Centre for Internet and Society

Cyberspace and External Affairs:A Memorandum for India Summary

Arindrajit Basu and Elonnai Hickok — 2018-12-01T04:10:51Z

This memorandum seeks to summarise the state of the global debate in cyberspace; outline how India can craft it’s global strategic vision and finally, provides a set of recommendations for the MEA as they craft their cyber diplomacy strategy.

It limits itself to advocating certain procedural steps that the Ministry of External Affairs should take towards propelling India forward as a leading voice in the global cyber norms space and explains why occupying this leadership position should be a vital foreign policy priority. It does not delve into content-based recommendations at this stage. Further, this memorandum is not meant to serve as exhaustive academic research on the subject but builds on previous research by the Centre for Internet & Society in this area to highlight key policy windows that can be driven by India.

This memorandum provides a background to global norms formation focussing on key global developments over the past month; traces the opportunities s for India to play a lead role in the global norms formulation debate and then charts out process related recommendations on next steps towards India taking this forward.

Click here to read more

For more details visit http://editors.cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs

Cybersecurity Compilation: Indian Context

Leilah Elmokadem and edited by Elonnai Hickok — 2017-06-18T13:16:39Z

This document intends to serve as a comprehensive source compiling all the cyber-security related regulations, policies, guidelines, notifications, executive orders, court rulings, etc.

Ultimately, it attempts to collect all the cyber security initiatives that have been put out by Indian regulatory bodies and organizations. To approach this end, we identified they actors and institutions in cyber security and record their published guidelines, frameworks, ongoing projects and any policies released to strengthen cyber security. We have mostly followed a general framework in which, for each document found, we indicate the definition of cyber security (if stated), the objectives, recommendations/guidelines and scope. This format was sometimes difficult to follow for some types of initiatives in the documents. For example, a document of questions and answers to parliament could not be recorded in this fashion. As a result, the document is not entirely uniform in structure. This research compendium is in continuous progress, expanding along with the base of our knowledge and ongoing research.

Download the Compendium

For more details visit http://editors.cis-india.org/internet-governance/blog/cybersecurity-compilation-indian-context

Cyberattacks a significant threat to democracy: Modi

Admin — 2017-11-24T13:29:17Z

We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.

The article by Komal Gupta was published in Livemint on November 24, 2017.

Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.

Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.

“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.

A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, PTI reported in August.

With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told Mint during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.

Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.

The need to set up a safe and secure cyberspace is one the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.

Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.

The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.

PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.

Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.

Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”

Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.

Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely eduction, health, entertainment and others, if one enters the Net through one gate (Facebook’s).

“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.

Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.

Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.

On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.

India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.

“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

PTI contributed to this story.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi

Cyber Policy Centres Meeting in Sri Lanka

Admin — 2019-01-21T23:50:45Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in this event organized by IDRC in Sri Lanka on January 11 - 14, 2019.

Download the agenda here

See the presentation here

For more details visit http://editors.cis-india.org/internet-governance/news/cyber-policy-centres-meeting-in-sri-lanka

Cyber law experts asks why CERT-In removed advisory warning about WhatsApp vulnerability

Megha Mandavia — 2019-11-15T00:48:00Z

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

The article by Megha Mandavia was published in ET Tech.com on November 4, 2019. Pranesh Prakash was quoted.

Cyber law experts have asked the government to explain why the Indian computer emergency response team (CERT-In) removed from its website two days ago an advisory it had put out in May warning users of a vulnerability that could be used to exploit WhatsApp on their smartphones.

“This is merely further evidence that the explanation is to be provided by GoI (Government of India) instead of blame shifting and politicizing the issue,” said Mishi Choudhary, the legal director of the New York-based Software Freedom Law Center. “India is a surveillance state with no judicial oversight.”

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

It had warned WhatsApp users that the vulnerability could allow an attacker to access information on the system, such as logs, messages and photos, and could further compromise it. CERT-In rated the severity “high” and asked users to upgrade to the latest version of the app.

It also listed links to hackernews and cyber security firm Check Point Software that pointed to the alleged involvement of Israeli cyber software firm NSO Group in the hacking of WhatsApp messenger.

CERT-In Director-General Sanjay Bahl did not respond to ET’s mails or calls seeking clarity on why the advisory was pulled from its website.

The Times of India reported first the development.

The government had blamed WhatsApp for not informing it about the attack and asked the Facebook-owned company to respond by November 4.

In response, WhatsApp sources pointed out that it had informed CERT-in in May about the vulnerability and updated in September that 121 Indian nationals were targeted using the exploit, ET reported on Sunday.

“We should not read too much into it. It could just be bad website management. The vulnerability was public knowledge. It was reported by the Common Vulnerabilities and Exposures (CVE) organization in May,” said Pranesh Prakash, fellow at the Centre of Internet and Society, a non-profit organisation.

The government has also questioned the timing of the disclosure, as it comes amid a request by it to the Supreme Court seeking three months to frame rules to curb misuse of social media in the country.

The government has categorically told WhatsApp that it wants the platform to bring in a mechanism that would enable tracing of the origin of messages, a demand that the instant messaging platform has resisted citing privacy concerns.

For more details visit http://editors.cis-india.org/internet-governance/news/et-tech-megha-mandavia-november-4-2019-cyber-law-experts-asks-why-cert-in-removed-advisory-warning-about-whatsapp-vulnerability

Cyber experts suggest using open source software to protect privacy

praskrishna — 2013-07-03T04:32:48Z

Big Brother is watching. With the Central Monitoring System (CMS) at home and PRISM from the US, millions of users worldwide have become vulnerable to online surveillance by state agencies without even realizing it. No surprise, several cyber security experts feel that building one's own personal firewall is a good way of fortifying online privacy.

The article by Kim Arora was published in the Times of India on June 22, 2013. Sunil Abraham is quoted.

One enterprising netizen has compiled a list of services, from social networks to email clients, and even web browsers, that offer better protection from surveillance. They are listed on a web page called prism-break.org.

When asked about steps that a digital native can take to protect his privacy and online data, Sunil Abraham, executive director of Bangalore-based non-profit Center for Internet and Society said, "Stop using proprietary software, shift to free/open source software for your operating system and applications on your computer and phone. Android is not sufficiently free; shift to CyanogenMod. Encrypt all sensitive Internet traffic and email using software like TOR and GNU Privacy Guard. Use community based infrastructure such as Open Street Maps and Wikipedia. Opt for alternatives to mainstream services. For example, replace Google Search with DuckDuckGo."

Use of licensed or proprietary software, which bind users legally when it comes to use and distribution, seems to be losing favour among an informed niche. While alternative software cannot offer absolute protection, it is being seen as a "better-than-nothing" option. Anonymisers like TOR, though also not entirely foolproof, are also a popular option among those who wish to keep their web usage untraceable. Once installed on a browser, anonymisers can hide the route that digital traffic takes when sent from your computer over a network before emerging at an end node.

There is one caveat, though. Some websites can deny service to users operating on certain anonymising networks. Also, anonymisers are known to reduce browsing speeds. In India, where broadband speeds are already abysmally low, anything that slows one down even further would find popularity hard to come by.

Computer and network security expert Aseem Jakhar too recommends open source software since they offer the convenience of customization to suit one's encryption needs and are able to verify the source code. For laypersons, there are other tools. "One can use anonymisers like TOR which encrypt your communication and hide your identity. With these it becomes very difficult to exactly locate the source. For email clients, it is best to use ones that offer end-to-end strong encryption," he says. Jakhar, co-founder of open security community "null", also recommends the use of customized and Linux systems for more advanced users. Default Linux distributions, he points out, may have free online services which can again be analysed by the governments.

The home-bred CMS programme seeks to directly procure data pertaining to call records and internet usage for intelligence purposes without going through telecom service providers. There were fears of abuse when information about the programme, kept under strict wraps by the government, trickled in. Department of Telecom and Ministry of IT and Communication have been reticent about the state of implementation of the 400-crore rupees programme.

PRISM, a similar, international monitoring programme mounted by the US and revealed to the world by the US National Security Authority whistleblower Edward Snowden, has raised concerns of safeguarding digital information the world over.

For more details visit http://editors.cis-india.org/news/times-of-india-june-22-2013-kim-arora-cyber-experts-suggest-open-source-software-to-protect-privacy

Cyber experts say 'playground open' for influencing elections

Admin — 2018-05-03T03:17:33Z

Cyber experts said that under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook.

This article was published in the Economic Times on May 2, 2018. Sunil Abraham was quoted.

With the Karnataka Assembly elections round the corner, the cyber experts have said that it is quite possible to influence elections in India.

Talking to ANI, cyber expert Sunil Abraham did not rule out the possibility of influencing the voters as India does not have data protection law in place.

He said under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook and Twitter, which was shared by the user for his/her friends.

"Both these types of data are not considered sensitive personal data. Under Indian law, if they are collecting your biometrics, passwords and health information only then they need your consent," Abraham told in an exclusive interview.

Replying a question about the chances of political parties influencing elections, Abraham said, "One cannot answer this question with a clear yes or no. But, the more a political party has in its database about you; the more they can micro-target you for various types of advertising."

He, however, said with the literacy level of Indian internet users, the chances are high that they can be manipulated.

"Once they do this, especially in a country where 30 percent of the public is illiterate and only 10 percent of public knows English and many-many users have just come online, there is a high chance that these users can be manipulated," the cyber expert said.

When asked can it be termed influence, he said, "It will definitely be an influence. Most of the internet users in India have just come online, they don't have media literacy; they have not consumed older technologies like television and broadcast media like radio sufficiently enough so it is easy for these users to get fooled by the content that is propaganda and fake news etcetera."

Abraham said it is unlikely that India will have a data protection law before 2019 general elections, which means the playground is open for people with a clever idea to manipulate voters.

"India is working on data protection laws from last eight years. With the existing laws; all the political parties, social media companies, and search engine optimization companies etcetera can do what they want and they won't get into trouble. So, it is very unlikely that this data protection law is going to be approved by Parliament the 2019 elections. So for the 2019 elections, it is going to be very exciting times because anybody who has any clever idea when it comes to manipulating voters, they will definitely try it. Because, there is no law to stop them from trying those tricks," the cyber expert said.

Replying to another question about India's position in data security, he said, 'India is lagging as per the global trend across the world. The European Union's world-class data protection law called 'General Data Protection Regulation' is being followed by all the countries with the exception of the US. About 108 countries have the data protection laws which look similar to the EU's General Data Protection Regulation."

He, however, added, "We shouldn't be upset because making a law in a big country like India takes time. Shri Krishna Committee is going to present the draft of the Indian data protection law and hopefully, within one or two years India will have data protection law."

Another expert Shubhamangala Sunil told ANI that "In India, our data is not secure today. Be it politicians or businesses, they want the database of people. Many data breaches have already happened and they are being used for different propagandas".

She said the union government and state governments should come forward and tell people about data security measures instead of people complaining about the data breach.

She also said India is at least 10 years behind in comparison with the world in the cyber security domain.

The comments of the experts have come in the backdrop of recently data breach in the Facebook wherein its CEO Mark Zuckerberg faced US Congress for two days over the data theft. The Facebook-Cambridge Analytica data scandal involves the collection of personally identifiable information of up to 87 million Facebook users and almost certainly a much greater number that Cambridge Analytica began collecting in 2014.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-may-2-2018-cyber-experts-say-playground-open-for-influencing-elections

Cyber Dialogue Conference 2014

praskrishna — 2014-04-08T05:09:54Z

The Cyber Dialogue conference, presented by the Canada Centre for Global Security Studies at the Munk School of Global Affairs, University of Toronto, will convene an influential mix of global leaders from government, civil society, academia and private enterprise to participate in a series of facilitated public plenary conversations and working groups around cyberspace security and governance.

Malavika Jayaram is participating in this event being held on March 30 and 31, 2014. Full event details here.

After Snowden, Whither Internet Freedom?

A recent stream of documents leaked by former NSA contractor Edward Snowden has shed light on an otherwise highly secretive world of cyber surveillance. Among the revelations — which include details on mass domestic intercepts and covert efforts to shape and weaken global encryption standards — perhaps the most important for the future of global cyberspace are those concerning the way the U.S. government compelled the secret cooperation of American telecommunications, Internet, and social media companies with signals intelligence programs.

For American citizens, the NSA story has touched off soul-searching discussions about the legality of mass surveillance programs, whether they violate the Fourth and Fifth Amendments of the U.S. Constitution, and whether proper oversight and accountability exist to protect American citizens' rights. But for the rest of the world, they lay bare an enormous “homefield advantage” enjoyed by the United States — a function of the fact that AT&T, Verizon, Google, Facebook, Twitter, Yahoo!, and many other brand name giants are headquartered in the United States.

Prior to the Snowden revelations, global governance of cyberspace was already at a breaking point. The vast majority of Internet users — now and into the future — are coming from the world’s global South, from regions like Africa, Asia, Latin America, and the Middle East. Of the six billion mobile phones on the planet, four billion of them are already located in the developing world. Notably, many of the fastest rates of connectivity to cyberspace are among the world’s most fragile states and/or autocratic regimes, or in countries where religion plays a major role in public life. Meanwhile, countries like Russia, China, Saudi Arabia, Indonesia, India, and others have been pushing for greater sovereign controls in cyberspace. While a US-led alliance of countries, known as the Freedom Online Coalition, was able to resist these pressures at the Dubai ITU summit and other forums like it, the Snowden revelations will certainly call into question the sincerity of this coalition. Already some world leaders, such as Brazil’s President Rousseff, have argued for a reordering of governance of global cyberspace away from U.S. controls.

For the fourth annual Cyber Dialogue, we are inviting a selected group of participants to address the question, “After Snowden, Whither Internet Freedom?” What are the likely reactions to the Snowden revelations going to be among countries of the global South? How will the Freedom Online Coalition respond? What is the future of the “multi-stakeholder” model of Internet governance? Does the “Internet Freedom” agenda still carry any legitimacy? What do we know about “other NSA’s” out there? What are the likely implications for rights, security, and openness in cyberspace of post-Snowden nationalization efforts, like those of Brazil’s?

As in previous Cyber Dialogues, participants will be drawn from a cross-section of government (including law enforcement, defence, and intelligence), the private sector, and civil society. In order to canvass worldwide reaction to the Snowden revelations, this year’s Cyber Dialogue will include an emphasis on thought leaders from the global South, including Africa, Asia, Latin America, and the Middle East.

For more details visit http://editors.cis-india.org/news/cyber-dialogue-conference-2014

Cyber Crime & Privacy

merlin — 2011-09-01T09:36:11Z

India is a growing area in the field of active Internet usage with 71 million Internet users.

Introduction

India is a growing area in the field of active Internet usage with 71 million Internet users.[1] “Cyberspace is shorthand for the Web of consumer electronics; computers and communication networks that interconnect the World”. [2] The recent incidents of hacking into various popular websites of Yahoo, CNN, Sony, the CBI and the Indian Army raise the very pertinent issue of online data privacy. This blog will examine the growing instances of hacking websites and its impact on data privacy.

Cyber Crime

“Cybercrime is a criminal offence on the Web, a criminal offence regarding the Internet, a violation of law on the Internet, an illegality committed with regard to the Internet, breach of law on the Internet, computer crime, contravention through the Web, corruption regarding Internet, disrupting operations through malevolent programs on the Internet, electric crime, sale of contraband on the Internet, stalking victims on the Internet and theft of identity on the Internet.”[3]

The computer age gave rise to a new field of crime namely “cybercrime” or “computer crime”. During the 1960s and 1970s cybercrime involved physical damage to the consumer system. Gradually computers were attacked using more sophisticated modus operandi where individuals would hack into the operating system to gain access to consumer files. The 1970s - through to the present - saw cybercrimes taking different trajectories like impersonation, credit card frauds, identity theft, and virus attacks, etc.[4]

The IT Act 2000 was enacted by the government to punish such acts of cyber crime. The Act was amended in the year 2008[5].

Cybercrime — An Overview: India

The IT Act 2000 was enacted by the government in 2000 to punish acts of cyber crime. The Act was amended in the year 2008[5]. According to the National Crime Records Bureau, cyber crime is on the rise. The Bureau reported that 420 cases were reported under the IT Act in the year 2009 alone, which was a 45.8 per cent increase from the year 2008. [6] The NCRB data on cyber crime also provides a useful insight as to the growing awareness of the IT Act. The data clearly shows an increase in the number of cases reported from the years 2005 to 2009.[7]. Hacking and obscene [8] publication/transmission are the highest reported crimes with the highest rate of conviction under the IT Act 2008.

Cyber Attack: No One is Safe!!

In February 2000 the many ‘busy’ Internet websites were jammed shut by hackers causing a national upheaval in the USA with the then President Clinton calling in a high level meeting with experts from around the world. Websites like Yahoo.com were forced to shut down for three hours after they were ‘smurfed’ by hackers [9]. Many other websites like Amazon.com and CNN.com were also attacked by the same hackers. Hacking such popular websites within a span of few hours was unprecedented which left many, including the FBI, clueless. By far these are the most serious cyber attacks in the history of Internet. The attacks not only shut down important sites, but also highlighted a very disturbing growing trend. If such popular websites were shut down by unknown perpetrators then how in the world will these and similar sites be able to protect scores of personal data and credit card information of the customers they pledge to serve?

More recently cyber vandals attacked the US Senate website on the 14 June 2011, causing a huge security scare [10]. This instance again brings us to the pertinent question of the safety of our personal data held by these websites. If the personal data of the US Senators can be breached by somebody, then certainly we as consumers should be very wary of the cyberspace and its ability to protect our data.

Closer Home

On June 8, a group claiming to be “anonymous” hacked into the government’s National Information Centre to protest against the anti-graft agitation [11]. The same group was accused of hacking into the Indian Army’s website although no report of data theft was claimed by the government. Last year in December a Pakistani hacker group named Predators PK hacked into various websites including the website of the CBI.[12]

Cyber Crime: Its Implications to Privacy

Internet security has become an important issue. Recent cyber attacks on various important websites has placed many consumers at risk and vulnerable to cyber criminals. The hacking attack on the Sony website on April 16 and 17 led to the theft of 26.4 million SOE (Sony Online Enterprise) Accounts. The criminals even hacked into a 2007 database which held credit and debit card information of 23,400 customers.[13]

Attacks such as these demonstrate the vulnerability of websites, and the possibility of serious harm to a countries economy and security. Furthermore, consumers’ personal data can be used by hackers to extort and blackmail individuals.

The Internet has become a huge stakeholder in facilitating trade and e-commerce, subsequently cyberspace has become a large network of communication and commerce. We carry out a number of tasks on the Internet — from e-shopping and e-ticketing to e-banking. Though the recent attacks on the CBI website, and the Indian Army website did catch some attention from the media, and the government did make some noise about it, the issue slowly faded away. The government cannot seem to protect its own websites which houses sensitive details of national security, but seems confident about putting personal data and biometrics of a billion plus population under the AADHAR scheme [14] onto a web server which can be hacked anytime by almost anybody with a personal computer in China or Pakistan.[15]

Privacy: No More?

Data generated in cyberspace are a fingerprint of an individual which is detailed, processed, and made permanent.[16] The cyberspace generates a blue print of our whole personality as we navigate through a health site, pay our bills, or shop for books at Amazon.com. The data collected by surfing through all these domains creates a fitting profile of who we are. [17] When hackers and cyber vandals steal this very information, it becomes a gross violation of our privacy.

Conclusion

Privacy does not exist in cyber space. The various websites that offer varied services to its consumers fail to protect their personal data time and again. The Sony website including its play station and music website was hacked at least three times this year. Scores of personal data was stolen and the consumers were kept in dark regarding the breach for almost a week. Speaking as a consumer, if a large corporate company like Sony cannot protect its website from being hacked into, it is hard to imagine other websites protecting itself from attacks.

The rise of the Internet has brought with it a new dimension of crime. The IT Act 2000 has brought some reprieve to the aggrieved according to the NCRB. Despite this, the IT Act clearly will not completely deter criminals from hacking into websites, as was demonstrated in the NCRB report. The cyber criminals of the February 2000 cyber attacks have yet to be apprehended and the attacks on various websites have been increasing every year.

Despite progress being made on enacting cyber laws and implementing them, cyber crime is still not nipped in the bud. Governments can do precious little to stop it and only hope that a cyber criminal can be traced back and be punished. Hence, Internet users need to more careful of the sites they visit; know the privacy policy of these websites to protect their personal data as much as possible.

Notes

[1] According to an annual survey conducted by IMRB and Internet and Mobile Association of India for the year 2009 – 2010.

[2] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

[3] http://legal-dictionary.thefreedictionary.com/cybercrime

[4] http://www.mekabay.com/overviews/history.pdf

[5]http://www.cyberlaws.net/itamendments/index1.htm

[6] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[7] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[8] http://ncrb.nic.in/CII%202009/cii-2009/Chapter%2018.pdf

[9] http://www.pbs.org/newshour/extra/features/jan-june00/hackers_2-17.html

[10] http://in.reuters.com/article/2011/06/14/idINIndia-57677720110614

[11] http://www.thinkdigit.com/General/Anonymous-hacks-Indian-govt-website-to-support_6933.html

[12] http://www.deccanherald.com/content/117901/pakistan-hackers-wage-cyber-war.html

[13] http://mashable.com/2011/05/03/sony-another-hacker-attack/

[14] http://uidai.gov.in/

[15] http://www.securitywatchindia.org.in/selected_Article_Cyber_warfare.aspx

[16] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

[17] http://www.jstor.org/stable/pdfplus/1229286.pdf?acceptTC=true

For more details visit http://editors.cis-india.org/internet-governance/cyber-crime-privacy

Curating Genderlog India's Twitter handle

Admin — 2019-05-14T14:40:08Z

Shweta Mohandas has been nominated to curate Genderlog's Twitter handle (@genderlogindia).

Shweta Mohandas will be tweeting about topics related to gender and data, more specifically around AI, big data, privacy and surveillance. To view the tweets, click here

For more details visit http://editors.cis-india.org/internet-governance/news/curating-genderlog-indias-twitter-handle

Crypto Night

praskrishna — 2013-08-06T06:04:05Z

Challenging government snooping at an all-night cryptography party.

This article by Rahul M was published in the Caravan on August 1, 2013. Pranesh Prakash and Bernadette Langle are quoted.

Satyakam Goswami sat in a conference hall in the Institute of Informatics & Communication in Delhi University's South Campus, furiously typing code into his laptop. He typed the string “/var/log/tor#”, into a Linux terminal, then turned to me and said, “I am one step away, man.” It was around midnight on a muggy July Saturday, and Goswami had been here for six hours. He resumed typing—and cursing under his breath in Telugu as he realised that the online instructions he was following weren’t helping.

Around him, the room bustled with the activity of around 25 other people, all participants at a Cryptoparty, a cryptography event at which programmers and non-programmers meet to share information and expertise on tools that can help thwart government spying.

Goswami was one of the organisers of the event, which was led by Bernadette Längle, a German ‘hacktivist’ who is a member of the Chaos Computer Club (CCC), Europe’s largest association of hackers. Längle was one of the organisers of the CCC’s Chaos Communication Congress in 2012, an international hackers’ meet held in Hamburg that year. While processing participant applications for the Congress, she came across a group that wanted to organise what they called a “Cryptoparty” at the meet. “I thought Cryptoparty would be a bunch of guys coming together, learning crypto and having a party,” she told me. Only at the event did she realise that Cryptoparties are rather more political affairs, at which participants experiment with ways of combating governmental intrusions into privacy and freedom.

After she graduated, Längle decided she wanted to travel. “I hadn’t been to America or Asia, and I don’t think I want to enter America,” she said. “I thought India might be a good point to start.” While she was exploring her options, she met Goswami online. “I first met Bernadette on an IRC channel, ‘hasgeek’, where she expressed her interest to come to India,” Goswami said. “I suggested that she write a proposal to CIS [the Centre for Internet and Society, in Bangalore].” Längle applied, and was accepted to work with the organisation for six months.

When Längle was teaching a one-week course on email cryptography at a CIS event, a participant suggested to her that she organise a Cryptoparty in the city. “I thought I was travelling anyway, and I can make a Cryptoparty everywhere I go,” Längle said. This led to the Bangalore Cryptoparty on 30 June, followed by the Delhi edition on 6 July. Längle then held a Cryptoparty in Dharamsala in the second week of July, and plans to hold another in Mumbai in October. At each of these, she gave tutorials on specific aspects of cryptography, such as the Pretty Good Privacy (PGP) encryption and decryption program, which Edward Snowden used to communicate with The Guardian’s Glenn Greenwald during their now-famous collaboration. Participants would then experiment with these tools, sending emails and messages to each other using secure channels. The Delhi edition, which saw around 70 participants, continued late into the night, with the last exhausted stragglers shutting off their gadgets and heading home at 4 am.

I met Längle again the day after the Delhi event; with her was Pranesh Prakash, policy director at CIS, who is a commentator on issues related to surveillance and privacy. Both agreed that the Indian government’s Central Monitoring System programme, as well as Edward Snowden’s recent leaks, had resulted in a greater interest in cryptography in the country in recent months. “Without the PRISM stuff, there wouldn’t have been so many people attending,” Längle said. “People are concerned about that.” Prakash believes that the NSA leaks have served as a loud wake-up call about a longstanding state of affairs. “It’s this I-told-you-so moment for lots of people right now,” he said. “This isn’t the first time there have been revelations about the NSA spying beyond their authority. These revelations have been happening at least since 2006.”

For more details visit http://editors.cis-india.org/news/caravan-magazine-august-1-2013-rahul-m-crypto-night

Crowdsourcing Incidents of Communication Privacy Violation in India

sumandro — 2015-10-16T10:49:17Z

In the context of several ongoing threads of debates and policy discussions, we are initiating this effort to crowdsource incidents of violation of digital/online/telephonic privacy of persons and organisations in India. The full list of submitted incidents is publicly shared, under Creative Commons Attributions-ShareAlike 4.0 International license. Please contribute and share with your friends and colleagues.

Report an incident: http://goo.gl/forms/8Xcf0zcWZW

Collected incidents: http://bit.ly/privacy-violation-india (CC BY-SA 4.0)

You are welcome to cross-post this to your website or other online forum. Please provide attribution, and link back to this page. For any clarification, write to Sumandro Chattapadhyay, Research Director, CIS, at sumandro[at]cis-india[dot]org.

For more details visit http://editors.cis-india.org/internet-governance/crowdsourcing-incidents-of-communication-privacy-violation-in-india

Crowdsourced innovation for government projects and services is easier said than done

praskrishna — 2017-02-07T15:36:38Z

Late January. The buzz was palpable at the MLR Convention Centre in South Bengaluru. Developers were streaming into 50p, a conference organised by HasGeek, which has curated technology forums since 2011. But this wasn't just one of the six HasGeek communions that the programmers attend annually. 50p put the spotlight on digital payments, which meant the gathering would be more diverse than anything before.

The article by Kunal Talgeri was published in the Times of India on February 3, 2017. Sunil Abraham was quoted.

Of the 250-plus attendees in two days, only 40% were developers. There were around 10 lawyers, an activist here, a social-impact investor there, product managers, and a 20-strong team from online payment systems company PayPal. There were managers from traditional banks too. "We realised early on that one thing the developer community really needs to know is how various payment-systems work, like who makes what percentage (in the value chain)?," said Zainab Bawa, cofounder of HasGeek. "It is a big mystery to them."

Kiran Jonnalagadda, co-founder of HasGeek and Bawa's husband, concurred: "A payment conference cannot primarily be centred on technology. Regulations make a bulk of the difference." So the interdisciplinary forum traversed areas as diverse as customer data and privacy, payment-systems unique to India, regulations, and the Watal Committee report apart from technology.

HasGeek got folks from the payments industry to converse with developers. At the outset, Bawa spelt out to the audience something about technology's role in society. "While we (coders) are here to bridge gaps, we also need to understand that technology is not necessarily the solution. Developers must have their ears to the ground." She had touched upon the divide between the coder community and the government.

Globally, governments are only just beginning to be exposed to the geeks. "The broader theme of digitisation and opening up of APIs (application programming interface) is happening across the world," said Sanjay Swamy, managing partner at Prime Venture Partners, and an Aadhaar volunteer with the Unique Identity Authority of India (UIDAI) until early 2011. APIs empower developers to build applications that access the features or data of an operating system or service. This requires developers to come together with, in this case, the government.

The digital dream has never showed more promise in India—the chance for a few developers to build a platform that can digitise government services for millions of users. "The government wants to use hackathons for digital disruption—leverage hackers to build solutions for them," says Subhendu Panigrahi, co-founder of Venturesity that helps companies find developers.

This is easier said than done. But how did India even get to this point?

CODE NAME: GENESIS
On 10 June 2016, the Indian Software Product Industry Round Table (iSPIRT) think-tank released a paper that took note of the country moving from "data poor to data rich."

This was a few weeks after the UIDAI platform Aadhaar crossed 1 billion enrolments. "The Aadhaar system can authenticate 100 million transactions per day in real time," iSPIRT stated. The paper also pointed to three national platforms - essentially services that would in time digitise government services on a national scale.

These were the Goods and Services Tax (GST) Network, the Bharat Bill Payment System which would cover utility services (electricity, water, gas, and so on), and the electronic toll collection system.

All three platforms come under the National Payments Corporation of India (NPCI), an umbrella organisation for retail payment systems in India. iSPIRT had helped NPCI organise a hackathon in Mumbai in February 2016 to build prototypes for harnessing the Unified Payment Interface (UPI) platform's application programming interface to digitise bank transfers in real time. Similarly, steps were being taken to open up APIs to large companies for the other NPCI platforms.

On its part, iSPIRT was drawing the attention of a breed of software developers to the national-scale opportunities ahead. It unequivocally stated: "Data flows benefit public services and governments." But even as India moves to being data rich, the outreach to developers - estimated to be more than 5 million in India - could be futile for two reasons.

First, government departments and traditional systems of, say, nationalised banks have a technology procurement culture that is at odds with how developers build digital solutions. While government is the largest technology procurer, procurement contracts typically have clauses that encourage lowest (cost) bidders, which rarely spawns innovation.

"Government needs to adopt and evangelise pro-challenger tools and policies that reduce barriers to experimentation, level-playing field and encourage innovating around national issues," wrote Swati T Satpathy for iSPIRT in a November 2015 paper titled 'Igniting Hundreds of Experiments'.

Second, independent developers still have to come out in larger numbers for the best solutions to shine. Sachin Gupta, CEO of HackerEarth, another developer platform, agrees: "Governments may still go ahead and give projects to a TCS and Wipro, but they want to crowdsource the innovation, prototype and the whole concept. They want to build an active relationship with the tech community."

These can be government bodies at the state level, too, like the Department of Urban Land Transport in Karnataka, for whom Venturesity helped with a 'transit hack' to solve traffic in Bangalore with submissions like how to enable carpooling or track public transport.

"The government is really interested in the final product or an app they can use," Panigrahi said. For this, governments are willing to distribute their APIs to eventually own the app. "Developers participate in such hackathons to make it part of their portfolios or resumes, or because they love building products, or for the prize-money."

This is crowd sourced innovation. Yet, culturally, it is hard for developers and governments' interests to be aligned.

INSIDE THE DICHOTOMY
The API-driven approach is based on a philosophy in the United States that dates back to the 1960s. It a culture of giving powerful building blocks, as opposed to just building an actual solution, said Jonnalagadda. A 'solution' evolves into a platform if it can serve as 'building blocks' for the next set of developers to build on.

"A good product is also one on top of which something more can be built. That has been the principle on which the developer community has thrived," he said. This approach works well in technology. "It means you are slow, but also that you are a lot more mature and innovative."

The government has got this aspect right, by opening up secure APIs to nationalscale projects and systems. But while they have provided such building blocks, they have already decided the path to meet goals like financial inclusion. Mobile apps like BHIM (Bharat Interface for Money) are becoming the default mode of reaching the masses. Many observers agree with the smartphone as a medium for India, but developers feel web browsers are more secure than apps.

Jonnalagadda cites a 50p session, 'Everyone can see your credit card details. Seriously,' where the speaker Arnav Gupta described the flow of the web as independent websites that can't actually communicate with each other. As against this, every function of a mobile app is a subset of the parent app. "So whatever password you type for one 'function' can be visible to the parent, which never happens on the web," Jonnalagadda said. "If security is defined by the fact that it is tested against being broken, a mobile app is trusted on the basis of goodwill. For developers, this is a shitty way to do technology. It bothers the heck out of him when a security model assumes goodwill because government wants an app."

Also, solutions need a decentralised approach from governing bodies like local municipalities. Independent budgets and decision-making can lead to stronger links between government and local service providers. There are exceptions to this, like Singapore, a city nation. But in larger developed countries like the United States, local government bodies are stronger than in India. "Here, we are getting even more centralised over time," Jonnalagadda said. It makes the government look like a monolith in the eyes of developers. How can the two be compatible? "We haven't found a solution yet."

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-february-3-2017-kunal-talegri-crowdsourced-innovation-for-government-projects-and-services-is-easier-said-than-done

Cross-Border Data Sharing and India: A study in Processes, Content and Capacity

Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu — 2018-09-29T00:37:39Z

A majority of criminal investigations in the modern era necessitate law enforcement access to electronic evidence stored extra-territorially. The conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.

The crux of the issue lies in the age old international law tenet of territorial sovereignty.Investigating crimes is a sovereign act and it cannot be exercised in the territory of another country without that country’s consent or through a permissive principle of extra-territorial jurisdiction. Certain countries have explicit statutory provisions which disallow companies incorporated in their territory from disclosing data to foreign jurisdictions. The United States of America, which houses most of the leading technological firms like Google, Apple, Microsoft, Facebook, and Whatsapp, has this requirement.

This necessitates a consent based international model for cross border data sharing as a completely ad-hoc system of requests for each investigation would be ineffective. Towards this, Mutual Legal Assistance Treaties (MLATs) are the most widely used method for cross border data sharing, with letters rogatory, emergency requests and informal requests being other methods available to most investigators. While recent gambits towards ring-fencing the data within Indian shores might alter the contours of the debate, a sustainable long-term strategy requires a coherent negotiation strategy that enables co-operation with a range of international partners.

This negotiation strategy needs to be underscored by domestic safeguards that ensure human rights guarantees in compliance with international standards, robust identification and augmentation of capacity and clear articulation of how India’s strategy lines up with the existing tenets of International law. This report studies the workings of the Mutual Legal Assistance Treaty (MLAT) between the USA and India and identifies hurdles in its existing form, culls out suggestions for improvement and explores how recent legislative developments, such as the CLOUD Act might alter the landscape.

The path forward lies in undertaking process based reforms within India with an eye on leveraging these developments to articulate a strategically beneficial when negotiating with external partners.As the nature of policing changes to a model that increasingly relies on electronic evidence, India needs to ensure that it’s technical strides made in accessing this evidence is not held back by the lack of an enabling policy environment. While the data localisation provisions introduced in the draft Personal Data Protection Bill may alter the landscape once it becomes law, this paper retains its relevance in terms of guiding the processes, content and capacity to adequately manoeuvre the present conflict of laws situation and accessing data not belonging to Indians that may be needed for criminal investigations.As a disclaimer,the report and graphics contained within it have been drafted using publicly available information and may not reflect real world practices.

Click here to download the report With research assistance from Sarath Mathew and Navya Alam and visualisation by Saumyaa Naidu

For more details visit http://editors.cis-india.org/internet-governance/blog/cross-border-data-sharing-and-india-a-study-in-processes-content-and-capacity

Cross Border Sharing of Data: Challenges and Solutions

Admin — 2017-11-20T15:20:18Z

Centre for Internet & Society (CIS) has been following the debates around MLAT process taking place globally and researching potential areas of tension in the tools that India uses to access data across borders. As part of this research, CIS is hosting a workshop on cross border sharing of data on December 8, 2017 at India Islamic Centre from 10.30 a.m. to 5.00 p.m.

For more details visit http://editors.cis-india.org/internet-governance/events/cross-border-sharing-of-data-challenges-and-solutions