<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="http://editors.cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>http://editors.cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 21 to 35.
        
  </description>
  
  
  
  
  <image rdf:resource="http://editors.cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/about/substantive-areas"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/openness/publications/software-patents"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/sense-and-censorship"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/sense-and-censorship"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/openness/publications/content-access/CCMG_Location.gif"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/openness/publications/standards/the-response"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/home-images/pylons-bigger.jpg"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project">
    <title>Surveillance Project</title>
    <link>http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project</link>
    <description>
        &lt;b&gt;The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article will be &lt;a class="external-link" href="http://www.frontline.in/cover-story/surveillance-project/article8408866.ece"&gt;published in Frontline&lt;/a&gt;, April 15, 2016 print edition.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Zero&lt;/strong&gt;. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Zero&lt;/strong&gt;. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Zero&lt;/b&gt;. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Near zero&lt;/b&gt;. We now move to biometrics as the identification factor. The rate of potential duplicates, or “False Positive Identification Rate”, is according to the UIDAI only 0.057 per cent, which according to them means that only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in &lt;i&gt;Economic &amp;amp; Political Weekly&lt;/i&gt; by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Near zero&lt;/b&gt;. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Instantiation technology &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;One&lt;/b&gt;. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;One&lt;/b&gt;. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Competing providers&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest databases of biometric and transaction records securely for perpetuity.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project'&gt;http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-04-05T15:21:27Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019">
    <title>Sunil Abraham - Key Listener Speech at Wikimedia Summit 2019</title>
    <link>http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019</link>
    <description>
        &lt;b&gt;The Wikimedia Summit 2019 – formerly known as "Wikimedia Conference" or "Chapters Meeting" – took place on 29–31 March 2019 in Berlin. Sunil Abraham made a speech at the summit organized in Berlin. &lt;/b&gt;
        &lt;p&gt;Sunil answers a series of questions at &lt;span&gt;the closing session of the Wikimedia Summit 2019&lt;/span&gt;:&lt;/p&gt;
&lt;h3&gt;What stands out?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Money. Creative Commons revenues are pegged at 2.4 million dollars. Mozilla Foundation gets 24 million dollars. Wikimedia Foundation gets 91 million dollars. So the job of pulling off the "Big Open" or the "creation of the meta movement" or "the movement of movements" is primarily the responsibility of the Wikimedia community given the scale of resources it is able to mobilize. For example, the Open Access movement has lost funding as its key donor Open Society Foundation, after supporting the movement for 17 years, is unable to support it any further. The Wikipedia movement can easily save the global access movement by just allocating 1 million dollars for it.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What concerns me?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Homogenization. Homogenization of time frames, homogenization of process. Should we, for example, stagger the time period for online community consultation on the draft recommendations, so that there is less 'consultation fatigue'? By homogenizing the processes at the Summit, it would be risking infantilizing the community. Would this meeting have been more exciting and useful if Working Groups had the freedom to fork the process and do what works for them?&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What have I learned from my own journey and work?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Working with lawyers for the last 10 years has led me to appreciate tests over principles. For example, in the open standards movement there is a constant question: is this particular standard an open standard? &lt;span&gt;There, free software acts as the canary in the coal mine: if we cannot implement a standard using free software, then it is not an open standard.&lt;/span&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What have you learned that could be useful for the strategy process?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;From the process architect I have learned that we shouldn't focus on solving /this/ particular instance of the problem; we should focus on developing processes that solve these problems in the future. So, the emphasis is on process fixes. This is really the bleeding edge of regulatory theory these days. Since we are in Germany, I must mention the name of the German academic Gunther Teubner, who developed this concept of reflexive regulation 26 years ago in his article 'Substantive and Reflexive Elements in Modern Law'.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What would you suggest to improve the strategy process?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The core of responsive regulation is community consultation processes. However, closing the loop on the consultation process is critical, otherwise participants feel that they have wasted time providing feedback. For example, the Indian telecom regulator first issues a consultation paper. Then it solicits the first round of feedback, then it solicits a second round of counter comments, then it holds round tables, and, finally, it issues the recommendation or the regulation. But when they do that, they make sure they close the loop. They provide reasoned explanations for why suggestions were rejected. This might have to happen at both stages for this strategy development process. The working groups will have to say why they rejected certain pieces of feedback, and also the board will have to explain why they rejected certain recommendations from the working groups.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;What would be your wish for this movement?&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;As we enter adulthood as a movement, it is important that we do not lose our youthful idealism. Idealism at two levels: ambition and vocabulary. Global civil society is broadly divided into two groups. Those who work on tractable problems, like getting rid of polio. And those who work on intractable problems, like saving and developing democracy. When monitoring and evaluation becomes a primary management lens for our movement, it shouldn't make us more and more risk-averse. &lt;span&gt;Let us not focus on the easy problems; let us always focus, as a movement, on the hard problems. When it comes to vocabulary, I am not totally sure that phrases like 'product experience', 'target markets', and 'Knowledge as a Service' are the vocabulary of the movement. &lt;/span&gt;&lt;span&gt;Maybe we need to think of two types of vocabulary: external-facing vocabulary and internal-facing vocabulary.&lt;/span&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Watch the Video&lt;/h3&gt;
&lt;p&gt;&lt;iframe frameborder="0" height="288" src="https://commons.wikimedia.org/wiki/File:Wikimedia_Summit_2019_-_Key_listener_Sunil_Abraham.webm?embedplayer=yes" width="512"&gt;&lt;/iframe&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Video, via Wikimedia Commons, source: &lt;/span&gt;&lt;a href="https://commons.wikimedia.org/wiki/File:Wikimedia_Summit_2019_-_Key_listener_Sunil_Abraham.webm" target="_blank"&gt;https://commons.wikimedia.org/wiki/File:Wikimedia_Summit_2019_-_Key_listener_Sunil_Abraham.webm&lt;/a&gt;. &lt;br /&gt;&lt;span&gt;Author, &lt;/span&gt;&lt;a class="gmail-m_-4889359088796478559gmail-new" href="https://commons.wikimedia.org/w/index.php?title=User:Anna_Rees_(WMDE)&amp;amp;action=edit&amp;amp;redlink=1" target="_blank" title="User:Anna Rees (WMDE) (page does not exist)"&gt;Anna Rees (WMDE)&lt;/a&gt;&lt;span&gt;: Uploader: &lt;/span&gt;&lt;a class="gmail-m_-4889359088796478559gmail-mw-userlink" href="https://commons.wikimedia.org/wiki/User:Cornelius_Kibelka_(WMDE)" target="_blank" title="User:Cornelius Kibelka (WMDE)"&gt;Cornelius Kibelka (WMDE)&lt;/a&gt;&lt;span&gt;, This file is licensed under the &lt;a class="gmail-m_-4889359088796478559extiw" href="https://en.wikipedia.org/wiki/en:Creative_Commons" target="_blank" title="w:en:Creative Commons"&gt;Creative Commons&lt;/a&gt; &lt;a class="gmail-m_-4889359088796478559gmail-text gmail-m_-4889359088796478559external" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en" rel="nofollow" target="_blank"&gt;Attribution-Share Alike 4.0 International&lt;/a&gt; license.&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019'&gt;http://editors.cis-india.org/openness/sunil-abraham-key-listener-speech-at-wikimedia-summit-2019&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Openness</dc:subject>
    
    
        <dc:subject>Wikipedia</dc:subject>
    

   <dc:date>2019-05-04T03:34:15Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/about/substantive-areas">
    <title>Substantive Areas</title>
    <link>http://editors.cis-india.org/about/substantive-areas</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/about/substantive-areas'&gt;http://editors.cis-india.org/about/substantive-areas&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2011-12-04T15:26:47Z</dc:date>
   <dc:type>Folder</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around">
    <title>Spreading unhappiness equally around</title>
    <link>http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around</link>
    <description>
        &lt;b&gt;The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.&lt;/b&gt;
        &lt;p&gt;The article was published in &lt;a class="external-link" href="https://www.business-standard.com/article/opinion/spreading-unhappiness-equally-around-118073100008_1.html"&gt;Business Standard&lt;/a&gt; on July 31, 2018.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reined in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discrete property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with&lt;br /&gt;the henhouse.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around'&gt;http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-07-31T14:49:52Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/openness/publications/software-patents">
    <title>Software Patents</title>
    <link>http://editors.cis-india.org/openness/publications/software-patents</link>
    <description>
        &lt;b&gt;Software patents are a potent threat to both open standards as well as FOSS.  While in India, pure software patents (i.e., a patent over a "computer programme per se") are not allowed, still software patents are to be reckoned with.  The draft patent manual prepared by the Patent Office in 2008 seemingly goes against section 3(k) of the Patents Act, and allows partially for software patents.  Further, the Patent Office sometimes incorrectly grants software patents, even though the same is prohibited by the law.&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/openness/publications/software-patents'&gt;http://editors.cis-india.org/openness/publications/software-patents&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2010-01-11T09:51:40Z</dc:date>
   <dc:type>Folder</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse">
    <title>Snooping Can Lead to Data Abuse</title>
    <link>http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse</link>
    <description>
        &lt;b&gt;The NATGRID, aiming to link databases of 21 departments and ministries for better counter-terror measures, adopts a blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important, writes Sunil Abraham in this article published by Mail Today on June 9, 2011.&lt;/b&gt;
        
&lt;p&gt;The NATGRID, aiming to link databases of 21 departments and ministries for better counter-terror measures, adopts a blunt policy approach, subjecting every citizen to the same level of blanket surveillance, instead of a targeted approach that intelligently focuses on geographic or demographic areas that are currently important.&lt;br /&gt;&lt;br /&gt;All you manage to do with the current approach is help software, hardware and biometric equipment vendors achieve their sales targets. It is quite unlikely that security agencies will learn anything insightful by putting everybody under the same degree of surveillance. There is no scientific evidence to show that we will be a safer nation if the government eavesdropped into all aspects of a citizen’s life. Targeted surveillance, on the other hand, is like good old-fashioned detective work. Put a particular section — of potential troublemakers — under surveillance and leave the others alone.&lt;/p&gt;
&lt;p&gt;With round-the-clock, 100 per cent, 360-degree surveillance, all the data is scrutinised all the time. The more effective approach is to sample and collect data while maintaining data trails. If anything suspicious is noticed, the rest of the trail can be dug up. Blanket surveillance only leads to leaks and abuse and tremendous distraction. The surveillance infrastructure will be overburdened as 99 per cent of the records and files scanned will be of no interest in terms of fighting terrorism, etc.&lt;/p&gt;
&lt;p&gt;The 21 databases need to be opened only when there is anything suspicious in any of the extracted and scrutinised samples or subsets. If there is a suspicious pattern, it should lead to opening of subsets in all the databases. Obviously, there should be ways in which the databases can talk to each other — demand for a particular subset, and not for all the records to be available to agencies all the time.&lt;/p&gt;
&lt;p&gt;The NATGRID has to be able to let investigators selectively go in and out of the necessary subsets of data. No one should be able to have a 360-degree view of all activities of all Indians. As of now, the NATGRID design does not appear to have a safeguard for data abuse. And no matter what you see in Hollywood movies, this configuration does not exist in Europe or the US. Two important forms of protections that should be available in democracies with robust privacy laws are missing in India. The first is breach notification.&lt;/p&gt;
&lt;p&gt;If intelligence agencies and the police have looked up your files, you have a right to be informed. Secondly, you can request a copy of the information that is maintained on you and request modifications if the data is inaccurate, so as to prevent harassment. Such checks and balances are necessary for an intelligent and appropriate surveillance regime.&lt;/p&gt;
&lt;p&gt;Merging all 21 databases for 1.2 billion people into a single system only provides a juicy target for any internal or external enemy. From the perspective of national security, it is a foolish thing to do. Terrorist groups will be able to target a single failure point to destroy over a billion lives. Since the current configuration of the NATGRID only undermines national security, one is forced to conclude that national security is a false pretext.&lt;/p&gt;
&lt;p&gt;This explains the deep scepticism among many of the intelligence agencies involved. The real purpose of the project is to scare citizens in the age of Arab springs. The NATGRID is a disciplinary measure aimed at social engineering of citizens’ behaviour. Unfortunately, our media has been misled by the corporate cheerleaders of this humongous waste of money.&lt;/p&gt;
&lt;p&gt;The writer is executive director at the Centre for Internet and Society in Bangalore.&lt;br /&gt;(As told to Max Martin)&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://epaper.mailtoday.in/epaperhome.aspx?issue=962011"&gt;Follow on Mail Today&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://editors.cis-india.org/internet-governance/publications/snooping-data-abuse.pdf" class="internal-link" title="Snooping Can Lead to Data Abuse (PDF)"&gt;Download the original here&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse'&gt;http://editors.cis-india.org/internet-governance/blog/snooping-to-data-abuse&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:39:22Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a">
    <title>Shreya Singhal and 66A</title>
    <link>http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a</link>
    <description>
        &lt;b&gt;Most software code has dependencies. Simple and reproducible methods exist for mapping and understanding the impact of these dependencies. Legal code also has dependencies, across court orders and within a single court order. And since court orders are not produced using a structured mark-up language, experts are required to understand the precedential value of a court order.&lt;/b&gt;
        &lt;div class="field-field-articlenote field-type-text field" style="text-align: justify; "&gt;
&lt;div class="field-items"&gt;
&lt;div class="odd field-item"&gt;
&lt;p&gt;The article was published in the Economic and Political Weekly Vol-L No.15.  Vidushi Marda, programme officer at the Centre  for Internet and Society, was responsible for all the research that went  into this article. &lt;a href="http://editors.cis-india.org/internet-governance/blog/shreya-singhal-judgment.pdf" class="external-link"&gt;PDF version here&lt;/a&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;As a non-lawyer and engineer, I cannot authoritatively comment on the Supreme Court’s order in &lt;i&gt;Shreya Singhal vs Union of India&lt;/i&gt; (2015) on sections of the Information Technology Act of 2000, so I have tried to summarise a variety of views of experts in this article. The &lt;i&gt;Shreya Singhal&lt;/i&gt; order is said to be unprecedented at least for the last four decades and also precedent setting as its lucidity, some believe, will cause a ripple effect in opposition to a restrictive understanding of freedom of speech and expression, and an expansiveness around reasonable restrictions. Let us examine each of the three sections that the bench dealt with.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Section in Question&lt;/h3&gt;
&lt;p&gt;Section 66A of the IT Act was introduced in a hastily-passed amendment. Unfortunately, the language used in this section was a pastiche of outdated foreign 	laws such as the UK Communications Act of 2003, Malicious Communications Act of 1988 and the US Telecommunications Act, 1996.&lt;sup&gt;1&lt;/sup&gt; Since the 	amendment, this section has been misused to make public examples out of innocent, yet uncomfortable speech, in order to socially engineer all Indian 	netizens into self-censorship.&lt;sup&gt;2&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Summary: &lt;/b&gt; The Court struck down Section 66A of the IT Act in its entirety holding that it was not saved by Article 19(2) of the Constitution on account of the 	expressions used in the section, such as "annoying," "grossly offensive," "menacing,", "causing annoyance." The Court justified this by going through the 	reasonable restrictions that it considered relevant to the arguments and testing them against S66A. Apart from not falling within any of the categories for 	which speech may be restricted, S66A was struck down on the grounds of vagueness, over-breadth and chilling effect. The Court considered whether some parts 	of the section could be saved, and then concluded that no part of S66A was severable and declared the entire section unconstitutional. When it comes to 	regulating speech in the interest of public order, the Court distinguished between discussion, advocacy and incitement. It considered the first two to fall 	under the freedom of speech and expression granted under Article 19(1)(a), and held that it was only incitement that attracted Article 19(2).&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Between Speech and Harm&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Gautam Bhatia, a constitutional law expert, has an optimistic reading of the judgment that will have value for precipitating the ripple effect. According to him, there were two incompatible strands of jurisprudence which have been harmonised by collapsing tendency into imminence.&lt;sup&gt;3&lt;/sup&gt; The first strand, exemplified by &lt;i&gt;Ramjilal Modi vs State of UP&lt;/i&gt;&lt;sup&gt;4&lt;/sup&gt; and &lt;i&gt;Kedar Nath Singh vs State of Bihar,&lt;/i&gt;&lt;sup&gt;5&lt;/sup&gt; imported an older and weaker American standard, that is, the tendency test, between the speech and public order consequences. The second strand exemplified by &lt;i&gt;Ram Manohar Lohia vs State of UP,&lt;/i&gt;&lt;sup&gt;6&lt;/sup&gt; &lt;i&gt;S Rangarajan vs P Jagjivan Ram&lt;/i&gt;,&lt;sup&gt;7&lt;/sup&gt; and &lt;i&gt;Arup Bhuyan vs Union of India,&lt;/i&gt;&lt;sup&gt;8&lt;/sup&gt; all require greater proximity between the speech and the disorder anticipated. In &lt;i&gt;Shreya Singhal, &lt;/i&gt;the Supreme Court held that at the stage of incitement, the reasonable restrictions will step in to curb speech that has a tendency to cause disorder. Other experts are of the opinion that Justice Nariman was doing no such thing, and was only sequentially applying all the tests for free speech that have been developed within both these strands of precedent. In legal activist Lawrence Liang's analysis, "Ramjilal Modi was decided by a seven judge bench and Kedarnath by a constitutional bench. As is often the case in India, when subsequent benches of a lower strength want to distinguish themselves from older precedent but are unable to overrule them, they overcome this constraint through a doctrinal development by stealth. This is achieved by creative interpretations that chip away at archaic doctrinal standards without explicitly discarding them."&lt;sup&gt;9&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Compatibility with US Jurisprudence&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;United States (US) jurisprudence has been imported by the Indian Supreme Court in an inconsistent manner. Some judgments hold that the American first amendment harbours no exception and hence is incompatible with Indian jurisprudence, while other judgments have used American precedent when convenient. Indian courts have on occasion imported an additional restriction beyond the eight available in 19(2): the ground of public interest, best exemplified by the cases of &lt;i&gt;K A Abbas&lt;/i&gt;&lt;sup&gt;10&lt;/sup&gt; and &lt;i&gt;Ranjit Udeshi.&lt;/i&gt;&lt;sup&gt;11&lt;/sup&gt; The bench in its judgment, which has been characterised by Pranesh Prakash as a masterclass in free speech jurisprudence,&lt;sup&gt;12&lt;/sup&gt; clarifies that while the American first amendment jurisprudence is applicable in India, the only area where a difference is made is in the "sub serving of general public interest" made under the US law. This eloquent judgment will hopefully instruct judges in the future on how they should import precedent from American free speech jurisprudence.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Article 14 Challenge&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The Article 14 challenge brought forward by the petitioners contended that Section 66A violated their fundamental right to equality because it differentiated between offline and online speech in terms of the length of maximum sentence, and was hence unconstitutional. The Court held that an intelligible differentia, indeed, did exist. It found so on two grounds. First, the internet offered people a medium through which they can express views at negligible or no cost. Second, the Court likened the rate of dissemination of information on the internet to the speed of lightning and could potentially reach millions of people all over the world. Before &lt;i&gt;Shreya Singhal&lt;/i&gt;, the Supreme Court had already accepted medium-specific regulation. For example in &lt;i&gt;K A Abbas&lt;/i&gt;, the Court made a distinction between films and other media, stating that the impact of films on an average illiterate Indian viewer was more profound than other forms of communication. The pessimistic reading of &lt;i&gt;Shreya Singhal&lt;/i&gt; is that Parliament can enact medium-specific law as long as there is an intelligible differentia which could even be a technical difference: speed of transmission. However, the optimistic interpretation is that medium-specific law can only be enacted if there are medium-specific harms, e g, phishing, which has no offline equivalent. If the executive adopts the pessimistic reading, then draconian sections like 66A will find their way back into the IT Act. Instead, if they choose the optimistic reading, they will introduce bills that fill the regulatory vacuum that has been created by the striking down of S66A, that is, spam and cyberbullying.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 79 &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Section 79 was partially read down. This section, again introduced during the 2008 amendment, was supposed to give legal immunity to intermediaries for third party content by giving a quick redressal for those affected by providing a mechanism for takedown notices in the Intermediaries Guidelines Rules notified in April 2011. But the section and rules had enabled unchecked invisible censorship&lt;sup&gt;13&lt;/sup&gt; in India and have had a demonstrated chilling effect on speech&lt;sup&gt;14&lt;/sup&gt; for the following reasons:&lt;/p&gt;
&lt;p&gt;One, there are additional unconstitutional restrictions on speech and expression. Rule 3(2) required a standard "rules and regulation, terms and condition 	or user agreement" that would have to be incorporated by all intermediaries. Under these rules, users are prohibited from hosting, displaying, uploading, 	modifying, publishing, transmitting, updating or sharing any information that falls into different content categories, a majority of which are restrictions 	on speech which are completely out of the scope of Article 19(2). For example, there is an overly broad category which contains information that harms 	minors in any way. Information that "belongs to another person and to which the user does not have any right to" could be personal information or could be 	intellectual property. A much better intermediary liability provision was introduced into the Copyright Act with the 2013 amendment. Under the Copyright 	Act, content could be reinstated if the takedown notice was not followed up with a court order within 21 days.&lt;sup&gt;15&lt;/sup&gt; A counter-proposal drafted by 	the Centre for Internet and Society for "Intermediary Due Diligence and Information Removal," has a further requirement for reinstatement that is not seen 	in the Copyright Act.&lt;sup&gt;16&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;Two, a state-mandated private censorship regime is created. You could ban speech online without approaching the court or the government. Risk-aversive private intermediaries who do not have the legal resources to subjectively determine the legitimacy of a legal claim err on the side of caution and take down content.&lt;/p&gt;
&lt;p&gt;Three, the principles of natural justice are not observed by the rules of the new censorship regime. The creator of information is not required to be 	notified nor given a chance to be heard by the intermediary. There is no requirement for the intermediary to give a reasoned decision.&lt;/p&gt;
&lt;p&gt;Four, different classes of intermediaries are all treated alike. Since the internet is not a uniform assemblage of homogeneous components, but rather a complex ecosystem of diverse entities, the different classes of intermediaries perform different functions and therefore contribute differently to the causal chain of harm to the affected person. If upstream intermediaries like registrars for domain names are treated exactly like a web-hosting service or social media service then there will be over-blocking of content.&lt;/p&gt;
&lt;p&gt;Five, there are no safeguards to prevent abuse of takedown notices. Frivolous complaints could be used to suppress legitimate expressions without any fear 	of repercussions and given that it is not possible to expedite reinstatement of content, the harm to the creator of information may be irreversible if the 	information is perishable. Transparency requirements with sufficient amounts of detail are also necessary given that a human right was being circumscribed. 	There is no procedure to have the removed information reinstated by filing a counter notice or by appealing to a higher authority.&lt;/p&gt;
&lt;p&gt;The judgment has solved half the problem by only making intermediaries lose immunity if they ignore government orders or court orders. Private takedown notices sent directly to the intermediary without accompanying government orders or court orders no longer have basis in law. The bench made note of the Additional Solicitor General's argument that user agreement requirements as in Rule 3(2) were common practice across the globe and then went ahead to read down Rule 3(4) from the perspective of private takedown notices. One way of reading this would be to say that the requirement for standardised "rules and regulation, terms and condition or user agreement" remains. The other more consistent way of reading this part of the order in conjunction with the striking down of 66A would be to say those parts of the user agreement that are in violation of Article 19(2) have also been read down.&lt;/p&gt;
&lt;p&gt;This would have also been an excellent opportunity to raise the transparency requirements both for the State and for intermediaries: for (i) the person 	whose speech is being censored, (ii) the persons interested in consuming that speech, and (iii) the general public. It is completely unclear whether 	transparency in the case of India has reduced the state appetite for censorship. Transparency reports from Facebook, Google and Twitter claim that takedown 	notices from the Indian government are on the rise.&lt;sup&gt;17&lt;/sup&gt; However, on the other hand, the Department of Electronics and Information Technology 	(DEITY) claims that government statistics for takedowns do not match the numbers in these transparency reports.&lt;sup&gt;18&lt;/sup&gt; The best way to address this 	uncertainty would be to require each takedown notice and court order to be made available by the State, intermediary and also third-party monitors of free 	speech like the Chilling Effects Project.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 69A&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The Court upheld S69A which deals with website blocking, and found that it was a narrowly-drawn provision with adequate safeguards, and, hence, not 	constitutionally infirm. In reality, unfortunately, website blocking usually by internet service providers (ISPs) is an opaque process in India. Blocking 	under S69A has been growing steadily over the years. In its latest response to an RTI (right to information)&lt;sup&gt;19&lt;/sup&gt; query from the Software Freedom 	Law Centre, DEITY said that 708 URLs were blocked in 2012, 1,349 URLs in 2013, and 2,341 URLs in 2014. On 30 December 2014 alone, the centre blocked 32 	websites to curb Islamic State of Iraq and Syria propaganda, among which were "pastebin" websites, code repository (Github) and generic video hosting sites 	(Vimeo and Daily Motion).&lt;sup&gt;20&lt;/sup&gt; Analysis of leaked block lists and lists received as responses to RTI requests have revealed that the block orders 	are full of errors (some items do not exist, some items are not technically valid web addresses), in some cases counter speech which hopes to reverse the 	harm of illegal speech has also been included, web pages from mainstream media houses have also been blocked and some URLs are base URLs which would result 	in thousands of pages getting blocked when only a few pages might contain allegedly illegal content.&lt;sup&gt;21&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Pre-decisional Hearing&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The central problem with the law as it stands today is that it allows for the originator of information to be isolated from the process of censorship. The Website Blocking Rules provide that all "reasonable efforts" must be made to identify the originator or the intermediary who hosted the content. However, Gautam Bhatia offers an optimistic reading of the judgment; he claims that the Court has read into this "or" and made it an "and", thus requiring that the originator &lt;i&gt;must also&lt;/i&gt; be notified of blocks when he or she can be identified.&lt;sup&gt;22&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Transparency&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Usually, the reasons for blocking a website are unknown both to the originator of material as well as those trying to access the blocked URL. The general 	public also get no information about the nature and scale of censorship unlike offline censorship where the court orders banning books and movies are 	usually part of public discourse. In spite of the Court choosing to leave Section 69A intact, it stressed the importance of a written order for blocking, 	so that a writ may be filed before a high court under Article 226 of the Constitution. While citing this as an existing safeguard, the Court seems to have 	been under the impression that either the intermediary or the originator is normally informed, but according to Apar Gupta, a lawyer for the People's Union 	for Civil Liberties, "While the rules indicate that a hearing is given to the originator of the content, this safeguard is not evidenced in practice. Not 	even a single instance exists on record for such a hearing."&lt;sup&gt;23&lt;/sup&gt; Even worse, block orders have been unevenly implemented by ISPs with variations 	across telecom circles, connectivity technologies, making it impossible for anyone to independently monitor and reach a conclusion whether an internet 	resource is inaccessible as a result of a S69A block order or due to a network anomaly.&lt;/p&gt;
&lt;p&gt;Rule 16 under S69A requires confidentiality with respect to blocking requests and complaints, and actions taken in that regard. The Court notes that this 	was argued to be unconstitutional, but does not state their opinion on this question. Gautam Bhatia holds the opinion that this, by implication, requires 	that requests cannot be confidential. Chinmayi Arun, from the Centre for Communication Governance at National Law University Delhi, one of the academics 	supporting the petitioners, holds the opinion that it is optimism carried too far to claim that the Court noted the challenge to Rule 16 but just forgot 	about it in a lack of attention to detail that is belied by the rest of the judgment.&lt;/p&gt;
&lt;p&gt;Free speech researchers and advocates have thus far used the RTI Act to understand the censorship under S69A. The Centre for Internet and Society has filed 	a number of RTI queries about websites blocked under S69A and has never been denied information on grounds of Rule 16.&lt;sup&gt;24&lt;/sup&gt; However, there has been 	an uneven treatment of RTI queries by DEITY in this respect, with the Software Freedom Law Centre&lt;sup&gt;25&lt;/sup&gt; being denied blocking orders on the basis of 	Rule 16. The Court could have protected free speech and expression by reading down Rule 16 except for a really narrow set of exceptions wherein only 	aggregate information would be made available to affected parties and members of the public.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Conclusions&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;In &lt;i&gt;Shreya Singhal&lt;/i&gt;, the Court gave us great news: S66A has been struck down; good news: S79(3) and its rules have been read down; and bad news: 	S69A has been upheld. When it comes to each section, the impact of this judgment can either be read optimistically or pessimistically, and therefore we 	must wait for constitutional experts to weigh in on the ripple effect that this order will produce in other areas of free speech jurisprudence in India. 	But even as free speech activists celebrate &lt;i&gt;Shreya Singhal&lt;/i&gt;,&lt;i&gt; &lt;/i&gt;some are bemoaning the judgment as throwing the baby away with the bathwater, 	and wish to reintroduce another variant of S66A. Thus, we must remain vigilant.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 G S Mudur (2012): "66A 'Cut and Paste Job,'" &lt;i&gt;The Telegraph, &lt;/i&gt;3 December, visited on 3 April, 2015, &lt;a href="http://www.telegraphindia.com/1121203/jsp/frontpage/story_16268138.jsp" title="http://www.telegraphindia.com/1121203/jsp/frontpage/story_16268138.jsp"&gt;http://www.telegraphindia.com/1121203/jsp/frontpage/story_16268138.jsp&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;2 Sunil Abraham (2012): "The Five Monkeys and Ice Cold Water," Centre for Internet and Society, 26 September, visited on 3 April 2015, 	&lt;a href="http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water" title="http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-2012-sunil-abraham-the-five-monkeys-and-ice-cold-water"&gt; http://cis-india.org/internet-governance/www-deccan-chronicle-sep-16-201... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;3 Gautam Bhatia (2015): "The Striking Down of 66A: How Free Speech Jurisprudence in India Found Its Soul Again," Indian Constitutional Law and Philosophy, 26 March, visited on 4 April 2015, &lt;a href="https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-section-66a-how-indian-free-speech-jurisprudence-found-its-soul-again/" title="https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-section-66a-how-indian-free-speech-jurisprudence-found-its-soul-again/"&gt; https://indconlawphil.wordpress.com/2015/03/26/the-striking-down-of-sect... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;4 &lt;i&gt;Ramjilal Modi vs State of UP&lt;/i&gt;, 1957, SCR 860.&lt;/p&gt;
&lt;p&gt;5 &lt;i&gt;Kedar Nath Singh vs State of Bihar&lt;/i&gt;, 1962, AIR 955.&lt;/p&gt;
&lt;p&gt;6 &lt;i&gt;Ram Manohar Lohia vs State of UP&lt;/i&gt;, AIR, 1968 All 100.&lt;/p&gt;
&lt;p&gt;7 &lt;i&gt;S Rangarajan vs P Jagjivan Ram, &lt;/i&gt;1989, SCC(2), 574.&lt;/p&gt;
&lt;p&gt;8 &lt;i&gt;Arup Bhuyan vs Union of India, &lt;/i&gt;(2011), 3 SCC 377.&lt;/p&gt;
&lt;p&gt;9 Lawrence Liang, Alternative Law Forum, personal communication to author, 6 April 2015.&lt;/p&gt;
&lt;p&gt;10 &lt;i&gt;K A Abbas vs Union of India, &lt;/i&gt;1971 SCR (2), 446.&lt;/p&gt;
&lt;p&gt;11 &lt;i&gt;Ranjit Udeshi vs State of Maharashtra, &lt;/i&gt;1965 SCR (1) 65.&lt;/p&gt;
&lt;p&gt;12 Pranesh Prakash (2015): "Three Reasons Why 66A Verdict Is Momentous," &lt;i&gt;Times of India&lt;/i&gt;, 29 March, visited on 6 April 2015, &lt;a href="http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Three-reasons-why-66A-verdict-is-momentous/articleshow/46731904.cms" title="http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Three-reasons-why-66A-verdict-is-momentous/articleshow/46731904.cms"&gt; http://timesofindia.indiatimes.com/home/sunday-times/all-that-matters/Th... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;13 Pranesh Prakash (2011): "Invisible Censorship: How the Government Censors Without Being Seen," The Centre for Internet and Society, 14 December, visited on 6 April 2015, &lt;a href="http://cis-india.org/internet-governance/blog/invisible-censorship" title="http://cis-india.org/internet-governance/blog/invisible-censorship"&gt; http://cis-india.org/internet-governance/blog/invisible-censorship &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;14 Rishabh Dara (2012): "Intermediary Liability in India: Chilling Effects on Free Expression on the Internet," The Centre for Internet and Society, 27 	April, visited on 6 April 2015, 	&lt;a href="http://cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet" title="http://cis-india.org/internet-governance/chilling-effects-on-free-expression-on-internet"&gt; http://cis-india.org/internet-governance/chilling-effects-on-free-expres... &lt;/a&gt; .&lt;/p&gt;
&lt;p&gt;15 Rule 75, Copyright Rules, 2013.&lt;/p&gt;
&lt;p&gt;16 The Draft Counter Proposal is available at 	&lt;a href="http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.pdf/view" title="http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.pdf/view"&gt; http://cis-india.org/internet-governance/counter-proposal-by-cis-draft-i... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;17 According to Facebook's transparency report, there were 4,599 requests in the first half of 2014, followed by 5,473 requests in the latter half. Available at &lt;a href="https://govtrequests.facebook.com/country/India/2014-H2/" title="https://govtrequests.facebook.com/country/India/2014-H2/"&gt;https://govtrequests.facebook.com/country/India/2014-H2/&lt;/a&gt;; also see Google's transparency report, available at http://www.google.com/transparencyreport/removals/government/IN/?hl=en, and Twitter's report, available at https://transparency.twitter.com/country/in&lt;/p&gt;
&lt;p&gt;18 Surabhi Agarwal (2015): "Transparency Reports of Internet Companies are Skewed: Gulshan Rai," &lt;i&gt;Business Standard&lt;/i&gt;, 31 March, viewed on 5 April 2015, &lt;a href="http://www.business-standard.com/article/current-affairs/transparency-reports-of-internet-companies-are-skewed-gulshan-rai-115033000808_1.html" title="http://www.business-standard.com/article/current-affairs/transparency-reports-of-internet-companies-are-skewed-gulshan-rai-115033000808_1.html"&gt; http://www.business-standard.com/article/current-affairs/transparency-re... &lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;19 	&lt;a href="http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reveal-more/" title="http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reveal-more/"&gt; http://sflc.in/deity-says-2341-urls-were-blocked-in-2014-refuses-to-reve... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;20 "32 Websites Go Blank&lt;i&gt;,&lt;/i&gt;"&lt;i&gt; The Hindu, &lt;/i&gt;1 January 2015, viewed on 6 April 2015, 	&lt;a href="http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/article6742372.ece" title="http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/article6742372.ece"&gt; http://www.thehindu.com/news/national/now-modi-govt-blocks-32-websites/a... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;21 Pranesh Prakash (2012): "Analysing Latest List of Blocked Sites (Communalism and Rioting Edition)," 22 August, viewed on 6 April 2015, 	&lt;a href="http://cis-india.org/internet-governance/blog/analysing-blocked-sites-riots-communalism" title="http://cis-india.org/internet-governance/blog/analysing-blocked-sites-riots-communalism"&gt; http://cis-india.org/internet-governance/blog/analysing-blocked-sites-ri... &lt;/a&gt; . Also, see Part II of the same series at 	&lt;a href="http://cis-india.org/internet-governance/analyzing-the-latest-list-of-blocked-sites-communalism-and-rioting-edition-part-ii" title="http://cis-india.org/internet-governance/analyzing-the-latest-list-of-blocked-sites-communalism-and-rioting-edition-part-ii"&gt; http://cis-india.org/internet-governance/analyzing-the-latest-list-of-bl... &lt;/a&gt; and analysis of blocking in February 2013, at 	&lt;a href="http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot" title="http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-blocked-urls-by-dot"&gt; http://cis-india.org/internet-governance/blog/analyzing-latest-list-of-b... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;22 Gautam Bhatia (2015): "The Supreme Court's IT Act Judgment, and Secret Blocking," Indian Constitutional Law and Philosophy, 25 March, viewed on 6 April 	2015, 	&lt;a href="https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act-judgment-and-secret-blocking/" title="https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act-judgment-and-secret-blocking/"&gt; https://indconlawphil.wordpress.com/2015/03/25/the-supreme-courts-it-act... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;23 Apar Gupta (2015): "But What about Section 69A?," &lt;i&gt;Indian Express&lt;/i&gt;, 27 March, viewed on 5 April 2015, &lt;a href="http://indianexpress.com/article/opinion/columns/but-what-about-section-69a/" title="http://indianexpress.com/article/opinion/columns/but-what-about-section-69a/"&gt;http://indianexpress.com/article/opinion/columns/but-what-about-section-69a/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;24 Pranesh Prakash (2011): DIT's Response to RTI on Website Blocking, The Centre for Internet and Society, 7 April, viewed on 6 April 2015, &lt;a href="http://cis-india.org/internet-governance/blog/rti-response-dit-blocking" title="http://cis-india.org/internet-governance/blog/rti-response-dit-blocking"&gt; http://cis-india.org/internet-governance/blog/rti-response-dit-blocking &lt;/a&gt;. Also see &lt;a href="http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-rti-blocking" title="http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-rti-blocking"&gt; http://cis-india.org/internet-governance/blog/analysis-dit-response-2nd-... &lt;/a&gt; and &lt;a href="http://cis-india.org/internet-governance/resources/reply-to-rti-application-on-blocking-of-website-and-rule-419a-of-indian-telegraph-rules-1951" title="http://cis-india.org/internet-governance/resources/reply-to-rti-application-on-blocking-of-website-and-rule-419a-of-indian-telegraph-rules-1951"&gt; http://cis-india.org/internet-governance/resources/reply-to-rti-applicat... &lt;/a&gt;&lt;/p&gt;
&lt;p&gt;25 	&lt;a href="http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-DEITY.pdf" title="http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-DEITY.pdf"&gt; http://sflc.in/wp-content/uploads/2015/04/RTI-blocking-final-reply-from-... &lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a'&gt;http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-sunil-abraham-april-11-2015-shreya-singhal-and-66a&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    
    
        <dc:subject>Freedom of Speech and Expression</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Chilling Effect</dc:subject>
    

   <dc:date>2015-04-19T08:09:42Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be">
    <title>Services like TwitterSeva aren’t the silver bullets they are made out to be </title>
    <link>http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be</link>
    <description>
        &lt;b&gt;TwitterSeva is great, but it should not be considered a sufficient replacement for proper e-governance systems. This is because there are several serious shortcomings with the TwitterSeva approach, and it is no wonder that enthusiastic police officers and bureaucrats are somewhat upset with the slow deployment of e-governance applications. They are also right in being frustrated with the lack of usability and scalability of existing applications that hold out the promise of adopting private sector platforms to serve citizens better.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Sunil Abraham, executive director of the Centre for Internet         and Society, wrote this in response to the &lt;a href="http://factordaily.com/twitter-helping-india-reboot-public-services-publicly/" target="_blank"&gt;FactorDaily story&lt;/a&gt; on TwitterSeva, a         special feature developed by Twitter’s India team to help         citizens connect better with government services. Sunil's article in FactorDaily can be &lt;a class="external-link" href="http://factordaily.com/twitterseva-egovernance-public-services/"&gt;read here&lt;/a&gt;.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;h3 style="text-align: justify; "&gt;Let’s take a look at why the TwitterSeva approach is not adequate:&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;1. Vendor and Technology Neutrality:&lt;/b&gt; Providing a       level ground for competing technologies in e-governance has been a       globally accepted best practice for about 15 years now. This is       usually done by using open standards policies and interoperability       frameworks.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India does have a national open standards policy, but the National Informatics Centre &lt;a href="http://www.nic.in/" target="_blank"&gt;(NIC)&lt;/a&gt; has only published one chapter of the Interoperability Framework for e-Governance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The thing is, while Twitter might be the preferred choice for       urban elites and the middle class, it might not be the choice of       millions of Indians coming online. By implicitly signaling to       citizens that Twitter complaints will be taken more seriously than       e-mail or SMS complaints, the government is becoming a salesperson       for Twitter. Ideally, all interactions that the state has with       citizens should be such that citizens can choose which vendor and       technology they would like to use. Ideally, the government should       have its own work-flow so that it can harvest complaints, feedback       and other communications from all social media platforms be it       Twitter or &lt;a href="https://identi.ca/" target="_blank"&gt;Identica&lt;/a&gt;,       Facebook or &lt;a href="https://joindiaspora.com/" target="_blank"&gt;Diaspora&lt;/a&gt;,       and publish responses back onto them.&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;By implicitly signalling to citizens that Twitter complaints           will be taken more seriously than e-mail or SMS complaints,           the government is becoming a salesperson for Twitter&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Apart from undermining the power of choice for citizens, lack of       vendor and technology neutrality in government use of technology       undermines the efficient functioning of a competitive free market,       which is the bedrock of future innovation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When it comes to micro-blogging, Twitter has established a near       monopoly in India. There are no clear signs of harm and therefore       it would not be wise to advocate that the Competition Commission       of India investigate Twitter. However, if the government helps       Twitter tighten its grip over the Indian market, it is preventing       the next cycle of creative destruction and disruption. Therefore,       e-governance applications should ideally only “loosely couple”       with the APIs of private firms so that competition and innovation       are protected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;2. Holistic Approach and Accountability:&lt;/b&gt; Ideally, as the Electronic Service Delivery Bill 2011 had       envisaged, every agency within the government was supposed to       (within 180 days of the enactment of the Act) do several things:       publish a list of services that will be delivered electronically       with a deadline for each service; commit to service-level       agreements for each service and provide details of the manner of       delivery; provide an agency-level grievance redressal mechanism       for citizens unhappy with the delivery of these electronic       services.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Notwithstanding the 180-day commitment, the Bill required that       “all public services shall be delivered in electronic mode within       five years” after the enactment of the Bill with a potential       three-year extension if the original deadline was not met. The       Bill also envisaged the constitution of a Central Electronic       Service Delivery Commission with a team of commissioners who       “monitor the implementation of this Bill on a regular basis” and       publish an annual report which would include “the number of       electronic service requests in response to which service was       provided in accordance with the applicable service levels and an       analysis of the remaining cases.”&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;The Electronic Service Delivery Bill 2011 had a much more           comprehensive and accountable plan for e-governance adoption           in the country&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;Citizens suffering from non-compliance with the provisions of the       Bill and unsatisfied with the response from the agency level       grievance redressal mechanism could appeal to the Commission. The       state or central commissioners after giving the government       officials an opportunity to be heard were empowered to impose a       fine of Rs 5000.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unlike the piecemeal approach of TwitterSeva, the Bill had a much       more comprehensive and accountable plan for e-governance adoption       in the country.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;3. Right To Transparency:&lt;/b&gt; Some of the       interactions that the government has with citizens and firms may       have to be disclosed under the obligation emerging from the Right       to Information Act for disclosure to the public or to the       requesting party. Therefore it is important that the government       take its own steps for the retention of all data and records —       independent of the goodwill and lifecycles of private firms.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Twitter is only 10 years old. It took 10 years for Orkut to shut down. Maybe Twitter will shut down in the next 10 years. How then will the government comply with RTI requests? Even if the government is not keen on pushing for data portability as a right for consumers (just like mobile number portability in telecom, so that consumers can seamlessly shift between competing service providers), it absolutely should insist on data portability for all government use.&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;Twitter is only 10 years old. It took 10 years for Orkut to           shut down. Maybe Twitter will shut down in the next 10 years.           How then will the government comply with RTI requests?&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;This will allow it to a) support multiple services, b) shift to competing/emerging services, c) incrementally build its own infrastructure, and also comply with the requirements of the Right to Information Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;4. Privacy:&lt;/b&gt; Unfortunately, thanks to the       techno-utopians behind the Aadhaar project, the current government       is infected with “data ideology.” There is an obsession with       collecting as much data as possible from citizens, storing it in       centralized databases and providing “dashboards” to bureaucrats       and politicians. This is diametrically opposed to the view of the       security community.&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;Unfortunately, thanks to the techno-utopians behind the           Aadhaar project, the current government is infected with “data           ideology”&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;For example, Bruce Schneier posted on his blog in March this year (in a piece titled ‘&lt;a href="https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html" target="_blank"&gt;Data is a Toxic Asset&lt;/a&gt;’) saying: “What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous.” This idea has always been part of data protection law, starting with the 2005 EU Data Protection Directive, expressed as the principle of “Data Minimization” or “Collection Limitation”. More recently, technologists and policy makers also use the phrase “Privacy by Design”. Introducing an unnecessary intermediary or gate-keeper into what are essentially transactions between citizens and the state is an egregious violation of a key privacy principle.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;5. Middle Class and Elite Capture:&lt;/b&gt; The use of Twitter amplifies the voices of the English-speaking, elite, and middle class citizens at the expense of the voices of the poor. While elites don’t exhibit fear when tagging police IDs and making public complaints from the comforts of their gated communities with private security guards shielding them from the violence of the state, this might be a very intimidating option for the poor and disempowered.&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;While elites don’t fear tagging police IDs and making public           complaints from the comforts of their gated communities,           it’s intimidating for the disempowered&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;While the system may not be discriminatory in its design, it will       have disparate impact on different sections of our society. In       other words, the introduction of TwitterSeva will exacerbate power       asymmetries in our society rather than ameliorating them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The canonical scholarly reference for this is Kate Crawford’s &lt;a href="https://hbr.org/2013/04/the-hidden-biases-in-big-data" target="_blank"&gt;analysis&lt;/a&gt; of the City of Boston’s StreetBump smartphone app, which resulted in an over-reporting of potholes in elite neighbourhoods and under-reporting from poor and elderly residents. This meant that efficiency in the allocation of the city’s resources was only a cover for increased discrimination against the powerless.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;6. Security:&lt;/b&gt; The most important conclusion to       draw from the Snowden disclosure is that the tin-foil conspiracy       theorists who we used to dismiss as lunatics were correct. What       has been established beyond doubt is that the United States of       America is the world leader when it comes to conducting mass       surveillance on netizens across the globe. It is still completely       unclear how much access the NSA has to the databases of American       social media giants. When the complete police force of a state       starts to use Twitter for the delivery of services to the public,       then it may be possible for foreign intelligence agencies to use       this information to undermine our sovereignty and national       security.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be'&gt;http://editors.cis-india.org/internet-governance/blog/factordaily-sunil-abraham-october-6-2016-services-like-twitterseva-are-not-the-silver-bullets-they-are-made-out-to-be&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Social Media</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2016-10-06T16:31:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/sense-and-censorship">
    <title>Sense and censorship</title>
    <link>http://editors.cis-india.org/internet-governance/blog/sense-and-censorship</link>
    <description>
        &lt;b&gt;Sunil Abraham examines Google's crusade against censorship in China in wake of the attacks on its servers in this article published in the Indian Express.&lt;/b&gt;
        
&lt;p&gt;Some believe that Google co-founder Sergey Brin’s memories as a six-year-old in the former Soviet Union have inspired Google’s crusade against censorship in China. However, as Siva Vaidhyanathan, author of the upcoming book The Googlisation of Everything, notes in a recent blog post — this “isn’t a case of Google standing up for free speech....but about Google standing up against the attacks.”&lt;/p&gt;
&lt;p&gt;He was referring to the attacks on Google’s servers that originated from China mid-December last year. Anyone running a multi-billion dollar enterprise online would be well attuned to the security threats posed by anarchists, crackers, spammers and phishers on a daily basis. So what made the recent Google attacks so special? According to Google, intellectual property was stolen and two human rights activists’ accounts were compromised during the attack. So which was the straw that broke the camel’s back — intellectual property or human rights? Google could have spoken out against censorship years ago — after all it still censors search results in more than 20 countries, including India. Although there is no official channel or protocol guiding censorship practices in India, Google is regularly contacted by government officials and continues to delete web content deemed sensitive according to various ethnic, political and religious groups. Human rights activists note that Google offers some token resistance and then usually complies with the state’s demands. Google’s deputy general counsel, Nicole Wong, justifies her cooperation with the authorities citing the Indian way of torching buses during riots. Therefore it is odd that the US government endorses Google’s selective idealism in China. One week after the attacks, Hillary Clinton decided to lecture the world on Internet freedom. Then, Google and the National Security Agency announced a collaboration to deal with future cyber-attacks. This was followed by Google honouring female bloggers in Iran, forcing cyber-ethnographer Maximilian Forte to wonder on Twitter, “Is it just me, or is Google consistently joining the causes of the US State Department?” How is Google’s move, and recent White House support for a “free web”, to be understood? How is Google’s move consistent with the Obama administration’s goal of protecting US business interests across the globe? 
Such questions may tell us why Google is picking a fight with China rather than Saudi Arabia or Burma. The recent privacy disaster incited by the release of Google’s new social networking application Buzz became yet another occasion when many began to doubt Google’s high rhetoric about freedom of expression. When Buzz first made the social connections of Gmail users public without their consent, blogger Evgeny Morozov questioned the company’s logic in protecting the email accounts of Chinese human rights activists (ie, when they are happy to tell the rest of the world who those activists are talking to). According to Morozov, Google has only managed to capture 30 per cent of the Chinese search market, and he believes that Google was willing to sacrifice this market for some much-needed positive PR, given the storm of bad press after projects like Buzz and Wave.&lt;/p&gt;
&lt;p&gt;It is clear that Google will have to fight such pressures towards greater control of the internet across the globe, China being no great exception. This week, Google and Yahoo have come out strongly in opposition to Australia’s plan to implement a mandatory ISP filter. Sometimes, a particular form of censorship serves a useful and necessary purpose — for example, Google and Microsoft were forced by the Indian Supreme Court in September 2008 to stop serving advertisements for do-it-yourself foetus sex determination kits. Given our daughter deficit, I would not have it any other way. However, in Thailand, such filtering takes the form of overly expansive lèse majesté laws which force ISPs to reveal details of individuals posting content deemed insulting to the monarch, Bhumibol Adulyadej — this practice leading to self-censorship and over-moderation on forums and mailing lists in Thailand.&lt;/p&gt;
&lt;p&gt;Also, as soon as traffic was redirected from Google.cn to Google.com.hk, Google advised its enterprise customers in China to use VPN (virtual private networking), SSH (secure shell) tunneling, or a proxy server to access Google Apps. These are circumvention technologies of choice for many Chinese cyber-activists, says Rebecca MacKinnon, founder of Global Voices Online. In her recent congressional submission, she also points out that in China, online defiance has a very different history, perhaps best illustrated by the Mud Grass Horse Internet meme which was an obscene pun on a government media campaign aimed at national unity and harmony. In China, aesthetics rather than technology is the primary tool for subversive political speech. Also, as in Burma and Saudi Arabia, offline piracy and pirated satellite television ensure that most citizens are able to access censored content. And the average Chinese netizen cannot tell the difference between Google censoring its own results and the Great Firewall censoring Google. Google’s recent actions have very little real impact on the state of censorship in China.&lt;/p&gt;
&lt;p&gt;Read the original article in the &lt;a class="external-link" href="http://www.indianexpress.com/news/senseandcensorship/596260/"&gt;Indian Express&lt;/a&gt;.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/sense-and-censorship'&gt;http://editors.cis-india.org/internet-governance/blog/sense-and-censorship&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:15:15Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/sense-and-censorship">
    <title>Sense and Censorship</title>
    <link>http://editors.cis-india.org/internet-governance/sense-and-censorship</link>
    <description>
        &lt;b&gt;The Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) bills, at the US House of Representatives and Senate, respectively, appear to enforce property rights, but are, in fact, trade bills. This article by Sunil Abraham was published in the Indian Express on 20 January 2012.&lt;/b&gt;
        
&lt;p&gt;In developed countries like the US, intellectual property (IP) plays a
 dominant role in the economy, unlike in economies like India. Countries
 that have significant IP are keen to increase global and national 
enforcement activities, while countries with little domestic IP are keen
 to reduce outgoing royalties in the balance of payments and therefore, 
keen to expand alternatives, limitations and exceptions like copyleft 
licensing, compulsory/statutory licensing and fair dealing.&lt;/p&gt;
&lt;p&gt;The loss of generic medicines, hardware based on open standards, 
public domain content, free and open source software, open access 
journal articles, etc will equally impoverish consumers in the US and in
 India. SOPA and PIPA, therefore, do not represent the will of the 
average American but rather the interests of the IP sector, which has 
tremendous influence on the Hill. There is one more layer of 
complication for policy-makers to consider as they work towards a 
compromise of interests in Internet governance — the tension between the
 old and the new. The incumbents — corporations with business models 
that have been rendered obsolete by technological developments — versus 
emerging actors who provide competing products and services, often with 
greater technological sophistication, higher quality, at a lower cost.&lt;/p&gt;
&lt;p&gt;The US, in terms of policy and infrastructure, still controls the 
global Domain Name System (DNS) and consequently, post-SOPA/PIPA, can 
take unilateral trade action without worrying about national variations 
enabled by international law. These bills directly undermine the 
business models of many Indian companies — generic drug manufacturers 
like Ranbaxy, software service providers like Infosys, electronics 
manufacturers like Spice and players in many other sectors dominated by 
IP rights. So it is baffling that they have not added their voices to 
the global outcry.&lt;/p&gt;
&lt;p&gt;SOPA and PIPA, if passed, will enable the US administration to take 
three-pronged action against IP infringers — seizure of domain names and
 DNS filtering, blocking of transactions by financial intermediaries and
 revocation of hosting by ISPs. While circumvention may still be 
possible, it will get increasingly laborious — something like the Great 
Firewall of China, but worse. Unfortunately, the implementation of these
 blunt policy instruments will require more and more public-funded 
surveillance and censorship.&lt;/p&gt;
&lt;p&gt;The censorship potential of efforts like SOPA and PIPA may appeal to 
others, as autocratic and democratic regimes across the world have been 
keen to try technology-mediated social engineering — these efforts have 
been multiplied in the post-Arab Spring and Occupy Wall Street world. 
Organised religion, social conservatives and those who have been at the 
receiving end of free speech would all want to shut down platforms like 
WikiLeaks and political movements like Anonymous and the Pirate Party.&lt;/p&gt;
&lt;p&gt;These are equally dismal times for Internet governance in India. 
Google, Facebook and 20-odd other intermediaries are trying to avoid 
jail time at the hands of a Delhi court. However, ever since the IT Act 
amendments were put in place three years back, digital activists have 
been requesting intermediaries to register their protests early and 
often, regarding draconian provisions in the statute and in the 
associated rules. Their silence is going to be very expensive for all of
 us. We cannot depend on the private sector alone to defend our 
constitutional rights. As yet unpublished research from CIS demonstrates
 that private intermediaries only bother with defending freedom of 
expression when it undermines their business interests. Working with an 
independent researcher, we conducted a policy sting operation — faulty 
take-down notices were served to seven intermediaries asking for 
legitimate content to be taken down. In six of those cases, the 
intermediaries over-complied, in one case deleting all comments on a 
news article instead of just those comments identified in the notice. 
The only take-down that was resisted was one claiming that sale of 
diapers was “harmful to minors” under the Indian IT Act (because they 
caused nappy rash). It is clear that the IT Act and its associated rules
 have already had a chilling effect on online participation by Indians.&lt;/p&gt;
&lt;p&gt;Fortunately for us, during the previous parliamentary session, 
Jayant Chaudhary, Lok Sabha MP from the Rashtriya Lok Dal, asked for the
 revision of rules concerning intermediaries, cyber-cafes and reasonable
 security practices. The next Parliament session is the last opportunity
 for the House to reject these rules and intervene for a free Internet.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The writer is executive director of the Bangalore-based Centre for Internet and Society&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://www.indianexpress.com/news/sense-and-censorship/901686/1"&gt;Read the original published in the Indian Express&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/sense-and-censorship'&gt;http://editors.cis-india.org/internet-governance/sense-and-censorship&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Freedom of Speech and Expression</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    

   <dc:date>2012-01-31T06:15:38Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology">
    <title>Security: Privacy, Transparency and Technology</title>
    <link>http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society (CIS) has been involved in privacy and data protection research for the last five years. It has participated as a member of the Justice A.P. Shah Committee, which has influenced the draft Privacy Bill being authored by the Department of Personnel and Training. It has organised 11 multistakeholder roundtables across India over the last two years to discuss a shadow Privacy Bill drafted by CIS with the participation of privacy commissioners and data protection authorities from Europe and Canada.&lt;/b&gt;
        
&lt;p&gt;The article was co-authored by Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar. It was published by Observer Research Foundation, &lt;a href="http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-technology.pdf" class="internal-link"&gt;Digital Debates 2015: CyFy Journal Volume 2&lt;/a&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify;"&gt;Our centre’s work on privacy was considered incomplete by some stakeholders because of a lack of focus in the area of cyber security and therefore we have initiated research on it from this year onwards. In this article, we have undertaken a preliminary examination of the theoretical relationships between the national security imperative and privacy, transparency and technology.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Security and Privacy&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Daniel J. Solove has identified the tension between security and privacy as a false dichotomy: "Security and privacy often clash, but there need not be a zero-sum tradeoff." &lt;a name="fr1" href="#fn1"&gt;[1]&lt;/a&gt; Further unpacking this false dichotomy, Bruce Schneier says, "There is no security without privacy. And liberty requires both security and privacy." &lt;a name="fr2" href="#fn2"&gt;[2]&lt;/a&gt; Effectively, it could be said that privacy is a precondition for security, just as security is a precondition for privacy. A secure information system cannot be designed without guaranteeing the privacy of its authentication factors, and it is not possible to guarantee privacy of authentication factors without having confidence in the security of the system. Often policymakers talk about a balance between the privacy and security imperatives—in other words a zero-sum game. Balancing these imperatives is a foolhardy approach, as it simultaneously undermines both imperatives. Balancing privacy and security should instead be framed as an optimisation problem. Indeed, during a time when oversight mechanisms have failed even in so-called democratic states, the regulatory power of technology &lt;a name="fr3" href="#fn3"&gt;[3]&lt;/a&gt; should be seen as an increasingly key ingredient to the solution of that optimisation problem.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Data retention is required in most jurisdictions for law enforcement, intelligence and military purposes. Here are three examples of how security and privacy can be optimised when it comes to Internet Service Provider (ISP) or telecom operator logs:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify;"&gt;&lt;strong&gt;Data Retention&lt;/strong&gt;: We propose that the office of the Privacy Commissioner generate a cryptographic key pair for each internet user and give one key to the ISP / telecom operator. This key would be used to encrypt logs, thereby preventing unauthorised access. Once there is executive or judicial authorisation, the Privacy Commissioner could hand over the second key to the authorised agency. There could even be an emergency procedure and the keys could be automatically collected by concerned agencies from the Privacy Commissioner. This will need to be accompanied by a policy that criminalises the possession of unencrypted logs by ISP and telecom operators.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li style="text-align: justify;"&gt;&lt;strong&gt;Privacy-Protective Surveillance&lt;/strong&gt;: Ann Cavoukian and Khaled El Emam &lt;a name="fr4" href="#fn4"&gt;[4]&lt;/a&gt; have proposed combining intelligent agents, homomorphic encryption and probabilistic graphical models to provide “a positive-sum, ‘win–win’ alternative to current counter-terrorism surveillance systems.” They propose limiting collection of data to “significant” transactions or events that could be associated with terrorist-related activities, limiting analysis to wholly encrypted data, which then does not just result in “discovering more patterns and relationships without an understanding of their context” but rather “intelligent information—information selectively gathered and placed into an appropriate context to produce actual knowledge.” Since fully homomorphic encryption may be unfeasible in real-world systems, they have proposed use of partially homomorphic encryption. But experts such as Prof. John Mallery from MIT are also working on solutions based on fully homomorphic encryption.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;
&lt;li style="text-align: justify;"&gt;&lt;strong&gt;Fishing Expedition Design&lt;/strong&gt;: Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal have proposed a standard &lt;a name="fr5" href="#fn5"&gt;[5]&lt;/a&gt; that could be adopted by authorised agencies, telecom operators and ISPs. Instead of giving authorised agencies complete access to logs, they propose a format for database queries, which could be sent to the telecom operator or ISP by authorised agencies. The telecom operator or ISP would then process the query, and anonymise/obfuscate the result-set in an automated fashion based on applicable privacy policies/regulation. Authorised agencies would then home in on a subset of the result-set that they would like with personal identifiers intact; this smaller result set would then be shared with the authorised agencies.&lt;/li&gt;&lt;/ol&gt;
&lt;p style="text-align: justify;"&gt;An optimisation approach to resolving the false dichotomy between privacy and security will not allow for a total surveillance regime as pursued by the US administration. Total surveillance brings with it the ‘honey pot’ problem: If all the meta-data and payload data of citizens is being harvested and stored, then the data store will become a single point of failure and will become another target for attack. The next Snowden may not have honourable intentions and might decamp with this ‘honey pot’ itself, which would have disastrous consequences.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;If total surveillance will completely undermine the national security imperative, what then should be the optimal level of surveillance in a population? The answer depends upon the existing security situation. If this is represented on a graph with security on the y-axis and the proportion of the population under surveillance on the x-axis, the benefits of surveillance could be represented by an inverted hockey-stick curve. To begin with, there would already be some degree of security. As a small subset of the population is brought under surveillance, security would increase till an optimum level is reached, after which, enhancing the number of people under surveillance would not result in any security pay-off. Instead, unnecessary surveillance would diminish security as it would introduce all sorts of new vulnerabilities. Depending on the existing security situation, the head of the hockey-stick curve might be bigger or smaller. To use a gastronomic analogy, optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In India the designers of surveillance projects have fortunately rejected the total surveillance paradigm. For example, the objective of the National Intelligence Grid (NATGRID) is to streamline and automate targeted surveillance; it is introducing technological safeguards that will allow express combinations of result-sets from 22 databases to be made available to 12 authorised agencies. This is not to say that the design of the NATGRID cannot be improved.&lt;/p&gt;
&lt;h3&gt;Security and Transparency&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;There are two views on security and transparency: One, security via obscurity as advocated by vendors of proprietary software, and two, security via transparency as advocated by free/open source software (FOSS) advocates and entrepreneurs. Over the last two decades, public and industry opinion has swung towards security via transparency. This is based on the Linus rule that “given enough eyeballs, all bugs are shallow.” But does this mean that transparency is a necessary and sufficient condition? Unfortunately not, and therefore it is not necessarily true that FOSS and open standards will be more secure than proprietary software and proprietary standards.&lt;/p&gt;
&lt;blockquote style="text-align: justify;" class="pullquote"&gt;Optimal surveillance is like salt in cooking—necessary in small quantities but counter-productive even if slightly in excess.&lt;/blockquote&gt;
&lt;p style="text-align: justify;"&gt;The recent detection of the Heartbleed &lt;a name="fr6" href="#fn6"&gt;[6]&lt;/a&gt; security bug in OpenSSL, &lt;a name="fr7" href="#fn7"&gt;[7]&lt;/a&gt; causing situations where more data can be read than should be allowed, and Snowden’s revelations about the compromise of some open cryptographic standards (which depend on elliptic curves), developed by the US National Institute of Standards and Technology, are stark examples. &lt;a name="fr8" href="#fn8"&gt;[8]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;At the same time, however, open standards and FOSS are crucial to maintaining the balance of power in information societies, as civil society and the general public are able to resist the powers of authoritarian governments and rogue corporations using cryptographic technology. These technologies allow for anonymous speech, pseudonymous speech, private communication, online anonymity and circumvention of surveillance and censorship. For the media, these technologies enable anonymity of sources and the protection of whistle-blowers—all phenomena that are critical to the functioning of a robust and open democratic society. But these very same technologies are also required by states and by the private sector for a variety of purposes—national security, e-commerce, e-banking, protection of all forms of intellectual property, and services that depend on confidentiality, such as legal or medical services.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In other words, all governments, with the exception of the US government, have common cause with civil society, media and the general public when it comes to increasing the security of open standards and FOSS. Unfortunately, this can be quite an expensive task because the re-securing of open cryptographic standards depends on mathematicians. Of late, mathematical research outputs that can be militarised are no longer available in the public domain because the biggest employers of mathematicians worldwide today are the US military and intelligence agencies. If other governments invest a few billion dollars through mechanisms like Knowledge Ecology International’s proposed World Trade Organization agreement on the supply of knowledge as a public good, we would be able to internationalise participation in standard-setting organisations and provide market incentives for greater scrutiny of cryptographic standards and patching of vulnerabilities of FOSS. This would go a long way in addressing the trust deficit that exists on the internet today.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Security and Technology&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;A techno-utopian understanding of security assumes that more technology, more recent technology and more complex technology will necessarily lead to better security outcomes.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;This is because the security discourse is dominated by vendors with sales targets who do not present a balanced or accurate picture of the technologies that they are selling. This has resulted in state agencies and the general public having an exaggerated understanding of the capabilities of surveillance technologies that is more aligned with Hollywood movies than everyday reality.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;More Technology&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Increasing the number of x-ray machines or full-body scanners at airports by a factor of ten or hundred will make the airport less secure unless human oversight is similarly increased. Even with increased human oversight, all that has been accomplished is an increase in the potential locations that can be compromised. The process of hardening a server usually involves stopping non-essential services and removing non-essential software. This reduces the software that should be subject to audit, continuously monitored for vulnerabilities and patched as soon as possible. Audits, ongoing monitoring and patching all cost time and money and therefore, for governments with limited budgets, any additional unnecessary technology should be seen as a drain on the security budget. Like with the airport example, even when it comes to a single server on the internet, it is clear that, from a security perspective, more technology without a proper functionality and security justification is counter-productive. To reiterate, throwing increasingly more technology at a problem does not make things more secure; rather, it results in a proliferation of vulnerabilities.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Latest Technology&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Reports that a number of state security agencies are contemplating returning to typewriters for sensitive communications in the wake of Snowden’s revelations make it clear that some older technologies are harder to compromise in comparison to modern technology. &lt;a name="fr9" href="#fn9"&gt;[9]&lt;/a&gt; Between iris- and fingerprint-based biometric authentication, logically, it would be easier for a criminal to harvest images of irises or authentication factors in bulk fashion using a high resolution camera fitted with a zoom lens in a public location, in comparison to mass lifting of fingerprints.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Complex Technology&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Fifteen years ago, Bruce Schneier said, "The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future." &lt;a name="fr10" href="#fn10"&gt;[10]&lt;/a&gt; This is because complexity increases fragility; every feature is also a potential source of vulnerabilities and failures. The simpler Indian electronic machines used until the 2014 elections are far more secure than the Diebold voting machines used in the 2004 US presidential elections. Similarly when it comes to authentication, a pin number is harder to beat without user-conscious cooperation in comparison to iris- or fingerprint-based biometric authentication.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In the following section of the paper we have identified five threat scenarios &lt;a name="fr11" href="#fn11"&gt;[11]&lt;/a&gt; relevant to India and identified solutions based on our theoretical framing above.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Threat Scenarios and Possible Solutions&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;Hacking the NIC Certifying Authority&lt;/strong&gt;&lt;br /&gt;One of the critical functions served by the National Informatics Centre (NIC) is as a Certifying Authority (CA). &lt;a name="fr12" href="#fn12"&gt;[12]&lt;/a&gt; In this capacity, the NIC issues digital certificates that authenticate web services and allow for the secure exchange of information online. &lt;a name="fr13" href="#fn13"&gt;[13]&lt;/a&gt; Operating systems and browsers maintain lists of trusted CA root certificates as a means of easily verifying authentic certificates. Certificates issued by India’s Controller of Certifying Authority are included in the Microsoft Root list and recognised by the majority of programmes running on Windows, including Internet Explorer and Chrome. &lt;a name="fr14" href="#fn14"&gt;[14]&lt;/a&gt; In 2014, the NIC CA’s infrastructure was compromised, and digital certificates were issued in NIC’s name without its knowledge. &lt;a name="fr15" href="#fn15"&gt;[15]&lt;/a&gt; Reports indicate that NIC did not "have an appropriate monitoring and tracking system in place to detect such intrusions immediately." &lt;a name="fr16" href="#fn16"&gt;[16]&lt;/a&gt; The implication is that websites could masquerade as another domain using the fake certificates. Personal data of users can be intercepted or accessed by third parties by the masquerading website. The breach also rendered web servers and websites of government bodies vulnerable to attack, and end users were no longer sure that data on these websites was accurate and had not been tampered with. &lt;a name="fr17" href="#fn17"&gt;[17]&lt;/a&gt; The NIC CA was forced to revoke all 250,000 SSL Server Certificates issued until that date &lt;a name="fr18" href="#fn18"&gt;[18]&lt;/a&gt; and is no longer issuing digital certificates for the time being. 
&lt;a name="fr19" href="#fn19"&gt;[19]&lt;/a&gt; Public key pinning is a means through which websites can specify which certifying authorities have issued certificates for that site. Public key pinning can prevent man-in-the-middle attacks due to fake digital certificates. &lt;a name="fr20" href="#fn20"&gt;[20]&lt;/a&gt; Certificate Transparency allows anyone to check whether a certificate has been properly issued, seeing as certifying authorities must publicly publish information about the digital certificates that they have issued. Though this approach does not prevent fake digital certificates from being issued, it can allow for quick detection of misuse. &lt;a name="fr21" href="#fn21"&gt;[21]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;‘Logic Bomb’ against Airports&lt;/strong&gt;&lt;br /&gt;Passenger operations in New Delhi’s Indira Gandhi International Airport depend on a centralised operating system known as the Common User Passenger Processing System (CUPPS). The system integrates numerous critical functions such as the arrival and departure times of flights, and manages the reservation system and check-in schedules. &lt;a name="fr22" href="#fn22"&gt;[22]&lt;/a&gt; In 2011, a logic bomb attack was remotely launched against the system to introduce malicious code into the CUPPS software. The attack disabled the CUPPS operating system, forcing a number of check-in counters to shut down completely, while others reverted to manual check-in, resulting in over 50 delayed flights. Investigations revealed that the attack was launched by three disgruntled employees who had assisted in the installation of the CUPPS system at the New Delhi Airport. &lt;a name="fr23" href="#fn23"&gt;[23]&lt;/a&gt; Although in this case the impact of the attack was limited to flight delay, experts speculate that the attack was meant to take down the entire system. The disruption and damage resulting from the shutdown of an entire airport would be extensive.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Adoption of open hardware and FOSS is one strategy to avoid and mitigate the risk of such vulnerabilities. The use of devices that embrace the concept of open hardware and software specifications must be encouraged, as this helps the FOSS community to be vigilant in detecting and reporting design deviations and to investigate probable vulnerabilities.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;Attack on Critical Infrastructure&lt;/strong&gt;&lt;br /&gt;The Nuclear Power Corporation of India encounters and prevents numerous cyber attacks every day. &lt;a name="fr24" href="#fn24"&gt;[24]&lt;/a&gt; The best known example of a successful nuclear plant hack is the Stuxnet worm that thwarted the operation of an Iranian nuclear enrichment complex and set back the country’s nuclear programme. &lt;a name="fr25" href="#fn25"&gt;[25] &lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;The worm had the ability to spread over the network and would activate when a specific configuration of systems was encountered &lt;a name="fr26" href="#fn26"&gt;[26]&lt;/a&gt; and connected to one or more Siemens programmable logic controllers. &lt;a name="fr27" href="#fn27"&gt;[27]&lt;/a&gt; The worm was suspected to have been initially introduced through an infected USB drive into one of the controller computers by an insider, thus crossing the air gap. &lt;a name="fr28" href="#fn28"&gt;[28]&lt;/a&gt; The worm used information that it gathered to take control of normal industrial processes (to discreetly speed up centrifuges, in the present case), leaving the operators of the plant unaware that they were being attacked. This incident demonstrates how an attack vector introduced into the general internet can be used to target specific system configurations. When the target of a successful attack is a sector as critical and secured as a nuclear complex, the implications for a country’s security and infrastructure are potentially grave.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Security audits and other transparency measures to identify vulnerabilities are critical in sensitive sectors. Incentive schemes such as prizes, contracts and grants may be evolved for the private sector and academia to identify vulnerabilities in the infrastructure of critical resources to enable/promote security auditing of infrastructure.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;Micro Level: Chip Attacks&lt;/strong&gt;&lt;br /&gt;Semiconductor devices are ubiquitous in electronic devices. The US, Japan, Taiwan, Singapore, Korea and China are the primary countries hosting manufacturing hubs of these devices. India currently does not produce semiconductors, and depends on imported chips. This dependence on foreign semiconductor technology can result in the import and use of compromised or fraudulent chips by critical sectors in India. For example, hardware Trojans, which may be used to access personal information and content on a device, may be inserted into the chip. Such breaches/transgressions can render equipment in critical sectors vulnerable to attack and threaten national security. &lt;a name="fr29" href="#fn29"&gt;[29]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Indigenous production of critical technologies and the development of manpower and infrastructure to support these activities are needed. The Government of India has taken a number of steps towards this. For example, in 2013, the Government of India approved the building of two Semiconductor Wafer Fabrication (FAB) manufacturing facilities &lt;a name="fr30" href="#fn30"&gt;[30]&lt;/a&gt; and as of January 2014, India was seeking to establish its first semiconductor characterisation lab in Bangalore. &lt;a name="fr31" href="#fn31"&gt;[31]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;Macro Level: Telecom and Network Switches&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;The possibility of foreign equipment containing vulnerabilities and backdoors that are built into its software and hardware gives rise to concerns that India’s telecom and network infrastructure is vulnerable to being hacked and accessed by foreign governments (or non-state actors) through the use of spyware and malware that exploit such vulnerabilities. In 2013, some firms, including ZTE and Huawei, were barred by the Indian government from participating in a bid to supply technology for the development of its National Optic Network project due to security concerns. &lt;a name="fr32" href="#fn32"&gt;[32]&lt;/a&gt; Similar concerns have resulted in the Indian government holding back the conferment of ‘domestic manufacturer’ status on both these firms. &lt;a name="fr33" href="#fn33"&gt;[33]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Following reports that Chinese firms were responsible for transnational cyber attacks designed to steal confidential data from overseas targets, there have been moves to establish laboratories to test imported telecom equipment in India. &lt;a name="fr34" href="#fn34"&gt;[34]&lt;/a&gt; Despite these steps, in a February 2014 incident the state-owned telecommunication company Bharat Sanchar Nigam Ltd’s network was hacked, allegedly by Huawei. &lt;a name="fr35" href="#fn35"&gt;[35]&lt;/a&gt;&lt;/p&gt;
&lt;blockquote style="text-align: justify;" class="pullquote"&gt;Security practitioners and policymakers need to avoid the zero-sum framing prevalent in popular discourse regarding security VIS-A-VIS privacy, transparency and technology.&lt;/blockquote&gt;
&lt;p style="text-align: justify;"&gt;A successful hack of the telecom infrastructure could result in massive disruption in internet and telecommunications services. Large-scale surveillance and espionage by foreign actors would also become possible, placing, among others, both governmental secrets and individuals’ personal information at risk.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;While India cannot afford to impose a general ban on the import of foreign telecommunications equipment, a number of steps can be taken to address the risk of inbuilt security vulnerabilities. Common International Criteria for security audits could be evolved by states to ensure compliance of products with international norms and practices. While India has already established common criteria evaluation centres, &lt;a name="fr36" href="#fn36"&gt;[36]&lt;/a&gt; the government monopoly over the testing function has resulted in only three products being tested so far. A Code Escrow Regime could be set up where manufacturers would be asked to deposit source code with the Government of India for security audits and verification. The source code could be compared with the shipped software to detect inbuilt vulnerabilities.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Conclusion&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Cyber security cannot be enhanced without a proper understanding of the relationship between security and other national imperatives such as privacy, transparency and technology. This paper has provided an initial sketch of those relationships, but sustained theoretical and empirical research is required in India so that security practitioners and policymakers avoid the zero-sum framing prevalent in popular discourse and take on the hard task of solving the optimisation problem by shifting policy, market and technological levers simultaneously. These solutions must then be applied in multiple contexts or scenarios to determine how they should be customised to provide maximum security bang for the buck.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn1" href="#fr1"&gt;1&lt;/a&gt;]. Daniel J. Solove, Chapter 1 in Nothing to Hide: The False Tradeoff between Privacy and Security (Yale University Press: 2011), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn2" href="#fr2"&gt;2&lt;/a&gt;]. Bruce Schneier, “What our Top Spy doesn’t get: Security and Privacy aren’t Opposites,” Wired, January 24, 2008, http://archive.wired.com/politics/security commentary/security matters/2008/01/securitymatters_0124 and Bruce Schneier, “Security vs. Privacy,” Schneier on Security, January 29, 2008, https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn3" href="#fr3"&gt;3&lt;/a&gt;]. There are four sources of power in internet governance: Market power exerted by private sector organisations; regulatory power exerted by states; technical power exerted by anyone who has access to certain categories of technology, such as cryptography; and finally, the power of public pressure sporadically mobilised by civil society. A technically sound encryption standard, if employed by an ordinary citizen, cannot be compromised using the power of the market or the regulatory power of states or public pressure by civil society. In that sense, technology can be used to regulate state and market behaviour.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn4" href="#fr4"&gt;4&lt;/a&gt;]. Ann Cavoukian and Khaled El Emam, “Introducing Privacy-Protective Surveillance: Achieving Privacy and Effective Counter-Terrorism,” Information &amp;amp; Privacy Commissioner, September 2013, Ontario, Canada, http://www.privacybydesign.ca/content/uploads/2013/12/pps.pdf.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn5" href="#fr5"&gt;5&lt;/a&gt;]. Madan Oberoi, Pramod Jagtap, Anupam Joshi, Tim Finin and Lalana Kagal, “Information Integration and Analysis: A Semantic Approach to Privacy” (presented at the third IEEE International Conference on Information Privacy, Security, Risk and Trust, Boston, USA, October 2011), ebiquity.umbc.edu/_file_directory_/papers/578.pdf.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn6" href="#fr6"&gt;6&lt;/a&gt;]. Bruce Byfield, “Does Heartbleed disprove ‘Open Source is Safer’?,” Datamation, April 14, 2014, http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn7" href="#fr7"&gt;7&lt;/a&gt;]. “Cybersecurity Program should be more transparent, protect privacy,” Centre for Democracy and Technology Insights, March 20, 2009, https://cdt.org/insight/cybersecurity-program-should-be-more-transparent-protect-privacy/#1.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn8" href="#fr8"&gt;8&lt;/a&gt;]. “Cracked Credibility,” The Economist, September 14, 2013, http://www.economist.com/news/international/21586296-be-safe-internet-needs-reliable-encryption-standards-software-and.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn9" href="#fr9"&gt;9&lt;/a&gt;]. Miriam Elder, “Russian guard service reverts to typewriters after NSA leaks,” The Guardian, July 11, 2013, www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks and Philip Oltermann, “Germany ‘may revert to typewriters’ to counter hi-tech espionage,” The Guardian, July 15, 2014, www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn10" href="#fr10"&gt;10&lt;/a&gt;]. Bruce Schneier, “A Plea for Simplicity,” Schneier on Security, November 19, 1999, https://www.schneier.com/essays/archives/1999/11/a_plea_for_simplicit.html.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn11" href="#fr11"&gt;11&lt;/a&gt;]. With inputs from Pranesh Prakash of the Centre for Internet and Society and Sharathchandra Ramakrishnan of Srishti School of Art, Technology and Design.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn12" href="#fr12"&gt;12&lt;/a&gt;]. “Frequently Asked Questions,” Controller of Certifying Authorities, Department of Electronics and Information Technology, Government of India, http://cca.gov.in/cca/index.php?q=faq-page#n41.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn13" href="#fr13"&gt;13&lt;/a&gt;]. National Informatics Centre Homepage, Government of India, http://www.nic.in/node/41.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn14" href="#fr14"&gt;14&lt;/a&gt;]. Adam Langley, “Maintaining Digital Certificate Security,” Google Security Blog, July 8, 2014, http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn15" href="#fr15"&gt;15&lt;/a&gt;]. This is similar to the kind of attack carried out against DigiNotar, a Dutch certificate authority. See: http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1246&amp;amp;context=jss.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn16" href="#fr16"&gt;16&lt;/a&gt;]. R. Ramachandran, “Digital Disaster,” Frontline, August 22, 2014, http://www.frontline.in/the-nation/digital-disaster/article6275366.ece.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn17" href="#fr17"&gt;17&lt;/a&gt;]. Ibid.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn18" href="#fr18"&gt;18&lt;/a&gt;]. “NIC’s digital certification unit hacked,” Deccan Herald, July 16, 2014, http://www.deccanherald.com/content/420148/archives.php.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn19" href="#fr19"&gt;19&lt;/a&gt;]. National Informatics Centre Certifying Authority Homepage, Government of India, http://nicca.nic.in//.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn20" href="#fr20"&gt;20&lt;/a&gt;]. Mozilla Wiki, “Public Key Pinning,” https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn21" href="#fr21"&gt;21&lt;/a&gt;]. “Certificate Transparency - The quick detection of fraudulent digital certificates,” Ascertia, August 11, 2014, http://www.ascertiaIndira.com/blogs/pki/2014/08/11/certificate-transparency-the-quick-detection-of-fraudulent-digital-certificates.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn22" href="#fr22"&gt;22&lt;/a&gt;]. “Indira Gandhi International Airport (DEL/VIDP) Terminal 3, India,” Airport Technology.com, http://www.airport-technology.com/projects/indira-gandhi-international-airport-terminal -3/.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn23" href="#fr23"&gt;23&lt;/a&gt;]. “How techies used logic bomb to cripple Delhi Airport,” Rediff, November 21, 2011, http://www.rediff.com/news/report/how-techies-used-logic-bomb-to-cripple-delhi-airport/20111121 htm.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn24" href="#fr24"&gt;24&lt;/a&gt;]. Manu Kaushik and Pierre Mario Fitter, “Beware of the bugs,” Business Today, February 17, 2013, http://businesstoday.intoday.in/story/india-cyber-security-at-risk/1/191786.html.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn25" href="#fr25"&gt;25&lt;/a&gt;]. “Stuxnet ‘hit’ Iran nuclear plants,” BBC, November 22, 2010, http://www.bbc.com/news/technology-11809827.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn26" href="#fr26"&gt;26&lt;/a&gt;]. In this case, systems using Microsoft Windows and running Siemens Step7 software were targeted.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn27" href="#fr27"&gt;27&lt;/a&gt;]. Jonathan Fildes, “Stuxnet worm ‘targeted high-value Iranian assets’,” BBC, September 23, 2010, http://www.bbc.com/news/technology-11388018.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn28" href="#fr28"&gt;28&lt;/a&gt;]. Farhad Manjoo, “Don’t Stick it in: The dangers of USB drives,” Slate, October 5, 2010, http://www.slate.com/articles/technology/technology/2010/10/dont_stick_it_in.html.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn29" href="#fr29"&gt;29&lt;/a&gt;]. Ibid.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn30" href="#fr30"&gt;30&lt;/a&gt;]. “IBM invests in new $5bn chip fab in India, so is chip sale off?,” ElectronicsWeekly, February 14, 2014, http://www.electronicsweekly.com/news/business/ibm-invests-new-5bn-chip-fab-india-chip-sale-2014-02/.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn31" href="#fr31"&gt;31&lt;/a&gt;]. NT Balanarayan, “Cabinet Approves Creation of Two Semiconductor Fabrication Units,” Medianama, February 17, 2014, http://articles.economictimes.indiatimes.com/2014-02-04/news/47004737_1_indian-electronics-special-incentive-package-scheme-semiconductor-association.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn32" href="#fr32"&gt;32&lt;/a&gt;]. Jamie Yap, “India bars foreign vendors from national broadband initiative,” ZD Net, January 21, 2013, http://www.zdnet.com/in/india-bars-foreign-vendors-from-national-broadband-initiative-7000010055/.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn33" href="#fr33"&gt;33&lt;/a&gt;]. Kevin Kwang, “India holds back domestic-maker status for Huawei, ZTE,” ZD Net, February 6, 2013, http://www.zdnet.com/in/india-holds-back-domestic-maker-status-for-huawei-zte-70 00010887/. Also see “Huawei, ZTE await domestic-maker tag,” The Hindu, February 5, 2013, http://www.thehindu.com/business/companies/huawei-zte-await-domesticmaker-tag/article4382888.ece.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn34" href="#fr34"&gt;34&lt;/a&gt;]. Ellyne Phneah, “Huawei, ZTE under probe by Indian government,” ZD Net, May 10, 2013, http://www.zdnet.com/in/huawei-zte-under-probe-by-indian-government-7000015185/.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;[&lt;a name="fn35" href="#fr35"&gt;35&lt;/a&gt;]. Devidutta Tripathy, “India investigates report of Huawei hacking state carrier network,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-india-huawei-hacking-idUSBREA150QK20140206.&lt;/p&gt;
&lt;p&gt;[&lt;a name="fn36" href="#fr36"&gt;36&lt;/a&gt;]. “Products Certified,” Common Criteria Portal of India, http://www.commoncriteria-india.gov.in/Pages/ProductsCertified.aspx.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology'&gt;http://editors.cis-india.org/internet-governance/blog/security-privacy-transparency-and-technology&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Big Data</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Homepage</dc:subject>
    

   <dc:date>2015-09-15T10:53:52Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/openness/publications/content-access/CCMG_Location.gif">
    <title>Route map for CCMG-JMI</title>
    <link>http://editors.cis-india.org/openness/publications/content-access/CCMG_Location.gif</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/openness/publications/content-access/CCMG_Location.gif'&gt;http://editors.cis-india.org/openness/publications/content-access/CCMG_Location.gif&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>admin</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2008-09-21T14:43:16Z</dc:date>
   <dc:type>Image</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/openness/publications/standards/the-response">
    <title>Response to the Draft National Policy on Open Standards for e-Governance</title>
    <link>http://editors.cis-india.org/openness/publications/standards/the-response</link>
    <description>
        &lt;b&gt;Pranesh Prakash, Programme Manager at the Centre for Internet and Society, authored a response to the draft Open Standards Policy document published by the National Informatics Centre,
Department of Information Technology, Ministry of Communications and Information Technology.&lt;/b&gt;
        
&lt;p&gt;&lt;span id="parent-fieldname-description" class="kssattr-atfieldname-description kssattr-templateId-widgets/textarea kssattr-macro-textarea-field-view inlineEditable"&gt;The National Informatics Centre (NIC),
Department of Information Technology (DIT), Ministry of Communications and Information Technology&amp;nbsp; (MCIT) has recently published a &lt;a class="external-link" href="http://egovstandards.gov.in/Policy_Open_Std_review"&gt;Draft Policy on Open Standards for eGovernance&lt;/a&gt;. Members of the public have been invited to provide feedback to the document. The last date for feedback is 21st November 2008.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;The Centre for Internet and Society has prepared a draft response to the draft policy. This response letter only deals
with the policy document from the perspective of the global FLOSS
movement. This is not meant to be comprehensive feedback to the
document itself.&lt;/p&gt;
&lt;h3&gt;Institutional Co-signatories&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Richard Stallman, Founder, &lt;a class="external-link" href="http://www.fsf.org"&gt;Free Software Foundation&lt;/a&gt;, USA&lt;/li&gt;&lt;li&gt;Mishi Choudhary, Partner, &lt;a class="external-link" href="http://www.sflc.org"&gt;Software Freedom Law Centre&lt;/a&gt;, USA &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Dr. Alvin Marcelo, Director for Southeast Asia, &lt;a class="external-link" href="http://www.iosn.net"&gt;International Open Source Network&lt;/a&gt;, the Philippines &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Lawrence Liang, Founder, &lt;a class="external-link" href="http://www.altlawforum.org"&gt;Alternative Law Forum&lt;/a&gt;, Bangalore, India&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Dr. G. Nagarjuna, Chairman, &lt;a class="external-link" href="http://www.gnu.org.in"&gt;Free Software Foundation of India&lt;/a&gt;, Mumbai, India&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Vinay Sreenivasa, Member, &lt;a class="external-link" href="http://itforchange.net"&gt;IT for Change&lt;/a&gt;, Bangalore, India &lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;Individual Co-signatories&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Shahid Akhtar, Founder, &lt;a class="external-link" href="http://www.iosn.net"&gt;International Open Source Network&lt;/a&gt;, Canada&lt;/li&gt;&lt;li&gt;Denis Jaromil Rojo, Developer, &lt;a class="external-link" href="http://www.dyne.org"&gt;Dyne&lt;/a&gt;, Netherlands&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Raj Mathur, Consultant, &lt;a class="external-link" href="http://www.kandalaya.org"&gt;Kandalaya&lt;/a&gt;, New Delhi, India&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Marek Tuszynski, Founder, &lt;a class="external-link" href="http://www.tacticaltech.org"&gt;Tactical Technology Collective&lt;/a&gt;, United Kingdom&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;Text&lt;/h3&gt;
&lt;p&gt;Dear Sir or Madam,&lt;/p&gt;
&lt;p&gt;The government has done a commendable job of releasing a progressive and forward-looking policy on the usage of open standards in e-governance.&amp;nbsp; Globally the European Union's Electronic Interoperability Framework (EIF) guidelines (version 2 of which is currently in the draft stage) are considered to be the gold standard as far as open standard policy is concerned.&amp;nbsp; The draft National Policy on Open Standards meets all of the EIF's four open standard requirements. However, there is still some room for improvement as discussed below.&lt;/p&gt;
&lt;p&gt;While the document talks of the standard being royalty free (4.1 and 5.1.1) and without any patent-related encumbrance (4.1), it limits those requirements "for the life time of the standard" (5.1.1), which seems a bit ambiguous and is not defined in the appendix either.&amp;nbsp; It would be preferable to make it royalty-free for the lifetime of the patents (if any) as open archival material shouldn't one day (after the end of "life time of the standard", and before the expiry of the patents) suddenly be forced to become paid archives.&amp;nbsp; It would be desirable to make declarations of patent non-enforcement irrevocable (as the EU EIF does), by incorporating a wording such as: "irrevocably available on a royalty-free basis, without any patent-related encumbrance".&amp;nbsp;&lt;/p&gt;
&lt;p&gt;There should also be a separate provision in the "policy statement on open standards adoption in e-governance" section of the document making explicit that there can be no restraint on use or implementation of the standard (as has been stated in the "guiding principles" section).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Perhaps when talking of specification documents (5.1.5) the words "any restrictions" could be amended to include a few examples of what the term "any restrictions" would include.&amp;nbsp; The document could make explicit that it must be permissible for all to copy, distribute and use the specifications freely, without any cost or legal barriers.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Sometimes private companies can interfere with the standardisation process; the document could perhaps be more explicit regarding remedial measures that could be undertaken in that event – for example, use of competition law, as in the case of the EU EIF, which states: "Practices distorting the definition and evolution of open standards must be addressed immediately to protect the integrity of the standardisation process."&amp;nbsp;&lt;/p&gt;
&lt;p&gt;As it stands, the draft document addresses many notions of openness (freely accessible, at zero cost, non-discriminatory, extensible, and without any legal hindrances, thus preventing vendor lock-in), and there is much to applaud in it.&amp;nbsp; It has a clear implementation mechanism, with a laudable aim of establishing a monitoring agency and an Open Source Solutions Laboratory.&amp;nbsp; It is applicable not only to future e-governance initiatives, but to existing ones as well. Furthermore, it also has an in-built review mechanism, which is crucial given the rate of change of technologies and consequently of the requirements of the government.&amp;nbsp; Thus, the draft policy document very clearly encourages competition and innovation in the software industry and promotes the Free and Open Source Software (FOSS) movement and industry.&amp;nbsp; As researchers from UNU MERIT have pointed out, even a nominal fee for usage of a standard can lead to exclusion of open source software implementations, leading to less competition in the software industry.&amp;nbsp; Thus, all in all this draft document represents a commendable effort by the Indian government towards a sustainable and robust e-governance structure based on open standards.&amp;nbsp; However, a few small amendments as suggested in this letter would make it an even greater guarantor of openness.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Yours sincerely,&lt;br /&gt;Sunil Abraham&lt;br /&gt;Director (Policy)&lt;br /&gt;Centre for Internet and Society&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Please download the draft response in the format you prefer.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;&lt;a href="http://editors.cis-india.org/openness/publications/standards/response-to-indian-open-standards-policy-10-sept-2008.odt" class="internal-link" title="Oo.org Format"&gt;Open Office &lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://editors.cis-india.org/openness/publications/standards/response-to-indian-open-standards-policy-10-sept-2008.doc" class="internal-link" title="MS Format"&gt;MS Office&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://editors.cis-india.org/openness/publications/standards/response-to-indian-open-standards-policy-09-sept-2008.pdf" class="internal-link" title="PDF Format"&gt;PDF&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;

        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/openness/publications/standards/the-response'&gt;http://editors.cis-india.org/openness/publications/standards/the-response&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Open Standards</dc:subject>
    
    
        <dc:subject>Publications</dc:subject>
    

   <dc:date>2011-08-23T03:05:56Z</dc:date>
   <dc:type>Page</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019">
    <title>Registering for Aadhaar in 2019</title>
    <link>http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019</link>
    <description>
        &lt;b&gt;It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in &lt;a class="external-link" href="https://www.business-standard.com/article/opinion/registering-for-aadhaar-in-2019-119010201018_1.html"&gt;Business Standard&lt;/a&gt; on January 2, 2019.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Last November, a global committee of lawmakers from nine countries (the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia) summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC, was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose”, referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.&lt;br /&gt;&lt;br /&gt;Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. 
Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.&lt;br /&gt;&lt;br /&gt;The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.&lt;br /&gt;&lt;br /&gt;Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. 
Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.&lt;br /&gt;&lt;br /&gt;The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineers Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. An example would be software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.&lt;br /&gt;&lt;br /&gt;Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. 
While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019'&gt;http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-01-03T14:59:04Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/home-images/pylons-bigger.jpg">
    <title>Pylons</title>
    <link>http://editors.cis-india.org/home-images/pylons-bigger.jpg</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/home-images/pylons-bigger.jpg'&gt;http://editors.cis-india.org/home-images/pylons-bigger.jpg&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2008-09-26T13:26:58Z</dc:date>
   <dc:type>Image</dc:type>
   </item>




</rdf:RDF>
