Centre for Internet and Society

Cybercrime and Privacy

praskrishna — 2010-09-14T13:21:20Z

Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act.

What is Cybercrime?

Looking at the recent Facebook ‘break in’ where 100,000 of users’ information was downloaded and made accessible through a simple search engine, , and the new Microsoft virus that attacked 10,000 machines, it is clear that cybercrime is no longer an issue to be taken lightly. Cybercrime is defined as an unlawful act committed using a computer either as a tool or as a target (or both) for facilitating a crime. Although there is an overlap, some are more likely to use the computer as a tool, and others use it as a target. Examples of the former include: fraud, forgery, DOS, consumption of limited resources, cyberterrorism, IPR violations, software piracy, copyright infringement, trademarks violations, patent violations, cyber squatting, credit card frauds, forgery, EFT frauds, pornography, banking/credit card related crimes, sale or purchase of illegal articles, cyberstalking, phishing, theft, and breaches in privacy, and gambling. Crimes where the computer is made a target include: computer theft, physical destruction or alteration of network components, theft of computer source code, hacking, defacing websites, creation of viruses, destruction or alteration of configuration information and email spamming.

What is India's current legislation on cybercrime?

The Information Technology Act 2000 (amended in 2008)

The Information Technology Act was first drawn up in 2000, and has been revised most recently 2008. The Information Technology (Amendment) Bill, 2008 amended sections 43 (data protection), 66 (hacking), 67 (protection against unauthorised access to data), 69 (cyberterrorism), and 72 (privacy and confidentiality) of the Information Technology Act, 2000, which relate to computer/cybercrimes.

Section 43 [Penalty and Compensation for damage to computer, computer system, etc.] amended vide Information Technology Amendment Act 2008 reads as under:

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network:

accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008)
downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
disrupts or causes disruption of any computer, computer system or computer network;
denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means (Inserted vide ITAA-2008); and
Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, (Inserted vide ITAA 2008) he shall be liable to pay damages by way of compensation to the person so affected. (change vide ITAA 2008)

Critique: In comparison to the laws enacted in other countries, this provision still falls short of a strong data protection law. In most other countries data protection laws specify:

the definition and classification of data types;
the nature and protection of the categories of data;
that equal protection will be given to data stored offline and data stored manually;
that data controllers and data processors have distinct roles;
clear restrictions on the manner of data collection;
clear guidelines on the purposes for which the data can be put and to whom it can be sent;
standards and technical measures governing the collection, storage, access to, protection, retention, and destruction of data;
that providers of goods or services must have a clear opt - in or opt - out option; and
in addition, most countries provide strong safeguards and penalties against breaches of any of the above

Section 66 [Computer Related Offences] amended vide Information Technology Amendment Act 2008 reads as under:

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,-

the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.

[Section 66 A] [Punishment for sending offensive messages through communication service, etc.]

(Introduced vide ITAA 2008):

Any person who sends, by means of a computer resource or a communication device,-

any information that is grossly offensive or has menacing character; or
any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008) shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.

[Section 66 B] [Punishment for dishonestly receiving stolen computer resource or communication device] (Inserted Vide ITA 2008):
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

[Section 66C] [Punishment for identity theft] (Inserted Vide ITA 2008):

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

[Section 66D] [Punishment for cheating by personation by using computer resource] (Inserted Vide ITA 2008):
Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

[Section 66E] [Punishment for violation of privacy] (Inserted Vide ITA 2008):
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both

Explanation - For the purposes of this section--

“transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
“capture”, with respect to an image, means to videotape, photograph, film or record by any means;
“private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
“publishes” means reproduction in the printed or electronic form and making it available for public;
“under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that:

he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.

[Section 66F] [Punishment for cyber terrorism]:
(1) Whoever,-

(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –

denying or cause the denial of access to any person authorized to access computer resource; or
attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or
introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or

(B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life’.

Critique: We find the terminology in multiple sections too vague to ensure consistent and fair enforcement. The concepts of ‘annoyance’ and ‘insult’ are subjective. Clause (d) makes it clear that phishing requests are not permitted, but it is not clear that one cannot ask for information on a class of individuals.

Section 67 [Publishing of information which is obscene in electronic form] amended vide Information Technology Amendment Act 2008 reads as under:

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to two three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

[Section 67 A] [Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form] (Inserted vide ITAA 2008):
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
which is kept or used bona fide for religious purposes.

[Section 67 B] Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form:

Whoever,-

(a) publishes or transmits or causes to be published or transmitted material in any electronic

form which depicts children engaged in sexually explicit act or conduct or

(b) creates text or digital images, collects, seeks, browses, downloads, advertises,

promotes, exchanges or distributes material in any electronic form depicting children in

obscene or indecent or sexually explicit manner or

and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or

(d) facilitates abusing children online or

(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:

Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-

(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or

(ii) which is kept or used for bonafide heritage or religious purposes

Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.

[Section 67 C] [Preservation and Retention of information by intermediaries]:

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Critique: This provision adequately protects both the corporate and the citizen in a positive way.

Section 69 [Powers to issue directions for interception or monitoring or decryption of any information through any computer resource] amended vide Information Technology Amendment Act 2008 reads as under:

(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be

intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.

(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to –

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept or monitor or decrypt the information, as the case may be; or

(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.

[ Section 69B] Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security:

(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of subsection

(2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Explanation: For the purposes of this section,

(i) "Computer Contaminant" shall have the meaning assigned to it in section 43

(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.

Critique: Though we recognize how important it is for a government to protect its citizens against cyberterrorism, we are concerned at the friction between these provisions and the guarantees of free dialog, debate, and free speech that are Fundamental Rights under the Constitution of India.

Specifically:

a) there is no clear provision of a link between an intermediary and the information or resource that is to be monitored.

c)the penalties laid out in the clause are believed to be too harsh, and when read in conjunction with provision 66, there is no distinction between minor offenses and serious offenses.

e) the ITA is too broad in its categorization of acts of cyberterrorism by including information that is likely to cause: injury to decency, injury to morality, injury in relation to contempt of court, and injury in relation to defamation.

Section 72 [Breach of confidentiality and privacy] amended vide Information Technology Amendment Act 2008 reads as under:

Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

[Section 72 A] Punishment for Disclosure of information in breach of lawful contract (Inserted vide ITAA-2008):

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.

General Notes and Critiques:

As general notes on the ITA and data protection we find that the Act is lacking in many ways, including:

there is no definition of “sensitive personal data or information” and that term is used indiscriminately without.
the provisions and protections cover only electronic data and not stored data or non-electronic systems of media
in the absence of a data controller, liability is often imposed on persons who are not necessarily in a position to control data
civil liability for data breach arises where negligence is involved
criminal liability only applies to cases of information obtained in the context of a service contract.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008

Transparency and MDGs: the Role of the Media and Technology

praskrishna — 2011-04-02T10:16:21Z

Key quotes from sixth panel

“We are thinking globally, acting locally. We take the bottom-up approach with radio for people in the community to tell their government what they need and to partake in decision making process.”
— Lucy Maathai, Slums Information Development and Resource Centers, Kenya

“For HIV/AIDS in Botswana during the 1990s, we tried creating big billboards saying ‘get tested’, we tried working through NGOs, but it was not until we also got local churches and local tribal leaders together, that things changed. We had to focus on getting buy-in from the political leadership and every local leader. UNDEF was set up to fill the gaps between UN agencies like UNICEF, UNDP, etc. What I have seen in botswana and 30 years of experience, is that if we always add information and communication at the end, we will fail. Rather we need to make sure that it is integrated all along. Furthermore, people in Botswana are aware of technologies, but they do not feel that they can use it or are supported to use it. Instead they use traditional methods, such as churches, in bars, and with local tribal leaders. The UN are mostly used to dealing with formal institutions, but in order to help the bottom billion in the world, we need to engage with the informal institutions, sometimes even with the ‘bad guys’”.
— Bjoern Ferde, UNDP Oslo Center, Norway

“If a transparency system is based on suspicion rather than trust, it breeds corruption. If your demand for transparency and accountability undermines social safety nets, you will undermine your entire argument. Transparency may seem to add to accountability, but we must understand that it oftens undermines privacy (in the Gujarat genocide, muslims were found and killed by rioters using tax and electoral records). In addition, in india, a name alone reveals a lot of information on caste, area and religion, so what is normal in the west – disclosing names – is not always a good idea. Finally, in many places, particularly those in conflict, disclosing your income may lead to groups turning up at your door and demanding a share.”

— Sunil Abraham, Centre for Internet and Society, India

“It’s great what ARTICLE 19 is doing. There’s often a lot of discussion within communities, but not so often discussions between communities. I want to connect the media too. So little has been done at the international level on how information and communication help development. We do need to acknowledge that the media has massive advantages as an information and transparency mechanism. If you ask politicians what they are worried about in regards to transparency, they are worried about the media. In peru, a report states that Fujimori bribed media executives 100x the amount that he bribed a judge. Indeed, there are so few people paid within UN organisations to focus on understanding and using communication to effect people’s lives. We are operating in a strategic vaccum. It’s hugely exciting to work out where we can go in the future. This event takes us a long way forward.”
— James Deane, BBC World Trust, UK

“There are simple and creative ways to demonstrate information, such as the ‘stone’ test. In Botswana, each person in a village was asked to place a stone in the middle of the group for every person that died due to HIV/AIDS. It created an immediate and devastating effect when people suddenly visualised the effect on their community and then collectively began to think about what that meant in regards to families and society.”
— Bjoern Ferde, UNDP Oslo Center, Norway

“In the south we call the media the fourth estate – a moral and ethical force to protect democracy and the constitution of our country. In the north however, we have a business model which completely removes any sense of ethics. The Indian Express, for example, will only talk about markets, not about people and their lives in poverty. Furthermore, whilst we want information shared, we do not want the information collected by the state to destroy the people.
— Aruna Roy, MKSS

Read the original

For more details visit https://cis-india.org/news/transparency-mdgs-key-quotes

Privacy and the Indian Copyright Act

praskrishna — 2013-08-06T13:37:27Z

India's Copyright Act was established in 1957, and is in the process of being placed before the Parliament in 2010. The provisions in the proposed Bill will work to make the Act WIPO Copyright Treaty (WCT) compliant. When looking at privacy in the context of copyright four key questions arise, says Elonnai Hickock as she analyses privacy in the context of the Indian Copyright Act.

How do DRM technologies undermine privacy and what safeguards are present in the Indian law to protect citizens’ right to privacy?

Technologies such as digital rights management technologies were developed to be used by hardware manufacturers, publishers, copyright holders and individuals to control the mode of use of certain digital devices and contents. DRM technologies pose as a privacy threat, because in their ability to monitor what is happening to a copyrighted work, they are also able to collect personal information and send it back to a host without knowledge of the user. The host is then able to use that data for marketing or commercial purposes. In the Copyright Act, 1957 there are no current provisions against DRM circumvention. In the proposed Copyright Bill 2010 there are two proposed provisions: to prevent anti circumvention of DRM technologies and one provision that clarifies what is a DRM technology.

Proposed Legislation

Section 2 (xa): Defines Rights Management Information – it is important to note that within the definition of RMI the provision specifically excludes any device or procedure intended to identify the user from the definition.

Section 65A (1) : Protection of Technological Measures - Any person who circumvents an effective technological measure applied for the purpose of protecting any of the rights conferred by this Act, with the intention of infringing such rights, shall be punishable with imprisonment which may extend to two years and shall also be liable to fine includes that any person facilitating circumvention by another person of a technological measure, shall maintain a complete record of such other persons including his name, address and all relevant particulars necessary to identify him.

Section 65B: Protection of Rights Management Information – Any person who removes, or distributes, copies, or broadcasts any rights management information without authority shall be by punishable with imprisonment.

Recommendation: We find, not just exclusively to the Copyright Act, but that in all Indian legislation the privacy of an individual is brought into question, because there are no safeguards against the commercialization of information, and no formal process of redress if an individual discovers that his information is being used without his consent/prior knowledge. We would recommend that (perhaps appropriately in legislation on data protection) a provision be included to clearly articulate that the collection and commercialization of information and personal data is prohibited by DRM technologies and host companies, and a method of redress be put in place.

Under the copyright, does a person have the ability to expose privacy infringement?

Because DRM technologies have the ability to collect user information, which could potentially be done through the use of spyware, it is important that an individual has the ability to know if and when their information is being collected. To do this an individual can discover the technological principles of a device, object, or system through a process known as reverse engineering. Currently reverse engineering is permitted under provision 52 (ac). It is further supported by provision 65A (2) (f).

Current Legislation

Provision 52 (ac): Certain acts not to be in infringement of copyright include: the observation, study or test of functioning of the computer programs in order to determine the ideas and principles which underlie any elements of the program while performing such acts necessary for the functions for which the computer program was supplied. The following acts shall not constitute an infringement of copyright, namely:
65A (2) (f): Nothing in sub-section (1) shall prevent any person from, doing anything necessary to circumvent technological measures intended for identification or surveillance of a user.

Recommendation: We have no recommendation, but see this as a positive provision.

How does the proposed exception for the disabled undermine privacy?

In India under the current Copyright Act, 1957 there are no provisions for the benefit of disabled persons, thus currently permission from copyright holders needs to be exclusively sought every time the visually challenged person requires access. Under the Constitution of India and the Bernes Convention, India has committed to enshrining the rights of the disabled.

Proposed Legislation

Section 31B: will grant compulsory license in respect of publication of any copyrighted works not covered by the exception under section 52 (1) (zb). For this a registered intermediary organization that is recognized under The Persons with Disability Act shall apply to the Copyright Board for approval. The board will evaluate the applicant and application, and grant permission if it sees fit. The intermediary will then be responsible for monitoring the usage of the copyrighted work to ensure that copyright law is not violated.

Recommendation: Though currently the Indian legislation does not threaten the privacy of the disabled, we find it concerning that under the WIPO copyright treaty – the anonymity of the disabled would be compromised.

What is On the Horizon?

As copyright and IP is a constantly evolving issue, countries are consistently amending and changing their laws. With the flow of peoples across borders increasing, Indians will be affected by different international policies that could pose to infringe upon their privacy, for example cross-border checks or three strike regimes, which will punish a person if caught infringing copyright three times. For example: France has proposed cutting off Internet to those caught infringing on copyright three times.

Examples of Proposed Legislation: The Anti-Counterfeiting Trade Agreement:

ACTA is a proposed legislation. Its objective is to combat counterfeiting and piracy. Partners in the negotiations include: The United States, Australia, Canada, the European Union, Japan, Mexico, Morocco, New Zealand, Singapore, South Korea, and Switzerland. The treaty will oblige each contracting party to adopt, in accordance with its legal system, the measures necessary to ensure the application of the treaty. Though ACTA has not been enacted, many worry that ACTA would facilitate privacy violations by trademark and copyright holders against private citizens suspected of infringement activities without any sort of legal due process. The Act could allow for random searches of laptops, MP3 players, and cellular phones for illegally downloaded or ripped music and movies.

Recommendation: We find that copyright infringement does not appear to justify cross border searches or other forms of regulating. ACTA and other international treaties raise the question that if India became compliant with certain international standards, would the standards would be too stringent without safeguards, and pose as a risk to a person’s privacy.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy-copyright-act

No UID Campaign in New Delhi - A Report

praskrishna — 2012-06-20T03:51:45Z

The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.

Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor. The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.

The UID proposes to take the finger prints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology exposed the flaws of the entire technical aspect of the UID project. He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system. Contrary to the claim of the UID authority, that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and there are many ways in which the technology can break, be inconsistent, or be inaccurate.

From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.

The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.

In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

The campaigners for No UID plans to hold further meetings across the country and lobby Parliamentarians in the coming months.

For more information contact: Mathew Thomas (Bangalore) mathew111983@gmaill.com, Elonnai Hickok (Bangalore) elonnai@cis-india.org , Sajan Venniyoor (Delhi): +91-9818453483 - Bobby Kunhu (Delhi): +91-9654510398

For more details visit https://cis-india.org/internet-governance/blog/no-uid-campaign

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit https://cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

August 2010 Bulletin

praskrishna — 2012-08-10T10:40:34Z

Greetings from the Centre for Internet and Society. We bring you news and media coverage, research and event updates for the month of August 2010

News Updates

RIM Offered Security Fixes
In India Talks, BlackBerry Maker Said It Could Share Metadata, Notes Show
http://bit.ly/ahT7jD

New Project to Assess Potential of Creating Open Government Data Initiatives in Chile, Ghana and Turkey
Steve Bratt, CEO of the World Wide Web Foundation (founded in 2009 by Tim Berners-Lee) has made an announcement on moving forward with a project to assess the potential of creating open government data
initiatives in Chile, Ghana, and Turkey - the first step of what we hope to be a global initiative focusing on low- and middle-income countries.
http://bit.ly/d337Ex

Govt and BlackBerry firm wait for the other to hang up
Sunil Abraham speaks to Archna Shukla on the stand-off between the Government of India and RIM. The news was published in expressindia.com.
http://bit.ly/cGeipL

Call, text, email complaint against rogue auto driver
Harassed by an auto driver? Helplines give you no relief? Here's the people's way to help you out. Just report your issue online, call or even SMS sitting in a noisy restaurant, and be heard.
http://bit.ly/atiiGW

Call to increase awareness of intellectual property rights
We need more knowledge on IPR itself, says IT Secretary
http://bit.ly/avxY16

Civil Society groups urge State Judicial Academy to restructure agenda for Judges' Roundtable meet
Some of the Civil Society groups in the country have urged the Maharashtra State Judicial Academy to restructure the agenda for the 'Judges Roundtable on Intellectual Property Rights Adjudication' being held in Mumbai on July 24 and 25 to promote public interest and a deeper understanding of intellectual property amongst judicial officers. FICCI is the joint organiser of the event.
http://bit.ly/dCDZl0

More Debate on UID Project Needed
A press conference on UID was held at the Press Club in Bangalore on 26 July, 2010. It was co-organised by Citizen's Action Forum, Alternate Law Forum and the Centre for Internet and Society. Mathew Thomas and Vinay Baindur spoke about the UID. Proceedings from the conference was covered in the Hindu on 27 July, 2010.
http://bit.ly/cSEsaP

UID coverage in Udayavani
A press conference was held at the Press Club in Bangalore on 26 July, 2010. It was co-organised by Citizen's Action Forum, Alternate Law Forum and the Centre for Internet and Society. Mathew Thomas and Vinay Baindur were the speakers. Leading Kannada newspaper Udayavani covered this event.
http://bit.ly/c3AU5s

Open is the Future
The third Open World Forum will gather together decision-makers from the open digital world, in Paris. 1,500 participants from 40 countries will come together to analyze the technological, economic and social impact of Open Source, the invisible engine behind the digital revolution. The aim: to interpret future trends and cross-fertilize initiatives.
http://bit.ly/amY9Qc

Upcoming Events

No UID till Complete Transparency, Accountability and People's Participation: A Public Campaign
An interactive meeting on UID's lack of a feasibility study, cost involved and dangers of abuse is being held in New Delhi at the Constitution Club Auditorium, Rafi Marg on 25 August, 2010. The meeting is jointly organised by INSAF, PEACE, Citizens' Action Forum, People's Union for Civil Liberties - Karnataka, Slum Janandolana - Karnataka, Alternate Law Forum, The Centre for Internet and Society and concerned individuals.
http://bit.ly/8YsBIJ

Internet Governance and Human Rights: Strategies and Collaborations for Empowerment
Leading up to the 2010 IGF, The Association for Progressive Communications (APC), Global Partners, the Centre for Internet and Society (CIS) and the Dynamic Coalition on Internet Rights and Principles are hosting, on 13 September 2010 in Vilnius, an event on 'Internet Governance and Human Rights: Strategies and Collaborations for Empowerment'.
http://bit.ly/aoOkPR

Freedom of Expression or Access to Knowledge: Are We Taking the Necessary Steps Towards an Open and Inclusive Internet?
The Centre for Internet and Society is co-organising a workshop on Freedom of Expression or Access to Knowledge: Are We Taking the Necessary Steps towards an Open and Inclusive Internet? at the Internet
Governance Forum on 14 September, 2010.
http://bit.ly/dl1WRL

Sexual Rights, Openness and Regulatory Systems
The Centre for Internet and Society is co-organising a workshop on Sexual Rights, Openness and Regulatory Systems at the Internet Governance Forum on 14 September, 2010.
http://bit.ly/dl1WRL

Data in the Cloud: Where Do Open Standards Fit In?
The Centre for Internet and Society is co-organising a workshop on Data in the Cloud: Where do Open Standards Fit In? on 16 September, 2010 at the Internet Governance Forum.
http://bit.ly/94AF4h

International Conference on Enabling Access to Education through ICT
The Centre for Internet and Society (CIS), Bangalore in cooperation with the Global Initiative for Inclusive ICT (G3ICT), a flagship advocacy organization of the UN Global Alliance on ICT and Development (UN-GAID), the International Telecommunications Union (ITU), UNESCO, Digital Empowerment Foundation, Society for Promotion of Alternative Computing and Employment and the Deafway Foundation is organizing an international conference, Enabling Access to Education through ICT in New Delhi from
27th to 29th October, 2010....Registrations to begin soon!
http://bit.ly/9flyEK

Research

Political is as Political does
The Talking Back workshop has been an extraordinary experience for me. The questions that I posed for others attending the workshop have hounded me as they went through the course of discussion, analysis and dissection. Strange nuances have emerged, certain presumptions have been questioned, new legacies have been discovered, novel ideas are still playing ping-pong in my mind, and a strange restless excitement – the kind that keeps me awake till dawning morn – has taken over me, as I try and figure out the wherefore and howfore of things. I began the research project on Digital Natives in a condition of not knowing, almost two years ago. Since then, I have taken many detours, rambled on strange paths, discovered unknown territories and reached a mile-stone where I still don’t know, but don’t know what I don’t know, and that is a good beginning.
http://bit.ly/9hY9sR

Digital Natives: Talking Back
One of the most significant transitions in the landscape of social and political movements, is how younger users of technology, in their interaction with new and innovative technologised platforms have taken up responsibility to respond to crises in their local and immediate environments, relying upon their digital networks, virtual communities and platforms. In the last decade or so, the digital natives, in universities as well as in work spaces, as they experimented with the potentials of internet technologies, have launched successful socio-political campaigns which have worked unexpectedly and often without precedent, in the way they mobilised local contexts and global outreach to address issues of deep political and social concern. But what do we really know about this Digital Natives revolution?
http://bit.ly/bZNoSX

Beyond the Digital: Understanding Digital Natives with a Cause
Digital Natives with a cause: the future of activism or slacktivism? Maesy Angelina argues that the debate is premature given the obscured understanding on youth digital activism and contends that an effort to
understand this from the contextualized perspectives of the digital natives themselves is a crucial first step to make. This is the first out of a series of posts on her journey to explore new insights to understand youth digital activism through a research with The Blank Noise Project under the Hivos-CIS Digital Natives Knowledge Programme.
http://bit.ly/b1GS7F

Accessibility

Access to Knowledge: Barriers and Solutions for Persons with Disabilities in India
Consumers International, Kuala Lumpur and Consumers Association of India in association with Madras Library Association organised a seminar on Access to Knowledge on 31st July, 2010 at the Tamil Nadu Pollution Control Auditorium in Guindy, Chennai. The Principal Secretary to the Government of Tamil Nadu Department of Information Technology was the chief guest. Former Central Vigilance Commissioner N. Vittal gave the keynote address. Prof Subbiah Arunachalam, Nirmita Narasimhan and Pranesh Prakash participated in the seminar. Nirmita and Pranesh made presentations on access to knowledge.
http://bit.ly/cJXSX8

Intellectual Property

Privacy and the Indian Copyright Act, 1857 as Amended in 2010
In this post the author examines the issue of privacy in light of the Indian Copyright Act, 1857 as amended by the Copyright Amendment Bill in 2010. Four key questions are examined in detail and the author gives
suitable recommendations for each of the questions that arise.
http://bit.ly/cJXSX8

Internet Governance

Does the Government want to enter our homes?
When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August,
2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy
and civil liberties of its citizens.
http://bit.ly/dkVHoS

UID Project in India - Some Possible Ramifications
Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.
http://bit.ly/bOyBS8

Civil Liberties and the amended Information Technology Act, 2000
This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.
http://bit.ly/croc9T

Feedback to the NIA Bill
Malavika Jayaram and Elonnai Hickok introduce the formal submission of CIS to the proposed National Identification Authority of India (NIA) Bill, 2010, which would give every resident a unique identity. The submissions contain the detailed comments on the draft bill and the high level summary of concerns with the NIA Bill submitted to the UIDAI on 13 July, 2010.
http://bit.ly/bhinUB

Openness

Open Access to Science and Scholarship - Why and What Should We Do? The National Institute of Advanced Studies held the eighth NIAS-DST training programme on “Multidisciplinary Perspectives on Science, Technology and Society” from 26 July to 7 August, 2010. The theme of the project was ‘Knowledge Management’. Dr. MG Narasimhan and Dr. Sharada Srinivasan were the coordinators for the event. Professor Subbiah Arunachalam made a presentation on Open Access to Science and Scholarship.
http://bit.ly/ciohYy

Civic Hacking Workshop
CIS, with the UK Government's Foreign Office and the Cabinet Office Team for Digital Engagement, and Google India, is organizing a workshop on open data (or the lack thereof) and 'civic hacking'.
http://bit.ly/c3TF2t

Telecom

'Containing Inflation' - A myth
We need problem-solving, not confused rhetoric or misguided action, says Shyam Ponappa. The article was published in Business Standard on 7 August, 2008.
http://bit.ly/9frC8q

For more details visit https://cis-india.org/about/newsletters/august-2010-bulletin

Information is Beautiful hacks in India with David Cameron

praskrishna — 2011-04-02T10:22:51Z

The Prime Minister took some of the UK's top hackers and data experts with him to India this week. David McCandless was with them.

This week, I was lucky enough to accompany UK Prime Minister's delegation to India.

I was part of a small contingent of politically active programmers and civic-minded dataheads out to explore links between tech, transparency and community-based democracy in India. The raw stuff of David Cameron's 'Big Society' initiative.

(To the businessmen, journos and politicos in the delegation, we were known simply as "The Hackers" - an image we played up by sometimes rebelliously removing our ties)

The key event of the trip was a hackday hosted by Google India in the southern central city of Bangalore.

I have to confess a slight colonial attitude going into the meet. Thinking of the UK as a great hacking nation and leading data port, I was expecting to be helping the collected Indian IT professionals and activists improve their skills and give them fresh ideas on how to bootstrap their democracy.

However, our Indian counterparts very quickly astonished us with brilliant and powerful data projects and grass roots hacks using simple tools and technologies to solve everyday civic issues. Some of which I wanted to exhibit here.

Bus Map Hack

Information designer Arun Ganesh was frustrated by the bus maps in his native Chennai.

Chennai's bus map goes from this…

The official map was incomplete and incomprehensible - and had been 'under construction' for six years.

Passionate about maps and geo-mapping, Arun took it upon himself to design a new map to help the enormous number of people (Chennai has a population of over 4 million) who used the buses every day. Unfortunately, he faced a major challenge: over 5,000 separate buses & bus routes.

… to this

So he turned to crowd-sourcing on the web to gather data on all the routes. Local travellers poured timetables and bus details into his app. And in just 3 days he had compiled enough data to create a fresh map with a clean comprehensible design. And an accompanying interactive app BusRoutes.in for painless route planning.

Then he went further. Using the data - and a fair walking distance of 500 metres - he visualised the areas covered by all the bus routes. The resulting heatmap instantly and cleverly reveals which areas of the city are poorly served by the bus network.

Karnataka Learning Partnership

Education is a big issue in India, where close to 35% of the population are illiterate. The Karnataka Learning Partnership works to improve government schools in Karnataka region by running literacy, maths and library-use programs across the southern Indian state.

Karnataka schools monitored

Mashing Googlemaps and their detailed data through a web interface, the Akshara Foundation provides a dynamic monitoring and look up service for the quality of schools in each area. It's not unlike the recently launched SchooloScope here in the UK.

(Please note: the site is in beta and not live yet. You can see their work at blog.klp.org.in.)

National Election Watch

Using information liberated by the 2006 Right to Information Act in India, Nationalelectionwatch.org tracks the backgrounds of every single politician in India. An incredible feat given the enormity and intricacies of Indian democracy.

Over 1200 NGOs work to collect data from affidavits filed by the candidates on their financial, criminal and educational background. The myneta.info website acts as an instant power check on a system unfortunately tainted by widespread corruption and bribery.

The crime-o-meter

Pages on particularly criminal MPs feature a 'crime dial' visualisation to get the message across.

Missed Calls

Despite a thriving tech-sector, India still has relatively low internet uptake. Just 0.05% of the 1.2 billion population are active internet users. Compared to around 40% in the UK and 29% in China.

But nearly half the population own mobile phones. So SMS and missed calls have become a dominant form of free information exchange, especially when ingeniously hacked together.

In a typical hacked service, information providers set up phone numbers. Information seekers phone the number and then immediately hang up, registering a 'missed call'. The information provider then sends them an SMS with the info they might be seeking. Carpenter jobs or internet cafes in the locality, for example.

Ironically, lax privacy protection - by our standards - in the country actually improves this service. While banned here, triangulation of mobile signals to determine the location of a call is freely permitted in India. So services are able to text back localised information. All for free.

Hacktastic!

Thanks to Harry Metcalfe at TellThemWhatYouThink.Org, Tim Green from DemocracyClub.org.uk, Edmund von der Burg at YourNextMp.com, and Pranesh Prakash at the Centre for Internet and Society for their help and input.

Read the original in the Guardian

For more details visit https://cis-india.org/news/information-beautiful

July 2010 Bulletin

praskrishna — 2012-08-10T09:41:01Z

Greetings from the Centre for Internet & Society. We bring you updates of our research, news and media coverage, information on our events and other updates for the month of July 2010.

News Updates

Call for Case Studies on ICT
CIS invites organisations to participate in a study focusing on best practices in the use of ICTs in education for persons with disabilities.
http://bit.ly/d03jS0

Networking? Not working
Concerns about privacy, wastage of time and trivialized communication are some reasons ‘refuseniks’ are going off sites such as Facebook and MySpace, writes Shreya Ray in Livemint.
http://bit.ly/dpdKhX

Digital them about yourself?
If you’re on Facebook or have a blog, you could be a digital native, says Akhila Seetharaman.
http://bit.ly/ahA6Ts

Next CPOV Conference in Leipzig
Two CPOV conferences have been held so far. The first one in Bangalore and the second one in Amsterdam, the third is to be held in Leipzig.
http://bit.ly/cLN8XE

CIS featured in the Report on Research and Funding Landscape within the Arts and Humanities in India
Centre for Internet and Society has been listed as an area of excellence and innovative research in this report.
http://bit.ly/9GJsJ7

UID Act may be released for debate, may be introduced in monsoon session
An article by Karen Leigh & Surabhi Agarwal in livemint on June 30, 2010.
http://bit.ly/9Hq5dg

A New Age in News
Citizen journalism and online piracy were key topics during the opening day of the Mekong Information and Communication Technology conference. The 2010 Mekong ICT conference in Chang Mai, Thailand, has brought together an experienced crowd of experts from all over the globe. They have gathered to discuss the status, trends and the current situation of the ICT world.
http://bit.ly/bdGzbQ

Activists welcome privacy Bill, but point out concerns
Experts have welcomed the government's move to bring in a law for protecting individual privacy, amid concerns about the potential misuse of personal data it is collecting to execute social welfare and security schemes.
http://bit.ly/bnddaJ

Upcoming Events

Locating Gender Politics in the New Techno-Industrial Complex: A Lecture by Dr. Lisa McLaughlin
The Centre for the Study of Culture and Society (CSCS), IT for Change and the Centre for Internet and Society (CIS) are hosting a lecture by Dr. Lisa McLaughlin, Associate Professor in Media Studies and Women's Studies, Miami University, Ohio, USA at CIS, Bangalore on 23 July, 2010.
http://bit.ly/9zy2Fa

Promoting Education through ICT
ICT workshop in New Delhi from 27th to 29th October, 2010...Registrations to begin soon!
http://bit.ly/9flyEK

Research

The Attention Economy - A Brief Introduction
This post examines attention economy as a brief prelude to a paper and monograph to be published on it. It examines the current theses on attention economy and a few approaches to reading attention economy in gaming besides foregrounding the attention economy and its functions and influence in MMORPGs.
http://bit.ly/OP7QFl

The Making of an Asian City
Nishant Shah attended the conference on 'Pluralism in Asia: Asserting Transnational Identities, Politics, and Perspectives' organised by the Asia Scholarship Foundation, in Bangkok, where he presented the final paper based on his work in Shanghai. The paper, titled 'The Making of an Asian City', consolidates the different case studies and stories collected in this blog, in order to make a larger analyses about questions of cultural production, political interventions and the invisible processes that are a part of the IT Cities.
http://bit.ly/MXxyXP

Internet, Society and Space in Indian City: First Report
This is the first report on the progress of the research on Internet, Society and Space in Indian City. The post is a collection of some of the initial focus of these studies. I have started simultaneously exploring and testing various arguments and have listed some key observations from the ones that are nearing completion.
http://bit.ly/Ndmday

Digital Natives Workshop in Taipei: Only a Few Seats Left!!!
The Centre for Internet and Society in collaboration with the Frontier Foundation is holding a three day Digital Natives workshop in Taipei from 16 to 18 August, 2010. The three day workshop will serve as an ideal platform for the young users of technology to share their knowledge and experience of the digital and Internet world and help them learn from each other’s individual experiences.
http://bit.ly/P4mCKv

Accessibility

NMEICT Funds Book Conversion Project for the Print Disabled
IIT, Kharagpur, Daisy Forum of India, Inclusive Planet and the Centre for Internet and Society have joined hands to undertake a project for the print disabled. The National Mission on Education through Information and Communication Technology (NMEICT) is funding this project.
http://bit.ly/bWHi00

Right to Read: Campaign Updates
A nationwide campaign on Right to Read was co-organised by CIS along with the Daisy Forum of India and Inclusive planet to highlight the lack of content in accessible formats and accelerate change in the provisions of the Indian Copyright Act, 1957, which presently does not permit the conversion of books in accessible formats for the benefits the blind, visually impaired and other reading disabled persons. The campaign is affiliated with the global R2R campaign started by the World Blind Union in April 2008.
http://bit.ly/akoaSj

Intellectual Property

Analysis of the Copyright (Amendment) Bill, 2010
CIS analyses the Copyright (Amendment) Bill, 2010, from a public interest perspective to sift the good from the bad, and importantly to point out what crucial amendments should be considered but have not been so far.
http://bit.ly/KLBQDx

A Guide to Key IPR Provisions of the Proposed India-European Union Free Trade Agreement
The Centre for Internet and Society presents a guide for policymakers and other stakeholders to the latest draft of the India-European Union Free Trade Agreement, which likely will be concluded by the end of the year and may hold serious ramifications for Indian businesses and consumers.
http://bit.ly/Rw7whN

Openness

Open Access to International Agricultural Research
Open access advocates have urged the top management of the Consultative Group on International Agricultural Research to give open access to its research publications. A report by Subbiah Arunachalam on 3 June, 2010 was also circulated to all the signatories of the letter.
http://bit.ly/cspMYY

Telecom

Catching up on broadband
The govt can invest some of the Rs 1,00,000 crore from the spectrum auctions to help India catch up on broadband, says Shyam Ponappa in his latest article published in the Business Standard on July 1, 2010.
http://bit.ly/ag67TU

For more details visit https://cis-india.org/about/newsletters/july-2010-bulletin

Internet Governance and Human Rights: Strategies and Collaborations for Empowerment

praskrishna — 2011-04-05T03:59:50Z

Leading up to the 2010 IGF, The Association for Progressive Communications (APC), Global Partners, the Centre for Internet and Society (CIS), IT for Change, and the Dynamic Coalition on Internet Rights and Principles are hosting, on 13 September 2010 in Vilnius, an event on 'Internet Governance and Human Rights: Strategies and Collaborations for Empowerment'.

Internet governance has significant impact on human rights. This is reflected by the inclusion of human rights considerations in the Geneva Declaration of Principles and the Tunis Agenda, which gave the IGF its mandate. However, human rights discussions have not featured prominently at the IGF. What discussions there have been tended to focus on civil and political rights without also sufficiently considering how the internet relates to cultural, social and economic rights. The indivisibility of rights has not received the attention it requires.

The Internet governance and human rights communities work in different spaces and rarely have the opportunity to interact. The presence of the UN Special Rapporteur on Freedom of Expression, Frank la Rue at the 2009 IGF and again at the 2010 IGF shows that this is beginning to change. The 2010 IGF presents a valuable opportunity to place human rights more firmly on the Internet governance map and to identify opportunities for collaboration with mainstream human rights communities.

With an increasing emphasis on the development agenda in the IGF it is also a good opportunity to look at the links between human rights, development and the Internet.

Join the conversation with human rights, Internet governance and development activists as we review pressing IG issues such as access, diversity, equality, freedom, openness and development with a view to strengthening the human rights agenda at the IGF.

More concretely, we hope to:

continue building effective collaborations promoting human rights in Internet governance, and,
identify appropriate spaces for intervention in the 2010 IGF.

Agenda:

Moderator: Chad Lubelsky. Global Networking, Policy & Advocacy Coordinator,

Association for Progressive Communications (APC)

14:00 Introduction: Background and rationale of the session, aims and objectives. Anriette Esterhuysen (APC)

Keynote speaker : Frank La Rue, UN Special Rapporteur on the Right to Freedom of Opinion and Expression.

Keynote speaker: Arvind Ganesan, Director or Business and Human Rights Program, Human Rights Watch.

14:45 Questions

15:00 Open discussion session on 'Human rights and internet policy: the interconnectedness of economic, social, cultural, civil and political rights'. Moderated by Lisa Horner (Global Partners) and Anja Kovacs (the Centre for Internet and Society).

15:40 Coffee/tea break

16:00 Breakout group discussions

16:40 Report Backs

17:00 Plenary discussion on the way forward (Anriette Esterhuysen, APC and Parminder Jeet Singh, IT for Change)

17:20 Closing remarks

For more details visit https://cis-india.org/events/internet-governance-human-rights

Freedom of Expression or Access to Knowledge: Are We Taking the Necessary Steps Towards an Open and Inclusive Internet?

praskrishna — 2011-04-05T03:59:34Z

The Centre for Internet and Society is co-organising a workshop on Freedom of Expression or Access to Knowledge: Are We Taking the Necessary Steps Towards an Open and Inclusive Internet? at the Internet Governance Forum on

Although cyber-utopian visions have long been discredited, the promise that the Internet contains as a tool to work towards democratisation and greater social justice has not yet lost its attraction. This workshop will consider what kind of Internet architecture is needed, what kind of 'openness' and Internet 'freedom' is required to ensure that such visions can actually translate into reality. While the importance of freedom of expression has been fairly widely acknowledged, a concerted approach to many more Internet governance issue is urgently required if those who are at the forefront of struggles for social justice online are to continue to do their important work. The interplay between access to knowledge (including access to information and access to culture) on the one hand and human rights on the other, too, for example, requires our urgent attention.

The aim of this workshop will be, then, to come to a more in-depth and more rounded understanding of what issues impact the democratising potential of the Internet and how exactly they do so, so that we can also start communicating about these with greater clarity. To reach this aim, the workshop will bring together activists, researchers and other stakeholders with expertise on different regions of the world and, consequently, at times diverging opinions on what the problems and solutions with regard to Internet governance are, and will bring them in debate with each other.

The workshop will be organized in a roundtable format in order to increase the involvement of the participants. Initial remarks of the speakers will be followed by debate, and active moderation will ensure that the discussions are dynamic. The issues raised by the speakers will be grouped under several axes, including: (i) Civic empowerment online: towards a new public sphere?; (ii) governmental and private control over information and personal data; (iii) Cases of tension between copyright protection and access to knowledge online. Cases such as the adoption of laws following the three strikes model and the adoption of open data regulations will be taken into consideration.

Which of the five broad IGF Themes or the Cross-Cutting Priorities does your workshop fall under?
Security, Openness and Privacy

Have you organized an IGF workshop before? Yes
If so, please provide the link to the report:
http://www.intgovforum.org/cms/index.php/component/chronocontact/?chronoformname=Workshopsreports2009View&curr=1&wr=94

Provide the names and affiliations of the panellists you are planning to invite:
Civil Society:
Robert Guerra – Freedom House, US
Anja Kovacs – Centre for Internet and Society, India
Kevin Bankston – EFF, US

Academics:
Marília Maciel - Center for Technology and Society - Brazil
Jeremy Malcolm - Consumers International, Kuala Lumpur, Malaysia

Government:
Johan Hallenborg – Swedish Ministry for Foreign Affairs, Sweden
José Murilo Junior – Brazilian Ministry of Culture, Brazil

Business sector:
Alan Davidson – Director of Public Policy and Government Affairs for the Americas
Cornelia Kutterer, Microsoft, Belgium

Multistakeholder initiative:
Susan Morgan, Global Network Initiative

Remote moderator:
Carlos Affonso Pereira de Souza - Center for Technology and Society, Getulio Vargas Foundation, Brazil

(A moderator is still to be determined but will be chosen from among the civil society and academic speakers. All speakers have confirmed their participation)

Biographies:
There are no panelists biographies associated to this workshop at the moment.

Provide the name of the organizer(s) of the workshop and their affiliation to various stakeholder groups:
Carlos Affonso Pereira de Souza - Center for Technology and Society, Getulio Vargas Foundation – civil society
Johan Hallenborg, Swedish Ministry for Foreign Affairs - government
Anja Kovacs, Centre for Internet and Society - civil society
Jeremy Malcolm. Consumers International - civil society
Marília Maciel - Center for Technology and Society, Getulio Vargas Foundation – civil society

Organization:Centre for Internet and Society, India, and Center for Technology and Society of the Getulio Vargas Foundation, Brazil

Contact Persons: Anja Kovacs and Marília Maciel

For more details visit https://cis-india.org/events/freedom-of-expression

Does the Government want to enter our homes?

sunil — 2012-03-21T10:12:40Z

When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.

The priveleged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information.

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.

This is legalised through ISP licence agreements, which requires ISPs to provide monitoring equipment that can be used to by various law enforcement and intelligence agencies. There is no clear policy on data-retention policies.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they they retain it for posterity for market research?

In the absence of a privacy law — the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.

She would use the same key as I did to unencrypt the machine, ie, substituting the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination —just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.

How does Blackberry encrypt differently?
Other smart phone providers like IPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments are able to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example Blackberry has now ‘resolved’ security probwith Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

For more details visit https://cis-india.org/internet-governance/blog/government-enter-homes

UID Project in India - Some Possible Ramifications

Liliyan — 2012-03-21T10:13:27Z

Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.

Researchers at CIS have been grappling with the UID project from research, advocacy, and legal standpoints though all approach it from their own perspective and opinions are rarely duplicated. In an attempt to make their expert opinions more accessible to readers, a series of blog posts, this being the first, will be put up. These posts will not, and cannot because of its length and format, try to address all the possible issues the UID poses. However, they will present the bare bones of the arguments and research questions that the independent voices at CIS see as crucial. These posts will also ask many more questions than they answer, in an attempt to spur further dialogue about the UID project.

Central to understanding the nature of the UID project and its possible ramifications is the idea that technology is not merely a tool to be used by an unchanging, monolithic state. In fact, its very adoption can create ripple effects throughout the apparatus of the state. When the state adoptsa mainstream and ubiquitous technology, the structure of the government and methods of governance change. These changes are not always so dramatic as to be immediately noticeable without some informed inspection, but if one considers the way the state and the citizen interact the significance of these changes becomes starkly apparent. Can we trust the government to use touch screen voting machines like the ones we see every day at the bank? Do government surveillance cameras make us safer or introduce worrisome intrusion into our privacy, or both? Technology is not as neutral as it appears. That is not to say that it is inherently good or bad, but that it is not inert, it is transformative in nature.

The nation state as we know it is built on the printed word, or at least analogue technology. The ways in which we codify, distribute, and assimilate information have, for centuries, been dominated by the printing press. With the introduction of “database governance” there will inevitably be a shift, and a radical one at that. The Indian government has announced its intention to move towards “SMART” (simple, moral, accountable, responsive and transparent) governance, and this implies both an acceptance of the neo-liberal philosophy of government and techno-governance. To achieve a new level of transparency, accountability, and responsiveness, the move towards e-governance could be a major turning point, but how does this shift complicate and change the citizen-state relationship in India? How does this change shift the relationship of India with the rest of the international community?

The UID and Shifts in the Citizen-State Relationship

One way that the citizen-state relationship will change with the shift towards techno-governance, specifically in regard to the UID project, is that the UID posits the state as both the safe-keeper and arbiter of identity. Proponents of the UID project are adamant that it is a voluntary program, but even the UID website states that “in time, certain service providers may require a person to have a UID to deliver services”. As the UID becomes increasingly ubiquitous, could not having a number mean being cut off from some or many of the basic privileges of citizenship if one's identity is becoming more difficult to verify? If having a UID number is the most prominent marker of identity, then it is through state definition, arbitration and upon the state's technical capacity that all will rely.

Moreover, how do we begin to address the privacy issues raised by technological advances in relation to non-changing legal structures? What does it mean to capture all this identity data without introducing a new privacy legislation to protect the citizen? Without new legal accommodation, otherwise benign processes like a statistical census can become a potent tool in a shift towards a police state. As state apparatus's shift, there must be some paradigmatic shift in law to accompany these new technologies and government roles.

If the state transforms through the integration of e-governance forms, then there will inevitably be a recalibration of the relationship between the state, the market, and the citizen. Traditionally the separation of these entities creates arbitration and within a development paradigm there is dynamic, active triangulation. One way we can see this triangulation is through government intervention in markets on behalf of the citizen. There are certain spaces of consumption, for example, such as a cinema where state intervention against discrimination creates a marker for citizenship. That is, because I am able to access a cinema without discrimination, as one of my constitutional rights, this demonstrates my citizenship. However, with the introduction of public- private partnerships, or PPPs, the fact of having multiple stake-holders of political economy allows for the state to disinvest in the production and delivery of certain public services. Satisfying the needs of the citizen for services like sanitation, public education, delivery of power and clean water, maintenance of infrastructure like roads and bridges, can be handed over to corporate entities. The Indian government has enthusiastically embraced PPPs as a way to bring needed capital to the infrastructure demands that accompany their economic growth goals. However, how does this kind of task delegation affect transparency and accountability? If the state decides to stop producing or supplying a good or service, and instead turns this over to a corporation, can the mechanisms for state oversight realistically be trusted to make sure quality and accountability are not adversely affected and rectify the situation if they are? Where does the citizen come into all of this, in terms of what they stand to gain and lose?

The Definition of Citizenship and the UID

As the state and the market enters into new relationships the definition of citizenship changes. If the citizen is seen as the intended beneficiary of state programs, this new relationship between state and market begs the question “Who is subject to (or the subject of) the state?” When the corporate sphere creates micro-financing that helps farmers, they may help the people at the bottom of the economic pyramid manage their debt, but does it necessarily address the problems that created the debt in the first place? How does the market mediate the citizen-state dialogue? As the state and the market enter into new relationships there is a recalibration of the citizen-government relationship. Do market demands for an e-literate consumer put pressure on the state to create one where one did not exist before, and if so, can this not have profound implications for the definition of citizenship?

Part of the movement towards e-governance is signalled by the fact that there has been a shift away from state-sponsored literacy campaigns to e-literacy programs. Does this use of information and communications technology for development (or ITC4D) alienate significant portions of the population? Can such programs in fact widen the digital divide? With the introduction of e-governance the state asks the citizen to participate in governance by creating new avenues for civic participation, such as providing databases of information pertaining to the state that is freely accessible for analysis and manipulation by anyone with the skills to do so. But, if this makes it impossible for some portions of the citizenry to communicate effectively with the state, does this run the risk of making certain, traditional forms of citizenship redundant? How are people with low literacy and little or no access to the necessary technologies supposed to communicate with this new high-tech bureaucracy? Will those who cannot navigate the new systems be inadvertently relegated to second-class status?

This is of particular concern when thinking about the UID project. To properly manage and distribute social services, ID management in some form is crucial. However, when trying to make sure services are properly delivered to the uneducated poor the danger for digital-analogue slippage that is not in their favour increases, and accountability is not necessarily adequately addressed. For example, if I am an illiterate farmer entitled to a certain ration and the person conducting the transaction decides to defraud me, they can easily ask me to authenticate my biometrics, make it appear that they have been simply checking my identity when they have actually fooled me into authenticating the “completed” transaction and simply tell me the computer says, I've already received my share, that I'm only entitled to half of the normal amount, or some other such lie. In this scenario, how would I know this person wasn't telling me the truth? If they lie using a simple ledger, I can take the ledger itself or a copy of it to a literate friend and have them help me navigate the situation. I can seek redress and substantiate my claims more easily if I am not alienated by the technologies being used. Technologies can be empowering or dis-empowering depending on their application. How then, do we balance the demands of the market and the duties of the state against the rights of the citizen? Or rather, how do we apply technology in such a way that the demands of the market and the duties of the state mutually balance each other?

Centralization and Cost-effectiveness of the UID

While ID management is indisputably important, it does not require a centralized database. In the US there are multiple pieces of information, stored in separate databases that can be used to authenticate a transaction. No one can open a bank account with just a social security insurance number. You also need a separate form of ID, often two, that can be used to verify identity. In this way, the SSI number is a bit like a “username” and the other forms of ID, driver's license or passport, function like a corresponding “password”. With the UID project, however, the “username” (the number itself) and the “password” (the number holder's biometrics) are stored in the same place. Thereby, should the database be in some way compromised, all the information needed to verify and complete transactions would be available. If storing this information in a central database is really a good idea, then one must also accept the premise that merging all existing email servers into one monolithic server is also a good idea. Furthermore, centralization is not only more dangerous, it is totally unnecessary. Trillions of dollars worth of trade take place every year using PIN numbers issued by banks and verified without the verifying data being centralized. Having a standard for decentralized ID verification, rather than a centralized database would solve ID problems without creating a database that would be vulnerable to attack.

There are lots of examples of governments implementing costly safety measures that don't actually make anyone safer. Take for example the cameras put up all over London to monitor the movements of people. Unfortunately, something as low-tech as a hooded sweatshirt can thwart these attempts at surveillance. Moreover, if I am a criminal, I am going to make it a priority to know where the cameras are so that I can strategically avoid them. Another example is the millions of dollar the U.S. government spent on putting an armed Federal Air Marshal on every flight, post 9/11. While traditional intelligence gather has thwarted other attempted attacks since 9/11, Air Marshals have not been responsible for stopping any. Simply because the UID project is more technologically advanced does not make it more effective. It seems to greatly increase the risk of fraud that there can be so many separate biometrics machines scattered in different places to verify so many transactions. Having the machines sequestered in private businesses where they will not be constantly monitored or regulated seems to be both costly and easily subject to tampering. It seems to make more sense to have, say, one central, monitored machine per so many people that could be used to settle identity disputes when they arise rather than making the technology a part of every transaction.

Infallibility and Circumvention of the UID

The UID is not infallible and circumvention will certainly be a problem with the project. We find an analogy in the field of digital rights management. If I copy an mp3 without permission or payment, that is illegal. Digital rights management law was introduced to stop this practice, but it was circumvented. This legislation has not stopped the first crime. It has merely created a second, that of circumventing the law. The UID, in so far as it may be used to try to stop the crime of illegally siphoning resources such as, for example, grain intended to go to the poor, cannot stop people from circumventing the system. Circumventing the UID will be a crime. If doing so were truly impossible there would be no need to criminalize it. So, instead of preventing the initial crime of siphoning may not prevent the first crime, while introducing another.

There are basically two possible types of circumvention that are possible, though they might present themselves in various different forms. “Type A” or “the Mission Impossible” kind of fraud might involve fake thumb prints and contact lenses being worn by someone trying to fool the person conducting the biometric authentication. “Type B” occurs when the person operating the biometrics machine is working to defraud the system, most likely with one or many accomplices.

“Type A” involves one dishonest person, who is trying to access someone else's account or a ghost account, and there are various proposed methods to prevent against this type of fraud. To prevent against people using fake thumb prints, the biometrics machines will measure the heat of the thumb as well as the image of the thumb. With the iris scan, there will be a pulse of light to cause contraction in the iris so that a contact lens, which cannot adjust for light, can be detected. All of this will drastically raise the price of the machines in question. It is hard to imagine farmers and labourers defrauding the system with elaborate biometric defrauding devices, so these expensive machines are much more appropriate for monitoring the top of the economic pyramid, who steal in larger sums and have more sophisticated technology at their disposal.

“Type B” involves dishonesty either by the person in control of the biometric authentication, or both that person and others. This seems to be a much more likely and problematic scenario. Right now, bank accounts that are not connected to a name are regularly created so that people can cheat the tax man. Since the bank profits from these accounts, it's in the bank's interest to help people set up such accounts. Ghost ID numbers, and things like bank accounts that are connected to them, can still be produced with biometrics. How is this possible? Well, to make it possible for so many biometric authentications to happen every day, the whole set of ten finger prints won't be sent. That would be way too much data. So, instead of overwhelming the channels, only one thumb print will be sent. Even that many thumb prints would be an information overload, so each thumb print's image will be reduced to a set of 30 data points that will be compared against the original scans. So, where is there a possibility for fraud? When the scan of the finger is taken, and image is rendered. If someone wants to create a ghost ID they only have to manipulate this image, like with a Photoshop filter, and alter the data points. Once I've created a set of biometric markers that doesn't connect to anyone, I can conduct transactions for a ghost. One can easily imagine a market emerging for ghost IDs. People might start trying to pay foreign tourists for their biometric information, which could be sold to a local office. There are certain settings where biometrics works well, for example, at an airport. There, everything is under constant video surveillance. If someone were to tamper with or try to replace the machinery it would be quickly noticed by the cameras. Even if it weren't, different people would routinely be operating the same machine and this would be an added safe guard against fraud. However, at a bank, or any place where the machines used for verification are operated behind closed doors it is quite likely that the technology will be abused. This abuse could easily go unnoticed, because the draft UID bill has proposed strict accountability measures for the Authority, and has conveniently overlooked extending these to collecting and enrolling agencies.

Digital/Analogue Slippage

There is always the possibility of digital/analogue slippage or, more simply put, the computer records not reflecting what actually happened even if no fake identity was used. This happens all the time in IT buildings in the form of tailgating. Four people go out to lunch together and as they re-enter the building they're supposed to each swipe their ID card individually. It is easier and faster for one person to swipe for everyone so, despite signs discouraging this behaviour, this is a common occurrence. If you were to try to analyse the data collected after a day of such comings and goings it would be indecipherable.

I can also authenticate my biometrics, in order to authorize a transaction, without the transaction actually being complete. Let's say I'm a poor farmer entitled to a ration of 10 kilos of grain. The person who is supposed to give me the grain is not an honest person and insists that I authenticate the transaction before he or she gives me my ration. I do what I'm told but only receive 5 kilos. The computer record shows that I have gotten my full ration, so I have no grounds to contest. In this scenario, more complex technology does not necessarily mean greater accountability. Furthermore, even if I am illiterate, if there is a simple ledger that has recorded the transaction, I can physically take the ledger or a copy of it and show it to some literate person willing to help me. If the only record of the transaction is in a database that I can't access or can't understand it will be even more difficult for me to seek help. Moreover, if I don't understand the technology and the shop owner decides not to give me the grain at all they can simply say “Oh, I'm sorry, your account has been denied” or “The computer says you've already been given your ration” and I have little chance of successfully negotiating that situation. Built in to this example is the disadvantage that the illiterate and the computer illiterate face when dealing with this technology but, this is not necessarily always present in cases where digital/analogue slippage causes confusion or complication.

Commonly, things are bought by or registered to one person and used by another. For example, in a small office building, all the phone lines and computers may have been bought in the name of one person. Each office worker will not buy their own computer or equipment, but instead the computers will be bought in the name of the person who runs the organization or an administrator with financial authority. If someone in the office uses their computer to make a bomb or store child pornography, who is accountable? This is the problem when there is digital/analogue slippage. There is the digital record of events and then things as they really are, which are not always identical, and there is no accountability or safeguard against mistake. In the context of the UID, the possibility of such slippage is too high, and will work against the goal of delivering benefits to the poor instead of facilitating it.

For more details visit https://cis-india.org/internet-governance/blog/uid-in-india

Call, text, email complaint against rogue auto driver

praskrishna — 2011-04-02T10:45:39Z

Harassed by an auto driver? Helplines give you no relief? Here's the people's way to help you out. Just report your issue online, call or even SMS sitting in a noisy restaurant, and be heard.

Right from drivers with no proper identity cards, to those refusing to ply or those who attempt sexual assault enroute, you can report them all to a team of volunteers who manage a complaint book 24x7. There is also a map online, where you can pinpoint the exact place, time and even upload videos or photographs taken on the spot.

This complaint management system, recently launched by Kiirti (part of the Centre for Internet and Society) is an attempt to help tackle the cases of auto menace in the city. "It's quite like the Fix My Street initiative of the West. This is for the people and maintained by the people. What makes it different from the existing helpline mechanism in Bangalore is that there is better transparency and more options given to people on how they can file their complaint 24x7,'' explains Sudha Nair, project community manager for Kiirti in India.

All the complaints received will be scrutinised and verified by a backend support team of volunteers and then sent across to the department concerned for action. Besides, the complainant will be able to check the status of the complaint.

"Recently, in The Times of India, we read about the sad state of the official helplines provided by the transport department. There is no transparency in it nor is it available all the time, so we decided to launch this system. We are only working as a catalyst. The portal can also be effectively used by various RWAs to help check the problem in their area,'' Sudha added. Various NGOs like Janaagraha, Environment Support Group, Public Affairs Centre and Children's Movement for Civic Action have also come forward to support this initiative.

Read the original in the Times of India

For more details visit https://cis-india.org/news/complaint-against-rogue-auto-driver

Digital Activism and Online Advocacy: Experiences from the Tibetan Freedom Movement – A Talk by Shibayan Raha

praskrishna — 2011-09-23T05:46:27Z

A talk on the role of digital activism, online advocacy and use of social media in the Tibetan freedom struggle by Shibayan Raha at the Centre for Internet and Society, Bangalore on 9 August, 2010.

The Tibetan freedom movement began in the 1950’s when it started its campaign to highlight the sufferings of the Tibetan community under the Chinese regime through conventional means. Today the movement has come a long way in that it engages the Chinese Government on every possible world stage including the online world. Online advocacy and digital activism forms an integral part of this movement as is reflected from the use of advanced e-mailing servers and social media as an activism tool to mobilise people online and press international bodies to extend support for the movement.

Shibayan Raha, a young activist, will talk on the role of digital activism, online advocacy and the use of social media to further the cause of the Tibetan freedom movement.

About Shibayan Raha

Shibayan Raha is the grassroots co-coordinator for ‘Students for a Free Tibet, India’. A native of Kolkata, he did various odd jobs in his hometown before devoting himself to social work, particularly the Tibetan freedom struggle, five years ago. As a grassroots co-coordinator, he takes the Tibetan issue to the youngsters and gathers more people to join the movement. He has been imprisoned thrice, twice in Tihar jail and once in the Colaba police station. Further, he has also been involved in other areas like the Bhopal gas leak tragedy, the Burmese issue and AFSPA.

VIDEO

For more details visit https://cis-india.org/events/talk-by-shibayan-raha

Civil Liberties and the amended Information Technology Act, 2000

Malavika Jayaram — 2012-03-21T10:13:53Z

This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out the fact that when most countries of the world are adopting plain English instead of the conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method thereby, struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is although an improvement over the old Act and seeks to address and improve on certain areas in the right direction but still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one making it an abnormal document and this could have been averted if there had been some attention to detail.

After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.

Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most importantly is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.

Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.

An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and provide a workable, if temporary, data protection regime.

However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:

define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),
fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),
apply equally to data stored offline and manually as to data stored on computer systems,
distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),
impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),
give clear guidelines on the purposes for which that data can be put to and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),
require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,
ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,
cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication)
impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and
create safeguards and penalties that are well tailored to breaches of any of the above.

Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:

the term ‘sensitive personal data or information’ is used indiscriminately without any definition,
the provisions only cover electronic data and records, not data stored in non-electronic systems or media,
they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,
in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,
civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),
similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.

For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.

In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the hear and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.

While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:

Pre-censorship

Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.

These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…in any case of an emergency nature, for which no delay is acceptable…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued without giving (him) an opportunity of hearing. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, does not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause a great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.

Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.

Privacy and surveillance

This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).

Some of the broad concerns in relation to interception, monitoring and decryption in (section 69) are that:

there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,
the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,
the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,
these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.
the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…extreme secrecy…” and “…utmost care and precaution…” in the matter of interception, monitoring or decryption of information “…as it affects the privacy of citizens…”!!!!

In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.

Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:

injury to decency,
injury to morality,
injury in relation to contempt of court, and
injury in relation to defamation.

This would almost be laughable if these grounds were not enacted unto law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious case, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.

In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.

For more details visit https://cis-india.org/internet-governance/blog/information-technology-act