
Comments on the TRAI consultation Paper on Regulatory framework for Over the Top services

The Telecom Regulatory Authority of India has called for comments on its consultation paper on the regulatory framework for Over the Top services, which is accessible at http://trai.gov.in/WriteReaddata/ConsultationPaper/Document/OTT-CP-27032015.pdf

I have submitted the following comments:

Comments on the Consultation Paper on Regulatory frameworks for Over the Top Services

The Regulatory framework as proposed by the Telecom Regulatory Authority of India is a cause for alarm. Members of Parliament and the common man alike need to be concerned about the implications of expanding TRAI’s sphere of authority to include the Internet, which would interfere with and alter the fundamental nature of the Internet:

  1. TRAI seeks to favor Telecom companies at the consumer’s expense by this proposal to alter the core architecture of the Internet and the core values that make the Internet a free, open and universally accessible eco-system. The Internet has transformed the way we do business and the way we all communicate and relate to each other, within and beyond borders. The Internet has brought the world together by its end-to-end architecture without a centralized form of control. As an eco-system, it is far more advanced than Telegraphs and Telephones; it mostly runs on a business model that is benevolent to all and treats all traffic from every person or organization, big or small, irrespective of nationality or ideology, equally. With its architecture and its core values, the Internet offers the common man’s greatest hope for freedom of expression and civil liberties, and the greatest hope to participate in Democracy in its fullest form, minimize conflicts, bridge technological gaps and bring in a certain degree of equity in the World economy. What TRAI proposes to do is to destroy the very foundations on which the Internet eco-system is built.
  2. The Telecom Authority wishes to bring the Internet under Telecom Regulation. This would gradually bring a Telecom-like commercial model to the Internet for the benefit of the Telecom companies, which would make the Internet very similar to Cable TV in terms of the high price the consumer pays for access.
  3. These harmful commercial models would cause net neutrality to erode. Telecom companies would become gatekeepers of Internet Traffic, interfere in Network Traffic which has so far been free of centralized forms of control. Telecom companies would introduce fast-laning for paid traffic which would invariably lead to “throttling” of free traffic, and would lead to situations of extortionist pricing by Telecom companies. Internet would become far more expensive for the common man.
  4. This would invariably lead to an Internet of walled gardens wherein large Internet companies would contain their users within their sphere of services, making it difficult for users to access the major part of the Internet not offered as part of the services they are subscribed to.
  5. There are some security concerns about the way the Internet is abused by a certain section of users. Some of the security threats are real, but politicized by Governments to bring in an excessive framework of surveillance both for legitimate and excessively political reasons. The TRAI proposal would enhance the surveillance capabilities of Telecom Companies in the process of enabling Telecom companies to inspect Internet traffic in packets (Deep Packet Inspection) for commercial reasons. DPI could be the ulterior motive for Governments to favor telecom companies. TRAI’s proposal not only favors the Telecom companies but, unseen, makes it easy for the Law and Order Agencies to legally or otherwise monitor the common man’s Internet usage.
  6. Regulators dislike the end-to-end architecture of the Internet with no centralized form of control and wish to alter the architecture in the guise of making the Internet more secure. There have been similar harmful proposals to regulate the Internet in various countries, voted out by public opposition, but these very proposals come back around sometime later by a different name in a different place. The TRAI proposal wraps up elements of such regulatory moves already voted out in other countries. Moreover, in India, Airtel proposed to charge differential rates for different types of traffic, a proposal that was withdrawn in the face of overwhelming public opposition. This was a move by a Telecom company that merited TRAI’s intervention against the proposal, but it wasn’t TRAI that stopped it. Instead, TRAI brings it back, this time seeking to enable this by Government directive. TRAI’s consultation paper reads like a business case for the Telecom companies printed on Government paper. Rather than look into the regulatory issues concerning how Telecom companies operate, the Regulatory Authority pleads their business case with total disregard to the fact that the Internet has actually brought in newer opportunities for the Telecom companies to enhance their revenues, and these companies are already profitable on the existing Data pricing models. TRAI’s paper misleads the policy makers and common man with the spurious argument that extortive pricing models are necessary to keep telecommunications companies in business. “The worst thing policy makers could do to the Internet would be to allow telecom companies to mess with the Internet.” TRAI appears to argue that the Telecom companies have a right to impose a fanciful pricing model. The paper is partial on Internet companies and misguides the reader with the notion that large Internet companies such as Google and Facebook are profitable at the expense of the cable and phone companies.
The Telecom companies do not incur loss on account of OTT traffic; the truth is that the OTT services have opened up the opportunity for Telecom Companies to sell Data plans that have enhanced their revenues. As Deepak Shenoy argues, “Data is in fact driving their revenues up, far more than anything else” (http://capitalmind.in/2015/04/telecom-companies-are-not-losing-money-to-data-services-the-net-neutrality-debate/).

Rather than expand its sphere of reach to Internet which requires a completely different thinking, TRAI could focus on the gaps in Telecom regulation:

A. Telecom regulations, even within the Telecom sphere, have restrained consumer experience. For example, sometime ago, TRAI restrained Telecom companies from having peering arrangements among themselves for switching 3G traffic. This affected seamless connectivity for customers on the move.

B. If TRAI is concerned about the cost of communication services to customers, it could work to recommend to the Government to free the Wireless spectrum. After the recent spectrum controversy on spectrum mismanagement and loss of revenues, the Government wanted to be seen being correct, so made the wireless spectrum pricey by auction. The revenues so determined, would serve to increase the cost of communication services to customers. TRAI could recommend that this money is not collected or returned if already collected.

C. TRAI has not looked into the practices of Telecom companies concerning the bandwidth they offer to consumers in India, which averages 1 Mbps of nominal connectivity, actually amounting to 256 Kbps of average connectivity, which on the mobile phone streams at less than 56 kbps on 3G most of the time in most locations. This is way below the standards of a hundred other countries around the world, while the price charged per connection is almost on par with the rest of the world. TRAI could look into this.

D. One of the reasons why Telecom companies find it relatively less profitable to operate is that even the largest of the Telecom Companies have outsourced Network Management to overseas Telecom / Technology companies. TRAI could assist the Telecom companies in building up the required technical capabilities to manage Networks on their own.

E. International Mobile roaming pricing, both for Voice and Data, by Indian telecom companies is prohibitively expensive and extortionate. TRAI could look into the reasons and assist the Telecom companies in rationalizing the pricing plans for International roaming.

F. TRAI could look for solutions for 100% connectivity across India with receptiveness.

Sivasubramanian M
President
Internet Society India Chennai
http://isocindiachennai.org
http://twitter.com/shivaindia
6.Internet@gmail.com


A document from 39 years ago: Western Concern for Privacy in the age of Computers

Common Concerns

[ This was in 1973, 39 years ago, “when computers ran on steam and the internet was still largely mechanical”. I was led to this document from a message posted by Karl Auerbach in the At Large mailing list today ]

Most of the advanced industrial nations of Western Europe and North America share concerns about the social impact of computer-based personal data systems. Although there are minor differences in the focus and intensity of their concerns, it is clear that there is nothing peculiarly American about the feeling that the struggle of individual versus computer is a fixed feature of modern life. The discussions that have taken place in most of the industrial nations revolve around themes that are familiar to American students of the problem: loss of individuality, loss of control over information, the possibility of linking data banks to create dossiers, rigid decision making by powerful, centralized bureaucracies. Even though there is little evidence that any of these adverse social effects of computer-based record keeping have occurred on a noticeable scale, they have been discussed seriously since the late sixties, and the discussions have prompted official action by many governments as well as by international organizations.

Concern about the effects of computer-based record keeping on personal privacy appears to be related to some common characteristics of life in industrialized societies. In the first place, industrial societies are urban societies. The social milieu of the village that allowed for the exchange of personal information through face-to-face relationships has been replaced by the comparative impersonality of urban living. …

Concern about the effects of computer-based record keeping appears to have deep roots in the public opinion of each country, deeper roots than could exist if the issues were manufactured and merchandised by a coterie of specialists, or reflected only the views of a self-sustaining group of professional Cassandras. The fragility of computer-based systems may account for some of the concern… There are few computer systems designed to deal with the disruption that deliberately lost or mutilated punched cards in a billing system--to give a simple example--would cause. Thus, the very vulnerability of automated personal data systems, systems without which no modern society could function, may make careful attention to the human element transcend national boundaries.

The Response in Individual Nations

WEST GERMANY

On October 7, 1970, the West German State of Hesse adopted the world’s first legislative act directed specifically toward regulating automated data processing. This “Data Protection Act” applies to the official files of the government of Hesse; wholly private files are specifically exempted from control. The Act established a Data Protection Commissioner under the authority of the State parliament whose duty it is to assure that the State’s files are obtained, transmitted, and stored in such a way that they cannot be altered, examined, or destroyed by unauthorized persons…

Thus, the Data Protection Act of Hesse seems designed more to protect the integrity of State data and State government than to protect the interests of the people of the State…

SWEDEN

When strong opposition to the 1969 census erupted in Sweden, public mistrust centered not so much on the familiar features of the census itself as on the fact that, for the first time, much of the data gathering would be done in a form specifically designed to facilitate automated data processing. Impressed by the possibility that opposition might be so severe as to invalidate the entire census, the government added the task of studying the problems of computerized record keeping to the work of an official commission already studying policies with respect to the confidentiality of official records.

After a notably thorough survey of personal data holdings in both public and private systems, the commission issued a report containing draft legislation for a comprehensive statute for the regulation of computer-based personal data systems in Sweden.2 The aim of the act is specifically the protection of personal privacy. Its key provisions are these:

  • Establishment of an independent “Data Inspectorate,” charged with the responsibility for executing and enforcing the provisions of the Data Law.
  • No automated data system containing personal data may be set up without a license from the Data Inspectorate.
  • Data subjects have the right to be informed about all uses made of the data about them, and no new use of the data may be made without the consent of the subject.
  • Data subjects have the right of access without charge to all data about them, and if the data are found to be incorrect, incomplete, or otherwise faulty, they must either be corrected to the subject’s satisfaction, or a statement of rebuttal from the subject must be filed along with the data.
  • The Data Inspectorate will act as ombudsman in all matters regarding automated personal data systems.

The Data Law has been passed by the Swedish Parliament and will become effective on July 1, 1973. A transition period of one year will be allowed to implement all the provisions of the law.

FRANCE

Article 9 of the French Civil Code states plainly, “Everyone has the right to have his private life respected.”3 As legal scholars in all countries have noted, however, it is very difficult to define the precise limits of privacy in every case that comes before a court, and in spite of such explicit protection, the privacy of the French, both inside and outside of automated personal data systems, seems in practice no better defended than that of most other people…

One other development on the French scene deserves mention. The 1972 annual report of the Supreme Court of Appeals went considerably out of its way, after reviewing a case of literary invasion of privacy, to comment on the subject of computers and privacy:

… The progress of automation burdens society in each country with the menace of a computer which would centralize the information that each individual is obliged to furnish in the course of his life to the civil authorities, to his employer, his banker, his insurance company, to Internal Revenue, to Social Security, to the census, to university administrations, and, in addition, the data, correct or not, which is received about him by the various services of the police. When one thinks about the uses that might be made of that mass of data by the public powers, of the indiscretions of which that data might be the origin, and of the errors of which the subjects might be the victims, one becomes aware that there lies a very important problem, not only for the private life of everyone, but even for his very liberty.

It appears to us that this eventuality, an extremely probable one, ought to be made the object of consideration of the public power, . . .and that this consideration should take its place among the measures of precaution and of safeguard which should not lack for attention.7

To sum up, the situation in France is complex. The subject of computers and privacy has been given serious attention by a relatively small group of experts, but that group has an influence in government far out of proportion to its numbers. The attitude of the present government is strongly colored by another aspect of the privacy problem: It has been caught in a wiretap scandal, and its defensiveness in that regard appears to be influencing its actions on the computer front. The official report of the present working group is due before the end of 1973, but it does not seem realistic to expect that there will be any definitive action in France before, perhaps, mid-1974.

GREAT BRITAIN

Britain is unique among the countries reviewed in having recently completed a thorough study of the entire subject of privacy.8 Although the committee in charge of the study, the Younger Committee, was restricted in its terms of reference to private, rather than public, organizations that might threaten privacy, the committee’s report is a model of clarity and concern. In brief, the Committee found that both the customs of society and the Common law had evolved defenses against the traditional intrusions of nosey neighbors, unwelcome visitors, door-to-door salesmen, and the like. Against the new threats of technological intrusions--wiretaps, surveillance cameras, and, of course, computerized data banks--the Committee recognized that the traditional defenses are inadequate. To help deal with the threat of the computer, the Committee recommended specific safeguards to be applied to automated personal data systems, although it left the method of application up to the government to decide. The main features of the safeguards are:

  1. Information should be regarded as held for a specific purpose and not to be used, without appropriate authorization, for other purposes.
  2. Access to information should be confined to those authorized to have it for the purpose for which it was supplied.
  3. The amount of information collected and held should be the minimum necessary for the achievement of the specified purpose.
  4. In computerized systems handling information for statistical purposes, adequate provision should be made in their design and programs for separating identities from the rest of the data.
  5. There should be arrangements whereby the subject could be told about the information held concerning him.
  6. The level of security to be achieved by a system should be specified in advance by the user and should include precautions against the deliberate abuse or misuse of information.
  7. A monitoring system should be provided to facilitate the detection of any violation of the security system.
  8. In the design of information systems, periods should be specified beyond which the information should not be retained.
  9. Data held should be accurate. There should be machinery for the correction of inaccuracy and the updating of information.
  10. Care should be taken in coding value judgments.9

CANADA

In its report, published in late 1972,11 the Canadian Task Force concluded that computer invasion of privacy is still far short of posing a social crisis. However, the rapidly rising volume of computerized personal data and the equally rapidly rising public expectation of a right to deeper and more secure privacy threaten to converge at the crisis level. To forestall that crisis, the Task Force recommends that a commissioner or ombudsman be established in a suitable administrative setting, that carefully prepared test cases on cogent issues be brought before the courts, and that the operation of government data systems be made to serve as a national model.

from http://aspe.hhs.gov/datacncl/1973privacy/appenb.htm


Europe’s proposed Online Privacy Laws: Template for the World

“Companies must be transparent about what they are doing,” said Viviane Reding, the European Commission’s vice president for justice.


Europe is considering a sweeping new law that would force Internet companies like Amazon.com and Facebook to obtain explicit consent from consumers about the use of their personal data, delete that data forever at the consumer’s request and face fines for failing to comply…

The proposed law strikes at the heart of some of the knottiest questions governing digital life and commerce: who owns personal data, what happens to it once it is posted online…

“Companies must be transparent about what they are doing, clear about which data is being used for what,” the European Commission’s vice president for justice, Viviane Reding, said in a recent telephone interview. “I am absolutely persuaded the new law is necessary to have, on the one hand, better protection of the constitutional rights of our citizens and more flexibility for companies to utilize our Continent.”

Ms. Reding is scheduled to release the proposed regulation on Wednesday in Brussels. The European Parliament is expected to deliberate on the proposal in the coming months, and the law, if approved, would go into effect by 2014…

One of the most contested provisions of the European law is the so-called right to be forgotten, which refers to an Internet user’s right to demand that his or her accumulated data on a particular site be deleted forever. “When a citizen has asked to get it back, then the data has to be given back,” Ms. Reding said in the interview. “When an individual no longer wants his data to be processed, it will be deleted.”…

Read more of this report by Kevin J O’Brien at the New York Times

# Individual Comments: There are positive clauses in the proposed Law to be soon introduced by Vice President Reding. However, the proposed Law looks only into the Individual Vs Companies situation, and could as well extend to situations where Governments access citizens’ data. The proposed Law could also look into the moral and legal aspects of Social Networking Companies and ISPs opening doors to Governments, often by direct and indirect pressure on them.

The right to be forgotten would be somewhat pointless if copies are retained by Governments ahead of deletion by social networks or by the individual users.

Europe could go one step beyond the “right to be forgotten” and examine what could be called the “right to refuse access to one’s own information”, whether the information is shared within one’s own personal or corporate network, or placed on the cloud in the individual’s ‘private’ storage space. The individual does not transfer the powers to the social networks and the cloud computing companies to grant access to Governments, so the law could clearly state that the companies require the consent of the individual before opening up their data servers / networks for access by Governments.


Cameras May Open Up the Board Rooms for Eavesdropping

This is a New York Times article published on January 23, 2011 with the title “Cameras May Open Up the Board Room to Hackers” by Nicole Perlroth:

Mike Tuchen, left, and H D Moore of Rapid 7 were able to gain access to company boardrooms with videoconferencing equipment.

One afternoon this month in San Francisco, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

A company boardroom viewed via videoconferencing equipment from Rapid 7’s offices.

In this case, the hacker was H D Moore, a chief security officer at Rapid 7, a Boston-based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: videoconferencing equipment is often left vulnerable to hackers.

Businesses collectively spend billions of dollars each year beefing up security on their computer systems and employee laptops. They agonize over the confidential information that employees send to their Gmail and Dropbox accounts and store on their iPads and smartphones. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room where their most guarded trade secrets are openly discussed.

Mr. Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country.

He even found a path into the Goldman Sachs boardroom. “The entry bar has fallen to the floor,” said Mike Tuchen, chief executive of Rapid 7. “These are some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Read more in the New York Times


EU Data Retention Directive rejected as Unconstitutional by Czechs

The following is a reproduction of the article published by the Open Rights Group as reported by NNSquad

Data retention has been rejected as unconstitutional in the Czech Republic. The EU Directive, pushed forward by the UK, creates an obligation to store everyone’s traffic data, such as who you email or call on your phone, for possible use in criminal investigations.
This rejection follows a similar rejection in Romania, limitations in Germany and failure to implement in Sweden. There is an ongoing challenge by Digital Rights Ireland.
Data retention cancelled in Czech Republic
Constitutional Court: Spying on Communication Declared Unconstitutional
An ongoing campaign by the civic rights organisation Iuridicum Remedium (IuRe) aimed against public spying on everyday communication resulted in a considerable success. In its today’s session, the Constitutional Court announced its decision to repeal legislation according to which records of e-mails, phone calls, SMS as well as websites accesses of every citizen should be retained for a time period of six months as a matter of precaution.
“The Constitutional Court accepted all points of our complaint and we do consider this a great success. Now the time has come to open discussion on new ways of implementing the Data Retention Directive into our legal system in order to meet the highest standards with respect to privacy protection. Of course, only assuming that the Directive will not be repealed as a whole,” explains IuRe legal expert Jan Vobořil.
Constitutional Court agreed with IuRe privacy protection activists and a group of 51 MPs headed by Marek Benda who in March 2010 submitted a proposal elaborated by IuRe calling for repeal of relevant sections of the Electronic Communications Act and implementing legislation imposing obligation on mobile operators and internet providers to retain data on communication for police use. “I do welcome this decision of the Constitutional Court to accept the proposal of Civic Democratic Party (ODS) MPs to repeal such obligation imposed on operators. This is another confirmation proving the merits of our ongoing efforts to protect personal integrity. Not even the European anti-terrorism campaign can lead to unrivalled privacy infringement,” urged MP Marek Benda, MP. Apart from Civic Democrats (ODS), the complaint filed with the Constitutional Court also enjoyed support of Green Party (Strana zelených) MPs.
The Court declared the respective section of the Electronic Communications Act and its implementing legislation unconstitutional and repealed it as of today. According to the Court statement, ambiguous definition of data retention rules results in a situation where such “measures as to request and use retained data are being overused by authorities engaged in criminal proceedings for purposes related to investigation of common, i.e. less serious crimes”.
“The Constitutional Court also regards e.g. certain provisions of the Criminal Act concerning the use of such data by authorities engaged in criminal proceeding as highly questionable and it called on MPs to consider its modification,” adds IuRe expert Petr Kučera.
According to the Court, it will be necessary to consider each individual case in which data have already been requested in order to be used in criminal proceedings one by one – with respect to the principle of proportionality regarding privacy rights infringement. “This decision also implies that electronic communication providers are no longer obliged by any law to retain such data for the use of entitled authorities – as was previously the case according to the repealed provisions; the respective databases should be deleted,” explains IuRe legal expert Jan Vobořil. “This Constitutional Court decision is of great importance not only with respect to the Czech Republic but to the European Union as a whole, since there is currently an evaluation process under way assessing the impact and constitutionality of the Data Retention Directive,” comments Vobořil.