Access To Knowledge (A2K)

Data Privacy Forum

Admin — 2018-03-01T01:31:56Z

Amber Sinha took part in the Data Privacy Forum organized by the Asian Business Law Institute on February 7, 2018. The forum was held at the Supreme Court of Singapore.

The forum was organised to discuss the findings of a compendium of country reports on cross border data flow regulations in countries from Asia and Australia, and the way forward. The forum had attendance from 18 countries and had about 90 participants. Elonnai Hickok and Amber Sinha were the reporters for India. Amber was a speaker on the first panel on “Adoption and reform of data protection laws in Asia: how legal systems adapt to global developments and regulatory competition”.

Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-forum

Data Privacy Day 2016

praskrishna — 2016-01-29T15:34:18Z

The Bangalore chapter of Data Privacy Day was organized by Data Security Council of India on January 28, 2016 at Electronic City in Bangalore. Sunil Abraham was a panelist.

Agenda

For more details visit https://cis-india.org/internet-governance/news/data-privacy-day-2016

Data Privacy Day 2014

praskrishna — 2014-02-04T05:34:59Z

January 28 is annually celebrated as Data Privacy Day (DPD). Data Security Council of India (DSCI) organized the annual meeting J N Tata Hall, Bldg 1, Infosys Campus, Infosys Ltd., Electronics City, Bangalore. Elonnai Hickok was a panelist.

Programme Details

2:30 - 3:00 p.m.: Keynote address by Srinath Batni, Member of the Board, Infosys
3:00 - 4:30 p.m.: Panel Discussion on "Privacy today and tomorrow in Indian and Global Context"

Panelists:

M D Sharath, Deputy Superintendent of Police, Cyber Crimes Division, CID Headquarters, Karnataka Police
Srinivas Poosarla, Associate Vice President and Head (Global), Privacy & Data Protection, Infosys Ltd
Joshi Joseph, Senior Information Risk Manager, ING Vyasa Bank
Na.Vijayashankar (Naavi), Information Assurance Consultant
Elonnai Hickok, Policy & Advocacy Associate, Centre for Internet & Society (CIS)

IT Product / Internet services company

Panel will be moderated by Rahul Jain, Principal Consultant, DSCI

4:30- 5:00 p.m.: Presentation on Privacy by Rahul Jain, Principal Consultant, DSCI
5:00- 5:30 p.m.: High Tea

For more info on the event see here.

For more details visit https://cis-india.org/news/data-privacy-day-2014

Data Privacy and Citizen's Rights' Symposium Report

Admin — 2019-04-05T02:24:09Z

The Technology Law Forum at the National Academy of Legal Studies and Research (NALSAR) has published the Report on Data Privacy and Citizen's Rights' Symposium.

This report is a compilation of all the speakers' speeches during the panel discussion. Shweta Mohandas was one of the eight speakers at the panel and the excerpts from her presentation has also been covered in this report. Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-and-citizens-rights-symposium-report

Data politics: BJP, Congress in spat over sharing app data without users’ consent

Admin — 2018-04-18T00:51:15Z

Congress took down its WithINC app after facing allegations of sharing user data, a day after it accused BJP of doing the same with the NaMo app.

The article by Komal Gupta was published in Livemint on March 26, 2018. Pranesh Prakash was quoted.

An app war has broken out between the Congress party and the ruling Bharatiya Janata Party (BJP)—appropriately on Twitter.

Fought in the shadow of the global storm on data leaks from Facebook and Cambridge Analytica, the two Indian parties accused each other of sharing user data with third parties collected without the users’ consent.

The Congress on Monday took down its app—WithINC —after facing allegations of sharing user data with servers in Singapore. However, the party has claimed it was forced to remove the app as the wrong URL was being circulated and people were being misled.

Congress president Rahul Gandhi took to Twitter after an anonymous French security expert claimed that Prime Minister Narendra Modi’s NaMo app was sending user data to a third-party website without user consent.

“Modi misusing PM position to build personal database with data on millions of Indians via the NaMo App promoted by Govt. If as PM he wants to use tech to communicate with India, no problem. But use the official PMO APP for it. This data belongs to India, not Modi,” Gandhi tweeted on Monday.

WithINC is the official app of the Congress to allow users to connect with the party through regular updates from various social media and news channels. “It also allows you to apply for membership of the INC by completing all steps of the INC membership process,” a descriptor on Google Play Store says.

Information and broadcasting minister Smriti Irani on Monday tweeted, “Now that we’re talking tech, would you care to answer Rahul Gandhi ji why Congress sends data to Singapore Servers which can be accessed by any Tom, Dick and Analytica?”

Trashing BJP’s allegations, Congress’ social media head Divya Spandana claimed that the membership page on the Congress app had been defunct for a while. “We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates. We collect data for membership and this is through our website, this is encrypted,” Spandana tweeted on Monday.

The NaMo app is designed to ensure that users do not have access to any data other than their own, a government official said on Sunday, requesting anonymity. Data entered by any user is used for analytics using third-party service, similar to Google Analytics, said the official.

“Apps ought to request the minimum of a phone’s functionality. They should evaluate the data they need, collect as little as needed, and clearly state what use they will make of the data,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

“The Narendra Modi app, quite famously, provided unrestricted access to the personal data of more than 5 million users,” Prakash added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-26-2018-data-politics-bjp-congress-in-spat-over-sharing-app-data-without-users-consent

Data localisation may pinch startups, payments firms

Admin — 2018-07-29T07:22:30Z

The draft Data Protection Bill is likely to have significant impact on how companies and startups use customer data, particularly as it would increase costs and make it difficult for them to take data outside the country.

The article by Mugdha Variyar and Pratik Bhakta was published in Economic Times on July 28, 2018. Sunil Abraham was quoted.

It is also likely to bring more financial companies, aside from only payments companies, under the ambit of data localisation by categorising all financial data as sensitive personal data. Data localisation has been a point of contention between the Reserve Bank and payment companies.

The draft bill prescribes strict restrictions on how much personal data a company or any data fiduciary can collect and how they can use the data. It also says companies cannot make the provision of any goods or services or the quality or performance of any contract conditional on acquiring consent to process personal data not necessary for that purpose.

Experts say this will put an end to the 'take it or leave it' contracts that several companies often demand from customers.

“This is basically a provision to deal with non-negotiable contracts, wherein the data controller uses its market power to force people to give up personal data,” said Sunil Abraham, executive director of the Centre for Internet and Society, a think tank. “This recommendation makes it clear that ‘take it or leave it’
contracts can only insist on data that is necessary for the service or product being provided.”

On data localisation, the draft bill states that every data fiduciary shall ensure the storage of at least one serving copy of personal data on a server or data centre located in India. While this allows for data mirroring—or the storage of data both abroad and in India—it could make it difficult for companies to take
data outside the country, said Subho Ray, president of the Internet and Mobile Association of India.

This is because the draft bill states that the government can notify categories of personal data as critical personal data that can only be processed in a server or data centre located in India.

“Though there is no clarity yet on critical personal data, there is a strong chance that financial data could be classified as critical data and players dealing with financial data could be mandated to keep data within India only,” said Vivek Belgavi, fintech partner at PwC.

Under the bill, all financial data, including personal data used to identify an account opened by, or card or payment instrument issued by a financial institution, or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history, has been classified as sensitive personal data.

Credit scoring, lending and insurance companies could also be impacted, said an industry member on condition of anonymity. Abraham said that while crossborder data may be allowed for certain cases, it will include liability on the entity. This move will increase costs for companies as they will have to necessarily store data within the country, as per the experts.

For more details visit https://cis-india.org/internet-governance/news/economic-times-july-28-2018-mugdha-variyar-and-pratik-bhakta-data-localisation-may-pinch-startups-payments-firms

Data leaks could wreak havoc in India, so why aren’t they an issue this election?

Aria Thaker — 2019-04-12T01:40:58Z

India’s government leaks data like a sieve, and it’s putting people at risk.

The article by Aria Thaker was published in Quartz India on April 4, 2019. Karan Saini was quoted.

The latest instance was reported on April 01, when technology website ZDNet reported that an Indian government agency had left sensitive medical records of 12.5 million pregnant women online, in a database that wasn’t even password protected.

This is only the latest in a slew of dozens of data leaks and cybersecurity lapses that have plagued the Indian government over the past few years. These have occurred despite—or in part, because of—prime minister Narendra Modi’s aggressive push towards “Digital India.”

Sloppy digitisation efforts and a lack of capacity in cybersecurity issues have caused so many leaks that they seem almost routine by now. Even the one reported by ZDNet, large and grievous as it is, has received little coverage in the mainstream media so far.

“This issue has to be an election priority—the focus on privacy and protection of citizen data,” Raman Chima, policy director at digital-rights organisation Access Now, told Quartz. But as India’s general election approaches, the near silence from politicians on these issues is deafening.

Endangering pregnant women and children

ZDNet reported that a database of medical records from 12.5 million pregnant women was left available online by the department of medical, health and family welfare of a northern Indian state. It does not name the state since the server is still available online, though the medical records have finally been removed, almost a month after security researcher Bob Diachenko contacted the department.

The information in this database was extremely sensitive, including patients’ names, contact details, disease information, pregnancy status and complications, and procedures, such as abortions, that they have undergone.

This wasn’t the first such data leak incident involving the government—nor even the first involving pregnant women.

“This could lead to significant bodily harms to a woman in a context where abortions, especially for unmarried women, are heavily stigmatised,” said Ambika Tandon, a policy officer who researches gender and tech issues for the think tank Centre for Internet and Society (CIS). Women who seek abortions or sensitive procedures “may resort to unsafe abortions at facilities that are not registered for fear of their personal information or physical and informational privacy being compromised,” Tandon said.

Yet this wasn’t the first such incident involving the government—nor even the first involving pregnant women.

Aadhaar and beyond

Aadhaar, the 12-digit personal identification number from India’s controversial, biometrics-backed database, has often been at the centre of previous such leaks in India. Much like a the social security number in the US, it is a sensitive piece of information as it helps identify individuals and is often linked to other government and financial services one uses.

Here’s a look at just a handful of the most prominent leaks, breaches, and vulnerabilities involving Aadhaar:

May 2017: Around 130 million individuals have their Aadhaar numbers, banking details, and more leaked on four government websites
January 2018: A reporter of The Tribune newspaper pays Rs500 ($7) to access a portal with demographic data from every Aadhaar holder in the country
March 2018: State-owned gas company Indane leaks private dataof its customers and all Aadhaar holders
April 2018: Andhra Pradesh leaks medical records of over 2 million pregnant women, as well as their Aadhaar numbers and contact details
June 2018: An unsecured Aadhaar API on over 70 subdomains of a government website allows anyone to access demographic-authentication services
July 2018: Data of 250,000 students taking a government medical entrance exam is leaked and sold online
January 2019: The State Bank of India, the country’s largest bank, leaks financial data of millions customers
February 2019: Indane strikes again. Aadhaar data of nearly 6.7 million dealers and distributors of the state-owned gas company is exposed on its dealers portal

This list is far from comprehensive. Aadhaar-related leaks alone comprise at least 37 such cases, which can be found listed on Indian tech site Medianama. These include instances of many state and central departments publishing Aadhaar numbers next to banking details, or even instances of colour photocopies of Aadhaar cards being published online.

Government entities, especially the Unique Identification Authority of India (UIDAI), which administers Aadhaar, have been known to take a long time—sometimes even months—to respond to leaks. Worse, they have often hounded journalists and whistleblowers raising awareness about these incidents. For instance, the UIDAI filed a police case against The Tribune’s reporter and, weeks later, the newspaper’s editor stepped down. CIS, which published the report about 130 million Aadhaar records being exposed, received a legal notice from the UIDAI.

Why do leaks happen?

India’s government agencies are undergoing rapid digitisation.

“There’s been a particular focus over the past few years to aggregate (data) from different databases that might normally exist in one area, or one scheme, and bring them together to one master spreadsheet,” said Chima of Access Now. “As a result of this, a lot of data is being collected in a few places and (the government) is not doing enough thinking…as to how to control and think about cybersecurity.”

Besides, government departments face major personnel and training issues in matters of cybersecurity.

“Most of the officials who collect information do not know about security practices, and they don’t really understand the challenges involved,” said Srinivas Kodali, a cybersecurity researcher who has uncovered many government leaks. “They think it’s normal data—they don’t understand the privacy implications of it.”

Beyond this, a lack of resources holds government bodies back from protecting user data. “Indian government departments require an increase in skill and resources to deal with information security,” said Karan Saini, a security researcher and policy officer at CIS, who has also reported leaks and vulnerabilities.

A lack of comprehensive privacy regulation exacerbates the problem. India does not currently have a data-protection law. A draft bill was put forth by the electronics and IT ministry last year, but it has been criticised by many for being too lenient on government institutions who handle citizen data.

How leaks and lapses endanger democracy

The issue of data leaks is deeply tied to one of the core threats to democracy today—voter microtargeting, which often takes the form of parties conveying conflicting messages to different social groups, in their attempts to get elected. Such targeting has been under the global spotlight since 2016, after secretive firm Cambridge Analytica reportedly used it in Donald Trump’s presidential campaign.

In India, “there’s a lot of these datasets of sensitive data about citizens available, which may have electoral implications in terms of how it affects people’s desire to vote, and the ability of parties to influence or micro-target them,” Chima said.

Parties have already demonstrated an appetite for citizen data. Modi’s Bharatiya Janata Party has already been known to target voters based on data such as electricity bills, which are thought to reveal a voter’s socioeconomic standing.

State-held data could be abused by politicians, especially those currently in power, to target or profile voters.

Now Aadhaar has come into the picture as well, with the government attempting, in a failed project, to link the biometrics-backed ID number with citizens’ voter ID numbers. The project was discontinued in 2015, but concerns remain about the way the data was collected, with ground reports suggesting that reams of documents are still floating in government offices and private homes. It has also been suggested that the lapsed linking project resulted in the disenfranchisement of millions, due to an opaque algorithm it used.

Worries abound that existing state-held data could be abused by politicians, especially those currently in power, to target or profile voters. State resident data hubs (SRDH), which use Aadhaar to log full profiles of individuals, including the government schemes they avail, have come under the scanner for being particularly dangerous for profiling.

Reports have already suggested the occurrence of such data being used for political gain. An app used by a leading party in Andhra Pradesh has been accused of using stolen state data to profile voters based on caste, though the party denied this.

A government or political actor’s access to state repositories of data, which might be aided by data leaks, could be a truly sinister political tool that sways an election.

For more details visit https://cis-india.org/internet-governance/news/quartz-india-aria-thaker-april-4-2019-data-leaks-and-cybersecurity-should-be-an-election-issue-in-india

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india

Data in the open makes it easy for cyber criminals

Admin — 2017-07-29T02:40:05Z

With data of about 10 crore bank accounts available in the public domain, it has become easy for cyber criminals to steal money. What makes detection of such crimes tough is the lack of convergence between various departments and sectors.

The article by Kiran Parashar KM was published in the New Indian Express on July 26, 2017. Pranesh Prakash was quoted.

A recent report of Centre for Internet and Society-India suggests that data of 10 crore bank accounts is available in the public domain. It points out that the availability of Aadhaar numbers along with bank accounts and phone numbers increases the risk of financial fraud. Social engineering is often used to find out details of bank accounts, credit card numbers and passwords to steal money.
Investigating officials say once a victim files a complaint, they seek information from banks and many times, private banks don’t even reply.

“Also, we also have observed there are a lot of loopholes in the banking system. Banks outsource credit/debit card issuance and maintenance to agencies who follow security protocols. In many cases, insiders helped in sharing information,” a police officer said.

Nilesh Jain, Country Manager — (India and SAARC), Trend Micro, which provides cyber security solutions, says, “With more people using online transactions, there is a growing number of hackers. Most ATMs are on the legacy operating system of Windows. Banks have started realising that there are malwares designed to attack ATMs.With RBI mandating that banks should report security attacks within six hours, hackers will no longer get an upper hand.”

Pranesh Prakash, Policy Director at the Centre for Internet and Society, says, “There are many ways bank customers can safeguard themselves: using a browser-based password manager, and by never entering their banking username on any site other than their bank (which they should confirm via web address). Banks should offer a form of multi-factor authentication called “universal 2nd factor” (U2F) which prevents fraud in the form of man-in-the-middle attacks by phishing websites. Unless banks roll out U2F, they should refund any losses a customer faces due to fraud.

Case studies

June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd filed a police complaint that Know Your Customer data of customers was compromised.

May 2016
A US couple were cheated of D6 lakh in just two hours where criminals used their bank data and shopped online.

January 2016
Seven people from Telangana, including an Axis Bank deputy manager, were held in Bengaluru for allegedly hacking into people’s bank accounts using mobile banking apps and stealing money.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-july-26-2017-data-in-the-open-makes-it-easy-for-cyber-criminals

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

Data Empowerment And Protection Architecture (DEPA) Workshop

Admin — 2019-05-28T02:15:14Z

On 18 May 2019 Pranav Manjesh Bidare attended a workshop on the Data Empowerment And Protection Architecture (DEPA) organised by the iSPIRT Foundation.

The workshop provided an introduction to the planned architecture for licensed account aggregators that are a part of the rollout of DEPA across the finance and telecom sectors. This account aggregator infrastructure aims to enable users to access their data more easily, and also enable them to manage consent concerning the sharing of their data. For more details see here.

For more details visit https://cis-india.org/internet-governance/news/data-empowerment-and-protection-architecture-depa-workshop

Data Breach: How will the biggest scandal that Facebook is mired in affect its credibility in India?

Admin — 2018-03-27T02:09:41Z

Facebook has not been able to catch a break lately.

The article by G. Seetharaman and Shephali Bhatt with additional inputs by Indulekha Aravind was published in the Economic Times on March 26, 2018. Sunil Abraham was quoted.

Rebuked for the misinformation spread on its platform by Russian agencies during the 2016 US presidential election, aiding Donald Trump’s victory, Facebook was on the defensive for most of 2017. Making matters worse for the Menlo Park, California-headquartered social media behemoth, another one of its past oversights has now come back to haunt it in what is undoubtedly its biggest public relations challenge.

Reports by the New York Times and the Observer of London on March 17 disclosed that a researcher linked to Cambridge Analytica (CA), a political consulting firm that worked on Trump’s campaign, had accessed details of 50 million Facebook users unbeknownst to them and shared it with CA, which uses online data to reach voters on social media with personalised messages. The reports were based on revelations by whistle-blower Christopher Wylie, who had worked with CA.

This is how it unfolded: in 2014, CA hired Aleksandr Kogan, a Soviet-born American citizen, to mine data on US voters on Facebook, through a personality quiz app. It was downloaded by 2,70,000 users, who logged in with their Facebook credentials. That enabled Kogan to access not just their data on Facebook, but also their friends’ profiles. Facebook says Kogan lied that the data was only for his research, while there was a commercial element to it as CA paid for the app. It is unclear at this point how exactly the data was used or whether it was effective.

In 2015, Facebook removed his app and sought an assurance from him that the data had been destroyed. But it later found out that the information had been passed on to CA. Facebook has since stopped apps from accessing information about a user’s friends and has even limited the data that can be collected about the user.

While the broad details of the issue have been known since 2015, the sheer number of accounts that were compromised was not known till now and has led to calls for Facebook to be deleted, with #DeleteFacebook trending on Twitter. The company, one of the world’s most valuable public companies, has shed $75 billion, or 14% of its market value, since March 16.

As Facebook spends the next few months trying to convince its users that their data is safe, India will be crucial to their plans. India is, after all, its largest market, with 250 million monthly active users, 12% of its global base, according to recent data by We Are Social and Hootsuite, firms involved in social media marketing and management, respectively.

There are other reasons why India is important to Facebook: WhatsApp, the country’s chat app of choice, has 200 million users, again more than any other market, and Instagram has 53 million. Both these apps are owned by Facebook, giving the company an outsize role in how Indians communicate.

Facebook will only grow as smartphone and internet adoption grows — India is set to add 100 million internet users and 250 million smartphone users by 2020. But at the same time, it has to deal with those wondering whether they should sign up or continue being on the network.

Soumya Sinha, a 32-year-old data consultant in Delhi, says FB is quite passive-aggressive when it comes to data. “It gives you a lot of privacy options, makes you feel you are in control of your wall, but buries an ‘unless you don’t want to share’ option at the bottom,” he says. “If you don’t opt out, it assumes you are happy to share. Even if you do, you can never be sure the non-consensual sharing has stopped.”

Privacy controls — not just on Facebook but on social media platforms in general — are not easy to find and even the most tech-savvy have a hard time ensuring the accounts are as secure as they can possibly be. “Indians are very liberal with others accessing their data. A lot of other accounts are linked to my FB account. Who knows which one of them will provide my data to others?” says Prateek Kharangar, a 30-year-old doctor in Rajasthan.

Mark Zuckerberg, Facebook’s billionaire chief executive, issued a statement on March 21 admitting that Facebook had made mistakes. He added that Facebook would do a thorough audit of suspicious apps and make its privacy policy stricter by limiting the user information it shares with third-party apps.

Facebook will also revoke permission to apps that a user has not accessed for three months and show an option at the top of the news feed, allowing users to do the same. Zuckerberg also said in a subsequent interview to the New York Times that Facebook would let concerned users know about the CA debacle. Questions sent by ET Magazine to Facebook India went unanswered. The US Federal Trade Commission and the European Union are also scrutinising the issue.

Protect Data
Facebook has faced criticism in the past, including about its facial recognition software In India, it was badly bruised in its fight against net neutrality. Its Free Basics campaign tried to push free access to a few websites, including its own, in partnership with telcos, but the telecom regulator in February 2016 ruled in favour of net neutrality. Sunil Abraham, executive director of the Centre for Internet and Society, believes sites like Facebook should periodically inform users about the data the apps have access to. “Facebook should also ask you every quarter if you want to revoke permission. It’s required in countries where users are naive, unaware and incapable of protecting their own interests.”

Many experts call for more transparency and clarity. Nayantara Ranganathan, programme manager at the Internet Democracy Project, says privacy policies are tweaked constantly and the changes the companies want us to know about are conveyed through blog posts and such, while there may be changes that we may not be aware of. Nikhil Pahwa, cofounder, Internet Freedom Foundation, says the process of notifying users of changes in terms and conditions needs to be improved. “So often, T&Cs are changed and the company just sends a generic mail to all its users. If they don’t respond, it is assumed they have agreed to the changes. That needs to change.” Some believe online consent agreements are being simplified.

While there have been calls for the privacy notice to be in local languages too, Rama Vedashree, CEO of Data Security Council of India, says that in markets like India, where millions are just being introduced to the internet, websites may have to look at pictorial representations to explain how user data will be used by third-party developers. Regardless of how intelligible tech companies make their privacy policy documents, given the number of websites we use, it is impossible to read every site’s terms. That is where a stringent law becomes necessary. “We don’t have a robust legal framework that acts swiftly, permits class action lawsuits and awards damages in tune with the harm incurred,” says Mishi Choudhary, legal director at the Software Freedom Law Center.

WHY FB CAN'T TAKE DATA SECURITY LIGHTLY IN INDIA

Source: Facebook, WhatsApp, We Are Social and Hootsuite, Ministry of Communications, Internet and Mobile Association of India

Abraham says presently only data security is covered under the Information Technology Act, 2000. “A mere infringement of your privacy without financial loss does not allow you to seek remedy.” However, India could have a data protection law sooner than later. A committee was appointed by the government last year to come up with a draft law, an important part of which will be a data protection authority. The Supreme Court, in a landmark ruling last year in a case related to Aadhaar, said privacy is a fundamental right.

The European Union’s General Data Protection Regulation (GDPR), which will come into effect in May, could be emulated in countries, including India. It makes tech companies more accountable for the privacy of those who use their services and has penalties up to £20 million, or 4% of the errant company’s global annual revenues, whichever is higher. This forced Facebook to put all of its privacy settings in one place in January.

“India must go further than Europe did with its General Data Protection Regulation, which requires companies to get unambiguous consent from users to collect data, to clearly disclose how personal data are being used, and to spell out why data is being collected. It must also ban any form of political advertising and the sale of data to third parties,” wrote Vivek Wadhwa, a tech entrepreneur and academic, in a column in ET on Friday.

In light of this controversy, there will be pressure on the government to hasten the process of introducing a data protection law, accompanied by a regulator. It is likely the draft document will draw on the European regulation. “The more we adopt from EU GDPR, the better,” says Pahwa, adding that users should also have the right to removal of personal data.

Ravi Shankar Prasad, India’s IT and law minister, has warned Facebook of stringent action if it is found influencing elections “through undesirable means”. The Indian government on Friday issued a notice to Cambridge Analytica asking if any entities engaged its services to harvest data of Indian Facebook users.

India could also take a leaf out of Germany’s playbook while enforcing data protection, especially if it involves tech companies that dominate the segment they operate in, like Google in search and Facebook in social media. Germany’s competition watchdog in December accused Facebook of abusing its dominant position to get users’ consent to access their data from third-party websites. The Competition Commission of India in February imposed a penalty of `136 crore on Google for abusing its dominant position in search to create a bias to favour its own services.

Messing Up Elections?
The ongoing controversy has been exacerbated by the fact that besides data privacy, electoral politics is at the centre of the issue. CA dug itself into a deeper hole when footage emerged of a UK television channel’s sting operation, in which the company’s top officials talk about using bribes and women to entrap their clients’ political opponents. CA has since suspended its chief executive, Alexander Nix, who was in the video. CA is partly funded by conservative US billionaire Robert Mercer, and Trump’s former White House chief strategist Stephen Bannon served on its board.

The issue has had political ramifications in India, with both the ruling Bharatiya Janata Party and opposition Congress trading charges about each other’s association with CA. The BJP has attacked the Congress by quoting news reports of talks between CA and the Congress ahead of the 2019 general election, while the Congress has hit back with a reference to the 2010 Bihar election on the CA website. The company claims that it worked on the Bihar election, reportedly through its parent Strategic Communication Laboratories, by identifying swing voters.

“Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won,” says the website. The JD(U)-BJP combine was the victorious coalition. Interestingly, the company’s India partner, Ovleno Business Intelligence, is run by Amrish Tyagi, son of JD(U) leader KC Tyagi. When contacted by ET Magazine, Amrish Tyagi declined to comment. Both the Congress and the BJP have denied any ties to CA.

“We have been on social media as long as social media was around and we have always been ethical in our conduct,” says Amit Malviya, head of BJP’s IT Cell. Divya Spandana, who heads the social media team for the Congress, says the party does not engage external agencies. “We only use data with the consent of the individual, emails are subscribed to and WhatsApp is through people who have signed up to receive messages.” The BJP made good use of social media in its 2014 campaign, and Prime Minister Narendra Modi and most of his cabinet are quite active on Twitter.

Facebook, Twitter and WhatsApp will play an even bigger role in the upcoming assembly polls and the 2019 general election, WhatsApp perhaps more so than the other two, given its popularity and user engagement. “What makes WhatsApp worse than Facebook is Facebook knows what’s being sent around (on its platform). If it comes up with a fake news mitigation strategy, it might work. WhatsApp doesn’t know what’s being sent on its platform,” says Abraham.

In his New York Times interview, Zuckerberg said that after the US presidential election, Facebook developed artificial intelligence tools to identify fake accounts and fake news, which were deployed during the French presidential polls in 2017. “This is a massive focus for us to make sure we’re dialed in for not only the 2018 elections in the US, but the Indian elections, the Brazilian elections, and a number of other elections that are going on this year that are really important,” he was quoted as saying. Both government authorities and the Election Commission of India will keep a close watch on how social media is used in poll campaigns.

While things do not look up for Facebook in the immediate future, some think it will get past the issue. Vineet Sehgal, chief marketing officer of Quikr, says while marketers will take a hard look at Facebook, the company will act swiftly to change its policies.

"There is too much at stake." More and more Indians are using social media, in addition to searching for information on the internet, buying things on ecommerce sites, booking app-based cabs, and making payments and transfers on online payment platforms. They will also buy more devices, including wearables and smart speakers, which gather large amounts of data. So naturally, it is imperative that the sanctity of that data become a top priority for tech companies, consumers and the government. "The emphasis of any (data protection) law needs to be protecting people, not data. Our legislators should ask about relationships of all entities with social media and data analytics companies," says Choudhary of Software Freedom Law Center.

For more details visit https://cis-india.org/internet-governance/news/economic-times-g-seetharaman-shephali-bhatt-march-25-2018-data-breach-how-will-the-biggest-scandal-that-facebook-is-mired-in-affect-its-credibility-in-india

Dark waders

praskrishna — 2011-04-20T05:22:10Z

Akhila Seetharaman finds out why a group of artists and researchers are preoccupied with chasing shadows. This article was published in Time Out Bengaluru, Vol. 3, Issue 20, April 15 - 28, 2011.

The New Bharat Brass Band from Kalasipalayam performed an unusual ditty at the Chitrakala Parishat last month. In a typical concert, the band plays raucous renditions of the latest hit Hindi film songs, but the music at this gig had its origin in a database of photographs of the city. These images had been taken by a group of student-artists, who converted the visual data into binary codes of 0s and 1s, and then transcribed the codes into musical notation, which they asked the band to perform. The result: strange, random, almost robotic music which represented a uniquely distilled experience of the city, peppered with the band’s characteristic filmy flourishes.

This performance was one among the several experimental art projects developed by participants as part of the Space the Final Frontier project, an initiative by the Dutch Art Institute and Centre for Experimental Media Arts at Srishti School of Art, Design and Technology to get students to – as described in a introduction to the project – articulate “spaces of flux” and “index the shadow worlds” of the city.

“When we speak about mapping the city, we immediately think in terms of physical geography. We don’t usually approach it in an aesthetic or theoretical way,” said Deepak DL, an art student from Chitrakala Parishat who participated in the two-week programme. His group chose to map shadow sounds – birds, buses on the street, sounds from a bar, and pressure cookers whistling in homes – piecing together an aural landscape of the city. “This project was about mapping the non-spaces. For instance when you go to a restaurant, you rarely see what’s going on behind the wall in the kitchen. We tried to do just that using sound,” said Deepak.

“Wherever there is light, there is also shadow. For all the spaces getting attention, there are many more spaces not getting attention, but surviving and often thriving,” said Prayas Abhinav, faculty member and researcher at CEMA and one of the organisers of Space the Final Frontier. In collaboration with Renée Ridgeway, founder of an online platform for art activities called n.e.w.s., and a third collaborator Stephen Wright, Abhinav is currently working on a book which examines the distribution of human attention in the art world, based on a concept known as “attention economy”.

The trio’s fascination with the theme also led them to hunt for shadow art activities on the internet. In the course of their search they found themselves wondering how to find art online without necessarily limiting themselves to work that described itself as “art”. For Abhinav and his colleagues this became more than a technical problem, since search engines assume that users are looking for what others are looking for and throw up the most popular or valid entries first, leaving the vast majority of less popular entries in the shadow. “Lesser known artists don’t refer to themselves as ‘lesser known artists’, so finding them online via Google isn’t all that easy,” said Abhinav. “Everyone is operating in the same space with established hierarchies. Shadows exist, but how do we look for them?”

“In the 1990s we used to have a culture of community web sites that looked really bad, but were thriving hubs,” said Abhinav. He pointed out that over the decade, with the advent of search engines, the larger databases gained priority among users. To democratise search results, Abhinav and Ridgeway, along with the Centre for Internet and Society, launched the Shadow Search Project with an open call for entries in early 2010 to find an algorithm that could bring up entries that otherwise exist under the radar, through search.

“If the new currency is attention – that is, if users are supposed to pay not money but time –, certain kinds of priorities are set up and vast amounts of information will always remain invisible,” said Nishant Shah, researcher at the Centre for Internet and Society. The Shadow Search Project is intended to serve as a platform to look for these shadows and give them visibility.

The winning entry, a search engine called Narcissus, which will be demonstrated this fortnight, takes the search results of a regular search engine like Google and reverses it, such that the user gets the last page first. “The least popular results come up first, and as those become more popular, the new least popular results come up. This continues in a cyclical manner,” said Ridgeway.

Data gathered and indexed by students during the Space the Final Frontier programme will be used to test the Narcissus algorithm. “If one of the strengths of the Internet is serendipity – stumbling upon a small, but great find by chance – the idea of a search engine plug in like Narcissus that scrambles Google results and presents it in a democratic manner, definitely has appeal,” said Shah.

Read the original in Time Out Bengaluru here

For more details visit https://cis-india.org/news/chasing-shadows

Dark days for the creative class in India: Siddiqui

praskrishna — 2014-02-17T09:14:43Z

As India’s literacy rate improves, governments, courts, media, publishers and big business are all stifling free speech.

Haroon Siddiqui's article was published in thestar.com on February 16, 2014. Pranesh Prakash is quoted.

In contrast to North America and Europe, India’s book publishers, newspapers and TV/radio stations are doing well, thanks to a rising literacy rate and a growing middle class. Authors, artists, journalists and filmmakers are enjoying big audiences and relatively good paycheques. Yet, paradoxically, free speech has never been so imperilled in the world’s largest democracy, for several reasons.

Governments are using colonial-era laws to stifle free speech. The lower courts and police are caving in to religious bigots who demand bans on what they don’t want to see and hear. Vigilante groups are using goon tactics to intimidate the creative class. Big business is slapping lawsuits and creating libel chill. Publishing houses are capitulating to legal, political and economic pressure. The media are too busy mollycoddling governments and advertisers to stand up for free speech.

Legal framework

The constitution guarantees free speech but, as in Canada and several European nations, it also imposes “reasonable restrictions” to maintain peace and public order. The Supreme Court has set a high bar for imposing any restrictions, yet both the federal and state governments routinely shut down anything that might flare communal riots, especially between Hindus and Muslims — a real and ever-present danger. Politicians don’t want blood on their hands to uphold the right of a preening writer to poke people in the eye. Critics counter that the political class doesn’t really care for intellectual freedom.

Libel and defamation laws criminalize speech and prescribe jail terms. This, again, is not much different than, say, the Canadian Criminal Code, under which those convicted of hate speech may be jailed for up to three years. (That’s what we are left with after the Stephen Harper Conservatives axed the civilian remedy that was available under the Human Rights Act.)

India’s Anti-Sedition Act prohibits words and actions that may cause “hatred or contempt or disaffection” toward government. This is used even against journalists, activists and those protesting government policies. As many as 6,000 farmers and fishermen were charged for opposing a nuclear plant along the southeast coast.

The Penal Code makes it an offence, punishable by up to three years in jail, to hurt anyone’s religious sensibilities; promote enmity between different religious groups; circulate “any statement or report containing rumour or alarming news with intent to create or promote, or which is likely to create or promote, on grounds of religion, race, place of birth, residence, language, caste or community feelings of enmity,” etc., etc.

Worse, the code allows anyone offended by anything to demand that the offensive material be removed.

Indians are easily offended, indeed are “desperate to be offended,” jokes novelist Manu Joseph. The milieu allows religious leaders and politicians to stoke real or imagined grievances and rush to the courts and the police, both of which usually cave in rather than risk the wrath of frenzied protesters.

“Instead of protecting the right of free expression, the state defends the offended,” writes Salil Tripathi on the website Index on Censorship.

Adds Kian Ganz, editor of the website Legally India: “Many of these British-colonial laws were written and enforced to ‘control’ a multi-ethnic and religious population. Yet they are still around and are regularly used to stifle free speech.”

Religious bigotry

While we hear mostly of angry Muslims taking offence to alleged insults to Islam — the 1988 ban on Salman Rushdie’s The Satanic Verses being the prime example — increasingly it is Hindu fundamentalists who have been agitating successfully against what they do not like.

“Hindu bigots have matched, or perhaps even outperformed, their Islamic counterparts,” writes Ramachandra Guha, India’s pre-eminent historian. He was condemning Penguin India’s decision last week to recall and pulp American academic Wendy Doniger’s The Hindus: an Alternative History, under pressure from a Hindu group that said the 2009 book contained “heresies” and was focused on “sex and eroticism.”

There has been no bigger victim of Hindu wrath than the late M.F. Hussain, the “Picasso of India.” His priceless work was vandalized, he was slapped with hundreds of lawsuits and threatened with death for painting Hindu deities in the nude. He went into exile in Doha, Qatar, where I spoke to him on the phone in 2011 and heard his pain at having been hounded out of his beloved India. We agreed to meet later but he died soon after, at age 95.

Last year, India’s leading intellectual Ashish Nandy was threatened with arrest for ostensibly offending Dalits (Hindus of a lower caste, formerly known as untouchables).

In 2012, Mumbai police arrested a young woman who complained on Facebook about the shutdown of the city of 18 million on the death of Bal Thackeray, leader of a chauvinist regional Hindu party. Another woman who “liked” the page was also detained,both for “hurting religious sentiments.”

In 2011, the western state of Gujarat stopped the sale of American journalist Joseph Lelyveld’s biography of Mahatma Gandhi, which suggested that the great leader may have had a sexual relationship with a male German architect. The chief minister (premier), Narendra Modi, is now the prime ministerial candidate of the Hindu nationalist Bharata Janata Party for federal elections in May, which he is favoured to win.

In 2010, Canadian author Rohinton Mistry’s 1995 book, A Fine Balance, was removed from the syllabus of Bombay University, his alma mater, following objections by a student, the grandson of Thackeray. The head of the university’s English Department had to go into hiding after receiving death threats.

In 2008, Delhi University expunged from its history course an essay by A.K. Ramanujam on Hinduism following complaints by a Hindu group, and Oxford University Press India temporarily stopped printing it.

Other examples:

In 2007, a court issued an arrest warrant for actor Richard Gere for kissing Bollywood actress Shilpa Shetty, following complaints by irate Hindus. An institute in the western city of Pune was vandalized because American academic James Laine had done part of his research there for his book, Shivaji: Hindu King in Islamic India. An art gallery in Bangalore hastily removed partially nude pictures of Hindu deities fearing retaliation by a Hindu moral squad.

Guha, the historian, once suggested that both Rushdie and Hussain, one pilloried by Muslims and the other by Hindus, be conferred India’s highest civilian honours. “That would have been a blow for artistic freedom. And it’d have equally offended Hindu and Islamic bigots.”

Libel chill

There has been a steady rise in what free speech advocates see as nuisance lawsuits by corporate houses, businessmen and political parties.

In December, Jitender Bhargava, executive director of Air India until 2010, saw his book on the national airline withdrawn by Bloomsbury India, allegedly under political pressure.

The same month, another book, Sahara: The Untold Story, on the controversial finance and real estate conglomerate, was held back under a court order.

In 2011, Penguin removed a chapter in The Beautiful and the Damned from its Indian edition after Arindam Chaudhuri, who runs business schools, sued about his profile in it. He also sued Caravan, a journal of politics and culture, for an article on how he had “made a fortune off the aspirations and insecurities of India’s middle class.” The Delhi-based businessman still has the Delhi-based magazine entangled in the case he filed in a jurisdiction 1,750 kilometres away — and 300 kilometres from the nearest airport.

Penguin also held back a biography of J. Jayalalithaa, chief minister of the southern state of Tamil Nadu, who had a stay order issued against it.

In 1998, a book about the head of a textile conglomerate, Dhirubhai Ambani, was not published in India after the publisher was threatened with lawsuits. A second edition of The Polyester Prince was issued in India but with the offending material cut out.

It is difficult for outsiders, especially without the benefit of reading the materials in dispute, to judge the timidity of the publishers. But there’s no questioning the creeping self-censorship.

Obeisant media

Vinod Jose, executive editor of Caravan, writes in its annual media issue:

“Media owners bargained with the government to secure lucrative licences to mine coal blocks in return for their power to influence the public. Editors got caught on tape striking deals with lobbyists but remained arrogantly unapologetic. Owners fired political editors who wrote about politics independently . . . Forbes India pulled a story because it irked the finance ministry.”

Jose said that in 2013, the year surveyed, “the dominant mood of the press was docility.” If in the 1950s and 1960s, the media served the state, now they serve big business. They have begun to expose government corruption but remain mostly mum on corporate malfeasance. The Times of India, the country’s largest English daily, takes equity in some companies it provides advertising space to.

State surveillance

India, like the United States and other democracies, is under heavy criticism for invasion of citizen privacy under sweeping state surveillance, especially by its eight intelligence agencies that operate under mostly secretive powers.

“The real problem is that we don’t know what powers they do have — we only know bits and pieces about the Centralised Monitoring System (CMS), from some tender documents that indicate that the government intends to track web usage, phone calls, text messages and map location information, apparently without the knowledge of even telecom operators,” says Nikhil Pahwa of MediaNama (Media Journal), a website that provides news and analysis of digital media. “The issue is even less obvious here than that of the NSA,” the National Security Agency in the United States.

“The rules give the Indian government the ability to gag free speech, and block any website it deems fit, without publicly disclosing why or who blocked it — or providing adequate recourse for getting the block removed.”

“Intelligence agencies are not answerable to parliament, only to the Home ministry,” says Anja Kovacs of the Centre for Internet and Society. There are few checks and balances, little or no civilian oversight.

“The Indian government’s centralized monitoring is chilling, given its reckless and irresponsible use of the sedition and Internet laws,” says Human Rights Watch. “New surveillance capabilities have been used . . . to target critics, journalists and human rights activists.”

“Every month at the federal level, 7,000 to 9,000 phone taps are authorized or re-authorized,” writes Pranesh Prakash, policy director for the Centre for Internet and Society.

Conclusion

It is useful to remember that whatever is true of India, the exact opposite may also be true. So, while the situation is getting bleaker on the free speech front, in India the state is not the sole culprit, unlike in Russia, China or other authoritarian places. India also has a vibrant civil society that’s hammering away — is free to hammer away — at the need for a liberal polity to be liberal. The intellectuals, activists and NGOs I have quoted, testify to that. Here’s another:

The PEN All-India Centre in Mumbai and the newly formed Delhi Pen, both part of the global network of writers dedicated to free speech, said this last week:

“The removal of books from our bookshops, bookshelves and libraries, whether through state-sanctioned censorship, private vigilante action or publisher capitulation are all egregious violations of free speech that we shall oppose in all forms at all times.”

For more details visit https://cis-india.org/news/the-star-op-ed-february-16-2014-haroon-siddiqui-dark-days-for-creative-class-in-india