04 Nov 13 | Digital Freedom, News and features
We can partially blame gerrymandering for the current gridlock in the U.S. Congress. By shaping the electoral map to create politically safe spaces, we have generated a fractious body that often clashes rather than collaborates, limiting our chances of resolving the country’s toughest challenges. Unfortunately, revelations about the global reach of American security surveillance programs under the National Security Agency (NSA) are leading some to propose what amounts to gerrymandering for the internet in order to route around NSA spying. This will shackle the internet, inherently change its technical infrastructure, throttle innovation, and likely lead to far more dangerous privacy violations around the globe.
Nations are rightly upset that the communications of their citizens are swept up in the National Security Agency’s pervasive surveillance dragnet. There is no question the United States has overreached and violated human rights in its collection of communications information on innocent people around the globe; however, the solution to this problem should not, and truly cannot, be data localization mandates that restrict data storage and flow.
The calls for greater localization of data are not new, but the recent efforts of Brazil’s President, Dilma Rouseff, to protect Brazilians from NSA spying reflected the view of many countries suddenly faced with a new threat to the privacy of the communications of their citizens. Rouseff has been an advocate for internet freedom, so undoubtedly her proposal is well intentioned, though the potential unintended repercussions are alarming.
First, it’s important to consider the technical reasons why data location requirements are a really bad idea. The Internet developed in a widely organic manner, creating a network that allowed data to flow from all corners of the world – regardless of political boundaries, residing everywhere and nowhere at the same time. This has helped increase the resilience of the internet and it has promoted significant efficiencies in data flow. As is, the network routes around damage, and data can be wherever it best makes sense and take an optimal route for delivery.
Data localization mandates would turn the internet on its head. Instead of a unified internet, we would have a fractured internet that may or may not work seamlessly. We would instead see districts of communications that cater to specific needs and interests – essentially we would see Internet gerrymandering at its finest. Countries and regions would develop localized regulations and rules for the internet to benefit them in theory, and would certainly aim to disadvantage competitors. The potential for serious winners and losers is huge. Certainly the hope for an internet that promotes global equality would be lost.
Data localization may only be a first step. Countries seeking to keep data out of the United States or that want to exert more control over the internet may also mandate restrictions on how data flows and how it is routed. This is not far-fetched. Countries such as Russia, the United Arab Emirates, and China have already proposed this at last year’s World Conference on International Telecommunications.
As internet traffic begins to demand more bandwidth, especially as we witness more real-time multimedia applications, efficient routing is essential to advance new internet services. High capacity applications like Apple’s FaceTime may slow to the painful crawl reminiscent of the dial-up days of the internet.
This only begins to illustrate the challenges internet innovators would face, but big established players like Facebook, Google and Microsoft, would potentially have the resources to abide by localization mandates – of course, only if the business case supports working in particular locales. Some countries with local storage rules may be bypassed altogether. For small or emerging businesses, data localization requirements would be a greater challenge. It would build barriers to markets and shut off channels for innovation. Few emerging businesses could afford to locate servers in every new market, and if local data server requirements become ubiquitous, it will be businesses in emerging markets that are most disadvantaged. The reality for developing nations is that protectionist measures such as data localization will further isolate local business from the global market, depriving them of the advantages for growth that are provided by the borderless internet.
Most important though, is the potential for fundamental harm to human rights due to data localization mandates. We recognize that this is a difficult argument to accept in the wake of the revelations about NSA surveillance, but data localization requirements are a double-edged sword. It is important to remember that human rights and civil liberties groups have long been opposed to data localization requirements because if used inappropriately, such requirements can become powerful tools of control, intimidation and oppression.
When companies were under intense criticism for turning over the data of Chinese activists to China, internet freedom activists were united in theirs calls to keep user data out of the country. When Yahoo! entered the Vietnamese market, it placed its servers out of the country in order to better protect the rights of its Vietnamese users. And the dust up between the governments of the United Arab Emirates, Saudi Arabia, India, and Indonesia, among others, demanding local servers for storage of BlackBerry messages in order to ensure legal accountability and meet national security concerns, was met with widespread condemnation. Now with democratic governments such as Brazil and some in Europe touting data localization as a response to American surveillance revelations, these oppressive regimes have new, albeit inadvertent, allies. While some countries will in fact store, use and protect data responsibly, the validation of data localization will unquestionably lead to many regimes abusing it to silence critics and spy on citizens. Beyond this, data server localization requirements are unlikely to prevent the NSA from accessing the data. U.S. companies and those with a U.S. presence will be compelled to meet NSA orders, and there appear to be NSA access points around the world.
Data localization is a proposed solution that is distracting from the important work needed to improve the Internet’s core infrastructural elements to make it more secure, resilient and accessible to all. This work includes expanding the number of routes, such as more undersea cables and fiber runs, and exchange points, so that much more of the world has convenient and fast Internet access. If less data is routed through the U.S., let it be for the right reason: that it makes the Internet stronger and more accessible for people worldwide. We also need to work to develop better Internet standards that provide usable privacy and security by default, and encourage broad adoption.
Protecting privacy rights in an era of transborder surveillance won’t be solved by ring fencing the Internet. It requires countries, including the U.S., to commit to the exceedingly tough work of coming to the negotiating table to work out agreements that set standards on surveillance practices and provide protections for the rights of privacy and free expression for people. Germany and France have just called for just such an agreement with the U.S. This is the right way forward.
In the U.S., we must reform our surveillance laws, adopt a warrant requirement for stored email and other digital data, and implement a consumer privacy law. The standards for government access to online data in all countries must likewise be raised. These measures are of course much more difficult in the short run that than data localization requirements, but they are forward-looking, long-term solutions that can advance a free and open internet that benefits us all.
Joseph Lorenzo Hall, Chief Technologist at Center for Democracy and Technology, co-authored this piece with Leslie Harris.
This article was originally posted on 4 Nov 2013 at indexoncensorship.org
25 Oct 13 | Asia and Pacific, Digital Freedom, India, News and features
Just days before the United Nation’s led Internet Governance Forum in Indonesia, India, held its own – and first of its kind – conference on cyber governance and cyber security.
With the support of the National Security Council Secretariat of the Government of India, the two-day conference was organized by private think-tank Observer Research Foundation and industry body, Federation of Indian Chambers of Commerce and Industry, (FICCI). Speakers were from a host of countries including Estonia, Germany, Belgium, Australia, Russia, Israel, and of course, India.
It was ironic, that in a post-Snowden world, buried under allegations of the extent of the NSA’s spying, US officials were unable to attend the conference due to their government’s shutdown. Instead, other views took center stage, and India also visibly demonstrated the various positions its stakeholders take around the questions of governance and security.
Right at the kickoff, India’s Minister for Communications and Technology, Kapil Sibal, challenged the question of sovereignty and jurisdiction in cyberspace. “If there is a cyber space violation and the subject matter is India because it impacts India, then India should have jurisdiction. For example, if I have an embassy in New York, then anything that happens in that embassy is Indian territory and there applies Indian Law.”
India has, over the last few years, flirted with the idea of an UN-lead internet governance structure, and subsequently backed away from it. Minister Sibal said that India believes in “complete freedom of the internet”, however, at the same time needs to acknowledge that along with cyber freedoms come cyber gangsters, and the state and its citizens need to be protected from them.
India, with its 860 million mobile subscriptions (although, the numbers of users would be lower than this figure) is looking more and more to the internet as a delivery platform of socio-economic programs and a tool to boost the economy. That the internet can raise GDP by 10% is a much favored figure for those who promote the internet for economic reasons. The fact is that as the remaining unconnected population of India begins to acquire net connections through desktops and smart phones, the government is increasingly looking at security and surveillance over the internet as a necessary and inevitable route. This also means that the government needs to rely on industry to help them with this gigantic task.
The possible synergy between businesses and government in India was a central theme for discussion; as industry bodies asked the government to invest in training more cyber security specialists and also start moving towards uniform security standards and protocols. In fact, Indian industry most certainly wants to be relived of the financial burden of training personnel, and to an extent, investment in security R&D, and is keen to partner with the government to achieve both ends. Indian industry is often in the news because it appears almost universally under prepared for cyber attacks, both from within the country and externally. Suggestions of a government-led cyber awareness program were made as well, with calls to allocate funds for these exercises in the budget.
However, as has been the case in India, the real source of friction still lies between civil society and the government over the question of surveillance and monitoring. In a session entitled ‘Privacy and National Security’; perhaps the only India-centric panel of the entire conference, the debate became overheated. The panel consisted of a senior police officer involved in surveillance, India’s director-general of CERT (Computer Emergency Response Team), a representative from the mobile industry and a privacy expert. The government official was pushed by civil society members and journalists to explain the workings of the Central Monitoring System, still very opaque to the public, and later the official definition of privacy. He did neither. Unsurprisingly, India is yet to really define what privacy is, leading to simultaneous furor in the room and twitter (#cyfy13) about why this hasn’t been done as yet.
The sense in the room was that surveillance, while necessary to protect citizens, is only really effective when it is conducted in a targeted manner. Mass surveillance leads to self-censorship and is, in the end, counter productive. The other bone of contention was the question of identity, with the government making arguments that verifiable cyber identity is a possible solution to cyber crime. However, other participants found the issue troubling, as anonymity is necessary for a number of reasons, including as we have seen around the world, political dissent.
Finally, panelists discussed how best to inculcate a multistakeholder approach when legislating the internet. It was pointed out more than once that the internet was a product of private enterprise, made on open standards and principles, but now governments are attempting to control this resource. However, while public calls for multistakeholderism were made for many reasons; human rights, protection of privacy and even to benefit business in the long run (as they would not risk being caught up in lengthy court cases in the future if they took civil society on board from the start), there was still an elephant in the room. Offline, many official participants wondered why Chatham House Rules were not observed, or why there were no closed-door meetings only for government officials. It was clear that much of the weighty – and honest – discussions still don’t involve the public. Perhaps not where the question of governance is, but certainly when the question of security is.
Ultimately, there are two broad outcomes of this conference. The first is that India has indicated its willingness to start shouldering discussions to do with the global cyberspace. The other is, as India’s National Security Advisor put it, — ““India has a national cybersecurity policy not a national cybersecurity strategy.” This is certainly a start to building a consensus for that strategy.
This article was posted at indexoncensorship.org on 25 Oct 2013.
07 Oct 13 | Digital Freedom, India, News and features, Politics and Society
Illustration: Shutterstock
India’s National Integration Council met in the last week of September 2013 to discuss the threat of communal violence in the country. The council, first set up in the early 1960s, gives senior Indian politicians and public leaders a platform to discuss issues that could divide the country along caste, communal, language and regional fault lines. This September, with the backdrop of violent communal clashes that have seen over 50 killed and 40,000 displaced in India’s most populous state, Uttar Pradesh, Prime Minister Manmohan Singh sat with some of the Chief Ministers, to discuss how to resolve these issues.
There were early reports that the meeting was going to discuss the ‘misuse’ of social media, as news reports have indicated that the violent clashes in Uttar Pradesh were spurred on by false videos on YouTube. In India, the regulation of social media has been a subject of great controversy. The government has, in the past, used the IT Act’s Section 66(A) to arrest people for irresponsible posts that they claimed could cause ‘communal tension’. However, as the famous case of the Palghar girls demonstrated, many early arrests under this Section were politically motivated. Similarly, while the government has in the past asked social media companies to take down controversial posts, it has been revealed that most of the requests were again to take down criticism against the government.
However, at the same time, social media and MMS (multimedia messages through texts) have indeed been known to cause real damage. Last year, false rumours spread through MMS resulted in the exodus of northeastern migrants from south India, as the threat of violence seemed imminent. At the time, the government had to ban bulk text messaging, and ultimately restricted messages to 5 a day to curb any more rumours. Meanwhile, with global violence in the aftermath of the YouTube video, The Innocence of Muslims, the government of Jammu and Kashmir decided to suspend the internet for a few days to prevent any incidents.
Only about 164.81 million Indians have access to the internet, and only 143.20 million over mobile phones according to official figures released by the Telecom and Regulatory Authority of India in March 2013. Given this scenario, both the reach in terms of positive and negative impact, is still quite limited in India.
The prime minister, however, chose to focus on social media’s role on fanning communal violence in his address at the National Integration Council. His views on hate speech on social media were echoed by many others, including Uttar Pradesh Chief Minister Akhilesh Yadav, Maharashtra Chief Minister Prithviraj Chavan, Assam Chief Minister Tarun Gogoi, Jharkhand Chief Minister Hemant Soren, Haryana Chief Minister Bhupinder Singh Hooda and Meghalaya Chief Minister Mukul Sangma. The majority of chief ministers, then, favour social media regulation. Ideas thrown forward included taking action within the current legal framework, setting up ‘social media laboratories’ to monitor posts under intelligence departments and even mobilizing NGOs and prominent citizens to counter social media rumours.
There are a few important points to keep in mind while looking at this debate: the real need for regulating social media, scapegoating by politicians and finally, preserving freedom of expression and an open internet.
Given India’s experience with hate speech online, and reports about gender targeted abuse, along with abuse based on political, caste, community and regional affiliation, there is a valid point raised for some kind of regulation of social media. However, the real question is the kind of regulation India chooses to favor. In China, a new law can charge people with defamation if a false rumor started by them gets reposted over 500 times. In India, current laws allow citizens to go to court over information that has even caused them “annoyance” under Section 66A of the law. To ensure this is not abused, the government has now mandated that a senior police officer looks at individual cases before allowing charges to be filed to avoid nuisance cases. In the aftermath of the Muzzafarnagar riots of Uttar Pradesh, some citizens are urging the National Human Rights Commission to ask the Department of Telecom to screen and remove inflammatory posts on social media. However, when looking at cases where mass impact can cause damage (such as the exodus of northeasterns from south India), the government relied immediately on technology to solve the problem. The same can be said of the Jammu and Kashmir government, which switched off the internet, at the slightest hint of trouble.
However, both responses need to have legal sanctity. We already know the Indian government monitors its citizens’ communications, and much like many other governments across the world, and the legal basis for these programmes are still dubious. The government may want to come up with a plan for targeted control of certain communication channels should a particularly disastrous video or message surface over social media, and clearly contributes to an inflamed environment and damage on the ground. Social media is already being used to recruit terrorists. Perhaps some communication channels will be used to organize riots, as have been seen before in London. These will become bigger concerns when more than a sliver of India is connected to the internet. The debate will undoubtedly be seen through the prism of security instead of the freedom of expression, as we are currently witnessing the world over.
In a predominantly uneducated country, rumours run rife, and the result is not violence alone. For example, in 2006, polio campaigns in India have failed in Muslim communities, because of rampant rumours that the polio campaigns were a method to sterilize the community. In 2008, despite warnings, rumours that an apparition of the Virgin Mary would appear to devotees after staring into the sun caused dozens to go blind. Earlier in June 2013, three men were lynched to death in the state of Assam because of a rumour that a group of “naked men” were raping women. This does not mean every misguided or even damaging video needs to be censored immediately.
The constitution of India allows for freedom of expression, although with restrictions. However, any plan to take reasonable action in light of clear and present danger, should be drawn up with the help of civil society organizations and lawyers, and cannot be made and implemented unilaterally. The potential for abuse is too great.
Unfortunately, as it seems today – social media has become become the target of scapegoating by politicians. For example, the violence in Uttar Pradesh may or may not have been caused/spurred by a YouTube video. There is no empirical evidence for that. What isclear is that the Muzzafarnagar riots started with two Hindu boys stabbing a Muslim youth because he stalked their sister. Not YouTube. However, it would appear that instead of focusing on other causes of communal tensions in a neighbourhood, which include poverty, development, and unemployment, senior politicians vilified social media.
With elections looming, can one guarantee that any gap in planning, law and order management or inflammatory campaign speeches won’t be blamed on a tweet or Facebook update? Will the outward calling for “regulating social media” will substitute for real change on the ground?
Finally, the most important point remains. Hate speech, law and order, and mass panic are realities India’s states have been living with for years. It would appear that, in dealing with free expression on the internet, India’s politicians seem to err on the side of control. Perhaps the next election is not just about the economy, but equally about the Indian citizens freedom of expression and freedom from control.
This article was originally published on 7 Oct 2013 at indexoncensorship.org
25 Sep 13 | India, News and features, Politics and Society
India’s President Pranab Mukherjee (Photo: Wikipedia)
In September 2013, India’s President Pranab Mukherjee spoke about the inviolable right to privacy that citizens of India must enjoy, at the annual event of the Central Information Commission (CIC), a body constituted by India’s Right to Information Act, 2005.
Both the Act and the CIC have empowered ordinary citizens to submit applications requesting information from government bodies, injecting a new phase of transparency in an infamously opaque bureaucracy. In fact, the RTI Act has been born of, and has encouraged, large RTI ‘movements’, that have exposed layers of corruption in numerous schemes across various government departments.
For citizens, the fact that a government official has to release information regarding budgets, forms, decisions and other facets of public governance has led to the belief that unchecked corruption might finally simmer down, and that they are not longer helpless against the system.
However, as the RTI movement has matured over the last decade, serious questions of privacy protection have also started making their way into public discourse. The Act itself excludes a number of security and police agencies from having to divulge any information, and private companies and NGOs do not fall under the Act.
However, political parties that do fall under the act are furiously trying to legislate their way out from under the scanner. In fact, this move, supported by the ruling government that helped bring in the RTI has attracted a lot of criticism and well earned scepticism from the public. In a report on the matter, one of India’s biggest English news channels, NDTV, wrote, “The government decided to amend the law after political parties opposed the Central Information Commission’s order in June that six political parties including the Congress and the BJP will be under the RTI as they were substantially funded by public money. This would mean political parties would have to disclose campaign funding or how members voted during a secret ballot.” Indicative of the mistrust between government and the public, the report was called ‘Divided on everything else, political parties unite against RTI Act.’
Therefore, when the conversation turns to a conflict between the right to information and privacy, in India, it can often become muddled. It can seem that wrongdoers might attempt to hide behind the excuse of ‘privacy’. However, there is no escaping that protecting individual privacy is a genuine concern.
Many countries across the world that have enacted national RTI Acts also have privacy laws that carefully spell out the limits to which information about individuals can be disclosed. In general, information about personal life, sometimes including medical information, is exempt from RTI. Should names be revealed from all official documents, are all court proceedings public? And finally, do some people necessarily lose some privacy because of a ‘public interest’ test?
The World Bank Institute released a paper that describes RTI and privacy as “two sides of the same coin, essential human rights in modern information society.” It also goes on to add that, “privacy laws can be used to obtain information in the absence of RTI laws and RTI can be used to enhance privacy by revealing abuses,” and that both have been designed for accountability.
India does not have a privacy law in place right now, although what should be in the law has attracted considerable debate. Therefore, the contours of privacy in the RTI gambit have resulted from various decisions and court orders given over the years. For example, in 2011, the then chief information commissioner of the CIC informed India’s Reserve Bank of India that it had to reveal information, even if it meant public confidence in the institution might be adversely affected. And, as recently as early September 2012, the Mumbai High Court ruled that “disclosure of personal information in respect of service record, income tax returns and assets of an individual is illegal unless it is necessary in larger public interest.” This judgement protected the individual against any disclosure that had nothing to do with public interest, but instead caused unwarranted invasion of privacy.
There have also been reports that some RTI applications are filed only to be a nuisance, with cases of RTI being used to blackmail public officials, with the threat of burying them under paperwork. In April 2013, one applicant was fined for filing over 100 applications.
Moving ahead, President Mukherjee’s speech indicated that public authorities should be proactive and voluntarily put information in the public domain for the use of citizens, effectively inculcating a culture of transparency from the beginning.
However, until that happens, one can assume that the citizen will most certainly have to rely on the RTI for full disclosure about its government’s activity, and the government will have to be wary of those using RTI applications for ulterior purposes. Most importantly, the individual right to privacy should not be lost in this paper war, between the two sides of the same coin.
This article was originally posted on 25 Sept 2013 at indexoncensorship.org
