Internet Governance Blog

by kaeru — last modified Oct 18, 2011 06:40 AM

Peering behind the veil of ICANN's DIDP (II)

Posted by Padmini Baruah at Oct 15, 2015 03:14 AM |
Filed under: ,

In a previous blog post, I had introduced the concept of ICANN’s Documentary Information Disclosure Policy (“DIDP”) and their extremely vast grounds for non-disclosure. In this short post, I have made an analysis of every DIDP request that ICANN has ever responded to, to point out the flaws in their policy that need to be urgently remedied.

Read More…

Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India

The European Court of Justice has invalidated a European Commission decision, which had previously concluded that the 'Safe Harbour Privacy Principles' provide adequate protections for European citizens’ privacy rights for the transfer of personal data between European Union and United States. The inadequacies of the framework is not news for the European Commission and action by ECJ has been a long time coming. The ruling raises important questions about how the claims of citizenship are being negotiated in the context of the internet, and how increasingly the contestations of personal data are being employed in the discourse.

Read More…

Hits and Misses With the Draft Encryption Policy

Posted by Sunil Abraham at Sep 26, 2015 04:46 PM |

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

Read More…

Open Governance and Privacy in a Post-Snowden World : Webinar

Posted by Vanya Rakesh at Sep 26, 2015 08:00 AM |

On 10th September 2015, the OGP Support Unit, the Open Government Guide, and the World Bank held a webinar on “Open Governance and Privacy in a Post-Snowden World” presented by Carly Nyst, Independent consultant and former Legal Director of Privacy International and Javier Ruiz, Policy Director of Open Rights Group. This is a summary of the key issues that were discussed by the speakers and the participants.

Read More…

Peering behind the veil of ICANN’s DIDP (I)

Posted by Padmini Baruah at Sep 21, 2015 02:35 AM |
Filed under: ,

One of the key elements of the process of enhancing democracy and furthering transparency in any institution which holds power is open access to information for all the stakeholders. This is critical to ensure that there is accountability for the actions of those in charge of a body which utilises public funds and carries out functions in the public interest.

Read More…

Sustainable Smart Cities India Conference 2015, Bangalore

Posted by Vanya Rakesh at Sep 21, 2015 02:24 AM |
Filed under:

Nispana Innovative Platforms organized a Sustainable Smart Cities India Conference 2015, in Bangalore on 3rd and 4th September, 2015. The event saw participation from people across various sectors including Government Representatives from Ministries, Municipalities, Regulatory Authorities, as well as Project Management Companies, Engineers, Architects, Consultants, Handpicked Technology Solution Providers and Researchers. National and International experts and stakeholders were also present to discuss the opportunities and challenges in creating smart and responsible cities as well as citizens, and creating a roadmap for converting the smart cities vision into a reality that is best suited for India.

Read More…

DIDP Request #12: Revenues

Posted by Aditya Garg at Sep 14, 2015 03:32 PM |
Filed under: ,

The Centre for Internet & Society (CIS) sought information from ICANN on their revenue streams by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

Read More…

DIDP Request #11: NETmundial Principles

Posted by Aditya Garg at Sep 14, 2015 03:08 PM |
Filed under: ,

The Centre for Internet & Society (CIS) followed up on the implementation of the NETmundial Principles that ICANN has been endorsing by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

Read More…

CIS Submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations

Posted by Pranesh Prakash at Sep 13, 2015 05:00 PM |
Filed under: ,

The Centre for Internet & Society (CIS) submitted the below to ICANN's CCWG-Accountability.

Read More…

Human DNA Profiling Bill 2012 v/s 2015 Bill

Posted by Vanya Rakesh at Sep 06, 2015 02:10 PM |

This entry analyses the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill

Read More…

Data Flow in the Unique Identification Scheme of India

Posted by Vidushi Marda at Sep 03, 2015 05:02 PM |

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Read More…

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

Posted by Pranesh Prakash at Aug 30, 2015 02:00 AM |

This proposal was made to the Global Multistakeholder Community on August 9, 2015. The proposal was drafted by Pranesh Prakash and Jyoti Panday. The research assistance was provided by Padmini Baruah, Vidushi Marda, and inputs from Sunil Abraham.

Read More…

Supreme Court Order is a Good Start, but is Seeding Necessary?

Posted by Elonnai Hickok and Rohan George at Aug 29, 2015 09:00 PM |

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Read More…

Are we Throwing our Data Protection Regimes under the Bus?

Posted by Rohan George at Aug 29, 2015 12:00 PM |
Filed under:

In this blog post Rohan examines why the principle of consent is providing us increasingly less of an aegis in protecting our data.

Read More…

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015

Posted by Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh at Aug 27, 2015 12:00 AM |

The Centre for Internet & Society (CIS) submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015.

Read More…

Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data

Posted by Vanya Rakesh at Aug 26, 2015 05:00 PM |
Filed under:

The Responsible Data Forum initiated a discussion on 26th August 2015 to discuss the risks and mitigations of releasing data.

The discussion was regarding the question of adoption of adequate measures to mitigate risks to people and communities when some data is prepared to be released or for sharing purposes.

The following concerns entailed the discussion:

  • What is risk- risks in releasing development data and PII
  • What kinds of risks are there
  • Risk to whom?
  • Risks in dealing with PII, discussed by way of several examples
  • What is missing from the world

The first thing to be done is that if a dataset is made, then you have the responsibility that no harm is caused to the people who are connected to the dataset and a balance must be created between good use of the data on one hand and protecting data subjects, sources and managers on the other.

To answer what is risk, it was defined to be the “probability of something happening multiplied by the resulting cost or benefit if it does” (Oxford English Dictionary). So it is based on cost/benefit, probability, and a subject. For probability, all possible risks must be considered and work in terms of how much harm would happen and how likely that is about to happen. These issues must be considered necessarily.

An example in this context was that of the Syrian government where the bakeries were targeted as the bombers knew where the bakeries are, making them easy targets. It was discussed how in this backdrop of secure data release mechanism, local context is an important issue.

Another example of bad practice was the leak of information in the Ashley Madison case wherein several people have committed suicide.

  • Kinds of risk:
  1. physical harm:

The next point of discussion was regarding kinds of the physical risks to data subjects when there is release/sharing of data related to them. Some of them were:

  1. i.  security issues
  2. ii. hate speech
  3. iii. voter issues
  4. iv. police action

Hence PII goes both ways- where some choose to run the risk of PII being identified; on the other hand some run the risk of being identified as the releaser of information.

  1. Legal harms- to explain what can be legal harms posed in releasing or sharing data, an example was discussed of an image marking exercise of a military camp wherein people joined in, marked military equipment and discovered people who are from that country.
  2. Reputational harm as an organization primarily.
  3. Privacy breach- which can lead to all sorts of harms.
  • Risk to whom?

Data subjects – this includes:

  1. i.  Data collectors
  2. ii. Data processing team
  3. iii. Person releasing the data
  4. iv. Person using the data

Also, the likely hood of risk ranges from low, medium and high. We as a community are at a risk at worse.

  • PII:

- Any data which can be used to identify any specific individual. Such information does not only include names, addresses or phone numbers but could also be data sets that don’t in themselves identify an individual.

For example, in some places sharing of social security number is required for HIV+ status check-up; hence, one needs to be aware of the environment of data sets that go into it. In another situation where there is a small population and there is a need to identify people of a street, village or town for the purpose of religion, then even this data set can put them to risk.

Hence, awareness with respect to the demographics is important to ascertain how many people reside in that place, be aware of the environment and accordingly decide what data set must be made.

- Another way to mitigate risks at the time of release/sharing of data is partial release only to some groups, like for the purpose of academics or to data subjects.

- Different examples were discussed to identify how release of data irresponsibly has affected the data subjects and there is a need to work to mitigate harms caused in such cases.

Example- in the New York City taxi case data about every taxi ride was released-including pickup and drop locations, times, fares. Here it becomes more problematic if someone is visiting strip clubs, then re-identification takes place and this necessitates protection of people against such insinuation.

This shows how data sets can lead to re-identification, even when it is not required. Hence, the involved actors must understand the responsibilities when engaging in data collection or release and accordingly mitigate the risks so associated.

- A concern was raised over collection and processing of the information of genetic diseases of a small population since practically it is not possible to guarantee that the information of data subjects to whom the data relates will not be released or exposed or it won’t be re-identifiable. Though best efforts would be made by experts, however, realistically, it is not possible to guarantee people that they will not be identified. So the question of informing people of such risks is highly crucial. It is suggested that one way of mitigating risks is involving the people and letting them know. Awareness regarding potential impact by breach of data or identification is very important.

- Another factor for consideration is the context in which the information was collected. The context for collection of data seems to change over a period of time. For example, many human rights funders want information on their websites changed or removed in the backdrop of changing contexts, circumstances and situation. In this case also, the collection and release of data and the risks associated become important due to changing contexts.

  • What is missing from the world?

Though recognition of risks has been done and is an ongoing process, what is missing from the world are uniform guidelines, rules or law. There are no policies for informed consent or for any means to mitigate risks collectively in a uniform manner. There must be adoption of principles of necessity, proportionality and informed consent.

The seedy underbelly of revenge porn

Posted by Prasad Krishna at Aug 23, 2015 03:00 PM |

Intimate photos posted by angry exes are becoming part of an expanding online body of dirty work.

Read More…

Security: Privacy, Transparency and Technology

Posted by Sunil Abraham at Aug 19, 2015 02:30 AM |

The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.

Read More…

A Review of the Policy Debate around Big Data and Internet of Things

Posted by Elonnai Hickok at Aug 17, 2015 08:36 AM |

This blog post seeks to review and understand how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things (IoT) from a policy perspective.

Read More…

Right to Privacy in Peril

Posted by Vipul Kharbanda at Aug 13, 2015 03:32 PM |

It seems to have become quite a fad, especially amongst journalists, to use this headline and claim that the right to privacy which we consider so inherent to our being, is under attack. However, when I use this heading in this piece I am not referring to the rampant illegal surveillance being done by the government, or the widely reported recent raids on consenting (unmarried) adults who were staying in hotel rooms in Mumbai. I am talking about the fact that the Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist.

Read More…

Document Actions

Filed under: