Centre for Internet and Society

Open Access Day

sunil — 2011-04-05T04:45:17Z

October 14, 2008 will be the world’s first Open Access Day. The founding partners for this Day are SPARC (the Scholarly Publishing and Academic Resources Coalition), Students for FreeCulture, and the Public Library of Science.

The Centre for Culture, Media & Governance, Jamia Millia Islamia, New Delhi, and the Cente for Internet and Society, Bangalore, request your presence at the celebrations of the first Open Access Day. Speaker include Prof. Andrew Lynn, Department of Bio-informatics, Jawaharlal Nehru University, and Prof. Subbiah Arunachalam, Distinguished Fellow, Centre for Internet and Society.

Venue: Tagore Hall, Dayar-i-Mir Taqi Mir, Jamia Millia Islamia, New Delhi.

Agenda

About Open Access Day

For more details visit http://editors.cis-india.org/openness/publications/content-access/open-access-day

Oo.org Format

admin — 2011-08-23T03:06:49Z

For more details visit http://editors.cis-india.org/openness/publications/standards/uploads/response-to-indian-open-standards-policy-10-sept-2008.odt

Online Censorship: How Government should Approach Regulation of Speech

sunil — 2012-12-05T07:06:52Z

Why is there a constant brouhaha in India about online censorship? What must be done to address this?

Sunil Abraham's article was published in the Economic Times on December 2, 2012.

Of course, we must get the basics right â€” bad law has to be amended, read down by courts or repealed, and bad implementation of law should be addressed via reform and capacity building for the police. But most importantly those in power must understand how to approach the regulation of speech.

To begin with, speech is regulated across the world. Even in the US â€” contrary to popular impression in India â€” speech is regulated both online and offline.

However, law is not the basis of most of this regulation. Speech is largely regulated by social norms. Different corners of our online and offline society have quite complex forms of self-regulation.

The harm caused by speech is often proportionate to the power of the person speaking â€” it maybe unacceptable for a politician or a filmstar to make an inflammatory remark but that very same utterance from an ordinary citizen may be totally fine.

To complicate matters, the very same speech by the very same person could be harmful or harmless based on context. A newspaper editor may share obscene jokes with friends in a bar, but may not take similar liberties in an editorial.

The legal scholar Alan Dershowitz tells us, "The best answer to bad speech is good speech." More recently the quote has been amended, with "more speech" replacing "good speech".

Censorship by the state has to be reserved for the rarest of rare circumstances. This is because censorship usually results in unintended consequences.

The "Streisand Effect", named after the singer-actor Barbra Streisand, is one of these consequences wherein attempts to hide or censor information only result in wider circulation and greater publicity.

The Maharashtra police's attempt to censor the voices of two women has resulted in their speech being broadcast across the nation on social and mainstream media. If the state had instead focused on producing good speech and more speech, nobody would have even heard of these women.

Circumventing Censorship

Peer-to-peer technologies on the internet mimic the topology of human networks and can also precipitate unintended consequences when subject to regulation. John Gilmore, a respected free software developer, puts it succinctly: "The Net interprets censorship as damage and routes around it."

Most of the internet censorship in the US is due to IPR-enforcement activities. This is why Christopher Soghoian, a leading privacy activist, attributes the massive adoption of privacy-enhancing technologies such as proxies and VPNs (virtual private networks) by American consumers to the crackdown on online piracy.

In India, and even when the government has had legitimate reasons to regulate speech, there have been unintended consequences.

During the exodus of people from the North-east, the five SMS per day restriction imposed by the government resulted in another exodus from SMS to alternative messaging platforms such as BlackBerry Messenger (BBM), WhatsApp and Twitter.

In both cases the circumvention of censorship by the users has resulted in a worsening situation for law-enforcement organisations â€” VPNs and applications like WhatsApp are much more difficult to monitor and regulate.

Mixed Memes

Regulation of speech also cannot be confused with cyber war or security. Speech can occasionally have security implications but that cannot be the basis for enlightened regulation.

A cyber war expert may be tempted to think of censored content as weapons, but unlike weapons that usually remain lethal, content that can cause harm today may become completely harmless tomorrow. This is unlike a computer virus or malware. For example, during the exodus, the online edition of ET featured the complete list of 309 URLs that were in the four block orders issued by the government to ISPs.

However, this did not result in fresh harm, demonstrating the fallacy of cyber war analogies. A cyber security expert, on the other hand, may be tempted to implement a 360Â° blanket surveillance to regulate speech, but as Gilmore again puts it, "If you're watching everybody, you're watching nobody."

In short, if your answer to bad speech is more censorship, more surveillance and more regulation, then as the internet meme goes, "You're Doing It Wrong".

For more details visit http://editors.cis-india.org/internet-governance/blog/economic-times-december-2-2012-sunil-abraham-online-censorship

Nishant Shah

sunil — 2008-11-01T07:57:58Z

For more details visit http://editors.cis-india.org/internet-governance/blog/uploads/nishantshah1.gif

Newspapers should empower citizen journalism

sunil — 2012-10-23T08:47:50Z

A single content-management system can be used to publish highly-targeted and customised content. Sunil Abraham, director, Centre for Internet and Society (CIS India), believes traditional newspapers should expose their primary research databases such as photos, video and audio recordings, and documents to the public using web technologies.

With every generation of technology, businesses are affected and have to reinvent themselves along with their business models. Today, this is very true of traditional newspapers and the Internet. To begin with, there is the opportunity and threat presented for traditional media by the rise of citizen journalists. Given the penetration of mobile phones, and the emergence of micro-blogging services like Twitter, it is possible for ordinary citizen to create press-worthy reportage.
Some initial experiments like Scoopt.com, Spy Media and Cell Journalist, which allowed citizen journalists to sell content to traditional media, have, by and large, failed, but I am certain there will be many commercial and non-commercial services emerging in this area, like — Demotix.com.

Demotix currently has 8,300 reporters from 110 countries. The second opportunity is the plurality of delivery mechanisms available, thanks to digital technologies. A single content-management system can be used to publish highly targeted and customised content across several digital technologies such as SMS, GPRS, Twitter, RSS, Email, HTML, etc. Some of these formats like LATEX and PDF allow readers to print out personalised individual and institutional newspapers.

Most of these technology options are not exercised because of the conservatism of the marketing departments. Those responsible for collecting advertisement revenues and maintaining sales target keep asking 'how can we monetise that piece of content'. Their traditional business model only allows them to target subscribers and advertisers.

Once they account for their role in public attention aggregation and bandwidth consumption they could try and generate income from Internet service providers and telecom operators.

The third opportunity is interactivity. These days, a story no longer ends when the ink hits the paper. That is only considered the beginning, and there is sufficient discussion today about the transformative role played by citizens on mailing lists, discussion forums, blogs and wiki, ensuring that the story continues. I would like to focus on the process before the story hits the press or the content-management system, especially those stories that need sustained investigation or exhaustive time-consuming research. I believe traditional newspapers should expose their primary research databases such as photos, video and audio recordings, and documents to the public using web technologies.

If this is done in a truly open and transparent manner, online volunteer energy will lend a much-needed shoulder to traditional journalism. As a consequence, the reader will be engaged even before the story.

Link to the original article (Page 12)

For more details visit http://editors.cis-india.org/news/newspapers-should-empower-citizen-journalism

Net Freedom Campaign Loses its Way

sunil — 2014-05-27T11:07:04Z

A recent global meet was a victory for governments and the private sector over civil society interests.

The article was published in the Hindu Businessline on May 10, 2014.

One word to describe NetMundial: Disappointing! Why? Because despite the promise, human rights on the Internet are still insufficiently protected. Snowden’s revelations starting last June threw the global Internet governance processes into crisis.

Things came to a head in October, when Brazil’s President Dilma Rousseff, horrified to learn that she was under NSA surveillance for economic reasons, called for the organisation of a global conference called NetMundial to accelerate Internet governance reform.

The NetMundial was held in São Paulo on April 23-24 this year. The result was a statement described as “the non-binding outcome of a bottom-up, open, and participatory process involving … governments, private sector, civil society, technical community, and academia from around the world.” In other words — it is international soft law with no enforcement mechanisms.

The statement emerges from “broad consensus”, meaning governments such as India, Cuba and Russia and civil society representatives expressed deep dissatisfaction at the closing plenary. Unlike an international binding law, only time will tell whether each member of the different stakeholder groups will regulate itself.

Again, not easy, because the outcome document does not specifically prescribe what each stakeholder can or cannot do — it only says what internet governance (IG) should or should not be. And finally, there’s no global consensus yet on the scope of IG. The substantive consensus was disappointing in four important ways:

Mass surveillance : Civil society was hoping that the statement would make mass surveillance illegal. After all, global violation of the right to privacy by the US was the raison d'être of the conference.

Instead, the statement legitimised “mass surveillance, interception and collection” as long as it was done in compliance with international human rights law. This was clearly the most disastrous outcome.

Access to knowledge: The conference was not supposed to expand intellectual property rights (IPR) or enforcement of these rights. After all, a multilateral forum, WIPO, was meant to address these concerns. But in the days before the conference the rights-holders lobby went into overdrive and civil society was caught unprepared.

The end result — “freedom of information and access to information” or right to information in India was qualified “with rights of authors and creators”. The right to information laws across the world, including in India, contains almost a dozen exemptions, including IPR. The only thing to be grateful for is that this limitation did not find its way into the language for freedom of expression.

Intermediary liability: The language that limits liability for intermediaries basically provides for a private censorship regime without judicial oversight, and without explicit language protecting the rights to freedom of expression and privacy. Even though the private sector chants Hillary Clinton's Internet freedom mantra — they only care for their own bottomlines.

Net neutrality: Even though there was little global consensus, some optimistic sections of civil society were hoping that domestic best practice on network neutrality in Brazil’s Internet Bill of Right — also known as Marco Civil, that was signed into law during the inaugural ceremony of NetMundial — would make it to the statement. Unfortunately, this did not happen.

For almost a decade since the debate between the multi-stakeholder and multilateral model started, the multi-stakeholder model had produced absolutely nothing outside ICANN (Internet Corporation for Assigned Names and Numbers, a non-profit body), its technical fraternity and the standard-setting bodies.

The multi-stakeholder model is governance with the participation (and consent — depending on who you ask) of those stakeholders who are governed. In contrast, in the multilateral system, participation is limited to nation-states.

Civil society divisions

The inability of multi-stakeholderism to deliver also resulted in the fragmentation of global civil society regulars at Internet Governance Forums.

But in the run-up to NetMundial more divisions began to appear. If we ignore nuances — we could divide them into three groups. One, the ‘outsiders’ who are best exemplified by Jérémie Zimmermann of the La Quadrature du Net. Jérémie ran an online campaign, organised a protest during the conference and did everything he could to prevent NetMundial from being sanctified by civil society consensus.

Two, the ‘process geeks’ — for these individuals and organisations process was more important than principles. Most of them were as deeply invested in the multi-stakeholder model as ICANN and the US government and some who have been riding the ICANN gravy train for years.

Even worse, some were suspected of being astroturfers bootstrapped by the private sector and the technical community. None of them were willing to rock the boat. For the ‘process geeks’, seeing politicians and bureaucrats queue up like civil society to speak at the mike was the crowning achievement.

Three, the ‘principles geeks’ perhaps best exemplified by the Just Net Coalition who privileged principles over process. Divisions were also beginning to sharpen within the private sector. For example, Neville Roy Singham, CEO of Thoughtworks, agreed more with civil society than he did with other members of the private sector in his interventions.

In short, the ‘outsiders’ couldn't care less about the outcome and will do everything to discredit it, the ‘process geeks’ stood in ovation when the outcome document was read at the closing plenary and the ‘principles geeks’ returned devastated.

For the multi-stakeholder model to survive it must advance democratic values, not undermine them.

This will only happen if there is greater transparency and accountability. Individuals, organisations and consortia that participate in Internet governance processes need to disclose lists of donors including those that sponsor travel to these meetings.

For more details visit http://editors.cis-india.org/internet-governance/blog/the-hindu-business-line-may-10-2014-sunil-abraham-net-freedom-campaign-loses-its-way

Multiple Aspects Need to be Addressed as the Clamour Grows for Network Neutrality

sunil — 2015-04-16T13:33:03Z

In the global debate there are four violations of Network Neutrality that are considered particularly egregious.

The article was published in DNA on April 16, 2015.

One — blocking of destinations or services in order to force the consumer to pay extra charges for access, two — not charging or zero-rating of certain destinations and services with or without extraction of payment from the sender or destination, and three — throttling or prioritisation of traffic between competing destinations or services and four — specialised services wherein the very same Internet infrastructure is used to provide non-Internet but IP based services such as IP-TV.

The main harms of network neutrality violations are as follows: one, censorship by private parties without legal basis; two, innovation harms because the economic threshold for new entrants is raised significantly; three, competition harms as monopolies become more entrenched and then are able to abuse their dominant position; four, harms to diversity because of the nudge effect that free access to certain services and destinations has on consumers reducing the infinite plurality of the Internet to a set of menu options. The first and fourth harm could result in the Internet being reduced to a walled garden.

It is insufficient to try and address this with networking rules for engineers such as “all packets should be treated equally.” But a set of principles could be developed that can help us grow access without violating network neutrality. Wikimedia Foundation has already developed their principles which they call “Wikipedia Zero Operating Principles”. In India our principles could include the following. One, no blocking without legal basis. Two, transparency — all technical and commercial arrangements are to be disclosed to the public. Three, non-exclusivity — all arrangements should be available to all parties, no special deals for those you favour. Four, non-discrimination between equals — technologies and entities that are alike should be treated alike. Five, necessity — whilst some measure may be required occasionally when there is network congestion they should be rolled back in a time-bound fashion.

Once these principles are enforced through a network neutrality regulation, ISPs and telecom operators will be allowed to innovate with business and payment models. Steve Song, inventor of Village Telco says “My preferred take on zero-rating would be to zero-rate gprs/edge data in general so that there is a minimum basic access for all.” My colleague Pranesh Prakash says “One possibility, of many, is to create a single marketplace or exchange for zero-rating, through which one can zero-rate on all telecom networks for standard tiered rates that they publish, and terms that are known to the regulator. Banning is akin to a brahmastra in a regulator's arsenal: it should not be used lightly” Jochai Ben-Avie of Mozilla told me yesterday of experiments in Bangladesh where consumers watch an advertisement everyday in exchange for 5Mb of data. My own suggestion to address the harms caused by walled gardens would be to make them leak – mandate that unfettered access to the Internet be provided every other hour.

There is many other ways in which the Internet has been transformed in India and other countries but these are not commonly considered network neutrality violations. Here are some examples. One, blocking of port 25 — a port that is commonly used to relay email spam. Two, blocking of port 80 – so that domestic connections cannot be used to host web servers. Three, the use of private IP addresses, ISPs who are delaying migration to IPv6 infrastructure because of cost implications leverage their IPv4 address inventory by using Carrier Grade — Network Address Translators [CG-NATs]. Four, asymmetric connections where download speeds for consumers are faster than upload speeds. With the exception of the first example — all of them affect end users negatively but do not usually impact corporations and therefore have been unfortunately sidelined in the global debate.

The TRAI consultation paper reveals many of the concerns of the telecom operators that go beyond the scope of network neutrality. Many of these concerns are very legitimate. There is a scarcity of spectrum — this could partially be addressed by auctioning more spectrum, scientific management of spectrum, promotion of shared spectrum and unlicensed spectrum. Their profit margins are thinning – this could be addressed by dismantling the Universal Service Obligation Fund, it is after all as Rohan Samarajiva puts it “a tax on the poor.” Internet companies don't pay taxes – this could be addressed by the Indian government, by adopting the best practices from the OECD around preventing tax avoidance. But some of their concerns cannot be addressed because of the technological differences between telecom and Internet networks. While it is relatively easy to require telecom companies to provide personal information and allow for interception of communications, those Internet companies that use end-to-end encryption cannot divulge personal information or facilitate interception because it is technologically impossible. While the first two concerns could be addressed by TRAI, the last two should be addressed by other ministries and departments in the Indian government.

There are other concerns that are much more difficult to address without the deep understanding of latest advancements in radio communication, signal processing and congestion control techniques in packet switched networks. A telecom expert who did not wish to be identified told me that “even 2G TDM voice is 10 to 15 times more efficient when compared to VOIP. IP was developed to carry data, and is therefore not an efficient mode to carry voice as overhead requirement for packets destroys the efficiency on voice. Voice is best carried close to the physical layer where the overheads are lowest.” He claims that since “VOIP calls are spectrally inefficient they should be discouraged” through differential pricing. We need accessible scientific literature and monitoring infrastructure so that an evidence base around concerns like this can be created so as to address them effectively through regulatory interventions.

You know you have reached a policy solution when all concerned stakeholders are equally unhappy. Unfortunately, the TRAI consultation paper assumes that Internet companies operate in a regulatory vacuum and therefore places much unnecessary focus on the licensing of these companies. This is a disastrous proposal since the Internet today is the result of “permission-less innovation”. The real issue is network neutrality and one hopes that after rigorous debate informed by scientific evidence TRAI finds a way to spread unhappiness around equally.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation which has zero-rating alliances with telecom operators in many countries across the world.

For more details visit http://editors.cis-india.org/internet-governance/blog/dna-april-16-2015-sunil-abraham-multiple-aspects-need-to-be-addressed-as-the-clamour-grows-for-network-neutrality

MS Format

admin — 2011-08-23T03:07:11Z

For more details visit http://editors.cis-india.org/openness/publications/standards/uploads/response-to-indian-open-standards-policy-10-sept-2008.doc

Members

sunil — 2009-06-19T14:16:51Z

The members of the Society registered under Karnataka Societies Act are Vibodh Parthasarathi, Atul Ramachandra, Achal Prabhala, Lawrence Liang, Subbiah Arunachalam, Nishant Shah, and Sunil Abraham.

Vibodh Parthasarathi

Vibodh Parthasarathi maintains a multidisciplinary interest in the creative industries, cross-national communication policy, business history of the media and governance of media infrastructure. Currently at the Centre for Culture, Media & Governance, Jamia Millia Islamia, he has held positions at the Centre for Jawaharlal Nehru Studies, also at Jamia, Centre for Co-operative Research in Social Sciences, and Manipal Institute of Communication. He is the co-editor of L’idiot du Village Mondial (Editions Luc Pire/ECLM, 2004), Media and Mediation (Sage, 2005) and The Social and the Symbolic (Sage, 2007). His work has attracted support variously from the India Foundation for the Arts, Netherlands Fellowship Programme, Charles Leopold Mayer Foundation, Prince Klaus Fund, Charles Wallace India Trust and Commonwealth Fund for Technical Co-operation. Periodically on assignments in business development and television production with the media industry, his last documentary Crosscurrents: A Fijian Travelogue (2001) explored the underbelly of ‘reconciliation’ following a decade of military coups in Fiji. Vibodh’s nominations include Non Executive Director, Kadam Films Ltd. (New Delhi); Independent Director, Centre for Social Ecology (Jaipur); Founding International Member, Intercultural Library for the Future (Paris); Associate, South Asian Poverty Network Association (Colombo); and, Member, Academic Council, Institute of Social Studies (The Hague).

Atul Ramachandra

Atul Ramachandra has a background in New Media having worked for 8 years with Explocity, a News Corp company, joining them at the set-up of their expansion with VC funding, looking after operations, budget control, management and selection of technology and technology providers with an accent on open source platforms. He completed his stint at Explocity as VP - Digital, having been in charge of developing new digital media products for the Internet and Mobile phones.

He is currently Project Director setting up a self-sustaining news and information service on mobile phones, for the urban slums of Kolkata. The project is funded by the European Commission through a grant to Internews Europe, a non-profit International news agency. Prior to this, he has over a decade of experience in the solar and renewable energy sector and has worked on product development and technical marketing. A graduate in applied physics (5 year MS) from IIT Delhi (1981), Atul specialised in Solar Energy and he has 3 years of post-graduate work at Southern Illinois University at Carbondale, USA. His interests are product development and innovation, new trends in technology and web enabling of products and services. He continues to be interested in the area of new and renewable energy sources and new applications powered by them and technology for the supply of potable water powered by solar energy.

Achal Prabhala

Achal Prabhala is a writer and researcher based in Bangalore. He works primarily on intellectual property; previously, he worked in media, mainly in television and print. From 2004-2006, he coordinated the Access to Learning Materials Project in Southern Africa from Johannesburg. He works on aspects of patent and copyright systems, in relation to access to medicines and access to knowledge. Some representative publications by him include Battling HIV/AIDS – A Decision Maker's Guide to the Procurement of Medicines and Related Supplies, Intellectual Property, Education and Access to Knowledge in Southern Africa, Response to Indian Copyright Law Amendment, and Reconsidering the Pirate Nation: Notes from South Africa and India.

For more details visit http://editors.cis-india.org/about/people/members

Linking Aadhaar with social media or ending encryption is counterproductive

sunil — 2019-08-28T01:39:47Z

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move.

The article was published in Prime Time on August 26, 2019.

The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:

Identity data: Phone numbers of the accused. Names and addresses of the accused.
Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.
Payload Data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

For more details visit http://editors.cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive

Lining up the data on the Srikrishna Privacy Draft Bill

sunil — 2018-07-31T02:52:23Z

In the run-up to the Justice BN Srikrishna committee report, some stakeholders have advocated that consent be eliminated and replaced with stronger accountability obligations. This was rejected and the committee has released a draft bill that has consent as the bedrock just like the GDPR. And like the GDPR there exists legal basis for nonconsensual processing of data for the “functions of the state”. What does this mean for lawabiding persons?

The article was published in Economic Times on July 30, 2018

Non-consensual processing is permitted in the bill as long it is “necessary for any function of the” Parliament or any state legislature. These functions need not be authorised by law.

Or alternatively “necessary for any function of the state authorised by law” for the provision of a service or benefit, issuance of any certification, licence or permit.
Fortunately, however, the state remains bound by the eight obligations in chapter two i.e., fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice and data quality and data storage limitations and accountability. This ground in the GDPR has two sub-clauses: one, the task passes the public interest test and two, the loophole like the Indian bill that possibly includes all interactions the state has with all persons.

The “necessary” test appears both on the grounds for non-consensual processing, and in the “collection limitation” obligation in chapter two of the bill. For sensitive personal data, the test is raised to “strictly necessary”. But the difference is not clarified and the word “necessary” is used in multiple senses.

Under the “collection limitation” obligation the bill says “necessary for the purposes of processing” which indicates a connection to the “purpose limitation” obligation. The “purpose limitation” obligation, however, only requires the state to have a purpose that is “clear, specific and lawful” and processing limited to the “specific purpose” and “any other incidental purpose that the data principal would reasonably expect the personal data to be used for”. It is perhaps important at this point to note that the phrase “data minimisation” does not appear anywhere in the bill.

Therefore “necessary” could broadly understood to mean data Parliament or the state legislature requires to perform some function unauthorised by law, and data the citizen might reasonably expect a state authority to consider incidental to the provision of a service or benefit, issuance of a certificate, licence or permit.

Or alternatively more conservatively understood to mean data without which it would be impossible for Parliament and state legislature to carry out functions mandated by the law, and data without it would be impossible for the state to provide the specific service or benefit or issue certificates, licences and permits. It is completely unclear like with the GDPR why an additional test of “strictly necessary” is — if you will forgive the redundancy — necessary.

After 10 years of Aadhaar, the average citizen “reasonably expects” the state to ask for biometric data to provide subsidised grain. But it is not impossible to provide subsidised grain in a corruption-free manner without using surveillance technology that can be used to remotely, covertly and non-consensually identify persons. Smart cards, for example, implement privacy by design. Therefore a “reasonable expectation” test is not inappropriate since this is not a question about changing social mores.

When it comes to persons that are not law abiding the bill has two exceptions — “security of the state” and “prevention, detection, investigation and prosecution of contraventions of law”. Here the “necessary” test is combined with the “proportionate” test.

The proportionate test further constrains processing. For example, GPS data may be necessary for detecting someone has jumped a traffic signal but it might not be a proportionate response for a minor violation. Along with the requirement for “procedure established by law”, this is indeed a well carved out exception if the “necessary” test is interpreted conservatively. The only points of concern here is that the infringement of a fundamental right for minor offences and also the “prevention” of offences which implies processing of personal data of innocent persons.

Ideally consent should be introduced for law-abiding citizens even if it is merely tokenism because you cannot revoke consent if you have not granted it in the first place. Or alternatively, a less protective option would be to admit that all egovernance in India will be based on surveillance, therefore “necessary” should be conservatively defined and the “proportionate” test should be introduced as an additional safeguard.

For more details visit http://editors.cis-india.org/internet-governance/blog/economic-times-july-30-2018-sunil-abraham-lining-up-data-on-srikrishna-privacy-draft-bill

J. T. D'souza

sunil — 2008-09-23T10:50:54Z

For more details visit http://editors.cis-india.org/openness/publications/software-patents/JTDs-position-on-DPM.pdf

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

Internet censorship will continue in opaque fashion

sunil — 2015-03-26T02:07:28Z

A division bench of the Supreme Court has ruled on three sections of the Information Technology Act 2000 - Section 66A, Section 79 and Section 69A. The draconian Section 66A was originally meant to tackle spam and cyber-stalking but was used by the powerful elite to crack down on online dissent and criticism.

The article by Sunil Abraham was published in the Times of India on March 25, 2015.

Section 79 was meant to give immunity to internet intermediaries for liability emerging from third-party speech, but it had a chilling effect on free speech because intermediaries erred on the side of caution when it came to deciding whether the content was legal or illegal.

And Section 69A was the web blocking or internet censorship provision, but the procedure prescribed did not adhere to the principles of natural justice and transparency. For instance, when books are banned by courts, the public is informed of such bans but when websites are banned in India, there's no clear message from the Internet Service Provider.

The Supreme Court upheld 69A, so web blocking and internet censorship in India will continue to happen in an opaque fashion which is worrying. But on 66A and 79, the landmark judgment protects the right to free speech and expression. It struck down 66A in entirety, saying the vague and imprecise language made the provision unconstitutional and it interfered with "the right of the people to know - the market place of ideas - which the internet provides to persons of all kinds". However, it only read down Section 79 saying "unlawful acts beyond what is laid down" as reasonable restrictions to the right to free speech in the Constitution "obviously cannot form any part" of the section. In short, the court has eliminated any additional restrictions for speech online even though it admitted that the internet is "intelligibly different" from traditional media and might require additional laws to be passed by the Indian Parliament."

For more details visit http://editors.cis-india.org/internet-governance/blog/the-times-of-india-march-25-2015-sunil-abraham-internet-censorship-will-continue-in-opaque-fashion

Intermediary liability law needs updating

sunil — 2019-02-13T00:05:30Z

The time has come for India to exert its foreign policy muscle. There is a less charitable name for intermediary liability regimes like Sec 79 of the IT Act — private censorship regimes.

The article was published in Business Standard on February 9, 2019.

Intermediaries get immunity from liability emerging from user-generated and third-party content because they have no “actual knowledge” until it is brought to their notice using “take down” requests or orders.

Since some of the harm caused is immediate, irreparable and irreversible, it is the preferred alternative to approaching courts for each case. When intermediary liability regimes were first enacted, most intermediaries were acting as common carriers — ie they did not curate the experience of users in a substantial fashion. While some intermediaries like Wikipedia continue this common carrier tradition, others driven by advertising revenue no longer treat all parties and all pieces of content neutrally. Facebook, Google and Twitter do everything they can to raise advertising revenues. They make you depressed. And if they like you, they get you to go out and vote. There is an urgent need to update intermediary liability law.

In response to being summoned by multiple governments, Facebook has announced the establishment of an independent oversight board. A global free speech court for the world’s biggest online country. The time has come for India to exert its foreign policy muscle. The amendments to our intermediary liability regime can have global repercussions, and shape the structure and functioning of this and other global courts.

While with one hand Facebook dealt the oversight board, with the other hand it took down APIs that would enable press and civil society to monitor political advertising in real time. How could they do that with no legal consequences? The answer is simple — those APIs were provided on a voluntary basis. There was no law requiring them to do so.

There are two approaches that could be followed. One, as scholar of regulatory theory Amba Kak puts it, is to “disincentivise the black box”. Most transparency reports produced by intermediaries today are on a voluntary basis; there is no requirement for this under law. Our new law could require a extensive transparency with appropriate privacy safeguards for the government, affected parties and the general public in terms of revenues, content production and consumption, policy development, contracts, service-level agreements, enforcement, adjudication and appeal. User empowerment measures in the user interface and algorithm explainability could be required. The key word in this approach is transparency.

The alternative is to incentivise the black box. Here faith is placed in technological solutions like artificial intelligence. To be fair, technological solutions may be desirable for battling child pornography, where pre-censorship (or deletion before content is published) is required. Fingerprinting technology is used to determine if the content exists in a global database maintained by organisations like the Internet Watch Foundation. A similar technology called Content ID is used pre-censor copyright infringement. Unfortunately, this is done by ignoring the flexibilities that exist in Indian copyright law to promote education, protect access knowledge by the disabled, etc. Even within such narrow application of technologies, there have been false positives. Recently, a video of a blogger testing his microphone was identified as a pre-existing copyrighted work.

The goal of a policy-maker working on this amendment should be to prevent repeats of the Shreya Singhal judgment where sections of the IT Act were read down or struck down. To avoid similar constitution challenges in the future, the rules should not specify any new categories of illegal content, because that would be outside the scope of the parent clause. The fifth ground in the list is sufficient — “violates any law for the time being in force”. Additional grounds, such as “harms minors in anyway”, is vague and cannot apply to all categories of intermediaries — for example, a dating site for sexual minorities. The rights of children need to be protected. But that is best done within the ongoing amendment to the POCSO Act.

As an engineer, I vote to eliminate redundancy. If there are specific offences that cannot fit in other parts of the law, those offences can be added as separate sections in the IT Act. For example, even though voyeurism is criminalised in the IT Act, the non-consensual distribution of intimate content could be criminalised, as it has been done in the Philippines.

Provisions that have to do with data retention and government access to that data for the purposes of national security, law enforcement and also anonymised datasets for the public interest should be in the upcoming Data Protection law. The rules for intermediary liability is not the correct place to deal with it, because data retention may also be required of those intermediaries that don’t handle any third-party information or user generated content. Finally, there have to be clear procedures in place for reinstatement of content that has been taken down.

Disclosure: The Centre for Internet and Society receives grants from Facebook, Google and Wikimedia Foundation

For more details visit http://editors.cis-india.org/internet-governance/blog/business-standard-february-9-2019-sunil-abraham-intermediary-liability-law-needs-updating