The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Cyberspying: Government may ban Gmail for official communication
http://editors.cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication
<b>The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.
</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">This article was <a class="external-link" href="http://timesofindia.indiatimes.com/tech/tech-news/internet/Cyberspying-Government-employees-may-face-Gmail-ban/articleshow/22156529.cms">published in the Times of India</a> on August 30, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.<br /><br />"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.</p>
<h3 style="text-align: justify; ">Snowden fallout</h3>
<p style="text-align: justify; "><span id="advenueINTEXT" style="float:left; ">The move comes in the wake of revelations by former US <a href="http://timesofindia.indiatimes.com/topic/National-Security-Agency">National Security Agency</a> contractor Edward <a href="http://timesofindia.indiatimes.com/topic/Snowden-%28musician%29">Snowden</a> that the <a href="http://timesofindia.indiatimes.com/topic/US-Government">US government</a> had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called <a href="http://timesofindia.indiatimes.com/topic/PRISM">PRISM</a>. <br /><br /> Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured. <br /><br /> Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email. <br /><br /> A <a href="http://timesofindia.indiatimes.com/topic/Google-India">Google India</a> spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response. <br /><br /> A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts. <br /><br /> "You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user." 
<br /><br /> Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India. <br /><br /> Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished. <br /><br /> "After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past. <br /><br /> "Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance." </span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication'>http://editors.cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Surveillance | 2013-09-02T04:19:53Z | News Item
DesiSec: Episode 1 - Film Release and Screening
http://editors.cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening
<b>The Centre for Internet and Society is pleased to announce the release of the first documentary film on cybersecurity in India - DesiSec.
We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!</b>
<div>In early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - <strong>DesiSec: Cybersecurity and Civil Society in India</strong>.</div>
<div> </div>
<div>Trailer link: <a href="http://editors.cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer">http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer</a></div>
<div> </div>
<div>CIS is hosting a special screening of <strong>DesiSec: Episode 1</strong> on <strong>11th December, 2013, 6 pm</strong> and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.</div>
<div> </div>
<div>We look forward to seeing you there!</div>
<div> </div>
<div>RSVP: <a href="mailto:purba@cis-india.org" target="_blank">purba@cis-india.org</a></div>
<div>Venue: http://osm.org/go/yy4fIjrQL?m=</div>
<div> </div>
<div><strong><em>This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.</em></strong></div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening'>http://editors.cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening</a>
</p>
No publisher | purba | Cyberspace, Privacy, Cybersecurity, Internet Governance, Surveillance, Cyber Security Film, Cyber Security, Event | 2013-12-17T08:13:32Z | Event
Internet users enraged over US online spying
http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying
<b>India is the fifth most tracked nation by American intelligence agencies.</b>
<hr />
<p style="text-align: justify; ">The article by Maitreyee Boruah was <a class="external-link" href="http://articles.timesofindia.indiatimes.com/2013-06-29/people/40256468_1_privacy-private-information-sunil-abraham">published in the Times of India</a> on June 29, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Have you been posting pictures and messages with gay abandon on your social networking sites or having personal discussions on instant chat or video messaging and thinking that no one other than the intended recipient(s) has access to it? Well, going by the recent revelation that government agencies, and that too from the US, have been spying on our internet usage and collating private information, even the most hardcore security settings for your online data are apparently of no use.</p>
<p style="text-align: justify; ">According to former US <a href="http://timesofindia.indiatimes.com/topic/Central-Intelligence-Agency">Central Intelligence Agency</a> (CIA) employee Edward Snowden's testimony, the US National Security Agency (<a href="http://timesofindia.indiatimes.com/topic/National-Security-Agency">NSA</a>) has been using major tech giants to spy on private information of users around the world. And India is the fifth most tracked nation by the US intelligence system. But isn't this a direct infringement on our right to privacy? Or are such measures the need of the hour, given the increasing incidences of terror acts across the world?</p>
<p style="text-align: justify; "><b>What should the <a href="http://timesofindia.indiatimes.com/topic/Indian-Government">Indian government</a> do?</b></p>
<p style="text-align: justify; ">Recently, a PIL (Public Interest Litigation) was filed in the Indian Supreme Court on the issue of the web snooping by the US. The PIL sought the Centre to initiate action against internet companies for sharing information with foreign authorities, which amounts to breach of contract and violation of the right to privacy.</p>
<p style="text-align: justify; ">"First, we need to urgently enact a horizontal privacy law, which articulates privacy principles and institutes <a href="http://timesofindia.indiatimes.com/topic/The-Office">the office</a> of the <a href="http://timesofindia.indiatimes.com/topic/Privacy-Commissioner">privacy commissioner</a>. Second, we need to promote the use of encryption and other privacy-enhancing technologies. The use of foreign internet infrastructure by those in public offices should be banned, except in the case of public dissemination. And last, but not the least, take action against online firms that have access to personal data of users and violate the privacy of Indian citizens through the office of the regulator," suggests Sunil Abraham, executive director of Bangalore-based research organization, Centre for Internet and Society.</p>
<p style="text-align: justify; ">Anja Kovacs, project director at the Internet Democracy Project in India, meanwhile, wants the Indian government to assert itself. "The best the Indian government can do is to demand that this kind of snooping does not happen. However, it can't ensure that such episodes won't happen in the future, as there is no enforceable global legal framework to deal with online snooping."</p>
<p><b>Era of the Big Brother?</b></p>
<p style="text-align: justify; ">Given the lack of legal support, does it mean that internet users have no right to privacy? "We do have a right to privacy. Unfortunately, our right is not respected. By and large, unless they use special tools to protect themselves, internet users do not have any real privacy in many countries, including India," says Anja, adding, "The right to privacy is not explicitly included in the Constitution, and the Privacy Bill continues to be pending. Also, Indian intelligence agencies are not under supervision of the Parliament, which is an important weakness in the accountability system." Echoing Anja, Sunil says, "In India, unfortunately, our right to privacy is not sufficiently protected. Indian laws are not strong enough to safeguard privacy of Internet users."</p>
<p><b>Anger in the online community</b></p>
<p style="text-align: justify; ">A large number of internet users who we spoke to said they were "shocked" after hearing about the US government's spying mechanism. "The recent revelation of snooping by the <a href="http://timesofindia.indiatimes.com/topic/US-Government">US government</a> is a clear case of intrusion into our privacy. It is absolutely illegal," says 24-year-old IT professional Subodh Gupta.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying'>http://editors.cis-india.org/news/times-of-india-maitreyee-boruah-june-29-2013-internet-users-enraged-over-us-online-spying</a>
</p>
No publisher | praskrishna | Surveillance, Internet Governance, Privacy | 2013-07-01T04:10:05Z | News Item
In India, Prism-like Surveillance Slips Under the Radar
http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar
<b>Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.
</b>
<p>The article by Anjan Trivedi was <a class="external-link" href="http://world.time.com/2013/06/30/in-india-prism-like-surveillance-slips-under-the-radar/#ixzz2XoCbrn00">published in Time World</a> on June 30, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">However, it turns out <a href="http://topics.time.com/india/">India</a>, the world’s largest democracy, is building its own version to monitor internal communications in the name of national security. Yet India’s Central Monitoring System, or CMS, was not shrouded in secrecy — New Delhi <a href="http://www.dot.gov.in/sites/default/files/AR%20Englsih%2011-12_0.pdf">announced</a> its intentions to watch over its citizens, however mutedly, in <a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747">2011</a>, and rollout is slated for August. And while reports that the American system collected 6.3 billion <a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining">intelligence reports</a> in India led to a <a href="http://m.indianexpress.com/news/supreme-court-agrees-to-hear-pil-on-us-surveillance-of-internet-data/1131011/">lawsuit</a> at the nation’s <a href="http://topics.time.com/supreme-court/">Supreme Court</a>, comparable indignation has been conspicuously lacking with the domestic equivalent.</p>
<p style="text-align: justify; ">CMS is an ambitious surveillance system that monitors text messages, social-media engagement and phone calls on landlines and cell phones, among other communications. That means 900 million landline and cell-phone users and 125 million Internet users. The project, which is being implemented by the government’s <a href="http://www.cdot.in/about_us/berif_history.htm">Centre for Development of Telematics</a> (<a href="http://pib.nic.in/newsite/erelease.aspx?relid=78145">C-DOT</a>), is meant to help national law-enforcement agencies save time and avoid manual intervention, according to the Department of Telecommunications’ <a href="http://www.dot.gov.in/sites/default/files/Telecom%20Annual%20Report-2012-13%20%28English%29%20_For%20web%20%281%29.pdf">annual report</a>. This has been in the works since 2008, when C-DOT started working on a proof-of-concept, according to an older report. The government <a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp12/cit/wgrep_telecom.pdf">set aside</a> approximately $150 million for the system as part of its 12th five-year plan, although the Cabinet ultimately approved a higher amount.</p>
<p style="text-align: justify; ">Within the internal-security ministry though, the surveillance system remains a relatively “hush-hush” topic, a project official unauthorized to speak to the press tells TIME. In April 2011, the Police Modernisation Division of the Home Affairs Ministry put out a 90-page tender to solicit bidders for communication-interception systems in every state and union territory of India. The system requirements included “live listening, recording, storage, playback, analysis, postprocessing” and voice recognition.</p>
<p style="text-align: justify; ">Civil-liberties groups concede that states often need to undertake targeted-monitoring operations. However, the move toward extensive “surveillance capabilities enabled by digital communications,” suggests that governments are now “casting the net wide, enabling intrusions into private lives,” according to Meenakshi Ganguly, South Asia director for Human Rights Watch. This extensive communications surveillance through the likes of Prism and CMS are “out of the realm of judicial authorization and allow unregulated, secret surveillance, eliminating any transparency or accountability on the part of the state,” a recent U.N. <a href="http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf">report</a> stated.</p>
<p style="text-align: justify; ">India is no stranger to censorship and monitoring — tweets, blogs, books or songs are frequently blocked and banned. India ranked second only to the U.S. on Google’s list of user-data requests with 4,750 queries, up <a href="http://www.google.com/transparencyreport/userdatarequests/IN/">52% from two years back</a>, and removal requests from the government <a href="http://www.google.com/transparencyreport/removals/government/IN/?metric=items&p=2012-12">increased by 90%</a> over the previous reporting period. While these were largely made through police or court orders, the new system will not require such a legal process. In recent times, India’s democratically elected government has barred access to certain websites and Twitter handles, restricted the number of outgoing text messages to five per person per day and arrested citizens for liking Facebook posts and tweeting. Historically too, censorship has been India’s preferred means of policing social unrest. “Freedom of expression, while broadly available in theory,” Ganguly tells TIME, “is endangered by abuse of various India laws.”</p>
<p style="text-align: justify; ">There is a growing discrepancy and power imbalance between citizens and the state, says Anja Kovacs of the Internet Democracy Project. And, in an environment like India where “no checks and balances [are] in place,” that is troubling. The potential for misuse and misunderstanding, Kovacs believes, is increasing enormously. Currently, India’s laws relevant to interception “disempower citizens by relying heavily on the executive to safeguard individuals’ constitutional rights,” a recent <a href="http://www.indianexpress.com/news/way-to-watch/1133737/0">editorial</a> noted. The power imbalance is often noticeable at public protests, as in the case of the New Delhi gang-rape incident in December, when the government shut down public transport near protest grounds and unlawfully detained demonstrators.</p>
<p style="text-align: justify; ">With an already sizeable and growing population of Internet users, the government’s worries too are on the rise. Netizens in India are set to triple to 330 million by 2016, <a href="http://startupcatalyst.in/wp-content/uploads/2013/05/From_Buzz_to_Bucks_Apr_2013_tcm80-132875.pdf">according to a recent report</a>. “As [governments] around the world grapple with the power of social media that can enable spontaneous street protests, there appears to be increasing surveillance,” Ganguly explains.</p>
<p style="text-align: justify; ">India’s junior minister for telecommunications attempted to explain the benefits of this system during a <a href="http://www.youtube.com/watch?v=rwTsek5WUfE">recent Google+ Hangout</a> session. He acknowledged that CMS is something that “most people may not be aware of” because it’s “slightly technical.” A participant noted that the idea of such an intrusive system was worrying and he did not feel safe. The minister, though, insisted that it would “safeguard your privacy” and national security. Given the high-tech nature of CMS, he noted that telecom companies would no longer be part of the government’s surveillance process. India currently does <a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">not</a> have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the <a href="http://pib.nic.in/newsite/erelease.aspx?relid=71791">jurisdiction</a> of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”</p>
<p style="text-align: justify; ">The surveillance system is not only an “abuse of privacy rights and security-agency overreach,” critics say, but also counterproductive in terms of security. In the process of collecting data to monitor criminal activity, the data itself may become a target for terrorists and criminals — a “honeypot,” according to Sunil Abraham, executive director of India’s Centre for Internet and Society. Additionally, the wide-ranging tapping undermines financial markets, Abraham says, by compromising confidentiality, trade secrets and intellectual property. What’s more, vulnerabilities will have to be built into the existing cyberinfrastructure to make way for such a system. Whether the nation’s patchy infrastructure will be able to handle a complex web of surveillance and networks, no one can say. That, Abraham contends, is what attackers will target.</p>
<p style="text-align: justify; ">National security has widely been cited as the reason for this system, but no one can say whether it will actually help avert terrorist activity. India’s own 9/11 is a case in point: the Indian government was handed intelligence by foreign agencies about the possibility of the 2008 Mumbai terrorist attacks, but did not act. This is a “clear indication that having access to massive amounts of data is not necessarily going to make people safer,” Kovacs tells TIME. However, officers familiar with the new system say it will not increase surveillance or enhance intrusion beyond current levels; it will only strengthen the policy framework of privacy and increase <a href="http://pib.nic.in/newsite/erelease.aspx?relid=80829">operational efficiency</a>. Spokespersons and officials in the internal-security and telecom departments did not respond to requests or declined to comment.</p>
<p style="text-align: justify; ">The government has been cagey about details on implementation and <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=70791">extent</a>. This ability to act however the authorities deem fit “just makes it really easy to slide into authoritarianism, and that is not acceptable for any democratic country,” Kovacs says. Indeed, India has seen that before — almost four decades ago, Indira Gandhi declared a state of emergency for 19 months, which suspended all civil liberties. Indians complaining about Prism may want to look a little closer to home.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar'>http://editors.cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar</a>
</p>
No publisher | praskrishna | Surveillance, Internet Governance, Privacy | 2013-07-03T09:31:18Z | News Item
Hits and Misses With the Draft Encryption Policy
http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy
<b>Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.
</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://thewire.in/2015/09/26/hits-and-misses-with-the-draft-encryption-policy-11708/">published in the Wire</a> on September 26, 2015.</p>
<hr />
<p style="text-align: justify; ">This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.<br /><br />However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.</p>
<h3 style="text-align: justify; ">Plain-text storage requirement</h3>
<p style="text-align: justify; ">First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions is based on dynamically generated keys and users are not even aware that their interactions with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.<br /><br />Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. 
However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore does not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.<br /><br />Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.</p>
<h3 style="text-align: justify; ">Regulatory design</h3>
<p style="text-align: justify; ">Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.<br /><br />This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.<br /><br />Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. 
“Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”<br /><br />The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.</p>
<h3 style="text-align: justify; ">And the good news is…</h3>
<p style="text-align: justify; ">On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.<br /><br />Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.<br /><br />The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.<br /><br />Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. 
The basis of all encryption standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy'>http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy</a>
</p>
No publisher | sunil | Open Standards, Internet Governance, Surveillance, FOSS, B2B | 2015-09-26T16:46:53Z | Blog Entry
Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems are being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that are influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="http://editors.cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar'>http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar</a>
</p>
No publisher | Shruti Trikanad and Vrinda Bhandari | Surveillance, Aadhaar, Internet Governance, Privacy | 2022-08-09T08:17:32Z | Blog Entry
India's Central Monitoring System (CMS): Something to Worry About?
http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
<b>In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight into how the CMS actually works!</b>
<p style="text-align: justify; ">The idea of a Panopticon, of monitoring all communications in India and centrally storing such data, is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as <span class="internal-link">a project run by the Centre for Communication Security Research and Monitoring (CCSRM)</span>, along with the Telecom Testing and Security Certification (TTSC) project.</p>
<p align="JUSTIFY">The Central Monitoring System (CMS), which was <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/">largely covered by the media in 2013</a>, was actually <span class="internal-link">approved by the Cabinet Committee on Security (CCS) on 16th June 2011</span> and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, <span class="internal-link">government funding of the CMS has reached at least Rs. 450 crore</span> (around $72 million).</p>
<p align="JUSTIFY">In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">clause 41.10 of the Unified Access Services (UAS) License Agreement was amended</a> in June 2013. In particular, the amended clause includes the following:</p>
<blockquote class="italized">“<i>But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Government, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earliest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”</i></blockquote>
<p align="JUSTIFY">Furthermore, <span class="internal-link">draft Rule 419B</span> under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. <a class="external-link" href="http://books.google.gr/books?id=dO2wCCB7w9sC&pg=PA111&dq=%22Call+detail+record%22&hl=en&sa=X&ei=s-iUUO6gHseX0QGXzoGADw&redir_esc=y#v=onepage&q=%22Call%20detail%20record%22&f=false">Call Data Records</a>, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecommunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to <span class="internal-link">draft Rule 419B</span>, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.</p>
<p align="JUSTIFY">Other than this draft Rule and the <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amendment to clause 41.10 of the UAS License Agreement</a>, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, which empowers the Indian Government to intercept communications on the occurrence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:</p>
<ul>
<li>
<p align="JUSTIFY">the interests of the sovereignty and integrity of India</p>
</li>
<li>
<p align="JUSTIFY">the security of the State</p>
</li>
<li>
<p align="JUSTIFY">friendly relations with foreign states</p>
</li>
<li>
<p align="JUSTIFY">public order</p>
</li>
<li>
<p align="JUSTIFY">for preventing incitement to the commission of an offense</p>
</li>
</ul>
<p align="JUSTIFY">However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regard to its potential misuse and subsequent violation of Indians' right to privacy and other human rights.</p>
<h2><b>So how does the Central Monitoring System (CMS) actually work?</b></h2>
<p align="JUSTIFY">We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized <a href="http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system" class="external-link">access to the country's telecommunications network</a>. The question, though, is how.</p>
<p align="JUSTIFY">Well, prior to the CMS, all service providers in India were required to have <a class="external-link" href="http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet-traffic/article5107682.ece">Lawful Interception Systems</a> installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are <span class="internal-link">required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems</span>. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.</p>
<p align="JUSTIFY">In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the authority can also bypass service providers in gaining such access</a>. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.</p>
<p align="JUSTIFY">The above is illustrated in the following chart:</p>
<p align="JUSTIFY"><img src="http://editors.cis-india.org/chart_11.png" title="CMS chart" height="372" width="689" alt="CMS chart" class="image-inline" /></p>
<p align="JUSTIFY">The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, <span class="internal-link">70 ISF servers have been purchased for six License Service Areas</span> and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest are currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.</p>
<p align="JUSTIFY">The Centre for Development of Telematics plans to <span class="internal-link">integrate ISF servers which connect with the CMS in the premises of service providers </span>in the following regions:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Maharashtra</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (West)</p>
</li>
<li>
<p align="JUSTIFY">Andhra Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Uttar Pradesh (East)</p>
</li>
<li>
<p align="JUSTIFY">Kerala</p>
</li>
<li>
<p align="JUSTIFY">Gujarat</p>
</li>
<li>
<p align="JUSTIFY">Madhya Pradesh</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
</ul>
<p align="JUSTIFY">With regard to the UAS License Agreement that TSPs are required to comply with, <a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">amended clause 41.10</a> specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a <span class="internal-link">Memorandum of Understanding (MoU) for MPLS connectivity</span> has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, <span class="internal-link">Rs. 4.8 crore have been given to BSNL</span> for interconnecting 81 CMS locations of the following License Service Areas:</p>
<ul>
<li>
<p align="JUSTIFY">Delhi</p>
</li>
<li>
<p align="JUSTIFY">Mumbai</p>
</li>
<li>
<p align="JUSTIFY">Haryana</p>
</li>
<li>
<p align="JUSTIFY">Rajasthan</p>
</li>
<li>
<p align="JUSTIFY">Kolkata</p>
</li>
<li>
<p align="JUSTIFY">Karnataka</p>
</li>
<li>
<p align="JUSTIFY">Chennai</p>
</li>
<li>
<p align="JUSTIFY">Punjab</p>
</li>
</ul>
<p align="JUSTIFY"><a href="http://editors.cis-india.org/internet-governance/blog/uas-license-agreement-amendment" class="internal-link">Clause 41.10 of the UAS License Agreement</a> also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor <i>at least 30 simultaneous calls</i> for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:</p>
<ul>
<li>
<p align="JUSTIFY">Called/calling party mobile/PSTN numbers</p>
</li>
<li>
<p align="JUSTIFY">Time/date and duration of interception</p>
</li>
<li>
<p align="JUSTIFY">Location of target subscribers (Cell ID & GPS)</p>
</li>
<li>
<p align="JUSTIFY">Data records for failed call attempts</p>
</li>
<li>
<p align="JUSTIFY">CDR (Call Data Records) of Roaming Subscriber</p>
</li>
<li>
<p align="JUSTIFY">Forwarded telephone numbers by target subscriber</p>
</li>
</ul>
<p align="JUSTIFY">Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the data intercepted by all TSPs in India, which is stored in a central database. As of June 2013, <span class="internal-link">80% of the CMS Physical Data Centre has been built</span>.</p>
<p align="JUSTIFY">In short, the CMS replaces the existing manual system of interception and monitoring with an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. <span class="internal-link">Training has been imparted to the following law enforcement agencies</span>:</p>
<ul>
<li>
<p align="JUSTIFY">Intelligence Bureau (IB)</p>
</li>
<li>
<p align="JUSTIFY">Central Bureau of Investigation (CBI)</p>
</li>
<li>
<p align="JUSTIFY">Directorate of Revenue Intelligence (DRI)</p>
</li>
<li>
<p align="JUSTIFY">Research & Analysis Wing (RAW)</p>
</li>
<li>
<p align="JUSTIFY">National Investigation Agency (NIA)</p>
</li>
<li>
<p align="JUSTIFY">Delhi Police</p>
</li>
</ul>
<h2><b>And should we even be worried about the Central Monitoring System?</b></h2>
<p align="JUSTIFY">Well, according to the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">brief material for the Honourable MOC and IT Press Briefing</a> on 16th July 2013, we should <i>not</i> be worried about the Central Monitoring System. Over the last year, <a class="external-link" href="http://www.livemint.com/Politics/pR5zc8hCD1sn3NWQwa7cQJ/The-new-surveillance-state.html">media reports</a> have expressed fear that the Central Monitoring System will infringe upon citizens' right to privacy and other human rights. However, <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">Indian authorities have argued that the Central Monitoring System will <i>better protect</i> the privacy of individuals</a> and maintain their security due to the following reasons:</p>
<ol>
<li>
<p align="JUSTIFY">The CMS will <i>just automate</i> the existing process of interception and monitoring, and all the existing safeguards will continue to exist</p>
</li>
<li>
<p align="JUSTIFY">The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A</p>
</li>
<li>
<p align="JUSTIFY">The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted</p>
</li>
<li>
<p align="JUSTIFY">The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data</p>
</li>
<li>
<p align="JUSTIFY">A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard</p>
</li>
</ol>
<p align="JUSTIFY">While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start off by having a look at the above arguments.</p>
<p align="JUSTIFY">The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will <i>“just” </i>be automated, while posing no real threat. I fundamentally disagree with this argument for several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Information Technology (Amendment) Act, 2008</a>, and the <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Indian Telegraph Act, 1885</a>, potentially <a class="external-link" href="http://www.outlookindia.com/article.aspx?283149">infringes upon individuals' right to privacy</a> and other human rights.</p>
<p align="JUSTIFY">May I remind you of <a class="external-link" href="http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20%28amendment%29.pdf">Section 69 of the Information Technology (Amendment) Act, 2008</a>, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an <a class="external-link" href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/?_php=true&_type=blogs&_r=0">ambiguous matter</a>. And so, while the interception of communications in general is rather concerning due to draconian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something along the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”</p>
<p align="JUSTIFY">The second argument appears inadequate too. <a class="external-link" href="http://www.ijlt.in/pdffiles/Indian-Telegraph-Act-1885.pdf">Section 5(2) of the Indian Telegraph Act, 1885</a>, states that the interception of communications can be carried out on the occurrence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates <i>targeted</i> surveillance, while the Central Monitoring System could potentially undertake <i>mass</i> surveillance. Since the process of interception is automated and, under clause 41.16 of the <a class="external-link" href="http://www.dot.gov.in/sites/default/files/DOC270613-013.pdf">Unified License (Access Services) Agreement</a>, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurrence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.</p>
<p align="JUSTIFY">As for the third argument, it is not clear how <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">bypassing the nodal officers of TSPs</a> will enhance citizens' right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will cease to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?</p>
<p align="JUSTIFY">While the fourth argument makes a point about <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">differentiating the provisioning and requesting entities</a> with regard to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.</p>
<p align="JUSTIFY">Furthermore, this argument states that the <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">CMS authority will not have access to content data</a>, but does not specify if it will have access to metadata. What's concerning is that <a href="http://editors.cis-india.org/internet-governance/blog/fin-fisher-in-india-and-myth-of-harmless-metadata" class="external-link">metadata can potentially be more useful for tracking individuals than content data</a>, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individual says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to undercut the argument that the provisioning and requesting entities will be separate and therefore protect individuals' privacy.</p>
<p align="JUSTIFY">The final argument appears to provide some promise, since <a href="http://editors.cis-india.org/internet-governance/blog/new-cms-doc-2" class="internal-link">the maintenance of a command log of all provisioning activities</a> could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS, which support the notion that it enhances individuals' right to privacy, appear to be inadequate, to say the least.</p>
<p align="JUSTIFY">In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it <a class="external-link" href="https://www.schneier.com/blog/archives/2008/03/privacy_and_pow.html">protects individuals from abuse by those in power</a> and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.</p>
<p align="JUSTIFY">If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.</p>
<p align="JUSTIFY">After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.</p>
<p align="JUSTIFY"><i>How can we not be worried about the Central Monitoring System?</i></p>
<p align="JUSTIFY">The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about'>http://editors.cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about</a>
</p>
No publisher | maria | Surveillance, Internet Governance, SAFEGUARDS | 2014-02-22T13:50:37Z | Blog Entry
Workshop on 'Privacy after Big Data' (Delhi, November 12)
http://editors.cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016
<b>The Centre for Internet and Society (CIS) and the Sarai programme, CSDS, invite you to a workshop on 'Privacy after Big Data: What Changes? What should Change?' on Saturday, November 12. This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy. It is an open event. Please register to participate.</b>
<h4>Invitation note and agenda: <a href="https://github.com/cis-india/website/raw/master/docs/CIS-Sarai_PrivacyAfterBigData_ConceptAgenda.pdf">Download</a> (PDF)</h4>
<hr />
<h3>Venue and RSVP</h3>
<p><strong>Venue:</strong> Centre for the Study of Developing Societies, 29, Rajpur Road, Civil Lines, Delhi 110054.</p>
<p><strong>Location on Google Maps:</strong> <a href="https://www.google.com/maps/place/CSDS/@28.677775,77.2162523,17z/">https://www.google.com/maps/place/CSDS/@28.677775,77.2162523,17z/</a>.</p>
<p><strong>Registration:</strong> <a href="https://goo.gl/forms/py0Q0u8rMppu4smE3">Complete this form</a>.</p>
<h3>Concept Note</h3>
<p>In this age of big data, discussions about privacy are intertwined with the use of technology and the data deluge. Though big data possesses enormous value for driving innovation and contributing to productivity and efficiency, privacy concerns have gained significance in the dialogue around regulated use of data and the means by which individual privacy might be compromised, such as surveillance, or protected. The tremendous opportunities big data creates range across varied sectors: financial technology, governance, education, health, welfare schemes and smart cities, to name a few.</p>
<p>With the UID (“Aadhaar”) project re-animating the Right to Privacy debate in India, and the financial technology ecosystem growing rapidly, striking a balance between benefits of big data and privacy concerns is a critical policy question that demands public dialogue and research to inform an evidence based decision.</p>
<p>Also, with the advent of potential big data initiatives like the ambitious Smart Cities Mission under the Digital India Scheme, which would rely on harvesting large data sets and the use of analytics in city subsystems to make public utilities and services efficient, the tasks of ensuring data security on one hand and protecting individual privacy on the other become harder.</p>
<p>As key privacy principles are at loggerheads with big data activities, it is important to consider privacy as an embedded component in the processes, systems and projects, rather than being considered as an afterthought. These examples highlight the current state of discourse around data protection and privacy in India and the shapes they are likely to take in the near future.</p>
<p>This workshop aims to build a dialogue around some of the key government-led big data initiatives in India and elsewhere that are contributing significant new challenges and concerns to the ongoing debates on the right to privacy.</p>
<h3>Agenda</h3>
<h4>09:00-09:30 Tea and Coffee</h4>
<h4>09:30-10:00 Introduction</h4>
<p><a href="#amber">Mr. Amber Sinha</a> and <a href="#sandeep">Mr. Sandeep Mertia</a><br />
<em>This session will introduce the topic of the workshop in the context of the ongoing works at CIS and Sarai.</em></p>
<h4>10:00-11:00 From Privacy Bill(s) to ‘Habeas Data’</h4>
<p><a href="#usha">Dr. Usha Ramanathan</a> and <a href="#vipul">Mr. Vipul Kharbanda</a><br />
<em>This session will present a brief history of the privacy bill(s) in India and end with reflections on ‘habeas data’ as a lens for thinking and actualising privacy after big data.</em></p>
<h4>11:00-11:30 Tea and Coffee</h4>
<h4>11:30-12:30 Digital ID, Data Protection, and Exclusion</h4>
<p><a href="#amelia">Ms. Amelia Andersdotter</a> and <a href="#srikanth">Mr. Srikanth Lakshmanan</a><br />
<em>This session will discuss national centralised digital ID systems, often operating at a cross-functional scale, and highlight their implications for discussions on data protection, welfare governance, and exclusion from public and private services.</em></p>
<h4>12:30-13:30 Digital Money and Financial Inclusion</h4>
<p><a href="#anupam">Dr. Anupam Saraph</a> and <a href="#astha">Ms. Astha Kapoor</a><br />
<em>This session will focus on the rise of digital banking and online payments as core instruments of financial inclusion in India, especially in the context of the Jan Dhan Yojana and UPI, and reflect on the concerns around privacy and financial data.</em></p>
<h4>13:30-14:30 Lunch</h4>
<h4>14:30-15:30 Big Data and Mass Surveillance</h4>
<p><a href="#anja">Dr. Anja Kovacs</a> and <a href="#matthew">Mr. Matthew Rice</a><br />
<em>This session will reflect on the rise of mass communication surveillance across the world, and the evolving challenges of regulating il/legal surveillance by government agencies.</em></p>
<h4>15:30-16:15 Privacy is (a) Right</h4>
<p><a href="#apar">Mr. Apar Gupta</a> and <a href="#kritika">Ms. Kritika Bhardwaj</a><br />
<em>This brief session is to share initial ideas and strategies for articulating and actualising a constitutional right to privacy in India.</em></p>
<h4>16:15-16:30 Tea and Coffee</h4>
<h4>16:30-17:30 Round Table</h4>
<p><em>An open discussion session to conclude the workshop.</em></p>
<h3>Speakers</h3>
<h4 id="amber">Mr. Amber Sinha</h4>
<p>Amber works on issues surrounding privacy, big data, and cyber security. He is interested in the impact of emerging technologies like artificial intelligence and learning algorithms on existing legal frameworks, and how they need to evolve in response. Amber studied humanities and law at National Law School of India University, Bangalore.</p>
<p>E-mail: amber at cis-india dot org.</p>
<p>Twitter: <a href="https://twitter.com/ambersinha07">@ambersinha07</a>.</p>
<h4 id="amelia">Ms. Amelia Andersdotter</h4>
<p>Amelia Andersdotter has been a Member of the European Parliament. She works on practical implications of data protection laws and consumer information security in Sweden, and digital rights in Europe in general. Presently she is residing in Bangalore, where she is a visiting scholar with the Centre for Internet and Society. She holds a BSc in Mathematics.</p>
<p>URL: <a href="https://dataskydd.net">https://dataskydd.net</a>.</p>
<p>Twitter: <a href="https://twitter.com/teirdes">@teirdes</a>.</p>
<h4 id="anja">Dr. Anja Kovacs</h4>
<p>Dr. Anja Kovacs directs the Internet Democracy Project in Delhi, India, which works for an Internet that supports free speech, democracy and social justice in India and beyond. Anja’s research and advocacy focus especially on questions regarding freedom of expression, cybersecurity and the architecture of Internet governance. She has been a member of the Investment Committee of the Digital Defenders Partnership and of the Steering Committee of Best Bits, a global network of civil society members. She has also worked as an international consultant on Internet issues, including for the Independent Commission on Multilateralism, the United Nations Development Programme Asia Pacific and the UN Special Rapporteur on Freedom of Expression, Mr. Frank La Rue, as well as having been a Fellow at the Centre for Internet and Society in Bangalore, India.</p>
<p>Internet Democracy Project: <a href="https://internetdemocracy.in/">https://internetdemocracy.in</a>.</p>
<p>Twitter: <a href="https://twitter.com/anjakovacs">@anjakovacs</a>.</p>
<h4 id="anupam">Dr. Anupam Saraph</h4>
<p>Anupam Saraph has extensively researched India's UID number, which has been widely regarded as the game changer in development programs. It has come to be linked with both public and private databases and become the requirement for access to entitlements, benefits, services and rights. Dr. Saraph, who has the design of at least two identification programs to his credit, has researched the UID’s functional creep since its inception.</p>
<p>He has been dissecting the myths of what the UID is or is not. He has also tracked the consequences of its linkages on databases that protect national security, sovereignty, democratic status and the entire banking and money system in India. He has also highlighted the implications of its use for targeted delivery of cash subsidies from the Consolidated Fund of India. He has written and lectured widely about the devastating impact of the UID number on development programs, national security and the governability of India.</p>
<p>As a Professor of Systems, Governance and Decision Sciences, Environmental Systems and Business he mentors students and teaches systems, information systems, environmental systems and sustainable development at universities in Europe, Asia and the Americas. He has worked with the Rensselaer Polytechnic Institute, Rijksuniversiteit Groningen, RIVM, University of Edinburgh, Resource Use Institute, Systems Research Institute among others. Dr. Saraph has had the unique distinction of being India’s only person who has held the only office of a City CIO in India, in a PPP arrangement with government, industry and himself. He has also been the first e-governance Advisor to a State government. Dr. Saraph has held CxO and ministerial level positions and serves as an independent director on the boards of Public and Private Sector companies and NGOs. He is also the President of the Nagrik Chetna Manch, an NGO charged with the mission to bring accountability in governance.</p>
<p>Dr. Saraph is also actively engaged in civil society where he participates in several environmental, resource and nature conservation initiatives, has authored draft legislations for river and natural resource conservation, right to good governance and has contributed to governance, election and democratic reforms. Dr. Saraph is a regular columnist in newspapers and writes on issues of governance, future design, technology and education from a systems perspective.</p>
<p>As a future designer and recognized as a global expert on complex systems he helps individuals and organisations understand and design the future of their worlds. Together they address the toughest challenges, accomplish missions and achieve business goals. He also supports building capacity to address the challenges of today as well as to build future designs through teams and effective leadership. Since the eighties Dr. Saraph has modeled complex systems of cities, countries, regions and even the planet. His models have been awarded internationally and even placed in 10-year permanent exhibitions.</p>
<p>Dr Saraph works with business and government executives, civil society leaders, politicians, generals, civil servants, police, trade unionists, community activists, United Nations and ASEAN officials, judges, writers, media, architects, designers, technologists, scientists, entrepreneurs, board members and business leaders of small, mid and large single and trans-national companies, religious leaders and artists across a dozen countries and various industry sectors to help them and their organisations succeed in their missions. He advises the World Economic Forum through its Global Agenda Council for Complex Systems and the Club of Rome, Indian National Association as a founder life member.</p>
<p>Dr Saraph holds a PhD in designing sustainable systems from the faculty of Mathematics and Natural Sciences of the Rijksuniversiteit Groningen, the Netherlands.</p>
<p>Website: <a href="http://anupam.saraph.in/">http://anupam.saraph.in</a>.</p>
<p>Twitter: <a href="https://twitter.com/anupamsaraph">@anupamsaraph</a>.</p>
<h4 id="apar">Mr. Apar Gupta</h4>
<p>Apar Gupta practices law in Delhi. He is also one of the co-founders of the Internet Freedom Foundation. His work and writing on public interest issues can be accessed at his personal website <a href="http://www.apargupta.com/">www.apargupta.com</a>.</p>
<p>Twitter: <a href="https://twitter.com/aparatbar">@aparatbar</a>.</p>
<h4 id="astha">Ms. Astha Kapoor</h4>
<p>Astha Kapoor is a public policy strategy consultant working on financial inclusion and digital payments. Currently, she is working with MicroSave. Her tasks involve a focus on government to people (G2P) payments - and her work spans strategy, advisory and evaluation with the DBT Mission, Office of the Chief Economic Advisor, NITI Aayog and ministries pertaining to food, fuel and fertilizer. She recently designed a pilot to digitize uptake of fertilizers in Krishna district, and evaluated the newly introduced coupon system in the Public Distribution System in Bengaluru.</p>
<p>Twitter: <a href="https://twitter.com/kapoorastha">@kapoorastha</a>.</p>
<h4 id="kritika">Ms. Kritika Bhardwaj</h4>
<p>Kritika Bhardwaj works as a Programme Officer at the Centre for Communication Governance (CCG), National Law University, Delhi. Her main areas of research are privacy and data protection. At CCG, she has written about the privacy implications of several contemporary issues such as Aadhaar (India's unique identification project), cloud computing and the right to be forgotten. A lawyer by training, Kritika has a keen interest in information law and human rights law.</p>
<p>Centre for Communication Governance, NLU Delhi: <a href="http://ccgdelhi.org/">http://ccgdelhi.org</a>.</p>
<p>Twitter: <a href="https://twitter.com/Kritika12">@Kritika12</a>.</p>
<h4 id="matthew">Mr. Matthew Rice</h4>
<p>Matthew Rice is an Advocacy Officer at Privacy International working across the organisation engaging with international partners and strengthening their capacity on communications surveillance issues. He has previously worked at Privacy International as a consultant building the Surveillance Industry Index, the largest publicly available database on the private surveillance sector ever assembled. Matthew graduated from University of Aberdeen with an LLB (Hons.) and also has an MA in Human Rights from University College London.</p>
<p>Privacy International: <a href="https://privacyinternational.org/">https://privacyinternational.org</a>.</p>
<p>Twitter: <a href="https://twitter.com/mattr3">@mattr3</a>.</p>
<h4 id="sandeep">Mr. Sandeep Mertia</h4>
<p>Sandeep Mertia is a Research Associate at The Sarai Programme, Centre for the Study of Developing Societies, Delhi. He is an ICT engineer by training with research interests in Science & Technology Studies, Software Studies
and Anthropology. He is conducting an ethnographic study of emerging modes of data-driven knowledge production in the social sector.</p>
<p>Sarai: <a href="http://sarai.net/">http://sarai.net</a>.</p>
<p>Twitter: <a href="https://twitter.com/SandeepMertia">@SandeepMertia</a>.</p>
<p>Academia: <a href="https://daiict.academia.edu/SandeepMertia">https://daiict.academia.edu/SandeepMertia</a>.</p>
<h4 id="srikanth">Mr. Srikanth Lakshmanan</h4>
<p>Srikanth is a software professional with an interest in the Internet, a follower of Internet policy discussions, and a volunteer for multiple online campaigns related to the Internet. He is also fascinated by FOSS, open data, localization,
Wikipedia, maps, public transit and civic tech, and occasionally contributes to them.</p>
<p>Site: <a href="http://www.srik.me/">http://www.srik.me</a>.</p>
<p>Twitter: <a href="https://twitter.com/logic">@logic</a>.</p>
<h4 id="vipul">Mr. Vipul Kharbanda</h4>
<p>Vipul Kharbanda is a consultant with the Center for Internet and Society, Bangalore. After finishing his BA.LLB.(Hons.) from National Law School of India University in Bangalore, he worked for India’s largest corporate law firm for two and a half years in their Mumbai office for two years working primarily on the financing of various infrastructure projects such as Power Plants, Roads, Airports, etc. Since quitting his corporate law job, Vipul has been working as the Associate Editor in a legal publishing house which has been publishing legal books and journals for the last 90 years in India. He has also been involved with the Center for Internet and Society as a Consultant working primarily on issues related to privacy and surveillance.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016'>http://editors.cis-india.org/internet-governance/events/privacy-after-big-data-delhi-nov-12-2016</a>
</p>
No publisher | sumandro | Data Systems | Digital Governance | Privacy | Data Revolution | Surveillance | Big Data | Digital India | Internet Governance | Big Data for Development | Digital Rights | 2016-11-12T10:14:52Z | Event
Security and Surveillance: A public discussion on Optimizing Security while Safeguarding Human Rights
http://editors.cis-india.org/internet-governance/events/security-and-surveillance-optimizing-security-human-rights
<b>The Centre for Internet and Society (CIS) invites you to a public discussion on optimizing security and safeguarding human rights at its Bangalore office on Friday, December 19th, 2014, 16:00 to 18:00.</b>
<p>The Centre for Internet and Society, in collaboration with Privacy International UK, has undertaken exploratory research into surveillance, security, and the security market in India.</p>
<p><span>Through this research, we hope to understand and document policy and law associated with security, surveillance, and the security market in India and learn about the regulation of security and related technologies such as encryption, filtering, monitoring software, and interception equipment. We also hope to understand the import and export policy regime for dual use technologies.</span></p>
<p><span>Such findings will be critical in creating evidence based research to inform security policy and regulation in India and work towards enabling regulatory frameworks that optimize the nation’s security while protecting the rights of citizens.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/security-and-surveillance-optimizing-security-human-rights'>http://editors.cis-india.org/internet-governance/events/security-and-surveillance-optimizing-security-human-rights</a>
</p>
No publisher | praskrishna | Surveillance | Event | Internet Governance | Privacy | 2014-12-19T08:46:34Z | Event
Indian government to bar politicians from using Gmail for official business
http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business
<b>US-based email services seen as too risky.</b>
<p style="text-align: justify; ">This article by Neil McAllister was <a class="external-link" href="http://www.theregister.co.uk/2013/08/30/india_government_gmail_ban/">published in the Register on August 30, 2013</a>. Sunil Abraham is quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government of India is reportedly planning to bar its employees from using Gmail and other foreign-based email services, amid concerns over surveillance by US spy agencies.</p>
<p style="text-align: justify; ">"Gmail data of Indian users resides in other countries as the servers are located outside," J Satyanarayana, India's secretary of electronics and information technology, <a href="http://timesofindia.indiatimes.com/tech/tech-news/internet/Cyberspying-Government-may-ban-Gmail-for-official-communication/articleshow/22156529.cms" target="_blank">told</a> the <i>Times of India</i>. "Currently, we are looking to address this in the government domain, where there are large amounts of critical data."</p>
<p style="text-align: justify; ">The Indian government currently employs some 500,000 people, many of whom use Gmail for their primary email addresses. A quick glance at the <a href="http://deity.gov.in/content/people-and-offices" target="_blank">contact page</a> for the country's Department of Electronics and Information Technology reveals at least eight senior officials using Gmail, and still others with Yahoo! addresses.</p>
<p style="text-align: justify; ">Under the new directive, government employees will be asked to stick to official email addresses provided by India's National Informatics Centre (NIC). But an unnamed senior government IT official told the <i>Times of India</i> that many government workers choose Gmail and other foreign services because they are easier to use, and setting up accounts is much faster than working within the bureaucratic process of the NIC.</p>
<p style="text-align: justify; ">The move toward locally run email for Indian government workers comes in the wake of a string of revelations from documents leaked by Edward Snowden. Among the recent disclosures have been details of US electronic surveillance of foreign governments on US soil, where the National Security Agency even went as far as to snoop encrypted communications from <a href="http://www.theregister.co.uk/2013/08/27/un_to_question_us_on_nsa/">United Nations headquarters</a> in New York City.</p>
<p style="text-align: justify; ">No doubt equally concerning was a motion filed by Google in a US district court earlier this month, in which the Chocolate Factory <a href="http://www.theregister.co.uk/2013/08/14/google_cloud_users_have_no_legitimate_expectation_of_privacy/">asserted</a> that "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" such as Gmail.</p>
<p style="text-align: justify; ">But Sunil Abraham of the Bangalore-based think tank the Centre for Internet and Society said that foreign spying wasn't the only reason why government officials should be required to use a homegrown email.</p>
<p style="text-align: justify; ">"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives," Abraham told the paper. "Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."</p>
<p style="text-align: justify; ">When contacted for comment, a spokeswoman for Google India said the company had not been informed of the proposed ban, adding, "Nothing is documented so far, so for us, it is still speculation." ®</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business'>http://editors.cis-india.org/internet-governance/news/the-register-neil-mc-allister-august-30-2013-indian-govt-to-bar-politicians-from-using-gmail-for-official-business</a>
</p>
No publisher | praskrishna | Internet Governance | Surveillance | 2013-09-05T09:52:17Z | Blog Entry
How Aadhaar compromises privacy? And how to fix it?
http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it
<b>Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens. </b>
<p style="text-align: justify; ">The op-ed was published in the <a class="external-link" href="http://www.thehindu.com/opinion/op-ed/is-aadhaar-a-breach-of-privacy/article17745615.ece">Hindu</a> on March 31, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.</p>
<p style="text-align: justify; "><b>Shift from biometrics to smart cards:</b><span> In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.</span></p>
<p style="text-align: justify; "><b>Destroy the authentication transaction database:</b><span> The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.</span></p>
<p style="text-align: justify; "><b>Prohibit the use of Aadhaar number in other databases:</b><span> We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement in most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.</span></p>
<p style="text-align: justify; "><span>To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it'>http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it</a>
</p>
No publisher | sunil | Surveillance | Aadhaar | Internet Governance | Privacy | 2017-04-01T07:00:06Z | Blog Entry
Communication Rights in the Age of Digital Technology
http://editors.cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology
<b>The Centre for Internet & Society (CIS) invites you to a conference to discuss the evolution of privacy and surveillance in India on Friday, October 30, 2015 at Deck Suite Hall, 5th Floor, Habitat Centre, Lodhi Road, Near Air Force Bal Bharti School, New Delhi - 110003, from 11 a.m. to 5 p.m.</b>
<p>The conference will be conducted in a round-table format. Topics to be discussed shall include, among others, the Human DNA Profiling Bill, 2012, the PIL questioning the data collection under the UID scheme, the draft National Encryption Policy and the Supreme Court judgement in Shreya Singhal v. Union of India, in the context of privacy and surveillance in India. The conference will be a forum for discussion, knowledge exchange and agenda building.</p>
<hr />
<h3 style="text-align: justify; ">Background Note</h3>
<p style="text-align: justify; ">In India, the Right to Privacy has been interpreted to mean an individual’s right to be left alone. In the age of massive use of Information and Communications Technology, it has become imperative to have this right protected. The Supreme Court has held in a number of its decisions that the right to privacy is implicit in the fundamental right to life and personal liberty under Article 21 of the Indian Constitution, though Part III does not explicitly mention this right. Since the 1960s, the Apex Court has been dealing with this issue, primarily with respect to privacy being recognised as a fundamental or common law right and the standards that need to be satisfied in order to impose any restrictions on it.</p>
<p style="text-align: justify; ">In the year 2012, the Planning Commission constituted a Group of Experts under the chairmanship of Justice AP Shah, Former Chief Justice of the Delhi High Court, to recommend a <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">potential privacy framework</a> for India. Previously, in 2011, the Department of Personnel and Training had prepared a <a href="https://bourgeoisinspirations.files.wordpress.com/2010/03/draft_right-to-privacy.pdf">draft Bill on Right to Privacy</a> which has yet to materialize into a comprehensive legislation on privacy. In 2014, a version of the revised Right to Privacy Bill was <a href="http://cis-india.org/internet-governance/blog/leaked-privacy-bill-2014-v-2011">leaked</a>. Amendments to the Bill aim to protect individuals against misuse of their data by the government or private agencies, and the Bill is in the process of being <a href="http://www.newindianexpress.com/nation/Centre-Giving-Final-Touches-to-Right-to-Privacy-Bill/2015/03/17/article2717271.ece">finalized by the Indian Government</a>.</p>
<p style="text-align: justify; ">Of late, privacy concerns have gained importance in India due to the initiation of national programmes like the UID Scheme, DNA Profiling, the National Encryption Policy, etc. attracting criticism for their impact on the right to privacy. For example, DeitY introduced a draft National Encryption Policy in September this year to prescribe methods for encryption. However, the policy would have posed significant restriction on the ability of citizens to encrypt online communication. Backlash from the citizens, industry, social media and privacy experts led the Government to withdraw the policy as the measures included made the information system vulnerable in every sense.</p>
<p style="text-align: justify; ">Earlier this year, the Apex Court gave a <a href="http://supremecourtofindia.nic.in/FileServer/2015-03-24_1427183283.pdf">historical judgement</a> by striking down section 66A of the IT (Amendment) Act 2008. The Court upheld section 69A and the Information Technology (Procedure &amp; Safeguards for Blocking for Access of Information by Public) Rules 2009 to be constitutionally valid, which accords the government with the authority to block transmission of information and websites when it deems it as necessary for reasons like sovereignty and integrity of India, public order, etc.</p>
<p style="text-align: justify; ">Another government initiative which has generated considerable controversy for its threat to privacy is the UID project which aims to issue a unique identification number to all citizens by the Unique Identification Authority of India, which can be authenticated and verified online. In August this year, the Supreme Court, <a href="http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841">vide an interim order</a>, restricted the use of Aadhaar by declaring it to be optional for availing government benefits and services. Though the Government contended the right to privacy as a fundamental right in India, the Court deferred this issue to a larger Constitutional Bench, and the Supreme Court upheld its decision yet again in the month of October.</p>
<p style="text-align: justify; ">Similarly, the <a href="http://www.dbtindia.nic.in/wp-content/uploads/Human-DNA-Profiling-Bill.pdf">draft Human DNA Profiling Bill 2015</a> is being questioned on grounds of privacy invasion on a massive scale as it aims to collect and store the DNA samples of criminals, suspects, volunteers, and victims and regulate DNA laboratories and DNA sampling for use by law enforcement agencies. The Bill also fails to include comprehensive privacy safeguards and provisions regarding collection of DNA samples with or without the consent of an individual, making individual privacy an important concern.</p>
<p style="text-align: justify; ">Going by these ongoing debates, one can say that privacy as a right has primarily evolved by way of judicial interpretation and continues to evolve in light of several controversial Government policies, projects and schemes. However, its development is often undermined by tension between several competing national interests, which calls for clear guidelines to protect this inviolable right of the citizens.</p>
<hr />
<h3><a href="http://editors.cis-india.org/internet-governance/blog/gsma-conference-invite.pdf" class="internal-link"><b>Download the Invite</b></a></h3>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology'>http://editors.cis-india.org/internet-governance/events/communication-rights-in-the-age-of-digital-technology</a>
</p>
No publisher | rakesh | Surveillance | Event | Internet Governance | Privacy | 2015-10-24T07:45:26Z | Event
Counter Surveillance Panel: DiscoTech & Hackathon
http://editors.cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon
<b>We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renowned information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity", at 5.00 p.m.</b>
<h2>Overview</h2>
<p style="text-align: justify; ">Mirroring the call by MIT Civic Media Lab <a href="http://codesign.mit.edu/discotechs/">Co-Design Studio</a>, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of <a href="http://codesign.mit.edu/discotechs/">DiscoTech</a> (Discovering Technology).</p>
<h2 style="text-align: justify; ">Agenda</h2>
<p class="Default" style="text-align: justify; ">We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renowned information activist and maker lab innovator <a href="http://en.wikipedia.org/wiki/Sm%C3%A1ri_McCarthy"><b>Smari McCarthy</b></a>, titled "<b>Privacy for Humanity</b>", at 5.00 p.m.</p>
<h3 class="Default" style="text-align: justify; ">Introductory Catalyst Sessions</h3>
<ul>
<li style="text-align: justify; "><b>Malavika Jayaram</b>: Fellow at <a class="external-link" href="http://cyber.law.harvard.edu/people/mjayaram">Berkman Center for Internet and Society at Harvard University</a> and the <a class="external-link" href="http://www.cis-india.org/">Centre for Internet and Society, Bangalore</a></li>
<li style="text-align: justify; "><b>Laird Brown</b>: DesiSec Project at the <a href="http://editors.cis-india.org/" class="external-link">Centre for Internet and Society, Bangalore</a> and University of Toronto</li>
<li style="text-align: justify; "><b>Kaustubh Srikant</b>: Head of Technology, <a class="external-link" href="https://tacticaltech.org/kaustubh-srikanth-head-technology">Tactical Technology Collective</a> and <b>Maya Indira Ganesh</b> (Program Director)</li>
<li style="text-align: justify; "><b>Abhay Raj Naik</b>: Assistant Professor,<a class="external-link" href="http://www.azimpremjiuniversity.edu.in/abhayraj-naik"> Azim Premji University</a></li>
</ul>
<h3>Design and Hackathon Lead Catalysts</h3>
<ul>
<li style="text-align: justify; "><a href="http://hackteria.org/?p=278"><b>Yashas Shetty</b></a>: Faculty @ <a href="http://www.srishti.ac.in/">www.srishti.ac.in</a> and Co-Founder, <a href="http://www.hackteria.org/">Hackteria.org</a> (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)</li>
<li style="text-align: justify; "><b>Hari Dilip Kumar</b>: Co-Founder, <a class="external-link" href="http://www.fluxgentech.com/people">FluxGen</a> (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection)</li>
<li style="text-align: justify; "><b>Sharath Chandra Ram</b>: Researcher @ CIS <a class="external-link" href="http://dorkbot.org/dorkbotbangalore/">Open Lab</a> and Faculty @ <a class="external-link" href="http://www.srishti.ac.in/">Srishti</a> (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)</li>
</ul>
<h3 style="text-align: justify; ">Featured Talk and Interactive Closing Session by <a class="external-link" href="http://en.wikipedia.org/wiki/Sm%C3%A1ri_McCarthy">Smari McCarthy</a></h3>
<p style="text-align: justify; "><b>(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)</b></p>
<p class="callout" style="text-align: justify; "><b>Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.</b></p>
<hr />
<p><b><a href="http://editors.cis-india.org/internet-governance/blog/counter-surveillance.pdf" class="internal-link">Click to download the flyer invite</a></b><br />Date: Saturday, March 1, 2014<br />Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)<br />Venue: Centre for Internet and Society, Bangalore<br />Map: <a href="http://bit.ly/1fcDDLG">http://bit.ly/1fcDDLG</a><br /><a href="mailto:sharath@cis-india.org"><br /></a><i>Please RSVP due to limited space and logistics for lunch and refreshments</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon'>http://editors.cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon</a>
</p>
No publisher | praskrishna | Surveillance | Event | Internet Governance | Privacy | 2014-02-28T05:36:15Z | Event
Spreadsheet data on sample of 50 security companies
http://editors.cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies'>http://editors.cis-india.org/internet-governance/blog/data-on-surveillance-technology-companies</a>
</p>
No publisher | maria | Internet Governance | Surveillance | 2014-02-28T16:13:39Z | File
Are we Losing the Right to Privacy and Freedom of Speech on Indian Internet?
http://editors.cis-india.org/internet-governance/blog/dna-amber-sinha-march-10-2016-are-we-losing-right-to-privacy-and-freedom-of-speech-on-indian-internet
<b>The article was published in DNA on March 10, 2016.</b>
<p style="text-align: justify; ">Last month, it was reported that the National Security Council Secretariat (NSCS) had proposed the <a href="http://www.dnaindia.com/scitech/report-watch-what-you-post-soon-govt-to-install-media-cell-to-track-counter-negative-content-online-2181460"><strong><span style="text-decoration: underline;">setting up of a National Media Analytics Centre</span></strong></a> (NMAC). This centre’s mandate would be to monitor blogs, media channels, news outlets and social media platforms. Sources were quoted as stating that the centre would rely upon tracking software built by Ponnurangam Kumaraguru, an Assistant Professor at the Indraprastha Institute of Information Technology in Delhi. The NMAC seems to mirror similar efforts in countries such as the <strong><a rel="nofollow" href="https://www.govtrack.us/congress/bills/114/hr3654/text" target="_blank"><span style="text-decoration: underline;">US</span></a></strong>, <strong><a rel="nofollow" href="https://www.thestar.com/news/canada/2013/11/29/social_media_to_be_monitored_by_federal_government.html" target="_blank"><span style="text-decoration: underline;">Canada</span></a></strong>, <strong><a rel="nofollow" href="http://www.smh.com.au/technology/technology-news/data-retention-and-the-end-of-australians-digital-privacy-20150827-gj96kq.html" target="_blank"><span style="text-decoration: underline;">Australia</span></a></strong> and the <strong><a rel="nofollow" href="http://www.independent.co.uk/news/uk/politics/government-awards-contracts-to-monitor-social-media-and-give-whitehall-real-time-updates-on-public-10298255.html" target="_blank"><span style="text-decoration: underline;">UK</span></a></strong> to monitor online content for reasons as varied as prevention of terrorist activities, disaster relief and criminal investigation.</p>
<p style="text-align: justify; ">The NSCS, the parent body that this centre will fall under, is a part of the National Security Council, India’s highest agency looking to integrate policy-making and intelligence analysis, and advising the Prime Minister’s Office on strategic issues as well as domestic and international threats. The NSCS represents the Joint Intelligence Committee and its duties include the assessment of intelligence from the Intelligence Bureau, Research and Analysis Wing (R&AW) and Directorates of Military, Air and Naval Intelligence, and the coordination of the functioning of intelligence agencies.</p>
<p style="text-align: justify; ">From limited reports available, it appears that the tracking software used by NMAC will generate tags to classify posts and comments on social media into negative, positive and neutral categories, paying special attention to “belligerent” comments. The reports say that the software will also try to determine if the comments are factually correct or not. The idea of a government agency systematically tracking social media, blogs and news outlets and categorising content as desirable and undesirable is bound to create a chilling effect on free speech online. The most disturbing part of the report suggested that the past pattern of a writer’s posts would be analysed to see how often her posts fell under the negative category, and whether she was attempting to create trouble or disturbance, and appropriate feedback would be sent to security agencies based on it. Viewed alongside the recent events where actors critical of the government and holding divergent views have expressed concerns about attempts to suppress dissenting opinions, this initiative sounds even more dangerous, putting at risk individuals categorised as “negative” or “belligerent”, for exercising their constitutionally protected right to free speech.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy2_of_FB.jpg" alt="FB" class="image-inline" title="FB" /></p>
<p style="text-align: justify; "><i>Getty Images</i></p>
<p style="text-align: justify; ">It has been argued that the Internet is a public space, and should be treated as subject to monitoring by the government as any other space. Further, this kind of analysis does not concern itself with private communication between two or more parties but only with publicly available information. Why must we raise eyebrows if the government is accessing and analysing it for the purposes of legitimate state interests? There are two problems with this argument. First, any surveillance of communication must always be limited in scope, specific to individuals, necessary and proportionate, and subject to oversight. There are no laws passed by the Parliament in India which allow for mass surveillance measures. Such activities are being conducted through bodies like the NSC, which came into existence through an Executive Order and have no clear oversight mechanisms built into their functioning. A quick look at the history of intelligence and surveillance agencies in India will show that none of them have been created through legislation. A host of surveillance agencies have come up in the last few years including the Central Monitoring System, which was set up to monitor telecommunications, and the absence of legislative pedigree translates into lack of appropriate controls and safeguards, and zero public accountability.</p>
<p style="text-align: justify; ">The second and the larger issue is that the scale and level of granularity of personal information available now is unprecedented. Earlier, our communications with friends and acquaintances, our movements, our associations, political or otherwise, were not observable in the manner they are today. It would be remiss to underestimate the importance of personal information merely because it exists in the public domain. The ability to act without being subject to monitoring and surveillance is key to the right to free speech and expression. While we accept the importance of free speech and the value of an open internet and newer technologies to enable it, we do not give sufficient importance to how these technologies are affecting the right to privacy.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweets.jpg" alt="Tweets" class="image-inline" title="Tweets" /></p>
<p style="text-align: justify; "><i>Getty Images</i></p>
<p style="text-align: justify; ">In the last few years, the social media scene in India has been characterised by extreme polemic with epithets such as ‘bhakt’, ‘sanghi’, ‘sickular’ and ‘presstitutes’ thrown around liberally, turning political discussions into a mess of ugliness. It remains to be seen whether the NMAC intends to deal with the professional trolls who rely on a barrage of abuse to disrupt public conversations online. However, the appropriate response would not be greater surveillance, let alone a body like NMAC, with a sweeping mandate and little accountability.</p>
<p style="text-align: justify; ">Link to the original <a class="external-link" href="http://www.dnaindia.com/scitech/column-are-we-losing-the-right-to-privacy-and-freedom-of-speech-on-indian-internet-2187527">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/dna-amber-sinha-march-10-2016-are-we-losing-right-to-privacy-and-freedom-of-speech-on-indian-internet'>http://editors.cis-india.org/internet-governance/blog/dna-amber-sinha-march-10-2016-are-we-losing-right-to-privacy-and-freedom-of-speech-on-indian-internet</a>
</p>
No publisher | Amber Sinha | Freedom of Speech and Expression | Surveillance | Internet Governance | Privacy | 2016-03-16T14:44:19Z | Blog Entry