Roundtable on (Cyber)Security for stakeholder inputs to GCCS2017

Roundtable on security
Internet Society India Chennai Roundtable for stakeholder inputs to cybersecurity policy

The Internet Society India Chennai Round Table for Stakeholder inputs was held on October 22 at The Raj, Residency Towers, Chennai, from 6 to 9 pm. The event gains added importance because it was organised as a preparatory event to the Global Conference on Cyberspace, a high-level global diplomatic and policy event to be held at New Delhi later this year.

The Round Table topic went well beyond Internet Security, and broadly and loosely examined how Internet Security measures spill over to everyday life and how various security concerns, valid and real, sometimes translate into restrictions that alter the way we live our lives. The intention was to see if diverse viewpoints could contribute to Security design and help evolve good Security policies. The session was open for remote participation and recorded. The recording of the session can be accessed from the link below:

Roundtable for stakeholder inputs to Cyber(Security)

This Roundtable event was a follow-up to an earlier Roundtable event held during an ISOC Chennai DNSSEC/KSK rollover policy session at GRT Grand Hotel, Chennai, during June. The Report on July 9, 2017. A writeup based on the June event was sent to the Internet Governance Forum (IGF) Best Practices on Cybersecurity as inputs and is attached below for context.

Reference Documents from the earlier (July 9) event: (links below)

Internet Society India Chennai Response to the Questionnaire from the IGF Best Practices Forum on Cyber Security

Report on Internet Society India Chennai Roundtable on the policy aspects of Cybersecurity:

Comments on the TRAI consultation Paper on Regulatory framework for Over the Top services

The Telecom Regulatory Authority of India has called for comments on its consultation paper on regulatory framework for Over the Top services, which is accessible at page http://trai.gov.in/WriteReaddata/ConsultationPaper/Document/OTT-CP-27032015.pdf

I have submitted the following comments:

Comments on the Consultation Paper on Regulatory frameworks for Over the Top Services

The Regulatory framework as proposed by the Telecom Regulatory Authority of India is a cause for alarm. The Members of Parliament and the common man alike need to be concerned about the implications of TRAI’s sphere of authority being expanded to include the Internet, which would interfere to alter the fundamental nature of the Internet:

  1. TRAI seeks to favor Telecom companies at the consumer’s expense by this proposal to alter the core architecture of the Internet, and the core values that make the Internet a free, open and universally accessible eco-system. Internet has transformed the way we do business, the way we all communicate and relate to each other – within and beyond borders. Internet has brought the world together by its end-to-end architecture without a centralized form of control. As an eco-system, it is far more advanced than Telegraphs and Telephones, mostly runs on a business model that is benevolent to all, treats all traffic from every person or organization, big or small, irrespective of nationality or ideology equally. With its architecture and its core values, Internet offers the common man’s greatest hope for freedom of expression and civil liberties and offers the greatest hope for participation in Democracy in its fullest form, minimize conflicts, bridge technological gaps as also bring in a certain degree of equity in the World economy. What TRAI proposes to do is to destroy the very foundations on which the Internet eco-system is built.
  2. The Telecom Authority wishes to bring the Internet as part of the Telecom Regulation. This would gradually bring in Telecom-like commercial model to the Internet for the benefit of the Telecom companies which would make the Internet very similar to the Cable TV in terms of the high price the consumer pays for access.
  3. These harmful commercial models would cause net neutrality to erode. Telecom companies would become gatekeepers of Internet Traffic, interfere in Network Traffic which has so far been free of centralized forms of control. Telecom companies would introduce fast-laning for paid traffic which would invariably lead to “throttling” of free traffic, and would lead to situations of extortionist pricing by Telecom companies. Internet would become far more expensive for the common man.
  4. This would invariably lead to an Internet of walled gardens wherein large Internet companies would contain their users within their sphere of services, making it difficult for users to access the major part of the Internet not offered as part of the services they are subscribed to.
  5. There are some security concerns about the way the Internet is abused by a certain section of users. Some of the security threats are real, but politicized by Governments to bring in an excessive framework of surveillance both for legitimate and excessively political reasons. The TRAI proposal would enhance the surveillance capabilities of Telecom Companies in the process of enabling Telecom companies to inspect Internet traffic in packets (Deep Packet Inspection) for commercial reasons. DPI could be the ulterior motive for Governments to favor telecom companies. TRAI’s proposal not only favors the Telecom companies, but unseen, makes it easy for the Law and Order Agencies to legally or otherwise monitor the common man’s Internet usage.
  6. Regulators dislike the end to end architecture of the Internet with no centralized form of control and wish to alter the architecture in the guise of making the Internet more secure. There have been similar harmful proposals to regulate the Internet in various countries, voted out by public opposition, but these very proposals come back around sometime later by a different name in a different place. The TRAI proposal wraps up elements of such regulatory moves already voted out in other countries. Moreover, in India, Airtel proposed to charge differential rates for different types of traffic, which were withdrawn by overwhelming public opposition. This was a move by a Telecom company that merited TRAI to intervene against the proposal, but it wasn’t TRAI that stopped it. Instead, TRAI brings it back, this time seeking to enable this by Government directive. TRAI’s consultation paper reads like a business case for the Telecom companies printed on Government paper. Rather than look into the regulatory issues concerning how Telecom companies operate, the Regulatory Authority pleads their business case with total disregard to the fact that the Internet has actually brought in newer opportunities for the Telecom companies to enhance their revenues, and these companies are already profitable on the existing Data pricing models. TRAI’s paper misleads the policy makers and common man with the spurious argument that extortive pricing models are necessary to keep telecommunications companies in business. “The worst thing policy makers could do to the Internet would be to allow telecom companies to mess with the Internet.” TRAI appears to argue that the Telecom companies have a right to impose a fanciful pricing model. The paper is partial on Internet companies and misguides the reader with the notion that large Internet companies such as Google and Facebook are profitable at the expense of the cable and phone companies.
The Telecom companies do not incur loss on account of OTT traffic; the truth is that the OTT services have opened up the opportunity for Telecom Companies to sell Data plans that have enhanced their revenues. As Deepak Shenoy argues, “Data is in fact driving their revenues up, far more than anything else” (http://capitalmind.in/2015/04/telecom-companies-are-not-losing-money-to-data-services-the-net-neutrality-debate/).

Rather than expand its sphere of reach to Internet which requires a completely different thinking, TRAI could focus on the gaps in Telecom regulation:

A. Telecom regulations, even within the Telecom sphere, have restrained consumer experience. For example, sometime ago, TRAI restrained Telecom companies from having peering arrangements among themselves for switching 3G traffic. This affected seamless connectivity for customers on the move.

B. If TRAI is concerned about the cost of communication services to customers, it could work to recommend to the Government to free the Wireless spectrum. After the recent spectrum controversy on spectrum mismanagement and loss of revenues, the Government wanted to be seen being correct, so made the wireless spectrum pricey by auction. The revenues so determined, would serve to increase the cost of communication services to customers. TRAI could recommend that this money is not collected or returned if already collected.

C. TRAI has not looked into the practices of Telecom companies concerning the bandwidth they offer to consumers in India, which averages 1 Mbps of nominal connectivity, actually amounting to 256 Kbps of average connectivity, which on the mobile phone streams at less than 56 kbps on 3G most of the time in most locations. This is way below the standards of a hundred other countries around the world, while the price charged per connection is almost on par with the rest of the world. TRAI could look into this.

D. One of the reasons why Telecom companies find it relatively less profitable to operate is that even the largest of the Telecom Companies have outsourced Network Management to overseas Telecom / Technology companies. TRAI could assist the Telecom companies in building up the required technical capabilities to manage Networks on their own.

E. International Mobile roaming pricing, both for Voice and Data, by Indian telecom companies is prohibitively expensive and extortionistic. TRAI could look into the reasons and assist the Telecom companies in rationalizing the pricing plans for International roaming.

F. TRAI could look for solutions for 100% connectivity across India with receptiveness.

Sivasubramanian M
President
Internet Society India Chennai
http://isocindiachennai.org
http://twitter.com/shivaindia
6.Internet@gmail.com

IETF Draft on Media Without Censorship (Censorfree)

Internet-Drafts are working documents of the Internet Engineering Task Force, its areas, and its working groups, for review, after which they may be introduced as an RFC for comments. Johan Pouwelse has introduced an “Internet Draft” at the Internet Engineering Task Force which describes some scenarios in which one can imagine that the ability of an authoritarian regime to censor news is reduced. The Censorfree objective is to standardize the protocols for micro-blogging on smart phones with a focus on security and censorship resistance.
http://tools.ietf.org/html/draft-pouwelse-censorfree-scenarios-02

All RFCs are first published as Internet-Drafts (I-Ds). A well-formed RFC starts with a well-formed Internet-Draft. Please see the Internet-Drafts page on the IETF site for policy and submission guidelines, as it is authoritative regarding Internet-Drafts.

SOPA: 387 Indian ISPs must block 104 piratical websites

The recent Stop Online Piracy Act (SOPA), considered and eventually abandoned by the US Congress after rancorous debate earlier this year, proposed giving judges the power to cut off American access to particular websites. Under the initial version of the bill, judges would have been able to order Internet service providers to use only crude tools like DNS blocking to make piratical websites harder to access. The proposal was criticized strongly on grounds of practicality, due process, and free speech, but major rightsholders want such approaches implemented worldwide. In India, they have succeeded.

A Kolkata court has ordered all 387 Internet providers in the country to block a list of 104 websites after the Indian Music Industry (IMI) filed suit against them. Indian Music Industry officials filed information with the court showing that each of the 104 sites hosted at least some infringing material; the judges ruled that site blocking was a proper way of dealing with the issue. Four injunctions—on January 27, February 6, March 1, and March 2—implemented the blacklist.

Every one of the sites targeted by the music industry was ordered blocked. IMI officials have insisted to local media that they are targeting only the worst offenders, saying that they began their process with 300 websites and eventually narrowed it down to 104 of the most flagrant infringers.

As for how the blocks will be implemented, the court has allowed Internet providers three options: blocking by DNS name (“arstechnica.com”), blocking by IP address (“75.102.3.15”), or URL blocking by deep packet inspection (which can do things like block specific links like “arstechnica.com/bollywood”).

But site blocking on the Internet, though it sounds so seductively easy, comes with its own set of problems. Blocking by DNS can be circumvented simply by entering a site’s actual IP address instead of its name. Blocking by IP address can be bypassed by moving a site to a new server that carries a new IP address. URL blocking has little effect when an existing site simply changes its name.

These are hardly esoteric technical secrets. One of the first sites to be blocked, “songs.pk,” has rebranded itself “songspk.pk.” Confused users who turn to a Google search for answers will already find that link number one for “songs.pk” directs them to the new site.

Truly blocking sites from the Internet in this fashion remains difficult, though as usual the goal is more about making infringement more difficult than curtailing all illegal activity. European courts have on occasion required specific sites to be blocked, but those rulings have tended to target one site at a time, and have often been applied only to a single Internet provider. The Indian approach is far broader, and Internet companies like Facebook and Google are coming under legal pressure to censor far more material, including obscene images of gods and goddesses.

The first list of 104 sites largely focuses on regional music; it includes sites like apunkabollywood.com, bollywoodmp4.com, and lovepaki.com. IMI promises that its next targets will include more general-purpose file-sharing sites, however.

Reproduced from arstechnica

IFPI, the international music trade group, welcomed the ruling—but insisted that even such measures did not go far enough. “The court ruled that blocking is a proportionate and effective way to tackle website piracy,” said IFPI chief executive Frances Moore. “The Indian government should build on this progress by moving forward legislation to effectively tackle all forms of digital piracy to enable the country’s digital music market to reach its full potential.”

 

 

India to set up agency to scan tweets, emails and updates

The government is setting up an internet scanning agency which will seek to monitor all web traffic passing through internet service providers in the country. The scanning agency, to be called National Cyber Coordination Centre (NCCC), will issue ‘actionable alerts’ to government departments in cases of perceived security threats.

… According to the minutes of a meeting held on February 3, 2012, at the National Security Council Secretariat under the PMO, the National Cyber Coordination Centre will ‘scan whole cyber traffic flowing at the point of entry and exit at India’s international internet gateways’. The web scanning centre will provide ‘actionable alerts for proactive actions’ to be taken by government departments.

All government departments will now talk to the Internet Service Providers such as Bharti Airtel, RCOM, BSNL, MTNL and Tata Communications through NCCC for real time information and data on threats.

More at Techgig