Centre for Internet and Society

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit http://editors.cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Freedom from Monitoring: India Inc Should Push For Privacy Laws

sunil — 2013-08-21T07:04:48Z

More surveillance than absolutely necessary actually undermines the security objective.

This article by Sunil Abraham was published in Forbes India Magazine on August 21, 2013.

I think I understand why the average Indian IT entrepreneur or enterprise does not have a position on blanket surveillance. This is because the average Indian IT enterprise’s business model depends on labour arbitrage, not intellectual property. And therefore they have no worries about proprietary code or unfiled patent applications being stolen by competitors via rogue government officials within projects such as NATGRID, UID and, now, the CMS.

A sub-section of industry, especially the technology industry, will always root for blanket surveillance measures. The surveillance industry has many different players, ranging from those selling biometric and CCTV hardware to those providing solutions for big data analytics and legal interception systems. There are also more controversial players who provide spyware, especially those in the market for zero-day exploits. The cheerleaders for the surveillance industry are techno-determinists who believe you can solve any problem by throwing enough of the latest and most expensive technology at it.

What is surprising, though, is that other indigenous or foreign enterprises that depend on secrecy and confidentiality—in sectors such a banking, finance, health, law, ecommerce, media, consulting and communications—also don’t seem to have a public position on the growing surveillance ambitions of ‘democracies’ such as India and the United States of America. (Perhaps the only exceptions are a few multinational internet and software companies that have made some show of resistance and disagreement with the blanket surveillance paradigm.)

Is it because these businesses are patriotic? Do they believe that secrecy, confidentiality and, most importantly, privacy, must be sacrificed for national security? If that were true then it would not be a particularly wise thing to do, as privacy is the precondition for security. Ann Cavoukian, privacy commissioner of Ontario, calls it a false dichotomy. Bruce Schneier, security technologist and writer, calls it a false zero sum game; he goes on to say, “There is no security without privacy. And liberty requires both security and privacy.”

The reason why the secret recipe of Coca Cola is still secret after over 120 years is the same as the reason why a captured soldier cannot spill the beans on the overall war strategy. Corporations, like militaries, have layers and layers of privacy and secrecy. The ‘need to know’ principle resists all centralising tendencies, such as blanket surveillance. It’s important to note that targeted surveillance to identify a traitor or spy within the military, or someone engaged in espionage within a corporation, is pretty much an essential. However, any more surveillance than absolutely necessary actually undermines the security objective. To summarise, privacy is a pre-condition to the security of the individual, the enterprise, the military and the nation state.

Most people complaining online about projects like the Central Monitoring System seem to think that India has no privacy laws. This is completely untrue: We have around 50 different laws, rules and regulations that aim to uphold privacy and confidentiality in various domains. Unfortunately, most of those policies are very dated and do not sufficiently take into account the challenges of contemporary information societies. These policy documents need to be updated and harmonised through the enactment of a new horizontal privacy law. A small minority will say that Section 43(A) of the Information Technology Act is the India privacy law. That is not completely untrue, but is a gross exaggeration. Section 43(A) is really only a data security provision and, at that, it does not even comprehensively address data protection, which is only a sub-set of the overall privacy regulation required in a nation.

What would an ideal privacy law for India look like? For one, it would protect the rights of all persons, regardless of whether they are citizens or residents. Two, it would define privacy principles. Three, it would establish the office of an independent and autonomous privacy commissioner, who would be sufficiently empowered to investigate and take action against both government and private entities. Four, it would define civil and criminal offences, remedies and penalties. And five, it would have an overriding effect on previous legislation that does not comply with all the privacy principles.

The Justice AP Shah Committee report, released in October 2012, defined the Indian privacy principles as notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability. The report also lists the exemptions and limitations, so that privacy protections do not have a chilling effect on the freedom of expression and transparency enabled by the Right to Information Act.

The Department of Personnel and Training has been working on a privacy bill for the last three years. Two versions of the bill had leaked before the Justice AP Shah Committee was formed. The next version of the bill, hopefully implementing the recommendations of the Justice AP Shah Committee report, is expected in the near future. In a multi-stakeholder-based parallel process, the Centre for Internet and Society (where I work), along with FICCI and DSCI, is holding seven round tables on a civil society draft of the privacy bill and the industry-led efforts on co-regulation.

The Indian ITES, KPO and BPO sector should be particularly pleased with this development. As should any other Indian enterprise that holds personal information of EU and US nationals. This is because the EU, after the enactment of the law, will consider data protection in India adequate as per the requirements of its Data Protection Directive. This would mean that these enterprises would not have to spend twice the time and resources ensuring compliance with two different regulatory regimes.

Is the lack of enthusiasm for privacy in the Indian private sector symptomatic of Indian societal values? Can we blame it on cultural relativism, best exemplified by what Simon Davies calls “the Indian Train Syndrome, in which total strangers will disclose their lives on a train to complete strangers”? But surely, when email addresses are exchanged at the end of that conversation, they are not accompanied by passwords. Privacy is perhaps differently configured in Indian societies but it is definitely not dead. Fortunately for us, calls to protect this important human right are growing every day.

For more details visit http://editors.cis-india.org/internet-governance/blog/forbesindia-article-august-21-2013-sunil-abraham-freedom-from-monitoring

Free Basics: Negating net parity

sunil — 2016-01-03T05:58:00Z

Researchers funded by Facebook were apparently told by 92 per cent of Indians they surveyed from large cities, with Internet connection and college degree, that the Internet “is a human right and that Free Basics can help bring Internet to all of India.” What a strange way to frame the question given that the Internet is not a human right in most jurisdictions.

The article was published in the Deccan Herald on January 3, 2016.

Free Basics is gratis service offered by Facebook in partnership with telcos in 37 countries. It is a mobile app that features less than a 100 of the 1 billion odd websites that are currently available on the WWW which in turn is only a sub-set of the Internet. Free Basics violates Net Neutrality because it introduces an unnecessary gatekeeper who gets to decide on “who is in” and “who is out”. Services like Free Basics could permanently alienate the poor from the full choice of the Internet because it creates price discrimination hurdles that discourage those who want to leave the walled garden.

Inika Charles and Arhant Madhyala, two interns at Centre for Internet and Society (CIS), surveyed 1/100th of the Facebook sample, that is, 30 persons with the very same question at a café near our office in Bengaluru. Seventy per cent agreed with Facebook that the Internet was a human right but only 26 per cent thought Free Basics would achieve universal connectivity. My real point here is that numbers don’t matter. At least not in the typical way they do. Facebook dismissed Amba Kak’s independent, unfunded, qualitative research in Delhi, in their second public rebuttal, saying the sample size was only 20.

That was truly ironical. The whole point of her research was the importance of small numbers. Kak says, “For some, it was the idea of an ‘emergency’ which made all-access plans valuable.” A respondent stated: “But maybe once or twice a month, I need some information which only Google can give me... like the other day my sister needed to know results to her entrance exams.” If you consider that too mundane, take a moment to picture yourself stranded in the recent Chennai flood. The statistical rarity of a Black Swan does not reduce its importance. A more neutral network is usually a more resilient network. When we do have our next national disaster, do we want to be one of the few countries on the planet who, thanks to our flawed regulation, have ended up with a splinternet?

Telecom Regulatory Authority of India (Trai) chairman R S Sharma rightly expressed some scepticism around numbers when he said “the consultation paper is not an opinion poll.” He elaborated: “The issue here is some sites are being offered to one person free of cost while another is paying for it. Is this a good thing and can operators have such powers?” Had he instead asked “Is this the best option?” my answer would be “no”. Given the way he has formulated the question, our answer is a lawyerly “it depends”. The CIS believes that differential pricing should be prohibited. However, it can be allowed under certain exceptional standards when it is done in a manner that can be justified by the regulator against four axes of sometimes orthogonal policy objectives. They are increased access, enhanced competition, increased user choice and contribution to openness. For example, a permanent ban on Free Basics makes sense in the Netherlands but regulation may be sufficient for India.

Gatekeeping powers

To the second and more important part to Trai chairman’s second question on gatekeeping powers of operators, our answer is a simple “no”. But then, do we have any evidence that gatekeeping powers have been abused to the detriment of consumer and public interest? No. What do we do when we cannot, like Russell’s chicken, use induction to explain our future? Prof Simon Wren-Lew says, “If Bertrand Russell’s chicken had been an economist ...(it would have)... asked a crucial additional question: Why is the farmer doing this? What is in it for him?” There were five serious problems with Free Basics that Facebook has at least partially fixed, thanks mostly to criticism from consumers in India and Brazil. One, exclusivity with access provider; two, exclusivity with a set of web services; three, lack of transparency regarding retention of personal information; four, misrepresentation through the name of the service, Internet.org and five, lack of support for encrypted traffic. But how do we know these problems will stay fixed? Emerging markets guru Jan Chipchase tweeted asking “Do you trust Facebook? Today? Tomorrow? When its share price is under pressure and it wants to wring more $$$ from the platform?”

Zero. Facebook pays telecom operators zero. The operators pay Facebook zero. The consumers pay zero. Why do we need to regulate philanthropy? Because these freebies are not purely the fruit of private capital. They are only possible thanks to an artificial state-supported oligopoly dependent on public resources like spectrum and wires (over and under public property). Therefore, these oligopolies much serve the public interest and also ensure that users are treated in a non-discriminatory fashion.

Also provision of a free service should not allow powerful corporations to escape regulation–in jurisdictions like Brazil it is clear that Facebook has to comply with consumer protection law even if users are not paying for the service. Given that big data is the new oil, Facebook could pay the access provider in advertisements or manipulation of public discourse or by tweaking software defaults such as autoplay for videos which could increase bills of paying consumers quite dramatically.

India needs a Net Neutrality regime that allows for business models and technological innovation as long as they don’t discriminate between users and competitors. The Trai should begin regulation based on principles as it has rightly done with the pre-emptive temporary ban. But there is a need to bring “numbers we can trust” to the regulatory debate. We as citizens need to establish a peer-to-peer Internet monitoring infrastructure across mobile and fixed lines in India that we can use to crowd source data.

(The writer is Executive Director, Centre for Internet and Society, Bengaluru. He says CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world)

For more details visit http://editors.cis-india.org/internet-governance/blog/deccan-herald-january-3-2016-sunil-abraham-free-basics-negating-net-parity

Fixing Aadhaar: Security developers' task is to trim chances of data breach

sunil — 2018-01-10T16:47:59Z

The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.

The article was published in Business Standard on January 10, 2017

I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.

The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.

In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language, for layman the key takeaway is a single national ID for all persons and all purposes is an ahistorical and unworkable solution.

Revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters

monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.

Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.

On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifier where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible referring to a similar scheme in the LSE identity report.Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

For more details visit http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar

Financial Speculation as Urban Planning

sunil — 2011-04-05T04:36:21Z

Talk by Prof Michael Goldman

A talk by Michael Goldman followed by an open discussion organised by a group of concerned citizens and the Centre for Internet and Society, about the roots of the US financial crisis and related dynamics in "world city" planning, such as that here in Bangalore.

Speaker Bio

Michael Goldman
Associate Professor
Dept of Sociology
Univ of Minnesota, Minneapolis, MN
McKnight Presidential Fellow

Interest Areas: Transnational, political, environmental, and development sociology; Sociology of knowledge and power; Transnational institutions (international finance, expert networks).

Current Research: Neoliberalism and its discontents; the making of a world city: Bangalore, India; “Water for All”/ water privatization policies; development and environment in North-South relations.

Recent Publications

“How ‘Water for All!’ Became Hegemonic: The Power of the World Bank and its Transnational Policy Networks.” 2007. Geoforum special issue on global water policy, 38(5): 786-800.
“Under New Management: Historical Context and Current Challenges at the World Bank.” 2007. Brown Journal of World Affairs, special issue on Wolfowitz’s Bank, Vol. XIII: 2, Summer 2007.
“El neoliberalismo verde.” 2006. Chapter in Las Politicas de la Tierra, Alfonso Guerra and Jose Felix Tezanos, eds. Madrid: Editorial Sistema.
Imperial Nature: The World Bank and Struggles for Social Justice in the Age of Globalization. 2005. New Haven, CT and London: Yale University Press. Yale UP paperback edition, 2006; India edition, Orient Longman Press, 2006; Japanese edition, Kyoto University Press, 2008.
“World Bank.” 2005. Entry in Encyclopedia of International Development, Tim Forsyth, ed., London: Routledge.
“Tracing the Routes/Roots of World Bank Power.” 2005. International Journal of Sociology and Social Policy, special issue on global water policy, 25(1/2): 10-29.
“The Birth of a Discipline: Producing Authoritative Green Knowledge for the World (Bank).” 2005. Chapter in Earthly Politics: Local and Global in Environmental Governance, Sheila Jasanoff and Marybeth Long, eds. Cambridge, MA: MIT Press.
“La tragedia della recinzione dei beni comuni.” 2005. Beni Comuni: Fra Tradizione e Futuro, Giovanna Ricoveri, ed., Rome: Editrice Missionaria Italiana.
“Eco-governmentality and Other Transnational Practices of a ‘Green’ World Bank.” 2004. in Liberation Ecologies 2nd ed. Richard Peet and Michael Watts, eds. London: Routledge.

For more details visit http://editors.cis-india.org/internet-governance/events/financial-speculation-as-urban-planning

Fear, Uncertainty and Doubt

sunil — 2015-04-17T01:44:39Z

Much confusion has resulted from the Section 66A verdict. Some people are convinced that online speech is now without any reasonable restrictions under Article 19 (2) of the Constitution. This is completely false.

There are many other provisions within the IT Act that still regulate speech online, for example the section on obscenity (Sec. 67) and also the data protection provision (Sec. 43A). Additionally there are provisions within the Indian Penal Code and other Acts that regulate speech both online and offline. For example, defamation remains a criminal offence under the IPC (Sec. 499), and disclosing information about children in a manner that lowers their reputation or infringes their privacy is also prohibited under the Protection of Children from Sexual Offences Act, 2012 (Sec. 23).

Others are afraid that the striking down of Section 66A results in a regulatory vacuum where it will be possible for bad actors to wreak havoc online because the following has been left unaddressed by the IT Act.

Criminal Intimidation: The phrase "criminal intimidation" was included in Sec. 66A(b), but the requirement was that intimidation should be carried out using "information which he knows to be false". Sec. 506 of the IPC which punishes criminal intimidation does not have this requirement and is therefore a better legal route for affected individuals, even though the maximum punishment is a year shorter than the three years possible under the IT Act.
Cyber-stalking: A new section for stalking - Sec. 345 D - was added into the IPC in 2013 which also recognised cyber stalking. The definition within Sec.345D is more precise compared to the nebulous phrasing in Sec. 66A, which read - "monitors the use by a woman of the internet, email or any other form of electronic communication, commits the offence of stalking".
Phishing: Sec. 66A (c) dealt with punishment to people who "deceive or mislead the addressee or recipient about the origin of such messages". Sec.66D, which will be the operative section after this verdict, deals with "cheating by impersonation" and forms a more effective safeguard against phishing.

Cyber-bulling of children is arguably left unaddressed. Most importantly, spam, the original intention behind 66A, now cannot be tackled using any existing provision of the law. However, the poorly drafted section made it impossible for law enforcement to crack down on spammers. A 2005 attempt by the ITU to produce model law for spam based on a comparative analysis of national laws resulted in several important best practices that were ignored during the 2008 Amendment of the Act. For example, the definition of spam must cover the following characteristics - mass, unsolicited and commercial. All of which was missing in 66A.

Good quality law must be drafted by an open, participatory process where all relevant stakeholders are consulted and responded to before bills are introduced in parliament.

A scanned copy of the article was published in the Deccan Chronicle on March 26, 2015.

For more details visit http://editors.cis-india.org/internet-governance/blog/deccan-chronicle-march-26-2015-sunil-abraham-fear-uncertainty-doubt

Facebook, privacy and India

sunil — 2013-09-26T11:40:00Z

Does Facebook's decision to open out user information and data to third party websites amount to an invasion of privacy and should users' seriously consider getting out of the site? Sunil Abraham doesn't think so.

Even if you aren’t a Facebook user (and most likely than not you are), chances are that you’ve at least heard that there are problems related to privacy settings on the site. The net has been abuzz with indignation over a decision by Facebook to open out user information and data to third party websites. A number of high profile Facebook users (and many more low profile ones) completely deactivated their accounts after the changes were announced by Founder and Chief executive Mark Zuckerberg and critics immediately pointed out that users were losing control of their personal information.

There have been a slew of articles condemning the move, and highlighting “dramatic” changes to the sites privacy policy. Most alarming perhaps being this slideshow compiled by Matt McKeon.

All these are legitimate concerns, but how worried should we be really? Should you be seriously considering getting off the site? “As long as you are a little smart about what you upload on Facebook, there is no need to do anything as drastic as deleting your account”, says Sunil Abraham the executive director of the Centre for Internet & society, based out of Bangalore. Abraham said that the issue has shown people the risk of uploading certain types of photographs and content on to the net, but most importantly highlights the need for a privacy commission in India.

“The EU has a commission which makes certain directives to sites like Facebook from time to time, which are then adhered to. India should also seriously consider setting up a similar commission, he said.

Facebook has mantained that its privacy settings are prominently displayed and can be easily accessed by users. But critics say that it is much too long and convoluted. The BBC reports that the policy in its current form has 50 different settings, 170 options and runs to 5,830 words, making it longer than the US Constitution. And the sheer volume of outrage has prompted a rethink of the privacy policy by Facebook, which since held an internal meeting to discuss the affair.

Abraham agrees that the issue of privacy is a complex one, but noted that the definition of what constituted “privacy” varied from culture to culture. “In India, it is perfectly normal for someone to ask someone else how much they earn, while such a question would be completely outside the boundaries of propriety in most Western countries”, he said. The issue with Facebook, he says, is that its desicion to change its privacy settings was tantamount to a breach of contract. “People who joined Facebook did so because they were comfortable with the settings and regulations available on the site. For Facebook to suddenly change that violates the spirit of that contract”, he said.

Meanwhile the founder and chief executive of Facebook Mark Zuckerberg has written an article in the Washington Post today directly addressing issues relating to privacy controls on the popular social networking site.

“The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark,”said Zuckerberg.

Read the article in Livemint

For more details visit http://editors.cis-india.org/news/facebook-privacy-india

Facebook's Fall from Grace: Arab Spring to Indian Winter

sunil — 2016-02-11T15:51:34Z

Facebook’s Free Basics has been permanently banned in India! The Indian telecom regulator, TRAI has issued the world’s most stringent net neutrality regulation! To be more accurate, there is more to come from TRAI in terms of net neutrality regulations especially for throttling and blocking but if the discriminatory tariff regulation is anything to go by we can expect quite a tough regulatory stance against other net neutrality violations as well.

The article was published in First Post on February 9, 2016. It can be read here.

Even the regulations it cites in the Explanatory Memorandum don’t go as far as it does. The Dutch regulation will have to be reformulated in light of the new EU regulations and the Chilean regulator has opened the discussion on an additional non-profit exception by allowing Wikipedia to zero-rate its content in partnership with telecom operators.

Bravo to Nikhil Pahwa, Apar Gupta, Raman Chima, Kiran Jonnalagadda and the thousands of volunteers at Save The Internet and associated NGOs, movements, entrepreneurs and activists who mobilized millions of Indians to stand up and petition TRAI to preserve some of the foundational underpinnings of the Internet. And finally bravo to Facebook for having completely undermined any claim to responsible stewardship of our information society through their relentless, shrill and manipulative campaign filled with the staggeringly preposterous lies. Having completely lost the trust of the Indian public and policy-makers, Facebook only has itself to blame for polarizing what was quite a nuanced debate in India through its hyperbole and setting the stage for this firm action by TRAI.

And most importantly bravo to RS Sharma and his team at TRAI for several reasons for the notification of “Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016” aka differential pricing regulations. The regulation exemplifies six regulatory best practices that I briefly explore below.

Transparency and Agility: Two months from start to finish, what an amazing turn around! TRAI was faced with unprecedented public outcry and also comments and counter-comments. Despite visible and invisible pressures, from the initial temporary ban on Free Basics to RS Sharma’s calm, collected and clear interactions with different stakeholders resulted in him regaining the credibility which was lost during the publication of the earlier consultation paper on Regulatory Framework for Over-the-top (OTTs) services. Despite being completely snowed over electronically by what Rohin Dharmakumar dubbed as Facebook’s DDOS attack, he gave Facebook one last opportunity to do the right thing which they of course spectacularly blew.

Brevity and Clarity: The regulation fits onto three A4-sized pages and is a joy to read. Clarity is often a result of brevity but is not necessarily always the case. At the core of this regulation is a single sentence which prohibits discriminatory tariffs on the basis of content unless it is a “data service over closed electronic communications network”. And unlike many other laws and regulations, this regulation has only one exemption for offering or charging of discriminatory tariffs and that is for “emergency services” or during “grave public emergency”. Even the best lawyers will find it difficult to drive trucks through that one. Even if imaginative engineers architect a technical circumvention, TRAI says “if such a closed network is used for the purpose of evading these regulations, the prohibition will nonetheless apply”. Again clear signal that the spirit is more important than the letter of the regulation when it comes to enforcement.

Certainty and Equity: Referencing the noted scholar Barbara Van Schewick, TRAI explains that a case-by-case approach based on principles [standards] or rules would “fail to provide much needed certainty to industry participants…..service providers may refrain from deploying network technology” and perversely “lead to further uncertainty as service providers undergoing [the] investigation would logically try to differentiate their case from earlier precedents”. Our submission from the Centre for Internet and Society had called for more exemptions but TRAI went with a much cleaner solution as it did not want to provide “a relative advantage to well-financed actors and will tilt the playing field against those who do not have the resources to pursue regulatory or legal actions”.

What next? Hopefully the telecom operators and Facebook will have the grace to abide with the regulation without launching a legal challenge. And hopefully TRAI will issue equally clear regulations on throttling and blocking to conclude the “Regulatory Framework for Over-the-top Services” consultation process. Critically, TRAI must forbear from introducing any additional regulatory burdens on OTTs, a.k.a Internet companies based on unfounded allegations of regulatory arbitrage. There are some legitimate concerns around issues like taxation and liability but that has to be addressed by other arms of the government. To address the digital divide, there are other issues outside net neutrality such as shared spectrum, unlicensed spectrum and shared backhaul infrastructure that TRAI must also prioritize for regulation and deregulation.

Without doubt other regulators from the global south will be inspired by India’s example and will hopefully take firm steps to prevent the rise of additional and unnecessary gatekeepers and gatekeeping practices on the Internet. The democratic potential of the Internet must be preserved through enlightened and appropriate regulation informed by principles and evidence.

The writer is Executive Director, Centre for Internet and Society, Bengaluru. He says CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world).

For more details visit http://editors.cis-india.org/internet-governance/blog/first-post-february-9-2016-sunil-abraham-facebook-fall-from-grace-arab-spring-to-indian-winter

Facebook Shares 10 Key Facts about Free Basics. Here's What's Wrong with All 10 of Them.

sunil — 2015-12-25T14:59:10Z

Shweta Sengar of Catch News spoke to Sunil Abraham about the recent advertisement by Facebook titled "What Net Neutrality Activists won't Tell You or, the Top 10 Facts about Free Basics". Sunil argued against the validity of all the 'top 10 facts'.

Facebook has rebranded internet.org as Free Basics. After suffering from several harsh blows from the net neutrality activists in India, the social media behemoth is positioning a movement in order to capture user attention.

Apart from a mammoth two page advertisement on Free Basics on 23 December in a leading English daily, we spotted a numerous hoardings across the capital.

Unlike Facebook, Wikipedia has a rather upfront approach for raising funds. You must have noticed a pop-up as you open Wikipedia when they are in need of funds. What Facebook has done is branded Free Basics as 'free' as the basic needs of life.

The newspaper advertisement by Facebook was aimed at clearing all the doubts about Free Basics. The 10 facts highlighted a connected India and urging users to take the "first step towards digital equality."

In an interview with Catch, Sunil Abraham, Executive Director of Bangalore based research organisation, the Centre for Internet and Society, shared his thoughts on the controversial subject. Abraham countered each of Facebook's ten arguments. Take a look:

01 Free basics is open to any carriers. Any mobile operator can join us in connecting India.

Sunil Abraham: Free Basics was initially exclusive to only one telecom operator in most markets that it was available in.

The non-exclusivity was introduced only after activists in India complained. But now the arrangement is exclusive to Free Basics as a walled garden provider. But discrimination harms remain until other Internet services can also have what Facebook has from telecom operators ie. free access to their destinations.

02 We do not charge anyone anything for Free Basics. Period.

SA: As Bruce Schneier says "surveillance is the business model of the Internet". Free basics users are subject to an additional layer of surveillance ie. the data retention by the Facebook proxy server. Just as Facebook cannot say that they are ignoring Data Protection law because Facebook is a free product - they cannot say that Free Basics can violate network neutrality law because it is a free service. For ex. Flipkart should get Flipkart Basic on all Indian ISPs and Telcos.

03 We do not pay for the data consumed in Free Basics. Operators participate because the program has proven to bring more people online. Free Basics has brought new people onto mobile networks on average over 50% faster since launching the service.

SA: Facebook has been quoting statistics as evidence to influence the policy formulation process. But we need the absolute numbers and we also need them to be independently verifiable. At the very least we need the means to cross verify these numbers with numbers that telcos and ISPs routinely submit to TRAI.

Theoretical harms must be addressed through net neutrality regulation. For example, you don't have to build a single, centralised database of all Indian citizens to know that it can be compromised - from a security design perspective centralisation is always a bad idea. Gatekeeping powers given to any powerful entity will be compromised. While evidence is useful, regulation can already begin based on well established regulatory principles. After scientific evidence has been made available - the regulation can be tweaked.

04 Any developer or publisher can have their content on Free Basics. There are clear technical specs openly published here ... and we have never rejected an app or publisher who has me these tech specs.

SA: Again this was only done as a retrospective fix after network neutrality activists in India complained about exclusive arrangements. For example, the music streaming service Hungama is not a low-bandwidth destination but since it was included the technical specifications only mentions large images and video files. Many of the other sites are indistinguishable from their web equivalents clearly indicating that this was just an afterthought. At the moment Free Basics has become controversial so most developers and publishers are not approaching them so there is no way for us to verify Facebook's claim.

05 Nearly 800 developers in India have signed their support for Free Basics.

SA: I guess these are software developers working in the services industry who don't see themselves as potential competition to Facebook or any of the services within Free Basics. Also since Facebook as been completely disingenuous when it comes to soliciting support for their campaigns it is very hard to believe these claims. It has tried to change the meaning of the phrase "net neutrality" and has framed the debate in an inaccurate manner - therefore I could quite confidently say that these developers must have been fooled into supporting Free Basics.

06 It is not a walled garden: In India, 40% of people who come online through Free Basics are paying for data and accessing the full internet within the first 30 days. In the same time period, 8 times more people are paying versus staying on just

SA: Again, no absolute numbers and also no granularity in the data that makes it impossible for anyone to verify these numbers. Also there is no way to compare these numbers to access options that are respectful of network neutrality such as equal rating. If the numbers are roughly the same for equal rating and zero-rating then there is no strong case to be made for zero-rating.

07 Free Basics is growing and popular in 36 other countries, which have welcomed the program with open arms and seen the enormous benefits it has brought.

SA: Free Basics was one of the most controversial topics at the last Internet Governance Forum. A gratis service is definitely going to be popular but that does not mean forbearance is the only option for the regulator. In countries with strong civil society and/or a strong regulator, Free Basics has ran into trouble. Facebook has been able to launch Free Basics only in jurisdictions where regulators are still undecided about net neutrality. India and Brazil are the last battle grounds for net neutrality and that is why Facebook is spending advertising dollar and using it's infrastructure to win the global south.

08 In a recent representative poll, 86% of Indians supported Free Basics by Facebook, and the idea that everyone deserves access to free basic internet services.

SA: This is the poll which was framed in alarmist language where Indian were asked to choose between perpetuating or bridging the digital divide. This is a false choice that Facebook is perpetuating - with forward-looking positive Network Neutrality rules as advocated by Dr. Chris Marsden it should be possible to bridge digital divide without incurring any free speech, competition, innovation and diversity harms.

09 In the past several days, 3.2 million people have petitioned the TRAI in support of Free Basics.

SA: Obviously - since Free Basics is better than nothing. But the real choice should have been - are you a) against network neutrality ie. would you like to see Facebook play gatekeeper on the Internet OR b) for network neutrality ie. would you like to see Free Basics forced to comply with network neutrality rules and expand access without harms to consumers and innovators.

10 There are no ads in the version of Facebook on Free Basics. Facebook produces no revenue. We are doing this to connect India, and the benefits to do are clear.

SA: As someone who has watched the Internet economy since the first dot com boom - it is absolutely clear that consumer acquisition is as important as revenues. They are doing it to connect people to Facebook and as a result some people will also connect to the Internet. But India is the last market on the planet where the walled garden can be bigger than the Internet, and therefore Facebook is manipulating the discourse through it's dominance of the networked public sphere.

Bravo to TRAI and network neutrality activists for taking Facebook on.

Originally published by Catch News, on December 24, 2015.

For more details visit http://editors.cis-india.org/internet-governance/news/facebook-shares-10-key-facts-about-free-basics-heres-whats-wrong-with-all-10-of-them

Essay Competition for Software Freedom Day

sunil — 2011-08-18T05:02:02Z

The Free Software Users Group of Bangalore and the Centre for Internet and Society in collaboration organise an essay competition for schools and colleges in Bangalore on the topic of "Software Freedom"

For more details visit http://editors.cis-india.org/openness/blog-old/essay-competition-for-software-freedom-day

Essay Competition

sunil — 2009-09-23T10:02:28Z

In partnership with Free Software User Group - Bangalore, the Centre for Internet and Society is organising a essay competition for school and college students from Bangalore. The last date for submitting entries is 8th November 2008. Three prizes of Rs. 3,000/- each are available for college students, and three 3 prizes of Rs. 1,000/- each are available for school students.

Poster and Cover Letter

Download an electronic copy of the poster and covering letter that has been sent to around 350 school and colleges in Bangalore city.

Process of Judging

Volunteers from the Free Software User Group will together constitute a committee that will anonymously and individual score all entries. The score will be consolidated across judges to determine the final winners.

Terms and Conditions

Copyright: The copyright of the essay will remain with the participant.
License: All submissions will automatically be considered licensed under Creative Commons Attribution 2.5 India License.
The collective decision of the judges will be considered final.

Rules

Participants must be bona fide students of a school or college in Bangalore.
The word limit for essays is 1200 words.
Essays can be submitted either in English or in Kannada.
Electronic submission should be in an Open Format [Text - .txt, Rich Text Format - .rtf, Open Document Format - .odt, Portable Document Format - .pdf]

Thanks

Free Software Users Group, Bangalore, for acting as co-organiser for the competition.
Renuka Prasad, Professor, R.V.College of Engineering for the concept, providing leadership and organising the databases of schools and colleges.
Anivar Aravind for providing advice and support.
Hiran Venugopalan, Engineering Student, for designing the poster.

For more details visit http://editors.cis-india.org/openness/blog-old/uploads/essay-competition

Dr. Zakir Thomas

sunil — 2008-10-31T09:33:44Z

For more details visit http://editors.cis-india.org/openness/blog-old/uploads/dsc_0388.jpg

Dr. Anshu Bharadwaj

sunil — 2008-10-31T09:38:40Z

Dr. Anshu Bharadwaj

For more details visit http://editors.cis-india.org/openness/blog-old/uploads/dsc_0393.jpg

Dr. Andrew Lynn

sunil — 2008-10-31T09:36:55Z

Dr. Andrew Lynn

For more details visit http://editors.cis-india.org/openness/blog-old/uploads/dsc_0384.jpg

Don’t SLAPP free speech

sunil — 2013-02-28T11:22:09Z

IIPM is proving adept at the tactical use of lawsuits to stifle criticism, despite safeguards. THE DEPARTMENT of Telecommunications, on 14 February, issued orders to block certain web pages critical of the Indian Institute of Planning and Management (IIPM).

Sunil Abraham's column with inputs from Snehashish Ghosh was published in Tehelka on February 3, 2013 (Issue 9 Volume 10)

Despite our best efforts, we have not managed to get a copy of the court order. Meanwhile, there has been a lot of speculation among Internet policy experts on Twitter. What is the title of the case? Which judge issued the order? Who is the affected party? Why have mainstream media houses like Outlook not been served notice by the court? Is the infamous Section 66A of the IT Act to be blamed? That is highly unlikely. News reports suggest that a lower court in Gwalior has issued an ad interim injunction in a defamation suit. Most experts agree that this is a SLAPP (Strategic Litigation Against Public Participation) suit, where a company uses the cost of mounting a legal defence to silence critics.

Bullies with deep pockets use the law in very creative ways, such as forum shopping, forum shifting and the use of proxies. Forum shopping can be best understood through the example of mining giant Fomento suing Goan blogger Sebastian Rodrigues for $1 billion at the Kolkata High Court, even though Goa would have been a more logical location. Though IIPM lost an earlier case against Careers360 before the Uttaranchal High Court, the offending URLs from that case are included in the latest block order, exemplifying successful forum shifting. The doctrine of ‘res subjudice’ does not permit courts to proceed in a matter which is “directly and substantially” similar to a previous suit between the same parties. Proxies are usually employed to circumvent this procedural doctrine.

Article 19(2) of our Constitution empowers the State to create laws that place eight types (depending on how you count) of reasonable restrictions on the freedom of speech and expression. One of these reasonable restrictions is defamation. Tort law on defamation in India has been mostly borrowed from common law principles developed in the UK, which include a series of exceptions where the law cannot be used. In the present context, the exceptions important for the IIPM case include: fair and bona fide comment and matter of public interest. In addition, Section 499 of the Indian Penal Code provides for 10 exceptions to defamation. The exceptions relevant to this case are: “first: imputation of truth which public good requires to be made or published”, “ninth: imputation made in good faith by person for protection of his or other’s interests” and “tenth: caution intended for good of person to whom conveyed or for public good”. The criminal law on defamation in India is based on robust legal principles, but for the sake of public interest it’d be best to do away with such a law as it has far-reaching, chilling effects on free speech.

On interim injunctions in defamation suits, the Delhi High Court set an important precedent protecting free speech in 2011. While applying the English principle — the Bonnard Rule — the court in Tata Sons Pvt Ltd versus Greenpeace International held that a higher standard should be adhered to while granting an interim injunction in a defamation suit, because such an injunction might impinge upon freedom of expression and thus potentially be in violation of the Indian Constitution. This century-old rule states that “until it is clear that an alleged libel is untrue… the importance of leaving free speech unfetter – ed is a strong reason in cases of libel for dealing most cautiously and warily with the granting of interim injunctions…”

In the same case, the Court rejected the argument that since it was published online and thus had wider reach and greater permanence, an injunction should be granted. It observed that “publication is a comprehensive term, embracing all forms and mediums — including the Internet”, thus ruling out special treatment for the Inter net in cases of defamation. That is good news for free speech online in India. Now let’s stick to it.

For more details visit http://editors.cis-india.org/internet-governance/blog/tehelka-sunil-abraham-feb-3-2013-dont-slap-free-speech