The Centre for Internet and Society
http://editors.cis-india.org
How to make EVMs hack-proof, and elections more trustworthy
http://editors.cis-india.org/internet-governance/blog/the-times-of-india-december-9-2018-pranesh-prakash-how-to-make-evms-hack-proof-and-elections-more-trustworthy
<b>Free and fair elections are the expression of democratic emancipation. India has always led by example: the Nehru Committee sought universal adult franchise in 1928, at a time when France didn't let women vote, and laws in the USA allowed disqualification of poor, illiterate, and African-American voters. But how reliable are our voting systems, particularly in terms of security?</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/how-to-make-evms-hack-proof-and-elections-more-trustworthy/articleshow/67004651.cms">Times of India</a> on December 9, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><br />Electronic voting machines (EVMs) have been in use for general elections in India since 1999, having been first introduced in 1982 for a by-election in Kerala. The EVMs we use are indigenous, having been designed jointly by two public-sector organisations: the Electronics Corporation of India Ltd. and Bharat Electronics Ltd. In 1999, the Karnataka High Court upheld their use, as did the Madras High Court in 2001.<br /><br />Since then a number of other challenges have been levelled at EVMs, but the only one that was successful was the petition filed by Subramanian Swamy before the Supreme Court in 2013. But before we get to Swamy's case and its importance, we should understand what EVMs are and how they are used.<br /><br />The EVMs used in India are standardised and extremely simple machines. From a security standpoint this makes them far better than the myriad different, and in some cases notoriously insecure, machines used in elections in the USA. Are they 'hack-proof' and 'infallible' as has been claimed by the ECI? Not at all.<br /><br />Similarly simple voting machines in the Netherlands and Germany were found to have vulnerabilities, leading both those countries to go back to paper ballots.<br /><br />Because the ECI doesn't provide security researchers free and unfettered access to the EVMs, there had been no independent scrutiny until 2010. That year, an anonymous source provided a Hyderabad-based technologist an original EVM. That technologist, Hari Prasad, and his team worked with some of the world's foremost voting security experts from the Netherlands and the US, and demonstrated several actual live hacks of the EVM itself and several theoretical hacks of the election process, and recommended going back to paper ballots. Further, EVMs have often malfunctioned, as news reports tell us. 
Instead of working on fixing these flaws, the ECI arrested Prasad (for being in possession of a stolen EVM) and denied Princeton Prof Alex Halderman entry into India when he flew to Delhi to publicly discuss their research. Even in 2017, when the ECI challenged political parties to “hack” EVMs, it did not provide unfettered access to the machines.<br /><br />While paper ballots may work well in countries like Germany, they hadn't in India, where in some parts ballot-stuffing and booth-capturing were rampant. The solution as recognised by international experts, and as the ECI eventually realised, was to have the best of both worlds and to add a printer to the EVMs.<br /><br />These would print out a small slip of paper containing the serial number and name of the candidate, and the symbol of the political party, so that the sighted voter could verify that her vote has been cast correctly. This paper would then be deposited in a sealed box, which would provide a paper trail that could be used to audit the correctness of the EVM. They called this VVPAT: voter-verifiable paper audit trail. Swamy, in his PIL, asked for VVPAT to be introduced. The Supreme Court noted that the ECI had already done trials with VVPAT, and made them mandatory.<br /><br />However, VVPATs are of no use unless they are actually counted to ensure that the EVM tally and the paper tally do match. The most advanced and efficient way of doing this has been proposed by Lindeman & Stark, through a methodology called risk-limiting audits (RLAs), in which you keep auditing until either you've done a full hand count or you have strong evidence that continuing is pointless. The ECI could request the Indian Statistical Institute for its recommendations in implementing RLAs. 
Also, it must be remembered, current VVPAT technology is inaccessible for persons with visual impairments.<br /><br />While in some cases, the ECI has conducted audits of the printed paper slips, in 2017 it officially noted that only the High Court can order an audit and that the ECI doesn't have the power to do so under election law. Rule 93 of the Conduct of Election Rules needs to be amended to make audits mandatory.<br /><br />The ECI should also create separate security procedures for handling of VVPATs and EVMs, since there are now reports of EVMs being replaced 'after' voting has ended. Having separate handling of EVMs and VVPATs would ensure that two different safe-houses would need to be broken into to change the results of the vote. Implementing these two changes (changing election law to make risk-limiting audits mandatory, and improving physical security practices) would make Indian elections much more trustworthy than they are now, while far more needs to be done to make them inclusive and accessible to all.</p>
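<p style="text-align: justify; ">The risk-limiting audit described above, as an added example that is not part of the original article: a two-candidate ballot-polling audit (the BRAVO sequential test of Lindeman, Stark and Yates) run over constructed VVPAT slips. The function names, candidate labels, tallies and the 5% risk limit are assumptions made for illustration.</p>

```python
"""Ballot-polling risk-limiting audit for a two-candidate contest (BRAVO-style).

Added illustration: all tallies and slip boxes below are constructed sample data.
"""
import random
from collections import Counter


def sequential_audit(drawn_slips, winner, loser, reported_winner_share,
                     risk_limit=0.05):
    """Run Wald's sequential test over randomly drawn paper slips.

    Null hypothesis: the reported winner did NOT really win (true share of
    the winner among winner+loser slips is at most 1/2).
    reported_winner_share is the EVM-reported share among those two candidates.
    Returns (confirmed, slips_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must lie strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit      # evidence needed to reject the null
    ratio = 1.0                       # running likelihood ratio
    examined = 0
    for slip in drawn_slips:
        examined += 1
        if slip == winner:
            ratio *= reported_winner_share / 0.5
        elif slip == loser:
            ratio *= (1.0 - reported_winner_share) / 0.5
        # Slips for other candidates or invalid slips leave the ratio unchanged.
        if ratio >= threshold:
            return True, examined     # strong evidence: continuing is pointless
    return False, examined            # sample exhausted without confirmation


def audit_box(paper_slips, evm_tally, risk_limit=0.05, max_draws=None, seed=2018):
    """Audit a sealed box of VVPAT slips against the EVM-reported tally.

    Slips are drawn at random with replacement. If the EVM outcome is not
    confirmed within max_draws, escalate to a full hand count of the box and
    report the winner the paper shows.
    """
    (winner, w_votes), (loser, l_votes) = Counter(evm_tally).most_common(2)
    share = w_votes / (w_votes + l_votes)
    max_draws = max_draws or len(paper_slips)
    rng = random.Random(seed)         # in a real audit: a publicly generated seed
    draws = (paper_slips[rng.randrange(len(paper_slips))]
             for _ in range(max_draws))
    confirmed, examined = sequential_audit(draws, winner, loser, share, risk_limit)
    if confirmed:
        return {"result": "evm_outcome_confirmed",
                "slips_examined": examined,
                "winner": winner}
    hand_count = Counter(paper_slips)
    return {"result": "full_hand_count",
            "slips_examined": len(paper_slips),
            "winner": hand_count.most_common(1)[0][0]}


# Constructed data: the EVM reports candidate A winning 700 to 300.
EVM_TALLY = {"A": 700, "B": 300}
HONEST_BOX = ["A"] * 700 + ["B"] * 300      # paper agrees with the EVM
MISMATCHED_BOX = ["A"] * 300 + ["B"] * 700  # paper contradicts the EVM

if __name__ == "__main__":
    print("paper matches EVM:    ", audit_box(HONEST_BOX, EVM_TALLY))
    print("paper contradicts EVM:", audit_box(MISMATCHED_BOX, EVM_TALLY))
```

<p style="text-align: justify; ">When the paper agrees with the EVM, the audit stops after a small sample; when it does not, the evidence never accumulates and the audit escalates to the full hand count, which is what corrects the outcome.</p>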
No publisher | pranesh | Internet Governance | 2019-01-14T15:34:48Z | Blog Entry
Why Data Localisation Might Lead To Unchecked Surveillance
http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-pranesh-prakash-october-15-2018-why-data-localisation-might-lead-to-unchecked-surveillance
<b>In recent times, there has been a rash of policies and regulations that propose that the data that Indian entities handle be physically stored on servers in India, in some cases exclusively. In other cases, only a copy needs to be stored.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.bloombergquint.com/opinion/why-data-localisation-might-lead-to-unchecked-surveillance">Bloomberg Quint</a> on October 15, 2018 and also mirrored in the <a class="external-link" href="https://www.thequint.com/voices/opinion/why-data-localisation-might-lead-to-unchecked-surveillance">Quint</a>.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In April 2018, the Reserve Bank of India put out a <a href="https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244&Mode=0" target="_blank">circular</a> requiring that all “data relating to payment systems operated by them are stored in a system only in India” <a href="https://www.bloombergquint.com/business/rbi-sticks-to-oct-15-deadline-for-data-localisation" target="_blank">within six months</a>. Lesser requirements have been imposed on all Indian companies’ accounting data since 2014 (the back-up of the books of account and other books that are stored electronically must be stored in India), on the broadcasting sector under the Foreign Direct Investment policy (which must locally store subscriber information), and on the telecom sector under the Unified Access licence (which may not transfer its subscriber data outside India).</p>
<p style="text-align: justify; ">The draft e-commerce policy has a wide-ranging requirement of exclusive local storage for “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms, social media, search engines, etc.”, as does the draft e-pharmacy regulations, which stipulate that “the data generated” by e-pharmacy portals be stored only locally.</p>
<p style="text-align: justify; ">While companies such as Airtel, Reliance, PhonePe (majority-owned by Walmart) and Alibaba have spoken up in support of the government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it.</p>
<p style="text-align: justify; ">Just this week, two U.S. Senators <a href="https://www.bloombergquint.com/business/us-senators-write-to-pm-modi-seek-soft-stance-on-indias-data-localisation" target="_blank">wrote to</a> the Prime Minister’s office arguing that the RBI’s data localisation regulations along with the proposals in the draft e-commerce and cloud computing policies are “key trade barriers”. In her dissenting note to the Srikrishna Committee's report, Rama Vedashree of the Data Security Council of India notes that, “mandating localisation may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (information technology-business process management) industry.”</p>
<h2 style="text-align: justify; ">Justification For Data Localisation</h2>
<p style="text-align: justify; ">What are the reasons for these moves towards data localisation?</p>
<blockquote style="text-align: justify; ">Given the opacity of policymaking in India, many of the policies and regulations provide no justification at all. Even the ones that do, don’t provide cogent reasoning.</blockquote>
<p style="text-align: justify; ">The RBI says it needs “unfettered supervisory access” and hence needs data to be stored in India. However, it fails to state why such unfettered access is not possible for data stored outside of India.</p>
<blockquote style="text-align: justify; ">As long as an entity can be compelled by Indian laws to engage in local data storage, that same entity can also be compelled by that same law to provide access to their non-local data, which would be just as effective.</blockquote>
<p style="text-align: justify; ">What if they don’t provide such access? Would they be blacklisted from operating in India, just as they would if they didn’t engage in local data storage? Is there any investigatory benefit to storing data in India? As any data forensic expert would note, chain of custody and data integrity are the most important components of data handling in fraud investigation, and not physical access to hard drives. It would be difficult for the government to say that it will block all Google services if the company doesn’t provide all the data that Indian law enforcement agencies request from it. However, it would be facile for the RBI to bar Google Pay from operating in India if Google doesn’t provide it “unfettered supervisory access” to data.</p>
<p style="text-align: justify; ">The most exhaustive justification of data localisation in any official Indian policy document is that contained in the <a href="http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf" target="_blank">Srikrishna Committee’s report</a> on data protection. The report argues that there are several benefits to data localisation:</p>
<ol style="text-align: justify; ">
<li>Effective enforcement,</li>
<li>Avoiding reliance on undersea cables,</li>
<li>Avoiding foreign surveillance on data stored outside India,</li>
<li>Building an “Artificial Intelligence ecosystem”</li>
</ol>
<p style="text-align: justify; ">Of these, the last three reasons are risible.</p>
<h2 style="text-align: justify; ">Not A Barrier To Surveillance</h2>
<p style="text-align: justify; ">Requiring mirroring of personal data on Indian servers will not magically give rise to experts skilled in statistics, machine learning, or artificial intelligence, nor will it somehow lead to the development of the infrastructure needed for AI.</p>
<p style="text-align: justify; ">The United States and China are both global leaders in AI, yet no one would argue that China’s data localisation policies have helped it or that America’s lack of data localisation policies has hampered it.</p>
<blockquote style="text-align: justify; ">On the question of foreign surveillance, data mirroring will not have any impact, since the Srikrishna Committee’s recommendation would not prevent companies from storing most personal data outside of India.</blockquote>
<p style="text-align: justify; ">Even for “sensitive personal data” and for “critical personal data”, which may be required to be stored in India alone, such measures are unlikely to prevent agencies like the U.S. National Security Agency or the United Kingdom’s Government Communications Headquarters from being able to indulge in extraterritorial surveillance.</p>
<p style="text-align: justify; ">In 2013, slides from an NSA presentation that were leaked by Edward Snowden showed that the NSA’s “BOUNDLESSINFORMANT” programme collected 12.6 billion instances of telephony and Internet metadata (for instance, which websites you visited and who all you called) from India in just one month, making India one of the top 5 targets.</p>
<p style="text-align: justify; ">This shows that technically, surveillance in India is not a challenge for the NSA.</p>
<p style="text-align: justify; ">So, forcing data mirroring enhances Indian domestic intelligence agencies’ abilities to engage in surveillance, without doing much to diminish the abilities of skilled foreign intelligence agencies.</p>
<p style="text-align: justify; ">As I have <a href="https://slides.com/pranesh/digital-security-for-journalists#/5/1" target="_blank">noted in the past</a>, the technological solution to reducing mass surveillance is to use decentralised and federated services with built-in encryption, using open standards and open source software.</p>
<p style="text-align: justify; ">Reducing reliance on undersea cables is, just like reducing foreign surveillance on Indians’ data, a laudable goal. However, a mandate of mirroring personal data in India, which is what the draft Data Protection Bill proposes for all non-sensitive personal data, will not help. Data will stay within India if the processing happens within India. However, if the processing happens outside of India, as is often the case, then undersea cables will still need to be relied upon.</p>
<p style="text-align: justify; ">The better way to keep data within India is to incentivise the creation of data centres and working towards reducing the cost of internet interconnection by encouraging more peering among Internet connectivity providers.</p>
<blockquote style="text-align: justify; ">While data mirroring will not help in improving the enforcement of any data protection or privacy law, it will aid Indian law enforcement agencies in gaining easier access to personal data.</blockquote>
<h2 style="text-align: justify; ">The MLAT Route</h2>
<p style="text-align: justify; ">Currently, many forms of law enforcement agency requests for data have to go through onerous channels called ‘mutual legal assistance treaties’. These MLAT requests take time and are ill-suited to the needs of modern criminal investigations. However, the U.S., recognising this, passed a law called the CLOUD Act in March 2018. While the CLOUD Act compels companies like Google and Amazon, which have data stored in Indian data centres, to provide that data upon receiving legal requests from U.S. law enforcement agencies, it also enables easier access to foreign law enforcement agencies to data stored in the U.S. as long as they fulfill certain procedural and rule-of-law checks.</p>
<blockquote style="text-align: justify; ">While the Srikrishna Committee does acknowledge the CLOUD Act in a footnote, it doesn’t analyse its impact, doesn’t provide suggestions on how India can do this, and only outlines the negative consequences of MLATs.</blockquote>
<p style="text-align: justify; ">Further, it is inconceivable that the millions of foreign services that Indians access and provide their personal data to will suddenly find a data centre in India and will start keeping such personal data in India. Instead, a much likelier outcome, one which the Srikrishna Committee doesn’t even examine, is that many smaller web services may find such requirements too onerous and opt to block users from India, similar to the way that Indiatimes and the Los Angeles Times opted to block all readers from the European Union due to the coming into force of the new data protection law.</p>
<p style="text-align: justify; ">The government could be spending its political will on finding solutions to the law enforcement agency data access question, and negotiating solutions at the international level, especially with the U.S. government. However, it is not doing so.</p>
<p style="text-align: justify; ">Given this, the recent spate of data localisation policies and regulation can only be seen as part of an attempt to increase the scope and ease of the Indian government’s surveillance activities, while India’s privacy laws still remain very weak and offer inadequate legal protection against privacy-violating surveillance. Because of this, we should be wary of such requirements, as well as of the companies that are vocal in embracing data localisation.</p>
No publisher | pranesh | Surveillance | Internet Governance | Privacy | 2018-10-16T14:08:34Z | Blog Entry
CIS Funding 2008 - 2018
http://editors.cis-india.org/internet-governance/files/cis-funding-2008-2018.xlsx
No publisher | pranesh | 2018-07-07T01:17:05Z | File
The Right to Information, The Right to Knowledge (Talk by Sam Pitroda & Carl Malamud)
http://editors.cis-india.org/events/the-right-to-information-the-right-to-knowledge
<b>On October 15, 2017, Sam Pitroda and Carl Malamud will speak on open data and knowledge in India.</b>
<p>HasGeek and NUMA Bangalore are co-organizing a talk by two eminent internet pioneers — Sam Pitroda and Carl Malamud — on open data and knowledge in India. Pranesh Prakash of CIS will introduce the speakers and their work.</p>
<h2>The Right to Information, The Right to Knowledge</h2>
<p>Sam Pitroda and Carl Malamud will talk about their efforts in India, the U.S., and many other countries to help promote universal access to knowledge. They'll discuss the constitutional underpinnings of this right in India and some of the information they've been making available, including 3 lakh books from the Digital Library of India, 19,000 official standards from the Bureau of Indian Standards, and a raft of other resources such as the entire Collected Works of Mahatma Gandhi.</p>
<p>They will discuss how key laws such as the Right to Information make this possible but will focus more on how the world of open source and the Internet can turn that promise into a reality. Universal access to knowledge is the great unmet promise of our times, and they will talk about what we can all do to make this dream possible.</p>
<h3>About the speakers</h3>
<p>Dr. Sam Pitroda was a senior advisor to Prime Ministers Rajiv Gandhi and Manmohan Singh and is widely credited for having led India’s telecommunications and technology revolutions in the 1980s. Dr. Pitroda holds 20 honorary PhDs, close to 100 worldwide patents, and helped create the first digital PBXs in the 1960s.</p>
<p>Carl Malamud started the first radio station on the Internet and is considered one of the pioneers of the U.S. open government movement. Carl runs Public.Resource.Org, an NGO which has placed hundreds of millions of pages of government information online, including all 19,000 Indian Standards. </p>
No publisher | pranesh | 2018-02-14T12:19:16Z | Event
Submission to TRAI Consultation on "Inputs for Formulation of National Telecom Policy - 2018"
http://editors.cis-india.org/telecom/blog/submission-to-trai-consultation-on-inputs-for-formulation-of-national-telecom-policy-2018
<b>Centre for Internet and Society (CIS) made a submission to TRAI Consultation on inputs to the National Telecom Policy. </b>
<h3 style="text-align: justify; ">Preliminary</h3>
<p style="text-align: justify; ">We welcome the TRAI consultation on the National Telecom Policy 2018.</p>
<p style="text-align: justify; ">We believe these should be among the objectives of the next NTP.</p>
<div id="_mcePaste" style="text-align: justify; ">
<ul>
<li>To enable inclusion through the provision of telecommunications infrastructure and services that are accessible to all, especially for the most marginalized.</li>
<li>To maximize the utility of telecom networks by increasing their capacity and throughput.</li>
<li>To maximize the socio-economic utility of spectrum and rationalize the regulatory regime.</li>
<li>To re-energize the telecom sector, and to bring about a shift to a revenue-sharing model of revenue-generation for the exchequer.</li>
</ul>
</div>
<p style="text-align: justify; ">NTP-12 does not include any policy mandate for providing accessibility for persons with disabilities. The Policy should mandate implementation of systems that would enable better <span>accessibility for persons with disabilities. This could have included formulation of a Code of good practice for manufacturers and service providers, conducting surveys and gathering statistics on </span><span>use of telecommunication services by persons with disabilities, etc. </span></p>
<h3 style="text-align: justify; ">Resource and infrastructure sharing</h3>
<p style="text-align: justify; ">Resource- and infrastructure-sharing among telecommunications companies and applications is crucial to ensure both efficiency of usage of a limited resource (whether it is cabling in <span>underground ducts, or spectrum, or telecom towers), as well as to lower telecommunications costs (especially capital expenditure cost) and lowering barriers to entry, reducing </span>environmental costs, and to maximize the benefits for consumers.<a href="#ftn1">[1]</a></p>
<p style="text-align: justify; ">Efforts must be taken to enable greater sharing of resources and infrastructure, without there being a negative impact on competition.<a href="#ftn2">[2]</a></p>
<p style="text-align: justify; ">As a telecom scholar points out, “[O]perators will sometimes share the cost of digging or deploying passive infrastructure, but will lay their own fiber lines, which allows <span>them to engage in full, facility-based competition. In these cases, there is no risk of coordination, as networks based on multiple fiber lines ensure that access seekers can obtain </span><span>full control over them. Under such conditions, co-investment agreements are more likely to lead to timelier and more intense competition on the downstream market.”</span><a href="#ftn3">[3]</a></p>
<p style="text-align: justify; ">For this, the separation between infrastructure and service must be maintained, with focus of competition at the service end with infrastructure being largely common. This is managed differently in <span>different countries.</span><a href="#ftn4">[4]</a></p>
<p style="text-align: justify; ">Keeping all this in mind, we suggest that Strategies E(b) and F(c) be reworded to say, "By promoting both passive and active sharing of telecom infrastructure and <span>resources among telecom service providers, while ensuring that doesn’t lead to a decrease in competition, and where appropriate making certain forms of infrastructure sharing </span><span>mandatory."</span></p>
<p style="text-align: justify; ">Among the resources that require sharing is spectrum. In 2015, DoT guidelines allowed liberalised spectrum to be shared among operators.</p>
<h3 style="text-align: justify; ">Modernizing spectrum management</h3>
<p style="text-align: justify; ">We are happy to note that the strategy of “ensuring adequate availability of contiguous, broader and globally harmonised spectrum” is listed under Strategy D(u). There are many <span>opportunities for harmonisation of spectrum usage in India vis-a-vis global usage. For instance, currently in India, only 50 MHz of spectrum has been earmarked for unlicensed use </span><span>outdoors in the 5 GHz band (5.825 GHz to 5.875 GHz). There is no rationale for this distinction between indoor and outdoor use, and this limits the usage of Wi-Fi outdoors. The US has </span><span>delicensed 580 MHz in the 5 GHz band which allows for the IEEE 802.11ac standard to be used on it, whereas India has only delicensed 300 MHz, while 1280 MHz is what is dictated by </span><span>needs.</span><a href="#ftn5">[5]</a> <span>At a minimum 580 MHz (3x160 MHz) ought to be made available for unlicensed use. </span></p>
<p style="text-align: justify; ">Additionally, delicensing the 60 GHz band would bring us in line with global regimes,<a href="#ftn6">[6]</a> <span>where at least </span> 19 countries have delicensed the 60 GHz band for both access as well as backhaul purposes.<a href="#ftn7">[7]</a></p>
<p style="text-align: justify; ">The 60 GHz band is ideal for delicensing since there is virtually no interference: due to oxygen absorption and narrow antenna beam width, the transmission distances are short. We also need to liberalize the 70 and 80 GHz bands to enable lower-cost access for these frequencies to extend fibre connectivity where necessary by using other means, including <span>through aerial systems.</span></p>
<p style="text-align: justify; ">While under Strategy D(v), TRAI proposes the “earmarking [of] unlicensed frequency bands periodically for operation of low power devices for public use”, it should instead be <span>“earmarking unused, underused, and unlicensed frequency bands periodically for public use, with licence-exemption and light-licensing where possible, with safeguards to prevent </span><span>interference”. </span></p>
<p style="text-align: justify; ">Even bands that have been allocated under the NFAP and licensed may lie unused or underused as well. According to a study by IIT-Hyderabad, unused TV spectrum in <span>India amounts to between 85%-95% of the total TV spectrum. A large swath of 115 MHz — from 470 to 585 MHz — lies unused, and is available for alternative uses. Waiting for an </span><span>ecosystem to develop around the 470-698 MHz band,<a href="#ftn8">[8]</a> </span><span>is harming the government’s vision of Digital India and an urgent course correction is needed. As we have argued in the past, </span><span>“[w]hereas Digital India needs low-cost wireless broadband, especially for long-distance links in rural India, because of the high cost and difficulty of building and maintaining fibre or wired </span><span>networks in difficult terrain, and/or in sparsely populated areas. Therefore, access to TVWS needs to be bundled with BharatNet, and other shared backbone networks like ERNET.</span></p>
<p style="text-align: justify; ">Policies should permit different network design scenarios including transmission power and purpose. Point-to-point links are needed over long distances in place of fibre or microwave, <span>and broad coverage is needed for contiguous areas like industrial developments, campuses, commercial complexes, or rural communities … TVWS does need tight radio filters (unlike </span><span>Wi-Fi) to minimise interference, the underlying consideration that drives spectrum management. There's also need for varying power specifications depending on the network </span><span>design and purpose as described above, and policies for unlicensed sharing using geolocation databases, as defined by the US FCC."<a href="#ftn9">[9]</a></span></p>
<p style="text-align: justify; ">Further, following the lead of the FCC in the USA, and Ofcom in the UK, we in India should exempt low-power usage across all spectrum bands. The approach followed by Ofcom, which <span>allows for powers between -90 dBm/MHz and -41 dBm/MHz (and on a sloping gradient from 10.6 GHz onwards), may be recommended. To reflect this, a strategy statement to “explore greater </span><span>exemptions from licensing requirements where possible, including for low-power spectrum usage”, would be helpful.</span></p>
<p style="text-align: justify; ">The NTP should also lead the way in encouraging the government and the regulator to look to new ways of managing licence-exempt use of spectrum, as has been done, for example, in the <span>UK.<a href="#ftn10">[10]</a></span></p>
<p style="text-align: justify; ">This allows for a movement away from power-oriented regulations to regulation on the basis of interference. For instance, shared spectrum databases may allow for coordinated usage <span>of higher power but without interference. Further, this allows for bands to be categorized not by usage, but by transmit powers and duty cycles.</span></p>
<h3><span>Accessibility</span></h3>
<p style="text-align: justify; ">One of the lacunae in the NTP-12 is its lack of any policy mandate for providing accessibility for persons with disabilities.<a href="#ftn11">[11]</a> <span>NTP-18 should not make the same mistake. The NTP should </span><span>mandate implementation of systems that would enable better accessibility for persons with disabilities. This should include formulation of a code of good practice for manufacturers and </span><span>service providers, conducting surveys and gathering statistics on use of telecommunication services by persons with disabilities, etc.</span></p>
<h3><span>Revenue maximization</span></h3>
<p style="text-align: justify; ">We believe that Strategy D(r) (“reviewing the objectives of spectrum management to maximise socio-economic gains”) should explicitly mention that revenue maximization should not itself <span>be a goal, since that may harm the socio-economic gains to be had from optimal usage of spectrum. We believe that it should be made explicit that “ensuring revenue maximization for </span><span>the exchequer will not be the main aim of spectrum management policy”.</span></p>
<p style="text-align: justify; "><span>Auctions, which find mention in TRAI’s recommendations, ne — to favour a model of revenue sharing<a href="#ftn12">[12]</a> </span><span>— and at the least they need to be structured in such a manner as to avoid the “winner’s curse”.<a href="#ftn13">[13]</a> </span><span>Revenue-sharing, which was followed after NTP-99, allows for a more sustainable form of revenue generation for the government, while having transparent allocation systems or </span><span>auctions designed in a manner not oriented towards maximizing the generation of auction proceeds for the government.<a href="#ftn14">[14]</a> </span><span>Just as increasing the USO fund by itself cannot be a goal — ensuring universal service is the goal — similarly, the generation of tax revenue by itself </span><span>cannot be a goal.</span></p>
<h3>Patents pools, local manufacturing, and cost of devices</h3>
<p style="text-align: justify; ">Under “Strategies to become net positive in international trade of telecommunication systems and services”, the consultation paper proposes financial incentives for development of SEPs, as <span>well as “incentivising local manufacturing of network equipment and devices” as strategies. One concrete strategy to incentivise local manufacturing of telecommunications equipment </span><span>and devices is to create government-controlled patent pools,<a href="#ftn15">[15]</a> </span><span>which can be used to ensure that patent-holders are paid a royalty on SEPs while also lowering the transaction costs and legal </span><span>uncertainty for local device manufacturers, and ultimately lowering the price of devices for customers.<a href="#ftn16">[16]</a></span></p>
<p style="text-align: justify; ">Private patent pools do not sufficiently take care of the legal risks created to manufacturers. If government intervention is not done, then Indian manufacturers will end <span>up embroiled in legal battles as we have seen with Micromax, and others. CIS has provided a very detailed submission on TRAI’s Consultation Paper on Promoting Local Telecom </span><span>Equipment Manufacturing.<a href="#ftn17">[17]</a></span></p>
<h3><span>Internet connection and data centres</span></h3>
<p style="text-align: justify; ">While the problem of Internet interconnection is brought up under “Strategies to establish India as a global hub for data communication systems and services”, the strategies don’t <span>mention what needs to be done. One of the problems facing India currently is a low level of peering interconnection agreements and a high cost of transit interconnection agreements. </span><span>This results in a higher cost of Internet for everyone. This needn’t be so. The NTP could establish that there should be no licensing required for running an interconnection point. </span><span>Currently, there is a lack of clarity on the matter, with contrary suggestions having been provided by TRAI in the past. Further, the NTP could establish that existing interconnection exchanges </span><span>like NIXI should not discriminate between licensed telecom operators and unlicensed content </span>providers, since it is crucial that the latter also be present at interconnection exchanges, and interconnection exchanges will not flourish unless the hurdles put in place, which favour <span>incumbents, are reduced.</span></p>
<p style="text-align: justify; ">It is worrying that TRAI has suggested establishing a “licensing and regulatory framework for cloud service providers” (Strategy H(a)). While cloud service providers are subject to the <span>regulations provided in the IT Act, and other legislations in India, they currently are not subject to any licensing requirements. No rationale has been provided by TRAI for this </span><span>suggestion, and it would kill innovation in the sector, and would inhibit the emergence of India as a global hub for data communications systems and services. Similarly, while an </span><span>overarching data protection and security legislation needs to be in place, the suggestion of a “licensing and regulatory framework for IoT/ M2M service providers” (Strategy G(a)) is </span><span>worrying, and there is no suitable rationale for having licensing in this space, which will only serve to curb innovation without any corresponding or suitable benefit accruing to the public.</span></p>
<p style="text-align: justify; ">Given that telecommunications isn’t an end in itself, but is a means to an end, one of the missions of the NTP could be:</p>
<ul>
<li style="text-align: justify; ">To enable inclusion through the provision of telecommunications infrastructure and services that is accessible for all, especially for the most marginalized, including those <span>who are disabled, those who live in remote areas, those who are illiterate, scheduled castes and scheduled tribes, women, and transgender communities.</span></li>
</ul>
<p>Once again, we are grateful to TRAI for having provided this opportunity to comment.</p>
<hr />
<p style="text-align: justify; ">[<a name="fn1">1</a>]. GSMA, “Mobile Infrastructure Sharing,” 2008, https://www.gsma.com/publicpolicy/wpcontent/uploads/2012/09/Mobile-Infrastructure-sharing.pdf.</p>
<p style="text-align: justify; ">[<a name="fn2">2</a>]. José Carlos Laguna de Paz, “How Cooperation Between Telecom Firms Can Improve Efficiency,” The Regulatory Review, June 25, 2015, https://www.theregreview.org/2015/06/25/laguna-telecoms-cooperation/.</p>
<p style="text-align: justify; ">[<a name="fn3">3</a>]. Ibid.</p>
<p style="text-align: justify; ">[<a name="fn4">4</a>]. Jan Markendahl, Amirhossein Ghanbari, and Bengt G. Mölleryd, “Network Cooperation between Mobile Operators: Why and How Competitors Cooperate?,” in DIVA, 2013, http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-134358.</p>
<p style="text-align: justify; ">[<a name="fn5">5</a>]. Parag Kar, “Response to TRAI’s Consultation Paper on Proliferation of Broadband through Public Wi-Fi Networks” (Qualcomm, August 10, 2016), http://www.trai.gov.in/sites/default/files/201609011022542916621Qualcomm_india_pvt_ltd.pdf.</p>
<p style="text-align: justify; ">[<a name="fn6">6</a>]. See ITU-R Report “ITU-R M.2227 (11/2011)” and ITU-R Recommendation “ITU-R M.2003-1 (01/2015)” on “Multiple Gigabit Wireless Systems in frequencies around 60 GHz”.</p>
<p style="text-align: justify; ">[<a name="fn7">7</a>]. Broadband India Forum, “V Band - 60 GHz: The Key to Affordable Broadband in India” (Broadband India Forum, 2016), http://www.broadbandindiaforum.com/img/White%20Paper%20on%20V-BAND%20Revised%20Final.pdf.</p>
<p style="text-align: justify; ">[<a name="fn8">8</a>]. Varun Aggarwal, “DoT Says No to Releasing TV White Space Spectrum, Clarifies It Is for Experiments,” The Hindu Business Line, June 16, 2016, http://www.thehindubusinessline.com/info-tech/dot-says-no-to-releasing-tvwhite-space-spectrum-clarifies-it-is-for-experiments/article8737575.ece.</p>
<p style="text-align: justify; ">[<a name="fn9">9</a>]. Shyam Ponappa, “The Buzz around TV White Space,” Business Standard, November 4, 2015, http://www.businessstandard.com/article/opinion/shyam-ponappa-the-buzz-around-tv-white-space-115110401618_1.html.</p>
<p style="text-align: justify; ">[<a name="fn10">10</a>]. “Better Managing Licence-Exempt Usage,” Ofcom, October 7, 2016, https://www.ofcom.org.uk/research-anddata/technology/radio-spectrum/exempt.</p>
<p style="text-align: justify; ">[<a name="fn11">11</a>]. Snehashish Ghosh, “National Telecom Policy 2012 — Issues and Concerns,” The Centre for Internet and Society, June 30, 2012, https://cis-india.org/telecom/national-telecom-policy-2012.</p>
<p style="text-align: justify; ">[<a name="fn12">12</a>]. David E. M. Sappington and Dennis L. Weisman, “Revenue Sharing in Incentive Regulation Plans,” Information Economics and Policy 8, no. 3 (September 1, 1996): 229–48, https://doi.org/10.1016/0167-6245(96)00010-8.</p>
<p style="text-align: justify; ">[<a name="fn13">13</a>]. Shyam Ponappa, “Richard Thaler’s Views on Auctions,” Business Standard, November 1, 2017, http://www.business-standard.com/article/opinion/richard-thaler-s-views-on-auctions-117110101558_1.html.</p>
<p style="text-align: justify; ">[<a name="fn14">14</a>]. Shyam Ponappa, “Breakthroughs Needed for Digital India,” Business Standard, April 6, 2016, http://www.businessstandard.com/article/opinion/shyam-ponappa-breakthroughs-needed-for-digital-india-116040601241_1.html.</p>
<p style="text-align: justify; ">[<a name="fn15">15</a>]. Sunil Abraham, “Letter for Establishment of Patent Pool for Low-Cost Access Devices through Compulsory Licenses,” The Centre for Internet and Society, accessed January 19, 2018, https://cis-india.org/a2k/blogs/letter-forestablishment-of-patent-pool-for-low-cost-access-devices.</p>
<p style="text-align: justify; ">[<a name="fn16">16</a>]. Nehaa Chaudhari, “Pervasive Technologies: Patent Pools,” The Centre for Internet and Society, accessed January 19, 2018, https://cis-india.org/a2k/blogs/patent-pools.</p>
<p style="text-align: justify; ">[<a name="fn17">17</a>]. Anubha Sinha, “Comments on TRAI’s Consultation Paper on Promoting Local Telecom Equipment Manufacturing” (Centre for Internet and Society, November 13, 2017), http://www.trai.gov.in/sites/default/files/CentreInternetSocietyIndia_CP_PLTEM.pdf.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/blog/submission-to-trai-consultation-on-inputs-for-formulation-of-national-telecom-policy-2018'>http://editors.cis-india.org/telecom/blog/submission-to-trai-consultation-on-inputs-for-formulation-of-national-telecom-policy-2018</a>
</p>
No publisher | pranesh | Telecom | 2018-01-25T14:46:48Z | Blog Entry
Killing of Yameen Rasheed Reveals Worsening Human Rights Situation in the Maldives
http://editors.cis-india.org/internet-governance/blog/yameen-rasheed-human-rights-maldives
<b>A courageous liberal blogger in the Maldives was murdered for his words. The international community needs to act.</b>
<p>The fight for freedom of expression is often abstract. On Sunday, it became personal for me: Yameen Rasheed, a courageous human rights defender and blogger in the Maldives, <a href="https://www.nytimes.com/2017/04/23/world/asia/yameen-rasheed-dead-maldives-blogger-dead.html?smid=tw-nytimesworld&smtyp=cur&_r=0">was brutally murdered just outside his apartment</a>. Yameen ran the popular blog <a href="http://thedailypanic.com">The Daily Panic</a> in which he sought to "cover and comment upon the news, satirize the frequently unsatirizable politics of Maldives, and also provide a platform to capture and highlight the diversity of Maldivian opinion". In this blog he often ended up rubbing the powerful the wrong way, with politicians and religious bigots often finding themselves at the receiving end of his satire.</p>
<p>Yameen wasn't the first human rights activist to be attacked. He also led the campaign to force the police to conduct a proper investigation on the <a href="http://findmoyameehaa.com/">forced disappearance in August 2014</a> of journalist Ahmed Rilwan <a href="https://twitter.com/moyameeha">@moyameehaa</a>, whom he counted as his closest friend. This campaign made him a target as well.</p>
<p>When there was a crackdown on the largest pro-democracy rally in Malé on 1st May 2015, <a href="http://thedailypanic.com/2015/06/dhoonidhoo-diaries-part-1-arrest-and-incarceration/">Yameen became a political prisoner</a>: he was remanded in jail for 17 days, and then moved to house arrest. Hundreds of others were also arrested then. Some opposition leaders continue to remain in jail. Sheikh Imran Abdulla, the leader of the Adhaalath Party who spoke at that rally, was convicted on charges of terrorism and <a href="https://www.theguardian.com/world/2016/feb/17/maldives-court-jails-opposition-figure-sheikh-imran-abdulla-for-12-years">sentenced to 12 years' imprisonment</a>.</p>
<p>As a result of his advocacy for freedom of religion and freedom of expression in the Maldives, Yameen <a href="https://twitter.com/yaamyn/status/711796772985659392">received death threats</a> on multiple occasions that he reported to the police, who refused to do anything about those complaints.</p>
<p>Why, despite receiving death threats, did Yameen continue to voice his opinions fearlessly? When asked, "Do you have a death wish?", <a href="https://twitter.com/yaamyn/status/630344675958718464">he replied</a>: "No. I have a dignified life wish."</p>
<p>Amnesty International has called upon the Maldivian authorities to conduct a full investigation into this killing. I, however, believe that there is no hope for justice from the very police that refused to protect Yameen, and whom he held to be complicit in the disappearance of Rilwan. As Yameen said in 2015, <a href="https://twitter.com/yaamyn/status/569766158926131200">it is time for the international community to act</a>. I hope each of you reading this contacts your external affairs ministry and asks them to apply pressure on the Maldivian authorities, and push for an international investigation into the breakdown of human rights in the Maldives.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/yameen-rasheed-human-rights-maldives'>http://editors.cis-india.org/internet-governance/blog/yameen-rasheed-human-rights-maldives</a>
</p>
No publisher | pranesh | Freedom of Speech and Expression, Maldives | 2017-04-25T10:12:48Z | Blog Entry
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’
http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations
<b>Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.</b>
<p>The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html">Hindustan Times</a> on April 3, 2017.</p>
<hr />
<p> </p>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/Aaadhaar.png" alt="Aadhaar" class="image-inline" title="Aadhaar" /><br />Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.<br />(Siddhant Jumde / HT Illustration)</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.<br /><br />OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.<br /><br />Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.</p>
<p style="text-align: justify; ">The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).<br /><br />It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.<br /><br />It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).</p>
<p style="text-align: justify; ">But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.<br /><br />In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.<br /><br />The citizen must be transparent to the state, while the state will become more opaque to the citizen.</p>
<h2 style="text-align: justify; ">How Did Aadhaar Change?</h2>
<table class="invisible">
<tbody>
<tr>
<td style="text-align: justify; ">
<p> </p>
<p>How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?</p>
<p>The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.</p>
</td>
<td><img src="http://www.hindustantimes.com/rf/image_size_960x540/HT/p2/2017/04/01/Pictures/_36723476-16e4-11e7-85c6-0f0e633c038c.jpg" /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by which time UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.</p>
<blockquote class="pullquote" style="text-align: justify; ">Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software.</blockquote>
<p style="text-align: justify; ">Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.</p>
<p style="text-align: justify; ">At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.</p>
<p style="text-align: justify; ">UID has changed in other ways too. In 2009, it was planned as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.</p>
<p style="text-align: justify; ">With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.</p>
<h3 style="text-align: justify; ">Security Concerns</h3>
<p style="text-align: justify; ">With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.</p>
<p style="text-align: justify; ">Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people’s names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</p>
<p style="text-align: justify; ">In 2015, researchers at Carnegie Mellon captured the iris scans of a driver using a car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.</p>
<blockquote class="pullquote" style="text-align: justify; ">Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</blockquote>
<p style="text-align: justify; ">In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.</p>
<p style="text-align: justify; ">All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change them, you can’t block them.</p>
<p style="text-align: justify; ">The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.</p>
<p style="text-align: justify; ">Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations</a>
</p>
No publisher | pranesh | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-04-04T16:10:06Z | Blog Entry
Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<div id="_mcePaste" style="text-align: justify; "><ol>
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol></div>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">Found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. A MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps a log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, <strong>I would suggest that you change your password immediately</strong>. Can’t leave out a possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th Sep, 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to latest versions leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. As I said before, the vulnerability exists because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that’s a privacy problem that was reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
No publisher; pranesh; Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management; 2016-12-04T19:08:56Z; Blog Entry
Internet Rights and Wrongs
http://editors.cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs
<b>With a rise in PILs for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?</b>
<p style="text-align: justify; ">The article was published in India Today on September 1, 2016. The original piece <a class="external-link" href="http://indiatoday.intoday.in/story/internet-isp-websites-censorship/1/754038.html">can be read here</a>.</p>
<hr />
<p style="text-align: justify; ">Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.</p>
<p style="text-align: justify; ">Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies were released, without showing that even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.</p>
<p style="text-align: justify; ">In 2012, hackers got into Reliance Communications' servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth, a group MD in Reliance ADA Group, to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law, none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.</p>
<p style="text-align: justify; ">In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition, which I have had the misfortune of having read carefully, does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.</p>
<p style="text-align: justify; ">The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?</p>
No publisher; pranesh; Freedom of Speech and Expression, IT Act, Internet Governance, Censorship; 2016-09-22T23:36:14Z; Blog Entry
Glaring Errors in UIDAI's Rebuttal
http://editors.cis-india.org/internet-governance/blog/glaring-errors-in-uidai-rebuttal-epw
<b>This response note by Pranesh Prakash questions Unique Identification Authority of India’s reply to Hans Verghese Mathews' article titled “Flaws in the UIDAI Process” (EPW, March 12, 2016), which found “serious mathematical errors” in the article.</b>
<p> </p>
<p>The article was <a class="external-link" href="http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebuttal.html">published in Economic & Political Weekly</a> Vol. 51, Issue No. 36, September 3, 2016.</p>
<hr />
<p style="text-align: justify;">While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).</p>
<p style="text-align: justify;">The UIDAI alleges that Mathews ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).</p>
<p style="text-align: justify;">However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors: 10 fingerprints and 2 irises). <br /><br />Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing a rationale for it to be a linear curve as opposed to anything else). Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only by using the upper bound, and not by using anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.<br /><br />If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.</p>
<p style="text-align: justify;">In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.</p>
<hr />
<p style="text-align: justify;"><strong>References</strong></p>
<div id="stcpDiv" style="text-align: justify;">UIDAI (nd): “Role of Biometric Technology in Aadhaar Enrollment,” Unique Identification Authority of India, Government of India, New Delhi, viewed on 18 August 2016, <a class="external-link" href="https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology">https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology</a></div>
<div style="text-align: justify;"> </div>
<div style="text-align: justify;"><strong>Related Links</strong></div>
<div style="text-align: justify;"> </div>
<div style="text-align: justify;">
<div id="stcpDiv">
<ol>
<li>Flaws in the UIDAI Process <a href="http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html">http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html</a></li>
<li>Erring on Aadhaar <a href="http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html">http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html</a></li>
<li>Request for Specifics <a href="http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-uidai.html">http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-u...</a></li>
<li>Glaring Errors in UIDAI's Rebuttal <a href="http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebuttal.html">http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebutt...</a></li>
<li>Overlooking the UIDAI Process <a href="http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathews-and-pranesh-prakashs-rebuttal.html">http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathe...</a></li></ol>
</div>
</div>
No publisher; pranesh; UID, Aadhaar, Internet Governance, Privacy; 2016-09-18T03:22:32Z; Blog Entry
CIS Submission to TRAI Consultation on Free Data
http://editors.cis-india.org/internet-governance/blog/cis-submission-trai-consultation-free-data
<b>The Telecom Regulatory Authority of India (TRAI) held a consultation on Free Data, for which CIS sent in the following comments.</b>
<p> </p>
<p>The Telecom Regulatory Authority of India (TRAI) asked for <a href="http://trai.gov.in/WriteReadData/ConsultationPaper/Document/CP_07_free_data_consultation.pdf">public comments on free data</a>. Below are the comments that CIS submitted to the four questions that it posed.</p>
<p> </p>
<h2 id="question-1">Question 1</h2>
<p><em>Is there a need to have TSP agnostic platform to provide free data or suitable reimbursement to users, without violating the principles of Differential Pricing for Data laid down in TRAI Regulation? Please suggest the most suitable model to achieve the objective.</em></p>
<h3 id="is-there-a-need-for-free-data">Is There a Need for Free Data?</h3>
<p>No, there is no <em>need</em> for free data, just as there is no <em>need</em> for telephony or Internet. However, making provisions for free data would increase the amount of innovation in the Internet and telecom sector, and there is a good probability that it would lead to faster adoption of the Internet, and thus be beneficial in terms of commerce, freedom of expression, freedom of association, and many other ways.</p>
<p>Thus the question that a telecom regulator should ask is not whether there is a <em>need</em> for TSP agnostic platforms, but whether such platforms are harmful for competition, for consumers, and for innovation. The telecom regulator ought not undertake regulation unless there is evidence to show that harm has been caused or that harm is likely to be caused. In short, TRAI should not follow the precautionary principle, since the telecom and Internet sectors are greatly divergent from environmental protection: the burden of proof for showing that something ought to be prohibited ought to be on those calling for prohibition.</p>
<h3 id="goal-regulating-gatekeeping">Goal: Regulating Gatekeeping</h3>
<p>TRAI wouldn’t need to regulate price discrimination or Net neutrality if ISPs were not “gatekeepers” for last-mile access. “Gatekeeping” occurs when a single entity establishes itself as an exclusive route to reach a large number of people and businesses or, in network terms, nodes. It is not possible for Internet services to reach their end customers without passing through ISPs (generally telecom networks). The situation is very different in the middle-mile and for backhaul. Even though anti-competitive terms may exist in the middle-mile, especially given the opacity of terms in “transit agreements”, a packet is usually able to travel through multiple routes if one route is too expensive (even if that is not the shortest network path, and is thus inefficient in a way). However, this multiplicity of routes is generally not possible in the last mile.<a id="fnref1" class="footnoteRef" href="#fn1"><sup>1</sup></a> This leaves last mile telecom operators (ISPs) in a position to unfairly discriminate between different Internet services or destinations or applications, while harming consumer choice.</p>
<p>However, the aim of regulation by TRAI cannot be to prevent gatekeeping, since that is not possible as long as there are a limited number of ISPs. For instance, even by the very act of charging money for access to the Internet, ISPs are guilty of “gatekeeping” since they are controlling who can and cannot access an Internet service that way. Instead, the aim of regulation by TRAI should be to “regulate gatekeepers to ensure they do not use their gatekeeping power to unjustly discriminate between similarly situated persons, content or traffic”, as we proposed in our submission to TRAI (on OTTs) last year.</p>
<h3 id="models-for-free-data">Models for Free Data</h3>
<p>There are multiple models possible for free data, none of which TRAI should prohibit unless it would enable OTTs to abuse their gatekeeping powers.</p>
<h4 id="government-incentives-for-non-differentiated-free-data">Government Incentives For Non-Differentiated Free Data</h4>
<p>The government may opt to require all ISPs to provide free Internet to all at a minimum QoS in exchange for exemption from paying part of their USO contributions, or the government may pay ISPs for such access using their USO contributions.</p>
<p>TRAI should recommend to DoT that it set up a committee to study the feasibility of this model.</p>
<h4 id="isp-subsidies">ISP subsidies</h4>
<p>ISP subsidies of Internet access only make economic sense for the ISP when the following ‘Goldilocks’ condition is met: the experience with the subsidised service is ‘good enough’ for the consumers to want to continue to use such services, but ‘bad enough’ for a large number of them to want to move to unsubsidised, paid access.</p>
<ol style="list-style-type: decimal;">
<li>Providing free Internet to all at a low speed.
<ol style="list-style-type: lower-alpha;">
<li>This naturally discriminates against services and applications such as video streaming, but does not technically bar access to them.</li></ol>
</li>
<li>Providing free access to the Internet with other restrictions on quality that aren’t discriminatory with respect to content, services, or applications.</li></ol>
<h4 id="rewards-model">Rewards model</h4>
<p>A TSP-agnostic rewards platform will only come within the scope of TRAI regulation if the platform has some form of agreement with the TSPs, even if only collectively. If the rewards platform doesn’t have any agreement with any TSP, then TRAI does not have the power to regulate it. However, if the rewards platform has an agreement with any TSP, it is unclear whether it would be allowed under the Differential Data Tariff Regulation, since clause 3(2) read with paragraph 30 of the Explanatory Memorandum might disallow such an agreement.</p>
<p>Assuming for the sake of argument that platforms with such agreements are not disallowed, such platforms can engage in either post-purchase credits or pre-purchase credits, or both. In other words, it could be a situation where a person has to purchase a data pack, engage in some activity relating to the platform (answer surveys, use particular apps, etc.) and thereupon get credit of some form transferred to one’s SIM, or it could be a situation where even without purchasing a data pack, a consumer can earn credits and thereupon use those credits towards data.</p>
<p>The former kind of rewards platform is not as useful when it comes to encouraging people to use the Internet, since only those who already see worth in using the Internet (and can afford it) will purchase a data pack in the first place. The second form, on the other hand, is quite useful, and could be encouraged. However, this second model is not as easily workable, economically, for fixed line connections, since there is a higher initial investment involved.</p>
<h4 id="recharge-api">Recharge API</h4>
<p>A recharge API could be fashioned in one of two ways. The first is via the operating system on the phone, allowing a TSP or third parties (whether OTTs or other intermediaries) to transfer credit, bought wholesale, to the SIM card on the phone. The second is for all TSPs to provide a recharge API for the use of third parties. Only the second model is likely to result in a “toll-free” experience since in the first model, like in the case of a rewards platform that requires up-front purchase of data packs, there has to be an investment made first before that amount is recouped. This is likely to hamper the utility of such a model.</p>
<p>Further, in the first case, TRAI would probably not have the powers to regulate such transactions, as there would be no need for any involvement by the TSP. If anti-competitive agreements or abuse of dominant position seems to be taking place, it would be up to the Competition Commission of India to investigate.</p>
<p>However, the second model would have to be overseen by TRAI to ensure that the recharge APIs don’t impose additional costs on OTTs, or unduly harm competition and innovation. For instance, there ought to be an open specification for such an API, which all the TSPs should use in order to reduce the costs on OTTs. Further, there should be no exclusivity, and no preferential treatment provided for the TSPs’ sister concerns or partners.</p>
<h4 id="example-sites">“0.example” sites</h4>
<p>Other forms of free data, for instance TSPs choosing not to charge for low-bandwidth traffic, should be allowed, as long as they are not discriminatory and do not impose increased barriers to entry for OTTs. For instance, if a website self-certifies that it is low-bandwidth and optimized for Internet-enabled feature phones and uses 0.example.tld to signal this (just as wap.* were used for WAP sites and m.* are used for mobile-optimized versions of many sites), then there is no reason why TSPs should be prohibited from not charging for the data consumed by such websites, as long as the TSP does so uniformly without discrimination. In such cases, the TSP is not harming competition, harming consumers, nor abusing its gatekeeping powers.</p>
<h4 id="ott-agnostic-free-data">OTT-agnostic free data</h4>
<p>If a TSP decides not to charge for specific forms of traffic (for example, video, or for locally-peered traffic) regardless of the Internet service from which that traffic emanates, as long as it does so with the end customer’s consent, then there is no question of the TSP harming competition, harming consumers, nor abusing its gatekeeping powers. There is no reason such schemes should be prohibited by TRAI unless they distort markets and harm innovation.</p>
<h4 id="unified-marketplace">Unified marketplace</h4>
<p>One other way to do what is proposed as the “recharge API” model is to create a highly-regulated market where the gatekeeping powers of the ISP are diminished, and the ISP’s ability to leverage its exclusive access over its customers is curtailed. A comparison may be drawn here to the rules that are often set by standard-setting bodies where patents are involved: given that these patents are essential inputs, access to them must be allowed through fair, reasonable, and non-discriminatory licences. Access to the Internet and common carriers like telecom networks, being even more important (since alternatives exist to particular standards, but not to the Internet itself), must be placed on an even higher pedestal and thus be subject to even stricter regulation to ensure fair competition.</p>
<p>A marketplace of this sort would impose some regulatory burdens on TRAI and place burdens on innovations by the ISPs, but a regulated marketplace harms ISP innovation less than not allowing a market at all.</p>
<p>At a minimum, such a marketplace must ensure non-exclusivity, non-discrimination, and transparency. Thus, at a minimum, a telecom provider cannot discriminate between any OTTs who want similar access to zero-rating. Further, a telecom provider cannot prevent any OTT from zero-rating with any other telecom provider. To ensure that telecom providers are actually following this stipulation, transparency is needed, as a minimum.</p>
<p>Transparency can take one of two forms: transparency to the regulator alone and transparency to the public. Transparency to the regulator alone would enable OTTs and ISPs to keep the terms of their commercial transactions secret from their competitors, but enable the regulator, upon request, to ensure that this doesn’t lead to anti-competitive practices. This model would increase the burden on the regulator, but would be more palatable to OTTs and ISPs, and more comparable to the wholesale data market where the terms of such agreements are strictly-guarded commercial secrets. On the other hand, requiring transparency to the public would reduce the burden on the regulator, despite coming at a cost of secrecy of commercial terms, and is far more preferable.</p>
<p>Beyond transparency, a regulation could take the form of insisting on standard rates and terms for all OTT players, with differential usage tiers if need be, to ensure that access is truly non-discriminatory. This is how the market is structured on the retail side.</p>
<p>Since there are transaction costs in individually approaching each telecom provider for such zero-rating, the market would greatly benefit from a single marketplace where OTTs can come and enter into agreements with multiple telecom providers.</p>
<p>Even in this model, telecom networks will be charging based not only on the fact of the number of customers they have, but on the basis of them having exclusive routing to those customers. Further, even under the standard-rates based single-market model, a particular zero-rated site may be accessible for free from one network, but not across all networks: unlike the situation with a toll-free number in which no such distinction exists.</p>
<p>To resolve this, the regulator may propose that if an OTT wishes to engage in paid zero-rating, it will need to do so across all networks, since if it doesn’t there is risk of providing an unfair advantage to one network over another and increasing the gatekeeper effect rather than decreasing it.</p>
<h2 id="question-2">Question 2</h2>
<p><em>Whether such platforms need to be regulated by the TRAI or market be allowed to develop these platforms?</em></p>
<p>In many cases, TRAI would have no powers over such platforms, so the question of TRAI regulating does not arise. In all other cases, TRAI can allow the market to develop such platforms, and then see if any of them violates the Discriminatory Data Tariffs Regulation. For government-incentivised schemes that are proposed above, TRAI should take proactive measures in getting their feasibility evaluated.</p>
<h2 id="question-3">Question 3</h2>
<p><em>Whether free data or suitable reimbursement to users should be limited to mobile data users only or could it be extended through technical means to subscribers of fixed line broadband or leased line?</em></p>
<p>Spectrum is naturally a scarce resource, though technological advances (as dictated by Cooper’s Law) and more efficient management of spectrum make it less so. However, we have seen that fixed-line broadband has more or less stagnated for the past many years, while mobile access has increased. So the market distortionary power of fixed-line providers is far less than that of mobile providers. However, competition is far less in fixed-line Internet access services, while it is far higher in mobile Internet access. Switching costs in fixed-line Internet access services are also far higher than in mobile services. Given these differences, the regulation with regard to price discrimination might justifiably be different.</p>
<p>All in all, for this particular issue, it is unclear why different rules should apply to mobile users and fixed line users.</p>
<h2 id="question-4">Question 4</h2>
<p><em>Any other issue related to the matter of Consultation.</em></p>
<p>None.</p>
<div class="footnotes">
<hr />
<ol>
<li id="fn1">
<p>In India’s mobile telecom sector, according to a Nielsen study, an estimated 15% of mobile users are multi-SIM users, meaning the “gatekeeping” effect is significantly reduced in both directions: Internet services can reach them via multiple ISPs, and conversely they can reach Internet services via multiple ISPs. <em>See</em> Nielsen, ‘Telecom Transitions: Tracking the Multi-SIM Phenomena in India’, http://www.nielsen.com/in/en/insights/reports/2015/telecom-transitions-tracking-the-multi-sim-phenomena-in-india.html<a href="#fnref1">↩</a></p>
</li></ol>
</div>
No publisher; pranesh; Telecom, Homepage, TRAI, Net Neutrality, Featured, Internet Governance, Submissions; 2016-07-01T16:04:27Z; Blog Entry
Jurisdiction: The Taboo Topic at ICANN
http://editors.cis-india.org/internet-governance/blog/jurisdiction-the-taboo-topic-at-icann
<b>The "IANA Transition" that is currently underway is a sham since it doesn't address the most important question: that of jurisdiction. This article explores why the issue of jurisdiction is the most important question, and why it remains unaddressed.</b>
<br />
<p>In March 2014, the <a href="https://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions">US government announced</a> that they were going to end the contract they have with ICANN to run the <a href="https://www.iana.org/">Internet Assigned Numbers Authority</a> (IANA), and hand over control to the “global multistakeholder community”. They insisted that the plan for transition had to come through a multistakeholder process and have stakeholders “across the global Internet community”.</p>
<h2 id="why-is-the-u.s.-government-removing-the-ntia-contract">Why is the U.S. government removing the NTIA contract?</h2>
<p>The main reason for the U.S. government's action is that it will get rid of a political thorn in the U.S. government's side: keeping the contract allows them to be called out as having a special role in Internet governance (with the Affirmation of Commitments between the U.S. Department of Commerce and ICANN, the IANA contract, and the cooperative agreement with Verisign), and engaging in unilateralism with regard to the operation of the root servers of the Internet naming system, while repeatedly declaring that they support a multistakeholder model of Internet governance.</p>
<p>This contradiction is what they are hoping to address. Doing away with the NTIA contract will also increase — ever so marginally — ICANN’s global legitimacy: this is something that world governments, civil society organizations, and some American academics have been asking for nearly since ICANN’s inception in 1998. For instance, here are some demands made <a href="https://www.itu.int/net/wsis/docs2/pc3/contributions/sca/hbf-29.doc">in a declaration by the Civil Society Internet Governance Caucus at WSIS, in 2005</a>:</p>
<blockquote>
<p>“ICANN will negotiate an appropriate host country agreement to replace its California Incorporation, being careful to retain those aspects of its California Incorporation that enhance its accountability to the global Internet user community. "ICANN's decisions, and any host country agreement, must be required to comply with public policy requirements negotiated through international treaties in regard to, inter alia, human rights treaties, privacy rights, gender agreements and trade rules. … "It is also expected that the multi-stakeholder community will observe and comment on the progress made in this process through the proposed [Internet Governance] Forum."</p>
</blockquote>
<p>In short: the objective of the transition is political, <a href="http://editors.cis-india.org/internet-governance/blog/">not technical</a>. In an ideal world, we <em>should</em> aim at reducing U.S. state control over the core of the Internet's domain name system.<a href="#fn1" class="footnoteRef" id="fnref1"><sup>1</sup></a></p>
<p>It is our contention that <strong>U.S. state control over the core of the Internet's domain name system is <em>not</em> being removed</strong> by the transition that is currently underway.</p>
<h2 id="why-is-the-transition-happening-now">Why is the Transition Happening Now?</h2>
<p>The U.S. government has in the past committed to finishing the IANA transition by "September 30, 2000" (the <a href="https://www.icann.org/resources/unthemed-pages/white-paper-2012-02-25-en">White Paper on Management of Internet Names and Addresses</a> states: "The U.S. Government would prefer that this transition be complete before the year 2000. To the extent that the new corporation is established and operationally stable, September 30, 2000 is intended to be, and remains, an 'outside' date.") and later by "fall of 2006",<a href="#fn2" class="footnoteRef" id="fnref2"><sup>2</sup></a> but those turned out to be empty promises. This time, however, the transition seems to be going through, unless the U.S. Congress manages to halt it.</p>
<p>However, in order to answer the question of "why now?" fully, one has to look a bit at the past.</p>
<p>In 1998, through the <a href="https://www.icann.org/resources/unthemed-pages/white-paper-2012-02-25-en">White Paper on Management of Internet Names and Addresses</a>, the U.S. government <a href="http://www.icannwatch.org/archive/mueller_icann_and_internet_governance.pdf">asserted its control over the root</a>, and asserted — some would say arrogated to itself — the power to put out contracts for both the IANA functions and the 'A' Root (i.e., the Root Zone Maintainer function that Network Solutions Inc. then performed, and continues to perform to date in its current avatar as Verisign). The IANA functions contract — a periodically renewable contract — was awarded to ICANN, a California-based non-profit corporation that was set up exclusively for this purpose, but which evolved around the existing IANA (to placate the Internet Society).</p>
<p>Meanwhile, of course, there were criticisms of ICANN from multiple foreign governments and civil society organizations. Further, despite it being a California-based non-profit on contract with the government, domestically within the U.S., there was pushback from constituencies that felt that more direct U.S. control of the DNS was important.</p>
<p>As Goldsmith and Wu summarize:</p>
<blockquote>
<p>"Milton Mueller and others have shown that ICANN’s spirit of “self-regulation” was an appealing label for a process that could be more accurately described as the U.S. government brokering a behind-the-scenes deal that best suited its policy preferences ... the United States wanted to ensure the stability of the Internet, to fend off the regulatory efforts of foreign governments and international organizations, and to maintain ultimate control. The easiest way to do that was to maintain formal control while turning over day-to-day control of the root to ICANN and the Internet Society, which had close ties to the regulation-shy American technology industry." [footnotes omitted]</p>
</blockquote>
<p>And that brings us to the first reason that the NTIA announced the transition in 2014, rather than earlier.</p>
<h3 id="icann-adjudged-mature-enough">ICANN Adjudged Mature Enough</h3>
<p>The NTIA now sees ICANN as being mature enough: the final transition was announced 16 years after ICANN's creation, and complaints about ICANN and its legitimacy had largely died down in the international arena in the meantime. Nowadays, governments across the world send their representatives to ICANN, thus legitimizing ICANN. States have largely been satisfied by participating in the Government Advisory Council, which, as its name suggests, only has advisory powers. Further, unlike in the early days, there is <a href="http://www.internetgovernance.org/2012/05/24/threat-analysis-of-itus-wcit-part-1-historical-context/">no serious push for states assuming control of ICANN</a>. Of course they grumble about the ICANN Board not following their advice, but no government, as far as I am aware, has walked out or refused to participate.</p>
<h3 id="laffaire-snowden">L'affaire Snowden</h3>
<p>Many within the United States, and some without, believe that the United States not only has an exceptional role to play in the running of the Internet — by dint of historical development and dominance of American companies — but that <em>it ought to</em> have an exceptional role because it is the best country to exercise 'oversight' over 'the Internet' (often coming from <a href="http://www.wsj.com/articles/SB10001424052702303563304579447362610955656">clueless commentators</a>), and from dinosaurs of the Internet era, like <a href="http://www.circleid.com/posts/20140316_if_the_stakeholders_already_control_the_internet_netmundial_iana/">American IP lawyers</a> and <a href="http://www.lawfareblog.com/2014/03/who-controls-the-internet-address-book-icann-ntia-and-iana/">American 'homeland' security hawks</a>, Jones Day, who are ICANN's lawyers, and other <a href="http://homepages.wmich.edu/~cooneys/poems/cummings.nextto.html">jingoists</a> and those policymakers who are controlled by these narrow-minded interests.</p>
<p>The Snowden revelations were, in that way, a godsend for the NTIA, as it allowed them a fig-leaf of <a href="http://www.ft.com/cms/s/0/4529516c-c713-11e3-889e-00144feabdc0.html">international</a> <a href="https://www.rt.com/usa/nsa-fallout-relinquish-internet-oversight-002/">criticism</a> <a href="https://twitter.com/carolinegreer/status/454253411576598528">with which</a> to counter these domestic critics and carry on with a transition that they have been seeking to put into motion for a while. The Snowden revelations led Dilma Rousseff, President of Brazil, to state in September 2013, at the 68th U.N. General Assembly, that Brazil would "present proposals for the establishment of a <a href="https://gadebate.un.org/sites/default/files/gastatements/68/BR_en.pdf">civilian multilateral framework for the governance and use of the Internet</a>", and as <a href="https://icannwiki.com/Diego_Canabarro">Diego Canabarro</a> points out this catalysed the U.S. government and the technical community into taking action.</p>
<p>Given this context, a few months after the Snowden revelations, the so-called <a href="https://www.apnic.net/community/ecosystem/i*orgs">I* organizations</a> met — seemingly with the blessing of the U.S. government<a href="#fn3" class="footnoteRef" id="fnref3"><sup>3</sup></a> — in Montevideo, and put out a <a href="https://www.apnic.net/publications/news/2013/montevideo-statement-on-future-of-internet-cooperation">'Statement on the Future of Internet Governance'</a> that sought to link the Snowden revelations on pervasive surveillance with the need to urgently transition the IANA stewardship role away from the U.S. government. Of course, the signatories to that statement knew fully well, as did most of the readers of that statement, that there is no linkage between the Snowden revelations about pervasive surveillance and the operations of the DNS root, but still they, and others, linked them together. Specifically, the I* organizations called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing."</p>
<p>One could posit the existence of two other contributing factors as well.</p>
<p>Given political realities in the United States, a transition of this sort is probably best done before an ultra-jingoistic President steps into office.</p>
<p>Lastly, the ten-yearly review of the World Summit on Information Society was currently underway. At the original WSIS (as seen from the civil society quoted above) the issue of US control over the root was a major issue of contention. At that point (and during where the 2006 date for globalization of ICANN was emphasized by the US government).</p>
<h2 id="why-jurisdiction-is-important">Why Jurisdiction is Important</h2>
<p>Jurisdiction has a great many aspects. <em>Inter alia</em>, these are:</p>
<ul>
<li>Legal sanctions applicable to changes in the root zone (for instance, what happens if a country under US sanctions requests a change to the root zone file?)</li>
<li>Law applicable to resolution of contractual disputes with registries, registrars, etc.</li>
<li>Law applicable to labour disputes.</li>
<li>Law applicable to competition / antitrust law that applies to ICANN policies and regulations.</li>
<li>Law applicable to disputes regarding ICANN decisions, such as allocation of gTLDs, or non-renewal of a contract.</li>
<li>Law applicable to consumer protection concerns.</li>
<li>Law applicable to financial transparency of the organization.</li>
<li>Law applicable to corporate condition of the organization, including membership rights.</li>
<li>Law applicable to data protection-related policies & regulations.</li>
<li>Law applicable to trademark and other speech-related policies & regulations.</li>
<li>Law applicable to legal sanctions imposed by a country against another.</li>
</ul>
<p>Some of these, but not all, depend on where bodies like ICANN [the policy-making body], the IANA functions operator [the proposed "Post-Transition IANA"], and the root zone maintainer are incorporated or maintain their primary office, while others depend on the location of the office [for instance, Turkish labour law applies for the ICANN office in Istanbul], while yet others depend on what's decided by ICANN in contracts (for instance, the resolution of contractual disputes with ICANN, filing of suits with regard to disputes over new generic TLDs, etc.).</p>
<p>However, an issue like sanctions, for instance, depends on where ICANN/PTI/RZM are incorporated and maintain their primary office.</p>
<p>As <a href="http://content.netmundial.br/contribution/roadmap-for-globalizing-iana-four-principles-and-a-proposal-for-reform-a-submission-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/96">Milton Mueller notes</a>, the current IANA contract "requires ICANN to be incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."</p>
<p>He further notes that:</p>
<blockquote>
<p>While it is common to assert that the U.S. has never abused its authority and has always taken the role of a neutral steward, this is not quite true. During the controversy over the .xxx domain, the Bush administration caved in to domestic political pressure and threatened to block entry of the domain into the root if ICANN approved it (Declaration of the Independent Review Panel, 2010). It took five years, an independent review challenge and the threat of litigation from a businessman willing to spend millions to get the .xxx domain into the root.</p>
</blockquote>
<p>Thus it is clear that even if the NTIA's role in the IANA contract goes away, jurisdiction remains an important issue.</p>
<h2 id="u.s.-doublespeak-on-jurisdiction">U.S. Doublespeak on Jurisdiction</h2>
<p>In March 2014, the NTIA finally announced that they would hand over the reins to “the global multistakeholder community”. They laid down two procedural conditions: that the transition proposal be developed by stakeholders across the global Internet community and that it have broad community consensus. They also proposed 5 substantive conditions that any proposal must meet:</p>
<ul>
<li>Support and enhance the multistakeholder model;</li>
<li>Maintain the security, stability, and resiliency of the Internet DNS;</li>
<li>Meet the needs and expectation of the global customers and partners of the IANA services;</li>
<li>Maintain the openness of the Internet; and,</li>
<li>Must not replace the NTIA role with a solution that is government-led or an inter-governmental organization.</li>
</ul>
<p>In that announcement there is no explicit restriction on the jurisdiction of ICANN (whether it relate to its incorporation, the resolution of contractual disputes, resolution of labour disputes, antitrust/competition law, tort law, consumer protection law, privacy law, or speech law, and more, all of which impact ICANN and many, but not all, of which are predicated on the jurisdiction of ICANN’s incorporation), the jurisdiction(s) of the IANA Functions Operator(s) (i.e., which executive, court, or legislature’s orders would it need to obey), and the jurisdiction of the Root Zone Maintainer (i.e., which executive, court, or legislature’s orders would it need to obey).</p>
<p>However, Mr. Larry Strickling, the head of the NTIA, in his <a href="https://www.youtube.com/watch?v=8v-yWye5I0w&feature=youtu.be">testimony before the U.S. House Subcommittee on Communications and Technology</a>, made it clear that,</p>
<blockquote>
<p>“Frankly, if [shifting ICANN or IANA jurisdiction] were being proposed, I don't think that such a proposal would satisfy our criteria, specifically the one that requires that security and stability be maintained.”</p>
</blockquote>
<p>Possibly, that argument made sense in 1998, due to the significant concentration of DNS expertise in the United States. However, in 2015, that argument is hardly convincing, and is frankly laughable.<a href="#fn4" class="footnoteRef" id="fnref4"><sup>4</sup></a></p>
<p>Targeting that remark, at ICANN 54 in Dublin, we asked Mr. Strickling:</p>
<blockquote>
<p>"So as we understand it, the technical stability of the DNS doesn't necessarily depend on ICANN's jurisdiction being in the United States. So I wanted to ask would the US Congress support a multistakeholder and continuing in the event that it's shifting jurisdiction."</p>
</blockquote>
<p>Mr. Strickling's response was:</p>
<blockquote>
<p>"No. I think Congress has made it very clear and at every hearing they have extracted from Fadi a commitment that ICANN will remain incorporated in the United States. Now the jurisdictional question though, as I understand it having been raised from some other countries, is not so much jurisdiction in terms of where ICANN is located. It's much more jurisdiction over the resolution of disputes.</p>
<p>"And that I think is an open issue, and that's an appropriate one to be discussed. And it's one I think where ICANN has made some movement over time anyway.</p>
<p>"So I think you have to ... when people use the word jurisdiction, we need to be very precise about over what issues because where disputes are resolved and under what law they're resolved, those are separate questions from where the corporation may have a physical headquarters."</p>
</blockquote>
<p>As we have shown above, jurisdiction is not only about the jurisdiction of "resolution of disputes", but also, as Mueller reminds us, about the requirement that ICANN (and now, the PTI) be "incorporated in, maintain a physical address in, and perform the IANA functions in the U.S. This makes IANA subject to U.S. law and provides America with greater political influence over ICANN."</p>
<p>In essence, the U.S. government has said that they would veto the transition if the jurisdiction of ICANN or PTI's incorporation were to move out of the U.S., and they can prevent that from happening <em>after</em> the transition, since as things stand ICANN and PTI will still come within the U.S. Congress's jurisdiction.</p>
<h2 id="why-has-the-icg-failed-to-consider-jurisdiction">Why Has the ICG Failed to Consider Jurisdiction?</h2>
<p>Will the ICG proposal or the proposed new ICANN by-laws reduce existing U.S. control? No, they won't. (In fact, as we will argue below, the proposed new ICANN by-laws make this problem even worse.) The proposal by the names community ("the CWG proposal") still has a requirement (in Annex S) that the Post-Transition IANA (PTI) be incorporated in the United States, and a similar suggestion hidden away as a footnote. Further, the proposed by-laws for ICANN include the requirement that PTI be a California corporation. There was no discussion specifically on this issue, nor any documented community agreement on the specific issue of jurisdiction of PTI's incorporation.</p>
<p>Why wasn't there greater discussion and consideration of this issue? For two reasons. First, many argued that the transition would be vetoed by the U.S. government and the U.S. Congress if ICANN and PTI were not to remain in the U.S. Secondly, the ICANN-formed ICG saw the US government’s actions very narrowly, as though the government were acting in isolation, ignoring the rich dialogue and debate that’s gone on earlier about the transition since the incorporation of ICANN itself.</p>
<p>While it would be no one’s case that political considerations should be given greater weightage than technical considerations such as security, stability, and resilience of the domain name system, it is shocking that political considerations have been completely absent in the discussions in the number and protocol parameters communities, and have been extremely limited in the discussions in the names community. This is even more shocking considering that the main reason for this transition is, as has been argued above, political.</p>
<p>It can also be argued that certain IANA functions, such as the Root Zone Management function, have considerable political implications. It is imperative that the political nature of the function is duly acknowledged and dealt with, in accordance with the wishes of the global community. In the current process the political aspects of the IANA function have been completely overlooked and sidelined. It is important to note that this transition has not been necessitated by any technical considerations. It is primarily motivated by political and legal considerations. However, the questions that the ICG asked the customer communities to consider were solely technical. Indeed, the communities could have chosen to overlook that, but they did not choose to do so. For instance, while the IANA customer community proposals reflected on existing jurisdictional arrangements, they did not reflect on how the jurisdictional arrangements should be post-transition, even though this is one of the questions at the heart of the entire transition. There were no discussions and decisions as to the jurisdiction of the Post-Transition IANA: the Accountability CCWG's lawyers, Sidley Austin, recommended that the PTI ought to be a California non-profit corporation, and this finds mention in a footnote without even having been debated by the "global multistakeholder community", and subsequently in the proposed new by-laws for ICANN.</p>
<h2 id="why-the-by-laws-make-things-worse-why-work-stream-2-cant-address-most-jurisdiction-issues">Why the By-Laws Make Things Worse & Why "Work Stream 2" Can't Address Most Jurisdiction Issues</h2>
<p>The by-laws could have simply stayed silent on the matter of what law PTI would be incorporated under, but instead the by-laws make the requirement of PTI being a California non-profit public benefit corporation part of the <em>fundamental by-laws</em>, which are close to impossible to amend.</p>
<p>While "Work Stream 2" (the post-transition work related to improving ICANN's accountability) has jurisdiction as a topic of consideration, the scope of that must necessarily discount any consideration of shifting the jurisdiction of incorporation of ICANN, since all of the work done as part of CCWG Accountability's "Work Stream 1", which is now reflected in the proposed new by-laws, assumes Californian jurisdiction (including the legal model of the "Empowered Community"). Is ICANN prepared to re-do all the work done in WS1 in WS2 as well? If the answer is yes, then the issue of jurisdiction can actually be addressed in WS2. If the answer is no — and realistically it is — then the issue of jurisdiction can only be very partially addressed in WS2.</p>
<p>Keeping this in mind, we recommended specific changes in the by-laws, all of which were rejected by CCWG's lawyers.</p>
<h2 id="the-transition-plan-fails-the-netmundial-statement">The Transition Plan Fails the NETmundial Statement</h2>
<p>The <a href="http://netmundial.br/wp-content/uploads/2014/04/NETmundial-Multistakeholder-Document.pdf">NETmundial Multistakeholder Document</a>, which was an outcome of the NETmundial process, states:</p>
<blockquote>
<p>In the follow up to the recent and welcomed announcement of US Government with regard to its intent to transition the stewardship of IANA functions, the discussion about mechanisms for guaranteeing the transparency and accountability of those functions after the US Government role ends, has to take place through an open process with the participation of all stakeholders extending beyond the ICANN community</p>
<p>[...]</p>
<p>It is expected that the process of globalization of ICANN speeds up leading to a truly international and global organization serving the public interest with clearly implementable and verifiable accountability and transparency mechanisms that satisfy requirements from both internal stakeholders and the global community.</p>
<p>The active representation from all stakeholders in the ICANN structure from all regions is a key issue in the process of a successful globalization.</p>
</blockquote>
<p>As our past analysis has shown, the IANA transition process and the discussions on the mailing lists that shaped it <a href="http://editors.cis-india.org/internet-governance/blog/cis-india.org/internet-governance/blog/global-multistakeholder-community-neither-global-nor-multistakeholder">were neither global nor multistakeholder</a>. The DNS industry represented in ICANN is largely US-based. 3 in 5 registrars are from the United States of America, whereas less than 1% of ICANN-registered registrars are from Africa. Two-thirds of the Business Constituency in ICANN is from the USA. While ICANN-the-corporation has sought to become more global, the ICANN community has remained insular, and this will not change until the commercial interests involved in ICANN can become more diverse, reflecting the diversity of users of the Internet, and a TLD like .COM can be owned by a non-American corporation and the PTI can be a non-American entity.</p>
<h2 id="what-we-need-jurisdictional-resilience">What We Need: Jurisdictional Resilience</h2>
<p>It is no one's case that the United States is less fit than any other country as a base for ICANN, PTI, or the Root Zone Maintainer, or even as the headquarters for 9 of the world's 12 root zone operators (Verisign runs both the A and J root servers). However, just as having multiplicity of root servers is important for ensuring technical resilience of the DNS system (and this is shown in the uptake of Anycast by root server operators), it is equally important to have immunity of core DNS functioning from political pressures of the country or countries where core DNS infrastructure is legally situated and to ensure that we have diversity in terms of legal jurisdiction.</p>
<p>Towards this end, we at CIS have pushed for the concept of "jurisdictional resilience", encompassing three crucial points:</p>
<ul>
<li>Legal immunity for core technical operators of Internet functions (as opposed to policymaking venues) from legal sanctions or orders from the state in which they are legally situated.</li>
<li>Division of core Internet operators among multiple jurisdictions</li>
<li>Jurisdictional division of policymaking functions from technical implementation functions</li>
</ul>
<p>Of these, the most important is the limited legal immunity (akin to a greatly limited form of the immunity that UN organizations get from the laws of their host countries). This kind of immunity could be provided through a variety of different means: a host-country agreement; a law passed by the legislature; a U.N. General Assembly Resolution; a U.N.-backed treaty; and other such options exist. We are currently investigating which of these options would be the best option.</p>
<p>And apart from limited legal immunity, distribution of jurisdictional control is also valuable. As we noted in our submission to the ICG in September 2015:</p>
<blockquote>
<p>Following the above precepts would, for instance, mean that the entity that performs the role of the Root Zone Maintainer should not be situated in the same legal jurisdiction as the entity that functions as the policymaking venue. This would in turn mean that either the Root Zone Maintainer function be taken up by Netnod (Sweden-headquartered) or the WIDE Project (Japan-headquartered) [or RIPE-NCC, headquartered in the Netherlands], or that if the IANA Functions Operator(s) is to be merged with the RZM, then the IFO be relocated to a jurisdiction other than those of ISOC and ICANN. This, as has been stated earlier, has been a demand of the Civil Society Internet Governance Caucus. Further, it would also mean that root zone server operators be spread across multiple jurisdictions (which the creation of mirror servers in multiple jurisdictions will not address).</p>
</blockquote>
<p>However, the issue of jurisdiction seems to be dead-on-arrival, having been killed by the United States government.</p>
<p>Unfortunately, despite the primary motivation for demands for the IANA transition being those of removing the power the U.S. government exercises over the core of the Internet's operations in the form of the DNS, what has ended up happening through the IANA transition is that these powers have not only not been removed, but in some ways they have been entrenched further! While earlier, the U.S. had to specify that the IANA functions operator had to be located in the U.S., now ICANN's by-laws themselves will state that the post-transition IANA will be a California corporation. Notably, while the Montevideo Declaration speaks of "globalization" of ICANN and of the IANA functions, as does the NETmundial statement, the NTIA announcement on their acceptance of the transition proposals speaks of "privatization" of ICANN, and not "globalization".</p>
<p>All in all, the "independence" that IANA is gaining from the U.S. is akin to the "independence" that Brazil gained from Portugal in 1822. Dom Pedro of Brazil was then ruling Brazil as the Prince Regent since his father Dom João VI, the King of the United Kingdom of Portugal, Brazil and the Algarves, had returned to Portugal. In 1822, Brazil declared independence from Portugal (which was formally recognized through a treaty in 1825). Even after this "independence", Dom Pedro continued to rule Portugal just as he had before independence, and Dom João VI was provided the title of "Emperor of Brazil", aside from being King of the United Kingdom of Portugal and the Algarves. The "independence" didn't make a whit of a difference to the self-sufficiency of Brazil: Portugal continued to be its largest trading partner. The "independence" didn't change anything for the nearly 1 million slaves in Brazil, or to the lot of the indigenous peoples of Brazil, none of whom were recognized as "free". It had very little consequence not just in terms of ground conditions of day-to-day living, but even in political terms.</p>
<p>Such is the case with the IANA Transition: U.S. powers over the core functioning of the Domain Name System do not stand diminished after the transition, and they can even arguably be said to have become even more entrenched. Meet the new boss: same as the old boss.</p>
<div class="footnotes">
<hr />
<ol>
<li id="fn1"><p>It is an allied but logically distinct issue that U.S. businesses — registries and registrars — dominate the global DNS industry, and as a result hold the reins at ICANN.<a href="#fnref1">↩</a></p></li>
<li id="fn2"><p>As Goldsmith & Wu note in their book <em>Who Controls the Internet</em>: "Back in 1998 the U.S. Department of Commerce promised to relinquish root authority by the fall of 2006, but in June 2005, the United States reversed course. “The United States Government intends to preserve the security and stability of the Internet’s Domain Name and Addressing System (DNS),” announced Michael D. Gallagher, a Department of Commerce official. “The United States” he announced, will “maintain its historic role in authorizing changes or modifications to the authoritative root zone file.”"<a href="#fnref2">↩</a></p></li>
<li id="fn3"><p>Mr. Fadi Chehadé revealed in an interaction with Indian participants at ICANN 54 that he had a meeting "at the White House" about the U.S. plans for transition of the IANA contract before he spoke about that when <a href="http://articles.economictimes.indiatimes.com/2013-10-22/news/43288531_1_icann-internet-corporation-us-centric-internet">he visited India in October 2013</a>, making the timing of his White House visit around the time of the Montevideo Statement.<a href="#fnref3">↩</a></p></li>
<li id="fn4"><p>As an example, <a href="https://www.nlnetlabs.nl/projects/nsd/">NSD</a>, software that is used on multiple root servers, is funded by a Dutch foundation and a Dutch corporation, and written mostly by European coders.<a href="#fnref4">↩</a></p></li>
</ol>
</div>
No publisher | pranesh | IANA, Internet Governance, Featured, ICANN, IANA Transition | 2016-06-29T07:51:05Z | Blog Entry
List of Blocked 'Escort Service' Websites
http://editors.cis-india.org/internet-governance/blog/list-of-blocked-escort-service-websites
<b>Here is the full list of URLs that Indian ISPs were asked to block on Monday, June 13, 2016.</b>
<p>On April 20, 2016, DNA carried a report on <a href="http://www.dnaindia.com/india/report-pil-seeks-police-action-against-website-ads-on-escort-services-2204362">a PIL seeking action against advertisements for prostitution in newspapers and on websites</a>. That report noted that the Mumbai Police had obtained an order from a magistrates court to block 174 objectionable websites, and had sent a list to the "Group Coordinator (Cyber Laws)" within the Department of Electronics and IT. On June 13, 2016, some news agencies carried reports about <a href="http://www.business-standard.com/article/current-affairs/govt-bans-240-websites-offering-escort-services-116061400561_1.html">the Ministry of Communications and IT having ordered ISPs to block 240 websites</a>.</p>
<p>As far as we know, the Mumbai Police has not proceeded against any of the people who run these websites, whose phone numbers are available, and whose names and addresses are also available in many cases through WHOIS queries on the domain names.</p>
<p>Unfortunately, the government does not make available publicly the list of websites they have ordered ISPs to block. Given that knowledge of what is censored by the government is crucial in a democracy, we are publishing the entire list of blocked websites.</p>
<p>Those of these websites that use TLS (i.e., those with 'https') still appear to be available on multiple Indian ISPs, and others can be accessed by using a proxy or VPN from outside India or by using Tor.</p>
<p>Notes:</p>
<ul>
<li>The list circulated to ISPs has two sub-lists, numbered from 1-174 (but containing 175 entries, with a numbering mistake), and 1-64, for a total of 239 URLs.</li>
<li>4 URLs are repeated in the list ("www.salini.in/navi-mumbai-independent-escort-service.php", "exmumbai.in", "www.mansimathur.in/pinkyagarwal", "www.mumbaifunclubs.com")</li>
<li>For one website, both the domain name and a specific web page within it are listed ("www.mumbaiwali.in" and "www.mumbaiwali.in/navi-mumbai-escort-service.php")</li>
<li>One URL is incomplete (No. 214: "www.independentescortservicemumbai.com/mumbai%20escort%20servi..")</li>
<li>There are thus 235 unique URLs, targeting 234 websites and web pages.</li>
</ul>
<hr />
<h2>Full List of Blocked URLs</h2>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/list-of-blocked-escort-service-websites'>http://editors.cis-india.org/internet-governance/blog/list-of-blocked-escort-service-websites</a>
</p>
No publisher | pranesh | Freedom of Speech and Expression, 69A, Blocking, Censorship | 2016-06-15T08:33:31Z | Blog Entry
CIS's Comments on the Draft Geospatial Information Regulation Bill, 2016
http://editors.cis-india.org/internet-governance/blog/comments-draft-geospatial-information-regulation-bill-2016
<b>The Centre for Internet and Society is alarmed by the Draft Geospatial Information Regulation Bill, 2016, and has recommended that the proposed law be withdrawn in its entirety. It offered the following detailed comments as its submission.</b>
<h1>Comments on the Draft Geospatial Information Regulation Bill, 2016</h1>
<p>by
<em>the Centre for Internet and Society</em></p>
<h2>1. Preliminary</h2>
<p>1.1. This submission presents comments and recommendations by the Centre for Internet and Society (“CIS”) on the <a href="http://mha.nic.in/sites/upload_files/mha/files/GeospatialBill_05052016_eve.pdf">draft Geospatial Information Regulation Bill, 2016</a> (“the draft bill” / “the proposed bill” / “the bill”).</p>
<h2>2. Centre for Internet and Society</h2>
<p><strong>2.1.</strong> The Centre for Internet and Society is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from the perspectives of policy and academic research. The areas of focus include accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.</p>
<p><strong>2.2.</strong> This submission is consistent with CIS’ commitment to safeguarding the public interest, and particularly to representing the interests of ordinary citizens and consumers. The comments in this submission aim to further the principles of people’s <em>right to information</em> regarding their own country, <em>openness-by-default</em> in governmental activities, <em>freedom of speech and expression</em>, and the various forms of <em>public good</em> that can emerge from greater availability of <em>open (geospatial) data</em> created by both public and private agencies, and the <em>innovations</em> made possible as a result.</p>
<h2>3. Comments</h2>
<h3>3.1. General Remarks</h3>
<p><strong>3.1.1.</strong> While CIS welcomes the intentions of the government to prevent use of geospatial information to undermine national security, the proposed bill completely fails to do so, infringes upon Constitutional rights, harms innovation, undermines the national initiatives of Digital India and Startup India, is completely impractical and unworkable, and it will lead to a range of substantial harms if the government actually seeks to enforce it.</p>
<p><strong>3.1.2.</strong> There are already laws in place that prevent the use of geospatial information to undermine national security. For instance, the <a href="http://www.archive.india.gov.in/allimpfrms/allacts/3314.pdf">Official Secrets Act, 1923</a> (“OSA”) already contains provisions — sections 3(2)(a), (b), and (c) — all of which would prevent a person from creating maps that undermine national security and would penalise their doing so. Section 5 of the OSA contains multiple provisions that penalise the possession and communication of maps that undermine “national security.” The penalties under the OSA range from imprisonment of up to 3 years all the way to imprisonment up to 14 years. Given this, there is absolutely no need to create yet another law to deal with maps that undermine “national security.” Indeed, it is the government’s stated policy to reduce the number of laws in India, whereas the proposed bill introduces a redundant new law that adds multiple layers of bureaucracy.</p>
<p><strong>3.1.3.</strong> The <a href="http://surveyofindia.gov.in/files/nmp/National%20Map%20Policy.pdf">National Mapping Policy, 2005</a>, already puts in place restrictions on wrongful depictions of India’s international boundaries, and as we explain below in section 3.4 of this document, even the National Mapping Policy is over-broad. Even if the government wishes to provide statutory backing to the policy, it should be a very different law that is far more limited in scope, and restricts itself to criminalising those who misrepresent India’s international boundary with an intention to mislead people into thinking that that is the official boundary of India as recognised by the Survey of India. CIS would support a law of such limited scope and mandate, provided it has an appropriate penalty.</p>
<p><strong>3.1.4.</strong> There would be much utility in a law that creates a duty on the Survey of India to make available, in the form of an open standard, an official electronic version of the maps that it creates, and expressly allows and encourages citizens and startups to reuse such official maps. However, the Ministry of Home Affairs would not be the nodal ministry for such a law.</p>
<p><strong>3.1.5.</strong> <strong>We recommend that the proposed law be scrapped in its entirety.</strong></p>
<p><strong>3.1.6.</strong> We additionally provide an alternative manner of reducing the harms caused by this bill, in our comments below. By no means should these further comments be seen as a repudiation of our above position, since we do not feel the proposed bill, even with the inclusion of all of our recommendations, would truly further its stated aims. All our below recommendations would do is to reduce the bill’s harmful, and often unintended, consequences.</p>
<h3>3.2. Definition of “Geospatial Information” is over-broad, all-encompassing</h3>
<p><strong>3.2.1.</strong> The second part of the definition of “geospatial information” refers to all “graphic or digital data depicting natural or man-made physical features, phenomenon or boundaries of the earth or any information related thereto” that are “referenced to a co-ordinate system and having attributes.” (Section 2(1)(e)) As per the definition, this will include all geo-referenced information and data that is produced by everyday users as an integral part of various everyday uses of digital technologies. This will also include geo-referenced tweets and messages, location of public and private vehicles shared in real time with agencies tracking their location (from public transport authorities to insurance agencies, etc.), location data of mobile phones collected and used by telecommunication service providers, location of mobile phones shared by the user with various kinds of service providers (from taxi companies to delivery agencies), etc.</p>
<p><strong>3.2.2.</strong> We recommend that instead of regulating all kinds of geospatial information, and giving rise to a range of possible harms, the draft bill be revised to specifically address “sensitive geospatial information,” defined as geospatial information related to the “Prohibited Places” as defined in the Official Secrets Act 1923 (section 2(8)) which will allow the bill to effectively respond to its key stated concerns of ensuring “security, sovereignty and integrity of India.” Since the National Map Policy defines “Vulnerable Points” and “Vulnerable Areas” (para 3(b)) as the two main types of geospatial units associated with “Prohibited Places”, these terms should also be referred to in the revised version of the draft bill.</p>
<h3>3.3. Unreasonable regulation of acquiring and end-use of geospatial information</h3>
<p><strong>3.3.1.</strong> Section 3 of the draft bill states that “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition” and “[e]very person who has already acquired any geospatial imagery or data ... including value addition prior to coming of this Act into effect, shall within one year from the commencement of this Act, make an application alongwith requisite fees to the Security Vetting Authority.” This effectively makes it illegal to acquire and maintain ownership of geospatial information that has not been subjected to security vetting.</p>
<p><strong>3.3.2.</strong> This draft bill doesn’t apply just to geospatial information that may undermine national security but covers all manner of geospatial information. Modern geospatial technologies, embedded in everyday digital devices and intimately connected to various electronic products and services, from cars to mobile phones, result in the creation and acquisition of various kinds of geo-referenced information, ranging from geo-referenced photographs to locations shared with friends. Even ordinary users who are unknowingly looking at maps that contain sensitive geospatial information, which are illegal under the Official Secrets Act, are committing an illegal act under the draft bill, because the user temporarily acquires such sensitive geospatial information in her/his digital device, as part of the very act of browsing the map concerned. This clearly cannot be the intention of the bill. Thus we recommend deletion of the word “acquire.”</p>
<p><strong>3.3.3.</strong> Further, the insertion of the phrase “including value addition” in both Section 3(1) and 3(2) appears to suggest that all users who have created derivative products using geospatial information that includes sensitive data (that is data related to Prohibited Places) may be held liable under this draft bill, even if these users have not themselves collected or created such sensitive geospatial information, which was part of the original geospatial information published by the source map agency. This too cannot be the intention of the bill. Thus, we recommend deletion of the phrase “including value addition.”</p>
<p><strong>3.3.4.</strong> In the definition of the “Security Vetting of Geospatial Information” itself, it is mentioned that the process will include “screening of the credentials of the end-users and end-use applications, with the sole objective of protecting national security, sovereignty, safety and integrity.” (Section 2(1)(o)) This appears to indicate that all end-users of all electronic and analog services and products using geospatial information will have to be individually vetted before such services and products are used, which would cover a large proportion of the Indian population. This imposes an enormous and impractical burden on the Indian digital economy in particular, and the entire national economy in general, without improving national security. This too cannot be the intention of the draft bill. Thus, we recommend deleting this phrase and ensuring that end users are not covered by the law.</p>
<p><strong>3.3.5.</strong> Given these specific characteristics of how modern geospatial technologies work, and how they provide a basis for various kinds of everyday use of electronic products and services, we would like to submit that the regulatory focus should be on large-scale and/or commercial dissemination, publication, or distribution of geospatial information, and not on the acts of acquiring, possessing, sharing, and using geospatial information. Further, the regulation in general should be aimed at the party owning the geospatial information in question, and not at the parties involved in its dissemination (say, Internet Service Providers) or in its generation or use (say, end-users).</p>
<h3>3.4. Removal of journalistic, political, artistic, creative, and speculative depictions of India from the scope of Section 6</h3>
<p><strong>3.4.1.</strong> Section 6 of the draft bill states that “[n]o person shall depict, disseminate, publish or distribute any wrong or false topographic information of India including international boundaries through internet platforms or online services or in any electronic or physical form.” Section 15 imposes a penalty for such wrong depiction of maps of India.</p>
<p><strong>3.4.2.</strong> Depictions of India, which do not purport to accurately represent the international boundaries as recognised by the Indian government should not be penalised. For instance, a map published in a newspaper article about India’s border disputes that shows the incorrect claims that the Chinese government has made over Indian territory would also be penalised as “wrong or false topographic information of India”, since there is a clear intention to depict the boundary as claimed by China. Criminalising such journalism cannot be the legitimate intent of such a provision.</p>
<p><strong>3.4.3.</strong> There are numerous instances of inaccurate and inauthentic maps of India with international borders being wilfully depicted for political ends. For instance, there are often depictions of India which show territories within present day Pakistan, Bangladesh, Bhutan, Nepal and Sri Lanka as part of an “Akhand Bharat.” Depictions of this sort should not be penalised. Doing so would contradict the freedom of expression guaranteed under Article 19(1)(a) without being a reasonable restriction under Article 19(2).</p>
<p><strong>3.4.4.</strong> Even depictions of India for purposes of speculative fiction would be penalised under this proposed bill unless they depict the official borders. This is clearly undesirable and would not be allowed as a reasonable restriction under Article 19(2).</p>
<p><strong>3.4.5.</strong> Even geography students in schools and colleges who mis-draw the official map of India would be liable to penalties under the draft bill. This plainly cannot be the intention of the drafters of this bill. The creator of a rough and inaccurate tourist map of an Indian city can also be identified as committing a criminal act under the proposed bill as she would be depicting “… wrong or false topographic information of India …”</p>
<p><strong>3.4.6.</strong> In brief: merely depicting, disseminating, publishing or distributing any “wrong or false topographic information of India” should not be penalised. Unless a person publishes and widely circulates an incorrect map of India while claiming that it represents the official international boundaries of India, such acts should not be penalised.</p>
<p><strong>3.4.7.</strong> CIS recommends that the bill should instead state: “No person shall depict, disseminate, publish, or distribute any topographic information purporting to accurately depict the international boundaries of India as recognised by the Survey of India unless he is authorised to do so by the Surveyor General of India; provided that usage by any person of the international boundaries as is electronically and in print made available by the Survey of India shall be deemed to be usage that is authorised by the Surveyor General of India.”</p>
<h3>3.5. Absence of Publicly Available and Openly Reusable Standardised National Boundary of India</h3>
<p><strong>3.5.1.</strong> Given the lack of reusable versions of maps of India, including of India’s official boundary as recognised by the Survey of India, it becomes impossible for people to accurately depict the boundary of India. We recommend that the bill require the Survey of India to publish all “Open Series Maps,” as defined in the National Mapping Policy, 2005, including maps depicting the official international and subnational political and administrative boundaries of India, using open geospatial standards and under an open licence allowing such geospatial data to be used by citizens and all companies.</p>
<h3>3.6. Remove Requirement for Prior License for Acquisition, Dissemination, Publication, or Distribution of Geospatial Information</h3>
<p><strong>3.6.1.</strong> Section 9 of the draft bill refers to “any person who wants to acquire, disseminate, publish, or distribute any geospatial information of India” (emphasis added), which can be interpreted as the need for a prior license before any person decides to acquire (including creation, collection, generation, and buying) geospatial information. This creates at least two problems:</p>
<ul>
<li>
<p>modern digital geospatial technologies have enabled everyday digital devices (like smartphones) to instantaneously acquire, disseminate, publish, and distribute geospatial information all the time when the person holding that device is looking at online digital maps, say Google Maps, or sharing location with their friends, online platforms and services and service providers (both local and foreign); and</p>
</li>
<li>
<p>the requirement of prior license involves payment of a “requisite fees” to the Security Vetting Authority, which may act as an arbitrary (since the fee might be based upon the volume of geospatial information to be acquired, which one may not be able to fully determine before acquiring) and effective barrier to acquiring, dissemination, publication, or distribution of geospatial information even if it does not violate the concerns of “security, sovereignty, and integrity” in any manner. This requirement also impedes competition in the market, because new entrants to the geospatial industry may not have enough upfront capital to procure licenses.</p>
</li>
</ul>
<p><strong>3.6.2.</strong> Further, the requirement of necessary prior license for acquiring geospatial information does not seem to be a crucial component of the security vetting process, since the geospatial information, once acquired by the agency concerned, is in any case directed to be shared with the Security Vetting Authority for undertaking necessary expunging of sensitive or incorrect information.</p>
<p><strong>3.6.3.</strong> We recommend revision of this section so that no prior license and/or permission is required for collection, acquiring, distribution, and/or use of geospatial information; instead, a framework may be established for monitoring published geospatial information to ensure that geospatial information pertaining to “Prohibited Places,” as defined under the Official Secrets Act, is not made available to the general public by any person or entity under Indian jurisdiction, including, for instance, Indian subsidiaries and branches of foreign corporations. Such a framework must not address the end-user of such geospatial information, but its publishers.</p>
<h3>3.7. Unenforceable jurisdictional scope</h3>
<p><strong>3.7.1.</strong> Section 5 of the draft bill states “[s]ave as otherwise provided in any international convention, treaty or agreement of which India is signatory or as provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall, in any manner, make use of, disseminate, publish or distribute any geospatial information of India, outside India, without prior permission from the Security Vetting Authority.”</p>
<p><strong>3.7.2.</strong> In compliance with this section, domestic and foreign companies and platforms will be required to obtain permission from the Security Vetting Authority of India prior to publishing, distributing etc. geospatial information. Similarly, in the preliminary, the draft bill holds any person who commits an offence beyond India to be under the scope of the bill. The bill is thus proposing extraterritorial applicability of its provisions, yet the extent and method of enforcement of the same in other jurisdictions are kept unclear.</p>
<h3>3.8. Negative implications for rights of citizens</h3>
<p><strong>3.8.1.</strong> There are a number of sections in the draft bill which have negative implications for the rights of all users and potentially impinge on the constitutional rights of Indian citizens. These include:</p>
<p>a. Section 18(2) which empowers the Enforcement Authority to conduct a search without a judicial search order;</p>
<p>b. Section 17(3) which empowers the Enforcement Authority to conduct undefined surveillance and monitoring to enforce the Act;</p>
<p>c. Chapter (V) which penalises individuals with Rs. 1-100 Crores and/or seven years in prison for an offence under the act;</p>
<p>d. Section 22 which allows the government to take ownership of a person’s land if a financial penalty has not been paid;</p>
<p>e. Section 30(1) which holds, in the case of the offense being committed by a company, every person in charge of and responsible for the conduct of business of the company, guilty and liable.</p>
<h3>3.9. Overly broad powers and responsibilities of the Apex Committee and Enforcement Authority, and lack of adequate oversight</h3>
<p><strong>3.9.1.</strong> Section 7(2) states that “[t]he Apex Committee shall do all such acts and deeds that may be necessary or otherwise desirable to achieve the objectives of the Act, including the following functions:...” The wording in this section is broad and open ended, and allows for the responsibilities of the Apex Committee to be expanded without clear oversight of such expansion.</p>
<p><strong>3.9.2.</strong> Similarly, section 17 establishes an “Enforcement Authority” for the purpose of carrying out surveillance and monitoring for enforcement of the draft bill. The Authority has been given a number of powers including the power of inquiry, the power to adjudicate, and the power to give directions. These powers have direct implications on the rights of individuals, yet the Authority is not subject to oversight or accountability requirements.</p>
<p><strong>3.9.3.</strong> We recommend that the powers and responsibilities of the Apex Committee and Enforcement Authority are narrowly defined in the draft bill itself, limited by the principle of necessity, and subject to independent oversight and accountability requirements.</p>
<h3>3.10. Remove the Security Vetting Authority’s power of delegation</h3>
<p><strong>3.10.1.</strong> Section 8(3) allows the Security Vetting Authority to delegate to any constituent member of the Authority, other subordinate committee, or officer powers and functions as it may deem necessary except the power to grant a licence. In practice, this will allow security vetting to be done by another institution and risks potential involvement of private agencies and/or quasi-governmental bodies.</p>
<p><strong>3.10.2.</strong> We recommend that the power of delegation should not be granted to the Security Vetting Authority.</p>
<h3>3.11. Negative implications for innovation and India’s digital economy</h3>
<p><strong>3.11.1.</strong> Section 3 of the draft bill states “[s]ave as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geospatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”. This effectively ensures that each and every user of geospatial data, products, services, and solutions — since all of these either include or are derivatives of geospatial information — would require prior permission from the Security Vetting Authority. This will substantially affect the existing and emerging digital economy in particular, and the entire economy in general.</p>
<p><strong>3.11.2.</strong> Further, Section 9 of the draft bill mandates that any person submitting an application for geospatial information to be vetted must pay a fee. As the provisions of the bill mandate that users approach the Security Vetting Authority for license to use geospatial information, this will impose an immense burden on all users of digital devices in and outside of India. CIS submits that imposition of this fee for security vetting be removed.</p>
<h3>3.12. Disproportionate penalty for acquisition of geospatial information</h3>
<p><strong>3.12.1.</strong> Section 12 states that “<em>[p]enalty for illegal acquisition of geospatial information of India.- Whoever acquires any geospatial information of India in contravention of section 3, shall be punished with a fine ranging from Rupees one crore to Rupees one hundred crore and/or imprisonment for a period upto seven years</em>.” Seven years in prison is disproportionate to the offense of acquiring geospatial information without vetting by the authority concerned. This is particularly true given the broad and all-encompassing definition of “geospatial information” in the draft bill, and the fact that the bill applies to individuals and companies both within and outside of India.</p>
<h3>3.13. Improper and inconsistent usage of terms in the draft bill</h3>
<p><strong>3.13.1.</strong> Section 4 of the draft bill regulates the visualization, publication, dissemination and distribution of geospatial information of India, while section 5 regulates use, dissemination, publication, and distribution of geospatial information outside of India. The definition of “visualization” remains unclear, and the act is only regulated in section 4. Section 6 of the draft bill uses the term ‘depict’, which is undefined as well. We submit that in this context these terms are interchangeable, and the draft bill should either define them expressly to avoid ambiguity in interpretation, or consistently use only one throughout.</p>
<p><strong>3.13.2.</strong> Section 11 (3) of the draft bill requires licensees to “[d]isplay the insignia of the clearance of the Security Vetting Authority on the security-vetted geospatial information by appropriate means such as water-marking or licence as relevant, while disseminating or distributing of such geospatial information.” We observe that geospatial information includes graphical representation, location coordinates, inter alia. While the former may be represented visually on an “as is” basis after the completion of the vetting, the latter may be used to perform other complex functions at the “back-end” (i.e., vendor-facing side) in various technologies. Water-marking and/or displaying of insignia would place undue burden on the licensee, depending on the kind of platform, service, or individual.</p>
<h3>3.14. Lack of reference to technical implementation guidance</h3>
<p><strong>3.14.1.</strong> The regulation, harmonisation, and standardisation of the collection, generation, dissemination etc. of geospatial information is a complex process that goes beyond a process of security vetting and that will require extensive technical implementation guidance from the government. At a minimum this could include quality assurance considerations and standard operating procedures, yet the draft bill makes no reference to the need for technical standards or guidance.</p>
<p><em>Comments prepared by Sumandro Chattapadhyay, Adya Garg, Pranesh Prakash, Anubha Sinha, and Elonnai Hickok.</em>
<em>Submitted by the Centre for Internet and Society, on June 3, 2016.</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-draft-geospatial-information-regulation-bill-2016'>http://editors.cis-india.org/internet-governance/blog/comments-draft-geospatial-information-regulation-bill-2016</a>
</p>
No publisher | pranesh | Freedom of Speech and Expression | Geospatial Information Regulation Bill | Geospatial Data | National Geospatial Policy | 2016-06-05T15:06:09Z | Blog Entry
Accessible ICT Procurement
http://editors.cis-india.org/accessibility/blog/accessible-ict-procurement
<b>Today in India there is an excellent opportunity to address the needs of persons with disabilities through accessible ICT procurement. There is a growing body of evidence globally to demonstrate that governments are successfully using accessible procurement as a means of ensuring the human rights of persons with disabilities. Governments are amongst the largest purchasers of IT in any country and, by requiring accessible products and services, ensure that all citizens with disabilities and government employees who are disabled are able to access and use public infrastructure and communication. CIS, along with 20 other organisations, petitions the Ministry of Social Justice & Empowerment, Ministry of Finance and the Ministry of Information Technology to bring in accessibility considerations within the draft Procurement Bill. </b>
<p style="text-align: justify; "><span>To<br /></span><span>The Secretary,<br /></span><span>Department of Empowerment of Persons with Disabilities (DEPwD)<br /></span><span>Ministry of Social Justice & Empowerment,<br /></span><span>Room No: 525, 5</span><sup>th</sup><span> Floor, <br /></span><span>Paryavaran Bhawan, CGO Complex, Lodhi Road,<br /></span><span>New Delhi - 110003</span></p>
<p style="text-align: justify; "><span> </span><span>The Secretary<br /></span><span>Ministry of Finance<br /></span><span>North Block, New Delhi- 110001</span></p>
<p style="text-align: justify; "><span>The Secretary<br /></span><span>Ministry of Information Technology<br /></span><span>Electronics Niketan, 6,<br /></span><span>CGO Complex, Lodhi Road, New Delhi - 110003</span></p>
<p style="text-align: justify; "><span>Dear Sir/ Madam,</span></p>
<p style="text-align: justify; "><span><span>Subject: Urgent opportunity to address the needs of persons with disabilities through accessible ICT procurement in the draft procurement bill</span><span>.</span></span></p>
<p style="text-align: justify; "><span>We are a group of organisations working to protect and promote the rights of persons with disabilities in India. You may be aware that persons with disabilities are the world’s largest minority, comprising over a billion persons of the world population as of 2011. We set out below, for your consideration, some important points which outline the need for accessible procurement:</span></p>
<ol style="text-align: justify; ">
<li>Demographic need: As per the census<a name="_ftnref1"></a> of India in 2011, there are 2.21 per cent or 26 million persons with disabilities living in India. However, the estimates of the Census and the NSS surveys are inconsistent for various reasons, such as different definitions, different methodologies, traditional diagnostic techniques and varied reporting responses. Even the 11<sup>th</sup> Five Year Plan opines that these numbers may be under-representative and that the actual number may be closer to approximately 5-6%. A World Bank report pegs the number at about 5-8% or approximately 55-90 million in India.<a name="_ftnref2"></a> Hence, there is a large constituency of persons with disabilities and possibly an equally large number of persons having special needs and requiring accommodations who are not necessarily identified within this group. The needs of these persons must be taken into account in order to achieve complete national development.</li>
<li>Need for accessible IT infrastructure: With the increasing emphasis and reliance on IT for administration, governance, communication and information through the ‘Digital India’ and ‘Smart Initiatives’, there is a need for the IT infrastructure to be accessible to enable use by all, i.e. a product or service should be usable to its maximum potential by all persons with ease and comfort irrespective of ability. For instance: Persons with disabilities cannot be given productive work in a bank if banking is not usable with the help of assistive technology; and Persons with special needs will not be able to pay bills or do banking or avail services rendered by e-governance platforms if ICT infrastructure is not usable with assistive technology. This need has already been recognized by the Government of India (GoI) through its ‘Accessible India Campaign’. Accessible ICT Procurement will be a vehicle to achieving this.</li>
<li>Legal imperative: India is strongly committed towards creating a barrier free world with equal opportunities and without discrimination, and facilitating enjoyment of all fundamental and human rights for persons with disabilities and complete digital inclusion. India has signed and ratified the UN Convention on the Rights of Persons with Disabilities (UNCRPD) which identifies access to information and information and communication technologies as a human right and requires governments to facilitate enjoyment of these rights on an equal basis and without discrimination through various measures, such as encouraging private organisations to provide accessible services and information and provide other forms of assistance to facilitate access to information and adopting minimum standards of accessibility and design for accessibility at early stage of production to reduce cost.</li>
</ol>
<p style="text-align: justify; ">Article 4(a)-(d) requires states parties to act in conformance with the convention. Accessibility is an underlying principle of the CRPD and integral for persons with disabilities to enjoy all the other human rights such as access to education, employment, assistive technologies, political participation, health, independent living and cultural materials.</p>
<p style="text-align: justify; ">India has also signed other national and international instruments in this regard, such as the Incheon Strategy to make the rights real for persons with disabilities, the Marrakesh Treaty to facilitate access to published works for persons who are blind, visually impaired or otherwise reading disabled, the Biwako Millennium Framework and the Biwako Plus 5, and has enacted various legislations related to disability, including the upcoming Bill on the Rights of Persons with Disabilities, the National Universal Electronic Accessibility Policy and the Guidelines for Indian Government Websites (GIGW), which prescribe accessibility requirements. The Sustainable Development Goals (SDGs), which were finalised in September 2015 and by which India is bound, also call for inclusiveness in all their goals, such as education, inequality reduction, infrastructure building, economy, habitation, institutions, poverty reduction and sustainability. Hence there is a very strong legal case for implementing accessible ICT procurement as the driver for achieving complete inclusion and participation of persons with disabilities.</p>
<ol start="4" style="text-align: justify; ">
<li>Proven effective mechanism: Public procurement has been identified as a very effective tool in the hands of policy makers to implement accessibility and significant strides have been made by different countries such as USA, Australia and countries in the European Union. Statistics reveal that governments are amongst the largest purchasers of IT products and services and hence well positioned to leverage this power to ensure that all products and services developed, delivered and maintained out of public money and for the use of the public or government employees are accessible. The Government of India (GoI) is also one of the largest employers of persons with disabilities, hence the absence of accessible public infrastructure hinders efficient functioning of the government itself.</li>
<li>Standards for accessible ICT procurement: Today accessible procurement has proven a successful tool in the hands of policy makers and there are evolved standards in this domain. The two major standards are Section 508<a name="_ftnref3"></a> in the USA and EN 301-549<a name="_ftnref4"></a> (EN) in Europe. The latter is the most comprehensive and updated standard and there is a global move to develop a harmonized standard based on the EN. Hence, there is a readily available framework and standard in the form of the EN for India to adopt and base its framework on.</li>
</ol>
<h2 style="text-align: justify; ">Key Global Initiatives</h2>
<p style="text-align: justify; ">We’d like to draw your attention to the accessible public procurement initiative and charter<a name="_ftnref5"></a> launched by G3ict and to the arguments in the G3ict white paper<a name="_ftnref6"></a> for adoption of this policy. We strongly support the arguments made therein and recommend that GoI embrace accessible public procurement in the draft Procurement Bill of 2014. Some key points from the charter and initiative which argue strongly for the case of having an accessible ICT procurement policy in India are extracted and given below:</p>
<ul style="text-align: justify; ">
<li>“Accessible procurement is relevant for the enjoyment of human rights as set out in the UNCRPD, which has been signed by 160 countries.</li>
<li>Public procurement accounts for 10-15% of a country’s GDP and up to 16 per cent in countries in the EU. In the USA, the federal government alone purchases 25 per cent of ICTs and the purchases of the federal and state governments together account for 40 per cent of the total ICT purchases of the country.</li>
<li>Public procurement policy is a strong instrument to achieve digital inclusion and serves to incentivize accessible design from the start of the development process.</li>
<li>It strengthens the local technology industry of a country and creates positive ripple effects into the broader consumer ICT marketplace.</li>
<li>It develops the national accessibility ecosystem, capacity, and expertise to develop and deliver accessible products and services and lowers costs through harmonized standards & competition. It also drives the creation of new development tools for accessible technology and better accessibility training for technology professionals.”</li>
</ul>
<h2 style="text-align: justify; ">Conclusion and Recommendations:</h2>
<p style="text-align: justify; ">Access to public services and information are critical for citizens to participate in the nation building process. The development of India hinges on the progress and inclusion of all its citizens. India has already recognized the criticality of building smart cities and the need to create an accessible India. Hence, the adoption of accessible procurement falls directly within the mandate of the GoI as it is a fundamental step to achieving India’s goals. Accessible procurement is not an option, but a necessity. We hence request the GoI to take immediate steps to rectify the lapse and include accessibility as a key consideration within the procurement Bill. Accordingly, we propose the following approach for GoI’s consideration:</p>
<ul style="text-align: justify; ">
<li>Preparation and circulation of a note explaining the need to include accessibility as a key component of the procurement process within the government, describing rationale, business case and best practices.</li>
<li>Inclusion of suitable provisions in the present draft Procurement Bill covering the following:</li>
</ul>
<ol style="text-align: justify; ">
<li>Identifying accessibility as a key requirement of procurement</li>
<li>Including definitions of accessibility and accessibility standard within the definition section. (We recommend that a national standard be adopted which is similar to or in line with the European standard EN 301-549, since it is extremely evolved and being widely adopted by countries within and outside Europe.)</li>
<li>Requiring accessibility experts and persons with disabilities to be part of all committees set up towards implementation of the Act and procurement related processes at the central and state levels.</li>
<li>Including a distinct and comprehensive section in the procurement rules notified after enactment of the Act dealing with accessible procurement processes and communication which may include the following: identification of accessibility as a selection/ award criteria, inclusion of accessibility at different stages of the procurement process, such as preparatory study, pre-qualification documents, contracts for design, development, delivery and maintenance of products and services, purchase of off the shelf products, requirement of attestation and verification procedures, self-declaration by vendors, training requirements, exemption cases, transparent bidding processes to ensure inclusion of accessibility, accessible communication, and implementation and audit mechanisms.</li>
<li>Requiring procuring entities to include accessibility implementation within their reporting requirements.</li>
</ol>
<ul style="text-align: justify; ">
<li>GoI may undertake capacity building activities to raise awareness amongst procuring entities on accessibility.</li>
<li>GoI may draw up a plan with timelines for implementation, which may be in two phases. Phase 1 may relate to setting in place the process for all present and future procurement, and phase 2 may relate to a plan for legacy systems which will not necessarily be replaced anew.</li>
</ul>
<p style="text-align: justify; ">We would be happy to provide further inputs in this regard.</p>
<p style="text-align: justify; ">Thanking you</p>
<p style="text-align: justify; ">Yours sincerely</p>
<p style="text-align: justify; "><span>Mr. Pranesh Prakash<br /></span><span>Policy Director<br /></span><span>Centre for Internet and Society</span></p>
<p style="text-align: justify; "><br /> <strong><span>List of Signatories </span></strong></p>
<table style="text-align: justify; ">
<tbody>
<tr>
<td>
<p><strong>Sl. No</strong></p>
</td>
<td>
<p><strong>Name of the Person</strong></p>
</td>
<td>
<p><strong>Designation</strong></p>
</td>
<td>
<p><strong>Organisation</strong></p>
</td>
<td>
<p><strong>Email id</strong></p>
</td>
</tr>
<tr>
<td>
<p>1</p>
</td>
<td>
<p>Dr. Nirmita Narasimhan</p>
</td>
<td>
<p>Policy Director</p>
</td>
<td>
<p>Centre for Internet and Society, Bangalore</p>
</td>
<td>
<p><a href="mailto:Nirmita@cis-india.org">nirmita@cis-india.org</a></p>
</td>
</tr>
<tr>
<td>
<p>2</p>
</td>
<td>
<p>Mr. Dipendra Manocha</p>
</td>
<td>
<p>President</p>
</td>
<td>
<p>Daisy Forum of India and President, National Association for the Blind (Delhi)</p>
</td>
<td>
<p><a href="mailto:Dipendra.manocha@gmail.com">dipendra.manocha@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>3</p>
</td>
<td>
<p>Mr. Muralidharan</p>
</td>
<td>
<p>Convener</p>
</td>
<td>
<p>National Platform for the Rights of the Disabled (NPRD)</p>
</td>
<td>
<p><a href="mailto:nprd.in@gmail.com">nprd.in@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>4</p>
</td>
<td>
<p>Mr. Praful Vyas</p>
</td>
<td>
<p>Secretary</p>
</td>
<td>
<p>Andhjan Kalyan Trust</p>
</td>
<td>
<p><a href="mailto:aktrust.drj@gmail.com">aktrust.drj@gmail.com</a></p>
<p><a href="mailto:prafulnvyas@gmail.com">prafulnvyas@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>5</p>
</td>
<td>
<p>Mr. Nilesh Singit</p>
</td>
<td>
<p>Advocacy & Research Officer</p>
</td>
<td>
<p>Centre for Disability Studies, NALSAR</p>
</td>
<td>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>6</p>
</td>
<td>
<p>Ms. Charudatta Jadhav</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Techenvision</p>
</td>
<td>
<p><a href="mailto:charudatta.chess@gmail.com">charudatta.chess@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>7</p>
</td>
<td>
<p>Dr. Beula Christy</p>
</td>
<td>
<p>HOD-Vision</p>
</td>
<td>
<p>Rehabilitation Centres, L V Prasad Eye Institute</p>
</td>
<td>
<p><a href="mailto:beula@lvpei.org">beula@lvpei.org</a></p>
</td>
</tr>
<tr>
<td>
<p>8</p>
</td>
<td>
<p>Dr. Ramesh C Gaur</p>
</td>
<td>
<p>University Librarian</p>
</td>
<td>
<p>Jawaharlal Nehru University (JNU)</p>
</td>
<td>
<p>1. <a href="mailto:rcgaur@mail.jnu.ac.in">rcgaur@mail.jnu.ac.in</a></p>
<p> </p>
<p>2. <a href="mailto:rcgaur66@gmail.com">rcgaur66@gmail.com</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>9</p>
</td>
<td>
<p>Dr. Homiyar Mobedji</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Bookshare</p>
</td>
<td>
<p><a href="mailto:dr.homiyar@gmail.com">dr.homiyar@gmail.com</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>10</p>
</td>
<td>
<p>Dr. Sam Taraporewala</p>
</td>
<td>
<p>Director</p>
</td>
<td>
<p>Xavier’s Resource Centre for the Visually Challenged</p>
</td>
<td>
<p><a href="mailto:sam@xrcvc.org">sam@xrcvc.org</a></p>
<p> </p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>11</p>
</td>
<td>
<p>Mr. Srinivasu Chakravarthula</p>
</td>
<td>
<p>Hon. Joint Secretary</p>
<p> </p>
</td>
<td>
<p>The National Association for the Blind, Karnataka</p>
<p> </p>
</td>
<td>
<p><a href="mailto:srinivasu@srinivasu.org">srinivasu@srinivasu.org</a></p>
<p> </p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>12</p>
</td>
<td>
<p>Mr. K Raghuraman</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Karna Vidya Foundation</p>
</td>
<td>
<p><a href="mailto:raghuram.mcc@gmail.com">raghuram.mcc@gmail.com</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>13</p>
</td>
<td>
<p>Mr. Dhanajay Bhole</p>
</td>
<td>
<p>Coordinator</p>
</td>
<td>
<p>Acc Savitribai Phule Pune university</p>
<p> </p>
</td>
<td>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>14</p>
</td>
<td>
<p>Mr. Prashant Ranjan Verma</p>
</td>
<td>
<p>Joint Secretary</p>
</td>
<td>
<p>National Association for the Blind – Delhi</p>
</td>
<td>
<p><a href="mailto:Pr_verma@hotmail.com">Pr_verma@hotmail.com</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>15</p>
</td>
<td>
<p>Mr. N S Sastry</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Samrita Trust</p>
</td>
<td>
<p><a href="mailto:samritatrust2006@gmail.com">samritatrust2006@gmail.com</a>, <a href="mailto:norisastry@gmail.com">norisastry@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>16</p>
</td>
<td>
<p>Ms. Madhu Singhal</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Mitrajyothi</p>
</td>
<td>
<p><a href="mailto:admin.office@mitrajyothi.org">admin.office@mitrajyothi.org</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>17</p>
</td>
<td>
<p>Mr. Bhushan Punani</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>Blind People’s Association (BPA)</p>
<p> </p>
</td>
<td>
<p><a href="mailto:blinabad1@bsnl.in">blinabad1@bsnl.in</a></p>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>18</p>
</td>
<td>
<p>Mr. Anil Mudgal</p>
</td>
<td>
<p>Secretary</p>
</td>
<td>
<p>Arushi</p>
</td>
<td>
<p><a href="mailto:arushiorg@gmail.com">arushiorg@gmail.com</a></p>
</td>
</tr>
<tr>
<td>
<p>19</p>
</td>
<td>
<p>Ms. Poonam Tyagi</p>
</td>
<td>
<p>General Secretary</p>
</td>
<td>
<p>National Association for the Blind, Meerut</p>
</td>
<td>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>20</p>
</td>
<td>
<p>Dr. Vimal Dengla</p>
</td>
<td>
<p> </p>
</td>
<td>
<p>National Association for the Blind</p>
</td>
<td>
<p> </p>
</td>
</tr>
<tr>
<td>
<p>21</p>
</td>
<td>
<p>Mr. V S Sunder</p>
</td>
<td>
<p>Member</p>
</td>
<td>
<p>DRA India</p>
</td>
<td>
<p><a href="mailto:sunder@imsc.res.in">sunder@imsc.res.in</a></p>
</td>
</tr>
<tr>
<td>
<p>22</p>
</td>
<td>
<p>Mr. Mohith B P</p>
</td>
<td>
<p> </p>
</td>
<td>
<p> </p>
</td>
<td>
<p><a href="mailto:Bpmohith.ckm@gmail.com">Bpmohith.ckm@gmail.com</a></p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; "><a name="_ftn1"></a></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">[1]. Available at http://censusindia.gov.in/Census_And_You/disabled_population.aspx<br /> [2]. Please see<br /> <a href="http://mospi.nic.in/Mospi_New/upload/disablity_india_statistical_data_11mar2011/Chapter%204-Dimension_Disability.pdf"> http://mospi.nic.in/Mospi_New/upload/disablity_india_statistical_data_11mar2011/Chapter%204-Dimension_Disability.pdf</a><a name="_ftn3"></a><br /> [3]. Available at http://www.section508.gov/<a name="_ftn4"></a><br /> [4]. Available at <br /> https://www.etsi.org/deliver/etsi_en/301500_301599/301549/01.00.00_20/en_301549v010000c.pdf<a name="_ftn5"></a><br /> [5]. Global Charter: Promoting Global Digital Inclusion through ICT Procurement Policies & Accessibility Standards, G3ict; URL:<br /> <a href="http://g3ict.org/resource_center/g3ict_global_charter"> http://g3ict.org/resource_center/g3ict_global_charter</a><a name="_ftn6"></a><br /> [6]. CRPD Implementation: Promoting Global Digital Inclusion through ICT Procurement Policies & Accessibility Standards, G3ict <em>available at</em>: <a href="http://g3ict.org/resource_center/publications_and_reports/p/productCategory_whitepapers/subCat_7/id_339/">http://g3ict.org/resource_center/publications_and_reports/p/productCategory_whitepapers/subCat_7/id_339/</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/accessibility/blog/accessible-ict-procurement'>http://editors.cis-india.org/accessibility/blog/accessible-ict-procurement</a>
</p>
No publisher | pranesh | Accessibility | 2016-05-09T14:48:49Z | Blog Entry