Centre for Internet and Society

Prof. Subbiah Arunachalam

sunil — 2008-10-31T09:31:27Z

For more details visit https://cis-india.org/openness/blog-old/uploads/dsc_0395.jpg

Dr. Zakir Thomas

sunil — 2008-10-31T09:33:44Z

For more details visit https://cis-india.org/openness/blog-old/uploads/dsc_0388.jpg

Dr. Andrew Lynn

sunil — 2008-10-31T09:36:55Z

Dr. Andrew Lynn

For more details visit https://cis-india.org/openness/blog-old/uploads/dsc_0384.jpg

Dr. Anshu Bharadwaj

sunil — 2008-10-31T09:38:40Z

Dr. Anshu Bharadwaj

For more details visit https://cis-india.org/openness/blog-old/uploads/dsc_0393.jpg

Privacy vs. Transparency: An Attempt at Resolving the Dichotomy

sunil — 2015-03-08T06:26:21Z

The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).

With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to his attention. The blog post originally published by Omidyar Network can be read here. Also see http://newint.org/features/2015/01/01/privacy-transparency/

In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.

The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.

So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. Rather this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power.[*]

In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given uneven quality of case law there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.

Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little bit closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activist works where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather that focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.

Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.

In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.

The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.

Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing a digital signature based on audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.

I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.

Videos

Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights

Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector

The videos can also be watched on Vimeo:

[*].http://prospect.org/article/real-significance-wikileaks “Transparency should be proportional to the power that one has.”

Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session here. (ODP File, 35 kb)

Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.

For more details visit https://cis-india.org/openness/blog-old/privacy-v-transparency

The Five Monkeys & Ice-cold Water

sunil — 2012-10-30T10:43:38Z

The Indian government provides leadership, both domestically and internationally, when it comes to access to knowledge.

This article by Sunil Abraham was published in Deccan Chronicle on September 16, 2012.

Our domestic patent policy ensures that generic medicines are available and largely affordable not only within India but also in Africa and elsewhere. It also allows Indians to consume a wide range of technological innovations without worrying about legal bans that are an otherwise common feature in the developed countries, thanks to phenomena such as the ongoing mobile phone patent wars.

Copyright policy, including the last amendment of the copyright act, has ensured that fair dealing and the rights of students, researchers, disabled, etc., are protected. Texts, audio and video for education and entertainment are relatively affordable, especially in comparison to other countries in the Asia-Pacific.

Even at the World Intellectual Property Organisation, other developing countries look to India for guidance. The interventions of the copyright registrar G.R. Raghavender and the Indian team won praise during the most recent round of negotiations for the Treaty for the Visually Impaired. An excellent example of India's soft power protecting public interest at home and abroad.

In diametrical contrast, India has a terrible track record when it comes to freedom of expression, especially expression mediated by networked technologies such as telecommunications and the Internet.

Our policy-makers seem determined to extinguish the privacy of communications and also anonymous/pseudonymous speech through such devices as Know Your Customer (KYC) and data retention requirements for accessing the Internet through cyber-cafes, mobile phones, dial-up or broadband, ban on open wi-fi networks, plans to tie together Aadhaar and NATGRID and Central Monitoring System (CMS) to track a citizen using his/her UID across devices, networks and intermediaries, and requiring real-time interception equipment to be installed at all network and data centres.

All these without any horizontal privacy law or a data protection law that is compliant with international best practices. Security hawks argue that this pervasive, multi-tiered surveillance regime helps thwart criminal and terrorist attacks, but its poor design extracts a terrible price in terms of freedom of expression.

Citizens who cannot express themselves anonymously and privately begin to censor themselves, seriously undermining our democracy, which is most importantly founded on an anonymous expression, the electoral ballot.

In addition, in April 2011, rules under the amended IT Act were notified for intermediaries that have a chilling effect on free speech via unclear and unconstitutional limits on freedom of expression, encouragement of private censorship without any notice to those impacted, missing procedure for redress, and lack of penalties for those who abuse the rules to target legitimate speech. This was followed by calls for proactive censorship of social media, which caused much outrage amongst the twitterati.

Even when the government had legitimate grounds (the recent exodus of North-East Indians) to censor free speech, it overreached and acted incompetently, cracking down on parody accounts on social media rather than carefully configuring the text message ban. As if that weren't enough, the government beats up a cartoonist and jails him for sedition.

There’s a plan behind such attacks on free speech. The powerful in India, with their fragile egos, can afford expensive lawyers who can ensure that for those who dare to speak their mind, “the process is the punishment”, as Lawrence Liang of the Alternative Law Forum put it. Needless to say, cartoonists and others that dare to speak their mind cannot usually afford the time and expense of courts.

An experiment featuring monkeys, bananas and ice-cold water, commonly attributed to the late American psychologist Harry Harlow, explains what’s being attempted by those who attack free speech. First, five monkeys are put in a cage with bananas hanging from the top that can be reached by climbing a ladder. Every time one of the monkeys try to climb the ladder, ice-cold water is thrown on all of them. Soon, the monkeys learn not to climb the ladder.

Then, one of them is replaced with a monkey that has never been drenched with ice-cold water. When the new monkey tries to climb the ladder, the other four monkeys attack it and prevent it from reaching the banana. This is continued till all the original monkeys are replaced with new ones.

When that’s done, although none of the monkeys left in the cage has ever been drenched with ice-cold water, they continue to enforce the regulation on themselves. This is what has happened in China. This is what is being attempted here – to social engineer the Indian netizen.

For more details visit https://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water

Censoring the Internet: A brief manual

sunil — 2012-08-24T09:39:03Z

Blocking websites on the Internet should be proportionate to harm they intend. However, the government of India's approach is against the principles of natural justice.

Published in Tehelka on August 23, 2012.

When: Speech should be regulated when there is harm, or when there is clear and imminent harm. The extent of regulation must be in proportion to the harm.

The mass exodus of people from the Northeast, from certain Indian-cities is clear indication of a ‘public order’ crisis. The government of India, for the very first time, has legitimate reasons for cracking down on intermediaries such as Google and Facebook and their users, unlike in the past when only the egos of politicians, bureaucrats and others in public office or public life were at stake. In most cases temporary restrictions on speech are sufficient to mitigate harm. When potential for harm has dissipated the restrictions should be lifted. Whilst videos and images related to the violations of the human-rights to the Rohingya community might be sensitive material today, there is no reason why such content should be blocked forever, unlike, for example, in the case of child pornography.

How: Does this mean that the Internet rules that were notified in April last year were future-looking policies justified in retrospect? No. When a block is implemented, or a takedown is complied with, three types of notices are required — either immediately or after the imminent harm has been prevented. First, the censored individuals/groups should be informed, so that they can seek redressal and reinstatement; second, those trying to consume the censored material must be warned; and third, the general public has a right to know either immediately or in due course.

Even in authoritarian states like Saudi Arabia, visitors to blocked websites are given clear reasons why the website was blocked along with contact details to seek redressal. There are, also, safe harbour provisions for intermediaries, meaning that they absolve themselves of liability in exchange for acting upon takedown orders sent by non-state actors. Suitable safeguards are required to prevent over-compliance by intermediaries, and the resulting chilling effect on free speech as demonstrated by CIS's research. The intermediary liability rules under the Indian IT Act 2008 have no such safeguards and therefore does not comply with principles of natural justice.

Who: Block and takedown orders need to be very specific. The advisory note issued to Internet intermediaries by the Department of Electronics and Information Technology, Ministry of Communications & Information Technology on the 17 August did not mention details such as URLs, user accounts, group names and content identifiers. Most of the censored material at first glance, appears to be communal in nature. Unfortunately, there are several URLs from mainstream media publications, a few Wikipedia pages and also at least two blog entries debunking rumours in the list, perhaps because of oversight. Images of unrelated human rights violations featuring people with similar racial features are being used to fuel the current rumours. However, blocking all websites featuring such images will not stop such rumour mongering. Censorship must be targeted and proportionate to the potential harm.

Why: Speaking aloud just once in the analog world could either result in harm or good. Imagine shouting “bomb” in a crowded airport. The network effect of technologies such as SMS, social media and micro-blogging amplifies the impact of speech. Article 19(2) of the Constitution of India lists eight reasons for which reasonable restrictions may be applied to the right to free speech. This applies to both analog and speech mediated via networked technologies. Some of these restrictions such as 'public order' and 'incitement to discrimination, hostility or violence' are part of international treaties such as the International Covenant on Civil and Political Rights. Fringe phenomenon and exceptional circumstances should not be the basis for formulating policy. For example — knives used as murder weapons does not necessitate regulations on cutlery. Similarly, criminalising rumour mongering will not prevent false information from going viral, online, and disrupting public order. Videos and photos are doctored and manipulated for a wide variety of legitimate reasons. The existing law regulating speech in the interests of public order are sufficient to deal with the circulation of falsehoods on social media.

Sunil Abraham is the Executive Director of Bangalore based research organisation, the Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/www-tehelka-com-sunil-abraham-august-23-2012-censoring-the-internet

To regulate Net intermediaries or not is the question

sunil — 2012-08-26T06:12:48Z

Given the disruption to public order caused by the mass exodus of North-Eastern Indians from several cities, the government has had for the first time in many years, a legitimate case to crackdown on Internet intermediaries and their users.

Sunil's column was published in the Deccan Herald on August 26, 2012.

There was, of course, much room for improvement in the manner in which the government conducted the censorship. But the policy question that becomes most pertinent now is: do we need to regulate Internet intermediaries further? The answer is yes and no.

There are areas where these intermediaries need to be regulated in order to protect citizen and consumer interest. But to deal with rumour-mongering and hate speech, there is sufficient provisions in Indian law to deal with the current disruption in public order and any similar disruptions in the future.

It is a common misunderstanding to assume that all civil society organisations that advocate civil liberties on networked technologies are regulatory doves that wish to dismantle regulation of the private sector and allow them complete free hand for innovation and, perhaps, causing harm to public interest.

The opposite is also not necessarily true. We are not hawks, those that believe in maximal regulation of the private sector. The state should regulate the private sector in areas where the citizens are unable to protect their own interest and self-regulation is inadequate. But there are many other areas where regulation needs to be dismantled in the interests of citizen and public interest.

Dr Rohan Samarajiva, founder of a Colombo-based regional policy think tank LIRNEasia, explains this best using the ‘law of soft toys’. When his daughter was young he told her that in Sri Lanka there was a law which mandated that every time she got a new soft toy, she would have to necessarily give away another one.

The regulatory lesson here is: the mandate for regulation cannot keep endlessly expanding. As the government moves into new areas of regulation, it should also exit other older areas where regulatory rupee is providing limited returns. These decisions should be based on evidence of harm caused to citizens and consumers. The following are a list of areas where regulation is required for Internet intermediaries:

Privacy: India needs the office of the privacy commissioner established and an articulation of national privacy principles through the enactment of the long awaited Privacy Act. This privacy commissioner should be able to investigate complaints against intermediaries, proactively investigate companies, order remedial action and fine companies that violate the principles and other policies in force. Remedial action could require change in policies, features, data retention policies and services etc.

Competition: Many of these intermediaries have been taken to court on anti-trust complaints, fined and subjected to remedial action by regulators in America and Europe.

Earlier this year, BharatMatrimony.com has filed a complaint against Google at the Competition Commission of India (CCI) alleging anti-competitive practices in its Adwords program. In addition, based on a report submitted by Consumer Unity & Trust Society (CUTS), a civil society organisation, CCI has initiated an investigation into Google's search engine for anti-competitive practices. If they are found guilty of breaking competition law they could be fined up to 10 per cent of their turnover.

Speech: Article 19(2) of the Constitution permits Parliament to enact laws that place eight categories of reasonable restrictions on speech. Unfortunately, the Information Technology Act and its associated rules attempts to expand these restrictions and in addition does not comply with the principles of natural justice. Ideally, all those impacted by the censorship should be informed and should be able to seek redress and reinstatement for the censured speech.

The policy sting operation conducted by the Centre for Internet and Society (CIS) last year demonstrated that intermediaries are risk-averse and tend to over-comply with takedown notices. There is a clear chilling effect on speech online and it is important that the Act and rules be amended at the earliest.

Intellectual Property: Policies that fall under this inappropriate umbrella term for many differently configured laws make the yet unproven fundamental assumption that granting limited monopolies to rights holders, usually corporations, will result in greater innovation. However, citizen and consumer interest is protected through provisions for exceptions and limitations in laws such as copyright, patent, trademarks etc. Some examples of these safeguards that guarantee access to knowledge in Indian law include compulsory licences, patent opposition, fair-dealing etc.

There are many other areas where special treatment may be required for intermediaries. For example tax law needs to handle evasion techniques like the Double Irish and the Dutch Sandwich. Given my lengthy wish-list of regulation of Internet intermediaries, why then has CIS become an NGO member of the Global Network Initiative?

This is because I believe that technological development happen too quickly for us to purely depend on government regulation. Self-regulation has an important role to play in keeping up with these rapid changes. As self-regulatory norms mature they could be formalised into policy by the government.

Therefore, I consider it a privilege that CIS has been accepted as a member of this self-regulatory initiative and we influence GNI norms using our Indian perspective. However, when self-regulation fails to protect public interest, then the government must step in to regulate Internet intermediaries.

For more details visit https://cis-india.org/internet-governance/www-deccan-herald-aug-26-2012-to-regulate-net-intermediaries-or-not-is-the-question

Fixing Aadhaar: Security developers' task is to trim chances of data breach

sunil — 2018-01-10T16:47:59Z

The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.

The article was published in Business Standard on January 10, 2017

I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.

The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.

In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language, for layman the key takeaway is a single national ID for all persons and all purposes is an ahistorical and unworkable solution.

Revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters

monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.

Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.

On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifier where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible referring to a similar scheme in the LSE identity report.Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar

Data Protection: We can innovate, leapfrog

sunil — 2018-01-22T01:45:46Z

About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.

The article was published in the Deccan Herald on January 20, 2018.

Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.

Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.

n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.

The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.

n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."

n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.

n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.

The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog

Privacy worries cloud Facebook's WhatsApp Deal

sunil — 2014-03-20T05:59:28Z

Privacy activists in the United States have asked the competition regulator or the Federal Trade Commission to put on hold Facebook's acquisition of WhatsApp. Why have they done this when Facebook has promised to leave WhatsApp untouched as a standalone app?

Read the original published in the Economic Times on March 14, 2014

Activists have five main concerns.

Facebook has a track record of not keeping its promises to users.
The ethos of both companies when it comes to privacy is diametrically opposite.
The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
Facebook slurping WhatsApp's large repository of phone numbers.
Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-march-14-2014-sunil-abraham-privacy-worries-cloud-facebook-whatsapp-deal

Net Freedom Campaign Loses its Way

sunil — 2014-05-27T11:07:04Z

A recent global meet was a victory for governments and the private sector over civil society interests.

The article was published in the Hindu Businessline on May 10, 2014.

One word to describe NetMundial: Disappointing! Why? Because despite the promise, human rights on the Internet are still insufficiently protected. Snowden’s revelations starting last June threw the global Internet governance processes into crisis.

Things came to a head in October, when Brazil’s President Dilma Rousseff, horrified to learn that she was under NSA surveillance for economic reasons, called for the organisation of a global conference called NetMundial to accelerate Internet governance reform.

The NetMundial was held in São Paulo on April 23-24 this year. The result was a statement described as “the non-binding outcome of a bottom-up, open, and participatory process involving … governments, private sector, civil society, technical community, and academia from around the world.” In other words — it is international soft law with no enforcement mechanisms.

The statement emerges from “broad consensus”, meaning governments such as India, Cuba and Russia and civil society representatives expressed deep dissatisfaction at the closing plenary. Unlike an international binding law, only time will tell whether each member of the different stakeholder groups will regulate itself.

Again, not easy, because the outcome document does not specifically prescribe what each stakeholder can or cannot do — it only says what internet governance (IG) should or should not be. And finally, there’s no global consensus yet on the scope of IG. The substantive consensus was disappointing in four important ways:

Mass surveillance : Civil society was hoping that the statement would make mass surveillance illegal. After all, global violation of the right to privacy by the US was the raison d'être of the conference.

Instead, the statement legitimised “mass surveillance, interception and collection” as long as it was done in compliance with international human rights law. This was clearly the most disastrous outcome.

Access to knowledge: The conference was not supposed to expand intellectual property rights (IPR) or enforcement of these rights. After all, a multilateral forum, WIPO, was meant to address these concerns. But in the days before the conference the rights-holders lobby went into overdrive and civil society was caught unprepared.

The end result — “freedom of information and access to information” or right to information in India was qualified “with rights of authors and creators”. The right to information laws across the world, including in India, contains almost a dozen exemptions, including IPR. The only thing to be grateful for is that this limitation did not find its way into the language for freedom of expression.

Intermediary liability: The language that limits liability for intermediaries basically provides for a private censorship regime without judicial oversight, and without explicit language protecting the rights to freedom of expression and privacy. Even though the private sector chants Hillary Clinton's Internet freedom mantra — they only care for their own bottomlines.

Net neutrality: Even though there was little global consensus, some optimistic sections of civil society were hoping that domestic best practice on network neutrality in Brazil’s Internet Bill of Right — also known as Marco Civil, that was signed into law during the inaugural ceremony of NetMundial — would make it to the statement. Unfortunately, this did not happen.

For almost a decade since the debate between the multi-stakeholder and multilateral model started, the multi-stakeholder model had produced absolutely nothing outside ICANN (Internet Corporation for Assigned Names and Numbers, a non-profit body), its technical fraternity and the standard-setting bodies.

The multi-stakeholder model is governance with the participation (and consent — depending on who you ask) of those stakeholders who are governed. In contrast, in the multilateral system, participation is limited to nation-states.

Civil society divisions

The inability of multi-stakeholderism to deliver also resulted in the fragmentation of global civil society regulars at Internet Governance Forums.

But in the run-up to NetMundial more divisions began to appear. If we ignore nuances — we could divide them into three groups. One, the ‘outsiders’ who are best exemplified by Jérémie Zimmermann of the La Quadrature du Net. Jérémie ran an online campaign, organised a protest during the conference and did everything he could to prevent NetMundial from being sanctified by civil society consensus.

Two, the ‘process geeks’ — for these individuals and organisations process was more important than principles. Most of them were as deeply invested in the multi-stakeholder model as ICANN and the US government and some who have been riding the ICANN gravy train for years.

Even worse, some were suspected of being astroturfers bootstrapped by the private sector and the technical community. None of them were willing to rock the boat. For the ‘process geeks’, seeing politicians and bureaucrats queue up like civil society to speak at the mike was the crowning achievement.

Three, the ‘principles geeks’ perhaps best exemplified by the Just Net Coalition who privileged principles over process. Divisions were also beginning to sharpen within the private sector. For example, Neville Roy Singham, CEO of Thoughtworks, agreed more with civil society than he did with other members of the private sector in his interventions.

In short, the ‘outsiders’ couldn't care less about the outcome and will do everything to discredit it, the ‘process geeks’ stood in ovation when the outcome document was read at the closing plenary and the ‘principles geeks’ returned devastated.

For the multi-stakeholder model to survive it must advance democratic values, not undermine them.

This will only happen if there is greater transparency and accountability. Individuals, organisations and consortia that participate in Internet governance processes need to disclose lists of donors including those that sponsor travel to these meetings.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-business-line-may-10-2014-sunil-abraham-net-freedom-campaign-loses-its-way

A trust deficit between advertisers and publishers is leading to fake news

sunil — 2018-10-02T06:44:55Z

Transparency regulations is need of the hour. And urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required.

The article was published in Hindustan Times on September 24, 2018.

Traditionally, we have depended on the private censorship that intermediaries conduct on their platforms. They enforce, with some degree of success, their own community guidelines and terms of services (TOS). Traditionally, these guidelines and TOS have been drafted keeping in mind US laws since historically most intermediaries, including non-profits like Wikimedia Foundation were founded in the US.

Across the world, this private censorship regime was accepted by governments when they enacted intermediary liability laws (in India we have Section 79A of the IT Act). These laws gave intermediaries immunity from liability emerging from third party content about which they have no “actual knowledge” unless they were informed using takedown notices. Intermediaries set up offices in countries like India, complied with some lawful interception requests, and also conducted geo-blocking to comply with local speech regulation.

For years, the Indian government has been frustrated since policy reforms that it has pursued with the US have yielded little fruit. American policy makers keep citing shortcomings in the Indian justice systems to avoid expediting the MLAT (Mutual Legal Assistance Treaties) process and the signing of an executive agreement under the US Clout Act. This agreement would compel intermediaries to comply with lawful interception and data requests from Indian law enforcement agencies no matter where the data was located.

The data localisation requirement in the draft national data protection law is a result of that frustration. As with the US, a quickly enacted data localisation policy is absolutely non-negotiable when it comes to Indian military, intelligence, law enforcement and e-governance data. For India, it also makes sense in the cases of health and financial data with exceptions under certain circumstances. However, it does not make sense for social media platforms since they, by definition, host international networks of people. Recently an inter ministerial committee recommended that “criminal proceedings against Indian heads of social media giants” also be considered. However, raiding Google’s local servers when a lawful interception request is turned down or arresting Facebook executives will result in retaliatory trade actions from the US.

While the consequences of online recruitment, disinformation in elections and fake news to undermine public order are indeed serious, are there alternatives to such extreme measures for Indian policy makers? Updating intermediary liability law is one place to begin. These social media companies increasingly exercise editorial control, albeit indirectly, via algorithms to claim that they have no “actual knowledge”.

But they are no longer mere conduits or dumb pipes as they are now publishers who collect payments to promote content. Germany passed a law called NetzDG in 2017 which requires expedited compliance with government takedown orders. Unfortunately, this law does not have sufficient safeguards to prevent overzealous private censorship. India should not repeat this mistake, especially given what the Supreme Court said in the Shreya Singhal judgment.

Transparency regulations are imperative. And they are needed urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required. Anyone should be able to see all public content that has been shared with more than a certain percentage of the population over a historical timeline for any geographic area. This will prevent algorithmic filter bubbles and echo chambers, and also help public and civil society monitor unconstitutional and hate speech that violates terms of service of these platforms. So far the intermediaries have benefitted from surveillance — watching from above. It is time to subject them to sousveillance — watched by the citizens from below.

Data portability mandates and interoperability mandates will allow competition to enter these monopoly markets. Artificial intelligence regulations for algorithms that significantly impact the global networked public sphere could require – one, a right to an explanation and two, a right to influence automated decision making that influences the consumers experience on the platform.

The real solution lies elsewhere. Google and Facebook are primarily advertising networks. They have successfully managed to destroy the business model for real news and replace it with a business model for fake news by taking away most of the advertising revenues from traditional and new news media companies. They were able to do this because there was a trust deficit between advertisers and publishers. Perhaps this trust deficit could be solved by a commons-based solutions based on free software, open standards and collective action by all Indian new media companies.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-sunil-abraham-september-24-2018-a-trust-deficit-between-advertisers-and-publishers-is-leading-to-fake-news

Registering for Aadhaar in 2019

sunil — 2019-01-03T14:59:04Z

It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

The article was published in Business Standard on January 2, 2019.

Last November, a global committee of lawmakers from nine countries the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose” referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.

Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.

The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is a no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.

Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.

The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineers Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, a software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.

Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019

India’s dreams of web censorship

sunil — 2012-03-26T06:59:36Z

If you are offended by this post, please contact Kapil Sibal, India’s telecoms and IT minister, and he will make sure it is promptly taken down.

Actually, if Sibal has his way and you are offended by this post, the armies of people to be employed by internet companies operating in India to monitor their sites for potentially offensive material – whether it originates in India or abroad – will ensure that it is removed before it can even be published. And good luck to all of them with that.

That, anyway, was the gist of Sibal’s combative press conference in the courtyard of his Delhi home on Tuesday, the day after the New York Times reported he had met executives from Google, Facebook, Yahoo and Microsoft to discuss the preemptive removal of “offensive material”.

The press conference was prompted by uproar that swept Twitter on Monday night – one of the sites, incidentally, that Sibal would like to monitor – and was carried live on all major news channels.

Social networking sites have gained a lot of traction in India and are much used by politicians, celebrities and the burgeoning, young middle class.

"I believe that no reasonable person aware of the sensibilities of large sections of communities in this country and aware of community standards as they are applicable in India would wish to see this content in the public domain," Sibal said, referring to "offensive material" he had shown some reporters prior to the conference. He added that the government did not believe in censorship.

According to the NYT, Sibal showed a group of IT execs a Facebook page that criticized Sonia Gandhi, president of the Congress Party, calling it "unacceptable".

"We will remove any content that violates our terms, which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service," Facebook said in a statement.

Microsoft did not respond to requests for comment. Google said it would issue a statement later in the day.

Sibal first approached the companies on September 5, giving them four weeks to present proposals for how they might comply with his request, he said. With no response by October 19, the ministry sent a reminder. On November 29, Sibal again met with the IT execs. They responded on Monday, saying they could not comply.

An Indian employee of one of foreign tech company, when asked about Sibal’s demand that each outfit set up dedicated teams to monitor content in real time, let out an extended, almost hysterical laugh, before regaining composure and asking: "Do you know how many users we have?"

Indeed, even in a country with low internet penetration like India – 100m people regularly use the internet, less than 10 per cent of India’s 1.2bn population – the task of monitoring real-time content generated on millions of sites opens up legal wormholes and is technically impossible, Sunil Abraham, executive director of the Bangalore-based Centre for Internet & Society, told beyondbrics.

"Technically what he’s asking for is an impossibility: it’s not possible in the age of web 2.0 to manually curate or censor social media content," he said. “This is obvious to all of us. Isn’t it strange that the minister of IT, who seems to understand a lot of complex issues, is actually in favour of something like this?"

Abraham warned that the focus on blasphemous and vaguely defined "offensive" speech was dangerous, noting that the Hindu profession of belief in multiple gods is blasphemous to Muslims, Christians and Jews.

But Sibal was defiant.

Asked what would be deemed "offensive", he said: “We will define it, don’t worry, certainly, we will evolve guidelines…to ensure that such blasphemous content” is not publicly available in India.

Asked whether his idea was technically feasible, he responded: "It is a feasible proposition, and we will inform you how as and when, we will inform you as and when."

When it was pointed out that the internet was a global phenomenon and that content originating outside of India might be hard to control, Sibal said: "We will certainly ask [companies] to give us information even on content posted outside of India – we will ask them for information, we will evolve guidelines and mechanisms to deal with the issue."

So, again, if you are offended by this post, feel free to drop him a line. And good luck.

The original blog post was published by the Financial Time's beyondbrics on December 6, 2011. Sunil Abraham was quoted in this blog post. Read it here

For more details visit https://cis-india.org/web-censorship