Access To Knowledge (A2K)

DIDP Request #10 - ICANN does not know how much each RIR contributes to its Budget

asvatha — 2016-07-27T14:57:00Z

In an effort to understand the relationship between the Regional Internet Registries (RIRs) and ICANN, we requested current and historical information on the contract fees paid by the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) to ICANN annually.

We acknowledged that the independently audited financial reports on ICANN’s website list the total amount from all RIRs as a lump sum.[1] However, we specifically sought a breakdown of these fees detailing contributions made by each RIR from 1999 to 2014. Not only will this information help understand the RIR-ICANN relationship, it will also be relevant to the IANA transition.

The request filed by Protyush Choudhury can be found here.

What ICANN said

According to ICANN’s response to our request, the five RIRs (AfriNIC, ARIN, APNIC, LACNIC and RIPE NCC) make a voluntary annual contribution to ICANN’s budget through the Number Resource Organization (NRO). [2] Since Financial Year 2000, this contribution has been made to ICANN as an aggregate amount without the kind of breakdown requested by us with the exception of FY03, FY04 and FY05. The breakdown of the contribution for those years is as below:

FY03: APNIC - $129,400; ARIN - $159,345; RIPE - $206,255
FY04: APNIC - $160,500; ARIN - $144,450; RIPE - $224,700; LACNIC - $5,350
FY05: APNIC - $220,976; ARIN - $218,507; RIPE - $358,086; LACNIC - $25,431

The response links back to the independent financial reports mentioned by us in the request. These reports can be found on the ICANN website here.

On closer examination of the audit reports of FY03, 04 and 05, it is clear that the information provided in their response is either incomplete or incorrect. According to KPMG’s audit report of FY03, the total contribution from Address Registries is US$535,000. The breakdown in the response adds up only to $494,600. The response does not account for the extra $40,400. If only APNIC, ARIN and RIPE contributed to ICANN in 2003, where did the other $40,400 come from? Moreover, why is it listed as an Address Registry Fee in the audit report if it was a voluntary contribution?[3]

The “Address Registry Fees” in the audit reports for FY04 and FY05 match the amounts in the response: $535,000 and $823,00 respectively. ICANN's response to our DIDP request may be found here.

For the reader’s reference, the audit reports for FY00 - FY14 are linked below:

[1] See audited financial reports: https://www.icann.org/resources/pages/governance/current-en

[2] See letter from NRO to ICANN: https://www.icann.org/en/system/files/files/akplogan-to-twomey-23mar09-en.pdf

[3]. See report for FY03 (pg 4): https://www.icann.org/en/system/files/files/financial-report-fye-30jun03-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-10-icann-does-not-know-how-much-each-rir-contributes-to-its-budget

DIDP Request #9 - Exactly how involved is ICANN in the NETmundial Initiative?

asvatha — 2016-07-27T15:53:22Z

The importance and relevance of knowing ICANN’s involvement in the NETmundial Initiative cannot be overstated.

It was reported recently that ICANN contributed US$200,000 to the Initiative.[1] Following this report, we requested the details of all expenses incurred by ICANN for NMI till date. This includes formal contributions to NMI as well as costs incurred towards travel and accommodation of ICANN board and staff to meetings relevant to the NMI discussion.

Apart from these financial details, we also requested information regarding the number of staff working on NMI from ICANN and the hours clocked by them for the same. We further specified that we would like this information to gauge ICANN’s involvement beyond its technical mandate. The request filed by Geetha Hariharan can be found here.

What ICANN said

In its response, ICANN separated the questions in the request into two categories: a) Expenses incurred by ICANN towards the NETmundial Initiative and b) Other resources (personnel and hours) allocated to the Initiative by ICANN. The first category in the request includes: formal contribution to the NETmundial Initiative; travel costs of ICANN board and staff; and costs of maintenance of other sponsored parties. The second includes the number of staff involved in the NETmundial Initiative from ICANN and the number of hours spent working on it.

To answer both, the response directs us to the Memorandum of Collaboration (MOC)[2]signed by the Brazilian Internet Steering Committee (CGI.br), ICANN and the World Economic Forum (WEF) to set up the NETmundial Initiative according to the outcome document from the initial NETmundial meeting in Sao Paulo, Brazil.

Some of the important takeaways from the MOC that are relevant to our request are the following:

Each party to the MOC agrees to pay $201,667 towards operational expenses on signature of the agreement.
Total anticipated cost of the NETmundial Initiative is $605,000 (also mentioned in the response).
Each party will assign 1 staff member to the NETmundial Initiative secretariat during the inaugural period to smoothen the process. This staff member will commit at least 50% of their time towards Secretariat work.

This information is important but it does not provide a comprehensive answer to our query. It does not, for example, answer if ICANN contributed anything more than the $201,667 the MOC specifies. It also does not tell us if ICANN allotted any staff apart from the designated secretariat member to work on NETmundial Initiative.

Further, the response states that ICANN does not keep track of costs according to the number of hours or the topic but rather according to strategic objectives. Since ICANN is not required to create a document that does not already exist to answer a DIDP enquiry,[3] we have no way of knowing the specific amount of time or money spent on the NETmundial Initiative by ICANN. The response instead directs us to the financial presentation at ICANN50 where the costs of attending the NETmundial Meeting at Sao Paulo is detailed. While this is interesting (ICANN spent $1.5 million)[4] it is not a satisfactory answer to our question.

ICANN justifies its lack of direct answers by expressing that not only is the request “overbroad", it is also “subject to the following DIDP Condition of Nondisclosure: Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; and (iii) complying with which is not feasible.”[5]

ICANN's response to our DIDP request may be found here.

[1] See McCarthy, ‘I’m Begging You To Join’ – ICANN’s NETmundial Initiative gets desperate, THE REGISTER (12 December 2014), http://www.theregister.co.uk/2014/12/12/im begging you to join netmundial initiative gets d esperate/

[2] See MOC: https://www.netmundial.org/sites/default/files/MOC-%20CGI.br,%20ICANN%20&%20WEF.pdf

[3] See Disclosure Policy: https://www.icann.org/resources/pages/didp-2012-02-25-en

[4] See ICANN50 Finance Presentation (Pg 4): https://london50.icann.org/en/schedule/thu-finance/presentation-finance-26jun14-en

[5] See ICANN conditions for non-disclosure: https://www.icann.org/resources/pages/didp-2012-02-25-en

For more details visit https://cis-india.org/internet-governance/blog/didp-request-9-exactly-how-involved-is-icann-in-the-netmundial-initiative

DIDP #34 On granular detail on ICANN's budget for policy development process

akriti — 2019-07-06T01:23:55Z

ICANN has Advisory Committees which help guide the policy recommendations that the ICANN community develops while its Supporting Organizations are charged with developing policy recommendations for a particular aspect of ICANN's operations. Supporting Organizations are composed of volunteers from the community. ICANN publishes a combined budget for all these bodies under the head of policy development and CIS inquired about the financial resources allocated to each of them specifically.

The ICANN budgets are published for public comment yet the community does not have supporting documents to illustrate how the numbers were estimated or the rationale for allocation of the resources. There is a lack of transparency when it comes to the internal budgeting.

This DIDP is concerned with the policy development budget which, as Stephanie Perrin of the Non-Commercial Stakeholder Group pointed out, was merely 5% of ICANN’s total budget, a number significantly low for a policy making organization. Thus, the information we request is a detailed breakdown for the budgets for every Advisory Council as well as Supporting Organizations for the previous fiscal year. You can find the attached request here.

For more details visit https://cis-india.org/internet-governance/blog/didp-34-on-granular-detail-on-icanns-budget-for-policy-development-process

DIDP #33 On ICANN's 2012 gTLD round auction fund

akriti — 2019-07-09T15:51:47Z

This DIDP was filed to inquire about the state of the funds ICANN received from the last gTLD auctions.

In 2012, after years of deliberation ICANN opened the application round for new top level domains and saw over 1930 applications. Since October 2013, delegation of these extensions commenced with it still going on. However, 7 years since the round was open there has been no consensus on how to utilize the funds obtained from the auctions. ICANN until its last meeting was debating on the legal mechanisms/ entities to be created who will decide on the disbursement of these funds. There is no clear information on how those funds have been maintained over the years or its treatments in terms of whether they have been set aside or invested etc. Thus, our DIDP questions ICANN on the status of these funds and can be found here.

The response to the DIDP received on 24th April, 2019 states that that even though the request asked for information, rather than documentation, our question was answered. Reiterating that the DIDP mechanism was developed to provide documentation rather than information. It stated that on 25 October 2018, Resolution 2018.10.25.23 was passed that compels the President and CEO to allocate $36 million to the Reserve Fund. The gTLD auction proceeds were allocated to separate investment accounts, and the interest accruing from the proceedings was in accordance with the new gTLD Investment Policy.

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-april-4-2019-didp-33-on-icann-s-2012-gtld-round-auction-fund

DIDP #32 On ICANN's Fellowship Program

akriti — 2018-11-12T15:58:30Z

In furtherance of its capacity building functions, ICANN selects Fellows for every public meeting. These are individuals from underserved and underrepresented communities who are trained to become active participants in the ICANN community.

These fellows are assigned a mentor and receive training on ICANN's various areas of engagement. They are also given travel assistance to attend the meeting. While the process and selection criteria is detailed on their website, CIS had some questions as to the execution of these.

Our DIDP questioned the following aspects:

Has any individual received the ICANN Fellowship more than the stated maximum limit of 3 times?
If so, whose decision and what was the justification given for awarding it the 4th time and any other times after that?
What countries did any such individuals belong to?
How many times has the limit of 3 been breached while giving fellowships?
What recording mechanisms are being used to ensure that awarding of these fellowships is kept track of, stored and updated? Are these public or privately made available anywhere?

You can access the request here.

For more details visit https://cis-india.org/internet-governance/blog/didp-31-on-icanns-fellowship-program

DIDP #31 Diversity of employees at ICANN

Akash Sriram — 2018-08-21T09:26:48Z

We have requested ICANN to disclose information pertaining to the diversity of employees based on race and citizenship.

This data is being requested to verify ICANN’s claim of being an equal opportunities employer. ICANN’s employee handbook states that they “...provide equal opportunities and are committed to the principle of equality regardless of race, colour, ethnic or national origin, religious belief, political opinion or affiliation, sex, marital status, sexual orientation, gender reassignment, age or disability.” The data on the diversity of employees based on race and nationality of their employees will depict how much they have stuck to their commitment to delivering equal opportunities to personnel in ICANN and potential employees.

The request filed by CIS can be accessed here

For more details visit https://cis-india.org/internet-governance/blog/didp-31-diversity-of-employees-at-icann

Dialogue Cafe @ Centre for Internet and Society

praskrishna — 2011-12-07T11:10:08Z

The Centre for Internet and Society announces the launch of its dialogue cafe, where every month, we approach seminal thinkers, scholars and practitioners to help explore knowledge paradigms that help us understand and research techno-social realities through innovative thought, concepts and frameworks.

The dialogue cafe draws upon different disciplines, histories, perspectives and intellectual legacies in order to respond to a seminal piece of writing that has changed, challenged and shaped the contours of interdisciplinary science and technology studies.

The dialogue cafe initiates several strands of dialogues — between critical thinkers and canonical texts, between different paradigm of knowledges that interact with digital and internet technologies, and between interlocutors located in different disciplines, to initiate critical thought/work for new and innovative research in the field of Internet and Society.

For its first brew of conversations, the Dialogue Cafe serves you...

Computation and the Humanities: Revisiting a Silent Revolution

Steve Jobs’ comments on how “technology married with liberal arts, married with the humanities” made Apple hearts sing is today widely re-circulated, but not fully comprehended. We often take this to be the mark of one man’s genius, rather than the symptom of a broader interdisciplinary history. Noted Artificial Intelligence scholar Philip Agre recalls, “When I was a graduate student in artificial intelligence, the humanities were not held in high regard. They were vague and woolly, they employed impenetrable jargons, and they engaged in "meta-level bickering that never decides anything".

What happened, in the formative decades of Jobs and Agre’s generation, to bring technology and the humanities into conversation? What have the results been, other than well-designed personal computational devices, and what is the significance for us? On December 2, 2011, the Centre for Internet and Society invites you to a Dialogue Cafe, where we engage in exploring what this all means and what kinds of labour it might take to ‘marry’ these disparate ways of knowing.

As a response to Philip Agre’s seminal essay on “Critical Technology Practice”, the cafe will begin with an exposition by Kavita Philip (University of California, Irvine), opening up into a critical response spearheaded by Cherry Matthew, and leading to a larger dialogue with the audience, exploring fault lines of interdisciplinary research and challenges of integrated technology studies.

For more background on these questions, audience is encouraged (but not required) to explore the materials at Agre’s home page http://polaris.gseis.ucla.edu/pagre/, and STSrelated links from Wikipedia’s page http://en.wikipedia.org/wiki/Science,_technology_and_society

VIDEOS

For more details visit https://cis-india.org/internet-governance/dialogue-cafe

Developing location-based services

praskrishna — 2012-02-28T09:31:50Z

For mapping enthusiasts, geeks and neogeographers in Bangalore, here's something to look forward to. Cartonama, a workshop that offers intensive hands-on training on tools to build and manage location data for location-based services, will be held in the city on March 2 and 3.

The article was published in the Hindu on February 26, 2012

This workshop, being organised by city-based tech event management firm HasGeek, is open to developers, neogeographers and entrepreneurs working on location-based services who want to understand how to use advanced tools to manage and represent their geographic data.

The workshop will be conducted by Mikel Maron and Schuyler Erle, both from the OpenStreetMap project. The event is being held at the Centre for Internet and Society in Domlur.

For more on this, log on to workshop.cartonama.com or contact sajjad@hasgeek.com

Cloud 20/20: online technical paper contest

Unisys India announced the results of Cloud 20/20 Version 3.0, the third edition of one of India's largest technical paper contests, designed to encourage innovative ideas and recognise emerging technical talent from among the country's leading engineering colleges.

Following several rigorous rounds of evaluation, the judges selected Dharmesh Kakadia from International Institute of Information Technology, Hyderabad, as the first prize winner for his entry on ‘Network Virtualisation and Cloud Computing'. The runner-ups were Sridhar S. from Anna University, Chennai, and Poornima J.R. from M.S. Ramaiah Institute of Technology.

A system to protect confidential data

Xerox and computer security firm McAfee have teamed up to design a security system to help companies protect against threats to confidential data, a release from McAfee stated.

This involves integrating embedded McAfee software into Xerox technology. The two companies plan to use a whitelisting method that allows only approved files to run, offering significantly more protection than traditional blacklisting tactics, where a user has to be aware of and proactively block viruses, spyware and other malicious software.

Additionally, the solution provides an audit trail to track and investigate the time and origin of security events, and take action on them, the release added. The companies claim that the decision to partner on this was a result of a survey commissioned by the two firms that found that 54 per cent employees in India do not follow their company's IT security policies, even fewer (33 per cent) are aware of these policies.

Automating healthcare and insurance

IT major Wipro Infotech announced that it has successfully implemented the digitisation of the Employees' State Insurance Corporation's (ESIC) Project, Panchdeep, the healthcare administration programme that automates healthcare services to over six crore beneficiaries across the country.

This is the largest e-governance programme in this sector, providing online facilities to employers and insured people for registration, payment of premium and disbursement of cash benefits.

It also automates medicare services to all insured people, and an estimated 75,000 people use this every day.

HP launches new press

Hewlett-Packard announced the launch of HP Indigo W7200 Digital Offset press for the Indian market. This has been installed at Bangalore-based printing press, the KolorKode digital press. With its robust productivity this new press offers the ability to address a wider range of long-run jobs. It will be able to deliver a broader range of jobs for a dynamic market place meeting the demands of monochrome to seven-color jobs, from spot to highlight color during a single run, without stopping or changing the settings, a press release from HP stated.

For more details visit https://cis-india.org/news/developing-location-based-services

Developer team fixed vulnerabilities in Honorable PM's app and API

pranesh — 2016-12-04T19:08:56Z

The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.

This blog post has been authored by Bhavyanshu Parasher. The original post can be read here.

What were the issues?

The main issue was how the app was communicating with the API served by narendramodi.in.

I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.
There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.
The API was still being served over HTTP instead of HTTPS.

Fixed

The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.
A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.
Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.

Detailed Vulnerability Disclosure

Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app, I would suggest you to change your password immediately. Can’t leave out a possibility of it being compromised.

Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.

The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).

Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,

They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.

Disclosure to officials

The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.

Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM

After about 30 hours of reporting the vulnerabillity

Proposed Solution

Consulted @pranesh_prakash as well regarding the issue.

After this, I mailed them a solution regarding the issues.

Discussion with developer

Received phone call from a developer. Discussed possible solutions to fix it.

The solution that I proposed could not be implemented since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that people don’t upgrade to latest versions leaving themselves vulnerable to security flaws. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.

On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. I can now confirm they have fixed all three issues.

Update 12/02/2016

This vulnerability in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.

Developer releases WannaCry key-recovery tool for Windows XP

praskrishna — 2017-06-07T01:02:12Z

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. Unfortunately, however, a new variant of the program is already in the wild.

The article by Cirilo Laguardia was published by Hoyen TV on May 20, 2017.

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them. Eternal Blue was technically created to spy on key target points that the NSA deems necessary to.

Smith says cyberweapons require a new approach, and governments must "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits".

"We're looking at many decades of building complex systems - one on top of the other - with no effort to go back to fix what we did wrong along the way", said Wendy Nather, principal security strategist at Duo Security, who has worked in security for 22 years.

And while Smith says Microsoft and other tech companies need to take the lead on combatting these widespread attacks, he highlights the shared responsibility required to protect, detect and respond to threats.

Unfortunately, numerous millions of computers now still running the 2001 operating system never received those updates because their owners refused to pay for it.

WannaCry doesn't seem to be any more virulent or more expensive than other ransomware.

Make sure that your computer is up to date with its Windows updates.

In both cases, these computer owners are the digital equivalent of medical vaccine deniers.

While businesses that failed to update Microsoft's Windows-based computer systems could be sued over lax cyber security, Microsoft itself enjoys strong immunity from lawsuits. When a user clicks on the link, their computer and the information on it is held for ransom while being used to further spread the ransomware. Without doing a thing, when WannaCry came along nearly 2 months later, the machine was protected because the exploit it targeted had already been patched.

According to the company, "customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March". These are valid explanations for using obsolete software, but they are not excuses. Unfortunately, far too few people even bother.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the United States National Security Agency, has infected over 300,000 computers since last Friday, locking up their data and demanding a ransom payment to release it. This is to prevent the ransomware from using the unprotected Windows XP unit as a gateway.

Government agencies running obsolete software is also a huge problem.

While the federal government mostly avoided WannaCry infections, its processes highlight how hard it is for large organizations to modernize.

For more details visit https://cis-india.org/internet-governance/news/hoyen-tv-may-20-2017-cirilo-laguardia-developer-releases-wanna-cry-key-recovery-tool-for-windows-xp

Details of 135 million Aadhaar card holders may have leaked, claims CIS report

praskrishna — 2017-05-20T08:42:57Z

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

The news from the Press Trust of India was published in the Hindustan Times on May 2, 2017.

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS said.

Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

“Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it cautioned.

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

“The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern,” the report added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report

Details emerge on government blockade of websites

praskrishna — 2012-08-28T09:51:01Z

Facebook pages, Twitter handles among 300 unique web addresses blocked by ISPs.

Pranesh Prakash's analysis is quoted in this article published in the Hindu on August 24, 2012.

Over the past week, the Ministry of Communications and IT has sent out orders to ISPs (Internet service providers) to block over 300 unique addresses on the Web, cracking down on websites, Facebook pages, YouTube videos and even Twitter handles, ostensibly to prevent incitement to communal tension and rioting.

But a closer look at the specific URLs (web addresses) blocked by the government has given rise to doubts whether the government may have acted high-handedly, in some instances cracking down on parody Twitter handles.

Through four orders, one issued a day from August 18 to 21, the government sent out lists of specific URLs to be blocked by the Internet service providers.

An analysis of the leaked government orders by blogger Pranesh Prakash of the Center for Internet and Society (www.cis-india.org) revealed the extent of the government missive: in specific cases, it had asked for blocking of some portions of a website — like Facebook pages or Twitter handles — and in other instances asked for entire websites.

The government orders carried no specific reasons for the blockades. But in the backdrop of the paranoia surrounding the exodus of northeast people from South Indian cities, it appears that it may have been to disallow the use of the Web for spreading information that incites communal violence and rioting.

Cyber law expert N. Vijayashankar said though the government seemed to have acted within the Rules of IT Act 2008, the onus fell on it to justify the reasons why the specific websites were blocked and dispel doubts that there may have been some political motives at least pertaining to specific sites, especially in the blocking of some parody Twitter accounts spoofing the official Twitter account of the Prime Minister’s office (@PMOIndia).

“No website can be blocked permanently. Any blocked website must be taken up for review by a committee in a span of two months,” Mr. Vijayashankar added. “But sadly the review committee does not have any public representatives. It comprises only the secretaries to government.”

If the websites had indeed been blocked considering the emergency of the situation and keeping in mind national security, then the responsibility for preparing the list falls with the Home Ministry.

“Whatever be the case, this cannot pave the way for clamping down on websites at one swipe,” Mr. Vijayashankar added.

The news about the clampdown set the social networks abuzz through Thursday. Popular humour Twitter account holder Ramesh Srivats tweeted: “Am slightly worried that some government guy will notice that all the offending sites have “http” in them, and then go ban that.”

For more details visit https://cis-india.org/news/www-the-hindu-com-aug-24-2012-details-emerge-on-govt-blockade-of-websites

Despite SC order, thousands booked under scrapped Sec 66A of IT Act

praskrishna — 2016-09-07T15:31:18Z

College student Danish Mohammed’s arrest this March under the scrapped Section 66A of the Information Technology Act for allegedly sharing a morphed picture of RSS chief Mohan Bhagwat wasn’t an exception.

The article by Aloke Tikku was published in the Hindustan Times on September 7, 2016. Sunil Abraham was quoted.

Police arrested more than 3,000 people under the section in 2015, triggering concerns that the law was abused well after it was struck down by the Supreme Court in March last year. The top court had ruled Section 66A violated the constitutional freedom of speech and expression.

The exact number of people arrested after it was scrapped is not available. But the National Crime Records Bureau’s (NCRB) Crime in India report released last month shows 3,137 arrests under the section in 2015 against 2,423 the previous year.

On an average, four people were arrested every 12 hours in 2015 as compared to three in 2014.

“I am shocked,” said Supreme Court lawyer Karuna Nundy, who represented the People’s Union for Civil Liberties, among the petitioners in Supreme Court seeking removal of Section 66A.

“Making sure that our guardians of law know their law is absolutely basic... Whether it is training or notifying every police officer, we need action on it immediately,” she said.

It is unlikely that all 3,000-plus arrests were made before the provision was struck down in March. Sunil Abraham, executive director of the Bengaluru-headquartered advocacy group Centre for Internet and Society, said it was obvious that the police had not made these arrests before the SC ruling.

Lawyer Manali Singhal said once the Supreme Court struck off a provision of law, “any arrest under that provision would be per se illegal and void”.

Police also appeared to be on an overdrive to file charge sheets against people booked before the SC verdict – in 1,500 cases last year, almost twice the 2014 figure.

NCRB statistics suggest that trials too did not end.

There were 575 people still in jail on January 1, 2016, twice as many as the 275 in prison when the law was in force a year earlier. In 2015, the courts also convicted accused in 143 cases.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act

Despite apex court order, IOC proceeds with Aadhaar-linked DBT

praskrishna — 2014-01-31T06:50:33Z

Once DBT starts, there is no other method to avail of subsidy: IOC official.

The article by Deepa Kurup was published in the Hindu on January 6, 2014. Sunil Abraham is quoted.

Despite an interim order by the Supreme Court disallowing the government from making the Aadhaar number mandatory for accessing State subsidies and benefits, Indian Oil Corporation (IOC) Ltd. continues to inform consumers that they will not get their LPG subsidy if they do not seed their Aadhaar-linked bank accounts to the IOC database.

SMSes and publicity material released by IOC in the past week indicate that the company is going ahead with the Union government’s deadlines for the Direct Benefit Transfer scheme for LPG. While the deadline for Udupi and Dharwad districts has been extended till January-end, the “grace period” for Bangalore Urban will expire on March 1.

Over the past week, LPG consumers have been receiving frequent SMSes requesting them to submit their Aadhaar number to their LPG distributor and their bank, with “no further delay”. Though the SMS does not state whether or not this is mandatory, frequent messages have been instilling a sense of urgency and panic among consumers. Further, several consumers told The Hindu that, upon enquiry, distributors had been telling them that they would have to forego their subsidy amount (for nine cylinders a year) if they failed to register their details with the IOC database. Once the DBT scheme is enforced, the IOC will migrate customers entirely to the new system — that is, consumers will have to pay the market price, and the subsidy amount will be credited to their bank accounts.

‘No other method’

Senior IOC officials said that while the oil manufacturing company was desisting from making statements on whether or not this was mandatory, in effect those whose details would not be seeded to the database would not be able to avail of the benefit. “Basically, once the DBT scheme starts there is no other method to receive or avail of the subsidy. As of now, there is no alternative method,” said R.K. Arora, executive director, Karnataka State office. He pointed out that in rural areas several other subsidies were already linked to Aadhaar, and the DBT scheme was at 100 per cent in Tumkur and Mysore districts.

As of January 1, an IOC official said, only 30 per cent of LPG consumers in the Bangalore Circle had ‘seeded’ their accounts to the IOC database, while in Udupi and Dharwad it was roughly around 50 per cent.

“We are not claiming it’s mandatory, and currently all companies have submitted an affidavit seeking the order be reconsidered. Meanwhile, we have just asked people to submit the details to the distributor as soon as they can,” the official said. He added that IOC was likely to keep extending the deadline to “be on the safe side”.

Meanwhile, there is confusion among consumers on the issue. Krishnan Pillai, a resident of R.T. Nagar here, said Aadhaar numbers were being delayed, and there was huge anxiety among people. “Last week, I saw an advertisement that implied that I will lose subsidy if I don’t submit my number. Is the Supreme Court verdict not applicable?” he said. Sumitra Gupta, a charted accountant from Majestic, said distributors were telling them to “ignore news report on the Supreme Court verdict”.

“This is arm twisting,” she said.

‘So-called voluntary’

Sunil Abraham of the Centre for Internet and Society, a Bangalore-based NGO that has been part of the anti-Aadhaar campaign, said IOC was “pushing the boundary”. “From the very beginning, people have been objecting to the so-called voluntary nature of the scheme. It’s unfortunate that the will of the Supreme Court in its interim order on such as a critical component of our citizenship is also being ignored,” he said.

For more details visit https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt

DesiSec: Episode 1 - Film Release and Screening

purba — 2013-12-17T08:13:32Z

The Centre for Internet and Society is pleased to to announce the release of the first documentary film on cybersecurity in India - DesiSec. We hope you can join us for a special screening of the first episode of DesiSec, on 11th December, at CIS!

Early 2013, the Centre for Internet and Society began shooting its first documentary film project. After months of researching and interviewing activists and experts, CIS is thrilled to announce the release of the first documentary film on cybersecurity in India - DesiSec: Cybersecurity and Civi Society in India.

Trailer link: http://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer

CIS is hosting a special screening of DesiSec: Episode 1 on 11th December, 2013, 6 pm and invites you to this event. The first episode is centered around the issue of privacy and surveillance in cyber space and how it affects Indian society.

We look forward to seeing you there!

RSVP: purba@cis-india.org

Venue: http://osm.org/go/yy4fIjrQL?m=

This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.

For more details visit https://cis-india.org/internet-governance/desisec-episode-1-film-release-and-screening