Centre for Internet and Society

Study Tour on Big Data and Privacy

praskrishna — 2016-09-22T23:23:04Z

For more details visit http://editors.cis-india.org/internet-governance/files/study-tour-big-data-privacy.pdf

Law and Economy Policy Conference 2016 (LEPC - 2016)

praskrishna — 2016-09-22T01:48:08Z

The National Institute of Public Finance and Policy (NIPFP) in collaboration with the Institute of New Economic Thinking (INET) is organising India’s first “Law Economics Policy Conference (LEPC-2016)”. The aim is to bring together legal, economic and policy thinkers to consider policy issues in a holistic manner.

The conference is guided by an eminent Steering Committee constituting Mr. Bahram Vakil (Senior Partner, AZB & Partners), Justice B.N. Srikrishna (Former Judge, Supreme Court of India), Prof. Rathin Roy (Director, NIPFP), Mr. Somasekhar Sundaresan (Advocate, Independent Legal Counsel), Mr. Rajeev Kapoor (Director, Lal Bahadur Shastri National Academy of Administration), Ms. Sunanda Nair (Director, INET) and Prof. Ajay Shah (Professor, NIPFP).

The conference will be organized from September 28 to 30, 2016 at India Habitat Centre, Lodhi Road, New Delhi. The draft programme is available here. Keynote Speech will be given by Shri Arun Jaitley - Honourable Minister of Finance, Government of India. Sunil Abraham will be serving as a discussant on the "Towards a privacy framework for India" session of this conference.

For more information, log on to Macro/Finance Group: Meetings

For more details visit http://editors.cis-india.org/a2k/news/law-and-economy-policy-conference-2016

Law Economics Policy Conference

praskrishna — 2016-09-22T01:41:51Z

For more details visit http://editors.cis-india.org/a2k/blogs/law-economics-policy-conference

Tulu Wikipedia Goes 'Live' after 8 Years on Incubator

praskrishna — 2016-09-22T01:33:29Z

Eight years after being created in the Wikimedia Incubator, the Tulu-language Wikipedia is now live as the 23rd Indic language.

The Tulu Wikipedia page is available here. The project has a total of 1285 articles contributed by 198 editors.

Other news in brief:

Ongoing India At Rio Olympics 2016 Edit-a-thon promises to plant one tree for every 20 new articles created.
Wiki Loves Monuments returns to India after three years.
WikiConference India 2016, the largest Wikimedia community gathering of the year in South Asia comes to an end.
Ashutosh Sarangi , the youngest Wikimedian from the oldest Indian-language Wikipedia community.

“Made in India” Innovation Policy

praskrishna — 2016-09-22T01:15:40Z

In this post they emphasize upon the need for data-driven IP policy making in India.

This blog post written by Prof Collen Chien and Prof Contreras, and published this week (September 19, 2016) on SpicyIP mentions CIS' patent landscaping study.

A few weeks ago we were honored to participate in Jindal Global Law School’s Conference on “Innovation for Shared Prosperity”. Much of the conversation was centered on the important topic of how intellectual property (IP) policy can best support manufacturing and entrepreneurship initiatives like the “Startup India” and “Make in India”. In turn, we believe it’s also important to think about how best to foster IP policies that are truly “made in India”. In light of India’s history of implementing certain IP policies because it had to, not because it wanted to, for example recent homegrown commitments to strengthen the patent system by reducing the time to patent are notable.

The record is already replete with examples of indigenous innovation by Indian policymakers. Whether section 3(d), Form 27 patent working disclosures, or the “Middle Path” approach to requiring deposits in standards essential patent disputes – agree or disagree with them, these Indian approaches to innovation policy are themselves innovative.

But one problem that we have observed is that the data available to develop and evaluate Indian IP policies tends to be thin. With respect to patents, for example, it is hard to access patent records, as there are often long delays before patent applications, patent working disclosures and other documents are uploaded to the Indian Patent Office (IPO) web site, notwithstanding statutory requirements and IPO policies. While there have been some published reports of cases and published decisions (Mathur 2007, Ghosh 2012), it is generally hard, as it is in other jurisdictions, to match patent filings to them to court filings, assignment records, citations, prior art and other metrics of interest. This isn’t true just of India but many other countries. But to support world class, data-driven policy making, support for analytical work, combined with data access, is needed. This is particularly important given the demonstrated gap between rules on the books, which may appear harmonized, and rules in practice, which are not.

In developing policy, it is often useful to start with the ultimate policy goal – whether it be further improving the country’s ranking on the Innovation Index or taking a place at the international standard setting table – and then developing data-based metrics to demonstrate progress toward that goal. The assumptions behind conflicting policy positions can then be tested and vetted against actual experience within the Indian setting. It is through these processes that a “made in India” innovation policy will be truly indigenous, reflecting not only political mandates and theories, but the demonstrated experience of India’s technical, business, and legal communities.

Historically, there have been relatively few empirical studies to support data-based policy making. In the non-exhaustive list below, we highlight several studies and reports (some our own) that demonstrate the usefulness and power of empirical data:

One topic about which there have been an exceptional number of empirical studies is the Indian pharmaceutical sector. Duggan and collaborators (2012, 2014) studied the relationship between drug prices and pharmaceutical patent issuances in India, and Lanjouw and Cockburn (2000) and Nandkumar and Srikanth (2011) explored the relationship between Indian patent issuance and strength and R&D spending. Recently Sampat and Shadlen have found that policies to discourage so-called “secondary” drug patents in India and Brazil have had little direct effect.

With the initiation by foreign patent holders a few years ago of infringement suits against a variety of domestic Indian and Chinese smartphone manufacturers, many wondered how much of the Indian mobile device patent landscape was already in the hands of foreign companies. Contreras, together with Rohini Lakshané of the Centre for Internet and Society, conducted a study to find out. Their results were telling: of approximately 23,500 total Indian patents and published patent applications in the mobile device sector, only 50, about 0.00% were owned by Indian companies. It is hoped that this eye-opening result will help mobilize Indian firms and policy makers to address the lack of Indian participation in international technology standardization efforts.

WIPO publishes statistics yearly about India’s relative rank with respect to a number of innovation metrics. While many are aware that India ranked 66th in this year’s Global Innovation Index, up 15 places from 2015 (Switzerland ranked 1st), WIPO’s 2015 IP indicators report contains other findings: that India ranks in the top 15 globally in terms of patent filing activity, that non-residents are using the Indian Patent Office more heavily than are residents (Fig. 2, p. 23) and that recent filings have been dominated by computer technology, organic fine chemistry and pharmaceuticals. Others have relied on WIPO statistics to compare India’s performance with that of China and other BRIC countries.

India is by nature an innovative nation. Its innovative spirit manifests itself both in terms of technology creation as well as policy development. Nevertheless, without robust, reproducible and broadly accessible data, policy decisions will continue to be based on intuition, guesswork and partisan advocacy by those having the most to gain from the system. We encourage the Indian government and academy to continue to devote resources to develop a robust data culture within the Indian intellectual property community and to make the underlying data as widely available as quickly as possible.

For more details visit http://editors.cis-india.org/a2k/news/spicy-ip-september-19-2016-prof-colleen-v-chien-and-prof-jorge-l-contreras-made-in-india-innovation-policy

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit http://editors.cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

India's Aadhaar mandate for smartphone makers may rile global firms

praskrishna — 2016-09-15T02:25:31Z

They are unlikely to oblige to request to make changes in their operating system and devices to ensure Aadhaar authentication is done securely on smartphones.

The article by Alnoor Peermohammed was published in the Business Standard on September 14, 2016. Sunil Abraham was quoted.

India is asking global smartphone makers such asApple and Google to adopt locally designed standards on their devices or operating systems that would allow use of biometric scanners for Aadhaarauthentication, a move that could face resistance from global firms.

Apple, the world’s largest smartphone maker runs its own iOS closed ecosystem and mandates apps built by developers to be certified by the company. Its closest rival Google, which owns the Android operating software that runs on nine out of ten smartphones in India, has directives for device makers to comply with. Firms such as Samsung, Lenovo and Micromax build smartphones on the Android OS that are sold in India.

Most global companies are unlikely to oblige India’s request that would require to make changes in their operating system and devices to ensure Aadhaarauthentication is done securely on smartphones, say analysts.

“There is no clarity so far. As of now, it is impossible that they (global smartphone makers) would oblige for a hardware safe zone baked on the sensors,” says Sunil Abraham, executive director at Centre for Internet and Society, a Bengaluru-based researcher that works on emerging technologies. “Because the biometrics contain sensitive personal information, they (UIDAI) don’t want anybody — vmobile manufacturer, OS vendor, telco or ISP — to intercept it”.

India is hoping that global firms would accept the country’s plea considering that most of India’s population use a mobile phone as their only computing device and need them to authenticate on Aadhaar for using government and banking services.

“Right now we’re in consultation with all these device manufacturers as well as the operating system vendors,” said Ajay Bhushan Pandey, Director General of the Unique Identification Authority of India (UIDAI) in a phone interview. “Basically we’re trying to evolve our system wherein a manufacturer or the devices where those operating systems are being used will have a facility where Aadhaar authentication can be made possible in a secure manner.”

India has over 105 crore people or 98% of adult population with Aadhaar. Most government and private organisations use Aadhaar authentication to issue services or products such as opening a bank account, getting a ration card or buying a mobile connection.

Reliance plans to reduce paperwork and issue connections in less than an hour usingAadhaar and try to get its 100 million target market sooner.

Over a fifth of India’s one billion users own smartphones and as the country sees better mobile internet access, more people are expected to upgrade to smartphones and use apps to access their banks to transfer funds, do online shopping and access government services.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohammed-september-14-2016-indias-aadhaar-mandate-for-smartphone-makers-may-rile-global-firms

SpaceX Explosion Slows Facebook & Israeli Efforts To Control Online Content

praskrishna — 2016-09-14T11:24:47Z

In their ‘space race’ to expand internet access to remote, impoverished areas of the world, Facebook and Google are actually vying for control o fthe online experiences of millions of people.

The article by Kit O' Connell published by Mint Press News on September 13, 2016 has quoted Pranesh Prakash.

When a rocket operated by space startup SpaceX burned up on the launch pad, it was a setback to the prospects of commercial space travel, as well as efforts by Facebook to control the online experiences of millions of rural internet users.

Facebook’s project, Internet.org, is described by founder Mark Zuckerberg in charitable terms, but critics have accused it of spreading “techno-colonialism.”

The Sept. 1 fire in Cape Canaveral, Florida, destroyed a $200 million satellite owned by SpaceCom, an Israeli communications satellite firm, and co-leased by Facebook. The satellite, Amos-6, was built by Israel Aerospace Industries, a government-owned aviation and aerospace manufacturer.

Facebook’s partnership with SpaceCom is another sign of the corporation’s deepening ties with Israel. In June, Facebook appointed Jordana Cutler, a close advisor to Israeli Prime Minister Benjamin Netanyahu, as head of policy and communications at Facebook’s Israeli office.

Another setback for Facebook’s Internet.org

“Facebook was counting on [the satellite] to beam internet service to sub-Saharan Africa as part of its ambitious Internet.org project,” noted Will Oremus, Slate’s senior technology writer.

The Los Angeles Times reported that SpaceCom’s stock fell 9 percent on the Tel Aviv Stock Exchange after the explosion. Zuckerberg shared his dismay in a post on his facebook page, writing:

“As I’m here in Africa, I’m deeply disappointed to hear that SpaceX’s launch failure destroyed our satellite that would have provided connectivity to so many entrepreneurs and everyone else across the continent.”

Internet.org would help users get online in areas lacking conventional internet access, and the service, which works in partnership with local mobile phone companies, has launched, at least provisionally, in 48 countries in Africa, Asia, and Latin America. In addition to satellites, Internet.org plans to use cutting edge solar-powered drones to expand internet access in remote parts of the world.

The service is not without controversy, though. An offering called “Free Basics” would provide users who can’t afford full internet access with a curated selection of websites, tailored for use on low bandwidth devices such as older smartphones. Free Basics generated international protests after it was rolled out in India, and was eventually blocked by the Telecom Regulatory Authority of India in March 2015 for violating the principle of net neutrality.

In a May 12 analysis for The Guardian, Mumbai-based journalist Rahul Bhatia suggested the failure of Free Basics was also due to Zuckerberg’s dismissive attitude toward the Indian government and people.

An unnamed Facebook executive told Bhatia that Zuckerberg made the “mistake of thinking that a third-world country is a banana republic. So institutions, the public, the press — they can be bypassed.”

Colonialism or philanthropy?

Indian students gather for a protest against Facebook’s “Free Basics” in Hyderabad, India. A central element of Facebook’s Internet.org campaign was controversial even before it was shut down in a key market this month. Indian regulators banned one of the pillars of the campaign, a service known as Free Basics, because it provided access only to certain pre-approved services – including Facebook – rather than the full Internet.

Google and its parent company, Alphabet, also intend to spread internet to rural, underserved areas through the unique balloon-based Project Loon. Tech site Pocket-Lint reported in March 2015 that SpaceX hoped to offer internet service through its satellites, in what reporter Luke Edwards called an “internet space race.”

Pranesh Prakash, a representative of the Centre for Internet & Society, an NGO based in Bangalore, India, questioned the company’s motivation in a June 2015 interview with Al-Jazeera.

“They’re doing it out of their self-interest,” Prakash told Tarek Bazley, Al-Jazeera’s science and technology editor.

“They are not doing it because they are charities, because they believe in altruism etc. They’re doing it because having more people online benefits them.”

And Aral Balkan, a human rights activist, told Bazley, “I wouldn’t call it philanthropy I would call it colonialism.”

In an August 2013 post on his homepage, Balkan went into more detail about his “strong reservations about why Google and Facebook want to be the ones providing this service.”

Noting that both tech corporations profit primarily from collecting and selling information about their users, he continued:

“Google and Facebook want to give everyone access to the Internet because they need more raw materials. More data. Your data. So they can cultivate more Digital Serfs to sell to their customers.”

For more details visit http://editors.cis-india.org/internet-governance/news/mint-pressnews-september-13-2016-kit-o-connell-spacex-explosion-slows-facebook-israeli-efforts-to-control-online-content

How does the government track all its legal cases?

praskrishna — 2016-09-14T10:17:07Z

The Legal Information Management and Briefing System , an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government.

The article by Shreeja Sen published by Livemint on September 13, 2016 has quoted Sunil Abraham.

More than one lakh cases currently exist on a law ministry platform curated in the last 13 months.The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.

Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.

“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.

According to the government, the project will help reduce delays in filing responses in cases , contempt notices because of such delays and consequent monetary penalties.

The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.

“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.

The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.

As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.

As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4452), environment (3,189) and defence (2,565).

Every day, nearly 400-500 cases are added to the portal. In all 58 ministries and their 202 departments have been brought under the LIMBS project.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases

CYFY 2016 - The India Conference on Cyber Security and Internet Governance

praskrishna — 2016-09-13T15:23:59Z

Sunil Abraham will participate as a panelist at CYFY 2016 event organized by Observer Research Foundation in New Delhi from September 28 to 30, 2016.

Into its fourth edition this year, CyFy: The India Conference on Cyber Security and Internet Governance has emerged as a global platform to discuss, debate and deliver digital policy solutions. CyFy 2015 featured nearly 110 participants from over 33 countries, with nearly 800 delegates in attendance. Prominently, the conference sessions featured several experts from Africa and the Asia Pacific, who addressed the policy priority of connecting the next billion. The 2016 iteration of CyFy will highlight the political, economic and strategic questions that underpin this imperative.

Download the Agenda

See the announcement on CYFY website or write to Samir Saran at ssaran@orfonline.org or Arun at arun.sukumar@orfonline.org for more details on the conference.

For more details visit http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition

CyFy 2016 Agenda

praskrishna — 2016-09-13T15:06:16Z

For more details visit http://editors.cis-india.org/internet-governance/files/cyfy-2016-agenda

The DigiLocker was supposed to cut down paperwork but less than 0.1% of Indians are using it

praskrishna — 2016-09-12T01:59:44Z

The official data shows that the platform has not enthused as many users as the government expected.

The blog post by Mayank Jain was published by Scroll.in on September 12, 2016. Sunil Abraham was quoted.

The government has been working hard to make all of India go digital – but its initiatives don't seem to be having the desired effect. Not yet anyway.

DigiLocker was launched in July last year as a secure platform for Indian citizens to store and access their documents on an electronic repository provided by the government of India. This is one of the major planks of the Digital India programme – which aims to take government services online and make the entire country digitally literate – but it does not seem to have enthused too many so far.

To popularise it further, the government on Wednesday integrated it with the Ministry of Road Transport and Highways to allow people to store a digital version of their driving licence and vehicle documents on the DigiLocker, sparing them the trouble of having to keep the hard copies on them at all times.

More than a year since its release, the platform has about 1.1 million people signed up as users, according to the official statistics on the DigiLocker website.

This might seem like an impressive number – but compare it to the country’s population of about 1.21 billion, or even its internet-using population of 350 million – and it becomes a drop in the ocean.

As this chart shows, only 0.09% of Indians are on DigiLocker – this is less than one user per 1,000 people in the country. DigiLocker is being used by 0.33% of the online population in the country, which implies that there are 33 users per 10,000 people on the internet from India.

Digital dreams

When it was launched by the Department of Electronics and Information Technology, the government had envisaged a cloud-based and secure storage platform that would cover the entire population, make it easier to procure and access important documents – including mark sheets, degrees and tax papers – and reduce paperwork as well as save time.

“In effect Digital Locker will touch every citizen's life by bringing in lot of convenience and therefore fulfilling the government's vision of a citizen centric governance model of providing services at the door-step of citizens,” the government said in a press release when the locker reached one lakh users in the first 100 days of its launch.

While the official website claims that the number of users is now about 2.1 million, the state-wise figures add up to only 1.1 million people on the platform.

Among the states, Maharashtra has most DigiLocker users in absolute numbers (more than 1 lakh), while Arunachal, Nagaland and Mizoram have less than 1,000 users each.

When the population of each state is taken into account, however, the picture changes. When adjusted for population, a mere 0.7% Sikkim’s population uses the service – and this is the highest percentage among Indian states. Maharashtra, with the highest number of DigiLocker users, has a much lower percentage of those on the service – 0.12%. The national capital, meanwhile, has just 0.17% of its population on the service.

Lock up

Citizens can use DigiLocker to store up to 10 megabytes of personal documents online.

Since the 10MB storage isn’t enticing enough, considering that internet users can avail themselves of at least 1GB of storage for free through private services such as Google Drive or Dropbox, the government is trying to push usage by integrating several departments with the service and allowing users to access more documents in real time from anywhere.

Among those enrolled so far include the road transport ministry, Maharashtra’s department of registry and stamps and educational bodies such as the Central Board of Secondary Education, which is now trying to release mark sheets and results of competitive exams online.

Though the government hoped that these initiatives would increase its usage, technical glitches have prevented several people from using the service.

A student who gave her National Engineering Entrance Exam this year spoke to Scroll.in about why she didn't sign up for DigiLocker even though her results were released on the platform.

“They allowed us to access results instantly on the platform but it required a sign up using the Aadhaar number,” a student, said on the condition of anonymity. “I tried signing up thrice using my phone number but never received the one-time password and then my Aadhaar verification didn’t go through so I could never sign up.”

The service is linked to the government's biometric-based Aadhaar identification system, but it is not mandatory to have an Aadhaar number, according to the website.

Privacy concerns

Another reason why people are hesitant to sign up for the service are privacy concerns about storing important and private documents on a central repository.

“Any large linked database with personal information is a serious threat to citizen’s data,” G Nagarjuna, a researcher at the Homi Bhabha Centre for Science Education in Mumbai told Scroll.in earlier. “There exists no agency that could secure their data till date without any possibilities of data theft.”

Experts said storing private information, such as biometric and passport data, on the service could pose security and privacy concerns.

Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society told Scroll.in over email that the project can have serious consequences if it is not encrypted well.

“Unless the cryptography and architecture is organised in such a manner that only the citizens will have access, there can be very serious consequences for the individual’s right to privacy,” he said.

Internal resistance

Those working for the project said the usage of the locker is going to go up if more government departments start issuing documents digitally to the locker, instead of handing over hard copies, as this will prompt users to sign up.

If the usage has to be increased, more departments need to come on board and start releasing documents digitally, said Debabrata Nayak, additional director of the National E-Governance Division, which implemented the project.

“It’s only when more departments start implementing digitisation and issuing digital documents that we will see a jump in the number of users because Digital Locker is pushed like that,” Nayak said, adding that National E-Governance Division is facing a fair bit of resistance from the departments.

“But not all departments are doing it yet because it requires a massive change in their work processes and we are trying to get them on board.”

Aadhaar woes

DigiLocker is designed as a push as well as pull service, which means that it should allow departments to issue as well as request documents from users. For this, users need to link their Aadhaar numbers to the locker. This is proving to be a problem, because most departments are not linking the documents they release to Aadhaar just yet, and not all users are registered with the unique identification system.

Moreover, the validity of Aadhaar is under question in the Supreme Court over privacy concerns voiced by the civil society.

An activist had moved the Supreme Court last year over the government making the Aadhaar number mandatory to sign up for DigiLocker. While the petition was quashed on procedural grounds, the government quickly moved to allow users to sign up without their Aadhaar numbers. However, the usability of the locker is restricted for such users.

Nayak said that non-Aadhaar-linked users can only upload their own documents on the system, without being able to use any other facility that DigiLocker claims to provide.

“Earlier Aadhaar was necessary but we changed it because people demanded access, but for most services, like getting government documents or requesting documents, it’s [Aadhaar] necessary,” he said. Nayak said this is because Aadhaar is the only way the government can identify the person who is being issued documents.

So what can one do without an Aadhaar on the DigiLocker?

“Without Aadhaar you can dump your garbage in it, which means you can upload your own files on the digital locker system,” Nayak said, “but why would you do that if you have Google Drive and Dropbox-like services?”

For more details visit http://editors.cis-india.org/internet-governance/news/scroll.in-mayank-jain-september-12-2016-the-digilocker-was-supposed-to-cut-down-paperwork

Despite SC order, thousands booked under scrapped Sec 66A of IT Act

praskrishna — 2016-09-07T15:31:18Z

College student Danish Mohammed’s arrest this March under the scrapped Section 66A of the Information Technology Act for allegedly sharing a morphed picture of RSS chief Mohan Bhagwat wasn’t an exception.

The article by Aloke Tikku was published in the Hindustan Times on September 7, 2016. Sunil Abraham was quoted.

Police arrested more than 3,000 people under the section in 2015, triggering concerns that the law was abused well after it was struck down by the Supreme Court in March last year. The top court had ruled Section 66A violated the constitutional freedom of speech and expression.

The exact number of people arrested after it was scrapped is not available. But the National Crime Records Bureau’s (NCRB) Crime in India report released last month shows 3,137 arrests under the section in 2015 against 2,423 the previous year.

On an average, four people were arrested every 12 hours in 2015 as compared to three in 2014.

“I am shocked,” said Supreme Court lawyer Karuna Nundy, who represented the People’s Union for Civil Liberties, among the petitioners in Supreme Court seeking removal of Section 66A.

“Making sure that our guardians of law know their law is absolutely basic... Whether it is training or notifying every police officer, we need action on it immediately,” she said.

It is unlikely that all 3,000-plus arrests were made before the provision was struck down in March. Sunil Abraham, executive director of the Bengaluru-headquartered advocacy group Centre for Internet and Society, said it was obvious that the police had not made these arrests before the SC ruling.

Lawyer Manali Singhal said once the Supreme Court struck off a provision of law, “any arrest under that provision would be per se illegal and void”.

Police also appeared to be on an overdrive to file charge sheets against people booked before the SC verdict – in 1,500 cases last year, almost twice the 2014 figure.

NCRB statistics suggest that trials too did not end.

There were 575 people still in jail on January 1, 2016, twice as many as the 275 in prison when the law was in force a year earlier. In 2015, the courts also convicted accused in 143 cases.

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act

August Report 2016

praskrishna — 2016-09-06T14:38:48Z

For more details visit http://editors.cis-india.org/accessibility/blog/august-report-2016

Talking Point: Futile Battle Against Torrents

praskrishna — 2016-09-01T14:36:01Z

Sunil Abraham spoke to Deccan Herald to clear the air about rumours surrounding a jail threat for those logging on to Torrent sites.

Video

This was originally published by Deccan Herald on August 30, 2016

For more details visit http://editors.cis-india.org/internet-governance/news/talking-point-futile-battle-against-torrents