Access To Knowledge (A2K)

Bolstering right to remain private

praskrishna — 2012-10-29T09:00:13Z

The Justice AP Shah panel has done to well to lay down an enforceable roadmap that can strengthen privacy laws in the country. It’s now for the legislature to take the issue to a logical conclusion.

Apar Gupta's column was published in the Pioneer on October 29, 2012.

A haveli courtyard is an apt metaphor for the complexity which is involved in drafting a law on privacy. Though the courtyard gives an appearance of openness, it is limited by the walls, doors and windows which surround it. The architecture represents a mediated understanding of the options which are available to the resident in sharing and limiting information to family and strangers. A somewhat similar project is in the works with the Union Government taking steps towards the enactment of a privacy law.

Privacy law as it is understood at present is usually limited to the odd writ petition filed against the Government by a private individual seeking enforcement of a fundamental right to privacy. Recently, such adjudication has been limited to high-profile individuals, and where there is wide voyeuristic interest. For instance, two recent petitioners include industrialist Ratan Tata and former Samajwadi Party leader Amar Singh. Here, it is important to stress that with the state gathering more and more data about individuals through the Unique Identification Authority of India scheme, there is a need to democratise the right by making legal provisions for its enforcement. In making such provisions a balance has to be maintained, where information which serves public interest or gathered through informed consent is not encumbered in the name of protecting individual privacy.

To find this balance, the Government late last year tasked a Committee of Experts chaired by Justice AP Shah to prepare a report on the Privacy Bill. Readers would recall that Justice Shah had authored a judgement which read down Section 377 of the Indian Penal Code, decriminalising homosexual activity. A closer reading of the judgement shows the reliance placed by the court on the privacy right and to reach its determination. With such credentials, the Justice Shah Committee has exceeded the high expectations placed on it, presenting a fair and balanced approach towards a privacy law in India.

At the very outset the report clearly marks its objectives, from which it then commences to study judicial precedent on privacy as well as the experience of foreign jurisdictions. On the basis of this study, it has evolved nine privacy principles which encompass within it distinct aspects of individual privacy. Such a nuanced approach to privacy is certainly welcome given that privacy as a right is often subjective, varying drastically in its appreciation as per civil society, private industry and even Government itself.

Beyond the specific aspects of the privacy right, the report extends the right both to Government as well as private industry. This is a sign of the times, best put by Pranesh Prakash, policy director, Centre for Internet and Society, when he says that citizens reveal more data about themselves to social networking websites than they would to the Government under torture!

Another significant aspect is the proposed co-regulatory regime which the report suggests. And, experience has taught us that a right without an effective remedy to enforce it counts for a little more than a black letter on paper. In this respect, the report proposes a sectoral regulator which has supervision over State level privacy commissioners. In addition to this, the report also proposes a system of self-regulation where industry-specific standards may be proposed and then sanctioned by the privacy commissioners. However, contrary to the present approach of tribunalisation, the report suggests that recourse to civil courts for aggrieved persons should always be kept open.

Though the origins of the privacy rights may be antiquated, widespread consensus suggests that the modern practice and substance of privacy law owes its beginning to an article published in the fourth volume of the Harvard Law Review. The article, authored by Louis Brandeis and Samuel Warren drawing a physical justification for what seemed like a novelty back then, stated that the law regarded a man’s house as his castle.

Sadly, the right has not seen a proper development in India, mainly due to the absence of an overarching legislation as well as a lack of understanding of its proper contours. At least in this respect, the report marks a significant development in the drafting of a comprehensive privacy legislation in India. A haveli, a house or a castle — the Justice Shah panel has provided a useful blueprint to the legislature to build an effective and balanced statute to safeguard individual privacy.

(The writer is a partner in a Delhi-based law firm and visiting faculty at the National Law University, Delhi)

For more details visit https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private

Bloggers' Rights Subordinated to Rights of Expression: Cyber Law Expert

elonnai — 2012-03-21T09:35:06Z

Vijayashankar, an eminent cyber law expert answers Elonnai Hickok’s questions on bloggers' rights, freedom of expression and privacy in this e-mail interview conducted on May 19, 2011.

A set of rules relating to regulation of the Internet (mentioned in section 79 of the ITAA, 2008) was released in April 2011. In light of the rules framed under the IT Act, and as part of our research on privacy and Internet users, we have been looking into questions surrounding bloggers’ rights, freedom of expression, and privacy.

The new rules require among other things that intermediaries take down any content that could be considered disparaging. In practice, these rules will act to limit the ability of individuals to express their opinions on the Internet — especially for the bloggers. Though these requirements seem to only impact the freedom of expression of bloggers, a blogger’s privacy rights, especially in relation to the protection of their identity, are also pulled into question. Other issues surrounding bloggers’ rights and privacy include: if bloggers are identified as journalists, then whether they should be afforded the same protections and privileges, e.g., should bloggers have the right to free political speech and should intermediaries have freedom from liability for hosting speech or others’ comments? Are bloggers allowed to publish material that is under copyright on their website?

On May 19, 2011, through e-mail, I had the opportunity to interview Vijayashankar, an expert in cyber law, on issues regarding the rights of bloggers freedom of expression, and privacy. Vijayashankar has authored multiple books on cyber law, taught in many universities, and is an active leader of the Netizen movement in India. Below is a summary of the questions I posed to Vijayashankar and his responses.

I began the interview by trying to understand bloggers’ rights and how they are defined. Often the term 'bloggers' rights is used casually, but it is important to understand the different roles that a blogger plays in order to understand what his/her rights are, how they could be violated, and how they could be protected. Vijayashankar explained that a blog is comprised of two parties: a blogger and an intermediary – which is the application host. Bloggers have many different roles: authors, editors, or publishers of content, and thus, a blogger’s rights should be defined within these contexts. As authors, bloggers write their own article/blog or adds comments to others’ blogs. As such, they should have the freedom to express their thoughts and opinions and determine a level of privacy with which to maintain them, without regulation or censorship from a third party. Though the freedom of expression and privacy should be basic rights for blog authors, bloggers must also be held accountable and responsible for the content that they choose to make public by posting on accessible web pages.

The need for a blogger to be held responsible and accountable is similar to the limitation on speech that informs defamation law, and it means that a blogger cannot be entirely anonymous – at least not once a blog is public and is challenged. Thus, accountability must limit the right to be entirely private and anonymous. Though a blogger should be held accountable, the international implications give rise to thorny issues of jurisdiction and accountability under unforeseen laws: all of which raises the question whether, instead of local jurisdictions seeking to enforce their laws against potentially out-of-the-jurisdiction bloggers, an international third party should be entrusted with the responsibility of holding bloggers accountable and responsible – whether that takes the form of an organization like the WTO or WIPO or looks more like specially trained international arbitrators.

This challenge arises because bloggers live in different jurisdictions where different rules apply, but their opinions cross multiple borders and boundaries. This raises questions such as: Which jurisdictional law should the blogger be accountable to? Should a blogger be held responsible for actions that are considered violations in a jurisdiction in which a blog is read, even if those actions are not violations in the jurisdiction in which it is written? And if a blogger is to be held responsible, who should hold him responsible – the country where the action is considered a violation or his own country – and where does a private party have a cause of action? According to Vijayashankar, blogger’s rights’ are always subordinated to the rights of expression guaranteed to the blogger in his country where he is a citizen.

Furthermore, the rights of a blogger have to be seen in the context of who has the "cause of action" against blog writing, i.e., which party involved has the right to complain. If an individual is a victim of a blog, and that individual is a citizen of another country and is guaranteed certain rights, the blogger's rights cannot override the rights of the victim in his own country. Hence, the victim has the right to invoke law enforcement in his country, and the law enforcement agencies do have a right to seek information from the blogger. If, however, a citizen brings a private civil action against a blogger, the discovery limitations are much more severe across boundaries, and the blogger’s national policy on responding to discovery from other countries will determine the extent to which information from the blogger will be made available. To the extent that the impact of a blogger’s expression reaches across boundaries, his actions should be considered similar to a situation where a citizen of one country does certain things which affect the rights enjoyed by a citizen of another country. It does not seem right that a blogger can say something offensive in one jurisdiction and be held liable, but a different blogger can say the same thing from another jurisdiction and be protected. On the one hand, since the Internet as a medium broadcasts across geographical boundaries, it is the responsibility of the individual countries to erect their "cyber boundaries" if they do not want the broadcast to reach their citizens. On the other, individuals should be able to invoke international laws to seek consistent application of standards about what is actionable and what information is discoverable in support of an action. This suggests that an international tribunal might be the best solution.

Other questions to think about when exploring the idea of a trusted third party holding online bloggers accountable include: who would form the third party, what legal authority/power would they have, would this group also be in charge of reviewing a country’s "cyber boundaries" in addition to holding online bloggers accountable? and how would it avoid being influenced by any one government or by other stakeholders?

Next I asked him for examples of common privacy violations that happen to online users. A few he said included identity theft in the form of phishing, which leads to financial frauds, and is one of the most dangerous consequences of privacy breach. Other examples included manipulation of online profiles in social networking sites to cause annoyance, defamation, and coercion; cyber squatting with content which can be misleading; posting of obscene pictures with or without morphing of victim’s photographs to other obscene photographs/pictures; and SPAM – particularly through mobile phones – are all serious forms of privacy violations.

My third question focused on privacy violations and bloggers. How could a blogger’s rights be compromised, especially with a focus on privacy? For bloggers, is privacy important simply to protect their identity and content, or are there other implications for privacy and bloggers? In our research we have looked into ways in which practices such as data retention by ISPs, government/law enforcements’ access to web content including private conversations, and poorly established user control over privacy settings on websites can violate online users’ privacy. According to Vijayashankar, a blogger is mainly concerned about privacy in the context of protecting his identity. It is important for bloggers to protect their identity because the content they create could be considered controversial or illegal in different regions. Thus, it is critical for bloggers to have the right to blog anonymously. An exception to this right is that if the blog is so offensive then the law enforcement agency can take action. In some countries individuals also can sue bloggers. To help protect bloggers from unreasonable and ungrounded searches, Vijayashankar suggested that a mechanism be created by which international and domestic law enforcement agencies can request 'sensitive' information. This mechanism would work to filter and evaluate requests for information without bias, and according to a country’s law own domestic law.

I then asked him what legal protections he felt bloggers needed. He said that he believes that it is important that bloggers and online users’ right to anonymity, protection of identity and freedom of expression (political and non-political) are protected from excessive regulations. An interesting point that he raised was about the protection of bloggers from international requests for information. According to –him — bloggers can be protected only to the extent to which their rights are protected in their own country. If a request for information comes to a law enforcement agency of a country of which the blogger is a citizen, information may need to be released unless an “asylum” has been granted.

An example of the situation Vijayashankar is referring to is that if a blogger in India writes content that is found to be controversial by the U.S Government; the U.S Government then has a right to request and access that information, unless the Indian Government provides protection over the citizen and the information and refuses to release it. Though right to information requests tend to be governmental, this rule changes if it is a citizen requesting information. Very rarely can a citizen of one country request information about a blogger from another country and gain access. The question of international discovery over Internet material is one that has many angles that need to be taken into consideration – a few being: what the content on the blog contained; was the content against an individual or a government; who is requesting the information — a citizen or the government, and whom are they requesting the information from? For example, in the US Supreme Court case, Calder vs. Jones 465 U.S. 783 (1984), information about a woman, Shirley Jones, was published in another state, but the court ruled that the wrongful action was directed to her where she was.

A large part of the debate over bloggers’ rights is centered on governments’ need to monitor online activity. Developments such as the new rules to the IT Act, the Indian Government’s request for blackberry’s encryption keys, and the news about the government wiretapping citizens’ phones show that the Government of India is demanding access to see and regulate content created by online users in India. When asked about bloggers’ rights and government access to content, Vijayashankar stressed that there has to be a mechanism to check the requests from government agencies, and any such mechanism should have popular representation. He went on to explain that presently an order for the blocking of a blog or for private information is made by a government agency or a court. Unfortunately, government agencies may be responsive to certain interests. Likewise, decisions of conventional courts can be inconsistent. Therefore, it is important that a mechanism that reflects the common person’s input is put in place. This could either be a stand-alone private body, such as Netizen Protection Agency, acting as one more layer of protection, or the government body itself could build in adequate public representation. Courts would need to recognize such bodies and seek their opinion as an input to any dispute. This is an innovative option, but one that is a radical departure from the view of a court as an impartial tribunal that is supposed to weigh every matter independently on its merits.

Lastly, I asked if a privacy legislation could address the issue at hand i.e., could a privacy legislation work to protect bloggers’ rights by providing them identity protection and protection of their content and in general what should be included in a comprehensive privacy legislation? Though India already addresses bloggers’ rights through the Information Technology Act, it could be possible that privacy legislation could establish a third party group to work to protect bloggers’ rights and hold both governments and bloggers’ accountable. When asked what should be included in a comprehensive privacy legislation, Vijayashankar suggested that it should recognize that privacy rights of individuals are part of the larger interests of the society, and a comprehensive legislation should work to take all the stakeholders into consideration.

For more details visit https://cis-india.org/internet-governance/blog/privacy/bloggers-rights-and-privacy

Bloggers battle India's supreme court over prosecution for internet threats

sachia — 2011-04-02T16:17:48Z

Article by Randeep Ramesh in the Guardian, 26 February 2009

India's supreme court is facing the wrath of the country's bloggers over the prosecution of a student because of anonymous comments published on a social networking group he created.

The computer science student, named as Ajith D, was arrested over allegations that death threats had been posted on his "anti-Shiv Sena" group on Google's networking site, Orkut. The 20-year-old also faces charges of criminal intimidation and hurting religious sentiments.

The Shiv Sena (Army of Shiv) is a political party that made its name in the 1990s for populist policies that were anti-Muslim and favoured locals over outsiders. Its leader, Bal Thackeray, has been quoted as admiring Hitler.

Mumbai police had been monitoring the site since the Sena staged violent protests against Orkut for carrying anti-party statements, vandalising cybercafes across Mumbai. Officers contacted federal authorities in Delhi before bringing charges.

In response, the lawyer representing the student asked the supreme court to quash the case, saying his client had published nothing provocative. However India's chief justice, KG Balakrishnan, refused the application saying: "We will not do that. Anything that is posted on the internet goes to the public. The internet is open to the world."

The case highlights how India, the world's largest democracy, deals with the thorny issue of freedom of speech on the internet. A law about to arrive on the statute books places the onus for publishing material on the web, not on hosts of the material, such as Google's Orkut service, but on individuals who create blogs and websites.

"The difficulty here is that my client did not make the threats. He simply set up a community group and left it unmoderated," Jogy Scaria, Ajith's lawyer, said. "He only created the anti-Shiv Sena site."

Orkut is one of India's most popular social networking sites and many bloggers vented their fury online. "I am not able to gather how it is possible that bloggers can be hit with libel and criminal suits on the basis of anonymous postings on their websites," wrote one on Ekawaaz-One Voice.

Lawrence Liang, India's foremost authority on freedom of speech on the internet, wrote about the case on Kafila.org.

"When organisations like the Shiv Sena start using defamation laws, it smacks of chutzpah to me … What other way can we describe the bizarre situation of the violence-prone macho men, who suddenly run around screaming about the violation of their legal rights and the slurring of their reputation?"

India's constitution guarantees freedom of expression as long as this does not extend to libel, national security, contempt and a broad category of public morality – which includes "hurting religious sentiments".

Pranesh Prakash of Bangalore's Centre for Internet and Society, a thinktank specialising in web civil rights, said the internet had allowed "everyone to become a publisher but not the awareness of what responsibilities of a publisher. The way the law is dealing with it is highly problematic."

-----

To read the article at the Guardian website, click here.

For more details visit https://cis-india.org/news/bloggers-battle-indias-supreme-court-over-prosecution-for-internet-threats

Blocking Twitter: How Internet Service Providers & telcos were caught between tweets and tall egos

praskrishna — 2012-08-25T07:36:04Z

Long derided as 'dumb pipes' to the Web, Internet service providers (ISPs) are discovering these days that insult is being increasingly followed up by injury.

Joji Thomas Philip and Harsimran Julka's article was published in the Times of India on August 25, 2012. Pranesh Prakash is quoted.

In the fight between netizens who spare no effort at lampooning the powers that be and alarmingly frequent government flashes of rage at comments that can range from the mildly disrespectful to downright defamatory, telcos and ISPs find themselves much like the grass in the age-old Swahili saying "When two elephants fight, it's the grass that suffers".

The latest reminder of the hard place they find themselves in came earlier this week when news first broke that the government had asked for some accounts on social media site Twitter to also be part of websites and Internet pages it wanted blocked by ISPs. The news triggered a wave of outrage across cyberspace, with many users venting their rage at the first entity they associate the web with - their ISP, which in many cases is also their telecom operator.

"We acted immediately to the government's orders, but ended up being targetted and criticised wrongly only because we acted first," explained one official, who sought anonymity for himself and the company to avoid offending bureaucrats.

It's a common feeling. Telcos and ISPs are increasingly finding themselves in a 'Damned if you do, Damned if you don't' predicament these days, having to walk a tightrope between government orders and a restive netizenry.

And government orders can range from the super-urgent to arbitrary to sometimes ill-conceived. Very often, its 'one ban fits all' makes little allowance for differences between social networking sites and regular websites.

Executives in telecom companies recounted the instance when the government on August 18 ordered a ban on bulk SMSes and restricted text messages to five per day as part of efforts to combat the large-scale migration of people of north-eastern origins from other states to their home provinces fearing reprisal attacks.

"Within an hour of the directive, we started getting calls seeking compliance," said a top executive with a leading telco. But as the Centre was demanding compliance reports, operators were busy trying to decipher its notification, which read: "(a) Block bulk SMS (more than 5) for the next 15 days in the entire country across all states/UTs (b) Block bulk MMS (more than 5) and all MMS with attachment more than 25 KB for the next 15 days in the entire country across all states/UTs."

Shoot first, talk later

Telecom operators were nonplussed by the notification. Did it apply only to senders of bulk text messages who use this facility for commercial purposes? Or, did it mean customers could not send SMSes to more than five people simultaneously?

"When we sought clarification, the explanation was completely different and took a new dimension. It was five text messages per day per customer," said the regulatory head of a GSM operator, requesting anonymity as he did not want to offend the government.

Mobile phone companies then approached the department of telecom explaining that they did not have any technology with which they could impose a five SMSes a day limit for postpaid users. "The home and telecom ministries had not even realised that a facility did not exist before issuing the directive," said the marketing head of a leading telco.

In this case, the government accepted the operator's arguments and relented, but still told the companies not to highlight the limitation. "This time around, our arguments were accepted. Going by past instances, some operators had feared that the government would slap a hefty penalty for non-compliance without considering what we had to say," the marketing head said.

Industry officials say the tendency of 'shoot first, talk later' among bureaucrats and ministers long used to having their orders followed, especially when it came to the world of social networking which very few of them had any idea about, meant that it was safer to obey first and correct later.

"We don't even do any application of mind to the government's notices on requests. We wholesale block them. We can't even question the government's requests. A notice is a law in effect. Violation means a potential penalty which can go up to the cancellation of my licence and thus end to my business," said the head of a Delhi-based ISP that serves business users.

Executives with several ISPs and telcos say most often, court orders, government notifications and directives are not in public domain, and these result in angry consumers assuming that their service provider is up to some mischief.

ISPs say public clarifications by the government would go a long way in addressing the issue. "There has to be transparency. The government should have proactively disclosed the names of the websites it wanted blocked. The persons and intermediaries hosting the content should have been notified and provided with 48 hours to respond as required by the IT Act," said Pranesh Prakash of the Centre for Internet and Society, a research organisation.

For more details visit https://cis-india.org/news/times-of-india-aug-25-2012-blocking-twitter

Blocked websites: Where India flawed

praskrishna — 2012-08-27T03:00:16Z

Apart from not giving 48 hours response time, the Indian government has blocked some websites which don't exist or don't have web addresses, says an analyst.

Published in CIOL on August 23, 2012. Pranesh Prakash's analysis is quoted.

India is threatening to block Twitter as the latter has allegedly failed to respond to the government's order to remove some inflammatory posts.

That has come to light as it is being widely covered in media, but there are hundreds of websites which have already been shut, apparently without due notice to the owners.

Apart from Facebook, Twitter and YouTube accounts, the blocked websites include which are sympathetic to Hindu and Muslim radical groups.

In an analysis of 309 websites blocked in the wake of exodus of North eastern people from Bangalore, Pranesh Prakash of the Centre for Internet and Society (CIS), says the government has blocked these sites under the Information Technology Act, but it failed to provide the mandatory 48 hours to respond (under Rule 8 of the Information Technology Procedure and Safeguards for Blocking for Access of Information by Public, Rules 2009).

He writes in his post: "The persons and intermediaries hosting the content should have been notified. Even if the emergency provision (Rule 9) was used, the block issued on August 18, 2012, should have been introduced before the "Committee for Examination of Request" by August 20, 2012 (within 48 hours), and that committee should have notified the persons and intermediaries hosting the content.

Internet censorship is acceptable as long as it is in the purview of the law and doesn't encroach one's freedom. In this case, some people and posts debunking rumours have been blocked, says Pranesh.

He points to some discrepancies in the way the websites are blocked:

Some of the items are not even web addresses (e.g., a few HTML img tags were included). Some of the items they have tried to block do not even exist (e.g., one of the Wikipedia URLs).
An entire domain was blocked on Sunday, and a single post on that domain was blocked on Monday.
For some YouTube videos, the 'base' URL of YouTube videos is blocked, but for other the URL with various parameters (like the "&related=" parameter) is blocked. That means that even nominally 'blocked' videos will be freely accessible.

He concludes: "All in all, it is clear that the list was not compiled with sufficient care."

For more details visit https://cis-india.org/news/www-ciol-com-aug-23-2012-blocked-websites

Blockchain: A primer for India

Anusha Madhusudhan — 2020-03-30T13:32:58Z

This report is presently being updated.

For more details visit https://cis-india.org/internet-governance/blog/blockchain-a-primer-for-india

BJP outspends Congress, others in social media advertising

Vidhi Choudhary — 2019-05-14T15:21:35Z

The data shows that so far the BJP has spent Rs 25 crore in advertisements across Facebook, Instagram, Google and YouTube.

The article by Vidhi Choudhary was published in Hindustan Times on May 3, 2019. Sunil Abraham was quoted.

The ruling Bharatiya Janata Party (BJP) is way ahead of the Congress in advertising expenditure on social media at the end of the fourth phase of the ongoing Lok Sabha elections, according to data from advertising transparency reports by Google and Facebook - but the spending across parties is being described as much lower than expected by media experts.

The data shows that so far the BJP has spent ₹25 crore in advertisements across Facebook, Instagram, Google and YouTube.

It has spent ₹11.6 crore andRs 13.43 crore on Google and Facebook respectively. The Congress, the main opposition party has spent a total of ₹1.42 crore for ads on Facebook (Rs 74 lakh) and Google (₹62 lakh).

The total spend on political ads across Facebook, Google and their affiliates stood atRs 42.3 crore between February 2019 to the end of April 2019 across 108,968 ads.

The balance political ad spend ofRs 15.9 crore have been incurred by regional parties such as the Telugu Desam Party (TDP) and individual leaders such as Odisha chief minister Naveen Patnaik of the Biju Janata Dal (BJD).

These spends are part of the Facebook and Google political ad transparency reports - a measure most social media companies took as part of a voluntary code of ethics developed to ensure free, fair and ethical usage of social media platforms to maintain the integrity of the electoral process for the general elections 2019.

According to Sunil Abraham, founder and executive director for think tank, Centre for Internet and Society, the poll expenditure on social media appears to be abysmally low.

“Over all these number look low to me. It is possible that political parties are using astroturfing strategies to avoid public scrutiny through the transparency reports published by Facebook and Google. For those unfamiliar with the term, astroturfing is the creation of fake grassroots support - named after the fake grass that is used in sports fields,” he said.

But other experts suggested these figures don’t reflect the full picture.

“These are only the media spends by major political parties. Media spends don’t reflect the total spend on social media because a lot of money is spent on both content creation and manpower to oversee online campaigns.

Major parties collectively are likely to spend a total ofRs 350- 400 crore on social media this time, especially to tap into the first time voter who are regular users of Internet in the country,” said Ashish Bhasin, chairman and chief executive (CEO) at Dentsu Aegis Network - India and Greater South, a media buying agency.

In 2014, political parties would have spent overRs 175 crore on social media, Bhasin added.

The 2019 Lok Sabha elections have being widely touted as India’s first social media election with close to 600 million Internet users in the country, more than double of 2014.

Some other digital media experts contended that the social media spends by the BJP are more conservative compared to the 2014 general elections.

“The focus is back to booth level marketing as opposed to online spends perhaps because the Election Commission has put stringent audit checks and are closely monitoring all the invoices and ads put up on social media,” said Jyothirmayee JT, founder and chief executive of HiveMinds, a Bangalore based digital marketing agency.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-vidhi-choudhary-may-3-2019-bjp-outspends-congress-others-in-social-media-advertising

Biz moving to IPv6 but lower costs, support needed

praskrishna — 2012-06-14T05:01:34Z

Organisations such as Cisco Systems, Equinix and Singapore Internet Exchange are all gearing up for migration to IPv6 in time for the World IPv6 Launch day slated on Jun. 6,which involved everything from redesigning their backend infrastructure to assessing their systems’ readiness.

Published in intellasia.net on June 8, 2012

However, one industry player noted that the costs and effort in doing so is one key reason why more companies are not making the transition.

Cisco, for one, told ZDNet Asia that is had been preparing for the migration on Wednesday since the test run was conducted last year. Joshua Soh, managing director for Cisco Singapore and Brunei, pointed out that switching IPv6 on permanently demanded a certain level of production quality and this required a lengthy preparation time.

The first step was to work on its backend IT architecture and design, Soh revealed, adding that their primary goals were to leverage network infrastructure already in place to avoid spending on parallel networks, as well as to ensure production quality and ability to maintain overall service levels.

To meet these goals, the networking giant redesigned their data centre based on the reverse proxy model, in which the proxy server retrieves resources from the server to deliver to a client before returning these resources to the original server.

It also used its Application Control Engine (ACE) load-balancing platform to configure incoming IPv6 sessions to be proxied to the IPv4 tier so that the network will be dual-stacked to include existing ISP (Internet service provider) connections, the managing director explained.

The Singapore Internet Exchange did likewise. According to Yeo See Kiat, its sales and marketing director, the organisation enabled dual-stack networks on their servers for public-facing services, which would enable it to obtain IPv6 streams and turn on the service permanently.

“Meet in the middle” saves cost

Another company making a similar transition to the new Web protocol is Equinix. Its director of network engineering & operations for the Asia-Pacific office, Raphael Ho, told ZDNet Asia that the migration would require existing networks to be upgraded and expanded to support the additional bandwidth and power.

This is especially so for facilities such as the company’s International Business Exchange (IBX) data centers where the volume of interconnection is consistently high, he added.

In order to facilitate the switch, the company used its IPv6 Exchange to simplify the process for its networks to enhance traffic within an IPv6 environment, Ho stated. The central switching capability also helped create a “unicast” peering virtual local area network (LAN).

This “meet in the middle” approach helped reduce costs as it enabled its servers to more efficiently establish IPv6 peering, he explained.

Assess systems’ readiness

Cisco’s Soh noted that after the redesigning of the data centre is complete, the company performed an assessment to determine if existing devices in its demilitarised zone (DMZ) and datacenter networks were capable of supporting the new protocol. It also enhanced its network management systems to support network, devices and application monitoring over IPv6, he added.

At this late stage, the company is conducting system-level testing and quality assurance engineers are going about the functional and performance checks, the executive pointed out. Its last test will be a practice run in which it will switch on the IPv6 service for a few hours to make sure everything works fine, including the content delivery network and ISP services, he said.

Beyond the technical preparations, it also put together a training programme to ensure employees, from the frontline to the network engineers, were equipped with knowledge of the new protocol and skills appropriate for their roles, the executive stated.

No impetus for change

The amount of time and costs reflected in these companies’ migration efforts were cited as one of the main reasons why there are not more companies considering making the switch.

According to a statement issued by Tata Communications and India-based centre for Internet and Society on Wednesday, costs and infrastructure as well as having a minimum number of service providers and users utilising the network were identified as the two main impediments for IPv6 adoption.

One the first obstacle, they said: “IPv6 platforms do not communicate easily with IPv4 networks. This idea of abandoning IPv4 and moving to a new protocol is not only redundant, it is also futile because IPv4 is already running the largest network in human history quite efficiently.”

To make the transition more palatable, they believed “translators”, or technologies able to “speak” in both protocols, are needed. However, these translators are still expensive and there is a need to divert more resources to make these technologies more affordable, the statement noted.

As for the second reason, both Tata and the centre for Internet and Society stated that as long as the deployment of IPv6 remains nascent, there will be no concentrated energy to bridge both protocol versions.

“We are going to need a systemic change among all stakeholders to make IPv6 a reality, toward a faster, safer and more robust Internet,” they said.

For more details visit https://cis-india.org/news/biz-moving-to-ip-v-6

Bitcoin & Open Source with Aaron Koenig

praskrishna — 2014-02-06T01:40:24Z

Aaron Koenig, director of bitfilm.org and a global Bitcoin entrepreneur will give a talk at the Centre for Internet and Society, Bangalore on February 7 at 6.00 p.m.

Learn more about Bitcoin and its global path as we explore concepts and ideaologies behind the technology behemoth.


Above is an image of a Bitcoin Expert giving a presentation. Image source: http://bit.ly/1keLpwi

For more details visit https://cis-india.org/events/bitcoin-and-open-source-aaron-koenig

Bit by byte protecting her privacy

Admin — 2018-07-29T01:46:38Z

The Srikrishna committee draft law on data protection is days away. Here’s a bucket list of issues that will matter

The article by Mihir Dalal and Anirban Sen was published in Livemint on July 26, 2018. Amber Sinha was quoted.

In an era dominated by “free” platforms such as Google, Facebook and Amazon, among others, data privacy had largely been considered an academic matter. However, in the past one year that notion has changed forever, bringing data privacy to the fore, as one of the defining issues of the internet, both in India and abroad.

Last August, the Supreme Court ruled that privacy was a fundamental right under the Constitution of India. Concomitantly, the debate over Aadhaar and its potential misuse picked up steam on the back of reports about data breaches in the biometric ID system though these reports were denied by the Unique Identification Authority of India, which built Aadhaar. (The apex Court will deliver its verdict on petitions that have challenged the constitutional validity of Aadhaar and its legal framework)

Globally, Facebook came under severe criticism after it was revealed that the social media giant had compromised user data in the run up to the US elections. Finally, in May, Europe introduced its landmark data privacy law, General Data Protection Regulation (GDPR), which has put users in control of their data through various measures.

The stage is now set for the much-delayed draft law on data protection, which is expected to be submitted soon by the 10-member panel headed by former Supreme Court justice B.N. Srikrishna.

The committee, which had been set up last July, has attracted criticism from some quarters. Earlier this month, more than 150 lawyers, activists and journalists, among others, wrote to the Srikrishna committee, complaining about the lack of transparency in its process, the lack of diversity in the views held by members of the committee, besides other issues. In an earlier letter in November last, activists, lawyers and others had alleged that too many members of the committee held pro-Aadhaar views. Some experts believe that the mandate of the committee was flawed to begin with. “Given that personal information is omnipresent in so many different sectors, it is better to have a light touch legislation that deals mostly with key principles of data privacy and empowers a data commissioner to frame more detailed regulations,” said Stephen Mathias, partner, Kochhar and Co.

Last week, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information, while severely restricting the ways in which telecom and internet companies can use customer data. Here are the major issues to watch out for in the draft data protection law.

Users vs. collectors

This broad umbrella includes mandatory consent of users for data collection, data portability, the right to be forgotten and the right to erasure. Last week, Trai gave its recommendations on some of these issues in what were considered pro-privacy and progressive suggestions. Those recommendations tracked GDPR measures. The Srikrishna committee is also expected to suggest pro-privacy measures, though the details will be all-important. The committee is also expected to define what is ‘sensitive’ or ‘critical’ data. “In India, government agencies, private entities and others collect various forms of data on individuals,” said Chetan Nagendra, partner, AZB Partners. “The committee will have to clarify what category of data is allowed to be collected and whether this should this be standardized across different entities. It will also have to standardize rules on how long is it okay to store such user-collected data.”

The flip side of user rights is the role of data repositories that collect and process user data. The committee will be required to clarify what data firms and government agencies can gather on users and what will be their responsibilities toward the usage of that data. This includes the principle of privacy by design, that is, companies must ensure by default that their platforms are designed to protect rather than exploit user data and privacy.

IndusLaw partner Namita Viswanath said that in terms of data repositories, there was a need to distinguish between a data controller and a data processor. A data controller is the user-facing platform that gathers data, whereas a data processor is often a third-party firm that provides infrastructure for the platform. “Responsibilities of user personal data should be shared between a data controller and processor. The nature and extent of liability should depend on the nature of data, the party responsible for handling data and the measures adopted, but ultimately, the data controller should most responsibility,” Viswanath said.

Regulation vs. Self-control

Given that data is such a broad-ranging topic, the Srikrishna committee will be expected to recommend who should have oversight of data-related matters. Will there be a new data protection authority? If so, what will be its scope, given that regulators, such as the RBI, Sebi and Trai, will all be affected by a privacy framework in their respective areas? And what will be the punitive measures and fines for offenders on data matters?

Some experts said the government should appoint a data protection authority. As the recent travails at Facebook show, relying solely on self-regulation of internet platforms, is a disastrous policy. But it’s unlikely that the entire burden of regulation will fall on one authority.

“Logistical problems are likely, especially in the early days, with having a top-down regulatory approach,” said Kriti Trehan, partner, Panag and Babu. “The process of training, requirement of funding and access to skilled human resources will necessitate organisational and administrative inputs. With this in mind, I believe that a co-regulatory framework for data protection will be efficient. With this approach, established parameters may guide escalation in specific instances.”

Data localisation

In April, the RBI had issued norms on the storage of payments system data, which requires digital payment providers to store data in India. That has sparked another debate over the possible stance of the Srikrishna committee. Many start-ups and firms use data servers located in overseas locations because of several reasons, including economies of scale and tax planning. “Data protection should not be confused with data access,” said Kartik Maheshwari, leader, Nishith Desai Associates. “For instance, if a firm is storing user data abroad, that should be fine as long as it is secure and access in India is provided, whenever required. Storing data locally is not necessarily the best solution from the perspective of data security as better infrastructure may be available abroad. However, the government may, in exceptional cases of sensitivity, legitimately require local storage of very narrowly defined streams of data.”

Surveillance is key

The law will also need to clearly define the contours of the contentious issue of surveillance and how to ensure that India does not end up replicating the policies in place in countries such as China, which are notorious for mass surveillance practices. Surveillance that has been legally sanctioned is part of the exceptions to regular privacy practices. The committee will have to define the parameters of these exceptions. In the case of surveillance, some experts, including Amber Sinha of Centre for Internet and Society, said that while it needs to be allowed in specific instances such as issues related to national security, a judicial system needs to be in place to protect the rights of the parties that are being put under surveillance. This, in many ways, is the heart of a very important matter.

The Aadhaar factor

The most hot-button of all issues for the committee is, of course, Aadhaar. Former UIDAI chairman Nandan Nilekani told Mint this week that “if something needs to be modified in the Aadhaar law, it will be done” by the Srikrishna committee. The changes that the committee will suggest to the Aadhaar law will go a long way in determining whether its draft law is truly pro-privacy.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-26-2018-mihir-dalal-and-anirban-sen-byte-by-byte-protecting-her-privacy

BIS LITD 17 Privacy Panel meeting

praskrishna — 2017-07-07T01:31:35Z

Udbhav Tiwari represented CIS at this meeting organized by National Law School of India University in Bangalore on June 21, 2017.

The bare-bones structure for what as discussed at the meeting can be found in the trailing email below. The standard itself is still in the drafting stage, which makes it confidential. I will share it on this thread once it hits the public draft stage, which should happen by September 2017. (approx)

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-privacy-panel-meeting

BIS LITD 17 meeting

Admin — 2019-07-21T13:58:29Z

On July 3, 2019, Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17) at the Bureau of Indian Standards (BIS) in New Delhi.

In a previous meeting, a panel was formed to review two biometric standards: ISO/ IEC 24745 'Security Techniques - Biometric Information Protection' (2011), and ISO/IEC 19792 'Security techniques - Security evaluation of biometrics' (2009). Elonnai Hickok, Karan Saini and Gurshabad Grover had reviewed the documents and sent comments to BIS in December 2018 and January 2019 respectively. The Centre for Internet & Society (CIS) had also shared a document that compared the security guidelines in the standards to the provisions of the draft data protection bill.

The committee discussed whether the aforementioned standards should be adopted as Indian standards by BIS. A decision will be taken on the matter after future discussions that CIS will participate in.

Members updated the committee on their participation at the ISO/IEC. Iupdated the committee on the progress of the study period on the impact of machine learning on privacy, which I am a co-rapporteur for in the identity management and privacy group working group at ISO/IEC IT Security Techniques committee. We also planned our participation at the next ISO/IEC SC 27 meeting, which is in October.

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-meeting

BIS International Seminar on Internet of Things

Admin — 2017-11-25T16:35:42Z

To create awareness among Indian community and to provide a platform to all stakeholders to discuss the technology, challenges and the way forward with an emphasis on the role of standards, BIS organized a half day International seminar on Internet of Things on 15 November 2017 at India Habitat Centre in New Delhi. Amber Sinha attended the event.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/bis-international-seminar-on-internet-of-things

Biometry Is Watching

praskrishna — 2011-04-02T12:08:26Z

In its first steps, the UID drive encounters practical problems, raises ethical questions, reports Sugata Srinivasaraju in Outlook.

Three women are fighting to take one chair in a classroom of a government school in Chelur village, in Gubbi taluka of Tumkur district. One sits on the lap of another and the third tries to push them both off the chair. What all three want is to be the first to be profiled under the Centre’s ambitious Aadhaar or unique identity number (UID) project. Their squabbling holds up the documentation by nearly 20 minutes, and the crowd outside, standing in line in the afternoon sun, grows restless. To calm them, the village revenue secretary orders the distribution of another round of buttermilk.

Chelur is one of four villages in the district picked for field trials before the 12-digit UIDs are assigned to people later in the year. Besides Tumkur, the pilot project is simultaneously running in seven villages of Mysore district. Each village has been given a target of 2,400-2,500 profiles to be completed in 20 days. This involves photographing the face, imaging the iris and scanning all ten digits of each person profiled and assigned a UID.

Villagers are enthusiastic about this rigorous profiling process even though there’s little awareness about the true purpose of the exercise. This is because of some falsehoods that have somehow spread in these areas. Nagamma, an elderly woman coming out after being profiled, thinks her eyes had been tested and found to be in perfect condition. Another middle-aged woman thought the exercise would bring her a new ration card—one that would entitle her family to an extra four kilos of rice. Some others were in a tizzy that if they didn’t undergo this “photography” their BPL cards would be taken away. Most, however, had queued up because they didn’t want to be left out of a sarkari exercise their neighbours were submitting to. Of the dozen people Outlook spoke to, only Muniswamy could tell us that this process would ensure that no one had more than one voter ID card or ration card—the way it should be, unlike some in his village who had illegally acquired two of each.

The village authorities have been doing little to counter the misinformation because their attention is focused on other compelling matters, like meeting the assigned target. This is an important issue because gram panchayat elections have been declared in Karnataka and lots of youngsters set off for campaigning early in the morning and would be difficult to locate for profiling.

According to official figures, Chelur has a population of 5,000, with 3,640 people above the age of 18. A random selection of 2,400 has been made from this to meet the UID target. The number seems small, but handling it at the village level can be demanding for the local authorities—there’s no police for crowd control, refreshments have to be distributed and the computerised work has to be done despite the power outages. Using generators has become inevitable, for the villages get hardly four or five hours’ power supply.

Another problem lies in obtaining the fingerprints of rural folk: most of them are engaged in manual labour or farm work and arrive with dirty palms that defeat the biometric reading machines. Pails of water, detergent and towels are provided for cleaning up. Much time is lost in such rescanning and it goes against the official estimate of five minutes for the young, nine for the elderly.

Prasanna Kumar, the village secretary, admits to the problems. “We did not make an open announcement for the UID pilot because we didn’t want to attract large crowds. We quietly prepared a random list of 2,400 people from the ration card database and went door-to-door to invite them,” he says. “We have left out people above the age of 80 and under 18. We told people this identity number will help them access various government schemes. Fingerprinting is the toughest problem. Initially people were reluctant, but suddenly they have become curious.”

H. Gnanesh, the tehsildar, says the ongoing step is only “concept testing”; the next will be rechecking, in which those already profiled will verify their identity details against what has been stored. Only after that will the UID be issued. In Chelur village, the concept testing ended on May 4; rechecking began the very next day.

Some NGOs observing the process have noted the lack of awareness in villagers. “They are clueless about what they are taking part in,” say Mahadev Prasad and Murthy, of the Basava Seva Trust. Murthy says fingerprinting is a big problem. He speaks of Hommaragalli, in Mysore district, where some foreign experts had to be called in to take a look at the scanning machines.

Then there are larger issues. Away from the surging crowds in Chelur, civil society organisations like the Centre for Internet & Society, the Alternative Law Forum and PUCL have been demanding greater dialogue. In fact, they have even suggested a review of the scheme. They argue there is no clarity on how the government proposes to store and secure personal and biometric data, given the fact that various agencies such as banks, telecom companies and government departments would potentially access it. Security is a huge concern also because the software, hardware and expertise of foreign companies is being used. These NGOs say the UID data, the National Population Registry and the NATGRID, when connected, could prove a grave threat to civil liberties.

“First, a centralised database, like the UID will create, has never been safe,” says Sunil Abraham of CIS. “It needs to be decentralised like our various mail servers. Second, we feel the collection of biometric data is happening at the wrong end of the pyramid. Instead of putting the poor through the process first, why not start with those with financial dealings of Rs 1 crore and above. Third, one study says 48 per cent of our people cannot remember a 12-digit ID. Fourth, we need privacy laws in place before the UID regime sets in.”

Those problems apart, even raising the level of the current exercise—from small samples of a few thousand each to profiling the billion-plus population of India—could place severe demands on our shaky administration. There’s a mountain to be moved.

Read the original article in the Outlook

For more details visit https://cis-india.org/news/biometry-is-watching

Biometrics: An ‘Angootha Chaap’ nation?

Mukta Batra — 2014-09-19T06:12:17Z

This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes.

Introduction

Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,[1] and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.[2] Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.[3]

The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.

Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.

There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. [4]

Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.

This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.

Unreliability of Biometric Data

Biometric data has been qualified as being unreliable.[5] It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint[6] and nutritional deficiencies mar the iris. Even experts working with the UIDAI[7] admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.

Biometric Data Collection under the UID Scheme

In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.[8]

The below chart delineates the process followed for the collection of biometrics under the UID Scheme:

Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.

In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:

1. Lack of clear legal authority and procedure for collection of biometrics: The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an ad-hoc manner when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law[9] and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.

2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules: The National Identification Authority of India (NIAI) Bill[10] confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.[11] This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.

3. Collection of biometric data only with implied consent: Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.[12]

4. Collection of biometric data outsourced to third party: Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.[13] The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.[14] Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.[15] This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.[16]

5. Biometric data is admittedly vulnerable to sale and leakage: In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.[17] To quote from the counter-affidavit ‘..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’[18] Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.

Data collection under the NPR Scheme

The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme[19] are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:

DATA FLOW PROCESS

Flaws in the collection of biometric data under the NPR scheme

Compulsion: Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. [20] A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.
Duplicity: Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.
Biometric data collectors under the NPR scheme empanelled by the UIDAI: The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.[21] Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies[22], making the fear of targeted marketing even more likely.
Public display and verification: Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.[23] However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.
Smart Card: The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.

‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete

The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.

Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.

Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.

Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.

The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.

Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, inter-alia, disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.[24]

Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.[25] A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.

Conclusion

The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.

We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.

[1] https://portal.uidai.gov.in/uidwebportal/dashboard.do accesed: 21 August, 2014

[2] As of January 2013, only 25 RTI requests were made to the UIDAI http://uidai.gov.in/rti/rti-requests.html accessed: 21 August, 2014

[3] DIT-NPR Management Information System accessed: 22 August, 2014 http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx

[4] Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html

[5] Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc

[6] Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1

[7]M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf

[8] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[9] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[10] National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf

[11] Clause 23 of the NIAI Bill, 2010

[12]The UID Enrollment form, accessed: 26 August, 2014 http://uidai.gov.in/images/uid_download/enrolment_form.pdf

[13] Documents filed and relied on in Puttuswamy v Union of India

[14] Request for empanelment, accessed: 28 August, 2014. http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf

[15] This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India

[16] An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.

[17] Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India

It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.

[18] Para. 48 in the Counter Affidavit filed by NCR Delhi.

[19] Affidavit in K. Puttuswamy v Union of India.

See also: FAQs: Enrollment Agencies, accessed 22 August, 2014 http://uidai.gov.in/faq.html?catid=37

[20] Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3

[21] RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf

[22] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[23] http://censusindia.gov.in/2011-Common/IntroductionToNpr.html, accessed: 26 August, 2014

[24] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[25] R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation