Category: Internet Security

Examining the Rise of the ‘Splinternet’

Posted on by Tech Law Forum NALSAR

[Ed Note: The following post is part of the TLF Editorial Board Test 2020-21. It has been authored by Manasvin Andra, a fourth year student of NALSAR University of Law.]

Data localisation laws have been on the rise in recent years. Since Edward Snowden’s revelations regarding the National Security Agency’s PRISM program, states have begun associating informational security with the need to retain data within their territories. The list of countries insisting on data localisation is long, including Brazil, Germany, Russia and South Korea. India is also on the path to adopting localisation norms, primarily through the revised Personal Data Protection Bill, 2019.

Read more

Open Banking in India & the Need for Setting Uniform Standards in Usage of APIs

Posted on by Tech Law Forum NALSAR

[This post has been authored by Vaibhav Parikh, Legal Counsel at ICICI Bank. Views are personal]

The value of online/ mobile banking rose from INR 69.47 billion in 2016-17 to INR 21,317 billion in 2019-20. Providing data access to third-party firms by banks and other financial institutions has proved to be one of the important reasons for such rapid development in online/ mobile banking, since it has allowed for introduction of innovative financial services and products to customers (Basel Committee Report on Open Banking, Page 8); such as seamless payments transmission between accounts at different banks, instant payments using Unified Payments Interface (“UPI”) and aggregation of all financial accounts onto one dashboard. Gradually, the delivery of financial services and products is also being offered by non-banking third parties, such as fintech firms. These developments are aspects of open banking and are continuously evolving in nature.

Read more

Metadata by TLF: Issue 15

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our reporters Kruttika Lokesh and Dhananjay Dhonchak put together handpicked stories from the world of tech law! You can find other issues here.

PIL filed seeking identities of content moderation officers

Former RSS ideologue K N Govindacharya filed a public-interest litigation in the High Court of Delhi to prompt Google, Twitter and Facebook to disclose identities of designated content moderation officers on the basis of the Information Technology Rules. In response, Google submitted that the officers worked with government authorities to remove illegal content. Govindacharya claimed that without disclosure of the officers’ identities, no mechanisms to enforce obligations could not be adequately instituted. However, Google responded by stating that revealing the identities of officers would jeopardize their capacity to work efficiently with the government, as they would be exposed to public scrutiny and criticism.

Read more

India’s 5G Trial: The Case for Huawei’s Exclusion

Posted on by Tech Law Forum @ NALSAR

[This post has been authored by Sarthak Gupta of the Institute of Law, Nirma University.]

5G is the next big change awaiting mankind. It is not just an incremental change but rather represents a paradigm shift in technology. Among other things, it is going to have a huge impact on the national and economic security of countries. As a result, a safe and reliable framework for the development of 5G technology is very much critical for a nation’s ability to preserve its sovereignty.

Read more

Metadata by TLF: Issue 7

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Israel spyware ‘Pegasus’ used to snoop on Indian activists, journalists, lawyers

In a startling revelation, Facebook owned messaging app WhatsApp revealed that a spyware known as ‘Pegasus’ has been used to target and surveil Indian activists and journalists. The revelation came to light after WhatsApp filed a lawsuit against the Israeli NSO Group, accusing it of using servers located in the US and elsewhere to send malware to approximately 1400 mobile phones and devices. On its part, the NSO group has consistently claimed that it sells its software only to government agencies, and that it is not used to target particular subjects. The Indian government sought a detailed reply from WhatsApp but has expressed dissatisfaction with the response received, with the Ministry of Electronics and Information Technology stating that the reply has “certain gaps” which need to be further investigated.

Further reading:

  1. Sukanya Shantha, Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Spyware Pegasus, The Wire (31 October 2019).
  2. Seema Chishti, WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists, The Indian Express (1 November 2019).
  3. Aditi Agrawal, Home Ministry gives no information to RTI asking if it bought Pegasus spyware, Medianama (1 November 2019).
  4. Shruti Dhapola, Explained: What is Israeli spyware Pegasus, which carried out surveillance via WhatsApp?, The Indian Express (2 November 2019).
  5. Akshita Saxena, Pegasus Surveillance: All You Want To Know About The Whatsapp Suit In US Against Israeli Spy Firm [Read Complaint], LiveLaw (12 November 2019).

RBI raises concerns over WhatsApp Pay

Adding to the WhatsApp’s woes in India, just after the Israeli spyware Pegasus hacking incident, The RBI has asked the National Payments Corporation of India (NPCI) not to permit WhatsApp to go ahead with the full rollout of its payment service WhatsApp Pay. The central bank has expressed concerns over WhatsApp’s non-compliance with data processing regulations, as current regulations allow for data processing outside India on the condition that it returns to servers located in the country without copies being left on foreign servers.

Further Reading:

  1. Karan Choudhury & Neha Alawadhi, WhatsApp Pay clearance: RBI raises concerns data localisation concerns with NPCI, Business Standard (7 November 2019).
  2. Aditi Agarwal, ‘No payment services on WhatsApp without data localisation’, RBI to SC, Medianama (9 October 2019).
  3. Sujata Sangwan, WhatsApp can’t start payments business in India, YOURSTORY (9 November, 2019).
  4. Yatti Soni, WhatsApp Payments India Launch May Get Delayed Over Data Localisation Concerns, Inc42 (9 October 2019).
  5. Priyanka Pani, Bleak future for messaging app WhatsApp’s payment future in India, IBS Intelligence (9 November 2019).

Kenya passes new Data Protection Law

The Kenyan President, Uhuru Kenyatta recently approved a new data protection law in conformity with the standards set by the European Union. The new bill was legislated after it was found that existing data protection laws were not at par with the growing investments from foreign firms such as Safaricom and Amazon. There was growing concern that tech giants such as Facebook and Google would be able to collect and utilise data across the African subcontinent without any restrictions and consequently violate the privacy of citizens. The new law has specific restrictions on the manner in which personally identifiable data can be handled by the government, companies and individuals, and punishment for violations can to penalties of three million shillings or levying of prison sentences.

Further reading:

  1. Duncan Miriri, Kenya Passes Data Protection Law Crucial for Tech Investments, Reuters (8 November 2019).
  2. Yomi Kazeem, Kenya’s Stepping Up Its Citizens’ Digital Security with a New EU-Inspired Data Protection Law, Quartz Africa (12 November 2019).
  3. Kenn Abuya, The Data Protection Bill 2019 is Now Law. Here is What that Means for Kenyans, Techweez (8 November 2019).
  4. Kenya Adds New Data Regulations to Encourage Foreign Tech Entrants, Pymnts (10 November 2019).

Google gains access to healthcare data of millions through ‘Project Nightingale’

Google has been found to have gained access data to the healthcare data of millions through its partnership with healthcare firm Ascension. The venture, named ‘Project Nightingale’ allows Google to access health records, names and addresses without informing patients, in addition to other sensitive data such as lab results, diagnoses and records of hospitalisation. Neither doctors nor patients need to be told that Google an access the information, though the company has defended itself by stating that the deal amounts to “standard practice”. The firm has also stated that it does not link patient data with its own data repositories, however this has not stopped individuals and rights groups from raising privacy concerns.

Further reading:

  1. Trisha Jalan, Google’s Project Nightingale collects millions of Americans health records, Medianama (12 November 2019).
  2. Ed Pilkington, Google’s secret cache of medical data includes names and full details of millions – whistleblower, The Guardian (12 November 2019).
  3. James Vincent, The problem with Google’s health care ambitions is that no one knows where they end, The Verge (12 November 2019).
  4. Rop Copeland & Sarah E. needlemen, Google’s ‘Project Nightingale’ Triggers Federal Inquiry, Wall Street Journal (12 November 2019).

Law professor files first ever lawsuit against facial recognition in China

Law professor Guo Bing sued the Hangzhou Safari Park after it suddenly made facial recognition registration a mandatory requirement for visitor entrance. The park had previously used fingerprint recognition to allow entry, however it switched to facial recognition as part of the Chinese government’s aggressive rollout of the system meant to boost security and enhance consumer convenience. While it has been speculated that the lawsuit might be dismissed if pursued, it has stirred conversations among citizens over privacy and surveillance issues which it is hoped will result in reform of existing internet laws in the nation.

Further reading:

  1. Xue Yujie, Chinese Professor Files Landmark Suit Against Facial Recognition, Sixth Tone (4 November 2019).
  2. Michael Standaert, China wildlife park sued for forcing visitors to submit to facial recognition scan, The Guardian (4 November 2019).
  3. Kerry Allen, China facial recognition: Law professor sues wildlife park, BBC (8 November 2019).
  4. Rita Liao, China Roundup: facial recognition lawsuit and cashless payments for foreigners, TechCrunch (10 November 2019).

Twitter to ban all political advertising

Twitter has taken the decision to ban all political advertising, in a move that increases pressure on Facebook over its controversial stance to allow politicians to advertise false statements. The policy was announced via CEO Jack Dorsey’s account on Wednesday, and will apply to all ads relating to elections and associated political issues. However, the move may only to prove to have symbolic impact, as political ads on Twitter are just a fraction of those on Facebook in terms of reach and impact.

Further reading:

  1. Julie Wong, Twitter to ban all political advertising, raising pressure on Facebook, The Guardian (30 October 2019).
  2. Makena Kelly, Twitter will ban all political advertising starting in November, The Verge (30 October 2019).
  3. Amol Rajan, Twitter to ban all political advertising, BBC (31 October 2019).
  4. Alex Kantrowitz, Twitter Is Banning Political Ads. But It Will Allow Those That Don’t Mention Candidates Or Bills., BuzzFeed News (11 November 2019).

Read more

Mackinnon’s “Consent of The Networked” Deconstruction (Part I)

Posted on by Prateek Surisetti

SERIES INTRODUCTION

Rebecca MacKinnon’s “Consent of the Networked: The Worldwide Struggle for Internet Freedom” (2012) is an interesting read on online speech. Having read the book, I will be familiarizing readers with some of the themes discussed in it.

In Part I, we will discuss censorship in the context of authoritarian governments.

In Part II, we will be dealing with the practices of democratic governments vis-à-vis online speech.

In Part III, we shall discuss the influence of corporations on online speech.

Essentially, the discussion will revolve around the interactions between the three stakeholders: netizens, corporations providing internet-based products and governments (both autocratic and democratic). Each of the stakeholders have varied interests or agendas and work with or against in each other based on the situation.

Governments wish to control corporations’ online platforms to pursue political agendas and corporations wish to attract users and generate profits, while also having to acquiesce to government demands to access markets. The ensuing interactions, involving corporations and governments, affect netizens’ online civil liberties across the world.

PART I: AUTHORITARIAN GOVERNMENTS (THE CHINESE MODEL)

“Networked Authoritarianism” is the exercise of authoritarianism, by a government, through the control over the network used by the citizens. MacKinnon explains the phenomenon through an explanation of the Chinese government’s exercise of control over the Chinese networks.

Interestingly, the Chinese citizenry is unaware of the infamous Tiananmen Square protests. The government, with compliant corporates (in order to access Chinese markets, corporations comply), works in an opaque manner to manipulate information reaching the people. The people aren’t even aware of the fact of manipulation!

The government does allow discussion, but within the limits prescribed by it. This is the concept of “Authoritarian Deliberation”. Considerable discussion occurs on the “e-parliament” (a website where the Chinese public is allowed to make suggestions on issues of policy) and the Chinese government has stated that it cares about public opinion, but any discussion that could potentially lead to unrest is screened out. In other words, the government is engendering a false sense of freedom amongst its populace.

Now, let us have a look at the modus operandi of such Chinese censorship.

Modus Operandi

Firstly, The Chinese networks are connected to the global networks through 8 gateways. Each of the gateways contain data filters that restrict websites that contain specific restricted key words. As a slight aside, it is pertinent to note that western corporations, such as Forcepoint and Narus, also provide software that assist authoritarian governments in censorship and surveillance.

Now, the Chinese netizens can access global networks through certain technical means. But there exists a lack of incentive to do so as the Chinese have their own, government compliant, versions of Twitter, Facebook and Google (Weibo; RenRen & Kaixin001: Facebook; Baidu respectively) with which the people are content. Given the size of the Chinese market, investors abound and consequently, there doesn’t exist a dearth of products.

Secondly, as mentioned earlier, the Chinese government forces corporations to manage their platforms in compliance with the government’s standards. Content from offshore servers of non-compliant corporations are blocked by the data filters. But if a corporation intends to work in China, it will have to self-regulate and ensure that platforms are compliant with the censorship policy.

Thirdly, in addition to censorship, the Chinese government also manipulates discussions through “Astroturfing”.  Originally a marketing term, it refers to the practice of paying people a certain fee to propagate views beneficial to the payee. The 50 Cent Army (etymology from fee per post) is a common term used to refer to those paid by the Chinese government.

Apart from Astroturfing, there also exist people who voluntarily spread propaganda on the internet. While the Chinese government can disavow knowledge of their activities, they are given special treatment by the government to carry out their agendas.

Through the approach followed above, the Chinese government has manipulated its populace with wondrous success. From the example above we have learnt that mere access to the internet doesn’t ensure political reform. It depends on the authoritarian government’s ability to manipulate the networks. There exist other examples of other countries successfully preventing unrest through manipulation of speech on its networks.

Censorship in Other Countries

Iran, too, has successfully manipulated networks. The Iranian government was able to restrict communications and debilitate the Green Movement, an uprising against the president at the time. Even if the government isn’t actually monitoring the communications, if enough people believe it is doing so, the government will have achieved its purpose.

The Russian government, instead of using online tools to restrict content, restricts speech through offline methods in the form of defamation laws and threat of physical consequences. Even the Chinese take offline retaliatory measures. We will discuss one such example (Shi Tao) in Part III.

Now, let us look at a few of the approaches or policies that democratic countries have adopted to tackle censorship in repressive regimes.

Approaches to Tackling Authoritarian Censorship

Initially, policies attempted to ensure that netizens were able to access an uncensored internet. Access to an uncensored internet was expected to create political consciousness and consequently, revolution against repressive regimes. Hence, government funding was aimed towards circumvention technology that would facilitate netizens in accessing the uncensored cyberspace. Ironically though, while the public treasury being used to fund circumvention technology, American corporations are aiding censorship by providing the censorship technology to authoritarian regimes.

But there exist other approaches as well. Certain policy experts, with the belief that free speech precedes democracy, are in favour of encouraging citizens, under repressive regimes, to host and develop content. Advocates of this approach argue that such an approach would be more beneficial towards building communities of dissent as opposed to attempting to provide them access to offshore content.  Further, such an approach doesn’t portray the U.S. as an enemy of the authoritarian state, leading to lesser complications, since the content will be generated by the citizens of the repressive state itself.

Lastly, some experts have suggested that democratic countries should make efforts to set their own house in order, instead of interfering with other regimes. Laws, in even the most democratic of countries, could be draconian. For instance, the U.K. was set to allow for disconnection of a user’s internet access, if she or he violates copyright thrice.  And these laws serve as a justification for authoritarian regimes to censor.

Conclusion

Here, using Chinese censorship as an example, we have attempted to understand (a) the concepts of “networked authoritarianism” and “authoritarian deliberation”, (b) the online and offline methods of censorship employed by authoritarian governments (gateway regulation, corporate compliance, “astroturfing”, et cetera) and (c) approaches adopted by democracies to tackle censorship by repressive regimes.

In Part II, we will discuss the effects of actions by democratic governments on online speech.

 

Image taken from here.

Read more

The Dark Web : To Regulate Or Not Regulate, That Is The Question.

Posted on by Shweta Rao

[Ed Note : In an interesting read, Shweta Rao of NALSAR University of Law brings us upto speed on the debate regarding regulation of the mysterious “dark web” and provides us with a possible way to proceed as far as this hidden part of the web is concerned. ]

Human Traffickers, Whistleblowers, Pedophiles, Journalists and Lonely-Hearts Chat-room participants all find a home on the Dark Web, the underbelly of the World Wide Web that is inaccessible to the ordinary netizen.  The Dark Web is a small fraction of the Deep Web, a term it is often confused with, but the distinction between the two is important.

The Dark Web unlike the Deep Web is only accessible through anonymous servers, as distinguished from non-anonymous surface web accessing servers like Google, Bing etc. One such server is The onion router (Tor),one of the most popular servers for accessing the dark web, which derives its name from the similarity of the platform’s multilayered encryption to that of the layers of an onion. Dark Web sites also require users to enter a unique Tor address with an additional security layer of a password input. These access restrictions are what distinguish the Dark Web from the Deep Web, which may be breached into through Surface Web applications. Further, the Deep Web may, due to its discreet nature, seem to occupy a fraction of the World Wide Web, when in actuality, it is estimated to be 4000-5000 times larger than the Surface Web and hosts around 90% of the internet’s web traffic.  The Dark Web, in contrast to these figures, occupies a minuscule amount of space, with less than 45,000 Dark Web sites as recorded in 2015. Thus, the difference between Deep and Dark Web lies not in their respective content, but in the requirements and means of access to these two spaces along with the quantity of web traffic they attract.

The Dark Web has existed nearly as long as the Internet has and begun as a parallel project to the US Department of Defense’s (USDD’s) 1960s ARPANET Project. The USDD allowed the Dark Web to be accessible to the public via the Tor for it to mask its own communications. Essentially, if the Dark Web was used for only USDD communications there would be no anonymity as anyone who made their way into the system would be aware that all communications would be that of the USDD. So, by allowing the public to access it via the Tor, the USDD could use the general traffic of the Dark Web through the Tor to mask its communications under the stampede of information passing through the Tor.

While the Internet became a household name by the late 90’s the Dark Web remained obscure until 2013 when it gained infamy due to the arrest of Ross William Ulbricht ( aka the Dread Pirate Roberts) the operator of the Silk Route, marketplace for illegal goods and services.

While fully regulating a structure such as the Dark Web is a near impossible feat, this arrest has indeed pushed the previously obscure Dark Web into the spotlight, putting prosecutors and law enforcement agencies across the world on the alert. This new-found attention into the workings of the Dark Web is the junction at which the debate for regulation policies emerges.

The debate on the status of surveillance of the Dark Web broadly has two branches. The first branch, which has emerged with more force post the exposure of the Silk Route, advocates for more frequent and stricter probes into the activities of the Dark Web. In contrast, the second branch weighs increased regulation against issues of breach of privacy, which is one of the main reasons behind use of servers such as Tor.

In order to understand the reasoning behind either branch’s stance, it is essential to look at the breakup of the Dark Web and its various uses, each finding its place at different points along the spectrum having legality and illegality as its extremes.

The Dark Web, as mentioned  previously, occupies a faction of the space on the Deep Web with less than 50,000 websites currently functioning, and the number of fully active sites are even lower. Legal activities take up about 55.9% of the total space on the Dark Web whilst the rest of the space contains illegal activities such as counterfeit, child pornography, illegal arms dealing and drug pedaling amongst others. Activities such as whistleblowing and hacking given their contextual scenario-based characteristic would thus not allow themselves to be placed in one or the other category and would fall into a “grey area” of sorts.

With over 50% of the activity on the Dark Web being illegal, the call for increased regulations seems to be reasonable. However, those who are regular residents of this fraction of the internet oft differ. And this hinges on, as mentioned earlier, the issue of privacy.

Privacy has become a buzzword across the globe in the recent past with various nations having to reevaluate the rights their citizens’ information had in the midst of the boom of the data wars. From the General Data Protection Regulations (GDPR) in the EU to the Puttaswamy case in India, across the globe, the Right to Privacy has been thrown into the spotlight. Its relevance only grows with corporations both large and small mining information from users across platforms. Privacy has thus become the need of the hour, and the privacy that the Dark Web provides has been one its biggest USPs. It has harbored anyone one requiring the shield of privacy including political whistleblowers who have in the past have released vital information on violations against citizens in both tyrannical regimes as well as in democracies. Edward Snowden, whose claim to infamy was indeed surrounding privacy and surveillance, had used and still continues to use the Dark Web to ensure the protection of any communications from his location, which is a Moscow airport terminal.

In the age of #FakeNews  targeting the journalism community, the need to protect the private Tor gateway that many journalists use to protect their sensitive information seems to be of paramount importance. But despite what the creators of the Tor would like to believe, the bulk of the active traffic (which differs from the actual number of sites present) in the aforementioned “illegal” branch of the Dark Web is predominantly is that of child pornography distribution.

However, this might not bode the end of the privacy sphere as created by the Tor within the Dark Web. Using the same logic as used by the USDD, given that the increased activity of child pornography and abuse sites is a known factor, it becomes easier for authorities to single out threads of heightened activity within the Dark Web without compromising its integral cloak of privacy. This tactic has been successfully used by the American FBI in the Playpen case where it  singled out the thread of rapid activity created by a  website called Playpen which had over 200,000 active accounts that participated in the creating and viewing of child pornography. The FBI singled out the traffic for this site due to its dynamic activity and once the source of the activity was precisely determined, the FBI in a unprecedented move extracted the Playpen website from the Dark Web onto a federal server and then were able to access the IP addresses of over a 1000 users who were then prosecuted, with the creator of the site having received 30 years of jailtime. This was all done without the privacy of other Tor users being breached.

Thus, whilst Hamlet’s existential question may not have a middle ground to settle on, the status of regulations on the Dark Web could be established by using the past precedent and by using better non-invasive surveillance methods along with international cooperation, in order to respect its true intended purpose.

Read more