<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 91 to 105.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-standard-kanika-datta-august-1-2015-why-the-dna-bill-is-open-to-misuse-sunil-abraham"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/uploads/nishantshah1.gif"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/facebook-privacy-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/newspapers-should-empower-citizen-journalism"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/wiki-worth-different-turf"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/whistle-blowers-unite"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/sense-and-censorship"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/government-enter-homes"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/online-anonymity"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/big-brother-watching-you"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it">
    <title>The scariest bill in Parliament is getting no attention – here’s what you need to know about it</title>
    <link>https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it</link>
    <description>
        &lt;b&gt;A bill proposes creation of a national DNA data bank, without requisite safeguards for privacy, and opens the information to everything from civic disputes to compilation of statistics.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Nayantara Narayanan was &lt;a class="external-link" href="http://scroll.in/article/743049/the-scariest-bill-in-parliament-is-getting-no-attention-heres-what-you-need-to-know-about-it"&gt;published in Scroll.in&lt;/a&gt; on July 24, 2015.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;On Wednesday, the Narendra Modi government told the Supreme Court that  India's citizens have no fundamental right to privacy. Attorney General  Mukul Rohatgi &lt;a href="http://timesofindia.indiatimes.com/india/No-fundamental-right-to-privacy-to-citizens-Centre-tells-SC/articleshow/48171323.cms" target="_blank"&gt;referred&lt;/a&gt; to a 1950 court verdict which held that the right to privacy was not a  fundamental right while defending the constitutional validity of the  Aadhar scheme, a massive database of information of individual citizens  including biometrics and bank accounts. At the same time, the government  is planning another big database.&lt;br /&gt;&lt;br /&gt;In the ongoing stormy monsoon  session of Parliament, where the government and opposition have locked  horns over several proposed legislation, Human DNA Profiling Bill  2015 has been making little noise but can have widespread impact on  India’s criminal justice system and the privacy of citizens. The bill  aims to regulate the collection and use of genetic material from crime  scenes, and also proposes the creation of a national DNA databank that  might be used for non-forensic purposes.&lt;br /&gt;&lt;br /&gt;DNA is a mighty tool,  especially in criminal forensics, but access to a person’s genetic  information can be highly intrusive and dangerous. DNA contains  information about health and genetic relationships that can influence  employment, insurance. It can be tampered with and planted at crime  scenes.&lt;br /&gt;&lt;br /&gt;Law and poverty expert Usha Ramanathan and Centre for  Internet and Society executive director Sunil Abraham, who are members  of an expert committee on DNA profiling constituted by the government,  have written dissent notes against the final draft of the Human DNA  Profiling Bill. 
Ramanathan and Abraham are of the opinion that there aren’t adequate safeguards to privacy and too much power rests with the proposed DNA Profiling Board.&lt;br /&gt;&lt;br /&gt;Ramanathan notes that one of the biggest challenges of a DNA database is function creep – the gradual widening of the use of a technology beyond the purpose for which it was originally intended. As this DNA profiling bill enters Parliament, here are some questions we should be asking. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Is DNA evidence infallible?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The short answer is “no”. Despite all the crime shows and murder movies we have seen where DNA evidence nails the perpetrator to the crime, DNA evidence is far from absolute. Genetic material recovered from a crime scene is likely to be only a partial strand of DNA. Analysing this partial strand can lead to a match with the person that left the DNA behind but can also lead to a coincidental match with people who happen to have a similar gene sequence in their DNA. False incriminations can happen when more than one person’s DNA gets mixed at the crime scene, from DNA contamination, mislabelling and even degradation over time.&lt;br /&gt;&lt;br /&gt;In the Aarushi Talwar murder case, for instance, the Hyderabad-based Centre for DNA Fingerprinting and Diagnostics altered its 2008 report in 2013 and admitted to &lt;a href="http://www.dnaindia.com/india/report-aarushi-talwar-murder-case-talwars-say-cbi-tampered-with-evidence-1917479" target="_blank"&gt;typographical errors&lt;/a&gt; in the description of its DNA samples. The evidence could have changed the course of the investigation.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What will the national DNA database look like?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The bill proposes to set up a national DNA data bank and a number of state or regional data banks that will feed into the national data pool. 
Every data bank will have six categories under which DNA profiles will be filed – crime scene index, suspects’ index, offenders’ index, missing persons’ index, unknown deceased persons’ index, and volunteers’ index. The DNA profiling board will have the power to include more categories. In the offenders’ index, the DNA information will be linked to the name of the person from whom it was collected. All others will be linked to a case reference number.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What happens when my genetic material is on the database?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The bill gives sanction for broad use of DNA profiles and samples – to identify victims of accidents or disasters, to identify missing persons, for civil disputes and other offences. It also allows the information to be used to create population statistics, identification research, parental disputes, issues relating to reproductive technologies and migration. In his dissent note, Abraham argues that all non-forensic use should be rejected.&lt;br /&gt;&lt;br /&gt;Cases like whether paternity should be determined, unwed mothers leaving their children and adopted children looking for their natural parents are hugely contestable things, said Ramanathan. “You are changing multiple structures and not recognising any of them,” she added.&lt;br /&gt;&lt;br /&gt;Even though the bill allows for DNA information of offenders to be expunged once a court acquits them or sets aside a conviction, it makes no provision for removing other kinds of profiles.&lt;br /&gt;&lt;br /&gt;The CDFD, which will be instrumental in building and processing DNA profiles, is using the CODIS software bought from the US's Federal Bureau of Investigation and compatible with their systems. The FBI used CODIS to identify victims of the terrorist attacks on the World Trade Center in 2001. 
More recently, the CDFD used CODIS to  identify some who died  in the Uttarakhand floods of 2013 after asking  for 5,000 people who were possibly relatives of the deceased to  undertake DNA testing.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Can the DNA profiling board protect our genetic information?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The  bill grants the board vast powers to allow the use of DNA profiles in  any civil and criminal proceedings that it deems necessary. “Ideally  these powers would lie with the legislative or judicial branch,” Abraham  said, in his dissent note. “Furthermore, the Bill establishes no  mechanism for accountability or oversight over the functioning of the  Board.”&lt;br /&gt;&lt;br /&gt;Ramanathan questions the constitution of the board  itself, her worry being that the board is not a body of disinterested  officials. The secretary of the board is supposed to be from the Centre  for DNA Fingerprinting and Diagnostics, an autonomous institute that  will get a lot of work from the creation of the national DNA data bank.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Why does a DNA fingerprinting consent form ask for caste?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;One  of the most troubling features of the creation of a databank is the  consent form to be signed by a person donating blood for DNA analysis.  Along with name, gender and address, the form also asks for caste to be  listed.&lt;br /&gt;&lt;br /&gt;India has a history of unwarrantedly linking caste and  community with criminality. Members of decriminalised tribes regularly  report being harassed by the police and even having false cases foisted  on them simply because they are linked to a certain community. Tagging  caste onto genetic data can result in unfair profiling and  identification errors.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The United Kingdom set up its national criminal DNA database in 1995.  The database expanded over a decade by including genetic information of  anyone who was arrested till more than one million innocent people were  on it – including &lt;a href="http://www.sciencedirect.com/science/article/pii/S2090536X14000239" target="_blank"&gt;a grandmother&lt;/a&gt; who didn’t return a football to children who kicked it into her garden.  The dangers of a genetic database are too much state oversight, false  implication in crimes and a loss of privacy – none of which should come  to pass without at least a debate.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it'&gt;https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2015-09-13T07:56:42Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-standard-kanika-datta-august-1-2015-why-the-dna-bill-is-open-to-misuse-sunil-abraham">
    <title>Why the DNA Bill is open to misuse: Sunil Abraham</title>
    <link>https://cis-india.org/internet-governance/news/business-standard-kanika-datta-august-1-2015-why-the-dna-bill-is-open-to-misuse-sunil-abraham</link>
    <description>
        &lt;b&gt;The Human DNA Profiling Bill, the law that regulates the collection, storage and use of the human genetic code, has attracted some strong criticism from civil liberties groups including the Bengaluru-based Centre for Internet and Society (CIS) which had participated in the expert committee for DNA profiling constituted by the Department of Biotechnology in 2012.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;&lt;span class="p-content"&gt;CIS circulated a detailed dissent note earlier  this year on the draft of the Bill. As the government gets ready to  table the Bill in Parliament, CIS Executive Director &lt;b&gt;Sunil Abraham&lt;/b&gt; tells &lt;i&gt;Kanika Datta&lt;/i&gt; why the provisions of the Bill are open to misuse and invasion of privacy. Edited excerpts:&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span class="p-content"&gt;&lt;span class="p-content"&gt;&lt;b&gt;Why does Centre for Internet and Society  reject using DNA analysis for non-forensic use as set out in the Human  DNA Profiling Bill in its current form? What are the possible risks  involved here?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; The problem here is that the introduction to the Bill talks of DNA  matches "without a doubt". But the way we understand it, biometric  technology depends on approximate matching and not discrete matching.  Unlike, say, the technology used for matching digital signatures,  machines for matching DNA, fingerprints or the iris specify a false  positive ratio when they leave the factory - that's what created the  controversy in the O J Simpson trial, for example. This means you have  to be very conservative in populating the database. For a given false  positive ratio - the larger the database the greater the incidence of  mistaken identification. That is why we think that for purposes other  than forensic use, it would be better to create other databases.&lt;br /&gt; &lt;br /&gt; Let me clear: we are not Luddites but neither are we naïve  techno-enthusiasts. After all, the Innocence Project in the US has  managed to overturn the convictions of many people who were held guilty  through DNA evidence. But it is a myth that the more sophisticated the  technology the more secure and accurate it is. In fact, the reverse is  often true. For instance, the voter machines we use in India are  primitive technology but they are much harder to compromise compared to  the voting machines used in the US. Given all this, we believe that  there should be "process fixes", such as sending DNA collected from a  crime scene to two laboratories as a check and balance against the  fallibility of human beings and machines.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;CIS made the point that the powers of the DNA Board are too wide. 
In what possible way could these powers be misused since the Board is to be an independent authority?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; When this exercise was started, the DNA Board had 26 functions. We proposed that this be cut down to ten, which was accepted by a sub-committee. But when the final Bill came back it rejected the consensus view and restored the 26 functions, including things like "raising the general awareness". All this detracts from the Board's primary role and efficiency and expands its discretionary powers. It is true that a good regulator needs some amount of discretion but this should be a limited discretion within a tightly defined scope -- this is true for any regulator, not just the DNA Board.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;The provision that no civil suit can be entertained on any matter on which the DNA Board is empowered under the Act looks excessive. Is there any precedent that explains why this provision was introduced? What kind of oversight and checks and balances are there in other jurisdictions that could be incorporated in the Indian law? &lt;/b&gt;&lt;br /&gt; &lt;br /&gt; I can understand the logic here; the government is trying to ensure that the regulator has final say. After all, if you look at telecom, the decisions of the TDSAT (Telecom Dispute Settlement &amp;amp; Appellate Tribunal) can be appealed in the High Court and the Supreme Court. But eliminating judicial appeal as this Bill has stated amounts to a violation of classic regulatory design by circumventing the appellate process. Ideally, we need a tripartite separation of law in which the executive frames policies, the DNA board implements them and the courts adjudicate upon them.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;You have said the term "DNA Analysis" has not been defined. 
Could you explain the possible risks of the absence of a definition?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; DNA analysis is of many types and some of them allow you to get to know a  person quite intimately in terms of their medical history, genetic  traits and so on. But forensic analysis looks at a limited set of  markers which are essentially privacy-protecting and from which no  genetic traits can be determined. You can't, for instance, do a study on  the genetic make-up of criminals from this analysis. Now, if this Bill  is around law enforcement - which we know is the policy intention - then  the DNA analysis should be limited to those markers. That would reduce  the chances of abuse.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;You have also criticised the low standards of information disclosure  and suggest the issue should be vested in an independent third party  rather than the DNA Bank Manager. Could you explain how this would help?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; In information and technology and telecom there is an executive  authorisation mechanism in place for information sharing that requires  the home secretary's permission for non-emergency situations and the  head of the police station in the case of an emergency. We want a  similar authorisation process - say, a judge and an established paper  trail so that there are proper checks and balances. When personal  information is involved, even the DNA Board is not well placed because  its members are scientists whereas disclosure of personal information is  a question of the law.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;You have said the Bill has not been brought in line with the nine  national privacy principles set out by an expert committee in 2012.  
Shouldn't a privacy law precede the passing of the DNA Bill in any case?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; It's not a chicken-and-egg situation, but the point to consider is that  the world is moving towards European data protection principles, and  something like 100 countries have adopted it. If we in India want to  trade in European personal information (via our BPO and outsourcing  businesses) we must have a law that is adequate from the data protection  perspective. This means, among other things, mandating that anyone  whose DNA profile is accessed receives a notice to this effect, for  instance. We know that the Department of Personnel and Training has  incorporated the principles set out in the Justice Shah report in the  privacy Bill two years ago but we haven't heard anything about it since.  If and when this Bill is enacted, it will have overriding powers over a  host of laws. But where the DNA Bill is concerned, there is no reason  for it not to take cognisance of a later law.&lt;br /&gt; &lt;br /&gt; &lt;b&gt;What has been the government's reaction to this dissent note?&lt;/b&gt;&lt;br /&gt; &lt;br /&gt; No reaction!&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>DNA Profiling</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2015-09-13T08:37:44Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive">
    <title>Linking Aadhaar with social media or ending encryption is counterproductive</title>
    <link>https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive</link>
    <description>
        &lt;b&gt;Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in &lt;a class="external-link" href="https://theprimetime.in/linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive/"&gt;Prime Time&lt;/a&gt; on August 26, 2019.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Identity data: Phone numbers of the accused. Names and addresses of the accused.&lt;/li&gt;
&lt;li&gt;Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded message, delivery status, read status, etc.&lt;/li&gt;
&lt;li&gt;Payload Data: Actual content of the text and multimedia messages.&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-08-28T01:39:47Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft">
    <title>Artificial Intelligence: a Full-Spectrum Regulatory Challenge [Working Draft]</title>
    <link>https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft</link>
    <description>
        
&lt;p&gt;Today, there are certain misconceptions regarding the regulation of AI. Some corporations would like us to believe that AI is being developed and used in a regulatory vacuum. Others in civil society organisations believe that AI is a regulatory circumvention strategy deployed by corporations. As a result, these organisations call for onerous regulations targeting corporations. However, some uses of AI by corporations can be completely benign and some uses of AI by the state can result in the most egregious human rights violations. Therefore policy makers need to throw every regulatory tool from their arsenal to unlock the benefits of AI and mitigate its harms.&lt;/p&gt;
&lt;p&gt;This policy brief proposes a granular, full spectrum approach to the regulation of AI depending on who is using AI, who is impacted by that use and what human rights are impacted. Everything from deregulation, to forbearance, to updated regulations, to absolute and blanket prohibitions needs to be considered depending on the specifics. This approach stands in contrast to approaches of ethics, omnibus law, homogeneous principles, and human rights, which will result in inappropriate under-regulation or over-regulation of the sector.&lt;/p&gt;
&lt;p&gt;Find a copy of the working draft &lt;a href="https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft-pdf" class="internal-link" title="Artificial Intelligence: A Full-Spectrum Regulatory Challenge (Working Draft) PDF"&gt;here&lt;/a&gt;.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft'&gt;https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Regulatory Practices Lab</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Artificial Intelligence</dc:subject>
    

   <dc:date>2020-08-04T06:10:13Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project">
    <title>Surveillance Project</title>
    <link>https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project</link>
    <description>
        &lt;b&gt;The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article will be &lt;a class="external-link" href="http://www.frontline.in/cover-story/surveillance-project/article8408866.ece"&gt;published in Frontline&lt;/a&gt;, April 15, 2016 print edition.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Zero&lt;/strong&gt;. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Zero&lt;/strong&gt;. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Zero&lt;/b&gt;. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Near zero&lt;/b&gt;. We now move to biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in &lt;i&gt;Economic &amp;amp; Political Weekly&lt;/i&gt; by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Near zero&lt;/b&gt;. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Instantiation technology &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;One&lt;/b&gt;. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;One&lt;/b&gt;. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Competing providers&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest databases of biometric and transaction records securely for perpetuity.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project'&gt;https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-04-05T15:21:27Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/uploads/nishantshah1.gif">
    <title>Nishant Shah</title>
    <link>https://cis-india.org/internet-governance/blog/uploads/nishantshah1.gif</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/uploads/nishantshah1.gif'&gt;https://cis-india.org/internet-governance/blog/uploads/nishantshah1.gif&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2008-11-01T07:57:58Z</dc:date>
   <dc:type>Image</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble">
    <title>Connected Trouble </title>
    <link>https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble</link>
    <description>
        &lt;b&gt;The internet of things phenomenon is based on a paradigm shift from thinking of the internet merely as a means to connect individuals, corporations and other institutions to an internet where all devices in (insulin pumps and pacemakers), on (wearable technology) and around (domestic appliances and vehicles) human beings are connected.&lt;/b&gt;
        &lt;p&gt;The guest column was published in &lt;a class="external-link" href="http://www.theweek.in/columns/guest-columns/connected-trouble.html"&gt;the Week&lt;/a&gt;, issue dated November 1, 2015.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;Proponents of IoT are clear that the network effects, efficiency gains, and scientific and technological progress unlocked would be unprecedented, much like the internet itself.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Privacy and security are two sides of the same coin―you cannot have one without the other. The age of IoT is going to be less secure thanks to big data. Globally accepted privacy principles articulated in privacy and data protection laws across the world are in conflict with the big data ideology. As a consequence, the age of internet of things is going to be less stable, secure and resilient. Three privacy principles are violated by most IoT products and services.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Data minimisation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;According to this privacy principle, the less the personal information about the data subject that is collected and stored by the data controller, the more the data subject's right to privacy is protected. But, big data by definition requires more volume, more variety and more velocity and IoT products usually collect a lot of data, thereby multiplying risk.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Purpose limitation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;This privacy principle is a consequence of the data minimisation principle. If only the bare minimum of personal information is collected, then it can only be put to a limited number of uses. But, going beyond that would harm the data subject. IoT innovators and entrepreneurs are trying to rapidly increase features, efficiency gains and convenience. Therefore, they don't know what future purposes their technology will be put to tomorrow and, again by definition, resist the principle of purpose limitation.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Privacy by design&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Data protection regulation required that products and services be secure and protect privacy by design and not as a superficial afterthought. IoT products are increasingly being built by startups that are disrupting markets and taking down large technology incumbents. The trouble, however, is that most of these startups do not have sufficient internal security expertise and in their tearing hurry to take products to the market, many IoT products may not be comprehensively tested or audited from a privacy perspective.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are other cyber security principles and internet design principles that are disregarded by the IoT phenomenon, further compromising security and privacy of users.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Centralisation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Most of the network effects that IoT products contribute to require centralisation of data collected from users and their devices. For instance, if users of a wearable physical activity tracker would like to use gamification to keep each other motivated during exercise, the vendor of that device has to collect and store information about all its users. Since some users always wear them, they become highly granular stores of data that can also be used to inflict privacy harms.&lt;br /&gt;&lt;br /&gt;Decentralisation was a key design principle when the internet was first built. The argument was that you can never take down a decentralised network by bombing any of the nodes. Unfortunately, because of the rise of internet monopolies like Google, the age of cloud computing, and the success of social media giants, the internet is increasingly becoming centralised and, therefore, is much more fragile than it used to be. IoT is going to make this worse.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Complexity&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The more complex a particular technology is, the more fragile and vulnerable it is. This is not necessarily true but is usually the case given that more complex technology needs more quality control, more testing and more fixes. IoT technology raises complexity exponentially because the devices that are being connected are complex themselves and were not originally engineered to be connected to the internet. The networks they constitute are nothing like the internet which till now consisted of clients, web servers, chat servers, file servers and database servers, usually quite removed from the physical world. Compromised IoT devices, on the other hand, could be used to inflict direct harm on life and property.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Death of the air gap&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The things that will be connected to the internet were previously separated from the internet through the means of an air gap. This kept them secure but also less useful and usable. In other words, the very act of connecting devices that were previously unconnected will expose them to a range of attacks. Security and privacy related laws, standards, audits and enforcement measures are the best way to address these potential pitfalls. Governments, privacy commissioners and data protection authorities across the world need to act so that the privacy of people and the security of our information society are protected.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble'&gt;https://cis-india.org/internet-governance/blog/the-week-november-1-2015-sunil-abraham-connected-trouble&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Big Data</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2015-10-28T16:47:58Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/facebook-privacy-india">
    <title>Facebook, privacy and India</title>
    <link>https://cis-india.org/news/facebook-privacy-india</link>
    <description>
        &lt;b&gt;Does Facebook's decision to open out user information and data to third party websites amount to an invasion of privacy and should users seriously consider getting out of the site? Sunil Abraham doesn't think so.&lt;/b&gt;
        &lt;p&gt;Even if you aren’t a Facebook user (and more likely than not you are), chances are that you’ve at least heard that there are problems related to privacy settings on the site. The net has been abuzz with indignation over a decision by Facebook to open out user information and data to third party websites. A number of high profile Facebook users (and many more low profile ones) completely deactivated their accounts after the changes were announced by Founder and Chief executive Mark Zuckerberg and critics immediately pointed out that users were losing control of their personal information.&lt;/p&gt;
&lt;p&gt;There have been a slew of articles condemning the move, and highlighting “dramatic” changes to the site's privacy policy. Most alarming perhaps being &lt;a class="external-link" href="http://mattmckeon.com/facebook-privacy/"&gt;this slideshow&lt;/a&gt; compiled by Matt McKeon.&lt;/p&gt;
&lt;p&gt;All these are legitimate concerns, but how worried should we be really? Should you be seriously considering getting off the site? “As long as you are a little smart about what you upload on Facebook, there is no need to do anything as drastic as deleting your account”, says Sunil Abraham, the executive director of the Centre for Internet &amp;amp; Society, based out of Bangalore. Abraham said that the issue has shown people the risk of uploading certain types of photographs and content on to the net, but most importantly highlights the need for a privacy commission in India.&lt;/p&gt;
&lt;p&gt;“The EU has a commission which makes certain directives to sites like Facebook from time to time, which are then adhered to. India should also seriously consider setting up a similar commission,” he said.&lt;/p&gt;
&lt;p&gt;Facebook has maintained that its privacy settings are prominently displayed and can be easily accessed by users. But critics say that it is much too long and convoluted. The BBC reports that the policy in its current form has 50 different settings, 170 options and runs to 5,830 words, &lt;a class="external-link" href="http://news.bbc.co.uk/2/hi/technology/10125260.stm"&gt;making it longer than the US Constitution&lt;/a&gt;. And the sheer volume of outrage has prompted a rethink of the privacy policy by Facebook, which since held an internal meeting to discuss the affair.&lt;/p&gt;
&lt;p&gt;Abraham agrees that the issue of privacy is a complex one, but noted that the definition of what constituted “privacy” varied from culture to culture. “In India, it is perfectly normal for someone to ask someone else how much they earn, while such a question would be completely outside the boundaries of propriety in most Western countries”, he said. The issue with Facebook, he says, is that its decision to change its privacy settings was tantamount to a breach of contract. “People who joined Facebook did so because they were comfortable with the settings and regulations available on the site. For Facebook to suddenly change that violates the spirit of that contract”, he said.&lt;/p&gt;
&lt;p&gt;Meanwhile the founder and chief executive of Facebook Mark Zuckerberg has &lt;a class="external-link" href="http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html"&gt;written an article in the Washington Post today&lt;/a&gt; directly addressing issues relating to privacy controls on the popular social networking site.&lt;/p&gt;
&lt;p&gt;“The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark,” said Zuckerberg.&lt;/p&gt;
&lt;p&gt;Read the article in &lt;a class="external-link" href="http://blog.livemint.com/play-things/2010/05/24/facebook-privacy-and-india/"&gt;Livemint&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/facebook-privacy-india'&gt;https://cis-india.org/news/facebook-privacy-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2013-09-26T11:40:00Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/newspapers-should-empower-citizen-journalism">
    <title>Newspapers should empower citizen journalism</title>
    <link>https://cis-india.org/news/newspapers-should-empower-citizen-journalism</link>
    <description>
        &lt;b&gt;A single content-management system can be used to publish highly-targeted and customised content. Sunil Abraham, director, Centre for Internet and Society (CIS India), believes traditional newspapers should expose their primary research databases such as photos, video and audio recordings, and documents to the public using web technologies. &lt;/b&gt;
        &lt;p&gt;With every generation of technology, businesses are affected and have to reinvent themselves along with their business models. Today, this is very true of traditional newspapers and the Internet. To begin with, there is the opportunity and threat presented for traditional media by the rise of citizen journalists. Given the penetration of mobile phones, and the emergence of micro-blogging services like Twitter, it is possible for ordinary citizens to create press-worthy reportage.&lt;br /&gt;Some initial experiments like Scoopt.com, Spy Media and Cell Journalist, which allowed citizen journalists to sell content to traditional media, have, by and large, failed, but I am certain there will be many commercial and non-commercial services emerging in this area, like Demotix.com.&lt;/p&gt;
&lt;p&gt;Demotix currently has 8,300 reporters from 110 countries. The second opportunity is the plurality of delivery mechanisms available, thanks to digital technologies. A single content-management system can be used to publish highly targeted and customised content across several digital technologies such as SMS, GPRS, Twitter, RSS, Email, HTML, etc. Some of these formats like LATEX and PDF allow readers to print out personalised individual and institutional newspapers.&lt;/p&gt;
&lt;p&gt;Most of these technology options are not exercised because of the conservatism of the marketing departments. Those responsible for collecting advertisement revenues and maintaining sales targets keep asking 'how can we monetise that piece of content'. Their traditional business model only allows them to target subscribers and advertisers.&lt;/p&gt;
&lt;p&gt;Once they account for their role in public attention aggregation and bandwidth consumption they could try and generate income from Internet service providers and telecom operators.&lt;/p&gt;
&lt;p&gt;The third opportunity is interactivity. These days, a story no longer ends when the ink hits the paper. That is only considered the beginning, and there is sufficient discussion today about the transformative role played by citizens on mailing lists, discussion forums, blogs and wiki, ensuring that the story continues. I would like to focus on the process before the story hits the press or the content-management system, especially those stories that need sustained investigation or exhaustive time-consuming research. I believe traditional newspapers should expose their primary research databases such as photos, video and audio recordings, and documents to the public using web technologies.&lt;/p&gt;
&lt;p&gt;If this is done in a truly open and transparent manner, online volunteer energy will lend a much-needed shoulder to traditional journalism. As a consequence, the reader will be engaged even before the story.&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://epaper.dnaindia.com/dnabangalore/epapermain.aspx?queryed=9&amp;amp;username=Prasad+Nair&amp;amp;useremailid=praskrishna%40hotmail.com&amp;amp;parenteditioncode=9&amp;amp;eddate=12%2f14%2f2009"&gt;Link to the original article&lt;/a&gt; (Page 12)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/newspapers-should-empower-citizen-journalism'&gt;https://cis-india.org/news/newspapers-should-empower-citizen-journalism&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2012-10-23T08:47:50Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/wiki-worth-different-turf">
    <title>Wiki's worth, on a different turf</title>
    <link>https://cis-india.org/news/wiki-worth-different-turf</link>
    <description>
        &lt;b&gt;An Indian duo–a programmer and a mathematician–have developed a tool to expose anonymous writers and cleanse Wikipedia of rogue editors&lt;/b&gt;
        &lt;p&gt;Bangalore-based Kiran Jonnalagadda, a Web programming guru, and Hans Varghese Mathews, a mathematician, are the new entrants to the emerging field of Wikipedia research. The duo is credited with building Wiki Analysis, a tool that helps researchers understand the growing phenomenon of astroturfing, the practice of faking grass-roots support on Wikipedia and other websites. Wikipedia is the first Google result for most searches and this has made it a popular destination for those trying to manipulate public opinion on the Internet. Corporations, governments and even pop artists have been caught astroturfing in the past.&lt;/p&gt;
&lt;p&gt;Jonnalagadda and Mathews are among 34 researchers from 17 countries attending a two-day conference in Bangalore, WikiWars, which is concluding today. WikiWars is taking a fresh look at many different aspects of the world’s biggest encyclopaedia, the sixth most popular website on the Internet.&lt;/p&gt;
&lt;p&gt;The first generation of astroturfing on Wikipedia has been, thus far, largely unsophisticated, with little attention paid to covering up digital evidence. Remember the campaign Avril Lavigne’s fans launched last year that turned her music video Girlfriend into the most viewed clip on YouTube? Wal-Mart Stores Inc. contracted its public relations firm Edelman to maintain a fake website called “Working Families for Wal-Mart”. They pretended to be ordinary citizens who opposed the views of the firm’s labour union.&lt;/p&gt;
&lt;p&gt;It is well known that platforms such as Twitter and Facebook, with opaque management procedures, are susceptible to astroturf campaigns. Supporters of open licensing and peer production have always held that Wikipedia and other community-managed platforms are protected thanks to their transparency in policies and practices. But as far as Wikipedia researchers are concerned, the jury is still out.&lt;/p&gt;
&lt;p&gt;Microsoft tried to pay technology blogger Rick Jelliffe to work on Wikipedia connected to OOXML (Office Open XML) during the ISO (International Organization for Standardization) approval process in an attempt to influence the global vote. OOXML was the new file format for MS Office documents that urgently needed approval to check the growing popularity of Open Office. A user called “Ril_editor”, active between September 2007 and May 2008, who claimed to be working out of Reliance Industries Ltd’s chief Mukesh Ambani’s offices, tried to expunge pages connected to negative publicity about Reliance. Scientologists were blocked by Wikipedia’s arbitration committee when they were found trying to systematically undermine Wikipedia’s NPOV (neutral point of view) policy. NPOV is Wikipedia’s particular spin on non-partisanship, providing equal space to all opinions. However, some Wikipedia researchers such as Geert Lovink, head of the Institute of Network Cultures, Amsterdam, and co-organizer of the WikiWars conference, believe that the dominance of English and textual citation requirements has meant that NPOV is never translated into practice.&lt;/p&gt;
&lt;p&gt;An American team based out of the Santa Fe Institute, US, has developed WikiScanner, a public database of IP addresses that helps reveal the organizations behind anonymous edits on Wikipedia. WikiScanner has been used to expose the US Central Intelligence Agency’s manipulation of pages. WikiScanner doesn’t yet work for edits by authenticated users. The WikiScanner team has also developed another tool called Potential Sock Puppetry, which exposes those who use multiple user accounts from the same IP address. However, both tools could be circumvented by purchasing multiple data cards or getting people to work from public access points such as coffee shops and cyber cafés.&lt;/p&gt;
&lt;p&gt;It is this gap the Indian duo’s tool tries to plug. The first version of their Wiki Analysis tool clusters users into potential lobbies based on the pages they edit within a date range. The tool’s next version will cluster users into lobbies based on the words they consistently add and delete across pages. Says Jonnalagadda, “Wikipedia is now close to a decade old and has many articles that have existed since its earliest days and have been edited by thousands of individuals.” It is now the primary encyclopaedic destination for Internet users, and that makes it a ripe target for astroturfing. At no point in the history of human civilization have so many collaborated over so long to produce one canonical document on any article of human knowledge.&lt;/p&gt;
&lt;p&gt;“Wikipedia users rarely bother to check how a page was edited, but that information is all there, available to anyone who cares to look. We’re building the tools to help make sense of it,” Jonnalagadda says. Once Wiki Analysis is ready, you will be able to check if, for example, the editors of the climate change page on Wikipedia are more interested in ecology or energy.&lt;/p&gt;
&lt;p&gt;Original article on &lt;a class="external-link" href="http://www.livemint.com/2010/01/12210114/Wiki8217s-worth-on-a-diffe.html"&gt;Livemint&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/wiki-worth-different-turf'&gt;https://cis-india.org/news/wiki-worth-different-turf&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Openness</dc:subject>
    

   <dc:date>2012-10-23T08:33:56Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/whistle-blowers-unite">
    <title>When Whistle Blowers Unite</title>
    <link>https://cis-india.org/internet-governance/blog/whistle-blowers-unite</link>
    <description>
        &lt;b&gt;Leaking corporate or government information in public interest through popular Web service providers is risky but Wikileaks.org is one option that you could try out.&lt;/b&gt;
        
&lt;p&gt;Leaking corporate or government information in public interest in the age of Satyam has new challenges. You couldn't just upload it to a blog, social networking website or even a document management system like &lt;a class="external-link" href="http://www.google.co.in/"&gt;Google&lt;/a&gt; documents. &lt;a class="external-link" href="http://www.google.co.in/"&gt;Google&lt;/a&gt;, &lt;a class="external-link" href="http://m.in.yahoo.com/?p=us"&gt;Yahoo&lt;/a&gt; and most other Web service providers nearly always comply with the national law and cooperate with enforcement agencies. In India there have been several arrests in connection with alleged illegal email messages and content on social networking websites. It did not take a court order – just a request from the local police station. Furthermore, you would have to undertake additional risky activity online to draw media attention to your documents. Also, those who stand to lose from the leak can send a couple of copyright take down notices which will lead to deletion. So your only real option is &lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks.org&lt;/a&gt;, where they boast:&amp;nbsp; Every source protected. No documents censored. All legal attacks defeated.&lt;/p&gt;
&lt;p&gt;Launched in December 2006, &lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks.org&lt;/a&gt; stands alone on the Internet as the last refuge for the truth. Even though the promoters are European and US academic organisations, journalists and NGOs – a near neutral point of view is realised by sparing no one across the political and ideological spectrum. It is the archive of the whistle-blowers of the world and it is ugly: login information and private emails of a holocaust denier, secret documents from the Church of Scientology, Internet block-lists from Thailand and standard operating procedures for US guards at Guantanamo Bay, et cetera. One could safely assume that these guys have very few friends.&amp;nbsp; Unlike Wikipedia.org whose technology it employs,&amp;nbsp;&lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks&lt;/a&gt; does not have an open and participatory editorial policy. It accepts documents through a trusted journalist–source system.&amp;nbsp;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Leaking controversial documents can result in loss of job, limb and life, so extreme caution is always advised. Remember that India still does not have laws protecting whistle blowers, in spite of a bill being introduced in 2006. What follows is only a very rough guide to digital whistle blowing, so please get expert advice before you try these at home:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Download and install military grade encryption software like Pretty Good Privacy. Generate a pair of keys – a public and a private one. Use your private key in combination with a journalist's public key to send him or her a 'for your eyes only' email message.&amp;nbsp; Only the journalist will be able to decrypt the message using your public key and his or her private key.&amp;nbsp; Note, however, that an Indian court under the 2008 amendment of the IT Act can ask you to disclose your key-pair.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Step outside. Working from home is a bad idea since DOT mandates that all ISPs retain logs for all users and for all services utilized for an indeterminate time-period. The office is worse still, as your network administrator might also be logging your activities.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Find an anonymous public access point. Cyber-cafes, especially in New Delhi, Maharashtra, Karnataka and Tamil Nadu are asking users to provide identity cards and record contact details and in some cases web-cam photographs as well. Using your laptop in a coffee shop may work but DOT is considering cracking down on open wifi networks.&amp;nbsp;&lt;/li&gt;&lt;li&gt;Use an anonymizing service so that the chain of digital evidence leading up to &lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks&lt;/a&gt; is obliterated. TOR is the anonymizing solution of choice. Several TOR servers that provide private tunnels across the Internet work in unison, to form a cloud of anonymity. &lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;If you were leaking large amounts of data, uploading it may be too risky. Burn the data on DVDs and mail them to &lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks&lt;/a&gt;. However, do ensure that all digital files have been purged of personal information. For word files this can be done by converting to PDF.&amp;nbsp; Also you may not want to leave any finger-prints on the package. India will soon have a database of finger prints thanks to the National Unique Identity (NUID) project. We know this thanks to the leaked NUID project document on &lt;a class="external-link" href="http://www.wikileaks.org/"&gt;Wikileaks.org&lt;/a&gt;, days before the consultation.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/whistle-blowers-unite'&gt;https://cis-india.org/internet-governance/blog/whistle-blowers-unite&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Digital Activism</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:17:48Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/sense-and-censorship">
    <title>Sense and censorship</title>
    <link>https://cis-india.org/internet-governance/blog/sense-and-censorship</link>
    <description>
        &lt;b&gt;Sunil Abraham examines Google's crusade against censorship in China in wake of the attacks on its servers in this article published in the Indian Express.&lt;/b&gt;
        
&lt;p&gt;Some believe that Google’s co-founder Sergey Brin’s memories as a six-year-old in the former Soviet Union has inspired Google’s crusade against censorship in China. However, as Siva Vaidhyanathan, author of upcoming book The Googlisation of Everything, notes in a recent blog post — this “isn’t a case of Google standing up for free speech....but about Google standing up against the attacks.”&lt;/p&gt;
&lt;p&gt;He was referring to the attacks on Google’s servers that originated from China mid-December last year. Anyone running a multi-billion dollar enterprise online would be well attuned to the security threats posed by anarchists, crackers, spammers and phishers on a daily basis. So what made the recent Google attacks so special? According to Google, intellectual property was stolen and two human rights activists’ accounts were compromised during the attack. So which was the straw that broke the camel’s back — intellectual property or human rights? Google could have spoken out against censorship years ago — after all it still censors search results in more than 20 countries, including India. Although there is no official channel or protocol guiding censorship practices in India, Google is regularly contacted by government officials and continues to delete web content deemed sensitive according to various ethnic, political and religious groups. Human rights activists note that Google offers some token resistance and then usually complies with the state’s demands. Google’s deputy general counsel, Nicole Wong, justifies her cooperation with the authorities citing the Indian way of torching buses during riots. Therefore it is odd that the US government endorses Google’s selective idealism in China. One week after the attacks, Hillary Clinton decided to lecture the world on Internet freedom. Then, Google and the National Security Agency announced a collaboration to deal with future cyber-attacks. This was followed by Google honouring female bloggers in Iran, forcing cyber-ethnographer, Maximilian Forte to wonder on Twitter, “Is it just me, or is Google consistently joining the causes of the US State Department?” How is Google’s move, and recent White House support for a “free web”, to be understood? How is Google’s move consistent with the Obama administration’s goal of protecting US business interests across the globe? 
Such questions may tell us why Google is picking a fight with China rather than Saudi Arabia or Burma. The recent privacy disaster incited by the release of Google’s new social networking application Buzz became yet another occasion when many began to doubt Google’s high rhetoric about freedom of expression. When Buzz first made the social connections of Gmail users public without their consent, blogger Evgeny Morozov questioned the company’s logic in protecting the email accounts of Chinese human rights activists (ie, when they are happy to tell the rest of the world who those activists are talking to). According to Morozov, Google has only managed to capture 30 per cent of the Chinese search market, and he believes that Google was willing to sacrifice this market for some much-needed positive PR after a storm of bad press over projects like Buzz and Wave.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;It is clear that Google will have to fight such pressures towards greater control of the internet across the globe, China being no great exception. This week, Google and Yahoo have come out strongly in opposition to Australia’s plan to implement a mandatory ISP filter. Sometimes, a particular form of censorship serves a useful and necessary purpose — for example, Google and Microsoft were forced by the Indian Supreme Court in September 2008 to stop serving advertisements for do-it-yourself foetus sex determination kits. Given our daughter deficit, I would not have it any other way. However, in Thailand, such filtering takes the form of overly expansive lèse majesté laws which force ISPs to reveal details of individuals posting content deemed insulting to the monarch, Bhumibol Adulyadej — this practice leading to self-censorship and over-moderation on forums and mailing lists in Thailand.&lt;/p&gt;
&lt;p&gt;Also, as soon as traffic was redirected from Google.cn to Google.com.hk, Google advised its enterprise customers in China to use VPN (virtual private networking), SSH (secure shell) tunneling, or a proxy server to access Google Apps. These are circumvention technologies of choice for many Chinese cyber-activists, says Rebecca MacKinnon, founder of Global Voices Online. In her recent congressional submission, she also points out that in China, online defiance has a very different history, perhaps best illustrated by the Mud Grass Horse Internet meme which was an obscene pun on a government media campaign aimed at national unity and harmony. In China, aesthetics rather than technology is the primary tool for subversive political speech. Also, as in Burma and Saudi Arabia, offline piracy and pirated satellite television ensure that most citizens are able to access censored content. And the average Chinese netizen cannot tell the difference between Google censoring its own results and the Great Firewall censoring Google. Google’s recent actions have very little real impact on the state of censorship in China.&lt;/p&gt;
&lt;p&gt;For original article in the &lt;a class="external-link" href="http://www.indianexpress.com/news/senseandcensorship/596260/"&gt;Indian Express&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/sense-and-censorship'&gt;https://cis-india.org/internet-governance/blog/sense-and-censorship&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:15:15Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/government-enter-homes">
    <title>Does the Government want to enter our homes?</title>
    <link>https://cis-india.org/internet-governance/blog/government-enter-homes</link>
    <description>
        &lt;b&gt;When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.&lt;/b&gt;
        
&lt;p&gt;&lt;strong&gt;What? Me worry about the blackberry imbroglio?&lt;/strong&gt;&lt;br /&gt;If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.&lt;/p&gt;
&lt;p&gt;Many internet observers say that&amp;nbsp; the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?&lt;/p&gt;
&lt;p&gt;And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Isn’t this a lost cause already?&lt;/strong&gt;&lt;br /&gt;Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The privileged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;We don't know how much they know about us!&lt;/strong&gt;&lt;br /&gt;The average reader might not be aware of the access that the Indian government has to his/her personal information.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.&lt;/p&gt;
&lt;p&gt;This is legalised through ISP licence agreements, which require ISPs to provide monitoring equipment that can be used by various law enforcement and intelligence agencies. There is no clear policy on data retention.&lt;/p&gt;
&lt;p&gt;Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.&lt;/p&gt;
&lt;p&gt;Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they retain it for posterity for market research?&lt;/p&gt;
&lt;p&gt;In the absence of a privacy law — the Indian citizen can only make intelligent guesses.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Encryption is our friend&lt;/strong&gt;&lt;br /&gt;As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;She would use the same key as I did to unencrypt the message, ie, substituting each letter of the alphabet with the next/previous one.&lt;/p&gt;
&lt;p&gt;If someone was able to intercept the key, then all communication between us in both directions would be compromised.&lt;/p&gt;
&lt;p&gt;Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.&lt;/p&gt;
&lt;p&gt;Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.&lt;/p&gt;
&lt;p&gt;The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination — just as you would with an old suitcase.&lt;/p&gt;
&lt;p&gt;The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How does Blackberry encrypt differently?&lt;/strong&gt;&lt;br /&gt;Other smart phone providers like iPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.&lt;/p&gt;
&lt;p&gt;The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.&lt;/p&gt;
&lt;p&gt;Then, GoI could be worried if western intelligence agencies are eavesdropping.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How will this end? Will Blackberry leave?&lt;/strong&gt;&lt;br /&gt;Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example, Blackberry has now ‘resolved’ security problems with Saudi Arabia.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.&lt;/p&gt;
&lt;p&gt;They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.&lt;/p&gt;
&lt;p&gt;What the Blackberry dilemma is showing us is that the social cost of the electronic Big Brother will be steep, as it should be.&lt;/p&gt;
&lt;p&gt;To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.&lt;/p&gt;
&lt;p&gt;Read the article in &lt;a class="external-link" href="http://www.punemirror.in/index.aspx?page=article&amp;amp;sectid=2&amp;amp;contentid=2010081020100810224737834e2c8a329&amp;amp;sectxslt="&gt;Pune Mirror&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/government-enter-homes'&gt;https://cis-india.org/internet-governance/blog/government-enter-homes&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:12:40Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/online-anonymity">
    <title>We are anonymous, we are legion</title>
    <link>https://cis-india.org/internet-governance/blog/online-anonymity</link>
    <description>
        &lt;b&gt;Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.&lt;/b&gt;
        
&lt;p&gt;During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.&lt;/p&gt;
&lt;p&gt;Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence, on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.&lt;/p&gt;
&lt;p&gt;Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.&lt;/p&gt;
&lt;p&gt;Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibit impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?&lt;/p&gt;
&lt;p&gt;Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Shared identities, unlike shared software and standards, are a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore, gives us an insight into how this could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.&lt;/p&gt;
&lt;p&gt;In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online, therefore, are the perfect counterfoil to digital surveillance.&lt;/p&gt;
&lt;p&gt;As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Read the article originally published in the Hindu&lt;/em&gt;, &lt;a class="external-link" href="http://www.thehindu.com/todays-paper/tp-national/article1705308.ece"&gt;here&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/online-anonymity'&gt;https://cis-india.org/internet-governance/blog/online-anonymity&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T09:38:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/big-brother-watching-you">
    <title>Big Brother is Watching You</title>
    <link>https://cis-india.org/internet-governance/blog/big-brother-watching-you</link>
    <description>
        &lt;b&gt;The government is massively expanding its surveillance power over law-abiding citizens and businesses, says Sunil Abraham in this article published by the Deccan Herald on June 1, 2011.&lt;/b&gt;
        
&lt;p&gt;Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea of who she is or where she lives.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use software to log her Internet activities and make a reasonable guess about her HIV status.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator may be vulnerable to digital or physical theft and before you know it, such logs could end up on the Internet.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.&lt;/p&gt;
&lt;p&gt;Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;But the ISP serving Deccan Herald is obliged by the license terms to log all traffic passing through it, be it from broadband, dial-up or mobile users. Again, there are no clear guidelines on when to delete these logs and none of the Indian ISPs publicly publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make it available to government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;With ISPs and online service providers – all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 and June 2010 Google received 1,430 information requests from India. Many other companies, for example, Microsoft, are not as transparent as Google about state surveillance. So we will never know what they are subjected to.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;If the whistle-blower was using Blackberry, all traffic would be transferred from the device to RIM's Network Operation Centre situated outside India in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning which mail server is being used from the logs and surveillance equipment at the ISP premises. And that is why the government has been engaged in a five-year-long public fight with RIM over access to Blackberry traffic.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Now, thanks to the IT Act, the government can demand that service providers, including RIM, hand over the decryption keys by accusing any individual of a variety of vague offenses – for example engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’ – under the IT Act. Refusal to hand over the keys is punishable with a jail term of three years.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of their international partners. This enterprise is using a VPN or virtual private network for confidential digital communication. As per the ISP license all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In the age of wire-tap leaks, only a minuscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40 bit strength. For example, Gmail uses 128 bit and Skype uses 256 bit encryption. Many services use dynamic encryption, that is, generate different keys for each session.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The IT Act (Amendment 2008) and its associated Rules, notified in April this year are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;This has terrifying consequences for our plural society, free media and businesses. The Department of Information Technology, in particular Dr. Gulshan Rai's office, has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clamp down on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Read the original &lt;a class="external-link" href="http://www.deccanherald.com/content/165420/big-brother-watching-you.html"&gt;here&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/big-brother-watching-you'&gt;https://cis-india.org/internet-governance/blog/big-brother-watching-you&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T09:32:28Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
