The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 5.
What Are The Consumer Protection Concerns With Crypto-Assets?
http://editors.cis-india.org/internet-governance/blog/what-are-the-consumer-protection-concerns-with-crypto-assets
<b>Existing consumer protection regulations are not sufficient to cover the extent of protection that a crypto-investor would require.</b>
<p>The article was <a class="external-link" href="https://www.medianama.com/2022/07/223-addressing-the-consumer-protection-concerns-associated-with-crypto-assets/">published in Medianama</a> on July 8, 2022</p>
<hr />
<p style="text-align: justify; ">Crypto-asset regulation is at the forefront of India’s financial regulator’s minds. On the 6th of June, the Securities and Exchange Board of India (SEBI) <a href="https://www.businessinsider.in/investment/news/sebi-raises-concern-on-crypto-says-that-its-decentralised-nature-makes-them-harder-to-regulate/articleshow/92079830.cms">in a response </a>to the Parliamentary Standing Committee on Finance expressed clear consumer protection concerns associated with crypto-assets.</p>
<p style="text-align: justify; ">This statement follows <a href="https://www.rbi.org.in/commonman/English/Scripts/PressReleases.aspx?Id=2474">multiple notices</a> issued by the Reserve Bank of India (RBI) warning consumers of the risks related to crypto-assets, and even a <a href="https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103">failed attempt</a> to prevent banks from transacting with any individual trading crypto-assets. Yet, in spite of these multiple warnings, and a significant drop in trading volume due to the introduction of a new taxation structure, crypto-assets still have managed to establish themselves as a legitimate financial instrument in the minds of many.</p>
<p style="text-align: justify; ">Recent global developments, however, seem to validate the concerns held by both the RBI and SEBI.</p>
<p style="text-align: justify; ">The bear market that crypto finds itself in has sent shockwaves throughout the ecosystem, crippling some of the most established tokens in the space. Take, for example, the <a href="https://indianexpress.com/article/technology/crypto/luna-terra-crash-a-brief-history-of-failed-algorithmic-stablecoins-7934293/">death spiral</a> of the algorithmic stablecoin Terra USD and its sister token Luna—with Terra USD going from a top-10-traded crypto-token to being practically worthless. The volatility of token prices has had a significant knock-on effect on crypto-related services. Following Terra’s crash, the Centralised Finance Platform (CeFi) Celsius—which provided quasi-banking facilities for crypto holders—also halted all withdrawals. More recently, the crypto-asset hedge fund Three Arrows also filed for bankruptcy following its inability to meet its debt obligations and protect its assets from creditors looking to get their money back.</p>
<p style="text-align: justify; ">Underpinning these stories of failing corporations are the very real experiences of investors and consumers—many of whom have lost a <a href="https://www.bloomberg.com/news/articles/2022-05-14/terra-s-45-billion-face-plant-creates-a-crowd-of-crypto-losers">significant amount of wealth</a>. This has been a direct result of the messaging around crypto-assets. Crypto-assets have been promoted through popular culture as a means of achieving financial freedom and accruing wealth quickly. It is this narrative that lured numerous regular citizens to invest substantial portions of their income into crypto-asset trading. At the same time, the crypto-asset space is littered with a number of scams and schemes designed to trick unaware consumers. These schemes, primarily taking the form of ‘<a href="https://www.investor.gov/introduction-investing/investing-basics/glossary/pump-and-dump-schemes">pump and dump</a>’ schemes, represent a significant issue for investors in the space.</p>
<p style="text-align: justify; ">It seems, therefore, that any attempt to ensure consumer protection in the crypto-space must adopt two key strategies:</p>
<ul>
<li><span>First, it must re-orient the narrative from crypto as a simple means of getting wealthy—and ensure that those consumers who invest in crypto do so with full knowledge of the risks associated with crypto-assets</span></li>
<li><span>Second, it must provide consumers with sufficient recourse in cases where they have been subject to fraud.</span></li>
</ul>
<p style="text-align: justify; ">In this article, we examine the existing regulatory framework around grievance redressal for consumers in India—and whether these safeguards are sufficient to protect consumers trading crypto-assets. We further suggest practical measures that the government can adopt going forward.</p>
<h3 style="text-align: justify; ">What is the Current Consumer Protection Framework Around Crypto-assets?</h3>
<p>Safeguards Under the Consumer Protection Act and E-commerce Rules</p>
<p> </p>
<p style="text-align: justify; "><span>The increased adoption of e-commerce by consumers in India forced legislators to address the lack of regulation for the protection of consumer interests. This legislative expansion may extend to protecting the interests of investors and consumers trading in crypto-assets. </span></p>
<p style="text-align: justify; ">The groundwork for consumer welfare was laid in the new Consumer Protection Act, 2019 which defined e-commerce as the “buying or selling of goods or services including digital products over digital or electronic network.” It also empowered the Union Government to take measures and issue rules for the protection of consumer rights and interests, and the prevention of unfair trade practices in e-commerce.</p>
<p style="text-align: justify; ">Within a year, the Union Government exercised its power to issue operative rules known as the Consumer Protection (E-Commerce) Rules, 2020 (the “Rules”), which amongst other things, sought to prohibit unfair trade practices across all models of e-commerce. The Rules define an e-commerce entity as one which owns, operates or manages a digital or electronic facility or platform (which includes a website as well as mobile applications) for electronic commerce.</p>
<p style="text-align: justify; ">The definition of e-commerce is not limited only to physical goods but also includes services as well as digital products. So, one can plausibly assume that it would be applicable to a number of crypto-exchanges, as well as certain entities offering decentralized finance (DeFi) services. This is because crypto tokens—be it cryptocurrencies like Bitcoin, Ethereum, or Dogecoin—are not considered currency or securities within Indian law, but can be said to be digital products since they are digital goods.</p>
<p style="text-align: justify; ">The fact that the digital products being traded on the e-commerce entity originated outside Indian territory would make no difference as far as the applicability of the Rules is concerned. The Rules apply even to e-commerce entities not established in India, but which systematically offer goods or services to consumers in India. The concept of systematically offering goods or services across territorial boundaries appears to have been taken from the E-evidence Directive of the European Union and seeks to target only those entities which intend to do substantial business within India while excluding those who do not focus on the Indian market and have only a minuscule presence here.</p>
<p style="text-align: justify; ">Additionally, the Rules impose certain duties and obligations on e-commerce entities, such as:</p>
<ul>
<li><span>The appointment of a nodal officer or a senior designated functionary who is resident in India, to ensure compliance with the provisions of the Consumer Protection Act;</span></li>
<li>The prohibition on the adoption of any unfair trading practices, thereby making the most important requirements of consumer protection applicable to e-commerce;</li>
<li>The establishment of a grievance redressal mechanism and specifying an outer limit of one month for redressal of complaints;</li>
<li>The prohibition on imposing cancellation charges on the consumer, unless a similar charge is also borne by the e-commerce entity if it cancels the purchase order unilaterally for any reason;</li>
<li>The prohibition on price manipulation to gain unreasonable profit by imposing an unjustified price on the consumers; </li>
<li>The prohibition on discrimination between consumers of the same class or an arbitrary classification of consumers that affects their rights; etc.</li>
</ul>
<p style="text-align: justify; ">The Rules also impose certain liabilities on e-commerce entities relating to the tracking of shipments, the accuracy of the information on the goods or services being offered, information and ranking of sellers, tracking complaints, and information regarding payment mechanisms. Most importantly, the Rules explicitly make the grievance redressal mechanism under the Consumer Protection Act, 2019 applicable to e-commerce entities in case they violate any of the requirements under the Rules.</p>
<p style="text-align: justify; ">What this means is that at present crypto-exchanges and crypto-service providers clearly fall within the ambit of consumer protection legislation in India. In real terms, this means that consumers can rest assured that in any crypto transaction their rights must be accounted for by the corporation.</p>
<p style="text-align: justify; ">With crypto related scams <a href="https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2022/06/reports-show-scammers-cashing-crypto-craze">exploding globally following 2021</a>, it is likely that Indian investors will come into contact, or be subject to various scams and schemes in the crypto marketplace. Therefore, it is imperative that consumers and investors the steps they can take in case they fall victim to a scam. Currently, any consumer who is the victim of a fraud or scam in the crypto space would as per the current legal regime, have two primary redressal remedies:</p>
<ul>
<li><span>Lodging a criminal complaint with the police, usually the cyber cell, regarding the fraud. It then becomes the police’s responsibility to investigate the case, trace the perpetrators, and ensure that they are held accountable under relevant legal provisions. </span></li>
<li>Lodging a civil complaint before the consumer forum or even the civil courts claiming compensation and damages for the loss caused. In this process, the onus is on the consumer to follow up and prove that they have been defrauded.</li>
</ul>
<p style="text-align: justify; ">Filing a consumer complaint may impose an extra burden on the consumer to prove the fraud—especially if the consumer is unable to get complete and accurate information regarding the transaction. Additionally, in most cases, a consumer complaint is filed when the perpetrator is still accessible and can be located by the consumer. However, in case the perpetrator has absconded, the consumer would have no choice but to lodge a criminal complaint. That said, if the perpetrators have already absconded, it may be difficult even for the police to be of much help considering the anonymity that is built into technology.</p>
<p style="text-align: justify; ">Therefore, perhaps the best protection that can be afforded to the consumer is where the regulatory regime is geared towards the prevention of frauds and scams by establishing a licensing and supervisory regime for crypto businesses.</p>
<h3 style="text-align: justify; ">A Practical Guide to Consumer Protection and Crypto-assets</h3>
<p style="text-align: justify; ">What is apparent is that existing regulations are not sufficient to cover the extent of protection that a crypto-investor would require. Ideally, this gap would be covered by dedicated legislation that looks to cover the range of issues within the crypto-ecosystem. However, in the absence of the (still pending) government crypto bill, we are forced to consider how consumers can currently be protected and made aware of the risks associated with crypto-assets.</p>
<p style="text-align: justify; ">On the question of informing customers of the risks associated, we must address one of the primary means through which consumers become aware of crypto-assets: advertising. Currently, crypto-asset advertising follows a <a href="https://ascionline.in/images/pdf/vda-guidelines-23.02.22.pdf">code</a> set down by the <a href="https://www.google.com/search?client=safari&rls=en&q=Advertising+Council+of+India&ie=UTF-8&oe=UTF-8">Advertising Standards Council of India</a>, a self-regulating, non-government body. As such, there is currently no government body that enforces binding advertising standards on crypto and crypto-service providers.</p>
<p style="text-align: justify; ">While self-regulation has generally been an acceptable practice in the case of advertising, the advertising of financial products has differed slightly. For example, Schedule VI of the <a href="https://www.sebi.gov.in/acts/mfreg96.html#sch6#sch6">Securities and Exchange Board of India (Mutual Funds) Regulations, 1996</a>, lays down detailed guidelines associated with the advertising of mutual funds. Crypto-assets can, depending on their form, perform similar functions to currencies, securities, and assets. Moreover, they carry a clear financial risk—as such their advertising should come under the purview of a recognised financial regulator. In the absence of a dedicated crypto bill, an existing regulator—such as SEBI or the RBI—should use their ad-hoc power to bring crypto-assets and their advertising under their purview.</p>
<p style="text-align: justify; ">This would allow for the government to not only ensure that advertising guidelines are followed, but to dictate the exact nature of these guidelines. This allows it to issue standards pertaining to disclaimers and prevent crypto service providers from advertising crypto as being easy to understand, having a guaranteed return on investment, or other misleading messages.</p>
<p style="text-align: justify; ">Moreover, financial institutions such as the RBI and SEBI may consider increasing efforts to inform consumers of the financial and economic risks associated with crypto-assets by undertaking dedicated public awareness campaigns. Strongly enforced advertising guidelines, coupled with widespread and comprehensive awareness efforts, would allow the average consumer to understand the risks associated with crypto-assets, thereby re-orienting the prevailing narrative around them.</p>
<p style="text-align: justify; ">On the question of providing consumers with clear recourse, current financial regulators might consider setting up a joint working group to examine the extent of financial fraud associated with crypto-assets. Such a body can be tasked with providing consumers with clear information related to crypto-asset scams and schemes, how to spot them, and the next steps they must take in case they fall victim to one.</p>
<hr />
<p style="text-align: justify; "><em>Aman Nair is a policy officer at the Centre for Internet & Society (CIS), India, focusing on fintech, data governance, and digital cooperative research. Vipul Kharbanda is a non-resident fellow at CIS, focusing on the fintech research agenda of the organisation.</em></p>
<ul>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/what-are-the-consumer-protection-concerns-with-crypto-assets'>http://editors.cis-india.org/internet-governance/blog/what-are-the-consumer-protection-concerns-with-crypto-assets</a>
</p>
No publisherAman Nair and Vipul KharbandaConsumer RightsInternet GovernanceCryptography2022-07-18T15:22:02ZBlog EntryThe Ministry And The Trace: Subverting End-To-End Encryption
http://editors.cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption
<b>A legal and technical analysis of the 'traceability' rule and its impact on messaging privacy.</b>
<p> </p>
<p>The paper was published in the <a class="external-link" href="http://nujslawreview.org/2021/07/09/the-ministry-and-the-trace-subverting-end-to-end-encryption/">NUJS Law Review Volume 14 Issue 2 (2021)</a>.</p>
<hr />
<h2>Abstract</h2>
<div class="justify">
<div class="pbs-main-wrapper">
<p>End-to-end
encrypted messaging allows individuals to hold confidential
conversations free from the interference of states and private
corporations. To aid surveillance and prosecution of crimes, the Indian
Government has mandated online messaging providers to enable
identification of originators of messages that traverse their platforms.
This paper establishes how the different ways in which this
‘traceability’ mandate can be implemented (dropping end-to-end
encryption, hashing messages, and attaching originator information to
messages) come with serious costs to usability, security and privacy.
Through a legal and constitutional analysis, we contend that
traceability exceeds the scope of delegated legislation under the
Information Technology Act, and is at odds with the fundamental right to
privacy.</p>
<p> </p>
<p>Click here to read the <a class="external-link" href="http://nujslawreview.org/2021/07/09/the-ministry-and-the-trace-subverting-end-to-end-encryption/">full paper</a>.</p>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption'>http://editors.cis-india.org/internet-governance/blog/the-ministry-and-the-trace-subverting-end-to-end-encryption</a>
</p>
No publisherGurshabad Grover, Tanaya Rajwade and Divyank KatiraCryptographyIntermediary LiabilityConstitutional LawInternet GovernanceMessagingEncryption Policy2021-07-12T08:18:18ZBlog EntryIndia’s dedicated Cryptology centre gets Rs. 115 crore funding
http://editors.cis-india.org/news/search-security-july-28-2014-harichandan-arakali-indias-dedicated-cryptology-centre-gets-funding
<b>Work on India's first dedicated cryptology centre – plans for which were first announced in June 2012 – will likely accelerate as the project has gained initial funding of Rs. 115 crore from the federal government, stepping up the nation's efforts to stay on top of an area critical to its military and financial interests.</b>
<p style="text-align: justify; ">The blog post by Harichandan Arakali was <a class="external-link" href="http://searchsecurity.techtarget.in/news/2240225589/Indias-Dedicated-Cryptology-Centre-Gets-Rs-115-Crore-Funding">published in SearchSecurity.in</a> on July 28, 2014. Sunil Abraham gave his inputs.</p>
<hr />
<p style="text-align: justify; ">The research facility, called the RC Bose Centre For Cryptology and Security, is to be built on the campus of the Indian Statistical Institute at Kolkata, where there is already ongoing cryptology research and consultancy work, albeit on a smaller scale, according to professor Rana Barua, the centre's head.</p>
<p style="text-align: justify; ">In a world where electronic transactions and access to an ever-increasing number of places, installations and objects have made physical borders less relevant, the task of securing them against threats means strong encryption of data is critical to national defense.</p>
<p style="text-align: justify; ">"This centre is of course a welcome initial step, but it can't be the only thing. We will have to, ideally, take a billion dollars from some of the big funds, such as the Universal Service Obligation fund or from the next (wireless) spectrum auctions, and throw it at cryptography," said Sunil Abraham, director for policy at the Centre for Internet and Society, a non-profit research organisation.</p>
<p style="text-align: justify; ">"If the country takes our military superiority seriously, then when it comes to cyber wars, without having an upper hand in cryptography, there is no use discussing anything else," he added.</p>
<p style="text-align: justify; ">The new cryptology centre will focus on basic research, but take on applied work for India's defense needs and those of its financial institutions, professor Barua said, developing algorithms, testing encryption products for robustness, detecting vulnerabilities and so on.</p>
<p style="text-align: justify; ">The center will augment indigenous capabilities in cryptology and information security, Bimal K Roy, director of the India Statistical Institute told India's Press Trust, which reported the funding earlier this month.</p>
<p style="text-align: justify; ">"It is an important element of the overall efforts and framework to enhance capabilities to ensure holistic security of the Indian cyber space. With an eminent body of world class experts, it will act as a hub for all cryptographic requirements, cutting edge research and technology development within the country," Press Trust cited Roy as saying.</p>
<p style="text-align: justify; ">Once centre is up and running and, over the next two years, it will have the infrastructure to allow more than 30 researchers to work, but "the problem of course is to get good researchers in this area," Barua said.</p>
<p style="text-align: justify; ">Pretty much all the best mathematicians in the world today work with the US government either directly or as part of the American academia and via research projects funded by the US government, said the Centre for Internet and Society's Abraham.</p>
<p style="text-align: justify; ">Given that most of the standards used today are those set by the National Institute of Standards and Technology (NIST), the US standard-setting organisation, "we should ensure that our participation at NIST is of the highest quality and we need an army of mathematicians," he said.</p>
<p style="text-align: justify; ">However, in India there may be a small number of mathematicians who are capable of the highest level of cryptology research. Even if there are more, there is another problem for them to keep abreast of the latest advances.</p>
<p style="text-align: justify; ">In the past, maths used to be an open science and all advances would be published and available for peers to learn from each other. With the militarisation of the areas of maths that deal with cryptology, the latest research isn't available and mathematicians have to essentially work things out on their own as well as conjecture what others might be doing.</p>
<p style="text-align: justify; ">Today, every country other than the US faces a shortage of skilled cryptographers, according to Abraham: "Everybody is in the soup, but India is in worse soup because we went with this engineering craze instead of pure sciences and math, we've ignored building capacity in that area."</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/search-security-july-28-2014-harichandan-arakali-indias-dedicated-cryptology-centre-gets-funding'>http://editors.cis-india.org/news/search-security-july-28-2014-harichandan-arakali-indias-dedicated-cryptology-centre-gets-funding</a>
</p>
No publisherpraskrishnaCryptographyInternet Governance2014-07-29T07:18:08ZNews ItemGood Intentions, Recalcitrant Text - I: Why India’s Proposal at the ITU is Troubling for Internet Freedoms
http://editors.cis-india.org/internet-governance/blog/good-intentions-going-awry-i-why-india2019s-proposal-at-the-itu-is-troubling-for-internet-freedoms
<b>The UN's International Telecommunications Union (ITU) is hosting its Plenipotentiary Conference (PP-14) this year in South Korea. At PP-14, India introduced a new draft resolution on ITU's Role in Realising Secure Information Society. The Draft Resolution has grave implications for human rights and Internet governance. Geetha Hariharan explores.</b>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">At the 2014 Plenipotentiary Conference (‘PP-14’ or ‘Plenipot’) of the International Telecommunications Union (ITU), India has tabled <a href="http://editors.cis-india.org/internet-governance/blog/india-draft-resolution-itus-role-in-securing-information-security/at_download/file">a draft proposal</a> on “ITU’s Role in Realising Secure Information Society” [Document 98, dated 20 October 2014] (“<strong>Draft Resolution</strong>”). India’s proposal has incited a great deal of concern and discussion among Plenipot attendees, governments and civil society alike. Before offering my concerns and comments on the Draft Resolution, let us understand the proposal.</p>
<p style="text-align: justify; ">Our Draft Resolution identifies 3 security concerns with exchange of information and resource allocation on the Internet:</p>
<ul style="text-align: justify; ">
<li><i>First</i>, it is troubling for India that present network architecture has “<i>security weaknesses</i>” such as “<i>camouflaging the identity of the originator of the communication</i>”;<a href="#_ftn1">[1]</a> random IP address distribution also makes “<i>tracing of communication difficult</i>”;<a href="#_ftn2">[2]</a></li>
<li><i>Second</i>, India is concerned that under the present allocation system of naming, numbering and addressing resources on the Internet, it is impossible or at the very least, cumbersome to identify the countries to which IP address are allocated;<a href="#_ftn3">[3]</a> </li>
<li><i>Third</i>, India finds it insecure from the point of view of national security that traffic originating and terminating in the same country (domestic traffic) often routes through networks overseas;<a href="#_ftn4">[4]</a> similarly, local address resolution also routes through IP addresses outside the country or region, which India finds troubling.<a href="#_ftn5">[5]</a></li>
</ul>
<p style="text-align: justify; ">In an effort to address these concerns, the Draft Resolution seeks to instruct the ITU Secretary General:</p>
<ul style="text-align: justify; ">
<li><i>First</i>,<i> </i>to develop and recommend a ‘traffic routing plan’ that can “<i>effectively ensure the traceability of communication</i>”;<a href="#_ftn6">[6]</a></li>
<li><i>Second</i>, to collaborate with relevant international and intergovernmental organisations to develop an<i> </i>“<i>IP address plan</i>”<i> </i>which facilitates identification of locations/countries to which IP addresses are allocated and coordinates allocation accordingly;<a href="#_ftn7">[7]</a></li>
<li><i>Third</i>, to develop and recommend “<i>a public telecom network architecture</i>” that localizes both routing<a href="#_ftn8">[8]</a> as well as address resolution<a href="#_ftn9">[9]</a> for local/domestic traffic to “<i>within the country</i>”.</li>
</ul>
<p style="text-align: justify; ">Admittedly, our Draft Resolution is intended to pave a way for “<i>systematic, fair and equitable allocation</i>” of, <i>inter alia</i>, naming, numbering and addressing resources,<a href="#_ftn10">[10]</a> keeping in mind security and human rights concerns.<a href="#_ftn11">[11]</a> In an informal conversation, members of the Indian delegation echoed these sentiments. Our resolution does not, I was told, raise issues about the “<i>concentration of control over Internet resources</i>”, though “<i>certain governments</i>” have historically exercised more control. It also does not, he clarified, wish to make privacy or human rights a matter for discussion at the ITU. All that the Draft Resolution seeks to do is to equip the ITU with the mandate to prepare and recommend a “<i>roadmap for the systematization</i>” of allocation of naming, numbering and addressing resources, and for local routing of domestic traffic and address resolution. The framework for such mandate is that of security, given the ITU’s role in ‘building confidence and security in the use of ICTs’ under Action Line C5 of the <a href="http://www.itu.int/wsis/docs/geneva/official/poa.html">Geneva Plan of Action</a>, 2003.</p>
<p style="text-align: justify; ">Unfortunately, the text of our Draft Resolution, by dint of imprecision or lack of clarity, undermines India’s intentions. On three issues of utmost importance to the Internet, the Draft Resolution has unintended or unanticipated impacts. <strong><i>First</i></strong>, its text on tracing communication and identity of originators, and systematic allocation of identifiable IP address blocks to particular countries, has impacts on privacy and freedom of expression. Given Edward Snowden’s <a href="http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded">NSA files</a> and the absence of adequate protections against government incursions or excesses into privacy,<a href="#_ftn12">[12]</a> either in international human rights law or domestic law, such text is troublesome. <strong><i>Second</i></strong>, it has the potential to undermine multi-stakeholder approaches to Internet governance by proposing text that refers almost exclusively to sovereign monopolies over Internet resource allocation, and <strong><i>finally</i></strong>, displays a certain disregard for network architecture and efficiency, and to principles of a free, open and unified Internet, when it seeks to develop global architecture that facilitates (domestic) localization of traffic-routing, address resolution and allocation of naming, numbering and addressing.</p>
<p style="text-align: justify; ">In this post, I will address the first concern of human rights implications of our Draft Resolution.<span> </span></p>
<h3 style="text-align: justify; ">Unintended Implications for Privacy and Freedom of Expression:</h3>
<p style="text-align: justify; ">India’s Draft Resolution has implications for individual privacy. At two different parts of the preamble, India expresses concerns with the impossibility of locating the user at the end of an IP address:</p>
<ul style="text-align: justify; ">
<li>Pream. §(e): “<i>recognizing</i>… that the modern day packet networks, which at present have many security weaknesses, <i>inter alia</i>, camouflaging the identity of originator of the communication”;</li>
<li>Pream. §(h): “<i>recognizing</i>… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.</li>
</ul>
<p style="text-align: justify; ">The concerns here surround difficulties in tracking IP addresses due to the widespread use of NATs, as also the existence of IP anonymisers like Tor. Anonymisers like Tor permit individuals to cover their online tracks; they conceal user location and Internet activity from persons or governments conducting network surveillance or traffic analysis. For this reason, Tor has caused much discomfort to governments. <a href="http://www.wired.com/2014/10/laura-poitras-crypto-tools-made-snowden-film-possible/">Snowden used Tor</a> while communicating with Laura Poitras. Bradley (now Chelsea) Manning of Wikileaks fame is<i> </i><a href="http://belfercenter.ksg.harvard.edu/files/maurer-dp-2011-10-wikileaks-final.pdf">reported</a> to have used Tor (page 24). Crypto is increasingly the safest – perhaps the only safe – avenue for political dissidents across the world; even Internet companies were <a href="http://gizmodo.com/the-nsa-was-going-to-fine-yahoo-250k-a-day-if-it-didnt-1633677548">coerced</a> into governmental compliance. No wonder, then, that governments are doing all they can to dismantle IP anonymisers: the <a href="http://arstechnica.com/security/2013/10/nsa-repeatedly-tries-to-unpeel-tor-anonymity-and-spy-on-users-memos-show/">NSA</a> and <a href="http://www.itproportal.com/2013/10/04/nsa-and-gchq-repeatedly-tried-infiltrate-tor-documents-reveal/">GCHQ</a> have tried to break Tor; the Russian government has <a href="http://www.bloomberg.com/news/2014-07-29/putin-sets-110-000-bounty-for-cracking-tor-as-anonymous-internet-usage-in-russia-surges.html">offered a reward</a> to anyone who can.</p>
<p style="text-align: justify; ">Far be it from me to defend Tor blindly. There are reports <a href="http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption">suggesting</a> that Tor is being <a href="http://news.softpedia.com/news/Tor-Attracts-More-and-More-Cybercriminals-Experts-Warn-430659.shtml">used by offenders</a>, and not merely those of the Snowden variety. But governments must recognize the very obvious trust deficit they face, especially after <a href="http://www.statewatch.org/news/2014/may/ep-LIBE-Inquiry-NSA-Surveillance.pdf">Snowden’s revelations</a>, and consider the implications of seeking traceability and identity/geolocation for every IP address, in a systematic manner. The implications are for privacy, a right guaranteed by Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Privacy has been <a href="http://www.hrw.org/sites/default/files/related_material/UNGA_upload_0.pdf">recognized</a> by the UN General Assembly as applicable in cases of surveillance, interception and data collection, in Pream. §4 of its resolution <i>The Right to Privacy in the Digital Age</i>. But many states do not have robust privacy protections for individuals and data. And while governments may state the necessity to create international policy to further effective criminal investigations, such an aim cannot be used to nullify or destroy the rights of privacy and free speech guaranteed to individuals. Article 5(1), ICCPR, codifies this principle, when it states that States, groups or persons may not “<i>engage in any activity or perform any act aimed at the destruction of any of the rights and freedoms recognized herein…</i>”.</p>
<p style="text-align: justify; "><span>Erosion of privacy has a chilling effect on free speech [</span><i><a href="http://www.law.cornell.edu/supremecourt/text/376/254">New York Times v. Sullivan</a></i><span>, 376 U.S. 254], so free speech suffers too. Particularly with regard to Tor and identification of IP address location and users, anonymity in Internet communications is at issue. At the moment, most states already have anonymity-restrictions, in the form of identification and registration for cybercafés, SIM cards and broadband connections. For instance, Rule 4 of India’s </span><a href="http://deity.gov.in/sites/upload_files/dit/files/GSR315E_10511(1).pdf">Information Technology (Guidelines for Cyber Cafe) Rules, 2011</a><span>, mandates that we cannot not use computers in a cybercafé without establishing our identities. But our ITU Draft Resolution seeks to </span><i>dismantle</i><span> the ability of Internet users to operate anonymously, be they political dissidents, criminals or those merely acting on their expectations of privacy. Such dismantling would be both violative of international human rights law, as well as dangerous for freedom of expression and privacy in principle. Anonymity is integral to democratic discourse, held the US Supreme Court in </span><i><a href="http://www.law.cornell.edu/supct/html/93-986.ZO.html">McIntyre v. Ohio Elections Commission</a></i><span> [514 U.S. 334 (1995)].</span><a href="#_ftn13">[13]</a><span> Restrictions on Internet anonymity facilitate communications surveillance and have a chilling effect on the free expression of opinions and ideas, </span><a href="http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf">wrote Mr. Frank La Rue</a><span>, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (¶¶ 48-49).</span></p>
<p style="text-align: justify; ">So a law or international policy for blanket identification and traceability of IP addresses has grave consequences for and <i>prima facie </i>violates privacy, anonymity and freedom of speech. But these rights are not absolute, and can be validly restricted. And because these human rights are implicated, the ITU with its lack of expertise in the area may not be the adequate forum for discussion or study.</p>
<p style="text-align: justify; "><span>To be valid and justified interference, any law, policy or order interfering with privacy and free speech must meet the standards of reasonableness and proportionality, even if national security were the government’s legitimate aim, laid down in Articles 19(3) and 17 of the Covenant on Civil and Political Rights (CCPR) [</span><i><a href="http://www1.umn.edu/humanrts/undocs/html/vws488.htm">Toonen v. Australia</a></i><span>, Communication No. 488/1992, U.N. Doc CCPR/C/50/D/488/1992 (1994), ¶6.4]. And as the European Court of Human Rights found in </span><i><a href="http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-76586">Weber & Saravia v. Germany</a></i><span> [Application no. 54934/00, 29 June 2006 (ECHR), ¶95], law or executive procedure that </span><i>enables</i><span> surveillance without sufficient safeguards is </span><i>prima facie</i><span> unreasonable and disproportionate. Re: anonymity, in </span><i><a href="http://hudoc.echr.coe.int/sites/eng/pages/search.aspx?i=001-126635">Delfi AS v. Estonia</a></i><span> [Application no. 64569/09, 17 February 2014, ¶83], while considering the liability of an Internet portal for offensive anonymous comments, the ECHR has emphasized the importance of balancing freedom of expression and privacy. It relied on certain principles such as “</span><i>contribution to a debate of general interest, subject of the report, the content, form and consequences of the publication</i><span>” to test the validity of government’s restrictions.</span></p>
<p style="text-align: justify; ">The implications of the suggested text of India’s Draft Resolution should then be carefully thought out. And this is a good thing. For one must wonder why governments need perfect traceability, geolocation and user identification for <i>all</i> IP addresses. Is such a demand really different from mass or blanket surveillance, in scale and government tracking ability? Would this not tilt the balance of power strongly in favour of governments against individuals (citizens or non-citizens)? This fear must especially arise in the absence of domestic legal protections, both in human rights, and criminal law and procedure. For instance, India’s Information Technology Act, 2000 (amended in 2008) has Section 66A, which criminalizes offensive speech, as well as speech that causes annoyance or inconvenience. Arguably, arrests under Section 66A have been <a href="http://timesofindia.indiatimes.com/city/bangalore/Man-arrested-for-allegedly-sending-offensive-MMS-against-Modi-confirmed-innocent-by-police-released/articleshow/35624351.cms">arbitrary</a>, and traceability may give rise to a host of new worries.</p>
<p style="text-align: justify; "><span>In any event, IP addresses and users can be discerned under existing domestic law frameworks. Regional Internet Registries (RIR) such as APNIC allocate blocks of IP addresses to either National Internet Registries (NIR – such as IRINN for India) or to ISPs directly. The ISPs then allocate IP addresses dynamically to users like you and me. Identifying information for these ISPs is maintained in the form of </span><a href="http://www.irinn.in/whoisSearchform.action">WHOIS records</a><span> and </span><a href="file://localhost/pub/stats/apnic">registries</a><span> with RIRs or NIRs, and this information is public. ISPs of most countries require identifying information from users before Internet connection is given, i.e., IP addresses allocated (mostly by dynamic allocation, for that is more efficient). ISPs of some states are also regulated; in India, for instance, ISPs require a </span><a href="http://www.dot.gov.in/licensing/data-services">licence</a><span> to operate and offer services.</span></p>
<p style="text-align: justify; ">If any government wished, on the basis of some reasonable cause, to identify a particular IP address or its user, then the government could first utilize WHOIS to obtain information about the ISP. Then ISPs may be ordered to release specific IP address locations and user information under executive or judicial order. There are also technical solutions, such as <a href="http://traceroute.monitis.com/">traceroute</a> or <a href="http://ip-lookup.net/">IP look-up</a> that assist in tracing or identifying IP addresses. Coders, governments and law enforcement must surely be aware of better technology than I.</p>
<p style="text-align: justify; ">If we take into account this possibility of geolocation of IP addresses, then the Draft Resolution’s motivation to ‘systematize’ IP address allocations on the basis of states is unclear. I will discuss the implication of this proposal, and that of traffic and address localization, in my next post.</p>
<p style="text-align: justify; "> </p>
<hr size="1" style="text-align: justify; " width="33%" />
<p style="text-align: justify; "><a href="#_ftnref1">[1]</a> Pream. §(e), Draft Resolution: “recognizing… that the modern day packet networks, which at present have many security weaknesses, inter alia, camouflaging the identity of originator of the communication”.</p>
<p style="text-align: justify; "><a href="#_ftnref2">[2]</a> Pream. §(h), Draft Resolution: “recognizing… that IP addresses are distributed randomly, that makes the tracing of communication difficult”.</p>
<p style="text-align: justify; "><a href="#_ftnref3">[3]</a> Op. §1, Draft Resolution: “instructs the Secretary General… to collaborate with all stakeholders including International and intergovernmental organizations, involved in IP addresses management to develop an IP address plan from which IP addresses of different countries are easily discernible and coordinate to ensure distribution of IP addresses accordingly”.</p>
<p style="text-align: justify; "><a href="#_ftnref4">[4]</a> Pream. §(g), Draft Resolution: “recognizing… that communication traffic originating and terminating in a country also many times flows outside the boundary of a country making such communication costly and to some extent insecure from national security point of view”.</p>
<p style="text-align: justify; "><a href="#_ftnref5">[5]</a> Pream. §(f), Draft Resolution: “recognizing… that even for local address resolution at times, system has to use resources outside the country which makes such address resolution costly and to some extent insecure from national security perspective”.</p>
<p style="text-align: justify; "><a href="#_ftnref6">[6]</a> Op. §6, Draft Resolution: “instructs the Secretary General… to develop and recommend a routing plan of traffic for optimizing the network resources that could effectively ensure the traceability of communication”.</p>
<p style="text-align: justify; "><a href="#_ftnref7">[7]</a> Op. §1, Draft Resolution; <i>see</i> note 3.</p>
<p style="text-align: justify; "><a href="#_ftnref8">[8]</a> Op. §5, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures that effectively the traffic meant for the country, traffic originating and terminating in the country remains within the country”.</p>
<p style="text-align: justify; "><a href="#_ftnref9">[9]</a> Op. §4, Draft Resolution: “instructs the Secretary General… to develop and recommend public telecom network architecture which ensures effectively that address resolution for the traffic meant for the country, traffic originating and terminating in the country/region takes place within the country”.</p>
<p style="text-align: justify; "><a href="#_ftnref10">[10]</a> Context Note to Draft Resolution, ¶3: “Planning and distribution of numbering and naming resources in a systematic, equitable, fair and just manner amongst the Member States…”</p>
<p style="text-align: justify; "><a href="#_ftnref11">[11]</a> Context Note to Draft Resolution, ¶2: “…there are certain areas that require critical attention to move in the direction of building the necessary “Trust Framework” for the safe “Information Society”, where privacy, safety are ensured”.</p>
<p style="text-align: left; "><a href="#_ftnref12">[12]</a> <i>See, for instance</i>, Report of the Office of the High Commission for Human Rights (“OHCHR”), <i>Right to Privacy in the Digital Age</i>, A/HRC/27/37 (30 June 2014), ¶34-35, <a href="http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf">http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf</a>. <i>See esp. </i>note 30 of the Report, ¶35.</p>
<p style="text-align: justify; "><a href="#_ftnref13">[13]</a> Many thorny political differences exist between the US and many states (including India and Kenya, who I am told has expressed preliminary support for the Draft Resolution) with regard to Internet governance. Irrespective of this, the US Constitution’s First Amendment and judicial protections to freedom of expression remain a yardstick for many states, including India. India, for instance, has positively referred to the US Supreme Court’s free speech protections in many of its decisions; <i>ex. see</i> Kharak Singh v. State of Uttar Pradesh, 1963 Cri. L.J. 329; R. Rajagopal v. State of Tamil Nadu, AIR 1995 SC 264.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/good-intentions-going-awry-i-why-india2019s-proposal-at-the-itu-is-troubling-for-internet-freedoms'>http://editors.cis-india.org/internet-governance/blog/good-intentions-going-awry-i-why-india2019s-proposal-at-the-itu-is-troubling-for-internet-freedoms</a>
</p>
No publishergeethaCryptographyPrivacyCybersecurityInternet GovernanceFreedom of Speech and ExpressionChilling EffectMulti-stakeholderAnonymityITU2014-11-02T15:13:45ZBlog EntryRegulating the Internet: The Government of India & Standards Development at the IETF
http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf
<b>The institution of open standards has been described as a formidable regulatory regime governing the Internet. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</b>
<p>This brief was authored by Aayush Rathi, Gurshabad Grover and Sunil Abraham. Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<hr />
<h2>Executive Summary</h2>
<div> </div>
<p style="text-align: justify;">The institution of open standards has been described as a formidable regulatory regime governing the Internet. As the Internet has moved to facilitate commerce and communication, governments and corporations find greater incentives to participate and influence the decisions of independent standards development organisations.</p>
<p style="text-align: justify;">While most such bodies have attempted to systematise fair and transparent processes, this brief highlights how they may still be susceptible to compromise. Documented instances of large private companies like Microsoft, and governmental instrumentalities like the US National Security Agency (NSA) exerting disproportionate influence over certain technical standards further the case for increased Indian participation.</p>
<p style="text-align: justify;">The debate around Transport Layer Security (TLS) 1.3 at the Internet Engineering Task Force (IETF) forms an important case for studying how a standards body responded to political developments, and how the Government of India participated in the ensuing discussions. Lasting four years, the debate ended in favour of greater communications security. One of the security improvements in TLS 1.3 over its predecessor is that is makes less information available to networking middleboxes. Considering that Indian intelligence agencies and government departments have expressed fears of foreign-manufactured networking equipment being used by foreign intelligence to eavesdrop on Indian networks, the development is potentially favourable for the security of Indian communication in general, and the security of military and intelligence systems in particular. India has historically procured most networking equipment from foreign manufacturers. While there have been calls for indigenised production of such equipment, achieving these objectives will necessarily be a gradual process. Participating in technical standards can, then, be an effective interim method for intelligence agencies, defence wings and law enforcement for establishing trust in critical networking infrastructure sourced from foreign enterprises.</p>
<p style="text-align: justify;">Outlining some of the existing measures the Indian government has put in place to build capacity for and participate in standard setting, this brief highlights that while these are useful starting points, they need to be harmonised and strengthened to be more fruitful. Given the regulatory and domestic policy implications that technical standards can have, there is a need for Indian governmental agencies to focus adequate resources geared towards achieving favourable outcomes at standards development fora.</p>
<hr />
<p>Click <a class="external-link" href="http://cis-india.org/internet-governance/files/regulating-the-internet">here</a> to download the policy brief.</p>
<p style="text-align: justify;">Note: The recommendations in the brief were updated on 17 December 2018 to reflect the relevance of technical standard-setting in the recent discussions around Indian intelligence concerns about foreign-manufactured networking equipment.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf'>http://editors.cis-india.org/internet-governance/blog/regulating-the-internet-the-government-of-india-standards-development-at-the-ietf</a>
</p>
No publisherAayush Rathi, Gurshabad Grover and Sunil AbrahamOpen StandardsCryptographyCybersecurityInternet GovernanceSurveillanceIETFEncryption Policy2019-01-22T07:29:39ZBlog Entry