Centre for Internet and Society

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (Delhi, April 07)

saikat — 2017-04-04T12:06:26Z

We are proud to announce that Dr. Madan M. Oberoi will be the speaker at the inaugural #FirstFriday@cis_india event at the Delhi office. These events, held on the first Friday of each month, will facilitate open and in-depth discussion and learning on topics crucial to our understanding of internet and society. The event will comprise of the speaker's presentation followed by an open discussion. If you are joining us, please RSVP at the soonest as we have only limited space in our office.

RSVP

Dr. Madan M. Oberoi

Dr. Madan M. Oberoi is an Indian Police Service (IPS) officer of 1992 batch. He is a Fulbright Scholar in the area of "Cyber Security" from University of Washington. He also holds a PhD in the area of cybercrime from Indian Institute of Technology (IIT), Delhi. He also holds a Master’s Degree in ‘Management and Systems’ from IIT Delhi and another Master’s Degree in Police Management.

Till January 2017, he was deployed as Director Cybercrime in INTERPOL in Singapore with global jurisdiction. As part of this, he supervised ‘Cyber Fusion Centre’, ‘Cyber Investigation Support’, ‘Cyber Strategy’ and ‘Cyber Training’ ‘Cyber Research Lab”, “Digital Forensics Lab’ and ‘Innovation Centre’ units of INTERPOL.

Dr. Oberoi has worked as Inspector General of Police, Deputy Inspector General of Police and as Superintendent of Police with Central Bureau of Investigation (CBI), where he has headed the Cyber-Crime Cell. He has also worked in Delhi Police and in his last posting he was heading Delhi Police’s Special Cell, which is responsible for Anti-Terror Operations.

Dr. Oberoi has served in two UN Peace Keeping Missions. He was head of the Management Information Unit of UN Mission in Bosnia and Herzegovina at Mission HQ in Sarajevo. He has also served as Head of Data Centre in Mission HQ of UN Mission in Kosovo at Pristina.

For more details visit http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07

Don't dive headlong into money-making schemes on the internet

praskrishna — 2017-02-07T15:02:24Z

If you do fall victim to fraud, file your complaint at RBI's Sachet web site.

The article by Sanjay Kumar Singh was published in the Business Standard on February 7, 2017. Udbhav Tiwari was quoted.

By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join it, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do the due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet, wherein you can earn money by clicking on links: This improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.

The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.

If you join such a programme, be warned the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company had used forged documents, especially the ones claiming that the scheme had the approval of a regulator like Sebi, submit them.

You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.

Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.

Word box
Turn to Sachet

RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you
The website also provides information on legitimate entities that are authorised to collect money
Many regulators and enforcement agencies take up the complaints filed on this site
Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls
You will get an email informing you about the regulator/entity that will take up your case

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet

Discussion at CyFy on Technology, Policy and National Security: Building 21st Century Curricula in India’s Law Schools

Admin — 2019-10-20T07:23:11Z

Arindrajit Basu attended the session and gave comments on the course outline which included thoughts on:

Threshold of technical knowledge-comparison with WTO law
Need for India-centric approaches both in domestic and foreign policy
Possibility of executive training of senior diplomats
Need to include fintech security in the syllabus
Necessity of international law as a tool of conflict 6. Sustained collaboration between think-tanks and universities

The event was organized by Centre for Communication Governance at National Law University Delhi and Observer Research Foundation at Villa Medici, Taja Mahal Hotel, Man Singh Road, New Delhi.

For more details visit http://editors.cis-india.org/internet-governance/news/discussion-at-cyfy-on-technology-policy-and-national-security-building-21st-century-curricula-in-india2019s-law-schools

Digital Citizens: Why Cyber Security and Online Privacy are Vital to the Success of Democracy and Freedom of Expression

praskrishna — 2014-01-08T04:59:10Z

Michael Oghia will give a presentation which will show why cyber security and online privacy are vital for democracy and freedom of expression.

In the time when Edward Snowden is fighting for both clemency and to be known as a brave whistle blower that exposed government wrongdoing, cyber security and online privacy have never been more important. As Jacob Applebaum discussed in May last year, and CIS’ Maria Xynou presented recently in December, surveillance throughout the world is increasing. With security apparatus’ likethe NSA and now India’s Central Monitoring System, coupled with corporate data centers around the world storing our e–mails, address books, preferences, and passwords, it is easy to see how our online privacy is increasingly being threatened and often, violated.

Indeed, online privacy is inextricably linked to freedom of expression, and freedom of expression is a fundamental civil liberty imperative to democracy. Moreover, online security and privacy are essential to good, transparent, and accountable democratic governance. This is largely because surveillance, censorship, and monitoring ultimately create environments where self-censorship is the norm, as is the fear of the government instead of spaces that allow for freedom of expression and democratic dialogue and dissent.

What I would like to accomplish my speaking at CIS is not to merely educate about the dangers posed to Internet security or to world democracy, but rather to:

Reiterate the importance of digital privacy and cyber security to the success of democracy and the continued protection of free expression.
Encourage citizens, technology specialists, Internet and privacy advocates, and others to see themselves as part of a larger system of democratic governance and civic participation. This means understanding how technical capabilities intersect with civil society, and then use them to advocate for a more open, accessible, and private cyberspace.
Reinforce that digital media literacy education is vital to ensuring a free, open, accessible, and democratic Internet.

Additionally, I want to present ideas and recommendations for what you can do to engage with these problems, and how we can collaborate together to address them.

About the Public Intelligence Project

The Public Intelligence Project is an independent, non-partisan, not-for-profit think tank conducting research, education, and advocacy on the importance of diversity, critical thinking, dialogue, and freedom of expression. We seek to promote more robust systems of participatory democracy, civic engagement, and conflict prevention in order to create a culture of democracy.

Michael Oghia

Michael is responsible for a new project at Meta-Culture called the Public Intelligence Project, which focuses on expanding participatory democracy, civic engagement, and conflict prevention by conducting research, education, and advocacy on the intersections between diversity, dialogue, critical thinking, and freedom of expression. While new to the conflict resolution field, as a poet, musician, editor, writer, blogger, and activist, he is well-versed in the importance of freedom of expression and participating in the democratic process. He was born in Kentucky to Lebanese-Syrian parents, and after graduating with a BS in sociology from the University of Louisville, he moved to Lebanon to pursue an MA in sociology from the American University of Beirut. There, he had the opportunity to witness the Arab Revolutions first-hand while research about topics such as Internet ownership in the Middle East, social movements, Arab media, globalization, Arab youth and family, and his thesis subject, romantic love in the Arab world. Michael enjoys engaging Twitter conversations, and has an unnatural affinity for crunchy peanut butter.

Date: Tuesday, January 14, 2014
Time: 6.30 p.m. to 8.00 p.m.
Talk by: Michael Oghia
Title: Research & Advocacy Consultant, and Project Manager
Organisation: Meta-Culture / Public Intelligence Project
Websites: www.meta-culture.in <http://www.meta-culture.in> & www.publicintelligenceproject.org <http://www.publicintelligenceproject.org>

For more details visit http://editors.cis-india.org/events/why-cyber-security-and-online-privacy-are-vital-for-success-of-democracy-and-freedom-of-expression

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit http://editors.cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening

DesiSec: Cybersecurity and Civil Society in India

Laird Brown — 2015-06-29T16:25:43Z

As part of its project on mapping cyber security actors in South Asia and South East Asia, the Centre for Internet & Society conducted a series of interviews with cyber security actors. The interviews were compiled and edited into one documentary. The film produced by Purba Sarkar, edited by Aaron Joseph, and directed by Oxblood Ruffin features Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad.

Originally the idea was to do 24 interviews with an array of international experts: Technical, political, policy, legal, and activist. The project was initiated at the University of Toronto and over time a possibility emerged. Why not shape these interviews into a documentary about cybersecurity and civil society? And why not focus on the world’s largest democracy, India? Whether in India or the rest of the world there are several issues that are fundamental to life online: Privacy, surveillance, anonymity and, free speech. DesiSec includes all of these, and it examines the legal frameworks that shape how India deals with these challenges.

From the time it was shot till the final edit there has only been one change in the juridical topography: the dreaded 66A of the IT Act has been struck down. Otherwise, all else is in tact. DesiSec was produced by Purba Sarkar, shot and edited by Aaron Joseph, and directed by Oxblood Ruffin. It took our team from Bangalore to Delhi and, Dharamsala. We had the honour of interviewing: Malavika Jayaram, Nitin Pai, Namita Malhotra, Saikat Datta, Nishant Shah, Lawrence Liang, Anja Kovacs, Sikyong Lobsang Sangay and, Ravi Sharada Prasad. Everyone brought something special to the discussion and we are grateful for their insights. Also, we are particularly pleased to include the music of Charanjit Singh for the intro/outro of DesiSec. Mr. Singh is the inventor of acid house music, predating the Wikipedia entry for that category by five years. Someone should correct that.

DesiSec is released under the Creative Commons License Attribution 3.0 Unported (CC by 3.0). You can watch it on Vimeo: https://vimeo.com/123722680 or download it legally and free of charge via torrent. Feel free to show, remix, and share with your friends. And let us know what you think!

Video

For more details visit http://editors.cis-india.org/internet-governance/blog/desi-sec-cybersecurity-and-civil-society-in-india

Decrypting Automated Facial Recognition Systems (AFRS) and Delineating Related Privacy Concerns

Arindrajit Basu, Siddharth Sonkar — 2020-01-02T14:01:48Z

Arindrajit Basu and Siddharth Sonkar have co-written this blog as the first of their three-part blog series on AI Policy Exchange under the parent title: Is there a Reasonable Expectation of Privacy from Data Aggregation by Automated Facial Recognition Systems?

The use of aggregated Big Data by governments has the potential to exacerbate power asymmetries and erode civil liberties like few technologies of the past. In order to guard against the aggressive aggregation and manipulation of the data generated by individuals who are branded as suspect, it is critical that our firmly established constitutional rights protect human dignity in the face of this potential erosion.

The increasing ubiquity of Automated Facial Recognition Systems (AFRS) serve as a prime example of the rising desire of governments to push fundamental rights to the brink. With AFRS, the core fundamental right in question is privacy, although questions have been posed regarding the potential violation of other related rights, such as the Right to Equality and the Right to Free Speech and Expression, as well.

There is a rich corpus of literature, (see here, here and an excellent recent paper by Smriti Parsheera here) from a diverse coterie of scholars that call out the challenges posed by AFRS, particularly with respect to its proportionality as a restriction over the right to privacy. Our contribution to this discourse focuses on a very specific question around a ‘reasonable expectation of privacy’ — the standard identified for the protection of privacy in public spaces across jurisdictions, including in India. This is because at this juncture, the precise nature of the AFRS which will eventually be used and the regulations it will be subject to are not clear.

In Retd. K.S Puttaswamy (Retd.) v. Union of India: Justice Chandrachud (Puttaswamy I), the Indian Supreme Court was concerned with the question whether there exists a fundamental right to privacy under the Indian Constitution. A nine-judge bench of the Court recognized that the right to privacy is a fundamental right implicit inter alia in the right to life within Article 21 of the Constitution.

The right to privacy protects people and not places. Every person is entitled, however, to a reasonable expectation of privacy. The expectation of privacy must be twofold. First, the person must prove that the alleged act could inflict some harm. Such harm must be real and not be speculative or imaginary. Second, society must recognize this expectation as reasonable. The test of reasonable expectations is contextual, i.e., the extent to which it safeguards privacy depends on the place at which the individual is.

In order to pass any constitutional test, therefore, AFRS must satisfy the ‘reasonable expectation’ test articulated in Puttaswamy. However, in this context, the test itself has multiple contours. Do we have a right to privacy in a public place? Is AFRS collecting any data that specifically violates a right to privacy? Is the aggregation of that data a potential violation?

After providing a brief introduction to the use cases of AFRS in India and across the world, we embark upon answering all these questions.

Primer on Automated Facial Recognition Systems (AFRS)

Facial recognition is a biometric technology that utilises cameras to match stored or live footage of individuals (including both stills and moving footage) with images or video from an existing database. Some systems might also be used to analyze broader demographic trends or conduct sentiment analysis through crowd scanning.

While the use of photographs and video footage have been core components of police investigation, the use of algorithms to process vast tracts of Big Data (characterized by ‘Volume, Velocity, and Variety), and compare disparate and discrete data points allows for the derivation of hitherto unfeasible insights on the subjects of Big Data.

The utilisation of AFRS for law enforcement is rapidly spreading around the world. A Global AI Surveillance Index compiled by the Carnegie Endowment for International Peace found that at least sixty-four countries are incorporating facial recognition systems into their AI surveillance programs.

Chinese technology company Yitu has entered into a partnership with security forces in Malaysia to equip police officers with facial recognition body cameras that, powered by enabling technologies, would allow a comparison of images caught by the live body cameras with images from several central databases.

In England and Wales, London Metropolitan Police, South Wales Police, and Leicestershire Police are all in the process of developing technologies that allow for the identification and comparison of live images with those stored in a database.

The technology is being developed by Japanese firm NEC and the police force has limited ability to oversee or modify the software, given its proprietary nature. The Deputy Chief of South Wales Police stated that “the tech is given to [them] as a sealed box… [and the police force themselves] have no input – whatever it does, it does what it does.”

In the US, Baltimore’s police set up facial recognition cameras to track and arrest protestors — a system that reached its zenith during the 2018 riots in the city.

It is suspected that authorities in Hong Kong are also using AFRS to clamp down on the ongoing pro-democracy protests.

In India, the Ministry of Home Affairs, through the National Crime Records Bureau put out a tender for a new AFRS, whose stated objective is to “act as a foundation for national level searchable platform of facial images.” The AFRS will pull facial image data from CCTV feeds and compare these with existing records across databases including the Crime and Criminal Tracking Networks and Systems (CCTNS), Inter-operable Criminal Justice System (or ICJS), Immigration Visa Foreigner Registration Tracking (IVFRT), Passport, Prisons and state police records.

Plans are also afoot to integrate this with the yet to be deployed National Automated Fingerprint Identification System (NAFIS), thereby creating a multi-faceted surveillance system.

Despite raising eyeballs due to its potential all-pervasive scope, this tender is not the first instance of AFRS being used by Indian authorities. Punjab Police, in partnership with Gurugram-based start-up Staqu has launched and commenced implementation of the Punjab Artificial Intelligence System (PAIS) which uses digitised criminal records and automated facial recognition to retrieve information on a suspected criminal and essentially tracks their public whereabouts, which poses potential constitutional questions.

This was published by AI Policy Exchange.

For more details visit http://editors.cis-india.org/internet-governance/decrypting-automated-facial-recognition-systems-afrs-and-delineating-related-privacy-concerns

CyFy 2018

Admin — 2018-10-08T15:36:40Z

Swaraj Paul Barooah and Arindrajit Basu participated in CyFy 2018 organized by Observer Research Foundation at Hotel Taj Mahal, New Delhi from October 3 - 5, 2018.

Click to see the agenda

For more details visit http://editors.cis-india.org/internet-governance/news/cyfy-2018

CyFy 2017

Admin — 2017-11-26T09:36:25Z

CyFy is a conference on internet governance and cyber security organised by the Observer Research Foundation (ORF) in New Delhi between 2 and 4 October 2017. Sunil Abraham was a speaker.

Sunil Abraham was a speaker on a panel titled "Security Through Identity?" on the 4 October 2017 and chaired an invite only session titled "Encryption: The End of Surveillance?" on the 3rd of October, 2017. Saikat Dutta and Udbhav Tiwari also participated in the encryption session. Saikat was a speaker in a session titled "Digital Vulnerabilities: Capacity Building for Tackling Cyber Crime" on 3 October 2017. Udbhav Tiwari chaired a session titled "Dangerous Disclosures: Cyber Security Incident Reporting" on 4 October 2017.

Conference agenda here

For more details visit http://editors.cis-india.org/internet-governance/news/cy-fy-2017

CYFY 2016 - The India Conference on Cyber Security and Internet Governance

praskrishna — 2016-09-13T15:23:59Z

Sunil Abraham will participate as a panelist at CYFY 2016 event organized by Observer Research Foundation in New Delhi from September 28 to 30, 2016.

Into its fourth edition this year, CyFy: The India Conference on Cyber Security and Internet Governance has emerged as a global platform to discuss, debate and deliver digital policy solutions. CyFy 2015 featured nearly 110 participants from over 33 countries, with nearly 800 delegates in attendance. Prominently, the conference sessions featured several experts from Africa and the Asia Pacific, who addressed the policy priority of connecting the next billion. The 2016 iteration of CyFy will highlight the political, economic and strategic questions that underpin this imperative.

Download the Agenda

See the announcement on CYFY website or write to Samir Saran at ssaran@orfonline.org or Arun at arun.sukumar@orfonline.org for more details on the conference.

For more details visit http://editors.cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition

Cyfy 2015: The India Conference on Cyber Security and Internet Governance

praskrishna — 2015-10-17T14:44:42Z

In its third year, Cyfy; South Asia’s biggest internet policy conference is being held in New Delhi, from 14-16 October, 2015. The event is organized by Observer Research Foundation at Hotel Taj Mansingh. Sunil Abraham is a panelist in the session "Protection of Intellectual Property and Business Secrets in the Knowledge Economy".

Building on its scope and scale of the previous year — over 55 speakers, from 12 countries, with 350 attendees — the conference discusses issues that affect the emerging world and developed world alike. The conversations will further and widen the debate around internet governance, security, surveillance, freedom of expression, norms of state behaviour, technology and specific societal challenges that emerging and developing countries seek to address by the effective design and deployment on these technologies. In 2015, Cyfy will bring together more experts from South Asia, in order to present new thought on the specific challenges of internet access, policy and regulation, e-governance, financial inclusion, and bottom of the pyramid solutions.

Along with its growing network of both Indian and international partners, ORF looking forward to hosting another thought-provoking and productive few days, and bridging some digital divides in contemporary internet cyber policy debates.

Protection of Intellectual Property and Business Secrets in the Knowledge Economy

Over the past decade, there has been an exponential rise in cyber-enabled theft of intellectual property, and it has been recognized as an unfair predatory practice. With the rise of the globalized knowledge economy, the stability of open trading systems increasingly depends on cross-border IP protection. What is the relevance of the protection of intellectual property and business secrets for economic development and stability of the international trading system?

Download the agenda For more info visit here.

For more details visit http://editors.cis-india.org/internet-governance/news/cyfy-2015-india-conference-on-cyber-security-and-internet-governance

CYFY 2013: India Conference on Cyber Security and Cyber Governance

praskrishna — 2013-09-26T06:50:15Z

The Observer Research Foundation in collaboration with the Federation of Indian Chambers of Commerce and Industry is holding the India Conference on Cyber Security and Cyber Governance at the Oberoi Hotel in New Delhi on October 14 and 15, 2013. Sunil Abraham will participate in this event as a speaker.

Click to download the full details in the event brochure.

Shri Kapil Sibal, Minister of Communications & Technology will give the inaugural address. Shri Shivshankar Menon, National Security Advisor, Government of India will give the keynote address. Shri Shashi Tharoor, Minister of State, Human Resource Development, Government of India will give the dinner table address on October 14.

On the second day, October 15, Minister Jaak Aaviksoo will give the keynote address and Shri Nehchal Sandhu, Deputy National Advisor, Government of India will give the valedictory address.

List of Speakers

Kapil Sibal, Minister for Communications and Information Technology, India
Shivshankar Menon, National Security Advisor, Government of India
Shashi Tharoor, Minister of State for Human Resource Development, India
Nehchal Sandhu, Deputy National Security Advisor, Government of India
A.P. Shah, Former Chief Justice, Delhi High Court
Arvind Gupta, Director General, Institute for Defence Studies and Analyses, India
Ashish Chauhan, CEO, Bombay Stock Exchange
C. Raja Mohan, Distinguished Fellow, ORF
Christopher Painter, Office of the Coordinator for Cyber Issues, Department Of State, USA
Dirk Brengelmann, Commissioner for International Cyber Policy, Federal Foreign Office, Germany
Eric H. Loeb, Vice President, International External Affairs, AT&T
Gabriel Siboni, Director, Cyber Warfare Program, Institute for National Security Studies, Tel Aviv University, Israel
Jaak Aaviksoo, Minister of Education and Research of the Republic of Estonia
Jamie Shea, Deputy Assistant Secretary General, Emerging Security Challenges, NATO
Joe Sullivan, CSO, Facebook
John Mallery, Research Scientist, MIT Computer Science & Artificial Intelligence Laboratory, USA
Maurizio Martellini, Secretary General, Landau Network-Centro Volta and IWG Executive Secretary, Italy
Michael Cheatham, Head U.S. Representative Office, Indo-US Science and. Technology Forum, USA
M.M.Oberoi, Indian Police Service, Joint commissioner of Police, Delhi Police, Government of India
Oleg Demidov, The Russian Center for Policy Studies, Russia
Peter Grabosky, Researcher, Australian National University, Australia
Prakash Nagpal, Senior Vice President, Product Marketing and Marketing, Narus
Rajan Mathews, Director General, Cellular Operators Association of India
Ram Narain, Deputy Director General (Security), Department of Telecommunication (DoT), Government of India
Sandro Gaycken, Freie Universität Berlin, Institute of Computer Science, Germany
Sean Kanuck, National Intelligence Officer for Cyber Issues, Office of the Director of National Intelligence, USA
Sunil Abraham, Executive Director, Centre for Internet and Society, Bangalore
Vijay Madan, Chief Mentor, Tata Teleservices (former Director, C-DOT), India
Vivke Lall, President & CEO, Reliance Industries Limited

For more details visit http://editors.cis-india.org/news/india-conference-on-cyber-security-and-cyber-governance

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit http://editors.cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Cyberspace and External Affairs:A Memorandum for India Summary

Arindrajit Basu and Elonnai Hickok — 2018-12-01T04:10:51Z

This memorandum seeks to summarise the state of the global debate in cyberspace; outline how India can craft it’s global strategic vision and finally, provides a set of recommendations for the MEA as they craft their cyber diplomacy strategy.

It limits itself to advocating certain procedural steps that the Ministry of External Affairs should take towards propelling India forward as a leading voice in the global cyber norms space and explains why occupying this leadership position should be a vital foreign policy priority. It does not delve into content-based recommendations at this stage. Further, this memorandum is not meant to serve as exhaustive academic research on the subject but builds on previous research by the Centre for Internet & Society in this area to highlight key policy windows that can be driven by India.

This memorandum provides a background to global norms formation focussing on key global developments over the past month; traces the opportunities s for India to play a lead role in the global norms formulation debate and then charts out process related recommendations on next steps towards India taking this forward.

Click here to read more

For more details visit http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs