Centre for Internet and Society

TV versus Social Media: The Rights and Wrongs

sunil — 2013-01-21T03:09:56Z

For most ordinary Netizens, everyday speech on social media has as much impact as graffiti in a toilet, and therefore employing the 'principle of equivalence' will result in overregulation of new media.

Sunil Abraham's guest column was published in the Tribune on January 20, 2013.

Many in traditional media, especially television, look at social media with a mixture of envy and trepidation. They have been at the receiving end of various unsavoury characters online and consequently support regulation of social media. A common question asked by television anchors is "shouldn't they be subject to the same regulation as us?" This is because they employ the 'principle of equivalence', according to which speech that is illegal on broadcast media should also be illegal on social media and vice versa. According to this principle, criticising a bandh on national TV or in a newspaper op-ed or on social media should not result in jail time and, conversely, publishing obscene content, in either new or old media, should render you a guest of the state.

Given that Section 66-A of the Information Technology Act, 2000, places more draconian and arguably unconstitutional limits on free speech when compared to the regulation of traditional and broadcast media, those in favour of civil liberties may be tempted to agree with the 'principle of equivalence' since that will mean a great improvement from status quo. However, we must remember that this compromise goes too far since potential for harm through social media is usually very limited when compared to traditional media, especially when it comes to hate speech, defamation and infringement of privacy. A Facebook update or 'like' or a tweet from an ordinary citizen usually passes completely unnoticed. On rare occasion, an expression on social media originating from an ordinary citizen goes viral and then the potential for harm increases dramatically. But since this is the fringe case we cannot design policy based on it. On the other hand, public persons (those occupying public office and those in public life), including television journalists, usually have tens and hundreds of thousands friends and followers on these social networks and, therefore, can more consistently cause harm through their speech online. For most ordinary Netizens, everyday speech on social media has as much impact as graffiti in a public or residential toilet and therefore employing the 'principle of equivalence' will result in overregulation of new media.

Ideally speech regulation should address the asymmetries in the global attention economy by constantly examining the potential for harm. This applies to both 'speech about' public persons and also 'speech by' them. Since 'speech about' public persons is necessary for transparent and accountable governance and public discourse, such speech must be regulated less than 'speech about' ordinary citizens. Let us understand this using two examples: One, a bunch of school kids referring to a classmate as an idiot on a social network is bullying, but citizens using the very same term to criticise a minister or television anchor must be permitted. Two, an ordinary citizen should be allowed to photograph or video-record the acts of a film or sports star at a public location and upload it to a social network, but this exception to the right of privacy based on public interest will not imply that the same ordinary citizen can publish photographs or videos of other ordinary citizens. Public scrutiny and criticism is part of the price to be paid for occupying public office or public life. If speech regulation is configured to prevent damage to the fragile egos of public persons, then it would have a chilling effect on many types of speech that are critical in a democracy and an open society.

When it comes to 'speech by' those in public office or in public life - given the greater potential for harm - they should be held more liable for their actions online. For example, an ordinary citizen with less than 100 followers causes very limited harm to the reputation of a particular person through a defamatory tweet. However, if the very same tweet is retweeted by a television anchor with millions of followers, there can be more severe damage to that particular person's reputation.

Many in television also wish to put an end to anonymous and pseudonymous speech online. They would readily agree with Nandan Nilekani's vision of tagging all - visits to the cyber cafe, purchases of broadband connections and SIM cards and, therefore, all activities from social media accounts with the UID number. I have been following coverage of the Aadhaar project for the past three years. Often I see a 'senior official from the UIDAI' make a controversial point. If anonymous speech is critical to protect India's identity project then surely it is an important form of speech. But, unlike the print media, which more regularly uses anonymous sources for their stories, television doesn't see clearly the connection between anonymous speech and free media. This is because many of the trolls that harass them online often hide behind pseudonymous identities. Television forgets that anonymous speech is at the very foundation of our democracy, i.e., the electoral ballot.

For more details visit http://editors.cis-india.org/internet-governance/blog/sunday-tribune-january-20-2013-sunil-abraham-tv-vs-social-media

To regulate Net intermediaries or not is the question

sunil — 2012-08-26T06:12:48Z

Given the disruption to public order caused by the mass exodus of North-Eastern Indians from several cities, the government has had for the first time in many years, a legitimate case to crackdown on Internet intermediaries and their users.

Sunil's column was published in the Deccan Herald on August 26, 2012.

There was, of course, much room for improvement in the manner in which the government conducted the censorship. But the policy question that becomes most pertinent now is: do we need to regulate Internet intermediaries further? The answer is yes and no.

There are areas where these intermediaries need to be regulated in order to protect citizen and consumer interest. But to deal with rumour-mongering and hate speech, there is sufficient provisions in Indian law to deal with the current disruption in public order and any similar disruptions in the future.

It is a common misunderstanding to assume that all civil society organisations that advocate civil liberties on networked technologies are regulatory doves that wish to dismantle regulation of the private sector and allow them complete free hand for innovation and, perhaps, causing harm to public interest.

The opposite is also not necessarily true. We are not hawks, those that believe in maximal regulation of the private sector. The state should regulate the private sector in areas where the citizens are unable to protect their own interest and self-regulation is inadequate. But there are many other areas where regulation needs to be dismantled in the interests of citizen and public interest.

Dr Rohan Samarajiva, founder of a Colombo-based regional policy think tank LIRNEasia, explains this best using the ‘law of soft toys’. When his daughter was young he told her that in Sri Lanka there was a law which mandated that every time she got a new soft toy, she would have to necessarily give away another one.

The regulatory lesson here is: the mandate for regulation cannot keep endlessly expanding. As the government moves into new areas of regulation, it should also exit other older areas where regulatory rupee is providing limited returns. These decisions should be based on evidence of harm caused to citizens and consumers. The following are a list of areas where regulation is required for Internet intermediaries:

Privacy: India needs the office of the privacy commissioner established and an articulation of national privacy principles through the enactment of the long awaited Privacy Act. This privacy commissioner should be able to investigate complaints against intermediaries, proactively investigate companies, order remedial action and fine companies that violate the principles and other policies in force. Remedial action could require change in policies, features, data retention policies and services etc.

Competition: Many of these intermediaries have been taken to court on anti-trust complaints, fined and subjected to remedial action by regulators in America and Europe.

Earlier this year, BharatMatrimony.com has filed a complaint against Google at the Competition Commission of India (CCI) alleging anti-competitive practices in its Adwords program. In addition, based on a report submitted by Consumer Unity & Trust Society (CUTS), a civil society organisation, CCI has initiated an investigation into Google's search engine for anti-competitive practices. If they are found guilty of breaking competition law they could be fined up to 10 per cent of their turnover.

Speech: Article 19(2) of the Constitution permits Parliament to enact laws that place eight categories of reasonable restrictions on speech. Unfortunately, the Information Technology Act and its associated rules attempts to expand these restrictions and in addition does not comply with the principles of natural justice. Ideally, all those impacted by the censorship should be informed and should be able to seek redress and reinstatement for the censured speech.

The policy sting operation conducted by the Centre for Internet and Society (CIS) last year demonstrated that intermediaries are risk-averse and tend to over-comply with takedown notices. There is a clear chilling effect on speech online and it is important that the Act and rules be amended at the earliest.

Intellectual Property: Policies that fall under this inappropriate umbrella term for many differently configured laws make the yet unproven fundamental assumption that granting limited monopolies to rights holders, usually corporations, will result in greater innovation. However, citizen and consumer interest is protected through provisions for exceptions and limitations in laws such as copyright, patent, trademarks etc. Some examples of these safeguards that guarantee access to knowledge in Indian law include compulsory licences, patent opposition, fair-dealing etc.

There are many other areas where special treatment may be required for intermediaries. For example tax law needs to handle evasion techniques like the Double Irish and the Dutch Sandwich. Given my lengthy wish-list of regulation of Internet intermediaries, why then has CIS become an NGO member of the Global Network Initiative?

This is because I believe that technological development happen too quickly for us to purely depend on government regulation. Self-regulation has an important role to play in keeping up with these rapid changes. As self-regulatory norms mature they could be formalised into policy by the government.

Therefore, I consider it a privilege that CIS has been accepted as a member of this self-regulatory initiative and we influence GNI norms using our Indian perspective. However, when self-regulation fails to protect public interest, then the government must step in to regulate Internet intermediaries.

For more details visit http://editors.cis-india.org/internet-governance/www-deccan-herald-aug-26-2012-to-regulate-net-intermediaries-or-not-is-the-question

Tin Chen

sunil — 2009-09-08T04:56:25Z

Tin Chen holding camera.

For more details visit http://editors.cis-india.org/home-images/IMG_0726_small.JPG

The scariest bill in Parliament is getting no attention – here’s what you need to know about it

sunil — 2015-09-13T07:56:42Z

A bill proposes creation of a national DNA data bank, without requisite safeguards for privacy, and opens the information to everything from civic disputes to compilation of statistics.

The blog post by Nayantara Narayanan was published in Scroll.in on July 24, 2015.

On Wednesday, the Narendra Modi government told the Supreme Court that India's citizens have no fundamental right to privacy. Attorney General Mukul Rohatgi referred to a 1950 court verdict which held that the right to privacy was not a fundamental right while defending the constitutional validity of the Aadhar scheme, a massive database of information of individual citizens including biometrics and bank accounts. At the same time, the government is planning another big database.

In the ongoing stormy monsoon session of Parliament, where the government and opposition have locked horns over several proposed legislation, Human DNA Profiling Bill 2015 has been making little noise but can have widespread impact on India’s criminal justice system and the privacy of citizens. The bill aims to regulate the collection and use of genetic material from crime scenes, and also proposes the creation of a national DNA databank that might be used for non-forensic purposes.

DNA is a mighty tool, especially in criminal forensics, but access to a person’s genetic information can be highly intrusive and dangerous. DNA contains information about health and genetic relationships that can influence employment, insurance. It can be tampered with and planted at crime scenes.

Law and poverty expert Usha Ramanathan and Centre for Internet and Society executive director Sunil Abraham, who are members of an expert committee on DNA profiling constituted by the government, have written dissent notes against the final draft of the Human DNA Profiling Bill. Ramanathan and Abraham are of the opinion that there aren’t adequate safeguards to privacy and too much power rests with the proposed DNA Profiling Board.

Ramanathan notes that one of the biggest challenges of a DNA database is function creep – the gradual widening of the use of a technology beyond the purpose for which it was originally intended. As this DNA profiling bill enters Parliament, here are some questions we should be asking.

Is DNA evidence infallible?

The short answer is “no”. Despite all the crime shows and murder movies we have seen where DNA evidence nails the perpetrator to the crime, DNA evidence is far from absolute. Genetic material recovered from a crime scene is likely to be only a partial strand of DNA. Analysing this partial strand can lead to a match with the person that left the DNA behind but can also lead to a coincidental match with people who happen to have a similar gene sequence in their DNA. False incriminations can happen when more than one person’s DNA get mixed at the crime scene, from DNA contamination, mislabelling and even degradation over time.

In the Aarushi Talwar murder case, for instance, the Hyderabad-based Centre for DNA Fingerprinting and Diagnostics altered its 2008 report in 2013 and admitted to typographical errors in the description of its DNA samples. The evidence could have changed the course of the investigation.

What will the national DNA database look like?

The bill proposes to set up a national DNA data bank and a number of state or regional data banks that will feed into the national data pool. Every data bank will have six categories under which DNA profiles will be filed – crime scene index, suspects’ index, offenders’ index, missing persons’ index, unknown deceased persons’ index, and volunteers’ index. The DNA profiling board will have the power to include more categories. In the offenders’ index, the DNA information will be linked to the name of the person from whom it was collected. All others will be linked to a case reference number.

What happens when my genetic material is on the database?

The bill gives sanction for broad use of DNA profiles and samples – to identify victims of accidents or disasters, to identify missing persons, for civil disputes and other offences. It also allows the information to be used to create population statistics, identification research, parental disputes, issues relating to reproductive technologies and migration. In his dissent note, Abraham argues that all non-forensic use should be rejected.

Cases like whether paternity should be determined, unwed mothers leaving their children and adopted children looking for their natural parents are hugely contestable things, said Ramanathan. “You are changing multiple structures and not recognising any of them,” she added.

Even though the bill allows for DNA information of offenders to be expunged once a court acquits them or sets aside a conviction, it makes no provision for removing other kinds of profiles.

The CDFD, which will be instrumental in building and processing DNA profiles, is using the CODIS software bought from the US's Federal Bureau of Investigation an compatible with their systems. The FBI used CODIS to identify victims of the terrorist attacks on the World Trade Center in 2001. More recently, the CDFD used CODIS to identify some who died in the Uttarakhand floods of 2013 after asking for 5,000 people who were possibly relatives of the deceased to undertake DNA testing.

Can the DNA profiling board protect our genetic information?

The bill grants the board vast powers to allow the use of DNA profiles in any civil and criminal proceedings that it deems necessary. “Ideally these powers would lie with the legislative or judicial branch,” Abraham said, in his dissent note. “Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board.”

Ramanathan questions the constitution of the board itself, her worry being that the board is not a body of disinterested officials. The secretary of the board is supposed to be from the Centre for DNA Fingerprinting and Diagnostics, an autonomous institute that will get a lot of work from the creation of the national DNA data bank.

Why does a DNA fingerprinting consent form ask for caste?

One of the most troubling features of the creation of a databank is the consent form to be signed by a person donating blood for DNA analysis. Along with name, gender and address, the form also asks for caste to be listed.

India has a history of unwarrantedly linking caste and community with criminality. Members of decriminalised tribes regularly report being harassed by the police and even having false cases foisted on them simply because they are linked to a certain community. Tagging caste onto genetic data can result in unfair profiling and identification errors.

The United Kingdom set up its national criminal DNA database in 1995. The database expanded over a decade by including genetic information of anyone who was arrested till more than one million innocent people were on it – including a grandmother who didn’t return a football to children who kicked it into her garden. The dangers of a genetic database are too much state oversight, false implication in crimes and a loss of privacy – none of which should come to pass without at least a debate.

For more details visit http://editors.cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it

The Quixotic Fight to Clean up the Web

sunil — 2012-01-26T20:53:02Z

The ongoing attempt to pre-screen online content won’t change anything. It will only drive netizens into the arms of criminals, writes Sunil Abraham in this article published in Tehelka Magazine, Vol 9, Issue 04, Dated 28 Jan 2012.

GOOGLE AND Facebook’s ongoing case in the Delhi High Court over offensive online content is curious in three ways. First, the complaint does not mention the IT Act, 2000. Prior to the 2008 amendment, intermediaries (in this case, Google, Facebook, etc) had no immunity. But after the amendment, intermediaries have significant immunity and are not considered liable unless takedown notices are ignored.

Second, it is curious that the complaint does not mention specific individuals or groups directly responsible for authoring the allegedly offensive material. Only intermediaries have been explicitly named. If specific content items have been submitted in court then it is curious that specific accounts and users have not been charged with the same offences.

Three, Delhi-based journalist Vinay Rai claims that takedown notices and requests for user information were ignored by the intermediaries. As yet, unpublished research at the Centre for Internet and Society has reached the exact opposite conclusion. We sent fraudulent takedown notices to seven of the largest intermediaries in India as part of a policy sting operation. Six of them over-complied and demonstrated no interest in protecting freedom of expression. Our takedown notices were complied with even though they were largely nonsensical. It is therefore curious that Rai’s takedown notices were ignored.

Under Section 79 of the IT Act, the intermediary must not “initiate the transmission”, “select the receiver of the transmission” and “select or modify the information contained in the transmission”. In other words, they must not possess “actual knowledge” of the content. This would be absolutely true if intermediaries acted as “dumb pipes” or “mere conduits”. But today, they have reactive “human filters” ensuring conformance to community guidelines that often go beyond constitutional limits on freedom of expression.

For example, Facebook deletes breastfeeding photographs if a certain proportion of the breast is visible, despite numerous protests. Intermediaries also use proactive “machine filters” to purge their networks of pornography and copyright infringing content. In order to retain immunity under the IT Act, intermediaries would have to demonstrate that they have no “actual knowledge”. This would also imply that they cannot proactively filter or pre-screen content without becoming liable for illegal content.

More sophisticated “machine filters” will continue to be built for social media platforms as computing speeds increase and costs decrease dramatically. But there will be significant collateral damage — the vibrancy of online Indian communities will be diminished as legitimate content will be removed and this in turn will retard Internet adoption rates. Free media, democratic governance, research and development, culture and the arts will all be fundamentally undermined. So whether pre-censorship is technically feasible is an irrelevant question. The real question is what limits on freedom of expression are reasonable in the Internet age.

The legal tussle is yet another chance for reflecting on the shortcomings of the IT Act

Censorship is like prohibition, illegal content will persist, the mafia will profit and ordinary citizens will be implicated in criminal networks. Use of anonymising proxies, circumvention tools and encryption technologies will proliferate, frustrating network optimisation efforts and law enforcement activities.

This is yet another opportunity for reflecting on the shortcomings of the ITAct. A lot of the confusion and anxiety today emerges from vague language, unconstitutional limits on freedom of expression, multi-tiered blanket surveillance provisions, blunt security policy measures contained in the statute and its associated rules. The next Parliament session is the last opportunity for MPs to ask for the rules for intermediaries, cyber cafes and reasonable security practices to be revisited. The MP who musters the courage to speak will be dubbed a superhero.

As told to Shonali Ghosal. Sunil Abraham is Executive director, centre for internet and society and can be contacted at sunil@cis-india.org. The original article was published in Tehelka.

Illustration by Sudeep Chaudhuri

For more details visit http://editors.cis-india.org/internet-governance/quixotic-fight-to-clean-the-web

The generation of e-Emergency

sunil — 2015-06-29T16:40:54Z

The next generation of censorship technology is expected to be ‘real-time content manipulation’ through ISPs and Internet companies.

The article was published in Livemint on June 22, 2015.

Censorship during the Emergency in the 1970s was done by clamping down on the media by intimidating editors and journalists, and installing a human censor at every news agency with a red pencil. In the age of both multicast and broadcast media, thought and speech control is more expensive and complicated but still possible to do. What governments across the world have realized is that traditional web censorship methods such as filtering and blocking are not effective because of circumvention technologies and the Streisand effect (a phenomenon in which an attempt to hide or censor information proves to be counter-productive). New methods to manipulate the networked public sphere have evolved accordingly. India, despite claims to the contrary, still does not have the budget and technological wherewithal to successfully pull off some of the censorship and surveillance techniques described below, but thanks to Moore’s law and to the global lack of export controls on such technologies, this might change in the future.

First, mass technological-enabled surveillance resulting in self-censorship and self-policing. The coordinated monitoring of Occupy protests in the US by the Department of Homeland Security, the Federal Bureau of Investigation (FBI) counter-terrorism units, police departments and the private sector showcased the bleeding edge of surveillance technologies. Stingrays or IMSI catchers are fake mobile towers that were used to monitor calls, Internet traffic and SMSes. Footage from helicopters, drones, high-res on-ground cameras and the existing CCTV network was matched with images available on social media using facial recognition technology. This intelligence was combined with data from the global-scale Internet surveillance that we know about thanks to the National Security Agency (NSA) whistle-blower Edward Snowden, and what is dubbed “open source intelligence” gleaned by monitoring public social media activity; and then used by police during visits to intimidate activists and scare them off the protests.

Second, mass technological gaming—again, according to documents released by Snowden, the British spy agency, GCHQ (Government Communications Headquarters), has developed tools to seed false information online, cast fake votes in web polls, inflate visitor counts on sites, automatically discover content on video-hosting platform and send takedown notices, permanently disable accounts on computers, find private photographs on Facebook, monitor Skype activity in real time and harvest Skype contacts, prevent access to certain websites by using peer-to-peer based distributed denial of service attacks, spoof any email address and amplify propaganda on social media. According to The Intercept, a secret unit of GCHQ called the Joint Threat Research Intelligence Group (JTRIG) combined technology with psychology and other social sciences to “not only understand, but shape and control how online activism and discourse unfolds”. The JTRIG used fake victim blog posts, false flag operations and honey traps to discredit and manipulate activists.

Third, mass human manipulation. The exact size of the Kremlin troll army is unknown. But in an interview with Radio Liberty, St. Petersburg blogger Marat Burkhard (who spent two months working for Internet Research Agency) said, “there are about 40 rooms with about 20 people sitting in each, and each person has their assignments.” The room he worked in had each employee produce 135 comments on social media in every 12-hour shift for a monthly remuneration of 45,000 rubles. According to Burkhard, in order to bring a “feeling of authenticity”, his department was divided into teams of three—one of them would be a villain troll who would represent the voice of dissent, the other two would be the picture troll and the link troll. The picture troll would use images to counter the villain troll’s point of view by appealing to emotion while the link troll would use arguments and references to appeal to reason. In a day, the “troika” would cover 35 forums.

The next generation of censorship technology is expected to be “real-time content manipulation” through ISPs and Internet companies. We have already seen word filters where blacklisted words or phrases are automatically expunged. Last week, Bengaluru-based activist Thejesh GN detected that Airtel was injecting javascript into every web page that you download using a 3G connection. Airtel claims that it is injecting code developed by the Israeli firm Flash Networks to monitor data usage but the very same method can be used to make subtle personalized changes to web content. In China, according to a paper by Tao Zhu et al titled The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions, “Weibo also sometimes makes it appear to a user that their post was successfully posted, but other users are not able to see the post. The poster receives no warning message in this case.”

More than two decades ago, John Gilmore, of Electronic Frontier Foundation, famously said, “the Net interprets censorship as damage and routes around it.” That was when the topology of the Internet was highly decentralized and there were hundreds of ISPs that competed with each other to provide access. Given the information diet of the average netizen today, the Internet is, for all practical purposes, highly centralized and therefore governments find it easier and easier to control.

For more details visit http://editors.cis-india.org/internet-governance/blog/livemint-june-22-2015-sunil-abraham-the-generation-of-e-emergency

The Free Basics debate: Trai has a point in imposing temporary ban on net neutrality

sunil — 2015-12-25T14:58:30Z

The argument against net neutrality in India is simple. Regulation cannot be based on dogma – evidence of harm must be provided before you can advocate for rules for ISPs and telecom operators.

The article was published in FirstPost on December 24, 2015.

But net neutrality regardless of your preferred definition is a very complex regulatory question and there is no global or even national consensus on what counts as relevant evidence. To demonstrate the chain of causality between network neutrality violations and a variety of potential harms - expertise in a wide variety of fields such as economics, competition law, telecom policy, spectrum allocation, communications engineering and traffic management is required. Even with a very large research budget and a multidisciplinary team it would be impossible to predict with confidence what the impact of a particular regulatory option will be on the digital divide or innovation. And therefore the advocates of forbearance say that the Indian telecom regulator — Trai — should not regulate unprecedented technical and business model innovations like Facebook's Free Basics since we don't understand them.

Till recently I agreed with this empirical line of argument. But increasingly I am less convinced that scientific experiment and evidence is the only basis for regulation. Perhaps there is a small but necessary role for principles or ideology. Like the subtitle of Nassim Nicholas Taleb's book, we need to ask: How to Live in a World We Don't Understand. Let us take another area of technological regulation – cyber security. Do we really need to build a centralised database containing the passwords of all netizens and perform scientific experiments on it to establish that it can be compromised? A 100 percent centralised system has a single point of failure and therefore from a security perspective centralisation is almost always a bad idea. How are we so sure that such a system will be compromised at some date? To quote Sherlock Holmes: “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” Decentralisation eliminates the possibility of a single point of failure thereby growing resilience. The Internet is perhaps the most famous example. It is not necessarily true that all decentralized systems are more secure than all centralised system of a decentralized network but it is usually the case. In other words, the principle of decentralisation in cyber security does not require repeated experimental confirmation across
markets and technologies.

To complicate matters, the most optimal solutions developed using economics and engineering may not be acceptable to most stakeholders. Professor Vishal Misra has provided a Shapley Value solution using cooperative game theory in the multi-sided market to determine how surplus should be divided between three types of ISPs [eyeball, transit and content] and Internet companies using transparent paid transit arrangements. But a migration from the current opaque arrangement to the Misra solution may never happen because Internet companies will resist such proposals and are increasingly getting into access provision themselves through projects like Google Fibre and Loom. Walter Brown from South African Communications Forum proposes that billing by minutes for phone calls and billing by message for SMSes should be prohibited because on 4G networks voice and text messages are carried as data and price is the best signal to consumers to ensure optimum use of network resources. This according to Walter Brown will eliminate the incentive for telcos to throttle or block or charge differently for VOIP traffic. Again this solution will not be adopted by any regulator because regulators prefer incremental changes with the least amount of disruption.

So given that we only have numbers that we can't trust - what should be some of the principles that form the bedrock of our net neutrality policy? To begin with there is the obvious principle of non-discrimination. The premise is simple – anyone who has gate-keeping powers might abuse it. Therefore we need to eliminate the possibility through regulation. Non-exclusivity is the result of non-discrimination and transparency is its precondition. That can also be considered as a principle and now we have three core principles to work with. Maybe that is sufficient since we should keep principles to the bare minimum to keep regulation and compliance with regulation simple. Some net
neutrality experts have also identified fairness and proportionality as additional principles. How do we settle this? Through transparent and participatory policy development as has been the case so far. Once we have principles articulated in law - how can we apply them to a specific case such as Facebook's Free Basics? Through the office of the appropriate regulator. As Chris Marsden advocates, net neutrality regulations should ideally be positive and forward looking. Positive in the sense that there should be more positive obligations and incentives than prohibitions and punitive measures. Forward looking in the sense that that the regulations should not retard or block technological and business model innovations. For example zero-rated walled gardens could be regulated by requiring that promoters such as Facebook also provide 50Mb of data per day to all users of Free Basics and also by requiring that Reliance provides the very same free service to other parties that want to compete with Facebook with similar offerings. Alternatively, users of Free Basics should get access to the whole Internet every other hour. All these proposal ensure that Facebook and it business partners have a incentive to innovate but at the same time ensures that resultant harms are mitigated.

Just to be absolutely clear, my defense of principle based regulation does not mean that I see no role for evidence and research. As regulation gets under way – further regulation or forbearance should be informed by evidence. But lack of evidence of harm is not an excuse for regulatory forbearance. India is the last market on the planet where the walled garden can be bigger than the Internet – and Facebook is sure giving it its very best shot. Fortunately for us Trai has acted and acted appropriately by issuing a temporary prohibition till regulation has been finalised. Like the US, coming up with stable regulation may take 10 years and we cannot let Facebook shape the market till then.

For more details visit http://editors.cis-india.org/telecom/blog/the-free-basics-debate-trai-has-a-point-in-imposing-temporary-ban-on-net-neutrality

The Five Monkeys & Ice-cold Water

sunil — 2012-10-30T10:43:38Z

The Indian government provides leadership, both domestically and internationally, when it comes to access to knowledge.

This article by Sunil Abraham was published in Deccan Chronicle on September 16, 2012.

Our domestic patent policy ensures that generic medicines are available and largely affordable not only within India but also in Africa and elsewhere. It also allows Indians to consume a wide range of technological innovations without worrying about legal bans that are an otherwise common feature in the developed countries, thanks to phenomena such as the ongoing mobile phone patent wars.

Copyright policy, including the last amendment of the copyright act, has ensured that fair dealing and the rights of students, researchers, disabled, etc., are protected. Texts, audio and video for education and entertainment are relatively affordable, especially in comparison to other countries in the Asia-Pacific.

Even at the World Intellectual Property Organisation, other developing countries look to India for guidance. The interventions of the copyright registrar G.R. Raghavender and the Indian team won praise during the most recent round of negotiations for the Treaty for the Visually Impaired. An excellent example of India's soft power protecting public interest at home and abroad.

In diametrical contrast, India has a terrible track record when it comes to freedom of expression, especially expression mediated by networked technologies such as telecommunications and the Internet.

Our policy-makers seem determined to extinguish the privacy of communications and also anonymous/pseudonymous speech through such devices as Know Your Customer (KYC) and data retention requirements for accessing the Internet through cyber-cafes, mobile phones, dial-up or broadband, ban on open wi-fi networks, plans to tie together Aadhaar and NATGRID and Central Monitoring System (CMS) to track a citizen using his/her UID across devices, networks and intermediaries, and requiring real-time interception equipment to be installed at all network and data centres.

All these without any horizontal privacy law or a data protection law that is compliant with international best practices. Security hawks argue that this pervasive, multi-tiered surveillance regime helps thwart criminal and terrorist attacks, but its poor design extracts a terrible price in terms of freedom of expression.

Citizens who cannot express themselves anonymously and privately begin to censor themselves, seriously undermining our democracy, which is most importantly founded on an anonymous expression, the electoral ballot.

In addition, in April 2011, rules under the amended IT Act were notified for intermediaries that have a chilling effect on free speech via unclear and unconstitutional limits on freedom of expression, encouragement of private censorship without any notice to those impacted, missing procedure for redress, and lack of penalties for those who abuse the rules to target legitimate speech. This was followed by calls for proactive censorship of social media, which caused much outrage amongst the twitterati.

Even when the government had legitimate grounds (the recent exodus of North-East Indians) to censor free speech, it overreached and acted incompetently, cracking down on parody accounts on social media rather than carefully configuring the text message ban. As if that weren't enough, the government beats up a cartoonist and jails him for sedition.

There’s a plan behind such attacks on free speech. The powerful in India, with their fragile egos, can afford expensive lawyers who can ensure that for those who dare to speak their mind, “the process is the punishment”, as Lawrence Liang of the Alternative Law Forum put it. Needless to say, cartoonists and others that dare to speak their mind cannot usually afford the time and expense of courts.

An experiment featuring monkeys, bananas and ice-cold water, commonly attributed to the late American psychologist Harry Harlow, explains what’s being attempted by those who attack free speech. First, five monkeys are put in a cage with bananas hanging from the top that can be reached by climbing a ladder. Every time one of the monkeys try to climb the ladder, ice-cold water is thrown on all of them. Soon, the monkeys learn not to climb the ladder.

Then, one of them is replaced with a monkey that has never been drenched with ice-cold water. When the new monkey tries to climb the ladder, the other four monkeys attack it and prevent it from reaching the banana. This is continued till all the original monkeys are replaced with new ones.

When that’s done, although none of the monkeys left in the cage has ever been drenched with ice-cold water, they continue to enforce the regulation on themselves. This is what has happened in China. This is what is being attempted here – to social engineer the Indian netizen.

For more details visit http://editors.cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water

The Fight for Digital Sovereignty

sunil — 2013-10-25T07:29:22Z

It is time to incorporate free software principles to address the issue of privacy. Thanks to the revelations of Edward Snowden, a former contractor to the United States (US) National Security Agency (NSA) who leaked secrets about the agency’s surveillance programmes, a 24-year-old movement aimed at protecting the rights of software users and developers has got some fresh attention from policymakers.

The article was published in the Economic & Political Weekly, Vol-XLVIII No. 42, October 19, 2013

The free and open source software movement (often collectively labelled as FOSS or sometimes FLOSS, with the “l” standing for “libre”) guarantees four freedoms through a copyright licence – the freedom to use for any purpose, the freedom to study the code, the freedom to modify it and the freedom to distribute the modified code gratis or for a fee. Free software principles have permeated the world in the form of movements around open standards, open content, open access and open data. The second freedom is the most critical in an open society. Privacy, security and integrity are best achieved through the transparency guaranteed by free software rather than the opacity of proprietary software.

Free software is directly useful in deciding on the software required for your device operating system and applications. NSA’s surveillance programme covered operating system vendors like Microsoft and Apple, and application vendors like Skype. The concerns raised by such surveillance programmes are best addressed by shifting to free software. Increasingly, this is possible on mobile devices because of the availability of Android derivatives that keep Google’s nose out of your business and on other personal computing devices through GNU/Linux distributions such as Ubuntu. Ideally, this should be accomplished by a mandate for government and public infrastructure in specific areas where free software alternatives are on par with proprietary competitors. Two other policy options remain outside procurement policies for hardware – code escrow and independent audits. Firms that are willing to share code with the government should be preferred over those that do not, thereby encouraging proprietary software companies to provide for the second freedom in free software within a limited context. Code escrow could improve the quality of the independent audit.

Unfortunately, open hardware based on free software principles is still a fringe phenomenon in terms of market share. The Indian government cannot afford bans on foreign products, unlike the intelligence and military of Australia, the US, Britain, Canada and New Zealand, which recently prohibited the use of Lenovo machines in “secret” and “top secret” networks. Last October, the US government banned US telecos from using equipment from Huawei and ZTE. Both these bans are not based on any credible public evidence regarding back doors in any of the products manufactured by these Chinese companies. The Indian government, using funds like the Universal Service Obligation Fund, should support competitive research to reverse-engineer and analyse all foreign and indigenous hardware to ensure that there is no national security threat or infringement on the individual’s right to privacy. One example would be a research project to determine whether China-manufactured phones call home when they are used on Indian telecom networks.

Cloud and other online services run by corporations could also completely undermine privacy and security. This again can be partially addressed through the transparency enabled by free software and open standards. To begin with, the government must ban the use of Google, Yahoo, Hotmail, etc, for official purposes by those in public office, law enforcement and the military, while simultaneously mandating the use of cryptography for all sensitive material and communication. It should not, however, mandate the use of National Informatics Centre (NIC) infrastructure as it may be a single point of failure; instead, a variety of open-standards-compliant and free-software-based infrastructure for all public sector information communication technology (ICT) requirements should be encouraged. This procurement bias will result in the growth of domestic server administration and security competence, thus creating and contributing towards the establishment of a market for affordable privacy and security-enhanced services that ordinary citizens and private sector organisations can access.

The end objective through means such as free software, open hardware, code escrow and independent audits is sovereignty over software, hardware, cloud and network infrastructure. However, the state, the private sector, the consumer and the citizen may disagree on the details. Apart from law enforcement and national security concerns that may require targeted surveillance, there are other occasions when technological possibilities may have to be curtailed through policy to protect human rights and the public interest. For example, to implement the internationally accepted privacy principle of notice on electronic recording devices, some jurisdictions may require that video recorders display a blinking red light and that digital cameras make an audible click sound just like analog cameras. This was first initiated in South Korea to reduce the incidence of “upskirt photography”. This type of law may become more commonplace when technologies like Google Glass become more popular. In other words, absolute digital sovereignty may need to be curtailed in order to protect human rights in certain circumstances. But code could be used to resist regulation through law, thereby converting both the software and hardware layers of devices and networks into a battleground for sovereignty between the free software hacker and the state.

For more details visit http://editors.cis-india.org/a2k/blogs/epw-vol-xlviii-42-october-19-2013-sunil-abraham-the-fight-for-digital-sovereignty

That’s the unkindest cut, Mr Sibal

sunil — 2011-12-12T04:59:00Z

There’s Kolaveri-di on the Internet over Kapil Sibal’s diktat to social media sites to prescreen users’ posts. That diktat goes far beyond the restrictions placed on our freedom of expression by the IT Act. But, says Sunil Abraham of the Centre for Internet and Society, India is not going to be silenced online.

Thanks to leaked reports about unpublicised meetings that communications minister Kapil Sibal had with social media operators – or Internet intermediaries, to use legalese — such as Facebook, Google and Indiatimes.com, censorship policy in India has gained public attention, and caused massive outrage.

According to The New York Times India Ink reportage, quoting unnamed sources from the Internet intermediaries, Mr Sibal demanded proactive and pre-emptive screening of posts that people make on social media sites, ostensibly to filter out or remove “offensive” content and hate speech. In a television interview, however, the minister denied he wanted to censor what Indians thought and shared with others online.

One is tempted to believe him. He was, after all, the amicus for the landmark People’s Union of Civil Liberties (PUCL) wiretapping judgment of 1996, which is pivotal to protecting our civil liberties when using communication technology in India.

Last week, though, Mr Sibal came out in public with his demands, saying that there was a lot of content that risked hurting the sensibilities of people and could lead to violence. “It was brought to my notice some of the images and content on platforms like Facebook, Twitter and Google are extremely offensive to the religious sentiments of people ...”We will not allow Indian sentiments and religious sentiments of large sections of the community to be hurt,” he said.

There was even a threat of state action if Internet companies did not comply with demands to screen content before it was posted online.

The NYT blogpost said, however, quoting executives from the Internet companies Mr Sibal had reportedly met, that the minister showed them a Facebook page that maligned Congress president Sonia Gandhi and told them, “This is unacceptable.”

Google responded to Mr Sibal by releasing its Transparency Report, saying that out of 358 items that it had been requested to remove between January and June 2011, only eight requests pertained to hate speech, while as many as 255 complaints were against “government criticism”.

Indian netizens raged against Mr Sibal, and very quickly #IdiotKapil Sibal was ‘trending’ on Twitter, with thousands posting comments against attempts to ‘censor’ Internet content. Much has changed, in Mr Sibal’s reckoning, between 1996 and 2011.

So, what’s all the fuss over ‘pre-screening’ and what’s at stake here? Critics of Mr Sibal say, our freedom of speech and expression is under threat. They see a pattern in the way the government has sought to impose rules and restrictions on Internet and telecommunications players, with demands on BlackBerry-maker RIM to give it access to its users’ email and messenger content, on telecom players to install electronic surveillance equipment and let the government eavesdrop as it sees fit, and on the likes of Google and Yahoo to part with email content and users’ details.

It all started with the amendments to the Information Tech-nology Act 2000 in 2008. Together, they constitute damaging consequences for citizens, including the creation of a multi-tier blanket surveillance regime, inappropriate security recommendations, and undermining freedom of speech and expression.

The amendments passed in 2008 — without any discussion in Parliament – did solve some existing policy concerns, but simultaneously introduced new ones. For instance, Section 66, introduced during this amendment, criminalises sending offensive messages through any ICT-based communication service.

Offensive messages are described as “grossly offensive, menacing character..... or causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.” These terms are not defined in the IT Act or in any other existing law, rules or case-law, except for a couple of exceptions such as what constitutes “criminal intimidation”. These limits on the freedom of expression go well beyond Article 19(2) of the Constitution, which only permits “reasonable restrictions...in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.”

If Mr Sibal himself were to don his lawyer’s coat again and launch a legal challenge to Section 66, in all likelihood, courts in India would strike it down as unconstitutional.

Section 79, which was amended, brought into being an intermediary liability regime. This was in part precipitated by the arrest of Avnish Bajaj, the former CEO of bazee.com in December 2004 for the infamous Delhi Public School MMS clip which was being sold on his e-commerce platform. Policy-makers were, however, convinced to follow international best practices and grant intermediaries immunity under certain conditions.

Just as the postal department is not considered liable for the content of letters or telecom operators liable for the content of phone conversations, Internet intermediaries, too, were to be considered “dumb pipes” or “common carriers” of content produced and distributed by users. Intermediaries therefore earned immunity from legal action so long as they acted upon take-down notices, or written requests for deletion of illegal content.

Section 79 was further clarified in April this year when the Intermediaries Guidelines Rules were notified. Stakeholders from the technology industry, media and civil society had sent feedback to the Department of Information Technology under the Ministry of Communication and Information Technology in February, but DIT choose to ignore the feedback and finalised rules with serious flaws in them. For one, a standardised “Terms of Service” that focused on limits on free expression had to be implemented by all intermediaries – forcing a one-size-fits-all approach.

Content that was 'harmful to minors' was not permissible regardless of the target market of the website. All intermediaries were supposed to act upon take-down notices within 36 hours, something that a Google may be able to do, but an average blogger could not.

Two, the vague terms introduced in Section 66A were left undefined. Intermediaries were asked to sit on judgment on the question of whether an article, image or video was causing 'inconvenience'.

Three, all principles of natural justice were ignored – the person responsible for posting the content would not be informed, s/he would not be given an opportunity to file a counter-notice to challenge the intermediary’s decision in court.

Four, the rules left it open for economically or politically motivated actors to seriously damage opponents online using fraudulent take-down notices, instead of treating abuse of the take-down notice system as an offence.

How the take-down system terrorises free expression on the Internet was illustrated when the Centre for Internet and Society, where this author works, undertook a research project. A pro-bono independent researcher who led the exercise sent fraudulent take-down notices to seven Internet companies in India. These included some of the largest and most popular Indian and foreign search engines, news portals and social media platforms.

Although they all employ the most competent lawyers in the country, six of the seven intermediaries over-complied, confirming our worst fears. In one case, a news portal deleted not just the specific comment that was mentioned in the take-down notice but 14 other comments as well. Most importantly, it must be pointed out, the comment identified in the take-down notice was itself an excellent piece of writing that could not be construed as “offensive” by any stretch!

In the single exception to the rule, one e-commerce portal refused to act upon a take-down notice trying to prevent the sale of diapers on the grounds that it was “harmful to minors”, rightly dismissing the notice as frivolous. But that exception simply proved a rule: Private intermediaries use their best lawyers to protect their commercial interests, but are highly risk-averse and do not value freedom of expression, unless it affects their bottomline.

Proactive and pre-emptive screening of social media content, as Mr Sibal has demanded, will only further compromise online civil liberties in what’s already a dismal situation. In short, we move from a post-facto to a pre-emptive censorship regime.

In fact, given the magnitude of the task of pre-screening in a nation with a 100 million Internet users and growing, such an intense censorship regime will mean not only that what Indian citizens say or post will be censored by private companies, but those private companies will, in turn, use machines to screen what humans are saying and doing! After all, otherwise, companies would require armies of human censors to screen the millions of posts that are made on Twitter and Facebook every minute.

But the Supreme Court has held that even the executive arm of government cannot engage in censorship prior to publication, let alone ordering private companies to do so. In any case, it’s a policy that’s bound to fail, for both technical reasons and for its failure to take into account human motivations.

Machines, as we know, continue to be poor judges of the nuances of human expression and will likely cause massive damage to the idea of public debate. Humans, on the other hand, will begin to circumvent machine filters – for example, content labelled as PRON instead of PORN will go through.

Draconian crackdown on certain types of fringe content is likely to have the counterproductive result of the general society developing an unhealthy obsession for exactly such content. Despite the comprehensive censorship controls in Saudi Arabia, for instance, pornography consumption is rampant, usually accessed via pirated satellite TV and circulated using personal computing devices and mobile phones.

But all is not lost yet, perhaps. Faced with the barrage of criticism, Mr Sibal has now called for public consultations on the issue of pre-screening content. There’s hope yet for freedom of speech and expression in India. Thanks to the Internet, a throwback to 1975 simply does not look possible.

Sunil Abraham is executive director of the Centre for Internet and Society, Bengaluru. He wrote this article in the Deccan Chronicle on December 11, 2011. Read the original here

For more details visit http://editors.cis-india.org/internet-governance/unkindest-cut-mr-sibal

Surveillance Project

sunil — 2016-04-05T15:21:27Z

The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

For more details visit http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project

Sunil Abraham - Key Listener Speech at Wikimedia Summit 2019

sunil — 2019-05-04T03:34:15Z

The Wikimedia Summit 2019 – formerly known as "Wikimedia Conference" or "Chapters Meeting" – took place on 29–31 March 2019 in Berlin. Sunil Abraham made a speech at the summit organized in Berlin.

Sunil answers a series of questions at the closing session of the Wikimedia Summit 2019:

What stands out?

Money. Creative Commons revenues are pegged at 2.4 million dollars. Mozilla Foundation gets 24 million dollars. Wikimedia Foundation gets 91 million dollars. So the job of pulling off the "Big Open" or the "creation of the meta movement" or "the movement of movements" is primarily the responsibility of the Wikimedia community given the scale of resources it is able to mobilize. For example, the Open Access movement has lost funding as its key donor Open Society Foundation after supporting the movement for 17 years is unable to support any further. The Wikipedia movement can easily save the global access movement by just allocating 1 million dollar for it.

What concerns me?

Homogenization. Homogenization of time frames, homogenization of process. Should we, for example, stagger the time period for online community consultation on the draft recommendations, so that there is less 'consultation fatigue' By homogenizing the processes at the Summit, it would be risking infantilizing the community. Would this meeting have been more exciting and useful, if Working Groups had the freedom to fork the process, and do what works for them.

What have I learned from my own journey and work?

Working with lawyers for the last 10 years, has led me to appreciate tests over principles. For example, in the open standards movement there is a constant question: is this particular standard an open standard? There, free software acts as the canary in the coal mine: If we cannot implement a standard using free software, then it is not an open standard. Working with lawyers for the last 10 years, has led me to appreciate tests over principles. For example, in the open standards movement there is a constant question: is this particular standard an open standard?There, free software acts as the canary in the coal mine: If we cannot implement a standard using free software, then it is not an open standard.

What have you learned that could be useful for the strategy process?

From the process architect I have learned that we shouldn't focus on solving /this/ particular instance of the problem, we should focus on working on developing processes that solve these problems in the future. So, the emphasis is on process fixes. This is really the bleeding edge of regulatory theory these days. Since we are in Germany, I must mention the name of the German academic Gunther Teubner who developed this concept of reflexive regulation 26 years ago in his article 'Substantive and Reflexive Elements in Modern Law.

What would you suggest to improve the strategy process?

The core of responsive regulation is community consultation processes. However, closing the loop on the consultation process is critical, otherwise participants feel that they have wasted time providing feedback. For example, the Indian telecom regulator first issues a consultation paper. Then solicits the first round of feedback, then solicits a second round of counter comments then they hold round tables, and, finally, they issue the recommendation or the regulation. But when they do that, they make sure they close the loop.They provide reasoned explanations for why suggestions were rejected. This might have to happen at both stages for this strategy development process. The working groups will have to say why they rejected certain pieces of feedback, and also the board will have to explain why they rejected certain recommendations from the working groups.

What would be your wish for this movement?

As we enter adulthood as a movement, it is important that we do not lose our youthful idealism. Idealism at two levels: ambition and vocabulary. Global civil society is broadly divided into two groups. Those who work on tractable problems, like getting rid of polio. And those who work on intractable problems, like saving and developing democracy. When monitoring and evaluation becomes a primary management lens for our movement, it shouldn't make us more and more risk-averse. Let us not focus on the easy problems let us always focus, as a movement, on the hard problems. When it comes to vocabulary, I am not totally sure that phrases like 'product experience', 'target markets', and 'Knowledge as a Service' is the vocabulary of the movement. Maybe, we need to think of two types of vocabulary, External facing vocabulary and internal facing vocabulary.

Watch the Video

Video, via Wikimedia Commons, source: https://commons.wikimedia.org/wiki/File:Wikimedia_Summit_2019_-_Key_listener_Sunil_Abraham.webm.
Author, Anna Rees (WMDE): Uploader: Cornelius Kibelka (WMDE), This file is licensed under the Creative Commons Attribution-Share Alike 4.0 International license.

For more details visit http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019

Substantive Areas

sunil — 2011-12-04T15:26:47Z

For more details visit http://editors.cis-india.org/about/substantive-areas

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

Software Patents

sunil — 2010-01-11T09:51:40Z

Software patents are a potent threat to both open standards as well as FOSS. While in India, pure software patents (i.e., a patent over a "computer programme per se") is not allowed, still software patents are to be reckoned with. The draft patent manual prepared by the Patent Office in 2008 seemingly goes against section 3(k) of the Patents Act, and allows partially for software patents. Further, the Patent Office sometimes incorrectly grants software patents, even though the same is prohibited by the law.

For more details visit http://editors.cis-india.org/openness/publications/software-patents