definition of e-commerce is not limited only to physical goods but also includes services as well as digital products. So, one can plausibly assume that it would be applicable to a number of crypto-exchanges, as well as certain entities offering decentralized finance (DeFi) services. This is because crypto tokens—be it cryptocurrencies like Bitcoin, Ethereum, or Dogecoin—are not considered currency or securities within Indian law, but can be said to be digital products since they are digital goods.

The fact that the digital products being traded on the e-commerce entity originated outside Indian territory would make no difference as far as the applicability of the Rules is concerned. The Rules apply even to e-commerce entities not established in India, but which systematically offer goods or services to consumers in India. The concept of systematically offering goods or services across territorial boundaries appears to have been taken from the E-evidence Directive of the European Union and seeks to target only those entities which intend to do substantial business within India while excluding those who do not focus on the Indian market and have only a minuscule presence here.

Additionally, the Rules impose certain duties and obligations on e-commerce entities, such as:

The appointment of a nodal officer or a senior designated functionary who is resident in India, to ensure compliance with the provisions of the Consumer Protection Act;
The prohibition on the adoption of any unfair trading practices, thereby making the most important requirements of consumer protection applicable to e-commerce;
The establishment of a grievance redressal mechanism and specifying an outer limit of one month for redressal of complaints;
The prohibition on imposing cancellation charges on the consumer, unless a similar charge is also borne by the e-commerce entity if it cancels the purchase order unilaterally for any reason;
The prohibition on price manipulation to gain unreasonable profit by imposing an unjustified price on the consumers;
The prohibition on discrimination between consumers of the same class or an arbitrary classification of consumers that affects their rights; etc.

The Rules also impose certain liabilities on e-commerce entities relating to the tracking of shipments, the accuracy of the information on the goods or services being offered, information and ranking of sellers, tracking complaints, and information regarding payment mechanisms. Most importantly, the Rules explicitly make the grievance redressal mechanism under the Consumer Protection Act, 2019 applicable to e-commerce entities in case they violate any of the requirements under the Rules.

What this means is that at present crypto-exchanges and crypto-service providers clearly fall within the ambit of consumer protection legislation in India. In real terms, this means that consumers can rest assured that in any crypto transaction their rights must be accounted for by the corporation.

With crypto related scams exploding globally following 2021, it is likely that Indian investors will come into contact, or be subject to various scams and schemes in the crypto marketplace. Therefore, it is imperative that consumers and investors the steps they can take in case they fall victim to a scam. Currently, any consumer who is the victim of a fraud or scam in the crypto space would as per the current legal regime, have two primary redressal remedies:

Lodging a criminal complaint with the police, usually the cyber cell, regarding the fraud. It then becomes the police’s responsibility to investigate the case, trace the perpetrators, and ensure that they are held accountable under relevant legal provisions.
Lodging a civil complaint before the consumer forum or even the civil courts claiming compensation and damages for the loss caused. In this process, the onus is on the consumer to follow up and prove that they have been defrauded.

Filing a consumer complaint may impose an extra burden on the consumer to prove the fraud—especially if the consumer is unable to get complete and accurate information regarding the transaction. Additionally, in most cases, a consumer complaint is filed when the perpetrator is still accessible and can be located by the consumer. However, in case the perpetrator has absconded, the consumer would have no choice but to lodge a criminal complaint. That said, if the perpetrators have already absconded, it may be difficult even for the police to be of much help considering the anonymity that is built into technology.

Therefore, perhaps the best protection that can be afforded to the consumer is where the regulatory regime is geared towards the prevention of frauds and scams by establishing a licensing and supervisory regime for crypto businesses.

A Practical Guide to Consumer Protection and Crypto-assets

What is apparent is that existing regulations are not sufficient to cover the extent of protection that a crypto-investor would require. Ideally, this gap would be covered by dedicated legislation that looks to cover the range of issues within the crypto-ecosystem. However, in the absence of the (still pending) government crypto bill, we are forced to consider how consumers can currently be protected and made aware of the risks associated with crypto-assets.

On the question of informing customers of the risks associated, we must address one of the primary means through which consumers become aware of crypto-assets: advertising. Currently, crypto-asset advertising follows a code set down by the Advertising Standards Council of India, a self-regulating, non-government body. As such, there is currently no government body that enforces binding advertising standards on crypto and crypto-service providers.

While self-regulation has generally been an acceptable practice in the case of advertising, the advertising of financial products has differed slightly. For example, Schedule VI of the Securities and Exchange Board of India (Mutual Funds) Regulations, 1996, lays down detailed guidelines associated with the advertising of mutual funds. Crypto-assets can, depending on their form, perform similar functions to currencies, securities, and assets. Moreover, they carry a clear financial risk—as such their advertising should come under the purview of a recognised financial regulator. In the absence of a dedicated crypto bill, an existing regulator—such as SEBI or the RBI—should use their ad-hoc power to bring crypto-assets and their advertising under their purview.

This would allow for the government to not only ensure that advertising guidelines are followed, but to dictate the exact nature of these guidelines. This allows it to issue standards pertaining to disclaimers and prevent crypto service providers from advertising crypto as being easy to understand, having a guaranteed return on investment, or other misleading messages.

Moreover, financial institutions such as the RBI and SEBI may consider increasing efforts to inform consumers of the financial and economic risks associated with crypto-assets by undertaking dedicated public awareness campaigns. Strongly enforced advertising guidelines, coupled with widespread and comprehensive awareness efforts, would allow the average consumer to understand the risks associated with crypto-assets, thereby re-orienting the prevailing narrative around them.

On the question of providing consumers with clear recourse, current financial regulators might consider setting up a joint working group to examine the extent of financial fraud associated with crypto-assets. Such a body can be tasked with providing consumers with clear information related to crypto-asset scams and schemes, how to spot them, and the next steps they must take in case they fall victim to one.

Aman Nair is a policy officer at the Centre for Internet & Society (CIS), India, focusing on fintech, data governance, and digital cooperative research. Vipul Kharbanda is a non-resident fellow at CIS, focusing on the fintech research agenda of the organisation.

For more details visit https://cis-india.org/internet-governance/blog/what-are-the-consumer-protection-concerns-with-crypto-assets

Deployment of Digital Health Policies and Technologies: During Covid-19

pallavi — 2022-07-21T14:49:56Z

In the last twenty years or so, the Indian government has adopted several digital mechanisms to deliver services to its citizens.

Digitisation of public services in India began with taxation, land record keeping, and passport details recording, but it was soon extended to cover most governmental services - with the latest being public health. The digitisation of healthcare system in India had begun prior to the pandemic. However, given the push digital health has received in recent years especially with an increase in the intensity of activity during the pandemic, we thought it is important to undertake a comprehensive study of India's digital health policies and implementation. The project report comprises a desk-based research review of the existing literature on digital health technologies in India and interviews with on-field healthcare professionals who are responsible for implementing technologies on the ground.

The report by Privacy International and the Centre for Internet & Society can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/deployment-of-digital-health-policies-and-technologies-during-covid-19

Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar

Shruti Trikanad and Vrinda Bhandari — 2022-08-09T08:17:32Z

Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.

In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report here.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar

Internet opens doors to trillions more Net addresses with IPv6

praskrishna — 2012-06-14T05:12:25Z

The global Internet industry reached a key milestone on June 6 when a group of Web sites, Internet service providers (ISPs) and router manufacturers banded together to participate in the World IPv6 Launch.

This blog post by Aaron Tan was published in techgoondu. Nishant Shah is quoted in this.

Google, Facebook and Yahoo have flipped the switch to the new Internet addressing system, while ISPs such as Japan’s KDDI and India’s HNS will permanently enable IPv6 for a significant portion of their residential wireline subscribers. Home networking equipment manufacturers will also turn on IPv6 by default in home router products.

The World IPv6 Launch was organised by the Internet Society as part of its mission to ensure that the Internet remains open and accessible for everyone, including five billion people who have yet to connect to the Internet.

“The support of IPv6 from these thousands of organizations delivers a critical message to the world: IPv6 is not just a ‘nice to have’; it is ready for business today and will very soon be a ‘must have’,” said Leslie Daigle, chief Internet technology officer of Internet Society in a statement Wednesday.

Last April, Asia-Pacific became the first region in the world to run out of IPv4 addresses. Europe will deplete its allocation of IPv4 addresses later this year, followed by the U.S. in 2013, and Latin America and Africa in 2014. With IPv6, the Internet can now support over 340 trillion, trillion, trillion addresses compared with 4.3 billion addresses for IPv4.

“Understanding the importance of IPv6, some governments in Asia Pacific have committed to enable IPv6 in their internal networks with set deadlines and, given that they run such large networks, having them on IPv6 is a big step in itself,” said Rajnesh Singh, regional director of the Internet Society’s Asia-Pacific bureau.

The Singapore Government, for instance, has spearheaded an initiative to make e-government services accessible via IPv6. The Infocomm Development Authority (IDA) has also started an IPv6 transition programme that offers grants and information for companies that intend to implement IPv6 on their networks.

With the launch of IPv6, consumers can expect to see applications and services that take advantage of IPv6′s features. Microsoft’s upcoming Windows 8 operating system will also favour IPv6 connectivity over IPv4.

According to Nishant Shah, research director at the Bangalore-based Centre for Internet and Society, IPv6 has an in-built security protocol called IPSec, which authenticates and secures all IP data. The data carrying capacity of IPv6 networks is also going to be higher.

“This means that more devices with more features will be able to work seamlessly through these networks. Despite the larger load of information, IPv6 packets are easier to handle and route, just like postcards with pincodes in their addresses are easier to deliver than those without”, Shah said in a joint statement with Tata Communications.

As an example, every aspect of the Beijing Olympics – from security surveillance to managing vehicles and media coverage – was done over IPv6. “The Chinese government, in fact, has already launched a ‘China Next Generation Internet’ project to build IPv6 networks which are going to radically change the face of high-speed internet in the country,” Shah revealed.

With all these benefits, why does IPv6 only command two percent of the world’s Internet traffic? Shah offers two clear reasons:

The first one is that of costs and infrastructure. The IPv6 platforms do not communicate easily with the IPv4 networks. We have the choice of a mammoth transition of all IPv4 websites and networks to new IPv6 protocols. This idea of abandoning IPv4 and moving to a new protocol is not only redundant; it is also futile, because IPv4 is already running the largest network in human history quite efficiently.

What we need are translators which will be able to speak to both the different versions and help our devices work through them seamlessly. Older, more successful technologies have been able to do this. So, television, for instance, whether it receives terrestrial data, satellite images or data transferred via cable, is able to translate and render them into images and sounds which we can consume with ease. However, the translators for the IPv4 – IPv6 are still expensive and we need more resources diverted towards making them affordable.

The second reason is linked to the first. In order for IPv6 to become popular, it needs a minimum threshold of service providers and users riding that network. As long as the deployment remains nascent, there will be no concentrated energy to actually try and make the bridges between versions 4 and 6. While global technology organisations like Tata Communications are ready for the transition, we are going to need a systemic change among all stakeholders to make IPv6 a reality, towards a faster, safer and more robust Internet.

For more details visit https://cis-india.org/news/internet-opens-doors-to-trillions-more-net-addresses

IPv6: The First Steps

nishant — 2012-06-05T07:18:16Z

The Centre for Internet & Society has entered into a small collaboration with Tata Telecommunications in India to celebrate the IPv6 day on June 6th. We will write 5500 word vignettes, which will be sent to their global database consisting of more than 900,000 users in the Asia-Pacific.

It is commonplace to interchange the words Internet and Cyberspace. However, we should make a distinction between the two. Cyberspace is an experiential phenomenon, supported by the Internet but smaller. It refers to the actions, transactions, negotiations performed within the digital network.

The Internet is a protocol – a set of rules that allows for a digitally connected network of databases to interact with each other. This happens through a standard set of commonly accepted rules, Internet Protocol version 4 – IPv4. IPv4 allows differently configured networks, working on different platforms, and designed through different technologies to communicate effectively by agreeing on a bare minimum of universally accepted codes for data to navigate cyberspace with the least bit of effort.

IPv4 was defined in 1981, when there were few computers in the world with even fewer connected to networks. It was the protocol that assigned a computer on the Internet, with an IP address, the unique name of a connected device which can be recognised by digital networks. Packets of data transmitted over the Internet need an unique IP address associated to their origin and destination, so that information can travel smoothly. IPv4 was developed so that 4,294,967,296 (2^32) unique IP addresses could be accommodated within the network. When it was designed, it looked like an almost infinite system. No one had ever imagined that the World Wide Web would emerge so quickly! We have reached a point now, where the last free IP addresses have been allotted in February of 2012, and we are now reaching a ‘real-estate’ crisis on the Internet.

Since every device with Internet connectivity has a unique IP address – computers, servers, tablets, smart-phones, e-book readers and even alarm clocks – we need a lot more IP addresses. IPv6 – or Internet Protocol version 6 – is a new standard by which we are now going to expand the ‘land’ upon which the Internet can grow. IPv6 is an overhaul of the existing system which will be able to handle 340 undecillion (2^128) unique addresses. Leading global Internet Service Providers and technology companies like Tata Communications have recognised this as the need of the hour since increasingly we are living in digital information societies. However, IPv6 is going to have a range of serious implications for our hardware and software needs as well as our usage patterns and how the Internet is going to expand in the future.

This communique is brought to you by Tata Communications and the Centre for Internet and Society.

If you would like any further information on IPv6 at Tata Communications, please reach out to: divya.anand@tatacommunications.com or write to Nishant Shah, Director-Research at the Bangalore based Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/ip-v-6

Towards a Multi-Stakeholder Consultation on ‘Internet Rights, Accessibility, Regulation & Ethics’

praskrishna — 2012-05-31T07:14:42Z

This event was organised by Digital Empowerment Foundation, National Internet Exchange of India and Association for Progressive Communications at Mirza Ghalib Hall, SCOPE Complex, New Delhi from 9.00 a.m. to 2.30 p.m. on May 3, 2012. Pranesh Prakash participated as a speaker in the session on Access to Internet: Right to Information.

9.00 a.m. to 9.30 a.m. (Registration)

9.30 a.m. to 11.00 a.m.

Inauguration & Plenary: Internet Rights, Accessibility, Regulation & Ethics

Introduction: Osama Manzar, Founder & Director, Digital Empowerment Foundation
Chair: Aruna Roy, Head, Mazdoor Kisan Shakti Sangathan (MKSS) & Member, National Advisory Council (NAC), Govt. of India
Co-Chair: Ajay Kumar, Joint Secretary, DIT, Govt. of India
Plenary Speakers:

Honey Tan, Human Rights Lawyer, Malaysia, APC
Venkatesh Nayak, Co-convener, Secretary, National Campaign for Peoples’ Right to Information
Jitendra Kohli, Executive Member, Transparency International India Summary of the Session by the Chair

11.00 to 11.15 a.m. (Tea break)

11.15 a.m. to 12.30 p.m.

Working Session I - Access to Internet: Right to Information

Chairperson: Basheerhamad Shadrach, Development Consultant
Plenary Speakers:

Pranesh Prakash, Programme Manager, Centre for Internet & Society
NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law
Pavan Duggal, Advocate, Supreme Court of India
Varsha Iyenger, Member, Centre for Law and Policy Research
Amitabh Singhal, Former CEO, National Internet Exchange of India (NIXI)
Prof Jagdeep Chhokar, Founding Member, Association for Democratic Reforms

12.30 p.m. to 1.30 p.m.
Working Session II - Internet Right as Human Right: Need for a Holistic Framework towards Universal Access in India

Chairperson: Dr. Govind, CEO, National Internet Exchange of India (NIXI), Govt. of India
Co-chair & Moderator: R. Sukumar , Managing Editor, Live Mint Newspaper
Panel Members:

Subho Ray, President, Internet & Mobile Association of India (IMAI)
Deepak Maheshwari, Vice President - Public Policy, South Asia, MasterCard
Ravina Agarwal, Program Officer, Ford Foundation
Honey Tan, Human Rights Lawyer, Malaysia, APC
Suhas Chakma, Director, Asian Centre for Human Rights
Anoop Saha, Co-Founder, CGNet Swara
Shivam Vij, Writer, Kafila.org

Click to see the original

For more details visit https://cis-india.org/news/towards-a-multi-stakeholder-consultation

Prime Security: The Mathematics of RSA Encryption

elonnai hickok — 2011-09-22T07:13:19Z

Based on simple properties of prime numbers, RSA encryption protects our money and digital identity. But how does it actually work? The Centre for Internet and Society invites you to a one-day workshop by Rohit Gupta on 9 September 2011.

Workshop

As remarked by one of its inventors, RSA is the scheme that "protects 95 per cent of the electronic commerce in the world". The recent breach of 40 million RSA Secure ID tokens ( widely used in Bangalore ) makes this an urgent issue. Apart from the proposed use of 2048-bit RSA keys in the UIDAI project by the government of India, we unknowingly use this algorithm every time we use a credit card, ATM or provide any kind of digital authentication.

Surprisingly enough, to understand the basic mechanism one need not have any more mathematical background than high school - the concept of prime numbers. From that basic knowledge this hands-on workshop will show the way RSA works in reality, under the hood in most networks, computers and smart devices. We will focus on the core mathematical idea rather than any specific software implementations.

For more information, please click here.

Convener:

Rohit Gupta is a mathematician working in the area of 'group theory' which is a fundamental part of physics, puzzles and cryptography. He is also a columnist for the Sunday Guardian and tweets as @fadesingh.

Registration:

The fees for the workshop ( Rs. 1500/- per person, cash only) is to be paid on arrival at the venue. No prior registration is required but the seats are limited to 15-20 people. Everyone who is interested is welcome.

Workshop Schedule:

Session I:

11.30 a.m. to 1:00 p.m.

Lunch:

1:00 p.m. to 2.30 p.m.

Session II:

2.30 p.m. to 4.00 p.m.

VIDEO

For more details visit https://cis-india.org/internet-governance/events/workshop-rsa-encryption

Indian net service providers too play censorship tricks

praskrishna — 2013-02-13T04:20:53Z

The study by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology.

The article by T Ramachandran was published in the Hindu on February 9, 2013. Sunil Abraham is quoted.

Your internet service provider (ISP) could be blocking some content. A study conducted by a Canadian university has found that some major Indian ISPs have deployed web-censorship and filtering technology widely used in China and some West Asian countries.

The findings, published on January 15, were the result of a search for censorship software and hardware on public networks like those operated by ISPs.

A research team at Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, found a software-hardware combo package called PacketShaper being used in many parts of the world, including India.

The study identified the presence of four PacketShaper installations on the networks of three major ISPs in India during the period of study in late 2012. These ISPs had been earlier “implicated in filtering to some degree,” the report said.

The deployment of such traffic management technologies by ISPs could threaten privacy, freedom of expression and competition, said Sunil Abraham, Executive Director of the Bangalore-based NGO, Centre for Internet and Society.

He said tools like PacketShaper could be used by ISPs for two types of censorship —“to block entire websites or choke traffic on certain services or destinations in a highly granular fashion.”

The U.S.-based producers of the technology, Blue Coat Systems, are quite open about the product features on the company’s website. They say it could be used to control and weed out undesirable content. It could also be used to slow down or speed up the operation of programmes and content flow to achieve the goals set by the operators of the networks.

Transparency is the key

Technology experts said such products could be used to exercise legitimate control over the internet traffic and prioritise the use of bandwidth and resources, if used ethically.

“If done in a transparent manner that does not discriminate against different actors within a class it does benefit the collective interest of the ISP’s clients. However, it could also be used to engage in hidden censorship against legitimate speech and also for anti-competitive behaviour,” said Mr. Abraham.

The study focussed on countries where concerns exist over “compliance with international human rights law, legal due process, freedom of speech, surveillance, and censorship.”

For more details visit https://cis-india.org/news/the-hindu-feb-9-2013-t-ramachandran-indian-net-service-providers-too-play-censorship-tricks

Hate speech: ban or ignore?

praskrishna — 2013-02-13T09:40:37Z

The Social Network discusses the hate speeches: whether they should be banned or ignored. Why does the state take action against some and not against some others. This on a day when Togadia and Owaisi were simultaneously trending on the social media.

This discussion was aired on NDTV on February 5, 2013

Pranesh Prakash, Policy Director, Centre for Internet and Society, and Shivam Vij of Kafila.com joined NDTV in the studio while actor and standup comic Sanjay Rajoura joined via webcam.

Pranesh said that the talk of banning these videos is foolish. He added, I don't think that is a solution. But the issue is one of criminal prosecution – whether that should happen or not, and with regard to the interesting dichotomy that Shivam pointed out some people are calling for somethings to be banned but not others. I think that kind of hypocrisy should be pointed out. I am happy that these small incidents of hate mongering are actually being blown out of proportion on social media because it actually gets people to react...to say wait a second...that is not right I might have a certain leanings towards Hindutva but that kind of speech is not what I support, or I might have a certain leanings towards what is called "pseudo-secularism" but that kind of speech is not what I support. So getting out that discussion out is important.

If we were on one hand a society where we had communal peace and then social media were focusing on these small kinds of incidents and blowing it out of proportion then that would be a problem.

Watch the full discussion aired on NDTV

For more details visit https://cis-india.org/news/ndtv-video-the-social-network-feb-5-2013-hate-speech-ban-or-ignore

Freedom of Expression Gagged

chinmayi — 2013-02-18T08:55:36Z

The use of law to bully people into silence, called ‘heckler’s veto’, is not unique to India, writes Chinmayi Arun in this op-ed published in Business Line on February 15, 2013.

Click to read the original published in the Business Line.

Freedom of expression in India is under threat. This year we have the Tamil Nadu government’s ban on Vishwaroopam, the Ashis Nandy FIR, the smothering of Kashmir’s first all girls rock band’s music, and the removal of semi-nude paintings of Hindu deities from an art gallery upon the police’s ‘suggestion’. Another Rushdie-banning controversy is upon us, and yet another Facebook user’s arrest has made the news.

Clearly, our right to freedom of expression is under an ongoing siege. The onslaught comes in varied forms: bullying by members of society, informal government action with the overhanging threat of the law, and direct use of the law (and of a variety of legislations within it). Each form is encouraged, exacerbated even, by our problematic interpretation of freedom of expression principles. Our law allows a group of intolerant people to silence a speaker by creating a threat to public order or by threatening the speaker directly, and our state is proving utterly ineffectual in protecting speech from intolerance.

Instruments Deployed

India’s first Kashmiri all-girls band is tragic proof of horizontal attacks on speech – their music was silenced by the grandmufti’s declaring it ‘un-Islamic’, and the attendant social pressure that tends to follow. They were not protected from this horizontal attack. The Palghar incident also had echoes of horizontal pressure, which was used to directly bully Shaheen Dhada, via friends advising her to apologise and strangers slapping her, before the instrument of the law was used to bully her further.

The instrument of the law can be used in invisible, informal ways, as Bangalore’s Chitrakala Parishath incident illustrates. Here, the pressure of police ‘suggestion’, carrying the implied threat of the force of the law, was used to ensure that semi-nude paintings of Hindu deities were removed from an exhibition. It appears that this police ‘suggestion’ was motivated by the fear that those paintings could trigger law and order problems.

Vishwaroopam was banned using the law, specifically section 144 of the Code of Criminal Procedure, which empowers the government to issue orders “in urgent cases of nuisance or apprehended danger”. However, orders issued under section 144 would still need to observe the boundaries drawn for it in Article 19(2) of the Constitution.

Freedom and Public Order

Some may argue that controversial or offensive speech can legitimately be restricted since “public order” is one of the grounds for which our Constitution permits the restriction of the freedom of expression. However the original text of the Constitution did not include “public order” among its permissible grounds for restriction. This was inserted in the First Amendment of the Constitution, but was fortunately accompanied by the word ‘reasonable’ before restriction, thus ensuring that the freedom of expression can only be reasonably restricted under the exceptional circumstances listed in the Constitution.

This insertion of ‘public order’ came after the Supreme Court’s invalidation of government pre-censorship of speech on public order grounds in Romesh Thapar v. State of Madras (1950), declaring that the Constitution required that “nothing less than endangering the foundations of the State or threatening its overthrow could justify curtailment of the rights to freedom of speech and expression”. Therefore, Parliament amended the Constitution to expand the grounds on which the state could restrict speech, and included ‘public order’ among the expanded grounds. The trouble with this is that the intolerant are now able to create a public order problem to silence speakers.

The Supreme Court of India, in Babulal Parate vs State Of Maharashtra (1961) found that public order must be “maintained in advance in order to ensure it”, and ruled that restriction of Article 19 freedoms of expression and assembly in the interests of public order is permissible. However, all such restrictions must continue to satisfy the reasonability test laid down in the Constitution, providing our judiciary with the opportunity to ensure that intolerance does not continue to oppress speech.

The Heckler's Veto

The use of law to bully people into silence is not unique to India. Harry Kalven termed this ‘the hecklers’ veto’: if police action silences speakers for fear that the offended listeners might create a law and order problem, this effectively allows the listeners to veto what the speaker can say. There was a time when the heckler’s veto held sway in the United States and the United Kingdom. However, both countries’ legal principles have evolved to stop pandering to the intolerant, and it is time that India does the same.

Justice Hugo Black of the US Supreme Court, in his Feiner v. New York (1951) dissent, argued that the police must make all reasonable efforts to protect the speaker’s constitutional right to speak before interfering with this right. This dissenting opinion was later hailed as visionary. The US Supreme Court subsequently gradually recognised the evils of the heckler’s veto, which privileges and encourages intolerance. The United Kingdom also progressively narrowed its reading of the Public Order Act to ensure that speech is not restricted unless immediate violence is feared, and is now decriminalising insults which are not directed at a clearly identifiable victim.

The Indian Supreme Court’s judgment in the Rangarajan v. P. Jagjivan Ram (1989) echoes Justice Black’s denouncement of the heckler’s veto. It declares, “freedom of expression cannot be suppressed on account of threat of demonstration and processions or threats of violence. That would tantamount to …surrender to blackmail and intimidation. It is the duty of the State to protect the freedom of expression since it is a liberty guaranteed against the State. The State cannot plead its inability to handle the hostile audience problem”. However other judgments have shied away from confronting the fact that speech-related public order problems created by intolerance, not by speech.

Our legal system needs to take a firm, consistent stand against the heckler’s veto. We need to stop mirroring the evils of outdated law in fresh legislations like the Information Technology Act, and work instead to remove law and practices that institutionalise intolerance.

(The author teaches at National Law University, Delhi and is Fellow, Centre for Internet and Society.)

For more details visit https://cis-india.org/internet-governance/blog/the-hindubusinessline-feb-15-2013-chinmayi-arun-freedom-of-expression-gagged

Unique Identity Number (UID), National Population Register (NPR), and Governance

praskrishna — 2013-03-01T04:32:06Z

The Centre for Internet and Society and the Say No to UID campaign invite you to a workshop to discuss and learn about the present state of the UID and the NPR schemes. The event will be held on Saturday, March 2, 2013, at TERI, Bangalore, from 10.30 a.m. to 2.00 p.m.

Among other questions, the workshop will address:

What is the UID and NPR?
How do the UID and NPR impact citizenship?
Will NPR and UID schemes transform governance?
Why and how is national security linked with UID / NPR?
What is the relationship between UID and Big Data?

Speakers:

Usha Ramanathan, Independent Law Researcher and Human Rights Activist
Anant Maringanti, Hyderabad Urban Labs & Right to the City Foundation
Kaveri R, Researcher, CES, IISc

For more details visit https://cis-india.org/internet-governance/events/uid-and-npr

Foreign Funding of NGOs

praskrishna — 2013-03-04T23:52:31Z

Should FDI in India’s thinktank sector worry us? It is a debate long overdue.

This article by Prashant Reddy was published in the March issue of Open Magazine.

In 1976, at the height of the Emergency imposed by Indira Gandhi, India’s Parliament enacted a piece of legislation called the Foreign Regulation Contribution Act. It prohibited political parties and ‘organisations of a political nature’, civil servants and judges, as also correspondents, columnists and editors/owners of registered newspapers and news broadcasting organisations— and even cartoonists—from receiving foreign contributions.

The very fact that the Act makes a specific reference to cartoonists should be hint enough of the establishment’s paranoia vis-à-vis the ‘invisible hand’ of foreign powers back then. During a Rajya Sabha debate on the proposed bill on 9 March 1976, the term ‘CIA’ (Central Intelligence Agency) was mentioned at least 30 times by different legislators, while ‘Lockheed Martin’ (a military aerospace corporation) came up at least six times in the context of alleged instances of Americans pumping dollars into governments worldwide to buy influence during the Cold War.

The sentiment of the times was captured by the following statement made during that debate by Khurshid Alam Khan, father of India’s present Minister for External Affairs: “The CIA’s doings all over the world have very clearly indicated as to what could be done by foreign money and foreign interference.”

In 2010, a different parliament, with opposition members who had not been imprisoned like those in 1976, unanimously voted to update the law by passing the Foreign Contribution Regulation Act (FCRA). In fact, the Parliamentary Standing Committee that examined the bill was headed by the BJP’s Leader of Opposition in the Lok Sabha Sushma Swaraj, and it had no major objections.

This time round, there was no talk of the CIA or Lockheed Martin. Instead, concern was focused on the increasingly influential role of Non-Governmental Organisations (NGOs) as institutions of civil society in India. The term ‘NGO’ found at least 40 mentions during the Rajya Sabha debate on the 2010 bill. The main concern of the Upper House appeared to be a lack of transparency among NGOs receiving foreign contributions. Hence the calls to strengthen the monitoring regime, although several MPs expressed worry that the new law would give the Centre too much discretionary power to crack down on dissenting NGOs.

Worries about the 2010 Act’s overreach were validated last year when the Government used it to clamp down on NGOs involved in anti-corruption and anti-nuclear protests. As part of that exercise, at least four NGOs were booked under the FCRA for allegedly diverting foreign funds to aid the organisation of protests against the Koodankulam nuclear power plant in Tamil Nadu. Their bank accounts were frozen. The protests, however, did not end.

Perhaps the most ironic use of the FCRA was when the Ministry of Home Affairs reportedly held back potential funding from the US-based Ford Foundation for the Mumbai-based Institute for Policy Research Studies (IPRS), a thinktank that runs Parliamentary Research Service (PRS).

Incubated at the Centre for Policy Research (CPR), a Delhi-based thinktank, PRS was spun off and institutionalised as IPRS in 2010 as a Section 25 non-profit company with a registered office in Mumbai. The main aim of PRS was to provide non-partisan legislative research services to parliamentarians, most of whom are starved of resources to conduct independent research required to hold the Executive accountable in Parliament. The service’s popularity among MPs was obvious from the fact that several of them reportedly made individual representations to the Home Ministry against blocking foreign funds for its parent institute.

The tragedy of why Parliament does not have a public-funded service like PRS is a debate for another day, but choking the IPRS of foreign funds raises a question of hypocrisy since the Central Government routinely collaborates with a wide range of civil society thinktanks that receive funds from the West.

Let’s start with the Indian Council for Research on International Economic Relations (ICRIER). According to its filings with the MHA, accessible on the FCRA website (http://mha.nic.in/fcra.htm), ICRIER has received over Rs 11.5 crore in foreign donations from a range of international institutions such as the Asian Development Bank, World Bank, International Monetary Fund (IMF) and Sasakawa Peace Foundation between 2007 and 2012. This council, currently headed by Dr Isher Judge Ahluwalia, wife of Planning Commission Vice-chairperson Dr Montek Singh Ahluwalia, appears to have a cosy relationship with the present establishment. When the Government was in a fix over the contentious General Anti- Avoidance Rules (GAAR) of taxation, for example, it delegated the task of ironing out its problems to a four-member committee headed by Dr Parthasarathi Shome, a well-known economic policy expert at ICRIER. There are several other projects on which the Council’s faculty collaborates closely with the Government of India.

That thinktanks are well networked goes without saying. In fact, ICRIER and PRS were involved in quite a controversy during last year’s Parliament vote on Foreign Direct Investment in India’s multi-brand retail sector. As reported by India Today, (‘Foreign Direct Instruction for our MPs?’ 6 December 2012), IPRS had organised a ‘close-door’ meeting at Delhi’s Constitution Club the day before the vote, where MPs were briefed on the benefits of FDI by Professor Arpita Mukherjee of ICRIER. Some MPs had publicly labelled this a ‘lobbying’ effort.

Another example of close collaboration between the Centre and a thinktank that gets significant foreign funding is the one between the Government and the CPR, headed by Dr Pratap Bhanu Mehta. Between 2007 and 2012, according to its filings with the MHA, this thinktank received foreign funds of over Rs 40.8 crore from a range of donors such as the Ford Foundation, Google Foundation, International Development Research Centre, Economic and Social Research Council, Hewlett Foundation and IKEA Social Initiative.

Environmental policy is another area in which foreign-funded thinktanks have a significant impact. The Centre for Science and Environment (CSE), headed by Sunita Narain with a governing board that has Ela Bhatt, BG Verghese, Dr MS Swaminathan and Dr NC Saxena among others, has received over Rs 67.7 crore in foreign funds between 2006 and 2012. The CSE’s main donors, according to FCRA records, include the Denmark- based Dan Church Aid, Germany-based Evangelischer Entwicklungsdienst EV, Heinrich Boll Foundation and the Swedish International Development Cooperation Agency. Other donors include the Commission of European Communities and Government of India.

Going by the media coverage that CSE receives, it is safe to say that this thinktank has a profound influence on India’s environmental policy. An indication of its ties with the Government is the fact that the two had their own ‘side-event’ at the recently concluded Doha talks on climate change.

The other green thinktank with generous foreign contributions that works closely with the Government is The Energy and Resources Institute (TERI). Consider this: the International Bioenergy Summit of 2012 held in New Delhi was organised by TERI and sponsored by the Department of Biotechnology (DBT). According to its FCRA filings, TERI, with a staff of over 900, has received about Rs 155.9 crore between 2006 and 2012 from a vast variety of donors.

In the field of health policy, one of the most influential thinktanks is the Public Health Foundation of India (PHFI). Since it was founded in 2006, it has received a total of Rs 219 crore in funds, its biggest foreign donor being the Bill and Melinda Gates Foundation and biggest Indian donor being the Government of India. Other foreign donors, according to FCRA filings, include the National Institutes of Health (of the US government), Welcome Trust, International Development Research Centre and MacArthur Foundation.

A public-private initiative, the PHFI is expected to shape India’s approach to public health policy over the next decade. An example of its influence on India’s health policy is the fact that its secretariat has been thanked and praised in a report of the High Level Expert Group constituted by the Planning Commission to frame a new policy on ‘universal health coverage’ for all Indians.

On matters of internet policy, the Centre for Internet and Society (CIS), a Bangalore-based thinktank focused on internet governance and intellectual property issues, has been a member of some key government committees, like the one under Justice AP Shah to study privacy laws in India. The CIS also receives foreign funding. According to its website, it has received over Rs 8.3 crore in funds, a significant portion of it from foreign donors like the UK-based Kusuma Trust, which was founded by Anurag Dikshit, an Indian businessman who made a fortune selling his stake in a popular online gambling website. He eventually donated most of his wealth to the Kusuma Trust, which funds various charities across the world.

In the human rights space, there is the famous Lawyers Collective, which, apart from its human rights advocacy, also provides legal aid to members of disadvantaged communities. Although this collective does not appear to work all that closely with the Government, it is interesting to note that it was founded by Indira Jaising, who is currently one of the Centre’s Additional Solicitor Generals. Since 2006, according to its FCRA filings, the organisation has received around Rs 21.8 crore in foreign funds from the Ford, Levi Strauss and Open Society foundations and from the Campaign for Tobacco Free Kids, Swedish International Development Cooperation Agency, among others.

Another thinktank that deserves a mention is the Centre for Civil Society (CCS), which was founded by Dr Parth J Shah and has a ‘Board of Scholars’ with Isher Judge Ahluwalia, Jagdish Bhagwati, Lord Meghnad Desai and Swaminathan Anklesaria Aiyar, among others, as members. While it is not clear from its website whether it works closely with the Government, it was ranked 51st in a recent global survey of thinktanks by University of Pennsylvania. According to a CCS press release, these rankings were ‘based on not just our research and analysis, but also on our engagement with policy makers and ability to influence policy decisions’. The CCS’s rank was quite a surprise, given its modest resources. According to its FCRA filings, between 2006 and 2011, it received about Rs 6.2 crore from foreign donors such as the Atlas Economic Research Foundation, John Templeton Foundation and International Policy Network. As per its audited accounts, available on its website, donations from Indian donors were equally modest.

The above examples demonstrate the influence of foreign funded thinktanks on almost every major aspect of Indian policy today, be it economic or environmental, related to public health or internet governance.

Is this good or bad for India as a country? Given that most sectors of the economy are now open to foreign investment, does it make sense to regulate and restrict foreign funds for such thinktanks under laws like the FCRA?

The answer depends on what Indian society expects of them. Do we expect them to be completely independent of donors in their views? Would an organisation like the CSE still get foreign funds from European donors if it were to readily welcome genetically modified (GM) food in India? In such circumstances, how independent should we expect these thinktanks to be in the arena of policy?

Absolute objectivity—or at a least public perception of it—is an absolute myth. No matter who funds a thinktank, be it foreigners or Indians, it is impossible to be seen as such. The more pressing issue is of transparency. Are Indian policymakers aware of the details of foreign funds received by these thinktanks?

Take, for example, a recent Parliamentary Standing Committee report that expressed serious reservations about GM food. The Committee repeatedly quotes with approval the deposition of Dr Vandana Shiva against GM food. A little-known fact about Dr Shiva is that her organisation, Navdanya, according to its FCRA filings, has received a total of Rs 16.7 crore between 2006 and 2012 in foreign donations from mainly European organisations (some of which also contribute to the CSE) like Bread for the World, Diakonie Emergency Aid, Hivos Foundation, Evangelischer Entwicklungsdienst EV, RSF Innovations in Social Finance, and even from the European Union itself.

Would a Parliamentary Standing Committee headed by an MP of the CPM, a party that is always suspicious of the ‘foreign hand’, show the same deference to Dr Shiva’s views if its members knew of Navdanya’s European donors, several of which are also Christian churches?

In an op-ed article in The Indian Express (‘Do not disagree’, 29 February 2012), Dr Pratap Bhanu Mehta while criticising the FCRA, states, ‘Of course, NGOs should be transparent and accountable in terms of their sources of funding.’ Yet, the CPR, of which Dr Mehta is president, only discloses the names of its donors in its annual report, and that too without revealing the amounts received from each. Similarly, Navdanya offers no information on either of its websites, Indian and Italian (navdanyainternational.it), on any of its funding. Other thinktanks like the PHFI and CIS offer a more detailed breakup of their different sources of funding, while some like the CSE and CCS provide only a roll of donor names and a figure of cumulative funding with no breakup of individual contributions. So, while these thinktanks are forced to disclose their foreign funding sources to the MHA under the FCRA, why do they not volunteer exhaustive information on their own websites?

An amusing facet of this is that the Central Government and Corporate India are more transparent (even if forced to be) than these civil society institutions, thanks to the Right to Information Act, 2005, and the extensive disclosure requirements under the Companies Act, 1956. Of companies in particular, information is accessible over the internet on the MCA21 website of the Ministry of Corporate Affairs. This contrast is amusing because some of these thinktanks never tire of demanding transparency of the State and corporate sector.

For several thinktanks, it is often hard to figure out something as basic as the nature of the legal entity through which they conduct their activities. Are they societies, associations or trusts? More pertinently, why is the Government not pushing for a stricter transparency regime? A major stumbling block may be the fact that these thinktanks are set up under state laws and it is difficult for the Central Government to coordinate a nationwide transparency regime. However, given that most are beneficiaries of income tax exemptions, it may be possible for the Centre to use the Income Tax Act to demand comprehensive disclosures. Since they enjoy tax benefits, they might also qualify as ‘public authorities’ under the Right To Information Act, 2005.

Another reason that disclosure of funding is important is to inform the analysis of people who usually see NGOs as selfless entities dedicated to nothing but a higher cause. While this may be true of some NGOs, many leaders of these set-ups have personal stakes in ensuring certain outcomes. After all, future donor grants often depend on sustaining one’s influence in the policy space. Many of the institutions described in this article have been regular recipients of funds from the same sources year after year.

Another question is the volume of funds coming in and where it will leave India’s public institutions that were originally meant to aid policymaking with unbiased intellectual inputs. How are cash-strapped Indian universities to compete with these well-funded thinktanks?

Government-run institutions of higher learning are supposed to have an inbuilt guarantee of academic independence, but would their scholarly voices be drowned out by those backed by bigger resources?

Also, given the frequency with which a few foreign funders appear on donor lists, is it time to worry about their influence on Indian policies? After all, generous funding lets the faculty of these thinktanks jetset around the world to attend conferences, organise seminars in India and network with officials at a level that most public universities cannot afford. How does this impact our civil society discourse? Should Parliament limit the amount that a single foreign entity can donate, or are we better off sticking to a regulatory regime that only insists on a set of disclosure norms?

On a concluding note, let us not forget that a large part of the credit for the RTI Act of 2005—the country’s most empowering piece of legislation since the Constitution of 1950—goes to the advocacy efforts of the Mazdoor Kisan Shakti Sangathan (MKSS), a farmers group in Rajasthan that does not accept institutional funding from either India or overseas. Bank interest on its corpus and donations by individuals are the MKSS’s only sources of funding. Together, the two gave it Rs 30 lakh for the financial year 2010-11, details of which are available on its website.

For more details visit https://cis-india.org/news/openmagazine-article-business-prashant-reddy-march-2-2013-foreign-funding-of-ngos

Cyber security, surveillance and the right to privacy: country perspectives

praskrishna — 2013-01-23T12:10:23Z

This blog post is fourth in a series of eight blog posts to report on the “Third South Asian Meeting on the Internet and Freedom of Expression” recently concluded in Dhaka, Bangladesh.

This post was published in the Internet Democracy Project Website on January 22, 2013. All the blog posts in this series are written by Richa Kaul Padte, the official rapporteur at the meeting.

'The best way to protect people’s rights is to enable people to protect their rights themselves' – Chinmayi Arun

Pranesh Prakash, CIS India	Opening the session on cyber security, surveillance and privacy, moderator Pranesh Prakash from the Centre for Internet and Society (India) frames the debate by talking about how the principles raised by discussions on security, privacy and surveillance are always in tension with each other. ‘The boundaries that have been drawn in a pre-digital era don’t apply online always [and] the classic model of state-controlled surveillance is not as relevant [today].’

Taking forward the discussion by setting both a global and national framework around the issue, Assistant Professor at the Delhi-based National Law University Chinmayi Arun brings to light the ways in which cyber security is consistently tabled on several global agendas; however, with little to no meaningful parallel discussions around the right to privacy. She also connects the idea of surveillance to notions of censorship vis a vis freedom of expression, and poignantly states: ‘surveillance is a lot more insidious than censorship – [so much] more can take place before people realise it is happening.’ Prakash furthers this idea in his transition between country perspectives by highlighting the ways in which surveillance measures are already established and heavily pervasive, with both Prakash and Arun advocating greater transparency in areas where these measures are in place. As Arun says, ‘it’s not true that every instance of surveillance needs to be secret until it’s done’, and distinguishing between necessary surveillance measures (in the case of crime investigations, for example) and those that position all people as criminals who must be monitored, is key to taking the discussion forward.

Chinmayi Arun, National Law University Delhi, India

Mohammed Nazmuzzaman Bhuian, Dhaka University

Mohammad Nazmuzzaman Bhuian, an Associate Professor from the University of Dhaka, opens a Bangladeshi country perspective with the question, ‘how does a cyber security act become a surveillance act?’ A cyber crime refers to any crime that involves a computer or a network, and the crimes under this can play out in two ways. The computer itself may be a target, or it may be used to carry out a crime. It is when it is used to carry out a crime that the question of online surveillance arises

Offering another perspective from Bangladesh, Head of the Centre for IT Security and Privacy and Assistant Professor, University of Asia Pacific, Mohammad Shahriar Rahman, discusses the manipulation of security and surveillance laws by the State in order to create greater security for itself. He cites the ban of YouTube in the country in response to a US-produced video ridiculing the Prophet Mohammed and the attacks on bloggers who have advocated for free speech on the Internet, including speech that may be anti-authoritarian or anti-religious. These examples echo Mariyath Mohamed’s perspectives on the interplay between religion, politics and censorship from the previous session, which clearly resound through many South Asian countries.

Mohammad Shahriar Rahman, University of Asia Pacific, Bangladesh

Kailash Prasad Neupane, Nepal Telecommunications Authority	Perspectives from Nepal, offered by speaker Kailash Prasad Neupane from the Nepal Telecommunications Authority, highlight the acute similarities between the laws in different South Asian countries, which all position the freedom of expression as ‘subject to certain restrictions’, where the subjectivity of the clause tends to be interpreted by a powerful and majority State against its minority citizens, thus undermining both democracy and citizens’ rights. As Rahman says, ‘if the government wants to be seen as democratic in these times, they need to realise you can’t jail everyone who is critical of the Prime Minister.’

Speaking from the floor, Bishakha Datta, from Mumbai-based women’s media organisation Point of View, expands on the speakers’ views by highlighting the ways in which, given the extensive measures of State security and surveillance, societies themselves become structured around a culture of surveillance that citizens in turn internalise and see as a necessary part of their lives. She asks, ‘when we talk about the right to privacy, are we saying that we are willing to accept surveillance as long as our privacy is maintained, or are we opposing it on the grounds of privacy?’ Echoing Prakash’s idea that ‘the way in which security and privacy are portrayed as being at loggerheads is false’, Arun responds to Datta by advocating privacy as the starting point for all discussions surrounding security. In summary she states, ‘we must underline our right to privacy,and that right must always dominate. One must always start with that right, and then narrow the circumstances in which, only when it is absolutely necessary and to the extent absolutely necessary, it may be violated.’ And it is through this consistent demand for the right to privacy, and the placing of citizens and individuals (rather than the interests of the State) at the heart of these conversations, that we can see security and privacy as co-existing notions that work to ensure, rather than suppress, freedom of expression.	Bishakha Datta, Point of View, India

For more details visit https://cis-india.org/news/internet-democracy-richa-kaul-padte-jan-22-2013-cyber-security-surveillance-and-the-right-to-privacy

Electoral Databases – Privacy and Security Concerns

snehashish — 2014-01-16T11:07:21Z

In this blogpost, Snehashish Ghosh analyzes privacy and security concerns which have surfaced with the digitization, centralization and standardization of the electoral database and argues that even though the law provides the scope for protection of electoral databases, the State has not taken any steps to ensure its safety.

The recent move by the Election Commission of India (ECI) to tie-up with Google for providing electoral look-up services for citizens and electoral information services has faced heavy criticism on the grounds of data security and privacy.[i] After due consideration, the ECI has decided to drop the plan.[ii]

The plan to partner with Google has led to much apprehension regarding Google gaining access to the database of 790 million voters including, personal information such as age, place of birth and residence. It could have also gained access to cell phone numbers and email addresses had the voter chosen to enroll via the online portal on the ECI website. Although, the plan has been cancelled, it does not necessarily mean that the largest database of citizens of India is safe from any kind of security breach or abuse. In fact, the personal information of each voter in a constituency can be accessed by anyone through the ECI website and the publication of electoral rolls is mandated by the law.

Publication of Electoral Rolls
The electoral roll essentially contains the name of the voter, name of the relationship (son of/wife of, etc.), age, sex, address and the photo identity card number. The main objective of creation and maintenance of electoral rolls and the issue of Electoral Photo Identity Card (EPIC) was to ensure a free and fair election where the voter would have been able to cast his own vote as per his own choice. In other words, the main purpose of the exercise was to curtail bogus voting. This is achieved by cross referencing the EPIC with the electoral roll.

The process of creation and maintenance of electoral rolls is governed by the Registration of Electors Rules, 1960. Rule 22 requires the registration officer to publish the roll with list of amendments at his office for inspection and public information. Furthermore, ECI may direct the registration officer to send two copies of the electoral roll to every political party for which a symbol has exclusively been reserved by the ECI. It can be safely concluded that the electoral roll of a constituency is a public document[iii] given that the roll is published and can be circulated on the direction of the ECI.

With the computational turn, in 1998 the ECI took the decision to digitize the electoral databases. Furthermore, printed electoral rolls and compact discs containing the rolls are available for sale to general public.[iv] In addition to that, the electoral rolls for the entire country are available on the ECI website.[v] However, the current database is not uniform and standardized, and entries in some constituencies are available only in the local language. The ECI has taken steps to make the database uniform, standardized and centralized.[vi]

Security Concerns
The Registration of Electoral Rules, 1960 is an archaic piece of delegated legislation which is still in force and casts a statutory duty on the ECI to publish the electoral rolls. The publication of electoral rolls is not a threat to security when it is distributed in hard copies and the availability of electoral rolls is limited. The security risks emerge only after the digitization of electoral database, which allows for uniformity, standardization and centralization of the database which in turn makes it vulnerable and subject to abuse. The law has failed to evolve with the change in technology.

In a recent article, Bill Davidow analyzes "the dark side of Moore’s Law" and argues that with the growth processing power there has been a growth in surveillance capabilities and on this note the article is titled, “With Great Computing Power Comes Great Surveillance”[vii] Drawing from Davidow’s argument, with the exponential growth in computing power, search has become convenient, faster and cheap. A uniform, standardized and centralized database bearing the personal information of 790 million voters can be searched and categorized in accordance with the search terms. The personal information of the voters can be used for good, but it can be equally abused if it falls into the wrong hands. Big data analysis or the computing power makes it easier to target voters, as bits and pieces of personal information give a bigger picture of an individual, a community, etc. This can be considered intrusive on individual’s privacy since the personal information of every voter is made available in the public domain

For example, the availability of a centralized, searchable database of voters along with their age would allow the appropriate authorities to identify wards or constituencies, which has a high population of voters above the age of 65. This would help the authority to set up polling booths at closer location with special amenities. However, the same database can be used to search for density of members of a particular community in a ward or constituency based on the name, age, sex of the voters. This information can be used to disrupt elections, target vulnerable communities during an election and rig elections.

Current IT Laws does not mandate the protection of the electoral database
A centralized electoral database of the entire country can be considered as a critical information infrastructure (CII) given the impact it may have on the election which is the cornerstone of any democracy. Under Section 70 of the Information Technology Act, 2000 (IT Act) CII means “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy.”[viii] However, the appropriate Government has not notified the electoral database as a protected system[ix]. Therefore, information security practices and procedures for a protected system are not applicable to the electoral database.

The Information Technology Rules (IT Rules) are also not applicable to electoral databases, per se. Since, ECI is not a body corporate, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), Rules, 2011 (hereinafter Reasonable Security Practices Rules) do not apply to electoral databases. Ignoring that Reasonable Security Practices Rules only apply to a body corporate, the electoral database does fall within the ambit of definition of “personal information”[x] and should arguably be made subject to the Rules.

The intent of the ECI for hosting the entire country’s electoral database online inter alia is to provide electronic service delivery to the citizens. It seeks to provide “electoral look up services for citizens ... for better electoral information services.”[xi] However, the Information Technology (Electronic Service Delivery) Rules, 2011 are not applicable to the electoral database given that it is not notified by the appropriate Government as a service to be delivered electronically. Hence, the encryption and security standards for electronic service delivery are not applicable to electoral rolls.

The IT Act and the IT Rules provide a reasonable scope for the appropriate Government to include electoral databases within the ambit of protected system and electronic service delivery. However, the appropriate government has not taken any steps to notify electoral database as protected system or a mode of electronic service delivery under the existing laws.

Conclusion
Publication of electoral rolls is a necessary part of an election process. It ensures free and fair election and promotes transparency and accountability. But unfettered access to electronic electoral databases may have an adverse effect and would endanger the very goal it seeks to achieve because the electronic database may pose threat to privacy of the voters and also lead to security breach. It may be argued that the ECI is mandated by the law to publish the electoral database and hence, it is beyond the operation of the IT Act. But Section 81 of the IT Act has an overriding effect on any law inconsistent, therewith. The appropriate Government should take necessary steps under the IT Act and notify electoral databases as a protected system.

It is recommended that the Electors Registration Rules, 1960 should be amended, taking into account the advancement in technology. Therefore, the Rules should aim at restricting the unfettered electronic access to the electoral database and also introduce purposive limitation on the use of the electoral database. It should also be noted that more adequate and robust data protection and privacy laws should be put in place, which would regulate the collection, use, storage and processing of databases which are critical to national security.

[i] Pratap Vikram Singh, Post-uproar, EC’s Google tie-up plan may go for a toss, Governance Now, January 7, 2014 available at http://www.governancenow.com/news/regular-story/post-uproar-ecs-google-tie-plan-may-go-toss

[ii] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

[iii] Section 74, Indian Evidence Act, 1872

[iv] eci.nic.in/eci_main1/the_function.aspx

[v] http://eci.nic.in/eci_main1/Linkto_erollpdf.aspx

[vi] “At present, in most States and UTs the Electoral Database is kept at the district level. In some cases it is kept even with the vendors. In most States/UTs it is maintained in MS Access, while in some cases it is on a primitive technology like FoxPro and in some other cases on advanced RDBMS like Oracle or Sql Server. The database is not kept in bilingual form in some of the States/UTs, despite instructions of the Commission. In most cases Unicode fonts are not used. The database structure not being uniform in the country, makes it almost impossible for the different databases to talk to each other” – Election Commission of India, Revision of Electoral Rolls with reference to 01-01-2010 as the qualifying date – Integration and Standardization of the database- reg., No. 23/2009-ERS, January 6, 2010 available at eci.nic.in/eci_main/eroll&epic/ins06012010.pdf

[vii] http://www.theatlantic.com/technology/archive/2014/01/with-great-computing-power-comes-great-surveillance/282933/

[viii] Section 70, Information Technology Act, 2000

[ix] Computer resource which directly or indirectly affects the facility of Critical Information Infrastructure

[x] Rule 2(1)(i), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[xi] Press Note No.ECI/PN/1/2014, Election Commission of India , January 9, 2014 available at http://eci.nic.in/eci_main1/current/PN09012014.pdf

For more details visit https://cis-india.org/internet-governance/blog/electoral-databases-2013-privacy-and-security-concerns