Centre for Internet and Society

Do we need the Aadhar scheme?

sunil — 2012-02-03T10:11:24Z

"Decentralisation and privacy are preconditions for security. Digital signatures don’t require centralised storage and are much more resilient in terms of security", Sunil Abraham in the Business Standard on 1 February 2012.

We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.

Biometrics are poor identification factors in a country where the registrars have commercial motivation to create ghost identities. For example, bank managers trying to achieve targets for deposits by opening benami accounts. Biometrics for these ghost identities can be imported from other countries or generated endlessly using image processing software. The de-duplication engine at the Unique Identification Authority of India (UIDAI) will be fooled into thinking that these are unique residents.

An authentication system does not require a centralised database of authentication factors and transaction details. This is like arguing that the global system of e-commerce needs a centralised database of passwords and logs or, to use an example from the real world, to secure New Delhi, all citizens must deposit duplicate keys to their private property with the police.

Decentralisation and privacy are preconditions for security. The “end-to-end principle” used to design internet security is also in compliance with Gandhian principles of Panchayat Raj. Digital signatures don’t require centralised storage of private keys and are, therefore, much more resilient in terms of security.

Biometrics as authentication factors require the government to store biometrics of all citizens but citizens are not allowed to store biometrics of politicians and bureaucrats. The state authenticates the citizen but the citizen cannot conversely authenticate the state. Digital signatures as an authentication factor, on the other hand, does not require this asymmetry since citizens can store public keys of state actors and authenticate them. The equitable power relationship thus established allows both parties to store a legally non-repudiable audit trail for critical transactions like delivery of welfare services. Biometrics exacerbates the exiting power asymmetry between citizens and state unlike digital signatures, which is peer authentication technology.

Privacy protections should be inversely proportional to power. The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa.

UIDAI’s latest 23-page biometrics report is supposed to dispel the home ministry’s security anxieties. It says “biometric data is collected by software provided by the UIDAI, which immediately encrypts and applies a digital signature.” Surely, what works for UIDAI, that is digital signatures, should work for citizens too. The report does not cover even the most basic attack — for example, the registrar could pretend that UIDAI software is faulty and harvest biometrics again using a parallel set-up. If biometrics are infallible, as the report proclaims, then sections in the draft UID Bill that criminalise attempts to defraud the system should be deleted.

The compromise between UIDAI and the home ministry appears to be a turf battle for states where security concerns trump developmental aspirations. This compromise does nothing to address the issues raised by the Parliamentary Standing Committee on Finance, headed by the Bharatiya Janata Party’s Yashwant Sinha.

Read the original published in the Business Standard on 1 February 2012

For more details visit http://editors.cis-india.org/internet-governance/do-we-need-the-aadhar-scheme

Sense and Censorship

sunil — 2012-01-31T06:15:38Z

The Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) bills, at the US House of Representatives and Senate, respectively, appear to enforce property rights, but are, in fact, trade bills. This article by Sunil Abraham was published in the Indian Express on 20 January 2012.

In developed countries like the US, intellectual property (IP) plays a dominant role in the economy, unlike in economies like India. Countries that have significant IP are keen to increase global and national enforcement activities, while countries with little domestic IP are keen to reduce outgoing royalties in the balance of payments and therefore, keen to expand alternatives, limitations and exceptions like copyleft licensing, compulsory/statutory licensing and fair dealing.

The loss of generic medicines, hardware based on open standards, public domain content, free and open source software, open access journal articles, etc will equally impoverish consumers in the US and in India. SOPA and PIPA, therefore, do not represent the will of the average American but rather the interests of the IP sector, which has tremendous influence in the Hill. There is one more layer of complication for policy-makers to consider as they work towards a compromise of interests in Internet governance — the tension between the old and the new. The incumbents — corporations with business models that have been rendered obsolete by technological developments — versus emerging actors who provide competing products and services, often with greater technological sophistication, higher quality, at a lower cost.

The US, in terms of policy and infrastructure, still controls the global Domain Name System (DNS) and consequently, post-SOPA/PIPA, can take unilateral trade action without worrying about national variations enabled by international law. These bills directly undermine the business models of many Indian companies — generic drug manufacturers like Ranbaxy, software service providers like Infosys, electronics manufacturers like Spice and players in many other sectors dominated by IP rights. So it is baffling that they have not added their voices to the global outcry.

SOPA and PIPA, if passed, will enable the US administration to take three-pronged action against IP infringers — seizure of domain names and DNS filtering, blocking of transactions by financial intermediaries and revocation of hosting by ISPs. While circumvention may still be possible, it will get increasingly laborious — something like the Great Firewall of China, but worse. Unfortunately, the implementation of these blunt policy instruments will require more and more public-funded surveillance and censorship.

The censorship potential of efforts like SOPA and PIPA may appeal to others, as autocratic and democratic regimes across the world have been keen to try technology-mediated social engineering — these efforts have been multiplied in the post-Arab Spring and Occupy Wall Street world. Organised religion, social conservatives and those who have been at the receiving end of free speech would all want to shut down platforms like WikiLeaks and political movements like Anonymous and the Pirate Party.

These are equally dismal times for Internet governance in India. Google, Facebook and 20-odd other intermediaries are trying to avoid jail time at the hands of a Delhi court. However, ever since the IT Act amendments were put in place three years back, digital activists have been requesting intermediaries to register their protests early and often, regarding draconian provisions in the statute and in the associated rules. Their silence is going to be very expensive for all of us. We cannot depend on the private sector alone to defend our constitutional rights. As yet unpublished research from CIS demonstrates that private intermediaries only bother with defending freedom of expression when it undermines their business interests. Working with an independent researcher, we conducted a policy sting operation — faulty take-down notices were served to seven intermediaries asking for legitimate content to be taken down. In six of those cases, the intermediaries over-complied, in one case deleting all comments on a news article instead of just those comments identified in the notice. The only take-down that was resisted was one claiming that sale of diapers was “harmful to minors” under the Indian IT Act (because they caused nappy rash). It is clear that the IT Act and its associated rules have already had a chilling effect on online participation by Indians.

Fortunately for us, during the previous parliamentary session — Jayant Chaudhary, Lok Sabha MP from the Rashtriya Lok Dal, asked for the revision of rules concerning intermediaries, cyber-cafes and reasonable security practices. The next Parliament session is the last opportunity for the House to reject these rules and intervene for a free Internet.

The writer is executive director of the Bangalore-based Centre for Internet and Society

Read the original published in the Indian Express

For more details visit http://editors.cis-india.org/internet-governance/sense-and-censorship

The Quixotic Fight to Clean up the Web

sunil — 2012-01-26T20:53:02Z

The ongoing attempt to pre-screen online content won’t change anything. It will only drive netizens into the arms of criminals, writes Sunil Abraham in this article published in Tehelka Magazine, Vol 9, Issue 04, Dated 28 Jan 2012.

GOOGLE AND Facebook’s ongoing case in the Delhi High Court over offensive online content is curious in three ways. First, the complaint does not mention the IT Act, 2000. Prior to the 2008 amendment, intermediaries (in this case, Google, Facebook, etc) had no immunity. But after the amendment, intermediaries have significant immunity and are not considered liable unless takedown notices are ignored.

Second, it is curious that the complaint does not mention specific individuals or groups directly responsible for authoring the allegedly offensive material. Only intermediaries have been explicitly named. If specific content items have been submitted in court then it is curious that specific accounts and users have not been charged with the same offences.

Three, Delhi-based journalist Vinay Rai claims that takedown notices and requests for user information were ignored by the intermediaries. As yet, unpublished research at the Centre for Internet and Society has reached the exact opposite conclusion. We sent fraudulent takedown notices to seven of the largest intermediaries in India as part of a policy sting operation. Six of them over-complied and demonstrated no interest in protecting freedom of expression. Our takedown notices were complied with even though they were largely nonsensical. It is therefore curious that Rai’s takedown notices were ignored.

Under Section 79 of the IT Act, the intermediary must not “initiate the transmission”, “select the receiver of the transmission” and “select or modify the information contained in the transmission”. In other words, they must not possess “actual knowledge” of the content. This would be absolutely true if intermediaries acted as “dumb pipes” or “mere conduits”. But today, they have reactive “human filters” ensuring conformance to community guidelines that often go beyond constitutional limits on freedom of expression.

For example, Facebook deletes breastfeeding photographs if a certain proportion of the breast is visible, despite numerous protests. Intermediaries also use proactive “machine filters” to purge their networks of pornography and copyright infringing content. In order to retain immunity under the IT Act, intermediaries would have to demonstrate that they have no “actual knowledge”. This would also imply that they cannot proactively filter or pre-screen content without becoming liable for illegal content.

More sophisticated “machine filters” will continue to be built for social media platforms as computing speeds increase and costs decrease dramatically. But there will be significant collateral damage — the vibrancy of online Indian communities will be diminished as legitimate content will be removed and this in turn will retard Internet adoption rates. Free media, democratic governance, research and development, culture and the arts will all be fundamentally undermined. So whether pre-censorship is technically feasible is an irrelevant question. The real question is what limits on freedom of expression are reasonable in the Internet age.

The legal tussle is yet another chance for reflecting on the shortcomings of the IT Act

Censorship is like prohibition, illegal content will persist, the mafia will profit and ordinary citizens will be implicated in criminal networks. Use of anonymising proxies, circumvention tools and encryption technologies will proliferate, frustrating network optimisation efforts and law enforcement activities.

This is yet another opportunity for reflecting on the shortcomings of the ITAct. A lot of the confusion and anxiety today emerges from vague language, unconstitutional limits on freedom of expression, multi-tiered blanket surveillance provisions, blunt security policy measures contained in the statute and its associated rules. The next Parliament session is the last opportunity for MPs to ask for the rules for intermediaries, cyber cafes and reasonable security practices to be revisited. The MP who musters the courage to speak will be dubbed a superhero.

As told to Shonali Ghosal. Sunil Abraham is Executive director, centre for internet and society and can be contacted at sunil@cis-india.org. The original article was published in Tehelka.

Illustration by Sudeep Chaudhuri

For more details visit http://editors.cis-india.org/internet-governance/quixotic-fight-to-clean-the-web

US Clampdown Worse than the Great Firewall

sunil — 2012-01-26T20:42:14Z

If you thought China’s Internet censorship was evil, think again. American moves to clean up the Web could hurt global surfers, writes Sunil Abraham in this article published in Tehelka, Volume 8, Issue 50, 17 December 2011.

TWO PARTICULARLY terrible pieces of legislation — the PROTECT-IP Act and the Stop Online Piracy Act (SOPA) — have been introduced in the US Senate and House of Representatives. If passed, the US administration will be empowered to shut down specific websites using the same four measures it employed in its failed attempt to shut down WikiLeaks — domain name system (DNS) filtering, blocking financial transfers via financial intermediaries, revoking hosting and sanitising search engine results. SOPA represents the perfect policy interest overlap between a State clamping down on freedom of expression and IPR-holders protecting their obsolete business models. After all it was Bono who publicly articulated the unspoken desire of many right-holders: “We know from China’s ignoble effort to suppress online dissent that it’s perfectly possible to track content.”

China fortunately only censors the Internet for its own citizens, the Great Firewall does not, for example, prevent access to knowledge by Indian netizens. SOPA will enable the US to censor the global Internet unilaterally. The Great Firewall can be circumvented using tools like Tor, but SOPA will in many ways make its targets disappear for the average user. DNS filtering, even when implemented in a single country, has global consequences. DNS, one of the foundational mechanisms of the Internet, is an address look-up service that allows users to translate domain names (e.g. cisindia.org — easier for humans to remember) into IP addresses (e.g. 202.190.125.69 — easier for machines). The most critical servers in the global DNS hierarchy are the root servers, or today’s server clusters. Mandated DNS filtering would result in some DNS servers returning different IP addresses than other DNS servers for certain domain names. With PROTECT-IP and SOPA, these global consequences would be at unprecedented levels given that seven of the 13 server clusters that constitute the DNS root fall within US jurisdiction. We already have some indication where this is headed. The US Immigration and Customs Enforcement Agency announced recently that it has seized 150 domain names for alleged IPR infringement.

We must remember that IPR policy in some countries has been configured in public interest to take advantage of the exceptions and limitations afforded by the TRIPS (trade-related aspects of IPR) agreement. In others, even though the letter of the law goes beyond TRIPS requirements, access by ordinary citizens is protected because of poor enforcement of these maximalist policies. E-commerce platforms that sell Micromax, Karbonn, Spice and Lava mobile phones that are manufactured in China may be taken offline because an American court is convinced of patent infringement. An online publisher of George Orwell’s books, which are public domain in Russia, India and South Africa but still under copyright in the US and Europe, may have its Paypal account blocked.

After the witch-hunt against WikiLeaks, policymakers have realised the extent of American hypocrisy

In the recent past, activists in authoritarian regimes and democracies with draconian Internet laws have leveraged US Internet freedom rhetoric. This was first deployed by Hillary Clinton in early 2010 after Google’s melodramatic withdrawal from China. Even then, many observers were convinced that this was just selective tokenism and the real agenda was domination of global markets by US-based MNCs. Today, after the witch-hunts against WikiLeaks and Anonymous, global policymakers have realised the extent of American hypocrisy.

Fortunately, opposition for SOPA has cut across traditional political and ideological divides — libertarians, liberal human rights organisations and political conservatives who believe in small government and also modern- day capitalists like Google, Facebook and Twitter. Let us pray that Kapil Sibal registers his protest with the Obama administration to protect the online aspirations of millions of Indian citizens and entrepreneurs.

Read the original published in Tehelka here

For more details visit http://editors.cis-india.org/internet-governance/us-clampdown

That’s the unkindest cut, Mr Sibal

sunil — 2011-12-12T04:59:00Z

There’s Kolaveri-di on the Internet over Kapil Sibal’s diktat to social media sites to prescreen users’ posts. That diktat goes far beyond the restrictions placed on our freedom of expression by the IT Act. But, says Sunil Abraham of the Centre for Internet and Society, India is not going to be silenced online.

Thanks to leaked reports about unpublicised meetings that communications minister Kapil Sibal had with social media operators – or Internet intermediaries, to use legalese — such as Facebook, Google and Indiatimes.com, censorship policy in India has gained public attention, and caused massive outrage.

According to The New York Times India Ink reportage, quoting unnamed sources from the Internet intermediaries, Mr Sibal demanded proactive and pre-emptive screening of posts that people make on social media sites, ostensibly to filter out or remove “offensive” content and hate speech. In a television interview, however, the minister denied he wanted to censor what Indians thought and shared with others online.

One is tempted to believe him. He was, after all, the amicus for the landmark People’s Union of Civil Liberties (PUCL) wiretapping judgment of 1996, which is pivotal to protecting our civil liberties when using communication technology in India.

Last week, though, Mr Sibal came out in public with his demands, saying that there was a lot of content that risked hurting the sensibilities of people and could lead to violence. “It was brought to my notice some of the images and content on platforms like Facebook, Twitter and Google are extremely offensive to the religious sentiments of people ...”We will not allow Indian sentiments and religious sentiments of large sections of the community to be hurt,” he said.

There was even a threat of state action if Internet companies did not comply with demands to screen content before it was posted online.

The NYT blogpost said, however, quoting executives from the Internet companies Mr Sibal had reportedly met, that the minister showed them a Facebook page that maligned Congress president Sonia Gandhi and told them, “This is unacceptable.”

Google responded to Mr Sibal by releasing its Transparency Report, saying that out of 358 items that it had been requested to remove between January and June 2011, only eight requests pertained to hate speech, while as many as 255 complaints were against “government criticism”.

Indian netizens raged against Mr Sibal, and very quickly #IdiotKapil Sibal was ‘trending’ on Twitter, with thousands posting comments against attempts to ‘censor’ Internet content. Much has changed, in Mr Sibal’s reckoning, between 1996 and 2011.

So, what’s all the fuss over ‘pre-screening’ and what’s at stake here? Critics of Mr Sibal say, our freedom of speech and expression is under threat. They see a pattern in the way the government has sought to impose rules and restrictions on Internet and telecommunications players, with demands on BlackBerry-maker RIM to give it access to its users’ email and messenger content, on telecom players to install electronic surveillance equipment and let the government eavesdrop as it sees fit, and on the likes of Google and Yahoo to part with email content and users’ details.

It all started with the amendments to the Information Tech-nology Act 2000 in 2008. Together, they constitute damaging consequences for citizens, including the creation of a multi-tier blanket surveillance regime, inappropriate security recommendations, and undermining freedom of speech and expression.

The amendments passed in 2008 — without any discussion in Parliament – did solve some existing policy concerns, but simultaneously introduced new ones. For instance, Section 66, introduced during this amendment, criminalises sending offensive messages through any ICT-based communication service.

Offensive messages are described as “grossly offensive, menacing character..... or causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.” These terms are not defined in the IT Act or in any other existing law, rules or case-law, except for a couple of exceptions such as what constitutes “criminal intimidation”. These limits on the freedom of expression go well beyond Article 19(2) of the Constitution, which only permits “reasonable restrictions...in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”

If Mr Sibal himself were to don his lawyer’s coat again and launch a legal challenge to Section 66, in all likelihood, courts in India would strike it down as unconstitutional.

Section 79, which was amended, brought into being an intermediary liability regime. This was in part precipitated by the arrest of Avnish Bajaj, the former CEO of bazee.com in December 2004 for the infamous Delhi Public School MMS clip which was being sold on his e-commerce platform. Policy-makers were, however, convinced to follow international best practices and grant intermediaries immunity under certain conditions.

Just as the postal department is not considered liable for the content of letters or telecom operators liable for the content of phone conversations, Internet intermediaries, too, were to be considered “dumb pipes” or “common carriers” of content produced and distributed by users. Intermediaries therefore earned immunity from legal action so long as they acted upon take-down notices, or written requests for deletion of illegal content.

Section 79 was further clarified in April this year when the Intermediaries Guidelines Rules were notified. Stakeholders from the technology industry, media and civil society had sent feedback to the Department of Information Technology under the Ministry of Communication and Information Technology in February, but DIT choose to ignore the feedback and finalised rules with serious flaws in them. For one, a standardised “Terms of Service” that focused on limits on free expression had to be implemented by all intermediaries – forcing a one-size-fits-all approach.

Content that was 'harmful to minors' was not permissible regardless of the target market of the website. All intermediaries were supposed to act upon take-down notices within 36 hours, something that a Google may be able to do, but an average blogger could not.

Two, the vague terms introduced in Section 66A were left undefined. Intermediaries were asked to sit on judgment on the question of whether an article, image or video was causing 'inconvenience'.

Three, all principles of natural justice were ignored – the person responsible for posting the content would not be informed, s/he would not be given an opportunity to file a counter-notice to challenge the intermediary’s decision in court.

Four, the rules left it open for economically or politically motivated actors to seriously damage opponents online using fraudulent take-down notices, instead of treating abuse of the take-down notice system as an offence.

How the take-down system terrorises free expression on the Internet was illustrated when the Centre for Internet and Society, where this author works, undertook a research project. A pro-bono independent researcher who led the exercise sent fraudulent take-down notices to seven Internet companies in India. These included some of the largest and most popular Indian and foreign search engines, news portals and social media platforms.

Although they all employ the most competent lawyers in the country, six of the seven intermediaries over-complied, confirming our worst fears. In one case, a news portal deleted not just the specific comment that was mentioned in the take-down notice but 14 other comments as well. Most importantly, it must be pointed out, the comment identified in the take-down notice was itself an excellent piece of writing that could not be construed as “offensive” by any stretch!

In the single exception to the rule, one e-commerce portal refused to act upon a take-down notice trying to prevent the sale of diapers on the grounds that it was “harmful to minors”, rightly dismissing the notice as frivolous. But that exception simply proved a rule: Private intermediaries use their best lawyers to protect their commercial interests, but are highly risk-averse and do not value freedom of expression, unless it affects their bottomline.

Proactive and pre-emptive screening of social media content, as Mr Sibal has demanded, will only further compromise online civil liberties in what’s already a dismal situation. In short, we move from a post-facto to a pre-emptive censorship regime.

In fact, given the magnitude of the task of pre-screening in a nation with a 100 million Internet users and growing, such an intense censorship regime will mean not only that what Indian citizens say or post will be censored by private companies, but those private companies will, in turn, use machines to screen what humans are saying and doing! After all, otherwise, companies would require armies of human censors to screen the millions of posts that are made on Twitter and Facebook every minute.

But the Supreme Court has held that even the executive arm of government cannot engage in censorship prior to publication, let alone ordering private companies to do so. In any case, it’s a policy that’s bound to fail, for both technical reasons and for its failure to take into account human motivations.

Machines, as we know, continue to be poor judges of the nuances of human expression and will likely cause massive damage to the idea of public debate. Humans, on the other hand, will begin to circumvent machine filters – for example, content labelled as PRON instead of PORN will go through.

Draconian crackdown on certain types of fringe content is likely to have the counterproductive result of the general society developing an unhealthy obsession for exactly such content. Despite the comprehensive censorship controls in Saudi Arabia, for instance, pornography consumption is rampant, usually accessed via pirated satellite TV and circulated using personal computing devices and mobile phones.

But all is not lost yet, perhaps. Faced with the barrage of criticism, Mr Sibal has now called for public consultations on the issue of pre-screening content. There’s hope yet for freedom of speech and expression in India. Thanks to the Internet, a throwback to 1975 simply does not look possible.

Sunil Abraham is executive director of the Centre for Internet and Society, Bengaluru. He wrote this article in the Deccan Chronicle on December 11, 2011. Read the original here

For more details visit http://editors.cis-india.org/internet-governance/unkindest-cut-mr-sibal

India’s dreams of web censorship

sunil — 2012-03-26T06:59:36Z

If you are offended by this post, please contact Kapil Sibal, India’s telecoms and IT minister, and he will make sure it is promptly taken down.

Actually, if Sibal has his way and you are offended by this post, the armies of people to be employed by internet companies operating in India to monitor their sites for potentially offensive material – whether it originates in India or abroad – will ensure that it is removed before it can even be published. And good luck to all of them with that.

That, anyway, was the gist of Sibal’s combative press conference in the courtyard of his Delhi home on Tuesday, the day after the New York Times reported he had met executives from Google, Facebook, Yahoo and Microsoft to discuss the preemptive removal of “offensive material”.

The press conference was prompted by uproar that swept Twitter on Monday night – one of the sites, incidentally, that Sibal would like to monitor – and was carried live on all major news channels.

Social networking sites have gained a lot of traction in India and are much used by politicians, celebrities and the burgeoning, young middle class.

"I believe that no reasonable person aware of the sensibilities of large sections of communities in this country and aware of community standards as they are applicable in India would wish to see this content in the public domain," Sibal said, referring to "offensive material" he had shown some reporters prior to the conference. He added that the government did not believe in censorship.

According to the NYT, Sibal showed a group of IT execs a Facebook page that criticized Sonia Gandhi, president of the Congress Party, calling it "unacceptable".

"We will remove any content that violates our terms, which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service," Facebook said in a statement.

Microsoft did not respond to requests for comment. Google said it would issue a statement later in the day.

Sibal first approached the companies on September 5, giving them four weeks to present proposals for how they might comply with his request, he said. With no response by October 19, the ministry sent a reminder. On November 29, Sibal again met with the IT execs. They responded on Monday, saying they could not comply.

An Indian employee of one of foreign tech company, when asked about Sibal’s demand that each outfit set up dedicated teams to monitor content in real time, let out an extended, almost hysterical laugh, before regaining composure and asking: "Do you know how many users we have?"

Indeed, even in a country with low internet penetration like India – 100m people regularly use the internet, less than 10 per cent of India’s 1.2bn population – the task of monitoring real-time content generated on millions of sites opens up legal wormholes and is technically impossible, Sunil Abraham, executive director of the Bangalore-based Centre for Internet & Society, told beyondbrics.

"Technically what he’s asking for is an impossibility: it’s not possible in the age of web 2.0 to manually curate or censor social media content," he said. “This is obvious to all of us. Isn’t it strange that the minister of IT, who seems to understand a lot of complex issues, is actually in favour of something like this?"

Abraham warned that the focus on blasphemous and vaguely defined "offensive" speech was dangerous, noting that the Hindu profession of belief in multiple gods is blasphemous to Muslims, Christians and Jews.

But Sibal was defiant.

Asked what would be deemed "offensive", he said: “We will define it, don’t worry, certainly, we will evolve guidelines…to ensure that such blasphemous content” is not publicly available in India.

Asked whether his idea was technically feasible, he responded: "It is a feasible proposition, and we will inform you how as and when, we will inform you as and when."

When it was pointed out that the internet was a global phenomenon and that content originating outside of India might be hard to control, Sibal said: "We will certainly ask [companies] to give us information even on content posted outside of India – we will ask them for information, we will evolve guidelines and mechanisms to deal with the issue."

So, again, if you are offended by this post, feel free to drop him a line. And good luck.

The original blog post was published by the Financial Time's beyondbrics on December 6, 2011. Sunil Abraham was quoted in this blog post. Read it here

For more details visit http://editors.cis-india.org/web-censorship

Photocopying the past

sunil — 2011-09-25T20:06:50Z

There is no single correct position when it comes to intellectual property or IP. In fact, there are at least five correct positions that you could possibly adopt based on who you are — a pro-creator position, a pro-entrepreneur position, a pro-government position, a pro-consumer position and a public interest position.

Therefore, before you progress any further, dear reader, you have to first decide which of the above you are. If you are an average Indian, then you are almost certainly a consumer or a member of the general public. Next, it would only be fair for me to tell you when I am coming from: I work for a policy research organisation that focuses on protecting consumer and public interest in the digital era. Before I proceed any further, also note that not all creators prefer profits to public adulation and therefore creators’ interests are not necessarily always opposed to consumer and public interest.

At this point, popular imagination is captivated by meta-regulation, issues of corruption and transparency. Few seem interested in the configuration details of property regimes that we are all implicated in: tangible property, capital and, in our increasingly dematerialised world, intangible property such as IP or spectrum. Unfortunately the complications of spectrum, banking and IP make our eyes glaze over and there is almost zero attention being paid to the copyright act amendment to be discussed in Parliament this week.

For the government, achieving a compromise is the primary objective, and then, perhaps a distant second, raising taxes. This is not a static compromise, since each generation of new technologies precipitates a new round of negotiations between the stakeholders. So while it is easy to be Anna Hazare, it is difficult to be Kapil Sibal. An optimal compromise position as in the world of capital and tangible property protects the production, circulation and consumption of IP. A sub-optimal position results in practices that are in conflict with policy — anti-competitive behaviour or infringement.

Unfortunately when it comes to evidence-based policy-making, there is little funding for public interest IP research in India and the pockets of the lobbyists of rights-holders are deep. The funded research that they tout claims that government loses significant taxes because of piracy or non-maximalist IP policies. Yet rights-holders, especially multinationals in the software business, are experts at tax avoidance through techniques with names like the “Double Irish” and the “Dutch Sandwich”.

Like any compromise, the latest amendment is a mixed bag for consumers and the general public. With regard to “digital rights management,” — or what consumers’ advocates refer to as “digital restrictions management” — the government has yielded to the TRIPS-plus agenda even though it is not a signatory to the WIPO Internet treaties. And with regard to the exception for the disabled, the Indian exception is both disability- and works-neutral making it much more robust when compared to the treaty for the visually impaired currently being discussed at the WIPO.

However, one particular compromise — the volte-face on Section 2 (m) on parallel imports of books — is particularly distressing for book-lovers and students. As part of the latest amendment, this new section was introduced in 2009. The standing committee report gave the section a thumbs-up, but strangely it has gone missing in the latest version of the bill circulated to the MPs in preparation for the Rajya Sabha debate this Friday.

Section 2 (m) is a provision that would have saved us from the uncertainty created by what some consider flawed jurisprudence around parallel importation of copyrighted works. As the standing committee report on the copyright amendment puts it, “nobody can deny the fact that the interests of students will be best protected if they have access to the latest editions of the books.” To date, I have never met an IIT or IIM graduate untainted by photocopied books. I would claim that the lack of quality education in our country is still at the level of an epidemic. The indigenous publication industry has benefited from our progressive copyright regime.

Wouldn’t it be appropriate to afford them maximum flexibility in a future rife with technological shifts? Are all the books that you wish to read available in the libraries and book shops you have access to? Have you ever been forced to photocopy a book because of time constraints? Would you like to see greater choice via increased free-market competition, and reduced state-sanctioned monopolies and enforcement? Does your definition of human rights include the “right to education” and the the “right to entertainment”? Shouldn’t the disabled in India benefit from the $500 million spent each year making books accessible in the US? And finally, shouldn’t a nation providing leadership to the development agenda at WIPO, walk the talk at home? If your answer to any of these questions is yes, you should demand that people are placed before the profits of foreign publishers.

This article by Sunil Abraham, Executive Director, Centre for Internet and Society was published in the Indian Express on 2 September 2011 in the Indian Express. Please read the original article here.

For more details visit http://editors.cis-india.org/a2k/blogs/photocopying-the-past

Privacy and Security Can Co-exist

sunil — 2012-03-21T09:05:57Z

The blanket surveillance the Centre seeks is not going to make India more secure, writes Sunil Abraham in this article published in Mail Today on June 21, 2011.

TODAY, the national discourse around the “ right to privacy” posits privacy as antithetical to security.

Nothing can be farther from the truth. Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 amendment of the IT Act and their associated rules notified April 2011 propose to eliminate whatever little privacy Indian netizens have had so far. Already as per the Internet Service Provider ( ISP) licence, citizens using encryption above 40- bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station.

Surveillance

Surveillance in any society is like salt in cooking — essential in small quantities but completely counter- productive even slightly in excess. Blanket surveillance makes privacy extinct, it compromises anonymity, essential ingredients for democratic governance, free media, arts and culture, and, most importantly, commerce and enterprise. The Telegraph Act only allowed for blanket surveillance as the rarest of the rare exception. The IT Act, on the other hand, mandates multitiered blanket surveillance of all lawabiding citizens and enterprises.

When your mother visits the local cybercafe to conduct an e- commerce transaction, at the very minimum there are two levels of blanket surveillance. According to the cyber- cafe rules, all her transaction logs will be captured and stored by the operator for a period of one year. This gentleman would also have access to her ID document and photograph. The ISPs would also store her logs for two years to be in compliance with the ISP licence ( even though none of them publish a data- retention policy). Some e- commerce website, to avoid liability, will under the Intermediary Due Diligence rules also retain logs.

Data retention at the cyber- cafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of sensitive personal information only opens up multiple points of failure and leaks — in the age of Nira Radia and Amar Singh no sensible bank would accept such intrusion into their core business processes.

Surveillance capabilities are not a necessary feature of information systems.

They have to be engineered into these systems. Once these features exist they could potentially serve both the legally authorised official and undesirable elements.

Terrorists, cyber- warriors and criminals will all find systems with surveillance capabilities easier to compromise.

In other words, surveillance compromises security at the level of system design. There were no Internet or phone lines in the Bin Laden compound — he was depending on a store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via a master key would have led the investigators to him earlier?

Myth

Increase in security levels is not directly proportional to an increase in levels of surveillance gear. This is only a myth perpetuated by vendors of surveillance software and hardware via the business press. You wouldn't ask the vendors of Xray machines how many you should purchase for an airport, would you? An airport airport with 2,000 X- ray machines is not more secure than one with 20. But in the age of UID and NATGRID, this myth has been the best route for reaching salestargets using tax- payers’ money.

Surveillance must be intelligent, informed by evidence and guided by a scientific method. Has the ban on public WiFi and the current ID requirements at cyber- cafes led to the arrest of terrorists or criminals in India? Where is the evidence that more resource hungry blanket surveillance is going to provide a return on the investment? Unnecessary surveillance is counter- productive and distracts the security agenda with irrelevance.

Finally, there is the question of perception management. Perceptions of security do not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems — one, where the fundamental organising principle is trust and second, where the principle is suspicion.

Systems based on suspicion usually give rise to criminal and corrupt behaviour.

Perception

If the state were to repeatedly accuse its law- abiding citizens of being terrorists and criminals it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies, they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the Internet just to download encryption tools and other privacy enabling software. Like prohibition this will only result in further insecurity and break- down of the rule of law.

The writer is executive director of the Bangalore- based Centre for Internet and Society.

Read the original published in Mail Today here

For more details visit http://editors.cis-india.org/internet-governance/blog/privacy-and-security

Snooping Can Lead to Data Abuse

sunil — 2012-03-21T10:39:22Z

THE NATGRID, aiming to link databases of 21 departments and ministries for better counter- terror measures, adopts blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important.

All you manage to do with the current approach help software, hardware and biometric equipment vendors achieve their sales targets. It is quite unlikely that security agencies will learn anything insightful by putting everybody under the same degree of surveillance. There is no scientific evidence to show that we will be a safer nation if the government eavesdropped into all aspects of a citizen’s life. Targeted surveillance, on the other hand, is like good old- fashioned detective work. Put a particular section — of potential troublemakers — under surveillance and leave the others alone.

With round- the- clock, 100- per cent, 360- degree surveillance, all the data is scrutinised all the time. The more effective approach is to sample and collect data while maintaining data trails. If anything suspicious is noticed, the rest of the trail can be dug up. Blanket surveillance only leads to leaks and abuse and tremendous distraction. The surveillance infrastructure will be overburdened as 99 per cent of the records and files scanned will be of no interest terms of fighting terrorism, etc.

The 21 databases need to be opened only when there is anything suspicious in any of the extracted and scrutinised samples or subsets. If there is a suspicious pattern, it should lead to opening of subsets in all the databases. Obviously, there should be ways in which the databases can talk to each other — demand for a particular subset, and not for all the records to be available to agencies all the time.

The NATGRID has to be able to let investigators selectively go in and out of the necessary subsets data. No one should be able to have a 360 degree view of all activities of all Indians. AS OF now, the NATGRID design does not appear to have a safeguard for data abuse. And no matter what you see Hollywood movies, this configuration does not exist in Europe or the US. Two important forms of protections that should be available in democracies with robust privacy laws are missing in India. The first is breach notification.

If intelligence agencies and the police have looked up your files, you have a right to be informed. Secondly, you can request for a copy of the information that is maintained on you and request modifications if the data is inaccurate, so as to prevent harassment. Such checks and balances are necessary an intelligent and appropriate surveillance regime.

Merging all 21 databases for 1.2 billion people into a single system only provides a juicy target for any internal or external enemy. From the perspective national security, it is a foolish thing to do. Terrorist groups will be able to target a single failure point destroy over a billion lives. Since the current configuration of the NATGRID only undermines national security, one is forced conclude that national security is a false pretext.

This explains the deep scepticism among many the intelligence agencies involved. The real purpose of the project is to scare citizens in the age of Arab springs. The NATGRID is a disciplinary measure aimed at social engineering of citizens’ behaviour. Unfortunately, our media has been misled by the corporate cheerleaders of this humongous waste of money.

The writer is executive director at the Centre for Internet and Society in Bangalore.
( As told to Max Martin)

Follow on Mail Today

Download the original here

For more details visit http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse

Do You Want to be Watched?

sunil — 2012-03-21T09:11:45Z

The new rules under the IT Act are an assault on our freedom, says Sunil Abraham in this article published in Pragati on June 8, 2011.

Privacy is a necessary but not sufficient condition for security. A bank safe is safe only because the keys are held by a trusted few. No one else can access these keys or has the ability to duplicate them. The 2008 Amendment of the Information Technology (IT) Act and their associated rules notified April 2011 proposes to eliminate whatever little privacy Indian netizens have had so far. Already as per the internet service provider (ISP) license, citizens using encryption above 40-bit were expected to deposit the complete decryption key with the Ministry of Communications and Information Technology. This is as intelligent as citizens of a neighbourhood making duplicates of the keys to their homes and handing them over at the local police station. With the IT Act’s latest rules things get from bad to worse. (For an analysis of the new rules under the IT Act, see the In Parliament section of this issue).

Now imagine my daughter visits the neighborhood cybercafe, the manager would now be entitled to scan her ID document and take a photograph of her using his own camera. He would also be authorised to capture her browser history including unencrypted credentials and authentication factors. He would then store this information for a period of one year and provide them to any government entity that sends him a letter. He could continue to hold on to the files as there would be no clear guidelines or penalties around deletion. The ISP that provides connectivity to the cybercafe would store a copy of my daughter’s Internet activities for two years. None of our ISPs publish or provide on request a copy of their data retention policies.

Now suppose my daughter used an online peer-production like Wikipedia or social-media platform like MySpace to commit an act of blasphemy by drawing fan-art for her favorite Swedish symphonic black metal band. A neo-Pentecostal Church sends a takedown notice to the website hosting the artwork. Unfortunately, this is a fringe Web 2.0 platform run by Indian entrepreneur who happens to be a friend of yours. When the notice arrived, our entrepreneur was in the middle of a three-week trek in the Himalayas. Even though he had disabled anonymous contributions and started comprehensive data retention of user activity on the site, unfortunately he was not able to delete the offending piece of content within 36 hours. If the honourable judge is convinced, both your friend and my daughter would be sitting in jail for a maximum of three years for the newly christened offence of blasphemous online speech.

You might dismiss my misgivings by saying “after all we are not China, Saudi Arabia or Myanmar”, and that no matter what the law says we are always weak on implementation. But that is completely missing the point. The IT Act appears to be based on the idea that the the Indian public can be bullied into self-censorship via systemic surveillance. Employ tough language in the law and occasionally make public examples of certain minor infringers. There have been news reports of young men being jailed for using expletives against Indian politicians or referring to a head of state as a “rubber stamp.” The message is clear—you are being watched so watch your tongue.

Surveillance capabilities are not a necessary feature of information systems. They have to be engineered into these systems. Once these features exists, they could potentially serve both the legally authorised official and other undesirable elements. Terrorists, cyber-warriors and criminals will all find systems with surveillance capabilities easier to compromise. In other words, surveillance compromises security at the level of system design. There were no internet connections or phone lines in the bin Laden compound—he was depending on store and forward arrangement based on USB drives. Do we really think that registration of all USB drives, monitoring of their usage and the provision of back doors to these USBs via master key would have lead the investigators to him earlier? Has the ban on public wi-fi and the current ID requirements at cyber-cafes led to the arrest of any terrorists or criminals in India? Where is the evidence that resource hungry blanket surveillance is providing return on investment? Intelligence work cannot be replaced with resource-hungry blanket surveillance. Unnecessary surveillance distracts the security with irrelevance.

Increase in security levels is not directly proportional to increase in levels of surveillance. A certain amount of surveillance is unavoidable and essential. But after the optimum amount of surveillance has been reached, additional surveillance only undermines security. The multiple levels of data retention at the cybercafe, by the ISP and also by the application service provider does not necessarily make Indian cyberspace more secure. On the contrary, redundant storage of personal sensitive information only acts as multiple points of failure and leaks—in the age of Niira Radia and Amar Singh one does not have be reminded of authorised and unauthorised surveillance and their associated leaks.

Finally, there is the question of perception management. Perceptions of security does not only depend on reality but on personal and popular sentiment. There are two possible configurations for information systems—one, where the fundamental organising principle is trust or second, where the principle is suspicion. Systems based on suspicion usually gives rise to criminal and corrupt behavior. If the state were to repeatedly accuse its law-abiding citizens of being terrorists and criminals, it might end up provoking them into living up to these unfortunate expectations. If citizens realise that every moment of their digital lives is being monitored by multiple private and government bodies—they will begin to use anonymisation and encryption technology round the clock even when it is not really necessary. Ordinary citizens will be forced to visit the darker and nastier corners of the internet just to download encryption tools and other privacy enabling software. Like the prohibition, this will only result in further insecurity and break-down in the rule of law.

Read the original here

For more details visit http://editors.cis-india.org/internet-governance/blog/want-to-be-watched

Big Brother is Watching You

sunil — 2012-03-21T09:32:28Z

The government is massively expanding its surveillance power over law-abiding citizens and businesses, says Sunil Abraham in this article published by the Deccan Herald on June 1, 2011.

Imagine: An HIV positive woman calls a help-line from an ISD/STD booth. The booth operator can get to know who she called, when and for how long. But he would not have any idea on who she is or where she lives.

Now, instead of a phone call, imagine that she uses a cyber café to seek help on a website for HIV positive people. The cyber-cafe operator would have a copy of her ID – remember that many ID documents have phone numbers and addresses. He may then take her photograph using his own camera. One can only hope that he will take only a mug-shot without using the zoom lens inappropriately. He would also use a software – to log her Internet activities and make a reasonable guess on her HIV status.

The average Facebook page may have 50 different URLs to display the various images, animations and videos that are linked to that page. Each of those URLs would be stored, regardless of whether she scrolls down to see any of them.

The cyber-cafe operator is obliged under the Cyber Cafe rules to store this information for a period of one year. But there are no clear guidelines on when and how he should dispose of these logs. An unethical operator could leak the logs to a marketeer, a spammer, a neighbourhood Romeo or the local moral police. A careless operator maybe vulnerable to digital or physical theft and before you know it, such logs could end up on the Internet.

Ever since 26/11, cyber-cafes in metros have been photocopying ID documents – but so far not a single terrorist attack has been foiled or a crime solved thanks to this highly intrusive measure. But despite the lack of evidence to prove the efficacy of the current levels of surveillance, the government has decided to expand them exponentially.

Imagine again: A media organisation such as Deccan Herald is investigating a public interest issue with the help of a whistle-blower or an anonymous informant. Deccan Herald reporters may think that by turning the encryption on when using Gmail or Hotmail they are protecting their source.

But the ISP serving Deccan Herald is obliged by the license terms to log all traffic be it broadband, dial-up or mobile users passing through it. Again, there are no clear guidelines on when to delete these logs and none of the Indian ISPs publicly publish a data retention policy. Besides retaining data, the ISPs have to install real-time surveillance equipment within their network infrastructure and make them available for government officials. If a government official wants to track who is talking to Deccan Herald reporters, he just has to ask.

With ISPs and online service providers – all the police have to do is send an information request under Section 92 of the Code of Criminal Procedure. In other words, they don't even have to bother about a court order. Between January 2010 to June 2010 Google received 1,430 information requests from India. Many other companies, for example, Microsoft, are not as transparent as Google about the state surveillance. So we will never know what they are subjected to.

If the whistle-blower was using Blackberry, all traffic would be transferred from the device to the RIM's Network Operation Centre situated outside India in an encrypted tunnel before it travels onto the Internet. This prevents the government from learning which mail server is being used from the logs and surveillance equipment at the ISP premises. And that is why the government has been engaged in a five-year long public fight with RIM over access to Blackberry traffic.

Now, thanks to the IT Act, the government can demand the service providers, including RIM, to hand over the decryption keys by accusing any individual of a variety of vague offenses -- for example engaging in communication that is ‘grossly harmful’ or ‘harms minors in any way’ – under the IT Act. Refusal to hand over the keys is punishable with a jail term of three years.

Finally, imagine that an Indian enterprise is developing trade-secrets or handling trade-secrets on behalf of their international partners. This enterprise is using a VPN or virtual private network for confidential digital communication. As per the ISP license all encryption above 40-bit is only permitted with written permission from DoT along with mandatory deposit of the decryption key.

In the age of wire-tap leaks, only a miniscule minority of international business partners would trust the government of India not to leak or misuse the keys that have been deposited with them. Most individuals, SMEs and large enterprises routinely use encryption higher than 40 bit strength. For example, Gmail uses128 bit and Skype uses 256 bit encryption. Many services use dynamic encryption, that is generate different keys for each session.

So far I have not heard of anyone who has actually secured permission or deposited the keys. In other words, the Indian enterprise has two choices – either break the law to protect business confidentiality or obey it and lose clients.

The IT Act (Amendment 2008) and its associated Rules, notified in April this year are a massive expansion of blanket surveillance on ordinary, law-abiding Indians. They represent a paradigm shift in surveillance and a significant dilution in privacy protections afforded to citizens under the Telegraph Act.

This has terrifying consequences for our plural society, free media and businesses. Department of Information Technology in particular Dr. Gulshan Rai's office has so far only brushed aside these concerns and denied receiving feedback from the industry and civil society. If our media continues to ignore this clamp down on our civil liberties, we will soon have to furnish ID documents before purchasing thumb drives. After all, Bin Laden was found using them in his Abbottabad home.

Read the original here

For more details visit http://editors.cis-india.org/internet-governance/blog/big-brother-watching-you

We are anonymous, we are legion

sunil — 2012-03-21T09:38:56Z

Online anonymity is vital for creativity and entrepreneurship on the Web, writes Sunil Abraham. The article was published in the Hindu on April 18, 2011.

During his keynote at the International World Wide Web Conference recently, Sir Tim Berners-Lee argued for the preservation of online anonymity as a safeguard against oppression. This resonated with his audience in Hyderabad, given the recent uproar in the Indian blogosphere and twitterverse around the IT Act (Amendment 2008) and the recently published associated rules for intermediaries and cyber cafes.

Over time, there has been a dilution of standards for blanket surveillance. The Telegraph Act allowed for blanket surveillance of phone traffic only as the rarest of exceptions. The IT Act and the ISP licence on the other hand, authorise and require ISPs and cyber cafes to undertake blanket surveillance as the norm in the form of data retention. The transaction database of the UID (Unique Identification Number) project will log of all our interactions with the government, private sector and other citizens; all these are frightening developments for freedom of expression in general and anonymous speech in particular.

Anonymous speech is a necessary pre-condition for democratic and open governance, free media, protection of whistle-blowers and artistic freedom. On many controversial areas of policy formulation, it is usually anonymous officials from various ministries making statements to the press. Would mapping UIDs to IP address compromise the very business of government? A traditional newspaper may solicit anonymous tips regarding an ongoing investigative journalism campaign through their website.

Would data retention by ISPs expose their anonymous sources? Whistle-blowers usually use public Wi-Fi or cyber cafes because they don't want their communications traced back to residential or official IP addresses. Won't the ban on open public Wi-Fi networks and the mandatory requirement for ID documents at cyber cafes jeopardise their safety significantly? Throughout history, great art has been produced anonymously or under a nom de plume. Will the draft Intermediary Due Diligence Rules, which prohibits impersonation even if it is without any criminal intent, result in artists sanitising their art into banality?

Anonymous speech online is facilitated by three forms of sharing — shared standards, shared software and shared identities. Shared or open standards such as asymmetric encryption and digital signatures allow for anonymous, private and yet authenticated communications. Shared software or Free/Open Source Software reassures all parties involved that there is no spy-ware or back door built into tools and technologies built around these standards.

Shared identities, unlike shared software and standards, is a cultural hack and, therefore, almost impossible to protect against. V for Vendetta, the graphic novel by Alan Moore gives us an insight into how this is could be done. The hero, V, hides his identity behind a Guy Fawkes mask. Towards the end of the novel, he couriers thousands of similar masks to the homes of ordinary citizens.

In the final showdown between V and the oppressive regime, these citizens use these masks to form an anonymous mob that confuses the security forces into paralysis. Shared identities online therefore, is the perfect counterfoil to digital surveillance.

As Dr. Berners-Lee spoke in Hyderabad, the Internet Rights and Principles Dynamic Coalition of the Internet Governance Forum released a list of 10 principles for online governance at the meeting convened by the UN Special Rapporteur on Freedom of Expression in Stockholm.

The fifth principle includes “freedom from surveillance, the right to use encryption, and the right to online anonymity”. One hopes that Gulshan Rai of CERT-IN will heed the advice provided by his international peers and amend the IT Act rules before they have a chilling effect on online creativity and entrepreneurship.

Read the article originally published in the Hindu, here

For more details visit http://editors.cis-india.org/internet-governance/blog/online-anonymity

Wherever you are, whatever you do

sunil — 2012-03-21T10:12:05Z

Facebook recently launched a location-based service called Places. Privacy advocates are resenting to this new development. Sunil Abraham identifies the three prime reasons for this outcry against Facebook. The article was published in the Indian Express on 23 August, 2010.

Privacy activists are up in arms again, at Facebook’s recent launch of a new location-based service called Places. But what’s the new issue here? For years, telecom operators have been able to roughly locate you by triangulating the signal strength between the three nearest cell towers. In India, geo-location is part of the call logs maintained by the operator. That is how the police was able to determine that Bangalore resident Sathish Gupta killed his wife Priyanka. He took her mobile with him during a jog with his friend and then faked a phone call as an alibi. He knew that the time-stamps on the call logs would corroborate his lies. But the location-data nailed him. So, in short, the state and telecom operators know where you are even if you don’t have a smartphone with GPS support.

For those who can afford it? GPS support provides greater accuracy and reliability, independent of telecom signal strength. The immediate and future benefits are huge. For parents, MyKidIsSafe.com, allows them to create a geo-fence and receive automatic notification when the child leaves the safety zone. In combination with RFID, businesses are able to provide their customers with accurate updates regarding status of deliveries. The Karnataka police is able to verify that the police inspector issuing the challan using a Blackberry for a traffic violation is not doing it from home. Seven hundred and fifty thousand gay men from 162 countries use a geo-social network called Grindr to find love. In the future, most car-pooling services will be GPS-enabled. Geo-location-based crowd-sourcing will be used to predict and avoid traffic jams by measuring the density and velocity of mobile phones on various routes.

Privacy advocates worry that after helping the police solve crimes and fight terrrorism, telecom companies retain the logs instead of deleting, anonymising or obfuscating them. Especially so in India, given the lack of privacy laws, telecom operators, web and mobile service providers could retain the logs for customer profiling or worse still, sell the raw data or analysis to third parties. Cyber-stalkers, child molesters and rapists benefit. Cat burglars will know when you are away and be able to clean out your house in a more relaxed fashion. Geo-surveillance by a state, obsessed with terrorism, will have negligible benefits while extracting a huge social cost and significantly undermining national security.

So why this particular outcry against the world’s most successful social networking website? There are three reasons that come immediately to mind. First, Facebook has a terrible record with privacy. In the last five years, the default settings have moved from one where no personal data was available for anonymous access to one with anonymous access to everything except birthday and contact information. And these are settings that affect the majority of the half a billion people who don’t bother changing default settings. So there is no guarantee that Facebook will not get more intrusive with its default geo-location privacy settings.

Second, a friend can geo-tag you without requiring you to approve or confirm this. Once you are geo-tagged, all your common friends will be notified through the friend-feed system. This is similar to the current system of photo sharing. A friend can upload a inappropriate photograph and tag you almost instantly all your work-mates who also happen to be your Facebook friends get a notification via the feed. Of course, you can always untag the photo, change the settings and defriend the culprit but by then the damage is usually done.

Third, the Facebook user-interface for privacy settings is notoriously complex and cumbersome. Many users will think that they have managed to bolt down the security settings when in fact their personal data will remain all up for grabs. The half a million third-party products available today on the Facebook platform only compounds this problem.

Read the original in the Indian Express

For more details visit http://editors.cis-india.org/internet-governance/blog/wherever-you-are-whatever-you-do

Does the Government want to enter our homes?

sunil — 2012-03-21T10:12:40Z

When rogue politicians and bureaucrats are granted unrestricted access to information then the very future of democracy and free media will be in jeopardy. In an article published in the Pune Mirror on 10 August, 2010, Sunil Abraham examines this in light of the BlackBerry-to-BlackBerry messenger service that the Government of India plans to block if its makers do not allow the monitoring of messages. He says that civil society should rather resist and insist on suitable checks and balances like governmental transparency and a fair judicial oversight instead of allowing the government to intrude into the privacy and civil liberties of its citizens.

What? Me worry about the blackberry imbroglio?
If Pierre Trudeau were alive today, he would feel similarly about the Canadian innovation that is making news these days. But, given the Indian media's objective take on the ongoing BlackBerry tussle, one would assume that the media is unaffected.

Many internet observers say that the very future of democracy and free media is at stake. If rogue politicians and bureaucrats are able to eavesdrop on the communications of media houses, wouldn't that sound the death knell for sting operations, anonymous informants and whistle-blowers?

And, consequently, free press and democracy? How can the media keep its calm when one of the last bastions of electronic privacy in India is being stormed?

Isn’t this a lost cause already?
Perhaps, our reporters and editors have remained complacent, because they do not want to swim against the tide. After all, governments across the world have used excuses like cyber-terrorism, organised crime, pornography, piracy etc. to justify censorship and surveillance regimes.

The priveleged access that the governments of India, Saudi Arabia and UAE are demanding has already been provided to the governments of USA, Canada and Russia, for example.

We don't know how much they know about us!
The average reader might not be aware of the access that the Indian government has to his/her personal information.

To be clear, the Indian government, like most other governments, is able to intercept, decrypt, monitor and record sms and voice call traffic by working in partnership with ISP and Telecom operators.

This is legalised through ISP licence agreements, which requires ISPs to provide monitoring equipment that can be used to by various law enforcement and intelligence agencies. There is no clear policy on data-retention policies.

Industry insiders say that SMS messages, telephone call logs, email headers, and web requests are archived from anywhere between three months and a year.

Do these ISPs and telecom operators then delete, anonymise or obfuscate this data? Or do they they retain it for posterity for market research?

In the absence of a privacy law — the Indian citizen can only make intelligent guesses.

Encryption is our friend
As a student, when I passed a love note to my lady-love in class, I would use a symmetric key encryption scheme.

She would use the same key as I did to unencrypt the machine, ie, substituting the alphabet with the next/previous one.

If someone was able to intercept the key, then all communication between us in both directions would be compromised.

Asymmetric key encryption solves this problem by giving both parties two keys — a public key and a private key. I would use my lady-love’s public key to encrypt a message meant for her.

Only she would be able to unencrypt the message by using her private key. The size of the key — 40bit, 128bit, 256bit etc. determines the strength of the encryption.

The more bits you have, the longer it will take for someone to break through using a brute force method. The brute force method or dictionary method is when you try every single combination —just as you would with an old suitcase.

The time taken also depends on computing resources — whether you are a jealous boyfriend, or the FBI, or a corporation like Google. These days, governments depend on corporations for hardware and network muscle.

How does Blackberry encrypt differently?
Other smart phone providers like IPhone and Nokia make email and Internet traffic transparent to the ISP and telecom operator, making it easy for governments are able to keep track of Internet users on mobile phones just as they monitor dial-up or broadband users.

Most mobile services come with a basic encryption. Blackberry is different because it introduces an additional level of encryption, and then routes traffic either through corporate servers or through its own servers in Canada and other parts of the world.

The fact that information is routed thus can pose a threat to the Indian government, if officials are using Blackberries to exchange highly classified information.

Then, GoI could be worried if western intelligence agencies are eavesdropping.

How will this end? Will Blackberry leave?
Blackberry has never exited a country, because in the end it has prioritised consumer privacy over commercial compulsions. For example Blackberry has now ‘resolved’ security probwith Saudi Arabia.

I don’t think we should worry about deals or compromises. However, this is not to say that Blackberry should not be applauded.

They have taken a public stand against unrestricted governmental access to their clients’ information; one should always applaud corporates who fight hard for privacy and civil liberties.

What the Blackberry dilemma is showing us is the social cost of the electronic Big Brother will be steep, as it should be.

To protect citizens’ rights, civil society must resist and insist on suitable checks and balances like governmental transparency and fair judicial oversight.

Read the article in Pune Mirror

For more details visit http://editors.cis-india.org/internet-governance/blog/government-enter-homes

Facebook, privacy and India

sunil — 2013-09-26T11:40:00Z

Does Facebook's decision to open out user information and data to third party websites amount to an invasion of privacy and should users' seriously consider getting out of the site? Sunil Abraham doesn't think so.

Even if you aren’t a Facebook user (and most likely than not you are), chances are that you’ve at least heard that there are problems related to privacy settings on the site. The net has been abuzz with indignation over a decision by Facebook to open out user information and data to third party websites. A number of high profile Facebook users (and many more low profile ones) completely deactivated their accounts after the changes were announced by Founder and Chief executive Mark Zuckerberg and critics immediately pointed out that users were losing control of their personal information.

There have been a slew of articles condemning the move, and highlighting “dramatic” changes to the sites privacy policy. Most alarming perhaps being this slideshow compiled by Matt McKeon.

All these are legitimate concerns, but how worried should we be really? Should you be seriously considering getting off the site? “As long as you are a little smart about what you upload on Facebook, there is no need to do anything as drastic as deleting your account”, says Sunil Abraham the executive director of the Centre for Internet & society, based out of Bangalore. Abraham said that the issue has shown people the risk of uploading certain types of photographs and content on to the net, but most importantly highlights the need for a privacy commission in India.

“The EU has a commission which makes certain directives to sites like Facebook from time to time, which are then adhered to. India should also seriously consider setting up a similar commission, he said.

Facebook has mantained that its privacy settings are prominently displayed and can be easily accessed by users. But critics say that it is much too long and convoluted. The BBC reports that the policy in its current form has 50 different settings, 170 options and runs to 5,830 words, making it longer than the US Constitution. And the sheer volume of outrage has prompted a rethink of the privacy policy by Facebook, which since held an internal meeting to discuss the affair.

Abraham agrees that the issue of privacy is a complex one, but noted that the definition of what constituted “privacy” varied from culture to culture. “In India, it is perfectly normal for someone to ask someone else how much they earn, while such a question would be completely outside the boundaries of propriety in most Western countries”, he said. The issue with Facebook, he says, is that its desicion to change its privacy settings was tantamount to a breach of contract. “People who joined Facebook did so because they were comfortable with the settings and regulations available on the site. For Facebook to suddenly change that violates the spirit of that contract”, he said.

Meanwhile the founder and chief executive of Facebook Mark Zuckerberg has written an article in the Washington Post today directly addressing issues relating to privacy controls on the popular social networking site.

“The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark,”said Zuckerberg.

Read the article in Livemint

For more details visit http://editors.cis-india.org/news/facebook-privacy-india