Centre for Internet and Society

Bangalore Chapter Meet of DSCI

sunil — 2015-09-09T01:40:56Z

The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.

After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.

Speakers

The first speaker will be Melissa Hathaway, Commissioner, Global Commission for Internet Governance. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "Connected Choices".

The second speaker will be Sunil Abraham, Executive Director, CIS (Center for internet & Society). Sunil is a renowned thought leader when it comes to internet governance, cyber space & its interface with civil society and actively contributes to DSCI and other forums. He will be presenting on "Anonymity in Cyberspace" - the SIG that he led over last 8 months along with a diverse group of members from the industry in Bangalore.

Agenda

Time	Topic
2.30 p.m. - 2.45 p.m.	Recent Developments and Updates from DSCI
2.45 p.m. - 4.00 p.m.	Srinivas P. (Anchor): DSCI Bangalore Chapter
4.00 p.m. - 5.00 p.m.	Melissa Hathaway: Connected Choices
5.00 p.m. - 5.30 p.m.	Sunil Abraham: Anonymity in Cyberspace

This will be followed by High Tea & Networking.

For participation, please send your email confirmation to Rajesh of Infosys at Rajesh_K18@infosys.com

Since seats are limited, the participation will be restricted to first 50 confirmations. We had to organize it on a Saturday, due to Melissa’s availability – I’m sure many of you who know about her as expert security speaker, will not see weekend as a constraint to attend. Look forward to meeting you at CIS.

For more details visit https://cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015

Anonymity in Cyberspace

sunil — 2015-09-09T01:31:03Z

While security threats require one to be identified in the Cyberspace, on the other hand, the need for privacy and freedom of speech without being targeted, calls for providing means for anonymous browsing and ability to express without being identified. Where do we draw the line , and how do we balance it? The group will dwell on need for anonymity in various sectors such as government, commercial, employers etc. Apart from security & privacy, the presentation will also cover social and technological perspectives.

For more details visit https://cis-india.org/internet-governance/blog/anonymity-in-cyberspace

Security: Privacy, Transparency and Technology

sunil — 2015-09-15T10:53:52Z

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2.

Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.

Security and Privacy

Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." [1] Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." [2] Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology [3] should be seen as an increasingly key ingredient to the solution of that optimisation problem.

Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:

Data Retention: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.
Privacy-Protective Surveillance: Ann Cavoukian and Khaled El Emam [4] have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.
Fishing Expedition Design: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard [5] that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacypolicies/regulation. Authorised agencies would then hone in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.

An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.

If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.

Security and Transparency

There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.

Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.

The recent detection of the Heartbleed [6] security bug in Open SSL, [7] causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. [8]

At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.

In order words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.

Security and Technology

A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.

This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.

More Technology

Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.

Latest Technology

Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations makes it clear that some older technologies are harder to compromise in comparison to modern technology. [9] Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.

Complex Technology

Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." [10] This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.

In the following section of the paper we have identified five threat scenarios [11] relevant to India and identified solutions based on our theoretical framing above.

Threat Scenarios and Possible Solutions

Hacking the NIC Certifying Authority
One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). [12] In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. [13] Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. India’s Controller of Certifying Authority’s certificates issued are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. [14] In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. [15] Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." [16] The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. [17] The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date [18] and is no longer issuing digital certificates for the time being. [19]Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. [20] Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. [21]

‘Logic Bomb’ against Airports
Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. [22] In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. [23] Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.

Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and investigate into probable vulnerabilities.

Attack on Critical Infrastructure
The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. [24] The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. [25]

The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered [26] and connected to one or more Siemens programmable logic controllers. [27] The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. [28] The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.

Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.

Micro Level: Chip Attacks
Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. [29]

Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities [30] and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. [31]

Macro Level: Telecom and Network Switches

The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. [32] Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. [33]

Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. [34] Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. [35]

Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.

A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals personal information at risk.

While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, [36] the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.

Conclusion

Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.

[1]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.

[2]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.

[3]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.

[4]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information & Privacy Commisioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.

[5]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy”(presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.

[6]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.

[7]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.

[8]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.

[9]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.

[10]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.

[11]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.

[12]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.

[13]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.

[14]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.

[15]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&context=jss.

[16]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.

[17]. Ibid.

[18]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.

[19]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.

[20]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.

[21]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.

[22]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.

[23]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.

[24]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.

[25]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.

[26]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.

[27]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.

[28]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.

[29]. Ibid.

[30]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.

[31]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.

[32]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.

[33]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.

[34]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.

[35]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.

[36]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.

For more details visit https://cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology

The generation of e-Emergency

sunil — 2015-06-29T16:40:54Z

The next generation of censorship technology is expected to be ‘real-time content manipulation’ through ISPs and Internet companies.

The article was published in Livemint on June 22, 2015.

Censorship during the Emergency in the 1970s was done by clamping down on the media by intimidating editors and journalists, and installing a human censor at every news agency with a red pencil. In the age of both multicast and broadcast media, thought and speech control is more expensive and complicated but still possible to do. What governments across the world have realized is that traditional web censorship methods such as filtering and blocking are not effective because of circumvention technologies and the Streisand effect (a phenomenon in which an attempt to hide or censor information proves to be counter-productive). New methods to manipulate the networked public sphere have evolved accordingly. India, despite claims to the contrary, still does not have the budget and technological wherewithal to successfully pull off some of the censorship and surveillance techniques described below, but thanks to Moore’s law and to the global lack of export controls on such technologies, this might change in the future.

First, mass technological-enabled surveillance resulting in self-censorship and self-policing. The coordinated monitoring of Occupy protests in the US by the Department of Homeland Security, the Federal Bureau of Investigation (FBI) counter-terrorism units, police departments and the private sector showcased the bleeding edge of surveillance technologies. Stingrays or IMSI catchers are fake mobile towers that were used to monitor calls, Internet traffic and SMSes. Footage from helicopters, drones, high-res on-ground cameras and the existing CCTV network was matched with images available on social media using facial recognition technology. This intelligence was combined with data from the global-scale Internet surveillance that we know about thanks to the National Security Agency (NSA) whistle-blower Edward Snowden, and what is dubbed “open source intelligence” gleaned by monitoring public social media activity; and then used by police during visits to intimidate activists and scare them off the protests.

Second, mass technological gaming—again, according to documents released by Snowden, the British spy agency, GCHQ (Government Communications Headquarters), has developed tools to seed false information online, cast fake votes in web polls, inflate visitor counts on sites, automatically discover content on video-hosting platform and send takedown notices, permanently disable accounts on computers, find private photographs on Facebook, monitor Skype activity in real time and harvest Skype contacts, prevent access to certain websites by using peer-to-peer based distributed denial of service attacks, spoof any email address and amplify propaganda on social media. According to The Intercept, a secret unit of GCHQ called the Joint Threat Research Intelligence Group (JTRIG) combined technology with psychology and other social sciences to “not only understand, but shape and control how online activism and discourse unfolds”. The JTRIG used fake victim blog posts, false flag operations and honey traps to discredit and manipulate activists.

Third, mass human manipulation. The exact size of the Kremlin troll army is unknown. But in an interview with Radio Liberty, St. Petersburg blogger Marat Burkhard (who spent two months working for Internet Research Agency) said, “there are about 40 rooms with about 20 people sitting in each, and each person has their assignments.” The room he worked in had each employee produce 135 comments on social media in every 12-hour shift for a monthly remuneration of 45,000 rubles. According to Burkhard, in order to bring a “feeling of authenticity”, his department was divided into teams of three—one of them would be a villain troll who would represent the voice of dissent, the other two would be the picture troll and the link troll. The picture troll would use images to counter the villain troll’s point of view by appealing to emotion while the link troll would use arguments and references to appeal to reason. In a day, the “troika” would cover 35 forums.

The next generation of censorship technology is expected to be “real-time content manipulation” through ISPs and Internet companies. We have already seen word filters where blacklisted words or phrases are automatically expunged. Last week, Bengaluru-based activist Thejesh GN detected that Airtel was injecting javascript into every web page that you download using a 3G connection. Airtel claims that it is injecting code developed by the Israeli firm Flash Networks to monitor data usage but the very same method can be used to make subtle personalized changes to web content. In China, according to a paper by Tao Zhu et al titled The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions, “Weibo also sometimes makes it appear to a user that their post was successfully posted, but other users are not able to see the post. The poster receives no warning message in this case.”

More than two decades ago, John Gilmore, of Electronic Frontier Foundation, famously said, “the Net interprets censorship as damage and routes around it.” That was when the topology of the Internet was highly decentralized and there were hundreds of ISPs that competed with each other to provide access. Given the information diet of the average netizen today, the Internet is, for all practical purposes, highly centralized and therefore governments find it easier and easier to control.

For more details visit https://cis-india.org/internet-governance/blog/livemint-june-22-2015-sunil-abraham-the-generation-of-e-emergency

Shreya Singhal and 66A

sunil — 2015-04-19T08:09:42Z

Most software code has dependencies. Simple and reproducible methods exist for mapping and understanding the impact of these dependencies. Legal code also has dependencies --across court orders and within a single court order. And since court orders are not produced using a structured mark-up language, experts are required to understand the precedential value of a court order.

The article was published in the Economic and Political Weekly Vol-L No.15. Vidushi Marda, programme officer at the Centre for Internet and Society, was responsible for all the research that went into this article. PDF version here.

As a non–lawyer and engineer, I cannot authoritatively comment on the Supreme Court’s order in Shreya Singhal vs Union of India (2015) on sections of the Information Technology Act of 2000, so I have tried to summarise a variety of views of experts in this article. The Shreya Singhal order is said to be unprecedented at least for the last four decades and also precedent setting as its lucidity, some believe, will cause a ripple effect in opposition to a restrictive understanding of freedom of speech and expression, and an expansiveness around reasonable restrictions. Let us examine each of the three sections that the bench dealt with.

The Section in Question

Section 66A of the IT Act was introduced in a hastily-passed amendment. Unfortunately, the language used in this section was a pastiche of outdated foreign laws such as the UK Communications Act of 2003, Malicious Communications Act of 1988 and the US Telecommunications Act, 1996.¹ Since the amendment, this section has been misused to make public examples out of innocent, yet uncomfortable speech, in order to socially engineer all Indian netizens into self-censorship.²

Summary: The Court struck down Section 66A of the IT Act in its entirety holding that it was not saved by Article 19(2) of the Constitution on account of the expressions used in the section, such as "annoying," "grossly offensive," "menacing,", "causing annoyance." The Court justified this by going through the reasonable restrictions that it considered relevant to the arguments and testing them against S66A. Apart from not falling within any of the categories for which speech may be restricted, S66A was struck down on the grounds of vagueness, over-breadth and chilling effect. The Court considered whether some parts of the section could be saved, and then concluded that no part of S66A was severable and declared the entire section unconstitutional. When it comes to regulating speech in the interest of public order, the Court distinguished between discussion, advocacy and incitement. It considered the first two to fall under the freedom of speech and expression granted under Article 19(1)(a), and held that it was only incitement that attracted Article 19(2).

Between Speech and Harm

Gautam Bhatia, a constitutional law expert, has an optimistic reading of the judgment that will have value for precipitating the ripple effect. According to him, there were two incompatible strands of jurisprudence which have been harmonised by collapsing tendency into imminence.³ The first strand, exemplified by Ramjilal Modi vs State of UP⁴ and Kedar Nath Singh vs State of Bihar,⁵ imported an older and weaker American standard, that is, the tendency test, between the speech and public order consequences. The second strand exemplified byRam Manohar Lohia vs State of UP,⁶ S Rangarajan vs P Jagjivan Ram,⁷ andArup Bhuyan vs Union of India,⁸ all require greater proximity between the speech and the disorder anticipated. In Shreya Singhal, the Supreme Court held that at the stage of incitement, the reasonable restrictions will step in to curb speech that has a tendency to cause disorder. Other experts are of the opinion that Justice Nariman was doing no such thing, and was only sequentially applying all the tests for free speech that have been developed within both these strands of precedent. In legal activist Lawrence Liang's analysis, "Ramjilal Modi was decided by a seven judge bench and Kedarnath by a constitutional bench. As is often the case in India, when subsequent benches of a lower strength want to distinguish themselves from older precedent but are unable to overrule them, they overcome this constraint through a doctrinal development by stealth. This is achieved by creative interpretations that chip away at archaic doctrinal standards without explicitly discarding them."⁹

Compatibility with US Jurisprudence

United States (US) jurisprudence has been imported by the Indian Supreme Court in an inconsistent manner. Some judgments hold that the American first amendment harbours no exception and hence is incompatible with Indian jurisprudence, while other judgments have used American precedent when convenient. Indian courts have on occasion imported an additional restriction beyond the eight available in 19(2)-the ground of public interest, best exemplified by the cases of K A Abbas¹⁰ and Ranjit Udeshi.¹¹ The bench in its judgment-which has been characterised by Pranesh Prakash as a masterclass in free speech jurisprudence¹²-clarifies that while the American first amendment jurisprudence is applicable in India, the only area where a difference is made is in the "sub serving of general public interest" made under the US law. This eloquent judgment will hopefully instruct judges in the future on how they should import precedent from American free speech jurisprudence.

Article 14 Challenge

The Article 14 challenge brought forward by the petitioners contended that Section 66A violated their fundamental right to equality because it differentiated between offline and online speech in terms of the length of maximum sentence, and was hence unconstitutional. The Court held that an intelligible differentia, indeed, did exist. It found so on two grounds. First, the internet offered people a medium through which they can express views at negligible or no cost. Second, the Court likened the rate of dissemination of information on the internet to the speed of lightning and could potentially reach millions of people all over the world. Before Shreya Singhal, the Supreme Court had already accepted medium-specific regulation. For example in K A Abbas, the Court made a distinction between films and other media, stating that the impact of films on an average illiterate Indian viewer was more profound than other forms of communication. The pessimistic reading of Shreya Singhal is that Parliament can enact medium-specific law as long as there is an intelligible differentia which could even be a technical difference-speed of transmission. However, the optimistic interpretation is that medium-specific law can only be enacted if there are medium-specific harms, e g, phishing, which has no offline equivalent. If the executive adopts the pessimistic reading, then draconian sections like 66A will find their way back into the IT Act. Instead, if they choose the optimistic reading, they will introduce bills that fill the regulatory vacuum that has been created by the striking down of S66A, that is, spam and cyberbullying.

Section 79

Section 79 was partially read down. This section, again introduced during the 2008 amendment, was supposed to give legal immunity to intermediaries for third party content by giving a quick redressal for those affected by providing a mechanism for takedown notices in the Intermediaries Guidelines Rules notified in April 2011. But the section and rules had enabled unchecked invisible censorship¹³ in India and has had a demonstrated chilling effect on speech¹⁴ because of the following reasons:

One, there are additional unconstitutional restrictions on speech and expression. Rule 3(2) required a standard "rules and regulation, terms and condition or user agreement" that would have to be incorporated by all intermediaries. Under these rules, users are prohibited from hosting, displaying, uploading, modifying, publishing, transmitting, updating or sharing any information that falls into different content categories, a majority of which are restrictions on speech which are completely out of the scope of Article 19(2). For example, there is an overly broad category which contains information that harms minors in any way. Information that "belongs to another person and to which the user does not have any right to" could be personal information or could be intellectual property. A much better intermediary liability provision was introduced into the Copyright Act with the 2013 amendment. Under the Copyright Act, content could be reinstated if the takedown notice was not followed up with a court order within 21 days.¹⁵ A counter-proposal drafted by the Centre for Internet and Society for "Intermediary Due Diligence and Information Removal," has a further requirement for reinstatement that is not seen in the Copyright Act.¹⁶

Two, a state-mandated private censorship regime is created. You could ban speech online without approaching the court or the government. Risk-aversive private intermediaries who do not have the legal resources to subjectively determine the legitimacy of a legal claim err on the side of caution and takedown content.

Three, the principles of natural justice are not observed by the rules of the new censorship regime. The creator of information is not required to be notified nor given a chance to be heard by the intermediary. There is no requirement for the intermediary to give a reasoned decision.

Four, different classes of intermediaries are all treated alike. Since the internet is not an uniform assemblage of homogeneous components, but rather a complex ecosystem of diverse entities, the different classes of intermediaries perform different functions and therefore contribute differently to the causal chain of harm to the affected person. If upstream intermediaries like registrars for domain names are treated exactly like a web-hosting service or social media service then there will be over-blocking of content.

Five, there are no safeguards to prevent abuse of takedown notices. Frivolous complaints could be used to suppress legitimate expressions without any fear of repercussions and given that it is not possible to expedite reinstatement of content, the harm to the creator of information may be irreversible if the information is perishable. Transparency requirements with sufficient amounts of detail are also necessary given that a human right was being circumscribed. There is no procedure to have the removed information reinstated by filing a counter notice or by appealing to a higher authority.

The judgment has solved half the problem by only making intermediaries lose immunity if they ignore government orders or court orders. Private takedown notices sent directly to the intermediary without accompanying government orders or courts order no longer have basis in law. The bench made note of the Additional Solicitor General's argument that user agreement requirements as in Rule 3(2) were common practice across the globe and then went ahead to read down Rule 3(4) from the perspective of private takedown notices. One way of reading this would be to say that the requirement for standardised "rules and regulation, terms and condition or user agreement" remains. The other more consistent way of reading this part of the order in conjunction with the striking down of 66A would be to say those parts of the user agreement that are in violation of Article 19(2) have also been read down.

This would have also been an excellent opportunity to raise the transparency requirements both for the State and for intermediaries: for (i) the person whose speech is being censored, (ii) the persons interested in consuming that speech, and (iii) the general public. It is completely unclear whether transparency in the case of India has reduced the state appetite for censorship. Transparency reports from Facebook, Google and Twitter claim that takedown notices from the Indian government are on the rise.¹⁷ However, on the other hand, the Department of Electronics and Information Technology (DEITY) claims that government statistics for takedowns do not match the numbers in these transparency reports.¹⁸ The best way to address this uncertainty would be to require each takedown notice and court order to be made available by the State, intermediary and also third-party monitors of free speech like the Chilling Effects Project.

Section 69A

The Court upheld S69A which deals with website blocking, and found that it was a narrowly-drawn provision with adequate safeguards, and, hence, not constitutionally infirm. In reality, unfortunately, website blocking usually by internet service providers (ISPs) is an opaque process in India. Blocking under S69A has been growing steadily over the years. In its latest response to an RTI (right to information)¹⁹ query from the Software Freedom Law Centre, DEITY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014. On 30 December 2014 alone, the centre blocked 32 websites to curb Islamic State of Iraq and Syria propaganda, among which were "pastebin" websites, code repository (Github) and generic video hosting sites (Vimeo and Daily Motion).²⁰ Analysis of leaked block lists and lists received as responses to RTI requests have revealed that the block orders are full of errors (some items do not exist, some items are not technically valid web addresses), in some cases counter speech which hopes to reverse the harm of illegal speech has also been included, web pages from mainstream media houses have also been blocked and some URLs are base URLs which would result in thousands of pages getting blocked when only a few pages might contain allegedly illegal content.²¹

Pre-decisional Hearing

The central problem with the law as it stands today is that it allows for the originator of information to be isolated from the process of censorship. The Website Blocking Rules provide that all "reasonable efforts" must be made to identify the originator or the intermediary who hosted the content. However, Gautam Bhatia offers an optimistic reading of the judgment, he claims that the Court has read into this "or" and made it an "and"-thus requiring that the originator must also be notified of blocks when he or she can be identified.²²

Transparency

Usually, the reasons for blocking a website are unknown both to the originator of material as well as those trying to access the blocked URL. The general public also get no information about the nature and scale of censorship unlike offline censorship where the court orders banning books and movies are usually part of public discourse. In spite of the Court choosing to leave Section 69A intact, it stressed the importance of a written order for blocking, so that a writ may be filed before a high court under Article 226 of the Constitution. While citing this as an existing safeguard, the Court seems to have been under the impression that either the intermediary or the originator is normally informed, but according to Apar Gupta, a lawyer for the People's Union for Civil Liberties, "While the rules indicate that a hearing is given to the originator of the content, this safeguard is not evidenced in practice. Not even a single instance exists on record for such a hearing."²³ Even worse, block orders have been unevenly implemented by ISPs with variations across telecom circles, connectivity technologies, making it impossible for anyone to independently monitor and reach a conclusion whether an internet resource is inaccessible as a result of a S69A block order or due to a network anomaly.

Rule 16 under S69A requires confidentiality with respect to blocking requests and complaints, and actions taken in that regard. The Court notes that this was argued to be unconstitutional, but does not state their opinion on this question. Gautam Bhatia holds the opinion that this, by implication, requires that requests cannot be confidential. Chinmayi Arun, from the Centre for Communication Governance at National Law University Delhi, one of the academics supporting the petitioners, holds the opinion that it is optimism carried too far to claim that the Court noted the challenge to Rule 16 but just forgot about it in a lack of attention to detail that is belied by the rest of the judgment.

Free speech researchers and advocates have thus far used the RTI Act to understand the censorship under S69A. The Centre for Internet and Society has filed a number of RTI queries about websites blocked under S69A and has never been denied information on grounds of Rule 16.²⁴ However, there has been an uneven treatment of RTI queries by DEITY in this respect, with the Software Freedom Law Centre²⁵ being denied blocking orders on the basis of Rule 16. The Court could have protected free speech and expression by reading down Rule 16 except for a really narrow set of exceptions wherein only aggregate information would be made available to affected parties and members of the public.

Conclusions

In Shreya Singhal, the Court gave us great news: S66A has been struck down; good news: S79(3) and its rules have been read down; and bad news: S69A has been upheld. When it comes to each section, the impact of this judgment can either be read optimistically or pessimistically, and therefore we must wait for constitutional experts to weigh in on the ripple effect that this order will produce in other areas of free speech jurisprudence in India. But even as free speech activists celebrate Shreya Singhal, some are bemoaning the judgment as throwing the baby away with the bathwater, and wish to reintroduce another variant of S66A. Thus, we must remain vigilant.

Notes

1 G S Mudur (2012): "66A 'Cut and Paste Job,'" The Telegraph, 3 December, visited on 3 April, 2015, http://www.telegraphindia.com/1121 203/jsp/frontpage/story_16268138.jsp

2 Sunil Abraham (2012): "The Five Monkeys and Ice Cold Water," Centre for Internet and Society, 26 September, visited on 3 April 2015, http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-201...

3 Gautam Bhatia (2015): "The Striking Down of 66A: How Free Speech Jurisprudence in India Found Its Soul Again," Indian Constitutional Law and Philosophy, 26 March, visited on 4 April 2015, https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-sect...

4 Ramjilal Modi vs State of UP, 1957, SCR 860.

5 Kedar Nath Singh vs State of Bihar, 1962, AIR 955.

6 Ram Manohar Lohia vs State of UP, AIR, 1968 All 100.

7 S Rangarajan vs P Jagjivan Ram, 1989, SCC(2), 574.

8 Arup Bhuyan vs Union of India, (2011), 3 SCC 377.

9 Lawrence Liang, Alternative Law Forum, personal communication to author, 6 April 2015.

10 K A Abbas vs Union of India, 1971 SCR (2), 446.

11 Ranjit Udeshi vs State of Maharashtra,1965 SCR (1) 65.

12 Pranesh Prakash (2015): "Three Reasons Why 66A Verdict Is Momentous"/ Times of India/(29 March). Visited on 6 April 2015, http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Th...

13 Pranesh Prakash (2011): "Invisble Censorship: How the Government Censors Without Being Seen," The Centre for Internet and Society, 14 December, visited on 6 April 2015, http://cis-india.org/internet-governance/blog/invisible-censorship

14 Rishabh Dara (2012): "Intermediary Liability in India: Chilling Effects on Free Expression on the Internet," The Centre for Internet and Society, 27 April, visited on 6 April 2015, http://cis-india.org/internet-governance/chilling-effects-on-free-expres... .

15 Rule 75, Copyright Rules, 2013.

16 The Draft Counter Proposal is available at http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-i...

17 According to Facebook's transparency report, there were 4,599 requests in the first half of 2014, followed by 5,473 requests in the latter half. Available at https://govtrequests.facebook. com/country/India/2014-H2/ also see Google's transparency report available at http: //www.google. com/transparencyreport/removals/government/IN/?hl=en and Twitter's report, available at https:// transparency.twitter.com/country/in

18 Surabhi Agarwal (2015): "Transparency Reports of Internet Companies are Skewed: Gulashan Rai," Business Standard, 31 March, viewed on 5 April 2015, http://www.business-standard.com/article/current-affairs/transparency-re... .

19 http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reve...

20 "32 Websites Go Blank," The Hindu, 1 January 2015, viewed on 6 April 2015, http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/a...

21 Pranesh Prakash (2012): "Analysing Latest List of Blocked Sites (Communalism and Rioting Edition)," 22 August, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/analysing-blocked-sites-ri... . Also, see Part II of the same series at http://cis-india.org/internet-governance/analyzing-the-latest-list-of-bl... and analysis of blocking in February 2013, at http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-b...

22 Gautam Bhatia (2015): "The Supreme Court's IT Act Judgment, and Secret Blocking," Indian Constitutional Law and Philosophy, 25 March, viewed on 6 April 2015, https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act...

23 Apar Gupta (2015): "But What about Section 69A?," Indian Express, 27 March, viewed on 5 April 2015, http://indianexpress. com/article/opinion/ columns/but-what-about-section-69a/

24 Pranesh Prakash (2011): DIT's Response to RTI on Website Blocking, The Centre for Internet and Society, 7 April, viewed on 6 April 2015, http://cis-india.org/internet-governance/blog/rti-response-dit-blocking ). Also see http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-... and http://cis-india.org/internet-governance/resources/reply-to-rti-applicat...

25 http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-...

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a

Fear, Uncertainty and Doubt

sunil — 2015-04-17T01:44:39Z

Much confusion has resulted from the Section 66A verdict. Some people are convinced that online speech is now without any reasonable restrictions under Article 19 (2) of the Constitution. This is completely false.

There are many other provisions within the IT Act that still regulate speech online, for example the section on obscenity (Sec. 67) and also the data protection provision (Sec. 43A). Additionally there are provisions within the Indian Penal Code and other Acts that regulate speech both online and offline. For example, defamation remains a criminal offence under the IPC (Sec. 499), and disclosing information about children in a manner that lowers their reputation or infringes their privacy is also prohibited under the Protection of Children from Sexual Offences Act, 2012 (Sec. 23).

Others are afraid that the striking down of Section 66A results in a regulatory vacuum where it will be possible for bad actors to wreak havoc online because the following has been left unaddressed by the IT Act.

Criminal Intimidation: The phrase "criminal intimidation" was included in Sec. 66A(b), but the requirement was that intimidation should be carried out using "information which he knows to be false". Sec. 506 of the IPC which punishes criminal intimidation does not have this requirement and is therefore a better legal route for affected individuals, even though the maximum punishment is a year shorter than the three years possible under the IT Act.
Cyber-stalking: A new section for stalking - Sec. 345 D - was added into the IPC in 2013 which also recognised cyber stalking. The definition within Sec.345D is more precise compared to the nebulous phrasing in Sec. 66A, which read - "monitors the use by a woman of the internet, email or any other form of electronic communication, commits the offence of stalking".
Phishing: Sec. 66A (c) dealt with punishment to people who "deceive or mislead the addressee or recipient about the origin of such messages". Sec.66D, which will be the operative section after this verdict, deals with "cheating by impersonation" and forms a more effective safeguard against phishing.

Cyber-bulling of children is arguably left unaddressed. Most importantly, spam, the original intention behind 66A, now cannot be tackled using any existing provision of the law. However, the poorly drafted section made it impossible for law enforcement to crack down on spammers. A 2005 attempt by the ITU to produce model law for spam based on a comparative analysis of national laws resulted in several important best practices that were ignored during the 2008 Amendment of the Act. For example, the definition of spam must cover the following characteristics - mass, unsolicited and commercial. All of which was missing in 66A.

Good quality law must be drafted by an open, participatory process where all relevant stakeholders are consulted and responded to before bills are introduced in parliament.

A scanned copy of the article was published in the Deccan Chronicle on March 26, 2015.

For more details visit https://cis-india.org/internet-governance/blog/deccan-chronicle-march-26-2015-sunil-abraham-fear-uncertainty-doubt

Multiple Aspects Need to be Addressed as the Clamour Grows for Network Neutrality

sunil — 2015-04-16T13:33:03Z

In the global debate there are four violations of Network Neutrality that are considered particularly egregious.

The article was published in DNA on April 16, 2015.

One — blocking of destinations or services in order to force the consumer to pay extra charges for access, two — not charging or zero-rating of certain destinations and services with or without extraction of payment from the sender or destination, and three — throttling or prioritisation of traffic between competing destinations or services and four — specialised services wherein the very same Internet infrastructure is used to provide non-Internet but IP based services such as IP-TV.

The main harms of network neutrality violations are as follows: one, censorship by private parties without legal basis; two, innovation harms because the economic threshold for new entrants is raised significantly; three, competition harms as monopolies become more entrenched and then are able to abuse their dominant position; four, harms to diversity because of the nudge effect that free access to certain services and destinations has on consumers reducing the infinite plurality of the Internet to a set of menu options. The first and fourth harm could result in the Internet being reduced to a walled garden.

It is insufficient to try and address this with networking rules for engineers such as “all packets should be treated equally.” But a set of principles could be developed that can help us grow access without violating network neutrality. Wikimedia Foundation has already developed their principles which they call “Wikipedia Zero Operating Principles”. In India our principles could include the following. One, no blocking without legal basis. Two, transparency — all technical and commercial arrangements are to be disclosed to the public. Three, non-exclusivity — all arrangements should be available to all parties, no special deals for those you favour. Four, non-discrimination between equals — technologies and entities that are alike should be treated alike. Five, necessity — whilst some measure may be required occasionally when there is network congestion they should be rolled back in a time-bound fashion.

Once these principles are enforced through a network neutrality regulation, ISPs and telecom operators will be allowed to innovate with business and payment models. Steve Song, inventor of Village Telco says “My preferred take on zero-rating would be to zero-rate gprs/edge data in general so that there is a minimum basic access for all.” My colleague Pranesh Prakash says “One possibility, of many, is to create a single marketplace or exchange for zero-rating, through which one can zero-rate on all telecom networks for standard tiered rates that they publish, and terms that are known to the regulator. Banning is akin to a brahmastra in a regulator's arsenal: it should not be used lightly” Jochai Ben-Avie of Mozilla told me yesterday of experiments in Bangladesh where consumers watch an advertisement everyday in exchange for 5Mb of data. My own suggestion to address the harms caused by walled gardens would be to make them leak – mandate that unfettered access to the Internet be provided every other hour.

There is many other ways in which the Internet has been transformed in India and other countries but these are not commonly considered network neutrality violations. Here are some examples. One, blocking of port 25 — a port that is commonly used to relay email spam. Two, blocking of port 80 – so that domestic connections cannot be used to host web servers. Three, the use of private IP addresses, ISPs who are delaying migration to IPv6 infrastructure because of cost implications leverage their IPv4 address inventory by using Carrier Grade — Network Address Translators [CG-NATs]. Four, asymmetric connections where download speeds for consumers are faster than upload speeds. With the exception of the first example — all of them affect end users negatively but do not usually impact corporations and therefore have been unfortunately sidelined in the global debate.

The TRAI consultation paper reveals many of the concerns of the telecom operators that go beyond the scope of network neutrality. Many of these concerns are very legitimate. There is a scarcity of spectrum — this could partially be addressed by auctioning more spectrum, scientific management of spectrum, promotion of shared spectrum and unlicensed spectrum. Their profit margins are thinning – this could be addressed by dismantling the Universal Service Obligation Fund, it is after all as Rohan Samarajiva puts it “a tax on the poor.” Internet companies don't pay taxes – this could be addressed by the Indian government, by adopting the best practices from the OECD around preventing tax avoidance. But some of their concerns cannot be addressed because of the technological differences between telecom and Internet networks. While it is relatively easy to require telecom companies to provide personal information and allow for interception of communications, those Internet companies that use end-to-end encryption cannot divulge personal information or facilitate interception because it is technologically impossible. While the first two concerns could be addressed by TRAI, the last two should be addressed by other ministries and departments in the Indian government.

There are other concerns that are much more difficult to address without the deep understanding of latest advancements in radio communication, signal processing and congestion control techniques in packet switched networks. A telecom expert who did not wish to be identified told me that “even 2G TDM voice is 10 to 15 times more efficient when compared to VOIP. IP was developed to carry data, and is therefore not an efficient mode to carry voice as overhead requirement for packets destroys the efficiency on voice. Voice is best carried close to the physical layer where the overheads are lowest.” He claims that since “VOIP calls are spectrally inefficient they should be discouraged” through differential pricing. We need accessible scientific literature and monitoring infrastructure so that an evidence base around concerns like this can be created so as to address them effectively through regulatory interventions.

You know you have reached a policy solution when all concerned stakeholders are equally unhappy. Unfortunately, the TRAI consultation paper assumes that Internet companies operate in a regulatory vacuum and therefore places much unnecessary focus on the licensing of these companies. This is a disastrous proposal since the Internet today is the result of “permission-less innovation”. The real issue is network neutrality and one hopes that after rigorous debate informed by scientific evidence TRAI finds a way to spread unhappiness around equally.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation which has zero-rating alliances with telecom operators in many countries across the world.

For more details visit https://cis-india.org/internet-governance/blog/dna-april-16-2015-sunil-abraham-multiple-aspects-need-to-be-addressed-as-the-clamour-grows-for-network-neutrality

Big win for freedom of speech. Really?

sunil — 2015-03-29T01:20:51Z

The 66A ruling was historic, but what about the provisions regulating speech online and offline that still exist within the ITA, the IPC and other laws.

The article was published in Bangalore Mirror on March 29, 2015.

The Shreya Singhal v. Union of India ruling on the Information Technology Act 2000 (ITA) was truly a historic moment in Indian free speech jurisprudence. Few anticipated the striking down of the draconian Sec. 66A in its entirety, for introducing additional unconstitutional limits to free speech through its vague and imprecise language. The Supreme Court also read down Sec. 79(3)(b) and the intermediary liability rules — requiring a court order or a government notification to take down content and relieving intermediaries of the responsibility for determining legality of content. However, the court left the provision for website blocking, 69A, as it stood.

66A criminalised those that use a computer resource or a communication device to send one of the three classes of information listed below — some of which was redundant as they were already offences under the IPC (sections indicated in brackets below) or other sections of the ITA:

Information that was grossly offensive or menacing in character;
False information for causing annoyance, inconvenience, danger, obstruction, insult, injury [44], criminal intimidation [506], enmity, hatred [295A] or ill will.
Annoying or inconvenient message - to deal spam OR to deceive or to mislead the addressee or recipient about the origin of such messages - presumably for phishing, which incidentally is dealt with more properly in Sec. 66D of ITA.

The regulatory vacuum created by the striking down of 66A can be addressed by parliament by ITA to reintroduce a well-crafted anti-spam provision that does not infringe upon human rights.

The intermediary liability section 79 and the associated rules were introduced to encourage free speech by granting immunity to intermediaries for content created by their users, unless they failed to act on take down notices. However, this provision proved to have a chilling effect on free speech, with risk-aversive intermediaries over-complying with takedown notices as they were unable to distinguish between legal and illegal content. Shreya Singhal solves half the problem - whether intermediaries decide either to remove or retain content in response to take down notices sent by non-government entities and individuals they remain immune from liability. But government entities can continue to censor speech using takedown notices without any oversight, transparency or adherence to the principles of natural justice. The recently launched Manila Principles developed by the CIS and others gives a more complete set of best practices that could be used to fix Sec. 79 through an amendment. For example - "abusive or bad take down notices should be penalized."

Website-blocking under 69a is mostly an opaque procedure as per the letter of the law as it does not require the user to be informed [because the alternative of informing the intermediary is deemed sufficient], and given a chance to be heard, and a secrecy rule prevents all documentation related to the procedure from being disclosed to the public. There is both an optimistic and a pessimistic view on what the bench has said when it upheld this section. Constitutional law expert Gautam Bhatia is of the view that the judge has made informing the user mandatory and has also overridden the secrecy provision by requiring a written order that can be assailed through writ petitions. But a more pessimistic reading is that the bench found the section constitutional and was satisfied with the safeguards and was only reiterating the procedure in the judgment. The trouble is the opacity of the procedure is worse than the current text of the law - there is no evidence that users have ever been notified and RTI requests for documentation related to block orders have been rejected using the secrecy rule.

Does the striking down of 66A mean that speech on the internet is completely free and completely unregulated? No, several provisions that regulate speech online and offline still exist within the ITA, the IPC and other laws. Within the ITA - infringing the privacy of individuals [ 66E], transmission of obscene material [67], including sexually explicit material [Sec. 67A], and also child pornography [67B], the Cyber Cafe Rules which require intermediaries to install web filters.

In the IPC, several sections regulate speech that define closely the intent and ingredients required in a precise way, something 66A did not do. Sedition is defined in Sec. 124A, with restrictions on speech in the case of causing hatred, contempt or disaffection towards the state. Promoting enmity between different groups on grounds of religion, race, place of birth, residence, language etc is criminalised [153A], and imputations or assertions prejudicial to national integration are also prohibited [153B]. Certain restrictions on speech have also been made in terms of protecting the privacy and dignity of individuals for ex. disclosure of a victim's identity in sensitive cases [228], insulting the modesty of a woman [509]. Defamation [499] and conduct intended to cause public mischief by way of statements, rumours, reports [505] remain criminalized; and in 2013 cyber stalking [354D] has also been added.

[with inputs from Vidushi Marda] The author is the director of The Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/bangalore-mirror-march-29-2015-sunil-abraham-big-win-for-freedom-of-speech-really

Internet censorship will continue in opaque fashion

sunil — 2015-03-26T02:07:28Z

A division bench of the Supreme Court has ruled on three sections of the Information Technology Act 2000 - Section 66A, Section 79 and Section 69A. The draconian Section 66A was originally meant to tackle spam and cyber-stalking but was used by the powerful elite to crack down on online dissent and criticism.

The article by Sunil Abraham was published in the Times of India on March 25, 2015.

Section 79 was meant to give immunity to internet intermediaries for liability emerging from third-party speech, but it had a chilling effect on free speech because intermediaries erred on the side of caution when it came to deciding whether the content was legal or illegal.

And Section 69A was the web blocking or internet censorship provision, but the procedure prescribed did not adhere to the principles of natural justice and transparency. For instance, when books are banned by courts, the public is informed of such bans but when websites are banned in India, there's no clear message from the Internet Service Provider.

The Supreme Court upheld 69A, so web blocking and internet censorship in India will continue to happen in an opaque fashion which is worrying. But on 66A and 79, the landmark judgment protects the right to free speech and expression. It struck down 66A in entirety, saying the vague and imprecise language made the provision unconstitutional and it interfered with "the right of the people to know - the market place of ideas - which the internet provides to persons of all kinds". However, it only read down Section 79 saying "unlawful acts beyond what is laid down" as reasonable restrictions to the right to free speech in the Constitution "obviously cannot form any part" of the section. In short, the court has eliminated any additional restrictions for speech online even though it admitted that the internet is "intelligibly different" from traditional media and might require additional laws to be passed by the Indian Parliament."

For more details visit https://cis-india.org/internet-governance/blog/the-times-of-india-march-25-2015-sunil-abraham-internet-censorship-will-continue-in-opaque-fashion

Availability and Accessibility of Government Information in Public Domain

sunil — 2014-12-30T01:25:12Z

The information provided on most Government websites such as Acts, notifications, rules, orders, minutes of meetings and consultations, etc. is usually in the form of electronic documents. However, these lack authenticity and accessibility and cannot be (text) searched., This policy brief identifies the problem areas with the current work flow being used to publish documents and proposes suitable modifications to make them easy to locate, authentic and accessible.

Prepared by Sunil Abraham, Nirmita Narasimhan, Beliappa, and Anandhi Viswanathan and with inputs from Dipendra Manocha, Saksham, and Deepak Maheshwari, Symantec. Download the text as PDF here. (96 Kb)

Problem Statement: The information published on most government websites exist in the form of document files [including but not limited to the Acts, Rules and Regulations, Government Orders and Notifications, Consultation Papers, Reports etc.] which, even when published, more often than not lack authenticity and accessibility and cannot be (text) searched.

Analysis: The current workflow towards publishing documents on government websites is broadly as follows:

The document is born digital – that means it is created on a computer.
The document is printed.
The document is stamped with the official seal and signed in ink by the authorized person(s).
The paper document is scanned.
The scanned image is converted into a PDF file.
The document is uploaded on the website and thereby published in the public domain.

In fact, at times, even gazette notifications and other printed documents are also scanned as images.

This approach has numerous problems, including the following:

First and foremost, such a practice is against the letter and spirit of Section 4 (1) (a) of the Right to Information Act, 2005.[1] that inter alia, mandates every public authority to “maintain all its records duly catalogued and indexed in a manner and form which facilitates the right to information under this Act and ensure that all records that are appropriate to be computerised are, within a reasonable time and subject to availability of resources, computerised and connected through a network all over the country on different systems so that access to such records is facilitated”.
This does not realize the enabling provision of the Information Technology Act, 2000[2] which gives legal sanctity to digital signatures. The digital image of a physical signature is not a digital signature in the eye of the law, though at times it is mistakenly believed to be so.
This does not address the problem of repudiation. That means a government official can say “I didn't sign that document” and there is no way to tell whether what he or she is saying is true. One of the key features of digital signatures is non-repudiability.
Scanned images of printed text cannot be searched for specific text (character, word or phrase) even by people without disabilities but for people with disabilities, the documents become totally inaccessible since the accessibility software cannot parse such scanned images – against the underlying tenets and objectives of the National Universal Electronic Accessibility Policy 2013.[3]
As an extension, content of such documents cannot be indexed by search engines (such as Google, Bing and Raftaar, etc.) and hence, unlikely to be located even if technically the same are in the public domain.

Proposed Solution: The following work flow is proposed for publishing documents electronically on government websites:

The document is born digital by preparing it in or through a computer system. Documents in Indian languages should be produced using Unicode based fonts.
The government official authorized to sign the same, must sign it digitally.
The document is uploaded in an open standard based format such as EPUB using a content management system and made available on the website such that it is available, accessible, indexable and searchable.

This will ensure democratization of information in its truest sense – making available information to the public at large and ensuring that it can be easily located and remains accessible to one and all.

The process of formatting should be standardized in such a way that semantics (such as heading styles, lists and tables) can be added to the text of the document. The Web Style Guide provides information on good practices for creating well-structured documents:

Standardizing the formatting process by creating different templates for different types of documents will ensure uniform accessibility of the documents as well as provide a standard look and feel across government documents.

India became a global pioneer by making the legal provision for computerised, indexed and duly catalogued public records. It is high time that India takes the lead by living up to the legislative intent under the Right to Information Act, Information Technology Act and the National University of Educational Planning and Administration, and thereby establishes a global best practice.

Admittedly, legacy documents should also be converted electronically to accessible formats though before such a rendering, due editorial oversight may be necessary along with use of technologies such as Optical Character Recognition (OCR).

[1]. Government of India. The Right to Information Act, 2005. No. 22 of 2005. Retrieved on November 30, 2014 from http://rti.gov.in/webactrti.htm.

[2]. Government of India. The Information Technology Act, 2000. No. 21 of 2000. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/itbill2000.pdf

[3]. Government of India. National Policy on Universal Electronic Accessibility. 2013. Retrieved on November 30, 2014 from http://deity.gov.in/sites/upload_files/dit/files/National Policy on Universal Electronics(1).pdf

For more details visit https://cis-india.org/accessibility/blog/availability-and-accessibility-of-government-information-in-public-domain

Privacy vs. Transparency: An Attempt at Resolving the Dichotomy

sunil — 2015-03-08T06:26:21Z

The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).

With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to his attention. The blog post originally published by Omidyar Network can be read here. Also see http://newint.org/features/2015/01/01/privacy-transparency/

In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.

The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.

So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. Rather this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power.[*]

In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given uneven quality of case law there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.

Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little bit closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activist works where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather that focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.

Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.

In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.

The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.

Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing a digital signature based on audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.

I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.

Videos

Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights

Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector

The videos can also be watched on Vimeo:

[*].http://prospect.org/article/real-significance-wikileaks “Transparency should be proportional to the power that one has.”

Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session here. (ODP File, 35 kb)

Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.

For more details visit https://cis-india.org/openness/blog-old/privacy-v-transparency

Net Freedom Campaign Loses its Way

sunil — 2014-05-27T11:07:04Z

A recent global meet was a victory for governments and the private sector over civil society interests.

The article was published in the Hindu Businessline on May 10, 2014.

One word to describe NetMundial: Disappointing! Why? Because despite the promise, human rights on the Internet are still insufficiently protected. Snowden’s revelations starting last June threw the global Internet governance processes into crisis.

Things came to a head in October, when Brazil’s President Dilma Rousseff, horrified to learn that she was under NSA surveillance for economic reasons, called for the organisation of a global conference called NetMundial to accelerate Internet governance reform.

The NetMundial was held in São Paulo on April 23-24 this year. The result was a statement described as “the non-binding outcome of a bottom-up, open, and participatory process involving … governments, private sector, civil society, technical community, and academia from around the world.” In other words — it is international soft law with no enforcement mechanisms.

The statement emerges from “broad consensus”, meaning governments such as India, Cuba and Russia and civil society representatives expressed deep dissatisfaction at the closing plenary. Unlike an international binding law, only time will tell whether each member of the different stakeholder groups will regulate itself.

Again, not easy, because the outcome document does not specifically prescribe what each stakeholder can or cannot do — it only says what internet governance (IG) should or should not be. And finally, there’s no global consensus yet on the scope of IG. The substantive consensus was disappointing in four important ways:

Mass surveillance : Civil society was hoping that the statement would make mass surveillance illegal. After all, global violation of the right to privacy by the US was the raison d'être of the conference.

Instead, the statement legitimised “mass surveillance, interception and collection” as long as it was done in compliance with international human rights law. This was clearly the most disastrous outcome.

Access to knowledge: The conference was not supposed to expand intellectual property rights (IPR) or enforcement of these rights. After all, a multilateral forum, WIPO, was meant to address these concerns. But in the days before the conference the rights-holders lobby went into overdrive and civil society was caught unprepared.

The end result — “freedom of information and access to information” or right to information in India was qualified “with rights of authors and creators”. The right to information laws across the world, including in India, contains almost a dozen exemptions, including IPR. The only thing to be grateful for is that this limitation did not find its way into the language for freedom of expression.

Intermediary liability: The language that limits liability for intermediaries basically provides for a private censorship regime without judicial oversight, and without explicit language protecting the rights to freedom of expression and privacy. Even though the private sector chants Hillary Clinton's Internet freedom mantra — they only care for their own bottomlines.

Net neutrality: Even though there was little global consensus, some optimistic sections of civil society were hoping that domestic best practice on network neutrality in Brazil’s Internet Bill of Right — also known as Marco Civil, that was signed into law during the inaugural ceremony of NetMundial — would make it to the statement. Unfortunately, this did not happen.

For almost a decade since the debate between the multi-stakeholder and multilateral model started, the multi-stakeholder model had produced absolutely nothing outside ICANN (Internet Corporation for Assigned Names and Numbers, a non-profit body), its technical fraternity and the standard-setting bodies.

The multi-stakeholder model is governance with the participation (and consent — depending on who you ask) of those stakeholders who are governed. In contrast, in the multilateral system, participation is limited to nation-states.

Civil society divisions

The inability of multi-stakeholderism to deliver also resulted in the fragmentation of global civil society regulars at Internet Governance Forums.

But in the run-up to NetMundial more divisions began to appear. If we ignore nuances — we could divide them into three groups. One, the ‘outsiders’ who are best exemplified by Jérémie Zimmermann of the La Quadrature du Net. Jérémie ran an online campaign, organised a protest during the conference and did everything he could to prevent NetMundial from being sanctified by civil society consensus.

Two, the ‘process geeks’ — for these individuals and organisations process was more important than principles. Most of them were as deeply invested in the multi-stakeholder model as ICANN and the US government and some who have been riding the ICANN gravy train for years.

Even worse, some were suspected of being astroturfers bootstrapped by the private sector and the technical community. None of them were willing to rock the boat. For the ‘process geeks’, seeing politicians and bureaucrats queue up like civil society to speak at the mike was the crowning achievement.

Three, the ‘principles geeks’ perhaps best exemplified by the Just Net Coalition who privileged principles over process. Divisions were also beginning to sharpen within the private sector. For example, Neville Roy Singham, CEO of Thoughtworks, agreed more with civil society than he did with other members of the private sector in his interventions.

In short, the ‘outsiders’ couldn't care less about the outcome and will do everything to discredit it, the ‘process geeks’ stood in ovation when the outcome document was read at the closing plenary and the ‘principles geeks’ returned devastated.

For the multi-stakeholder model to survive it must advance democratic values, not undermine them.

This will only happen if there is greater transparency and accountability. Individuals, organisations and consortia that participate in Internet governance processes need to disclose lists of donors including those that sponsor travel to these meetings.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-business-line-may-10-2014-sunil-abraham-net-freedom-campaign-loses-its-way

Very Big Brother

sunil — 2014-04-14T11:39:09Z

The Centre for Internet and Society, the organization I work for, currently serves on a committee established by the Government of India's Department of Biotechnology, Ministry of Science and Technology in January 2013. The committee has been charged with preparing a report on the draft Human DNA Profiling Bill.

The article was originally published in GeneWatch (January - April 2014) issue.

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/blog/council-for-responsible-genetics-april-2014-sunil-abraham-very-big-brother

Who Governs the Internet? Implications for Freedom and National Security

sunil — 2014-04-05T16:23:36Z

The second half of last year has been quite momentous for Internet governance thanks to Edward Snowden. German Chancellor Angela Merkel and Brazilian President Dilma Rousseff became aware that they were targets of US surveillance for economic not security reasons. They protested loudly.

The article was published in Yojana (April 2014 Issue). Click to download the original here. (PDF, 177 Kb)

The role of the US perceived by some as the benevolent dictator or primary steward of the Internet because of history, technology, topology and commerce came under scrutiny again. The I star bodies also known as the technical community - Internet Corporation for Assigned Names and Numbers (ICANN); five Regional Internet Registries (RIRs) ie. African, American, Asia-Pacific, European and Latin American; two standard setting organisations - World Wide Web Consortium (W3C) & Internet Engineering Task Force (IETF); the Internet Architecture Board (IAB); and Internet Society (ISOC) responded by issuing the Montevideo Statement [1] on the 7th of October. The statement expressed "strong concern over the undermining of the trust and confidence of Internet users globally due to recent revelations of pervasive monitoring and surveillance." It called for "accelerating the globalization of ICANN and IANA functions..." - did this mean that the I star bodies were finally willing to end the special role that US played in Internet governance? However, that dramatic shift in position was followed with the following qualifier "...towards an environment in which all stakeholders, including all governments, participate on an equal footing." Clearly indicating that for the I star bodies multistakeholderism was non-negotiable. Two days later President Rousseff after a meeting with Fadi Chehadé, announced on Twitter that Brazil would host "an international summit of governments, industry, civil society and academia." [2] The meeting has now been dubbed Net Mundial and 188 proposals for “principles” or “roadmaps for the further evolution of the Internet governance ecosystem” have been submitted for discussion in São Paulo on the 23rd and 24th of April. The meeting will definitely be an important milestone for multilateral and multi-stakeholder mechanisms in the ecosystem.

It has been more than a decade since this debate between multilateralism and multi-stakeholderism has ignited. Multistakeholderism is a form of governance that seeks to ensure that every stakeholder is guaranteed a seat at the policy formulation table (either in consultative capacity or in decision making capacity depending who you ask). The Tunis Agenda, which was the end result of the 2003-05 WSIS upheld the multistakeholder mode. The 2003–2005 World Summit on the Information Society process was seen by those favouring the status quo at that time as the first attempt by the UN bodies or multilateralism - to takeover the Internet. However, the end result i.e. Tunis Agenda [3] clarified and reaffirmed multi-stakeholderism as the way forward even though multilateral governance mechanisms were also accepted as a valid component of Internet governance. The list of stakeholders included states, the private sector, civil society, intergovernmental organisations, international standards organisations and the “academic and technical communities within those stakeholder groups mentioned” above. The Tunis Agenda also constituted the Internet Governance Forum (IGF) and the process of Enhanced Cooperation.

The IGF was defined in detail with a twelve point mandate including to “identify emerging issues, bring them to the attention of the relevant bodies and the general public, and, where appropriate, make recommendations.” In brief it was to be a learning Forum, a talk shop and a venue for developing soft law not international treaties. Enhanced Cooperation was defined as “to enable governments, on an equal footing, to carry out their roles and responsibilities, in international public policy issues pertaining to the Internet, but not in the day-to-day technical and operational matters, that do not impact on international public policy issues” – and to this day, efforts are on to define it more clearly.

Seven years later, during the World Conference on Telecommunication in Dubai, the status quoists dubbed it another attempt by the UN to take over the Internet. Even those non-American civil society actors who were uncomfortable with US dominance were willing to settle for the status quo because they were convinced that US court would uphold human rights online more robustly than most other countries. In fact, the US administration had laid a good foundation for the demonization of the UN and other nation states that preferred an international regime. "Internet freedom" was State Department doctrine under the leadership of Hillary Clinton. As per her rhetoric – there were good states, bad states and swing states. The US, UK and some Scandinavian countries were the defenders of freedom. China, Russia and Saudi Arabia were examples of authoritarian states that were balkanizing the Internet. And India, Brazil and Indonesia were examples of swing states – in other words, they could go either way – join the good side or the dark side.

But Internet freedom rhetoric was deeply flawed. The US censorship regime is really no better than China’s. China censors political speech – US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby that has tremendous influence on the Hill. Statistics of television viewership across channels around the world will tell us how the majority privileges cultural speech over political speech on any average day. The great firewall of China only affects its citizens – netizens from other jurisdictions are not impacted by Chinese censorship. On the other hand, the US acts of censorship are usually near global in impact.

This is because the censorship regime is not predominantly based on blocking or filtering but by placing pressure on identification, technology and financial intermediaries thereby forcing their targets offline. When it comes to surveillance, one could argue that the US is worse than China. Again, as was the case with censorship, China only conducts pervasive blanket surveillance upon its citizens – unlike US surveillance, which not only affects its citizens but targets every single user of the Internet through a multi-layered approach with an accompanying acronym soup of programmes and initiatives that include malware, trojans, software vulnerabilities, back doors in encryption standards, over the top service providers, telcos, ISPs, national backbone infrastructure and submarine fibre optic cables.

Security guru Bruce Schneier tells us that "there is no security without privacy. And liberty requires both security and privacy.” Blanket surveillance therefore undermines the security imperative and compromises functioning markets by make e-commerce, e-banking, intellectual property, personal information and confidential information vulnerable. Building a secure Internet and information society will require ending mass surveillance by states and private actors.

The Opportunity for India

Unlike the America with its straitjacketed IP regime, India believes that access to knowledge is a precondition for freedom of speech and expression. As global intellectual property policy or access to knowledge policy is concerned, India is considered a leader both when it comes to domestic policy and international policy development at the World Intellectual Property Organisation. From the 70s our policy-makers have defended the right to health in the form of access to medicines. More recently, India played a critical role in securing the Marrakesh Treaty for Visually Impaired Persons in June 2013 which introduces a user right [also referred to as an exception, flexibility or limitation] which allows the visually impaired to convert books to accessible formats without paying the copyright-holder if an accessible version has not been made available. The Marrakesh Treaty is disability specific [only for the visually impaired] and works specific [only for copyright]. This is the first instance of India successfully exporting policy best practices. India's exception for the disabled in the Copyright Act unlike the Marrakesh Treaty, however, is both disability-neutral and works-neutral.

Given that the Internet is critical to the successful implementation of the Treaty ie. cross border sharing of works that have been made accessible to disabled persons in one country with the global community, it is perhaps time for India to broaden its influence into the sphere of Internet governance and the governance of information societies more broadly.

Post-Snowden, the so called swing states occupy the higher moral ground. It is time for these states to capitalize on this moment using strong political will. Instead of just being a friendly jurisdiction from the perspective of access to medicine, it is time for India to also be the enabling jurisdiction for access to knowledge more broadly. We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware [especially mobile phones] to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit from India going beyond being the pharmacy of the world to becoming the electronics store of the world. We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content [text, images, video, audio, games and software] at affordable rates and rights-holders get some royalty from all Internet users in India. This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy – we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media. Given that privacy is a precondition for security, this will also make India very secure from a cyber security perspective. Of course this is a fanciful pipe dream given our current circumstances but is definitely a possible future for us as a nation to pursue.

What is the scope of Internet Governance?

Part of the tension between multi-stakeholderism and multilateralism is that there is no single, universally accepted definition of Internet governance. The conservative definitions of Internet Governance limits it to management of critical Internet resources, including the domain name system, IP addresses and root servers – in other words, the ICANN, IANA functions, regional registries and other I* bodies. This is where US dominance has historically been most explicit. This is also where the multi-stakeholder model has clearly delivered so far and therefore we must be most careful about dismantling existing governance arrangements. There are very broadly four approaches for reducing US dominance here – a) globalization [giving other nation-states a role equal to the US within the existing multi-stakeholder paradigm], b) internationalization [bring ICANN, IANA functions, registries and I* bodies under UN control or oversight], c) eliminating the role for nation states in the IANA functions[4] and d) introducing competitors for names and numbers management. Regardless of the final solution, it is clear that those that control domain names and allocate IP addresses will be able to impact the freedom of speech and expression. The impact on the national security of India is very limited given that there are three root servers [5] within national borders and it would be near impossible for the US to shut down the Internet in India.

For a more expansive definition – The Working Group on Internet Governance report[6] has four categories for public policy issues that are relevant to Internet governance:

“(a) Issues relating to infrastructure and the management of critical Internet resources, including administration of the domain name system and Internet protocol addresses (IP addresses), administration of the root server system, technical standards, peering and interconnection, telecommunications infrastructure, including innovative and convergent technologies, as well as multilingualization. These issues are matters of direct relevance to Internet governance and fall within the ambit of existing organizations with responsibility for these matters;

(b) Issues relating to the use of the Internet, including spam, network security and cybercrime. While these issues are directly related to Internet governance, the nature of global cooperation required is not well defined;

(c)Issues that are relevant to the Internet but have an impact much wider than the Internet and for which existing organizations are responsible, such as intellectual property rights (IPRs) or international trade. ...;

(d) Issues relating to the developmental aspects of Internet governance, in particular capacity-building in developing countries.”

Some of these categories are addressed via state regulation that has cascaded from multilateral bodies that are associated with the United Nations such as the World Intellectual Property Organisation for "intellectual property rights" and the International Telecommunication Union for “telecommunications infrastructure”. Other policy issues such as "cyber crime" are currently addressed via plurilateral instruments – for example the Budapest Convention on Cybercrime – and bilateral arrangements like Mutual Legal Assistance Treaties. "Spam" is currently being handled through self-regulatory efforts by the private sector such as Messaging, Malware and Mobile Anti-Abuse Working Group.[7] Other areas where there is insufficient international or global cooperation include "peering and interconnection" - the private arrangements that exist are confidential and it is unclear whether the public interest is being adequately protected.

So who really governs the Internet?

So in conclusion, who governs the Internet is not really a useful question. This is because nobody governs the Internet per se. The Internet is a diffuse collection of standards, technologies and actors and dramatically different across layers, geographies and services. Different Internet actors – the government, the private sector, civil society and the technical and academic community are already regulated using a multiplicity of fora and governance regimes – self regulation, coregulation and state regulation. Is more regulation always the right answer? Do we need to choose between multilateralism and multi-stakeholderism? Do we need stable definitions to process? Do we need different version of multi-stakeholderism for different areas of governance for ex. standards vs. names and numbers? Ideally no, no, no and yes. In my view an appropriate global governance system will be decentralized, diverse or plural in nature yet interoperable, will have both multilateral and multistakeholder institutions and mechanisms and will be as interested in deregulation for the public interest as it is in regulation for the public interest.

[1]. Montevideo Statement on the Future of Internet Cooperation https://www.icann.org/en/news/announcements/announcement-07oct13-en.htm

[2]. Brazil to host global internet summit in ongoing fight against NSA surveillance http://rt.com/news/brazil-internet-summit-fight-nsa-006/

[3]. Tunis Agenda For The Information Society http://www.itu.int/wsis/docs2/tunis/off/6rev1.html

[4]. Roadmap for globalizing IANA: Four principles and a proposal for reform: a submission to the Global Multistakeholder Meeting on the Future of Internet Governance by Milton Mueller and Brenden Kuerbis March 3rd 2014 See: http://www.internetgovernance.org/wordpress/wp-content/uploads/ICANNreformglobalizingIANAfinal.pdf

[5]. Mumbai (I Root), Delhi (K Root) and Chennai (F Root). See: http://nixi.in/en/component/content/article/36-other-activities-/77-root-servers

[6]. Report of the Working Group on Internet Governance to the President of the Preparatory Committee of the World Summit on the Information Society, Ambassador Janis Karklins, and the WSIS Secretary-General, Mr Yoshio Utsumi. Dated: 14 July 2005 See: http://www.wgig.org/WGIG-Report.html

[7].Messaging, Malware and Mobile Anti-Abuse Working Group website See: http://www.maawg.org/

The author is is the Executive Director of the Centre for Internet and Society (CIS), Bangalore. He is also the founder of Mahiti, a 15 year old social enterprise aiming to reduce the cost and complexity of information and communication technology for the voluntary sector by using free software. He is an Ashoka fellow. For three years, he also managed the International Open Source Network, a project of United Nations Development Programme's Asia-Pacific Development Information Programme, serving 42 countries in the Asia-Pacific region.

For more details visit https://cis-india.org/internet-governance/blog/yojana-april-2014-sunil-abraham-who-governs-the-internet-implications-for-freedom-and-national-security

Privacy worries cloud Facebook's WhatsApp Deal

sunil — 2014-03-20T05:59:28Z

Privacy activists in the United States have asked the competition regulator or the Federal Trade Commission to put on hold Facebook's acquisition of WhatsApp. Why have they done this when Facebook has promised to leave WhatsApp untouched as a standalone app?

Read the original published in the Economic Times on March 14, 2014

Activists have five main concerns.

Facebook has a track record of not keeping its promises to users.
The ethos of both companies when it comes to privacy is diametrically opposite.
The probability that WhatsApp messages and content will be intercepted because of Facebook's participation in NSA's PRISM spying programme.
Facebook slurping WhatsApp's large repository of phone numbers.
Two hundred trackers already monitor your internet use when you are not using Facebook and now they tracking mobile use much more granularly. This week the Indian competition regulator (CCI) also told the media that the acquisition would be subject to scrutiny. However, unlike the US regulator the Indian regulator does not have the mandate to examine the acquisition from a privacy perspective.

LIRNEAsia research in Indonesia paints a very similar picture to one we have in India. When Indonesian mobile phone users were asked if they used Facebook they answered in affirmative. Then the very same users were asked if they used the internet and they replied in negative. A large number of Facebook users in these other similar economies are trapped within what are called "walled gardens."

Walled gardens allow mobile phone subscribers without data connections to get access to a single over-the-top service provider like Facebook because their telcom provider has an arrangement. Software such as Facebook on every phone makes it possible for feature phone users to also enter the walled garden.

According to Facebook it "is a fast and easyto-use native app that works on more than 3,000 different types of feature phones from almost every handset manufacturer that exists today."

Unlike North American and European users of Facebook - who freely roam the "world wild web" and then choose to visit Facebook when they want to many Indian users will first experience data services in a domesticated fashion within a walled garden.

Whether or not they will wander in the wild when they are have full access to the internet remains to be seen. But given our poor rates of penetration, dogmatic insistence on network neutrality at this early stage of internet adoption may not be the right way to maximise welfare and consumer interest.

Fortunately for Facebook and unfortunately for us, India still does not have a comprehensive data protection or horizontal privacy law. The Justice AP Shah Committee that was constituted by the Planning Commission in October 2012 recommended that the Privacy Act articulate national privacy principles and establish the office of the Privacy Commissioner. It further recommended that data protection and surveillance be regulated for both the private sector and the state.

Since then the Department of Personnel and Training has updated the draft bill to implement these recommendations and has been working towards consensus within government.

Since we still don't have our own privacy regulator we will have to depend on foreign data protection authorities and privacy commissioners to protect us from the voracious appetite for personal data of over-the-top service providers like Facebook This is woefully insufficient because they will not act on harm caused to Indian consumers or be aware of how Facebook acts differently in the Indian market.

As we approach the first general election in India when social media will play a small but influential role it would have been excellent if we had someone to look out for our right to privacy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-march-14-2014-sunil-abraham-privacy-worries-cloud-facebook-whatsapp-deal