Centre for Internet and Society

The Online Video Environment in India: A Survey Report

pranesh — 2010-12-21T07:27:34Z

Report on online for the Open Video Alliance, Centre for Internet and Society, and iCommons by Siddharth Chadha, Ben Moskowitz and Pranesh Prakash.

For more details visit https://cis-india.org/a2k/publications/online-video-environment-india

IPR Chapter of India-EU FTA (July 2010)

pranesh — 2011-01-12T08:17:38Z

IPR Chapter of India-EU FTA (July 2010)

For more details visit https://cis-india.org/a2k/publications/india-eu-fta-ipr-july-2010

Proposed Copyright Amendments from 2006

pranesh — 2010-01-09T15:06:53Z

The version of the proposed Copyright Act amendments that was released for public comments in 2006. Archived here, since it has since been removed from the Indian Copyright Office's website.

For more details visit https://cis-india.org/a2k/publications/copyright-amendments-2006

Route to Tagore Hall, CCMG, JMI.

pranesh — 2008-10-13T12:18:45Z

A map detailing the location of CCMG and Tagore House, Jamia Millia Islamia.

For more details visit https://cis-india.org/openness/publications/content-access/map.jpg

Prabir Purkayastha

pranesh — 2008-10-07T11:55:30Z

Prabir speaking at the event.

For more details visit https://cis-india.org/openness/publications/software-patents/NMoSP%20005.jpg

Prashant Iyengar

pranesh — 2008-10-07T12:22:01Z

Prashant addressing the gathering.

For more details visit https://cis-india.org/openness/publications/software-patents/PrashantIyengar.jpg

Three reasons why 66A verdict is momentous

pranesh — 2015-03-29T16:22:51Z

Earlier this week, the fundamental right to freedom of expression posted a momentous victory. The nation's top court struck down the much-reviled Section 66A of the IT Act — which criminalized communications that are "grossly offensive", cause "annoyance", etc — as "unconstitutionally vague", "arbitrarily, excessively, and disproportionately" encumbering freedom of speech, and likely to have a "chilling effect" on legitimate speech.

The article was published in the Times of India on March 29, 2015.

It also struck down Sec 118(d) of the Kerala Police Act on similar grounds. This is a landmark judgment, as it's possibly the first time since 1973's Bennett Coleman case that statutory law was struck down by the Supreme Court for violating our right to free expression.

The SC also significantly 'read down' the draconian 'Intermediary Guidelines Rules' which specify when intermediaries — website hosts and search engines — may be held liable for what is said online by their users. The SC held that intermediaries should not be forced to decide whether the online speech of their users is lawful or not. While the judgment leaves unresolved many questions — phrases like "grossly offensive", which the SC ruled were vague in 66A, occur in the Rules as well — the court's insistence on requiring either a court or a government order to be able to compel an intermediary to remove speech reduces the 'invisible censorship' that results from privatized speech regulation.

The SC upheld the constitutional validity of Sec 69A and the Website Blocking Rules, noting they had several safeguards: providing a hearing to the website owner, providing written reasons for the blocking, etc. However, these safeguards are not practised by courts. Na Vijayashankar, a legal academic in Bengaluru, found a blogpost of his — ironically, on the topic of website blocking — had been blocked by a Delhi court without even informing him. He only got to find out when I published the government response to my RTI on blocked websites. Last December, Github, Vimeo and some other websites were blocked without being given a chance to contest it. As long as lower courts don't follow "principles of natural justice" and due process, we'll continue to see such absurd website blocking, especially in cases of copyright complaints, without any way of opposing or correcting them.

There are three main outcomes of this judgment. First is the legal victory: SC's analysis while striking down 66A is a masterclass of legal clarity and a significant contribution to free speech jurisprudence. This benefits not only future cases in India, but all jurisdictions whose laws are similar to ours, such as Bangladesh, Malaysia and the UK.

Second is the moral victory for free speech. Sec 66A was not merely a badly written law, it became a totem of governmental excess and hubris. Even when political parties realized they had passed 66A without a debate, they did not apologize to the public and revise it; instead, they defended it. Only a few MPs, such as P Rajeev and Baijayant Panda, challenged it. Even the NDA, which condemned the law in the UPA era, supported it in court. By striking down this totem, the SC has restored the primacy of the Constitution. For instance, while this ruling doesn't directly affect the censor board's arbitrary rules, it does morally undermine them.

Third, this verdict shows that given proper judicial reading, the Indian constitutional system of allowing for a specific list of purposes for which reasonable restrictions are permissible, might in fact be as good or even better in some cases, than the American First Amendment. The US law baldly states that Congress shall make no law abridging freedom of speech or of the press. However, the US Supreme Court has never held the opinion that freedom of speech is absolute. The limits of Congress's powers are entirely judicially constructed, and till the 1930s, the US court never struck down a law for violating freedom of speech, and has upheld laws banning obscenity, public indecency, offensive speech in public, etc. However, in India, the Constitution itself places hard limits on Parliament's powers, and also, since the first amendment to our Constitution, allows the judiciary to determine if the restrictions placed by Parliament are "reasonable". In the judgment Justice Nariman quotes Mark Antony from Julius Caesar. He could also have quoted Cassius: "The fault, dear Brutus, is not in our stars, but in ourselves." Judges like Justice Nariman show the constitutional limits to free speech can be read both narrowly and judiciously: we can no longer complain about the Constitution as the primary reason we have so many restrictions on freedom of expression.

For more details visit https://cis-india.org/internet-governance/blog/times-of-india-march-29-2015-pranesh-prakash-three-reasons-why-66a-is-momentous

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Feedback to Draft Copyright Rules, 2012

pranesh — 2012-10-04T04:53:47Z

The Centre for Internet & Society submitted its written comments on the Draft Copyright Rules, 2012 to Mr. G.R. Raghavender, Registrar of Copyrights & Director (BP&CR), Ministry of Human Resource Development.

G.R. Raghavender
Registrar of Copyrights & Director (BP&CR)
Copyright Office
Department of Higher Education
Ministry of Human Resource Development
4th floor, Jeevan Deep Building,
Parliament Street
New Delhi — 110001

Dear Sir,

This submission contains comments from the Centre for Internet and Society on the Draft Copyright Rules, 2012. I apologize for the slight delay in submitting these.

Yours sincerely,
Pranesh Prakash
Policy Director
Centre for Internet and Society

Relinquishment of Copyright

Analysis

The law in India allows anonymously and pseudonymously created works to be copyrighted as well, as is clear from section 23 of the Copyright Act. However, rule 8 as it currently is does not allow such authors to relinquish copyright. Relinquishment of copyright is a very different kind of act from registration of copyright, and hence it is not necessary to seek the same categories of information from both. Certain categories of information sought during registration of copyright ("class of work", "language of the work", "nationality of author") are required not because they help identify a work, but because they help in indexing the work ("class of work", "language of work") or in ensuring that the work is copyrightable in India ("nationality of author"). Such considerations do not matter when it comes to relinquishment of copyright, i.e., when a work is allowed to pass into the public domain. Further, technological progress has made it difficult to determine the answer to a question like "country of first publication", "nationality of the publisher", etc. If a work has been uploaded by an author on to his blog, is the publisher the author or the person hosting the blog? If an Indian author residing in India first publishes a work on the server located in Argentina, is the country of first publication India or Argentina? The answer to these questions does not make a difference to the issue of relinquishment of copyright. The only information that is required for relinquishment of rights is a) what work is being put in the public domain, b) by whom, c) from when.

Furthermore, the current requirements of rule 8 cannot easily be satisfied by using most of the popular means of relinquishing copyright (such as the CC0 — Creative Commons Zero — licence).

Recommendations

Rule 8 be modified to read: A public notice issued by an author relinquishing his or her rights as per subsection (1) of section 21 of the Copyright Act, shall include the following details: (a) Title of the work (b) Full name, or pseudonym, in case the work has not been created anonymously (c) Date of issuance of the notice (d) If copyright in the work is registered under section 45, the registration number.

Rule 9 be modified to read: Any one of the following shall constitute public notice of relinquishment of copyright: i. Mentioning of the notice on the work, or cover of the work, or in the metadata of the work if the work is electronic; or ii. Publication in a newspaper; or iii. Publication by the author on a publicly-accessible website

Rule 10 be modified to add the following sentence: The author shall forward a copy of the public notice to the Registrar of Copyright if copyright in the work has been registered under section 45 and on receiving such notice, the Registrar of Copyright shall post the same on the website of the Copyright Office.

Statutory Licence for Cover Versions

Analysis

Rule 34(2) is redundant and does not contain any detail not already present in the existing proviso to section 31C(1) of the Copyright Act. Additionally, Rule 35 also does not contain any detail not already present in the existing parent provision, section 31C of the Copyright Act.

Recommendations

Rules 34(2) and 35 be deleted.
Rule 37 should be modified to add a sub-rule requiring maintenance of records online.

Indexes

Analysis

In rule 71(3), it requires that the indexes be maintained in the form of cards. These are presumably physical cards. It is unclear why the rule should not require the maintenance of these indexes online to facilitate search by the public. Further entries 13 and 14 of Schedule II are from a time when the transaction costs incurred by the Registrar of Copyright for providing extracts from an Index were non-negligible, and hence it would have been necessary to charge a person for such services. With the capabilities of electronic systems, such retrievals are almost costless, and can be done without the intervention of the Registrar of Copyright. Hence entries 13 and 14 should not be made applicable to online retrievals. If copyright societies can be required to provide information free of costs on their websites (as per rule 65), the Registrar of Copyright should be required to do so too.

Recommendation

Modify sub-rule (3) of rule 71 to read: "Every Index shall be available online as a downloadable database, with an online search facility."

Modify the second sentence in rule 72 to read: "The online search or inspection of the Register of Copyrights and Indexes can be utilised free of cost."

Storage of Transient or Incidental Copies of a Work

Analysis

It is not clear enough from the language of rule 74 that it applies only to s.52(1)(c) and not to s.52(1)(b). Since only s.52(1)(c) has a complaints mechanism, this should be made clear.

Importantly, to protect the interest of the public, the intermediaries should be asked to give public notice regarding the alleged infringing copy to ensure that the take-down mechanism is not abused, and secondly to ensure that the public can independently verify that intermediaries are following the requirement in rule 74(4) of restoring storage of the work if no court order is forthcoming within 21 days.

Lastly, there is no clear precedent in India to treat a uniform resource identifier (URI) as 'place' for purposes of section 51(a)(ii) of the Copyright Act, 1957. Therefore it is necessary to further clarify the meaning of the term 'place' as used in current Rule 74(2)(d). This would be best served by using the correct technological term ("URI") instead of the word "place".

Recommendation

Modify sub-rule (1) of rule 74 to: "Any owner of copyright may give a written complaint as per clause (c) of subsection (1) of section 52 of the Copyright Act to a person who has facilitated..."

Add sub-rule (6) to rule 74: "The person responsible for storage shall put up a public notice thereby notifying all persons requesting access to the alleged infringing copy by stating reasons for restraining such access whether during the period of 21 days from the complaint from the copyright owner, or pursuant to an order from a competent court."

Modify rule 74(2) to read: "Details of the specific uniform resource identifier (URI) where transient or incidental storage of the work may be taking place."

Making or Adapting the Work by Organizations Working for the Benefit of Persons with Disabilities

Analysis

Rule 75 requires organizations making use of the exception granted under s.52(1)(zb) to maintain records. This could not have been the intention of the legislature in passing s.52(1)(zb), since that provision does not require any maintenance of records. Indeed, none of the exceptions ennume-rated in s.52(1) require the maintenance of records. This is in contrast with s.31B, which is also applicable to organizations working for the benefit of persons with disabilities, but only those that are doing so as a for-profit venture. Rule 29(6) already requires the Registrar of Copyright to notify the grant of a licence under s.31B in the Official Gazette. That provision may be modified to add that the Registrar of Copyright maintains these records in a centralized database that can be queried online.

Recommendations

Delete rule 75, and modify rule 29(6) to include a centralized database.

Technological Protection Measures

Analysis

Most experts seem to hold that s.65A of the Indian Copyright Act does not affect circumvention tools, as it only deals with the act of unauthorized circumvention and not with the tools, in sharp contrast with s.1201(a)(2) of the Digital Millennium Copyright Act in the US, which criminalises the "manufacture, import, offer to the public, provision, or otherwise trafficking in any [circumvention] technology, product, service, device, component, or part thereof". The Indian law has conciously chosen not to emulate the DMCA in this respect, as the WIPO Copyright Treaty does not require it.

The broad understanding of "facilitation" contained the Copyright Rules unfortunately seem to undermine this clear distinction. If facilitation is understood to include offer to the public, provision, or distribution, as seems to be the case in Rule 79(3) and 79(4), then law becomes unworkable with each and every website that allows for the downloading of any software that can be used to play DVDs, etc., must specifically keep a register of downloaders from India. This is unnecessary, and goes beyond the intent of s.65A, which is to cover those who actively facilitate circumvention and not those who make available the tools to circumvent. This distinction should not be blurred.

Recommendation

Delete sub-rules (3) and (4) of rule 79.

For more details visit https://cis-india.org/a2k/feedback-to-draft-copyright-rules-2012

Submission by Indian Civil Society Organisations on Proposals for the Future ITRs and Related Processes

pranesh — 2012-12-07T08:00:19Z

The Centre for Internet & Society was one of the signatories of this submission which was sent in November 2012, in response to the International Telecommunication Union's call for public comments in relation to the revision of International Telecommunication Regulations that are to take place at the ITU's World Conference on International Telecommunications in Dubai from December 3 to 14, 2012.

We, the undersigned civil society organisations from India, respectfully acknowledge the important role that the ITU has played in the spread of telecommunications around the world. However, we are concerned about the lack of transparency and openness of the processes related to the WCIT: the WCIT/ITU excludes civil society, academia and other stakeholders from participation in and access to most dialogues and documents. The documents that are publicly available show that some of the proposals might deal with Internet governance. According to established principles as laid down in the Tunis Agenda - which process the ITU helped to lead - Internet governance processes are required to be multistakeholder in nature. The WCIT and ITU processes require urgent improvement with regard to openness, inclusiveness and transparency. While we appreciate the current opportunity to share our comments, we would like to encourage the ITU and its Member States to adopt a genuine multistakeholder approach at the earliest.

As mentioned, we do welcome the current opportunity to share our thoughts. Though this list is not exhaustive, some of our major concerns are as follows:

We believe that, given the historical development of present methods of internet regulation, aspects of Internet governance that have been and are presently addressed by bodies other than ITU should not be brought under the mandate of the ITU through the ITRs.

We therefore strongly recommend that the ITRs continue to be restricted to aspects of the physical layer that have traditionally been the areas of its focus. The ITRs scope should not be expanded to other layers, nor to content - any measure that impinges on these layers should be kept out of ITRs and taken up at other appropriate (multi-stakeholder) fora. In addition, it is crucial that “ICTs” and the term “processing” be excluded from the definition of telecommunication as this clearly opens up the possibility for Member States to regulate/attempt to regulate the “content/“application” layer on the internet at the ITU.

We also recommend that provisions regarding international naming, numbering, addressing and identification resources will be restricted to telephony, as should provisions regarding transit rate, originating identification and end-to-end QoS. Provisions regarding the routing of Internet traffic should not find a place in the ITRs at all.

We recognise that concerns regarding cyber security, spam, fraud, etc. are real and that some of these concerns require to be addressed at the global level. However, as these are being discussed in many other fora, we believe that the ITRs are not the best place to address these. Their inclusion here could inhibit the further evolution and expansion of the Internet. We also believe that any fora discussing cyber security should be multistakeholder, open and transparent.

We note that the proposal ARB/7/24 defines an “operating agency” as “any individual, company, corporation or governmental agency which operates a telecommunication installation intended for an international telecommunication service or capable of causing harmful interference with such a service” and believe that this definition is too broad in scope and ambit. Inclusion of such a term would broaden the mandate of the ITU to regulate numerous actors in the Internet sphere who do not fall under the infrastructure layer of the Internet. The term “operating agency” should be defined in a narrower or more restrictive manner and, irrespective of its exact definition, only be used in exceptional cases. Normally, the obligations of member states should be with respect to “recognised operating agencies” and not omnibus all “operating agencies”.

Signed:

Centre for Internet and Society
Delhi Science Forum
Free Software Movement India
Internet Democracy Project
Knowledge Commons (India)

For more details visit https://cis-india.org/internet-governance/blog/submission-on-proposals-for-future-itrs-and-related-processes

Statement of Civil Society Members and Groups Participating in the "Best Bits" pre-IGF meeting at Baku in 2012

pranesh — 2012-12-07T08:06:25Z

The Centre for Internet & Society was one of the signatories for this submission made to the ITU on November 16, 2012.

Read the statement of civil society members and groups participating in the “Best Bits” pre-IGF meeting at Baku in 2012

We thank the Secretariat of the ITU for making the opportunity to submit our views.

Nevertheless, the process of the revision of the International Telecommunication Regulations (ITRs) has not been sufficiently inclusive and transparent, despite some recent efforts to facilitate public participation. Fundamental to the framing of public policy must be the pursuit of the public interest and fundamental human rights, and we urge Member States to uphold and protect these values.

We as civil society organizations wish to engage with the World Conference on International Telecommunication (WCIT) process in this spirit. Member States, in most cases, have not held open, broad-based, public consultations in the lead up to the WCIT, nor have they indicated such a process for the WCIT itself.

In order to address this deficiency, and at a minimum, we would urge:

All Member States and regional groups to make their proposals available to the public in sufficient time to allow for meaningfulpublic participation;
All delegates to support proposals to open sessions of the WCIT meeting to the public;
The ITU Secretariat to increase transparency of the WCIT including live webcast with the video, audio, and text transcripts, as far as possible, to enable participation by all, including persons with disabilities;
The ITU Secretariat, Member States, and regional groups to make as much documentation publicly available as possible on the ITU's website, so that civil society can provide substantive input on proposals as they are made available;
Member States to encourage and facilitate civil society participation in their national delegations;
The ITU to create spaces during the WCIT for civil society to express their views, as was done during the WSIS process.

Given the uncertainty about the nature of final proposals that will be presented, we urge delegates that the following criteria be applied to any proposed revisions of the ITRs.

That any proposed revisions are confined to the traditional scope of the ITRs, where international regulation is required around technical issues is limited to telecommunications networks and interoperability standards.
There should be no revisions to the ITRs that involve regulation of the Internet Protocol and the layers above.
There should be no revisions that could have a negative impact on affordable access to the Internet or the public's rights to privacy and freedom of expression.

More generally we call upon the ITU to promote principles of net neutrality, open standards, affordable access and universal service, and effective competition.

Signatories:

Access (Global)
Association for Progressive Communications (Global)
Bangladesh NGOs Network for Radio and Communication (Bangladesh)
Bytes for All (Pakistan)
Center for Democracy and Technology (United States of America)
Centre for Community Informatics Research (Canada)
Centre for Internet and Society (India)
Collaboration on International ICT Policy for East and Southern Africa (Eastern and Southern Africa)
Consumer Council of Fiji (Fiji)
Consumers International (Global)
Dynamic Coalition on Internet Rights and Principles (IRP) (Global)
Electronic Frontier Finland (Finland)
Imagining the Internet Center (United States of America)
Instituto Nupef (Brazil)
Internet Democracy Project (India)
Internet Research Project (Pakistan)
Global Partners and Associates (United Kingdom)
GobernanzadeInternet.co (Colombia)
ICT Watch Indonesia (Indonesia)
Instituto Brasileiro de Defesa do Consumidor / Brazilian Institute for
Consumer Defense (Brazil)
InternetNZ (New Zealand)
IT for Change (India)
Media Education Center (Armenia)
ONG Derechos Digitales (Chile)
OpenMedia (Canada)
Public Knowledge (United States of America)
Thai Netizen Network (Thailand)
Ginger Paque (Venezuala)
Nnenna Nwakanma (Côte d'Ivoire)
Sonigitu Ekpe (Nigeria)
Wolfgang Kleinwächter (Denmark)

For more details visit https://cis-india.org/internet-governance/blog/statement-of-civil-society-members-and-groups-at-best-bits-pre-igf-meeting

Submission on India's Draft Comments on Proposed Changes to the ITU's ITRs

pranesh — 2012-12-07T04:15:56Z

Given below are the responses from the representatives of civil society in India (The Society for Knowledge Commons, Centre for Internet & Society, The Delhi Science Forum, Free Software Movement of India, Internet Democracy Project and Media for Change) to the Government of India's proposals for the upcoming WCIT meeting, in December 2012, in Dubai.

Our detailed comments on India's draft proposals can be found here. Also read the final version of Indian Government's submission to ITU on November 3, 2012.

Background

We believe that, aspects of Internet governance that have been and are presently addressed by bodies other than ITU should not be brought under the mandate of the ITU through the ITRs.

Some of the proposed changes to the ITR's could have a significant negative impact on the openness of the Internet.

In addition, the processes related to the WCIT lack openness and transparency: the WCIT / ITU excludes civil society, academia and other stakeholders from participation in and access to most dialogues and documents, contrary to established principles of Internet governance as laid down in the Tunis Agenda and as supported by the Indian government at several national and international fora. The WCIT process needs to be improved both at the domestic and global level. We urge the Indian government to support a more open process in the future, with respect to deliberations that will have a significant impact on the people.

We recognise that concerns regarding cyber-security, spam, fraud, etc. are real and that some of these concerns require to be addressed at the global level. However, we believe that as a number of parallel processes are working on these specific issues, these need not be brought under the ITRs.

We therefore strongly recommend that the ITRs continue to be restricted to the infrastructure layer that has traditionally been the area of its focus and not the content or the application layer of the Internet. Any measure that impinges on these layers should be kept out of ITRs and taken up at other appropriate (multi-stakeholder) fora.

We note that the proposal ARB/7/24 defines an "operating agency" as "any individual, company, corporation or governmental agency which operates a telecommunication installation intended for an international telecommunication service or capable of causing harmful interference with such a service" and believe that this definition is too broad in scope and ambit. Inclusion of such a term would broaden the mandate of the ITU to regulate numerous actors in the Internet sphere who do not fall under the infrastructure layer of the Internet. We call on the Indian government to ensure that the term "operating agency" is defined in a narrower or more restrictive manner and only used in exceptional cases. Normally, the obligations of member states should be with respect to "recognised operating agencies" and not omnibus all "operating agencies".

Follow-up

We would like to note that we have never officially received this document directly from the Indian government. In view of the support the Indian government continually espouses for multi-stakeholder Internet governance, this is a matter of deep regret.

We are aware that the official closing date for proposals is early November. However, we also know that several governments intend to submit proposals right upto the beginning of the WCIT meeting. In addition, several governments have included civil society representatives on their official delegation.

We therefore call upon the Department of Telecommunications to organise an open consultation with civil society representatives, to discuss both India's proposals and the comments of various civil society representatives on them, in greater depth, as part of DoT’s preparation for the WCIT meeting and in line with India's espoused commitment to multi-stakeholderism. We look forward to discussing our inputs with the Government to make the decision making process on governance more participatory and inclusive.

For more details visit https://cis-india.org/internet-governance/blog/submission-on-indias-draft-comments-on-proposed-changes-to-itus-itrs

Will The International Telecommunication Regulations (ITRs) Impact Internet Governance? A Multistakeholder Perspective

pranesh — 2012-12-10T04:40:11Z

Pranesh Prakash made a presentation at the India Internet Governance Conference (IIGC) held at the FICCI, Federation House, Tansen Marg, New Delhi on October 4 and 5, 2012. The event was organised by the Ministry of Communications & Information Technology, FICCI and Internet Society. CIS was one of the supporting organisations.

Principles

I'll outline some broad principles that should be kept in mind while deciding on proposals for the International Telecommunications Regulations (ITR).

Any proposal should be considered for the ITR if an only if it satisfies all the below criteria:

Only if international regulation is needed

If only national regulation is sufficient, then ITR is not the right place for it.
International roaming price transparency, for instance, is an issue where international cooperation is required.

Only if it is a technical issue limited to telecommunications networks and interoperability

On the issues of 'security', if it is strictly about network security, then it is fine.

ITU already does some standard setting work around this.

If it about security of root server operations, or DNS, etc., that's not around telecommunications, despite being a technical issue.
If it is about criminal activities on telecommunications networks, that is not a technical issue.

Only if it is something that can be decided at the level of states.

Multistakeholder issues should not end up at the ITU, since the ITU is not a multistakeholder body.
This principle has been accepted by the ITU itself in the Geneva Declaration as well as the Tunis Agenda.

Only if it proposes to address a proven harm

The ETNO proposal, for instance, does not make it very clear why they think current interconnection system is a problem.

Though the ETNO proposal says that it is required to enable "fair compensation", "sustainable development of telecom", it does so without showing why the current payment mechanisms are unsustainable, or how telecom industry has changed lately, or even how moving from voice to data (even for voice) is going to affect "sustainable development of telecom".
Geoff Huston provides the wonderful example of how ten years ago, content providers were asking for fair compensation from telecom providers ("content is being provided free, while ISPs charge customers; ISPs are worthless without content, hence ISPs need to share revenue with content providers"). Now the opposite argument is being made by telecom operators.

Airtel in India has publicly asked Google and Facebook for revenue sharing.

Rohan Samarajiva of LIRNEasia

He believes ETNO proposal is bad for developing countries.

Adverse unintended effect of ETNO proposal ("sending-party network pays") is that less traffic will be directed towards poorer regions without the ability (whether through ad sales, or otherwise) to justify that expenditure by the sender.

ISOC paper is one of the most in-depth analysis so far.

They strongly believe it is going to be bad for Internet

Truth is that there has been no clear economic study so far of the potential impact. Hence counting benefits without proper analysis is risky.

Only if there's no better place than ITU

If another existing organization like ICANN or IETF can look at it, then ITU should not take over.

If all the above principles are satisfied, then the question becomes:

Does the proposal further substantive principles, such as:
Development
Competition and prevention of monopolies
Etc.

If the proposal does advance such substantive principles, then we should ask what kind of regulation is needed: Whether mandatory or not whether it is the minimal amount required to achieve the policy objectives.

Conclusion

Indian government's positions on the specific proposals to the ITR haven't yet been made public.

But the India government has taken a public position on the larger issue before: the IBSA statement on Enhanced Cooperation from December 2010. the IBSA reaffirms its commitment to the stability and security of the Internet as a global facility based on the full participation of all stakeholders, from both developed and developing countries, within their respective roles and responsibilities in line with paragraph 35 of the Tunis Agenda.

"The management of the Internet encompasses both technical and public policy issues and should involve all stakeholders and relevant intergovernmental and international organizations."

Demonization of the ITU is not good, though some in civil society have engaged in it, and is not the issue here. * After all, ITU was a core part of the WSIS process that led to the multistakeholder system. * ITU does have its own role to play in Internet governance.

Importantly, transparency and public participation is required. * We have signed an international civil society letter asking ITU to be more transparent. This has had a little impact; more documents are now out in the public. And there's now WCITLeaks.org * The Indian government must hold inclusive meetings with all relevant experts and stakeholders, including civil society organizations and academics.

For more details visit https://cis-india.org/internet-governance/blog/will-the-international-telecommunication-regulations-itrs-impact-internet-governance-a-multistakeholder-perspective

Draft nonsense

pranesh — 2012-12-03T09:08:10Z

Seriously flawed and dodgily drafted provisions in the IT Act provide the state a stick to beat its citizens with.

Pranesh Prakash's op-ed was published in the Times of India on November 24, 2012.

Section 66A of the Information Technology Act once again finds itself in the middle of a brewing storm. It has been used in cases ranging from the Mamata Banerjee cartoon case, the Aseem Trivedi case, the Karti Chidambaram case, the Chinmayi case, to the current Bal Thackeray-Facebook comments case. In all except the Karti Chidambaram case (which is actually a case of defamation where 's. 66A' is inapplicable), it was used in conjunction with another penal provision, showing that existing laws are more than adequate for regulation of online speech. That everything from online threats wishing sexual assault (the Chinmayi case) to harmless cartoons are sought to be covered under this should give one cause for concern. Importantly, this provision is cognisable (though bailable), meaning an arrest warrant isn't required. This makes it a favourite for those wishing to harass others into not speaking.

Section 66A prohibits the sending "by means of a computer resource or a communication device" certain kinds of messages. These messages are divided into three sub-parts : (a) anything that is "grossly offensive or has menacing character";(b) information known to be false for the purposes of "causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will" and is sent persistently;or (c) "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages". This carries with it a punishment of up to three years in jail and a fine without an upper limit. As even non-lawyers can see, these are very broadly worded, with use of 'or' everywhere instead of 'and', and the punishment is excessive. The lawyers amongst the readers will note that while some of the words used are familiar from other laws (such as the Indian Penal Code), they are never used this loosely. And all should hopefully be able to conclude that large parts of section 66A are plainly unconstitutional.

If that is so obvious, how did we end up getting this law? We copied (and badly at that) from the UK. The sad part is that the modifications that were introduced while copying are the bits that cause the most trouble. The most noteworthy of these changes are the increase in term of punishment to 3 years (in the UK it's 6 months); the late introduction (on December 16, 2008 by A Raja) of sub-section (c), meant as an anti-spam provision, but covering everything in the world except spam;and the mangling up of sub-section (b) to become a witches brew of all the evil intentions in this world.

Further, we must recognise that our Constitution is much stronger when it comes to issues like free speech than the UK's unwritten constitution, and our high courts and Supreme Court have the power to strike down laws for being unconstitutional, unlike in the UK where Parliament reigns supreme. The most the courts can do there is accommodate the European Convention on Human Rights by 'reading down' laws rather than striking them down.

Lastly, even if we do decide to engage in policy-laundering, we need to do so intelligently. The way the government messed up section 66A should serve as a fine lesson on how not to do so. While one should fault the ministry of communications and IT for messing up the IT Act so badly, it is apparent that the law ministry deserves equal blame as well for being the sleeping partner in this deplorable joint venture. For instance, wrongfully accessing a computer to remove material which one believes can be used for defamation can be considered 'cyber-terrorism'. Where have all our fine legal drafters gone? In a meeting, former SEBI chairman M Damodaran noted how bad drafters make our policies seem far dumber than they are. We wouldn't be in this soup if we had good drafters who clearly understand the fundamental rights guaranteed by our constitution.

There are a great many things flawed in this unconstitutional provision, from the disproportionality of the punishment to the non-existence of the crime. The 2008 amendment to the IT Act was one of eight laws passed in 15 minutes without any debate in the 2008 winter session of Parliament. For far too long the Indian government has spoken about "multi-stakeholder" governance of the internet at international fora (meaning that civil society and industry must be seen as equal to governments when it comes to policymaking for the governance of the internet). It is about time we implemented multi-stakeholder internet governance domestically. The way to go forward in changing this would be to set up a multi-stakeholder body (including civil society and industry) which can remedy this and other ridiculously unconstitutional provisions of our IT Act.

For more details visit https://cis-india.org/internet-governance/blog/times-crest-pranesh-prakash-november-24-2012-draft-nonsense

Fixing India’s anarchic IT Act

pranesh — 2012-11-30T06:33:58Z

Section 66A of the Information Technology (IT) Act criminalizes “causing annoyance or inconvenience” online, among other things. A conviction for such an offence can attract a prison sentence of as many as three years.

Pranesh Prakash's article was published in LiveMint on November 28, 2012.

How could the ministry of communications and information technology draft such a loosely-worded provision that’s clearly unconstitutional? How could the ministry of law allow such shoddy drafting with such disproportionate penalties to pass through? Were any senior governmental legal officers—such as the attorney general—consulted? If so, what advice did they tender, and did they consider this restriction “reasonable”? These are some of the questions that arise, and they raise issues both of substance and of process.

When the intermediary guidelines rules were passed last year, the government did not hold consultations in anything but name. Industry and non-governmental organizations (NGOs) sent in submissions warning against the rules, as can be seen from the submissions we retrieved under the Right to Information Act and posted on our website. However, almost none of our concerns, including the legality of the rules, were paid heed to.

Earlier this year, parliamentarians employed a little-used power to challenge the law passed by the government, leading communications minister Kapil Sibal to state that he would call a meeting with “all stakeholders”, and will revise the rules based on inputs. A meeting was called in August, where only select industry bodies and members of Parliament were present, and from which a promise emerged of larger public consultations. That promise hasn’t been fulfilled.

Substantively, there is much that is rotten in the IT Act and the various rules passed under it, and a few illustrations—a longer analysis of which is available on the Centre for Internet and Society (CIS) website—should suffice to indicate the extent of the malaise.

Some of the secondary legislation (rules) cannot be passed under the section of the IT Act they claim as their authority. The intermediary guidelines violate all semblance of due process by not even requiring that a person whose content is removed is told about it and given a chance to defend herself. (Any content that is complained about under those rules is required to be removed within 36 hours, with no penalties for wilful abuse of the process. We even tested this by sending frivolous complaints, which resulted in removal.)

The definition of “cyber terrorism” in section 66F(1)(B) of the IT Act includes wrongfully accessing restricted information that one believes can be used for defamation, and this is punishable by imprisonment for life. Phone-tapping requires the existence of a “public emergency” or threat to “public safety”, but thanks to the IT Act, online surveillance doesn’t. The telecom licence prohibits “bulk encryption” over 40 bits without key escrow, but these are violated by all, including the Reserve Bank of India, which requires that 128-bit encryption be used by banks. These are but a few of the myriad examples of careless drafting present in the IT Act, which lead directly to wrongful impingement of our civil and political liberties. While we agree with the minister for communications, that the mere fact of a law being misused cannot be reason for throwing it out, we believe that many provisions of the IT Act are prone to misuse because they are badly drafted, not to mention the fact that some of them display constitutional infirmities. That should be the reason they are amended, not merely misuse.

What can be done? First, the IT Act and its rules need to be fixed. Either a court-appointed amicus curiae (who would be a respected senior lawyer) or a committee with adequate representation from senior lawyers, Internet policy organizations, government and industry must be constituted to review and suggest revisions to the IT Act. The IT Act (in section 88) has a provision for such a multi-stakeholder advisory committee, but it was filled with mainly government officials and became defunct soon after it was created, more than a decade ago. This ought to be reconstituted. Importantly, businesses cannot claim to represent ordinary users, since except when it comes to regulation of things such as e-commerce and copyright, industry has little to lose when its users’ rights to privacy and freedom of expression are curbed.

Second, there must be informal processes and platforms created for continual discussions and constructive dialogue among civil society, industry and government (states and central) about Internet regulation (even apart from the IT Act). The current antagonism does not benefit anyone, and in this regard it is very heartening to see Sibal pushing for greater openness and consultation with stakeholders. As he noted on the sidelines of the Internet Governance Forum in Baku, different stakeholders must work together to craft better policies and laws for everything from cyber security to accountability of international corporations to Indian laws. In his plenary note at the forum, he stated: “Issues of public policy related to the Internet have to be dealt with by adopting a multi-stakeholder, democratic and transparent approach” which is “collaborative, consultative, inclusive and consensual”. I could not have put it better myself. Now is the time to convert those most excellent intentions into action by engaging in an open reform of our laws.

Pranesh Prakash is policy director at the Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/blog/livemint-opinion-november-28-2012-pranesh-prakash-fixing-indias-anarchic-it-act