Centre for Internet and Society

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit http://editors.cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

ICANN Analysis

sunil — 2018-03-15T06:35:45Z

For more details visit http://editors.cis-india.org/internet-governance/files/icann-analysis

Data Protection: We can innovate, leapfrog

sunil — 2018-01-22T01:45:46Z

About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.

The article was published in the Deccan Herald on January 20, 2018.

Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.

Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.

n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.

The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.

n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."

n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.

n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.

The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.

For more details visit http://editors.cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog

Fixing Aadhaar: Security developers' task is to trim chances of data breach

sunil — 2018-01-10T16:47:59Z

The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.

The article was published in Business Standard on January 10, 2017

I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.

The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.

In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language, for layman the key takeaway is a single national ID for all persons and all purposes is an ahistorical and unworkable solution.

Revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters

monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.

Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.

On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifier where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible referring to a similar scheme in the LSE identity report.Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

For more details visit http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

Services like TwitterSeva aren’t the silver bullets they are made out to be

sunil — 2016-10-06T16:31:51Z

TwitterSeva is great, but it should not be considered a sufficient replacement for proper e-governance systems. This is because there are several serious shortcomings with the TwitterSeva approach, and it is no wonder that enthusiastic police officers and bureaucrats are somewhat upset with the slow deployment of e-governance applications. They are also right in being frustrated with the lack of usability and scalability of existing applications that hold out the promise of adopting private sector platforms to serve citizens better.

Sunil Abraham, executive director of the Centre for Internet and Society, wrote this in response to the FactorDaily story on TwitterSeva, a special feature developed by Twitter’s India team to help citizens connect better with government services. Sunil's article in FactorDaily can be read here.

Let’s take a look at why the TwitterSeva approach is not adequate:

1. Vendor and Technology Neutrality: Providing a level ground for competing technologies in e-governance has been a globally accepted best practice for about 15 years now. This is usually done by using open standards policies and interoperability frameworks.

India does have a national open standards policy, but the National Informatics Centre (NIC) has only published one chapter of the Interoperability Framework for e-Governance .

The thing is, while Twitter might be the preferred choice for urban elites and the middle class, it might not be the choice of millions of Indians coming online. By implicitly signaling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter. Ideally, all interactions that the state has with citizens should be such that citizens can choose which vendor and technology they would like to use. Ideally, the government should have its own work-flow so that it can harvest complaints, feedback and other communications from all social media platforms be it Twitter or Identica, Facebook or Diaspora, and publish responses back onto them.

By implicitly signalling to citizens that Twitter complaints will be taken more seriously than e-mail or SMS complaints, the government is becoming a salesperson for Twitter

Apart from undermining the power of choice for citizens, lack of vendor and technology neutrality in government use of technology undermines the efficient functioning of a competitive free market, which is the bedrock of future innovation.

When it comes to micro-blogging, Twitter has established a near monopoly in India. There are no clear signs of harm and therefore it would not be wise to advocate that the Competition Commission of India investigate Twitter. However, if the government helps Twitter tighten its grip over the Indian market, it is preventing the next cycle of creative destruction and disruption. Therefore, e-governance applications should ideally only “loosely couple” with the APIs of private firms so that competition and innovation are protected.

2. Holistic Approach and Accountability: Ideally, as the Electronic Service Delivery Bill 2011 had envisaged, every agency within the government was supposed to (within 180 days of the enactment of the Act) do several things: publish a list of services that will be delivered electronically with a deadline for each service; commit to service-level agreements for each service and provide details of the manner of delivery; provide an agency-level grievance redressal mechanism for citizens unhappy with the delivery of these electronic services.

Notwithstanding the 180-day commitment, the Bill required that “all public services shall be delivered in electronic mode within five years” after the enactment of the Bill with a potential three-year extension if the original deadline was not met. The Bill also envisaged the constitution of a Central Electronic Service Delivery Commission with a team of commissioners who “monitor the implementation of this Bill on a regular basis” and publish an annual report which would include “the number of electronic service requests in response to which service was provided in accordance with the applicable service levels and an analysis of the remaining cases.”

The Electronic Service Delivery Bill 2011 had a much more comprehensive and accountable plan for e-governance adoption in the country

Citizens suffering from non-compliance with the provisions of the Bill and unsatisfied with the response from the agency level grievance redressal mechanism could appeal to the Commission. The state or central commissioners after giving the government officials an opportunity to be heard were empowered to impose a fine of Rs 5000.

Unlike the piecemeal approach of TwitterSeva, the Bill had a much more comprehensive and accountable plan for e-governance adoption in the country.

3. Right To Transparency: Some of the interactions that the government has with citizens and firms may have to be disclosed under the obligation emerging from the Right to Information Act for disclosure to the public or to the requesting party. Therefore it is important that the government take its own steps for the retention of all data and records — independent of the goodwill and lifecycles of private firms.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests? Even if the government is not keen on pushing for data portablity as a right for consumers (just like mobile number portability in telecom, so that consumers can seamlessly shift between competing service providers), it absolutely should insist on data portability for all government use.

Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests?

This will allow it to shift to a) support multiple services, b) shift to competing/emerging services c) incrementally build its own infrastructure and also comply with the requirements of the Right to Information Act.

4. Privacy: Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology.” There is an obsession with collecting as much data as possible from citizens, storing it in centralized databases and providing “dashboards” to bureaucrats and politicians. This is diametrically opposed to the view of the security community.

Unfortunately, thanks to the techno-utopians behind the Aadhaar project, the current government is infected with “data ideology”

For example, Bruce Schneier posted on his blog in March this year (in a piece titled ‘Data is a Toxic Asset‘) saying: “What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous. This idea has always been part of the data protection law starting with the 2005 EU Data Protection Directive expressed as the principle of “Data Minimization” or “Collection Limitation”. More recently technologists and policy makers also use the phrase “Privacy by Design”. Introducing an unnecessary intermediary or gate-keeper between what is essentially transactions between citizens and the state is an egregious violation of a key privacy principle.”

5. Middle Class and Elite Capture: The use of Twitter amplifies the voices of the English-speaking, elite, and middle class citizens at the expense of the voices of the poor. While elites don’t exhibit fear when tagging police IDs and making public complaints from the comforts of their gated communities with private security guards shielding them the violence of the state, this might be a very intimidating option for the poor and disempowered.

While elites don’t fear tagging police IDs and making public complaints from the comforts of their gated communities, it’s intimidating for the disempowered

While the system may not be discriminatory in its design, it will have disparate impact on different sections of our society. In other words, the introduction of TwitterSeva will exacerbate power asymmetries in our society rather than ameliorating them.

The canonical scholarly reference for this is Kate Crawford’s analysis of City of Boston’s StreetBump smartphone, which resulted in an over-reporting of potholes in elite neighbourhoods and under-reporting from poor and elderly residents. This meant that efficiency in the allocation of the city’s resources was only a cover for increased discrimination against the powerless.

6. Security: The most important conclusion to draw from the Snowden disclosure is that the tin-foil conspiracy theorists who we used to dismiss as lunatics were correct. What has been established beyond doubt is that the United States of America is the world leader when it comes to conducting mass surveillance on netizens across the globe. It is still completely unclear how much access the NSA has to the databases of American social media giants. When the complete police force of a state starts to use Twitter for the delivery of services to the public, then it may be possible for foreign intelligence agencies to use this information to undermine our sovereignty and national security.

For more details visit http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be

April 2016 Newsletter

sunil — 2016-05-10T06:26:09Z

Welcome to the CIS newsletter for April 2016. The key issues we worked on this month included the Aadhaar Act 2016, Standard Essential Patents, cyber security of smart grids, and involvement of international agencies in the smart cities project in India.

Early last year, thanks to the fund raising efforts of a friend of CIS - Suhail Kazi, we received Rs. 1.9 lakhs as donations from 19 individuals. In January this year, we set up an online giving feature on our website which would ease the donation process, but we haven’t got a single donation so far! This could be because many of you may be under a false impression that CIS is very wealthy and does not need more support. Unfortunately, this is no longer true. Today, we are unable to find a single donor who is interested in our Accessibility, Telecom, or RAW programmes. In other words, we need your support. Would you to consider making a small donation to CIS? Click here to donate.

Previous issues of the newsletters can be accessed here: http://cis-india.org/about/newsletters.

Highlights
CIS prepared an FAQ on the Aadhaar / UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. Further, two infographics were produced to highlight on the questions of "Can the Aadhaar Act 2016 be Classified as a Money Bill?" and "Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?". NVDA team prepared a report on the progress of the project for the month of April 2016. CIS submitted its comments to the Department of Industrial Policy and Promotion's Discussion Paper on Standard Essential Patents and their Availability on FRAND Terms. CIS has offered its assistance on other matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards the sustained innovation, manufacture and availability of mobile technologies in India. A summary of the comments can be accessed here. Responses to the Discussion Paper is available here. Rohini Lakshané's paper titled Patents and Mobile Devices in India: An Empirical Survey has been accepted for publication by the Vanderbilt Journal of Transnational Law. Kiran A.B. in a blog post has documented the availability and openness of data sets in India that are relevant for monitoring the targets under the SDGs. Low-cost Aakash tablet and its previous iterations in India have gone through several phases of technological changes and ideological experiments wrote Sumandro Chattapadhyay and Jahnavi Phalkey in an article published in the Economic and Political Weekly.

-----------------------------------
CIS in the News
-----------------------------------

CIS gave inputs to the following media coverage:

India's biometric database crosses billion-member mark (AFP and Daily Mail, UK; April 4, 2016).
The Panama Papers and the question of privacy (Big News Network; April 6, 2016). This was originally published by Privacyinternational.org.
Daunting task ahead for investigative agencies with WhatsApp's end-to-end encryption (Neha Alawadhi; Economic Times; April 8, 2016).
PMO’s no to smart cards, insists on Aadhaar (Somesh Jha; Hindu; April 10, 2016).
2014 showed the power of Twitter, now every Indian politician wants a handle (T.V. Jayan, Smitha Verma,Sonia Sarkar and V. Kumara Swamy; Telegraph; April 10, 2016).
Why is the UIDAI cracking down on individuals that hoard Aadhaar data? (Alnoor Peermohamed; Business Standard; April 13, 2016).
You will need a license to create a WhatsApp group in Kashmir (Governance Now; April 19, 2016).
Will Facebook, Twitter relocate servers to India? (Taru Bhatia; Governance Now; April 23, 2016).
Government keeps experts out of cyber security discussions (Amrita Madhukalya; DNA; April 23, 2016).
CCTV plays Sherlock (Raj Shekhar, Arun Dev, V Narayan & A Selvaraj with inputs from Sindhu Kannan and Somreet Bhattacharya; The Times of India; April 24, 2016).

CIS members wrote the following pieces:

Sunil Abraham wrote an article in the July 15 edition of Frontline arguing that the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.
Amber Sinha wrote an article in The Wire arguing that the Aaddhaar Act is not a money bill, and the Supreme Court may very well question the decision by the Lok Sabha speaker to classify it as such.
Sumandro Chattapadhyay also wrote on The Wire arguing that "the last chance for a welfare state doesn’t rest in the Aadhaar system."
Subhashish Panigrahi's article on the 8 challenges that Indian language Wikipedias have to overcome was published by Global Voices. The article had earlier been published in the Wire.
Elonnai Hickok and Vanya Rakesh co-authored an article on Cyber Security of Smart Grids in India that was published by Dataquest.
Shyam Ponappa in his monthly column published in the Business Standard tell us that it's time the government accepts that current policies are not enough to bring about Digital India.

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Comments

Comments on Department of Industrial Policy and Promotion Discussion Paper on Standard Essential Patents and their Availability on Frand Terms (Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané; April 23, 2016).
Responses to the DIPP's Discussion Paper on SEPs and their Availability on FRAND Terms (Anubha Sinha, Nehaa Chaudhari and Rohini Lakshané; April 23, 2016).
Summary of CIS Comments to DIPP’s Discussion Paper on SEPs and their availability on FRAND terms (Anubha Sinha; April 26, 2016).

Blog Entries

Global Congress 2015 - A Collection of Resources (Pervasive Technologies Team; April 1, 2016).
Compilation of Mobile Phone Patent Litigation Cases in India (Rohini Lakshané; updated on April 15, 2016).
Joining the Dots in India's Big-Ticket Mobile Phone Patent Litigation (Rohini Lakshané; updated on April 29, 2016).
MHRD IPR Chair Series: Information Received from Tezpur University (Karan Tripathi; April 26, 2016).
National IPR Policy Series : Sectoral Innovation Councils on Intellectual Property Rights – RTI Requests + DIPP Responses (Nehaa Chaudhari and Saahil Dama; April 30, 2016). Nisha S. Kumar assisted in compilation of the document.

Participation in Events

Fifth Annual IP Teaching Workshop (Organised by the Centre for Innovation, Intellectual Property and Competition at National Law University Delhi in association with National Academy of Law Teaching, NLU-D; Delhi; March 31 and April 1, 2016). Nehaa Chaudhari was a speaker.
First Round-table on Innovation, IP and Competition (Organized by the Centre for Innovation, Intellectual Property & Competition (CIIPC) at the National Law University, Delhi; India Habitat Centre; New Delhi; April 1-2, 2016). Nehaa Chaudhari and Anubha Sinha attended the round-table.
Brainstorming Workshop on PG Programme on Media Studies for UGC E-Pathshala Programme (Organized by Jamia Milla Islamia; New Delhi; April 5, 2016).
Sensitization Seminar on IPR for Electronics & ICT Sectors (Organized by Andhra Pradesh Technology Development & Promotion Centre (APTDC) of Confederation of Indian Industry (CII), in association with Department of Electronics and Information Technology (DeitY); Vishakhapatnam; April 21, 2016).

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Work Plan

CIS - A2K Work Plan: July 2016 - June 2017 (CIS-A2K Team; April 2, 2016): We have revised the work plan template taking into account the changed proposal plan sent out by WMF and in light of the feedback that we have received from FDC assessment during last proposal application. The FDC feedback is taken into account at the level of design, RoI and ensuring quality for all our activities.

Article

Eight Challenges Indian-Language Wikipedias Need to Overcome (Subhashish Panigrahi; Global Voices; April 21, 2016). A version of this post was previously published on The Wire.

Media Coverage

Odia gets more space in e-world (Anwesha Ambaly; The Telegraph; April 7, 2016).
Exercise to Correct articles in Tulu Wikipedia begins (Raviprasad Kamila; The Hindu; April 28, 2016).

Event Organized

Tulu Wikipedia Editathon to Improve Quality of Articles in Tulu Wikipedia (Shri Ramakrishna PU College; Mangaluru; April 26 - 30, 2016).

-----------------------------------
Openness
-----------------------------------

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Monitoring Sustainable Development Goals in India: Availability and Openness of Data (Part II) (Kiran A.B.; April 12, 2016).

-----------------------------------
Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Cyber Security

Cyber Security of Smart Grids in India (Elonnai Hickok and Vanya Rakesh; April 25, 2016).

►Big Data

Blog Entry

RTI regarding Smart Cities Mission in India (Paul Thottan; April 21, 2016).

►Privacy

Blog Entries

FAQ on the Aadhaar Project and the Bill (Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda; April 13, 2016).
Aadhaar Act and its Non-compliance with Data Protection Law in India (Vanya Rakesh; April 14, 2016).
Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill? (Pooja Saxena; April 24, 2016).

Articles

Will Aadhaar Act Address India’s Dire Need For a Privacy Law? (Nehaa Chaudhari; Quint; March 31, 2016).
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System (Sumandro Chattapadhyay; April 19, 2016).
The Aadhaar Act is Not a Money Bill (Amber Sinha; April 25, 2016).

Participation in Events

RightsCon Silicon Valley 2016 (Organized by RightsCon; March 31 and April 1, 2016). Elonnai Hickok attended the event.
Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security (Organized by Students Christian Movement of India at SCM House; Bangalore; April 25, 2016). Sunil Abraham was a panelist.
The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), organised a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Prasanna S, Apar Gupta, and Dr. Chirashree Dasgupta, Sumandro Chattapadhyay was one of the discussants.
Aadhaar by Numbers (Organized by National Institute of Public Finance and Policy; New Delhi; April 29, 2016). Sunil Abraham was a speaker.

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

Breakthroughs Needed For Digital India (Shyam Ponappa; Business Standard; April 6, 2016 and Organizing India BlogSpot; April 7, 2016).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

Buying into the Aakash Dream - A Tablet’s Tale of Mass Education (Sumandro Chattapadhyay and Jahnavi Phalkey; Economic & Political Weekly; April 23, 2016).

Announcement

Call for Proposal: Big Data for Development – Initial Field Studies (Sumandro Chattapadhyay; April 29, 2016).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit http://editors.cis-india.org/about/newsletters/april-2016-newsletter

Surveillance Project

sunil — 2016-04-05T15:21:27Z

The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

For more details visit http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project

CIS - A2K Work Plan: July 2016 - June 2017

sunil — 2016-04-29T09:36:45Z

One of the key mandates of the Access to Knowledge (A2K) program at the Centre for Internet and Society (CIS) is to work towards catalyzing the growth of the free and open knowledge movement in Indic languages. CIS has been a steward of the Wikimedia movement in India since December 2008. Since September 2012, we at CIS-A2K, have been actively involved in growing the movement in India through (i) a grant received from the Wikimedia Foundation (WMF) for the period September 2012 - June 2014, (ii) the FDC Grant received for the period July 2014 - June 2015 and (iii) the FDC Grant received for the period July 2015 - June 2016. Based on the productive experience of working with various Indic Wikimedia communities, CIS-A2K has developed this work plan for July 2016 to June 2017.

This was originally published on Meta-wiki on April 2, 2016.

We have revised the work plan template taking into account the changed proposal plan sent out by WMF and in light of the feedback that we have received from FDC assessment during last proposal application. The FDC feedback is taken into account at the level of design, RoI and ensuring quality for all our activities.

CIS-A2K responses towards Indic communities concerns

During the last plan period CIS-A2K received the following complaints, suggestions, and feedback. We have attempted to address the concerns under redesigned CIS-A2K 2.0. This table was first prepared during our progress report for the current grant and A2K would like to acknowledge the learnings derived out of the suggestions and feedback it received during the last plan. Please see the table here.

Background to CIS-A2K Program

CIS-A2K is working with the Indic Wikimedia communities since December 2008, when Jimbo Wales came to India and visited Bangalore. In mid-2012 CIS-A2K received a financial grant from the Wikimedia Foundation (WMF) and since then it has been actively involved in growing the Wikimedia and free knowledge movement in India. Following a grant received from WMF for the period September 2012 to June 2014, CIS-A2K received FDC Grant for the periods July 2014 to June 2015 and July 2015 to June 2016. Based on the 41-month experience of working with various Indic Wikimedia communities, CIS-A2K has prepared this year's work plan for July 2016 to June 2017.

Objective

CIS-A2K is committed to improve Wikimedia movement in India by supporting Indic Wikimedia communities and working on Wikimedia projects and collaborating with FOSS and other like minded movement partners. It also strives to catalyse the growth of open and free knowledge movement in South Asia and especially in India. Our main objectives are:

Bringing content under Creative Commons and similar free licenses;
Supporting and empowering Indic Wikimedia communities;
Building and maintaining institutional partnerships in order to support the open knowledge movement and creation of open knowledge resources;
Planning and executing Wikimedia projects with wider community participations and effective consultation;
Fostering and enabling an appropriate legal and technological ecosystem;
Building sustainable communities and grooming potential leaders to represent the communities and projects globally.

Context

CIS-A2K has focussed on creating sustainable programmes and capacity development for communities in the last few years. CIS-A2K intends to continue its work during the proposed grant period and would continue to focus on the following Indian language Wikimedia projects: Kannada, Konkani, Marathi, Odia, Telugu (Focus Language Areas, FLA). In order to achieve higher RoI, A2K will be including Tulu in its language plan from this plan period.

CIS-A2K will continue to provide general support and service to all other Indian language Wikimedia communities for all Wikimedia projects as necessary and as requested by the communities or individuals from the community through its request page and needs assessment workshops.

Community strengthening initiatives will be prioritised in order to address the poor participation of Wikimedians from Indian sub continent in particular and global south in general. CIS-A2K has rolled out initiatives such as Train the Trainer and MediaWiki training, focused edit-a-thons and GLAM activities.

CIS-A2K and Indian language Wikimedia communities would greatly benefit from collaborating with these initiatives and CIS-A2K during this grant period would attempt to bring these communities closer with a series of interactions, hack-a-thons and training sessions.

Our institutional partnerships have played a very important role in content donation, generation of content, attracting new readers and editors and collaborating opportunities with existing community members. They have provided much needed press coverage towards Indian language Wikimedia projects. The institution partnerships and WEP have been redesigned as per community suggestions.

Methodology

This work plan has been prepared based on an extensive engagement with various Wikimedia movement participants and enthusiasts in India. These include:

Wikimedia community members across all Indic communities: We have talked to a large number of Indic Wikimedia community members and specially community members of our focused language areas;
Institutional Partners of CIS-A2K: We have taken feedback and suggestions from our institutional partners regarding the challenges of conducting WEP;
Like-minded advocates of free and open knowledge;
Surveys and Interviews.

Performance against plans and projected targets

Overall

Kannada

Konkani

Marathi

Odia

Telugu

Progress against goals set

Language Area Work Plans

CIS-A2K has put in significant efforts across four focus language areas Kannada, Konkani, Odia and Telugu during the previous work plans. CIS-A2K proposed and initiated Marathi as a focus language project during the last proposal plan. As A2K's strategy of working with FLA has resulted in community building and sustainable outreach efforts, we intend to work with the nascent Tulu community towards making Tulu Wikipedia live.

The Tulu Wikipedia plan is a 'minimal cost program' and is not budgeted same as the other FLA. A2K has been able to build a strong community in Mangalore for the Kannada and Konkani Wikimedia projects. Tulu community draws its editor base and institutional support from Mangalore, hence A2K's plans towards Kannada and Konkani Wikimedia projects can also have the added dimension of Tulu Wikipedia incubation activities.

Detailed work-plan for each of these language areas may be seen here (in alphabetical order):

Woman's day editathon at Christ University

Some of the key factors that determined the July 2016-June 2017 work plan:

Development of Focus Language Area Plan: A2K's strategy of building a plan along with the consultation of the community and further customised as per the feedback received by communities and FDC Staff have resulted well across five languages. CIS-A2K is pleased to inform that during July 2015-June 2016 it engaged with all the five focus language area plans as it has been able to recruit program officers and program associates for the vacant positions. It is important to note that while we are engaging with Tulu Wikipedia community with intentions of making Tulu Wikipedia live, it is also a 'minimal cost' program. It helps A2K in acheiving higher RoI for monetary resources and optimisation of staff and volunteer expertise.
A2K 2.0 as a response to FDC and Indic Wikimedians' Feedback: As a learning derived out of FDC, WMF Board and Indic Wikimedians suggestions, CIS-A2K has revised its program structure and composition of work. Please find details of revised divisional of responsibilities of A2K team.
Partnership and networking with institutions and groups: CIS-A2K has had the privilege of partnering with educational institutions and developmental organisations. These partnerships and collaborations not only resulted in significant quality-content contributions, but also lead to the diversification and expansion of that particular language Wikimedia community. In order to strengthen the communities, increase participation and conduct GLAM activities and attract content donation A2K would look out for possible institutional partnerships.
Providing sustainability and developing leadership skills: A2K has always worked towards enabling Indian Language Wikimedia communities to achieve sustainability and visibility amongst the global communities. We have been greatly privilege to work with the Focus Language Communities and would like to pass on our learning through collaborations with other language communities, while exiting few of our current FLA programs. Through our skill building initiatives such as Train-the-Trainer, Media Wiki Training and Train-a-Wikipedian A2K has also been able to support growth of a new community of volunteers to support the existing community.

Community Strengthening Initiatives

CIS-A2K started two community strengthening initiatives— Train-the-Trainer and MediaWiki Training to grow and strengthen the Indic Wikimedia projects and the associated communities, both qualitatively and quantitatively. The earlier iteration of these two programs played an important role in connecting the Indian language Wikimedia communities and fostering multi-lingual projects. This year also CIS-A2K proposes to undertake these two successful community strengthening initiatives. In mid-March 2016, CIS-A2K conducted a 2-day-long nationwide Wikipedia Education Program review workshop that brought students and faculty members from institutions that are running WEP in partnership with CIS-A2K and several important topics such as structural challenges such as academic schedule, institutional interest, faculty buy-in and more importantly response by the students were discussed. This year also CIS-A2K proposes to conduct such a workshop.

Creating Movement Resources

CIS-A2K has been creating resources to help Indic Wikimedia communities. All the resources are created after assessing the communities' need assessment and close interactions with many of the active community members.

CIS-A2K proposed to create the following resources (this also include printed resources):

Wikipedia editing tutorials
PEG and IEG application handbooks;
Handbook on how apply for various WMF scholarships;
Handbook on best practices for Wiki-events, workshops, meetup, outreach and other programs;
FAQ for content donors –give this job to a law school intern. No need of this handbook to be translated to Indian languages.
Bookmarks creation to increase awareness about Indian Wikimedia Projects;

General Support and Service to the Movement

CIS-A2K regularly supports Indic-language Wikimedia communities to conduct workshops, edit-a-thons and events to improve their projects. All these requests are placed at CIS-A2K request page and fulfilled after extensive community discussion and needs assessment.

Currently CIS-A2K is working on a program named Train-a-Wikipedian (TAW) to identify enthusiastic Indic Wikipedians and train and groom them to develop their editing skills. We'll continue empowering Indic Wikimedia community members through this program.

Learning and Evaluation

Following the Global metrics and discussions some members of the Wikimedia community, the A2K program had put together some evaluation tools to assess the impact of its work during the last year. We have included some more metrics for evaluation this year.

Evaluation tools

Participation

Number of active editors involved
Number of newly registered users
Number of individuals involved

Content

Number of new images/media added to Wikimedia article pages
Number of new images/media uploaded to Wikimedia Commons
Number of articles added or improved on Wikimedia projects
Number of bytes added to and/or deleted from Wikimedia projects

Reports

CIS-A2K will undertake monthly and annually review of our work using the above evaluation tools. CIS-A2K report activities and progress to Wikimedia foundation in monthly meetings.^[1] CIS-A2K team will also report the successes and learnings to the Wikimedia India & the Global Community. CIS-A2K team will actively review progress of each language area plan in collaboration with the respective Wikimedia community. Based on this feedback we will undertake mid-course corrections, should there be a need. To summarize following reports will be published in the year of 2016 - 2017:

Progress report (for the current grant)
Impact Report (July 2016 - June 2017)
Monthly report to Wikimedia foundation;
Monthly Newsletters
Annual report to CIS

Monthly Review and Learning Sessions

Last year we wrote about conducting monthly review and learning sessions. Currently CIS-A2K is conducting monthly learning sessions to critically reflect on the successes and failures of our work internally. The learnings are shared with Wikimedia Foundation for their feedback and suggestion. We'll continue conducting monthly reviews and learnings and progress will be shared with Wikimedia Foundation. We will try to share the same the Wikimedia India members.

Budget

Please find link to CIS-A2K program budget for proposed grant period July 2016-June 2017 here

Feedback

We appreciate your valuable feedback. However, for the sake of structured engagement by everyone, we request you to consider the following before you share your feedback.

For feedback on the overall A2K Work Plan you can write here.
For feedback on respective Language area plans, please write on the discussion page of the respective language plan.

Alternatively you could also share your feedback over e-mail at tanveer@cis-india.org. Please use the subject line Feedback on Work Plan.
Should you feel the need to discuss any aspect of the plan before sharing your feedback, please write to us and we can set up a telephone/Skype call.

For more details visit http://editors.cis-india.org/a2k/blogs/cis-a2k-work-plan-july-2016-june-2017

Facebook's Fall from Grace: Arab Spring to Indian Winter

sunil — 2016-02-11T15:51:34Z

Facebook’s Free Basics has been permanently banned in India! The Indian telecom regulator, TRAI has issued the world’s most stringent net neutrality regulation! To be more accurate, there is more to come from TRAI in terms of net neutrality regulations especially for throttling and blocking but if the discriminatory tariff regulation is anything to go by we can expect quite a tough regulatory stance against other net neutrality violations as well.

The article was published in First Post on February 9, 2016. It can be read here.

Even the regulations it cites in the Explanatory Memorandum don’t go as far as it does. The Dutch regulation will have to be reformulated in light of the new EU regulations and the Chilean regulator has opened the discussion on an additional non-profit exception by allowing Wikipedia to zero-rate its content in partnership with telecom operators.

Bravo to Nikhil Pahwa, Apar Gupta, Raman Chima, Kiran Jonnalagadda and the thousands of volunteers at Save The Internet and associated NGOs, movements, entrepreneurs and activists who mobilized millions of Indians to stand up and petition TRAI to preserve some of the foundational underpinnings of the Internet. And finally bravo to Facebook for having completely undermined any claim to responsible stewardship of our information society through their relentless, shrill and manipulative campaign filled with the staggeringly preposterous lies. Having completely lost the trust of the Indian public and policy-makers, Facebook only has itself to blame for polarizing what was quite a nuanced debate in India through its hyperbole and setting the stage for this firm action by TRAI.

And most importantly bravo to RS Sharma and his team at TRAI for several reasons for the notification of “Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016” aka differential pricing regulations. The regulation exemplifies six regulatory best practices that I briefly explore below.

Transparency and Agility: Two months from start to finish, what an amazing turn around! TRAI was faced with unprecedented public outcry and also comments and counter-comments. Despite visible and invisible pressures, from the initial temporary ban on Free Basics to RS Sharma’s calm, collected and clear interactions with different stakeholders resulted in him regaining the credibility which was lost during the publication of the earlier consultation paper on Regulatory Framework for Over-the-top (OTTs) services. Despite being completely snowed over electronically by what Rohin Dharmakumar dubbed as Facebook’s DDOS attack, he gave Facebook one last opportunity to do the right thing which they of course spectacularly blew.

Brevity and Clarity: The regulation fits onto three A4-sized pages and is a joy to read. Clarity is often a result of brevity but is not necessarily always the case. At the core of this regulation is a single sentence which prohibits discriminatory tariffs on the basis of content unless it is a “data service over closed electronic communications network”. And unlike many other laws and regulations, this regulation has only one exemption for offering or charging of discriminatory tariffs and that is for “emergency services” or during “grave public emergency”. Even the best lawyers will find it difficult to drive trucks through that one. Even if imaginative engineers architect a technical circumvention, TRAI says “if such a closed network is used for the purpose of evading these regulations, the prohibition will nonetheless apply”. Again clear signal that the spirit is more important than the letter of the regulation when it comes to enforcement.

Certainty and Equity: Referencing the noted scholar Barbara Van Schewick, TRAI explains that a case-by-case approach based on principles [standards] or rules would “fail to provide much needed certainty to industry participants…..service providers may refrain from deploying network technology” and perversely “lead to further uncertainty as service providers undergoing [the] investigation would logically try to differentiate their case from earlier precedents”. Our submission from the Centre for Internet and Society had called for more exemptions but TRAI went with a much cleaner solution as it did not want to provide “a relative advantage to well-financed actors and will tilt the playing field against those who do not have the resources to pursue regulatory or legal actions”.

What next? Hopefully the telecom operators and Facebook will have the grace to abide with the regulation without launching a legal challenge. And hopefully TRAI will issue equally clear regulations on throttling and blocking to conclude the “Regulatory Framework for Over-the-top Services” consultation process. Critically, TRAI must forbear from introducing any additional regulatory burdens on OTTs, a.k.a Internet companies based on unfounded allegations of regulatory arbitrage. There are some legitimate concerns around issues like taxation and liability but that has to be addressed by other arms of the government. To address the digital divide, there are other issues outside net neutrality such as shared spectrum, unlicensed spectrum and shared backhaul infrastructure that TRAI must also prioritize for regulation and deregulation.

Without doubt other regulators from the global south will be inspired by India’s example and will hopefully take firm steps to prevent the rise of additional and unnecessary gatekeepers and gatekeeping practices on the Internet. The democratic potential of the Internet must be preserved through enlightened and appropriate regulation informed by principles and evidence.

The writer is Executive Director, Centre for Internet and Society, Bengaluru. He says CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world).

For more details visit http://editors.cis-india.org/internet-governance/blog/first-post-february-9-2016-sunil-abraham-facebook-fall-from-grace-arab-spring-to-indian-winter

Free Basics: Negating net parity

sunil — 2016-01-03T05:58:00Z

Researchers funded by Facebook were apparently told by 92 per cent of Indians they surveyed from large cities, with Internet connection and college degree, that the Internet “is a human right and that Free Basics can help bring Internet to all of India.” What a strange way to frame the question given that the Internet is not a human right in most jurisdictions.

The article was published in the Deccan Herald on January 3, 2016.

Free Basics is gratis service offered by Facebook in partnership with telcos in 37 countries. It is a mobile app that features less than a 100 of the 1 billion odd websites that are currently available on the WWW which in turn is only a sub-set of the Internet. Free Basics violates Net Neutrality because it introduces an unnecessary gatekeeper who gets to decide on “who is in” and “who is out”. Services like Free Basics could permanently alienate the poor from the full choice of the Internet because it creates price discrimination hurdles that discourage those who want to leave the walled garden.

Inika Charles and Arhant Madhyala, two interns at Centre for Internet and Society (CIS), surveyed 1/100th of the Facebook sample, that is, 30 persons with the very same question at a café near our office in Bengaluru. Seventy per cent agreed with Facebook that the Internet was a human right but only 26 per cent thought Free Basics would achieve universal connectivity. My real point here is that numbers don’t matter. At least not in the typical way they do. Facebook dismissed Amba Kak’s independent, unfunded, qualitative research in Delhi, in their second public rebuttal, saying the sample size was only 20.

That was truly ironical. The whole point of her research was the importance of small numbers. Kak says, “For some, it was the idea of an ‘emergency’ which made all-access plans valuable.” A respondent stated: “But maybe once or twice a month, I need some information which only Google can give me... like the other day my sister needed to know results to her entrance exams.” If you consider that too mundane, take a moment to picture yourself stranded in the recent Chennai flood. The statistical rarity of a Black Swan does not reduce its importance. A more neutral network is usually a more resilient network. When we do have our next national disaster, do we want to be one of the few countries on the planet who, thanks to our flawed regulation, have ended up with a splinternet?

Telecom Regulatory Authority of India (Trai) chairman R S Sharma rightly expressed some scepticism around numbers when he said “the consultation paper is not an opinion poll.” He elaborated: “The issue here is some sites are being offered to one person free of cost while another is paying for it. Is this a good thing and can operators have such powers?” Had he instead asked “Is this the best option?” my answer would be “no”. Given the way he has formulated the question, our answer is a lawyerly “it depends”. The CIS believes that differential pricing should be prohibited. However, it can be allowed under certain exceptional standards when it is done in a manner that can be justified by the regulator against four axes of sometimes orthogonal policy objectives. They are increased access, enhanced competition, increased user choice and contribution to openness. For example, a permanent ban on Free Basics makes sense in the Netherlands but regulation may be sufficient for India.

Gatekeeping powers

To the second and more important part to Trai chairman’s second question on gatekeeping powers of operators, our answer is a simple “no”. But then, do we have any evidence that gatekeeping powers have been abused to the detriment of consumer and public interest? No. What do we do when we cannot, like Russell’s chicken, use induction to explain our future? Prof Simon Wren-Lew says, “If Bertrand Russell’s chicken had been an economist ...(it would have)... asked a crucial additional question: Why is the farmer doing this? What is in it for him?” There were five serious problems with Free Basics that Facebook has at least partially fixed, thanks mostly to criticism from consumers in India and Brazil. One, exclusivity with access provider; two, exclusivity with a set of web services; three, lack of transparency regarding retention of personal information; four, misrepresentation through the name of the service, Internet.org and five, lack of support for encrypted traffic. But how do we know these problems will stay fixed? Emerging markets guru Jan Chipchase tweeted asking “Do you trust Facebook? Today? Tomorrow? When its share price is under pressure and it wants to wring more $$$ from the platform?”

Zero. Facebook pays telecom operators zero. The operators pay Facebook zero. The consumers pay zero. Why do we need to regulate philanthropy? Because these freebies are not purely the fruit of private capital. They are only possible thanks to an artificial state-supported oligopoly dependent on public resources like spectrum and wires (over and under public property). Therefore, these oligopolies much serve the public interest and also ensure that users are treated in a non-discriminatory fashion.

Also provision of a free service should not allow powerful corporations to escape regulation–in jurisdictions like Brazil it is clear that Facebook has to comply with consumer protection law even if users are not paying for the service. Given that big data is the new oil, Facebook could pay the access provider in advertisements or manipulation of public discourse or by tweaking software defaults such as autoplay for videos which could increase bills of paying consumers quite dramatically.

India needs a Net Neutrality regime that allows for business models and technological innovation as long as they don’t discriminate between users and competitors. The Trai should begin regulation based on principles as it has rightly done with the pre-emptive temporary ban. But there is a need to bring “numbers we can trust” to the regulatory debate. We as citizens need to establish a peer-to-peer Internet monitoring infrastructure across mobile and fixed lines in India that we can use to crowd source data.

(The writer is Executive Director, Centre for Internet and Society, Bengaluru. He says CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world)

For more details visit http://editors.cis-india.org/internet-governance/blog/deccan-herald-january-3-2016-sunil-abraham-free-basics-negating-net-parity

The Free Basics debate: Trai has a point in imposing temporary ban on net neutrality

sunil — 2015-12-25T14:58:30Z

The argument against net neutrality in India is simple. Regulation cannot be based on dogma – evidence of harm must be provided before you can advocate for rules for ISPs and telecom operators.

The article was published in FirstPost on December 24, 2015.

But net neutrality regardless of your preferred definition is a very complex regulatory question and there is no global or even national consensus on what counts as relevant evidence. To demonstrate the chain of causality between network neutrality violations and a variety of potential harms - expertise in a wide variety of fields such as economics, competition law, telecom policy, spectrum allocation, communications engineering and traffic management is required. Even with a very large research budget and a multidisciplinary team it would be impossible to predict with confidence what the impact of a particular regulatory option will be on the digital divide or innovation. And therefore the advocates of forbearance say that the Indian telecom regulator — Trai — should not regulate unprecedented technical and business model innovations like Facebook's Free Basics since we don't understand them.

Till recently I agreed with this empirical line of argument. But increasingly I am less convinced that scientific experiment and evidence is the only basis for regulation. Perhaps there is a small but necessary role for principles or ideology. Like the subtitle of Nassim Nicholas Taleb's book, we need to ask: How to Live in a World We Don't Understand. Let us take another area of technological regulation – cyber security. Do we really need to build a centralised database containing the passwords of all netizens and perform scientific experiments on it to establish that it can be compromised? A 100 percent centralised system has a single point of failure and therefore from a security perspective centralisation is almost always a bad idea. How are we so sure that such a system will be compromised at some date? To quote Sherlock Holmes: “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” Decentralisation eliminates the possibility of a single point of failure thereby growing resilience. The Internet is perhaps the most famous example. It is not necessarily true that all decentralized systems are more secure than all centralised system of a decentralized network but it is usually the case. In other words, the principle of decentralisation in cyber security does not require repeated experimental confirmation across
markets and technologies.

To complicate matters, the most optimal solutions developed using economics and engineering may not be acceptable to most stakeholders. Professor Vishal Misra has provided a Shapley Value solution using cooperative game theory in the multi-sided market to determine how surplus should be divided between three types of ISPs [eyeball, transit and content] and Internet companies using transparent paid transit arrangements. But a migration from the current opaque arrangement to the Misra solution may never happen because Internet companies will resist such proposals and are increasingly getting into access provision themselves through projects like Google Fibre and Loom. Walter Brown from South African Communications Forum proposes that billing by minutes for phone calls and billing by message for SMSes should be prohibited because on 4G networks voice and text messages are carried as data and price is the best signal to consumers to ensure optimum use of network resources. This according to Walter Brown will eliminate the incentive for telcos to throttle or block or charge differently for VOIP traffic. Again this solution will not be adopted by any regulator because regulators prefer incremental changes with the least amount of disruption.

So given that we only have numbers that we can't trust - what should be some of the principles that form the bedrock of our net neutrality policy? To begin with there is the obvious principle of non-discrimination. The premise is simple – anyone who has gate-keeping powers might abuse it. Therefore we need to eliminate the possibility through regulation. Non-exclusivity is the result of non-discrimination and transparency is its precondition. That can also be considered as a principle and now we have three core principles to work with. Maybe that is sufficient since we should keep principles to the bare minimum to keep regulation and compliance with regulation simple. Some net
neutrality experts have also identified fairness and proportionality as additional principles. How do we settle this? Through transparent and participatory policy development as has been the case so far. Once we have principles articulated in law - how can we apply them to a specific case such as Facebook's Free Basics? Through the office of the appropriate regulator. As Chris Marsden advocates, net neutrality regulations should ideally be positive and forward looking. Positive in the sense that there should be more positive obligations and incentives than prohibitions and punitive measures. Forward looking in the sense that that the regulations should not retard or block technological and business model innovations. For example zero-rated walled gardens could be regulated by requiring that promoters such as Facebook also provide 50Mb of data per day to all users of Free Basics and also by requiring that Reliance provides the very same free service to other parties that want to compete with Facebook with similar offerings. Alternatively, users of Free Basics should get access to the whole Internet every other hour. All these proposal ensure that Facebook and it business partners have a incentive to innovate but at the same time ensures that resultant harms are mitigated.

Just to be absolutely clear, my defense of principle based regulation does not mean that I see no role for evidence and research. As regulation gets under way – further regulation or forbearance should be informed by evidence. But lack of evidence of harm is not an excuse for regulatory forbearance. India is the last market on the planet where the walled garden can be bigger than the Internet – and Facebook is sure giving it its very best shot. Fortunately for us Trai has acted and acted appropriately by issuing a temporary prohibition till regulation has been finalised. Like the US, coming up with stable regulation may take 10 years and we cannot let Facebook shape the market till then.

For more details visit http://editors.cis-india.org/telecom/blog/the-free-basics-debate-trai-has-a-point-in-imposing-temporary-ban-on-net-neutrality

Facebook Shares 10 Key Facts about Free Basics. Here's What's Wrong with All 10 of Them.

sunil — 2015-12-25T14:59:10Z

Shweta Sengar of Catch News spoke to Sunil Abraham about the recent advertisement by Facebook titled "What Net Neutrality Activists won't Tell You or, the Top 10 Facts about Free Basics". Sunil argued against the validity of all the 'top 10 facts'.

Facebook has rebranded internet.org as Free Basics. After suffering from several harsh blows from the net neutrality activists in India, the social media behemoth is positioning a movement in order to capture user attention.

Apart from a mammoth two page advertisement on Free Basics on 23 December in a leading English daily, we spotted a numerous hoardings across the capital.

Unlike Facebook, Wikipedia has a rather upfront approach for raising funds. You must have noticed a pop-up as you open Wikipedia when they are in need of funds. What Facebook has done is branded Free Basics as 'free' as the basic needs of life.

The newspaper advertisement by Facebook was aimed at clearing all the doubts about Free Basics. The 10 facts highlighted a connected India and urging users to take the "first step towards digital equality."

In an interview with Catch, Sunil Abraham, Executive Director of Bangalore based research organisation, the Centre for Internet and Society, shared his thoughts on the controversial subject. Abraham countered each of Facebook's ten arguments. Take a look:

01 Free basics is open to any carriers. Any mobile operator can join us in connecting India.

Sunil Abraham: Free Basics was initially exclusive to only one telecom operator in most markets that it was available in.

The non-exclusivity was introduced only after activists in India complained. But now the arrangement is exclusive to Free Basics as a walled garden provider. But discrimination harms remain until other Internet services can also have what Facebook has from telecom operators ie. free access to their destinations.

02 We do not charge anyone anything for Free Basics. Period.

SA: As Bruce Schneier says "surveillance is the business model of the Internet". Free basics users are subject to an additional layer of surveillance ie. the data retention by the Facebook proxy server. Just as Facebook cannot say that they are ignoring Data Protection law because Facebook is a free product - they cannot say that Free Basics can violate network neutrality law because it is a free service. For ex. Flipkart should get Flipkart Basic on all Indian ISPs and Telcos.

03 We do not pay for the data consumed in Free Basics. Operators participate because the program has proven to bring more people online. Free Basics has brought new people onto mobile networks on average over 50% faster since launching the service.

SA: Facebook has been quoting statistics as evidence to influence the policy formulation process. But we need the absolute numbers and we also need them to be independently verifiable. At the very least we need the means to cross verify these numbers with numbers that telcos and ISPs routinely submit to TRAI.

Theoretical harms must be addressed through net neutrality regulation. For example, you don't have to build a single, centralised database of all Indian citizens to know that it can be compromised - from a security design perspective centralisation is always a bad idea. Gatekeeping powers given to any powerful entity will be compromised. While evidence is useful, regulation can already begin based on well established regulatory principles. After scientific evidence has been made available - the regulation can be tweaked.

04 Any developer or publisher can have their content on Free Basics. There are clear technical specs openly published here ... and we have never rejected an app or publisher who has me these tech specs.

SA: Again this was only done as a retrospective fix after network neutrality activists in India complained about exclusive arrangements. For example, the music streaming service Hungama is not a low-bandwidth destination but since it was included the technical specifications only mentions large images and video files. Many of the other sites are indistinguishable from their web equivalents clearly indicating that this was just an afterthought. At the moment Free Basics has become controversial so most developers and publishers are not approaching them so there is no way for us to verify Facebook's claim.

05 Nearly 800 developers in India have signed their support for Free Basics.

SA: I guess these are software developers working in the services industry who don't see themselves as potential competition to Facebook or any of the services within Free Basics. Also since Facebook as been completely disingenuous when it comes to soliciting support for their campaigns it is very hard to believe these claims. It has tried to change the meaning of the phrase "net neutrality" and has framed the debate in an inaccurate manner - therefore I could quite confidently say that these developers must have been fooled into supporting Free Basics.

06 It is not a walled garden: In India, 40% of people who come online through Free Basics are paying for data and accessing the full internet within the first 30 days. In the same time period, 8 times more people are paying versus staying on just

SA: Again, no absolute numbers and also no granularity in the data that makes it impossible for anyone to verify these numbers. Also there is no way to compare these numbers to access options that are respectful of network neutrality such as equal rating. If the numbers are roughly the same for equal rating and zero-rating then there is no strong case to be made for zero-rating.

07 Free Basics is growing and popular in 36 other countries, which have welcomed the program with open arms and seen the enormous benefits it has brought.

SA: Free Basics was one of the most controversial topics at the last Internet Governance Forum. A gratis service is definitely going to be popular but that does not mean forbearance is the only option for the regulator. In countries with strong civil society and/or a strong regulator, Free Basics has ran into trouble. Facebook has been able to launch Free Basics only in jurisdictions where regulators are still undecided about net neutrality. India and Brazil are the last battle grounds for net neutrality and that is why Facebook is spending advertising dollar and using it's infrastructure to win the global south.

08 In a recent representative poll, 86% of Indians supported Free Basics by Facebook, and the idea that everyone deserves access to free basic internet services.

SA: This is the poll which was framed in alarmist language where Indian were asked to choose between perpetuating or bridging the digital divide. This is a false choice that Facebook is perpetuating - with forward-looking positive Network Neutrality rules as advocated by Dr. Chris Marsden it should be possible to bridge digital divide without incurring any free speech, competition, innovation and diversity harms.

09 In the past several days, 3.2 million people have petitioned the TRAI in support of Free Basics.

SA: Obviously - since Free Basics is better than nothing. But the real choice should have been - are you a) against network neutrality ie. would you like to see Facebook play gatekeeper on the Internet OR b) for network neutrality ie. would you like to see Free Basics forced to comply with network neutrality rules and expand access without harms to consumers and innovators.

10 There are no ads in the version of Facebook on Free Basics. Facebook produces no revenue. We are doing this to connect India, and the benefits to do are clear.

SA: As someone who has watched the Internet economy since the first dot com boom - it is absolutely clear that consumer acquisition is as important as revenues. They are doing it to connect people to Facebook and as a result some people will also connect to the Internet. But India is the last market on the planet where the walled garden can be bigger than the Internet, and therefore Facebook is manipulating the discourse through it's dominance of the networked public sphere.

Bravo to TRAI and network neutrality activists for taking Facebook on.

Originally published by Catch News, on December 24, 2015.

For more details visit http://editors.cis-india.org/internet-governance/news/facebook-shares-10-key-facts-about-free-basics-heres-whats-wrong-with-all-10-of-them

CIS's Position on Net Neutrality

sunil — 2015-12-09T13:06:06Z

As researchers committed to the principle of pluralism we rarely produce institutional positions. This is also because we tend to update our positions based on research outputs. But the lack of clarity around our position on network neutrality has led some stakeholders to believe that we are advocating for forbearance. Nothing can be farther from the truth. Please see below for the current articulation of our common institutional position.

Net Neutrality violations can potentially have multiple categories of harms — competition harms, free speech harms, privacy harms, innovation and ‘generativity’ harms, harms to consumer choice and user freedoms, and diversity harms thanks to unjust discrimination and gatekeeping by Internet service providers.
Net Neutrality violations (including some those forms of zero-rating that violate net neutrality) can also have different kinds benefits — enabling the right to freedom of expression, and the freedom of association, especially when access to communication and publishing technologies is increased; increased competition [by enabling product differentiation, can potentially allow small ISPs compete against market incumbents]; increased access [usually to a subset of the Internet] by those without any access because they cannot afford it, increased access [usually to a subset of the Internet] by those who don't see any value in the Internet, reduced payments by those who already have access to the Internet especially if their usage is dominated by certain services and destinations.
Given the magnitude and variety of potential harms, complete forbearance from all regulation is not an option for regulators nor is self-regulation sufficient to address all the harms emerging from Net Neutrality violations, since incumbent telecom companies cannot be trusted to effectively self-regulate. Therefore, CIS calls for the immediate formulation of Net Neutrality regulation by the telecom regulator [TRAI] and the notification thereof by the government [Department of Telecom of the Ministry of Information and Communication Technology]. CIS also calls for the eventual enactment of statutory law on Net Neutrality. All such policy must be developed in a transparent fashion after proper consultation with all relevant stakeholders, and after giving citizens an opportunity to comment on draft regulations.
Even though some of these harms may be large, CIS believes that a government cannot apply the precautionary principle in the case of Net Neutrality violations. Banning technical innovations and business model innovations is not an appropriate policy option. The regulation must toe a careful line to solve the optimization problem: refraining from over-regulation of ISPs and harming innovation at the carrier level (and benefits of net neutrality violations mentioned above) while preventing ISPs from harming innovation and user choice. ISPs must be regulated to limit harms from unjust discrimination towards consumers as well as to limit harms from unjust discrimination towards the services they carry on their networks.
Based on regulatory theory, we believe that a regulatory framework that is technologically neutral, that factors in differences in technological context, as well as market realities and existing regulation, and which is able to respond to new evidence is what is ideal.

This means that we need a framework that has some bright-line rules based, but which allows for flexibility in determining the scope of exceptions and in the application of the rules. Candidate principles to be embodied in the regulation include: transparency, non-exclusivity, limiting unjust discrimination.
The harms emerging from walled gardens can be mitigated in a number of ways. On zero-rating the form of regulation must depend on the specific model and the potential harms that result from that model. Zero-rating can be: paid for by the end consumer or subsidized by ISPs or subsidized by content providers or subsidized by government or a combination of these; deal-based or criteria-based or government-imposed; ISP-imposed or offered by the ISP and chosen by consumers; Transparent and understood by consumers vs. non-transparent; based on content-type or agnostic to content-type; service-specific or service-class/protocol-specific or service-agnostic; available on one ISP or on all ISPs. Zero-rating by a small ISP with 2% penetration will not have the same harms as zero-rating by the largest incumbent ISP. For service-agnostic / content-type agnostic zero-rating, which Mozilla terms ‘equal rating’, CIS advocates for no regulation.
CIS believes that Net Neutrality regulation for mobile and fixed-line access must be different recognizing the fundamental differences in technologies.
On specialized services CIS believes that there should be logical separation and that all details of such specialized services and their impact on the Internet must be made transparent to consumers both individual and institutional, the general public and to the regulator. Further, such services should be available to the user only upon request, and not without their active choice, with the requirement that the service cannot be reasonably provided with ‘best efforts’ delivery guarantee that is available over the Internet, and hence requires discriminatory treatment, or that the discriminatory treatment does not unduly harm the provision of the rest of the Internet to other customers.
On incentives for telecom operators, CIS believes that the government should consider different models such as waiving contribution to the Universal Service Obligation Fund for prepaid consumers, and freeing up additional spectrum for telecom use without royalty using a shared spectrum paradigm, as well as freeing up more spectrum for use without a licence.
On reasonable network management CIS still does not have a common institutional position.

For more details visit http://editors.cis-india.org/internet-governance/blog/cis-position-on-net-neutrality