We are anonymous, we are legion

Accessing pirated content might lead to prison term & Rs 3-lakh fine

praskrishna — 2016-08-23T02:47:52Z

India puts onus of downloading and viewing pirated content on individuals.

The article by Alnoor Peermohammed was published in the Business Standard on August 22, 2016. Sunil Abraham was quoted.

The central government is putting the onus of downloading and viewing of copyrighted content from sites it has blocked (with the help of internet service providers) on users.

Visiting torrent (a particular type of files) websites while on Tata Communications’ network recently had users being shown a message that viewing or downloading content on those sites could land them in prison for up to three years and a fine of up to Rs 3 lakh.

“There is not enough room in our prisons to keep these infringers and enough time in our courts to try them. It might sound very exciting as a message to put out but, essentially, they’re trying to scare people into good behaviour,” said Sunil Abraham, executive director at research firm Centre for Internet and Society.

There has been no change to the Copyright Act of 1957 or the Information Technology Act of 2000 for the updated notice being shown to users upon visiting blocked sites. Under these provisions, visiting a site, which is blocked is not illegal, unless it is child pornography.

“Copyright infringement happens all the time and even in developed countries, the rates are very high. Crackdowns on individuals and consumers are never going to solve the problem,” added Abraham.

Experts say the most the government could do is prosecute a couple of people and make examples of them, to dissuade others. This practice is followed globally. There are no examples, though, in India of prosecution for copyright infringement of online content.

The recent alteration of the statement seen by users on Tata networks was done on the directives of the Bombay High Court, after the company appealed that showing individual messages for why each website was blocked was not feasible. The resulting message sparked media frenzy that visitors of blocked websites could now be imprisoned.

Other media reports revealed that the recent blocking of websites by internet service providers was prompted by court orders to prevent piracy of Dishoom, the Bollywood movie.

Globally, there’s been a move to clamp on torrent websites which host pirated content, aided by large information technology entities such as Apple or Facebook. Last month, the US authorities arrested Kickass Torrents’ founder, Arten Vaulin, and blocked all the domains of the website, only to have it resurface a day later.

For more details visit https://cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine

UIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)

sumandro — 2016-08-22T13:25:03Z

The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.

Invitation

Download (PDF)

Venue

Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.

Location on Google Map: https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/.

Agenda

10:00-10:30 Tea and Coffee

10:30-11:00 Introductions and Updates from Delhi Workshop

11:00-12:45 Reconfiguration of Welfare Governance by UIDAI

12:45-14:00 Lunch

14:00-15:00 Updates on Ongoing Cases against UIDAI

15:00-15:15 Tea and Coffee

15:15-16:45 Open Discussion on Countering Welfare Exclusion

16:45-17:00 Tea and Coffee

For more details visit https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27

Public Panel Discussion: Digitalisation for Social Change

praskrishna — 2016-08-19T13:47:28Z

Sunil Abraham is participating as a panelist in a discussion co-organized by Mount Carmel College, Bangalore and Friedrich-Ebert-Stiftung, India Office in Bangalore on August 22, 2016.

Welcome Remarks by Sunanda BV , Mount Carmel College, Bangalore and Patrick Ruether, Friedrich-Ebert-Stiftung, India Office

On the Panel:

Digital Solutions to social problems and development challenges or Social Entrepreneurship and digital transformation: Sunil Abraham, Centre for Internet and Society
Gendered perspective on digital transformation: Anita Gurumurthy , IT for Change
India 2030 – the change I want Maureen Almeida, Student, Mount Carmel College
Technology as best practice: Anurag Shanker, NASVI, New Delhi

Note: Each panelist will give an input for about 5-7 minutes and this will be followed by Q&A session moderated by Rakhee Bakshee, Women's Feature Service

For more info contact: Jyoti Rawal, jyoti@fesindia.org

For more details visit https://cis-india.org/internet-governance/news/public-panel-discussion-digitalisation-for-social-change

Responses to Trai’s consultation paper on free data contain some good suggestions

praskrishna — 2016-08-17T03:05:57Z

Trai has announced that it will come up with a final consultation paper on ‘Free Data’, and also a pre-consultation paper on Net Neutrality by the end of this month.

The blog post by Asheeta Regidi was published by FirstPost's Tech 2 on August 15, 2016.

The pre-consultation paper on Free Data (the Consultation Paper), which was issued in May 2016, asked for options where free data could be provided for accessing certain websites or apps without violating the Discriminatory Tariff Regulations issued earlier in February. The objective of the paper is to maximise internet penetration, and make internet available even to the poorest.

The models suggested in the Consultation Paper are a reward of free data for certain internet uses, zero data charges for accessing certain content, and refunding data charges in a manner similar to refund of LPG subsidies. These models are very similar to plans like Facebook’s Free Basics and Airtel Zero, which were banned by the Discriminatory Tariff Regulations.

While it is clear that Trai has no intention of withdrawing the Discriminatory Tariff Regulations, the Consultation Paper does appear to open up the doors to net neutrality violations again. Here’s a look at the comments and counter-comments that have come in response to this paper.

A motorist rides past a hoarding advertising Facebook’s Free Basics. Image: Reuters

Large TSPs and TSP associations want content-based free data schemes
The response of large TSPs like Vodafone, Idea and so on are quite predictable. They, alongwith most of the TSP associations such as ACTO, COAI and AUSPI, are in support of the idea of free access to certain sites. They, in fact, point out the similarities between the proposed models and the similar models brought out by them, such as Airtel’s One Touch Internet and Reliance’s Facebook Tap. They have also asked for a withdrawal of the Discriminatory Tariff Regulations, on the grounds that they hamper the innovation and forbearance capabilities of the TSPs.

They do, however, take issue with the fact that a TSP agnostic platform, or a platform which is completely independent of the TSPs, is to be given the power to decide how the lower prices or discounts are to be provided. They allege that there is nothing to prevent such a platform from acting as a gatekeeper in itself. They argue that TSPs are in a better position to perform this function, since they are subject to strict regulatory and licensing requirements from Trai.

Employees at an outsourcing centre in Bengaluru Image: Reuters

Smaller TSPs and other companies fear net neutrality violations
Smaller TSPs like Atria, Citicom and MTS are against content based free data proposal, mostly on the grounds that the models suggested violate net neutrality. They point out that allowing content based free data in any form will give an unfair advantage to large TSPs and content providers. Smaller companies and start-ups will be left in the lurch since they will not have the financial capabilities to effectively compete with such schemes. These entities also share the fear of the TSPs that there is nothing to stop a TSP agnostic platform from also acting as a gatekeeper.

Commuters with their smartphones in a Mumbai local. Image: Reuters

Some alternative suggestions for free data schemes which do not violate net neutrality
The approach suggested by Trai will, to a large extent, only benefit existing users of the internet, since a basic internet access of some sort is required before the users can enjoy the benefits of a rewards or a refund. Software Freedom Law Centre (SFLC), in its comments, points to research that found that only 12 percent of the users of zero rating services abroad (no data charges for certain websites), started using it because of the zero rating. Clearly, these schemes are not achieving the objective of increasing internet usage, and an alternative solution is required.

Many of the responses came up with alternative suggestions for free data schemes which can increase internet usage without violating net neutrality. Some of these suggestions are listed below:

The Digital Empowerment Foundation suggests the provision of free data quotas or packs, which would give a limited amount of data free of charge to all consumers. Any data usage above the basic pack will be charged at normal rates. It also suggests making such packs mandatory as a part of the TSP licensing terms or alternatively subsidising the cost of these packs through other benefits to the TSPs.
MTS suggests that content providers be allowed free internet access for a limited time or quantity, such as 30 minutes per day, or 100MB per day, to certain groups, like low income groups.
Mozilla and SFLC suggest the ‘equal rating’ system, where a small amount of data per day is made available free of charge to all internet users, over and above whatever other packs they may have purchased.
The Centre for Internet and Society suggests that the government allow TSPs to provide free internet to all, at a lower speed, and in return exempt the TSPs from the USO contributions in their license fees. This will ensure free data to all without differentiating based on content.
SFLC also suggests an increase in free public Wi-Fi hotspots, like the kind being made available in Indian railway stations, to increase internet accessibility without content-based discrimination.
MTNL suggests that if content-based free data is to be allowed, the government should determine what constitutes the basic services to be allowed for free, such as railway booking services, and not leave this to the understanding of the TSPs.
MTS also suggests that content providers be allowed to give data-based rewards for certain activity, such as watching associated advertisements.
Atria suggests that if free data is to be allowed, first establish a negative list of what cannot be done, such as no throttling of speeds.

Anonymous protests against Internet laws in Mumbai. Image: Reuters

First establish ground rules of net neturality
One common aspect of most of the comments to the Consultation Paper was the confusion regarding Trai’s stance on net neutrality. Many entities, including the large TSPs, pointed out the contradiction between this Consultation Paper and the Discriminatory Tariff Regulations.

This paper gives the impression that the Discriminatory Tariff Regulations were issued not to prevent content based discrimination, but to prevent telecom service providers from becoming ‘gatekeepers’. In reality, that is not the main fear of the people, but the fear that net neutrality will be affected. The culprits might be anyone, whether it is the TSP, the content provider or the TSP agnostic platform suggested by Trai. It needs to modify its approach, and first lay down the fundamental rules on net neutrality. Any other regulations must first comply with these rules.

While the motives of Trai are laudible, it is hoped that Trai will look into the several suggestions made that will achieve the dual targets of maximum internet penetration as well as securing net neutrality.

For more details visit https://cis-india.org/internet-governance/news/first-post-tech-2-august-15-2016-asheeta-regidi-responses-to-trai-consultation-paper-on-free-data-contain-some-good-suggestions

Rational Internet laws essential to fulfil India’s digital goals

praskrishna — 2016-08-15T04:13:06Z

India has emerged as a digitally-connected nation but experts suggest the country still lacks pragmatic Internet laws.

The article by Krishna Makwana was published by Deccan Chronicle on August 14, 2016. Sunil Abraham was quoted.

According to a report by Internet and Mobile Association of India, our country has approximately 400 million Internet users. Given the fact that we now prevail in the digital age, the government needs to work towards devising an unbiased internet policy for helping budding entrepreneurs and businesses.

Though the government, under its Digital India initiative, has addressed manifold problems over the past year, the ambiguous internet laws in the country have had a drastic effect on businesses and individuals.

Sunil Abraham, Executive Director of Centre for Internet Society, said, “There are three categories of laws which we must consider. One, speech regulation laws –- here we tend to be more repressive in comparison to other mature democracies. Two, intellectual property law which can enable or undermine access to knowledge -– here we are quite progressive and we must thank our policymakers for their foresight. Three, privacy and data protection laws –- these are incomplete, outdated or missing -– this not only undermines the rights of citizens but also weakens our cyber security.”

Defamation and national security can be listed among other issues that have threatened free speech; there have been instances where weak Internet laws led to the defamation of several artists and authors, curbing freedom to expression.

Not only individuals but online businesses have also had to limit their potential, in order adhere to the India’s hazy Internet laws. Among others, countless websites have been blocked by the government over the past few years.

However, with proper regulation in place along with rational vigilance, many of these problems might cease to exist.

It’s essential that these issues are thought about, in-depth. The country needs to build a structure that can deliver innovation, protection and provision of one and all.

“Without improving the three important areas that I pointed out, we cannot be successful at Digital India, Make In India and Start Up India,” Abraham concluded.

For more details visit https://cis-india.org/internet-governance/news/deccan-chronicle-krishna-makwana-august-14-2016-rational-internet-laws-essential-to-fulfil-indias-digital-goals

And now, Aadhaar-enabled smartphones for easy verification and money transfer

praskrishna — 2016-08-12T02:50:58Z

As reported earlier, the Indian government has planned to make Aadhaar-enabled smartphones , with which users would be able to self-authenticate and let businesses and banks verify the identity of their clients. This would also help in the government's aim of a cashless society.

The article was published in Business Insider on August 10, 2016. Sunil Abraham was quoted.

While applauding this plan Nandan Nikelani, former chairman of UIDAI told ET that, "Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)."

In July, senior executives of UIDAI and smartphone companies met to discuss ways to allow smartphones let citizens authenticate their fingerprints and iris on the phone, so that they could avail government services from the comfort of their homes.

The most immediate use for these smartphones would be the Unified Payment Interface (UPI), a new payment system which would allow money transfer between any two parties by simply using their mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani.

With time, Aadhaar authentication will also be made open to third party apps, said another person familiar with the ongoing discussions on the condition of anonymity.

This would let users allow apps to access their biometric and iris scans, just like they grant access to other features like camera, contacts, SMS etc. However, from their end, handset makers have raised security concerns about using iris scan for Aadhar authentication.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider.

For this, the he proposal includes a "hardware secure zone" which would encrypt biometric data before sending it out. However, even this isn't a foolproof idea.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

To this, Nilekani said, "the reluctance to make changes at the vendor level is mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons." He added that both ends, the handset and the Aadhaar database, will be using the highest level of encryption.

For more details visit https://cis-india.org/internet-governance/news/business-insider-august-10-2016-and-now-aadhaar-enabled-smartphones-for-easy-verification-and-money-transfer

Implementing Indian languages in feature phones will be difficult

praskrishna — 2016-08-10T15:51:44Z

A recent government standard requiring support for inputting text in any one Indian language in mobile phones - along with Hindi and English - has manufacturers worried. The companies argue that the well-intentioned move may be difficult to implement, especially in the case of feature phones, because inventory and logistics will have to be planned for each state.

The article by Gulveen Aulakh and Neha Alawadhi was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

The Bureau of Indian Standards (BIS) said in June that all mobile phones must support the ability to type messages in English, Hindi and at least one additional Indian official language. It also requires message readability for all 22 Indian official languages. The objective is to enable widespread communication in local languages, especially for people who may not use English or Hindi with as much ease.

Handset makers said while such changes, which are yet to be notified, can be done easily through software in smartphones, it would be a big challenge for feature phones because of screen and keypad limitations, apart from managing supplies.

"It will be nightmarish to do planning for the number of models (with different languages) to be sold in each state, and plan inventory and logistics around that, so it's very challenging," said Gaurav Nigam, product head of Lava International, which has a phone with message-reading ability in all 22 Indian official languages.

Nigam said the BIS standard does not mandate the printing of vernacular languages on keypads, which would have created a massive hurdle for mobile phone manufacturers. "I might end up over-stocking in some states and lesser inventory in some states, which might lead to loss of sales since I won't be able to divert a Kerala-printed stock to Punjab or any other state," Nigam said. However, the government is hopeful of compliance.

An official said logistical and supply-chain issues can be addressed by companies. "We are talking to them and we are open to giving them a leeway of nine to 12 months to implement the order," said the official, requesting anonymity.

The official said although the government had started consultations on the premise that the third language should be imprinted on the keypad, it was felt in due course that other technologies could also be used. "Some lanFeature phones account for 65 per cent of the total mobile phone user base of about 700 million in India and are popular in rural areas and smaller towns. Sales of feature phones in the country declined to 150 million last year from 179-180 million, according to International Data Corporation, a US market research company.

The Indian Cellular Association, which represents mobile phone makers in India including Apple, Samsung Electronics, Micromax Informatics and Intex, said that it was talking to the BIS and the Department of Electronics and Information Technology on excluding the imprinting of vernacular language characters on keypads from the standard and allowing handset makers to develop solutions for local language input capability in phones.

"A formal communication or notification is expected soon from DeitY on implementing the rules," said Pravin Gondane, associate director at ICA. The department is expected to hold consultations with the industry by the month-end before it comes out with a notification that mandates the standard.

Sunil Abraham, executive director of the Centre for Internet and Society, suggested a middle ground where the government could map all reasonably popular input standards and document them so that customers can pick a phone they are comfortable with.

While awaiting the notification, the association has internally sent notices to all companies stating that printing on keypads may not be necessary, even for feature phones, Gondane said. Alternative solutions could include a keypad cover that lists vernacular language characters for text input and inputting of text through a virtual keypad.

While a task force set up by DeitY admits it's a challenge to implement this rule for feature phones because the number of keys is limited, it suggested that a common minimum framework to assign characters on 12 keys should follow international standards and incorporate Indian languages requirement on the same. The taskforce has issued best practices for designing Indian language text-entry mechanisms for phones with 12 keys, rather than lay out a standard for keypads.

Smartphones have touchscreens, making language reading and inputting changes a software requirement that's easy to implement. Samsung smartphones and feature phones are enabled with typing, reading and changing user interface in 14 local languages, said Manu Sharma, the company's VP of mobile business.guages can be easily printed on the keyboard, while others can be enabled through typing on the screen," the official said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-gulveen-aulakh-neha-alawadhi-implementing-indian-languages-in-feature-phones-will-be-difficult

Indian companies need to boost encrpytion adoption rate: experts

praskrishna — 2016-08-10T14:36:05Z

Most banks do not follow Reserve bank of India’s standard 64/128-bit encryption policy due to laxity and unavailability of funds.

The article by Koustav Das was published in the Deccan Chronicle on August 9, 2016. Sunil Abraham was quoted.

A recent report by security software firm Sophos highlighted the increasing number of online attacks on Indian businesses, suggesting strong encryption policies can change the existing scenario.

As per a SophosLab research, India’s threat exposure rate has been pegged at 16.7 per cent, ranking fifth in terms of highest percentage of endpoints exposed to malware attack.

The research said cyber-criminals have developed a keen sense of luring organisations on the basis of location, language and disguise, leading to an acute increase in the number of targeted attacks.

Global Experts have explained that digital attackers have taken the aid of advanced malware including deadly ransomwares, which involve locking or capturing an organisation’s valued data and demanding money to unlock it.

In future, ransomware have been predicted to become deadlier, allowing hackers to take control of an organisation’s entire network security.

Not only financial and IT companies but Government websites also face similar obstructions due to lack of updated security tools.

Mohit Puri, Head of Pre-sales, Sophos India and SAARC, said, "India faces increased risk from cyber-criminals due to its high economic growth, which has left several companies to re-think their security strategy."

Reactive to attacks, not proactive

Though Puri mentioned that Indian enterprises have been trying to prevent such attacks, large fissures in network security have made the task easier for online criminals.

One of the major reasons for companies failing to prevent advanced cyber-attacks can be attributed to the lack of pragmatic solutions, albeit their awareness about the situation.

Puri said, “While companies are aware about security threats to our systems, we are still not there in terms of how we are trying to mitigate these threats.”

According to Sunil Abraham, Director of The Centre For Internet and Society (CIS), there are manifold issues that have led to the scenario of India’s poor online security.

He said that Indian businesses and financial organisations recognize the situation but do not want to allocate budget for updating their security infrastructure.

“The problem with cyber-security is just like smoking; people are aware of it but they do not care about the warnings. Companies know about the looming threats but need an episode to make a move towards updating their network infrastructure,” Abraham added.

Enterprises also struggle due to the absence of sufficient cyber-security professionals in the country. Abraham said, “There are uncountable software professionals in India but the story is totally opposite when it boils down to cyber-security professionals.”

Weak encryption adoption

According to technology enthusiast Blaise Crowly, Co-Founder & Head Of Security Design Gladius & Schild, "Cryptography—a broader form of encryption—can be defined as a branch of mathematical algorithms that can be used to securely protect data."

Crowly added, “It is the one of the strongest form of all defence mechanisms against cyber attacks.”

However, a Sophos assessment—State of Encryption Today—where 1,700 Indian IT managers were surveyed, showed the ignorance of companies towards integrating strong encryption tools.

Out of the total number of participants, 61 per cent felt encryption holds significant importance in protecting a company’s proprietary data.

Others had peculiar reasons—18 per cent felt that encryption would help avoid incurring additional costs after a breach and 23 per cent just wanted to avoid negative publicity of the company.

Even in case of banks, reports suggested that most banks do not follow Reserve bank of India’s (RBI) standard 64/128 bit encryption policy due to laxity and unavailability of funds.

“Indian organisations need to take a second look at their security posture and deploy up-to-date synchronized security solutions that are able to combat today’s threats as well as tomorrows,” said Puri.

Government’s role

A 2015 CIS study, titled “How India Regulates Encryption” mentioned that under section 84A of the IT Act, the government has the sole authority to prescribe modes and methods of encryption.

Though the government has not yet issued any rules in exercise of these powers, it had released earlier released a draft encryption policy on September 21, 2015. However, it failed to pass it due to wide-spread criticism regarding certain mandates in the draft.

In addition, the Internet Service Providers (ISP) License Agreement, between the Department of Telecommunication (DoT) and Internet Service Providers (ISP), limit the use of encryption up to 40-bit key length in symmetric algorithms—an extremely weak standard.

Although it cannot be enforced if organisations employ third-party encryption systems, it becomes extremely expensive for them. In such a scenario, companies hesitate in using better encryption standards.

CIS Director Sunil Abraham said, “To solve the issue, the government should work towards incentivising and enforcing strong security infrastructure which will help companies get these features at a lower price.”

Adding to the aforementioned statement, Crowly highlighted that current security standards set by the government cannot adeptly counter advanced threats.

“OpenSSL, LibNaCl and similar protocols provide free implementation of encryption schemes that companies can use. The only issue is that companies and government agencies should show proper diligence in hiring experts in this field,” Crowly concluded.

For more details visit https://cis-india.org/internet-governance/news/deccan-chronicle-koustav-das-august-9-2016-indian-companies-need-to-boost-encryption-adoption-rate

Aadhaar-enabled smartphones will ease money transfer

praskrishna — 2016-08-10T13:33:54Z

With its plans to make smartphones Aadhaar-enabled, the government hopes to provide users a means to do self-authentication and let businesses and banks verify the identity of their clients through their smartphones, a move that could potentially lead the way to a cashless society.

The article by Neha Alawadhi and Gulveen Aulakh was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

"Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)," Nandan Nikelani, former chairman of the Unique Identification Authority of India, told ET, welcoming the government's plan to make smartphones Aadhaar-enabled.

ET was the first to report that on July 27 a meeting between UIDAI, which administers Aadhaar, and senior executives of smartphone-makers discussed ways to allow smartphone handsets let citizens authenticate their fingerprints and iris on the phone to get services. The most immediate use for the Aadhaar-enabled smartphones is the Unified Payment Interface (UPI), the new payment system that allows money transfer between any two parties using mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani. Over time, the idea is to open Aadhaar authentication to third party apps, said another person familiar with the ongoing discussions, who did not wish to be named.

In effect, biometric and iris scan authentication could become one of the permissions a user grants to different third party apps, such as access to camera, contacts, phone book and so on. Handset makers have raised concerns about some security issues on using iris scan for Aadhar authentication. Also, companies such as Apple that have very closed ecosystems, would not be easy to get on board, several people told ET.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider, who is aware of the discussions, requesting anonymity. The proposal for smartphone makers includes a "hardware secure zone" where biometric data will be encrypted and sent out. It will not leave the electronic secure zone without encryption, and every phone doing Aadhaar authentication will be registered in the UID system.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

"The reluctance to make changes at the vendor level are mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons," Nilekani said, adding that both ends - the handset and the Aadhaar database -- will use the highest level of encryption.

Samsung India, which in May launched the Galaxy Tab Iris, a device that uses Aadhaar authentication, said it has taken care that its user's biometric data does not fall into the wrong hands. "We ensure that biometric data is encrypted as per UIDAI specifications in device itself for Galaxy Tab Iris," Sukesh Jain, vice president, Samsung India Electronics, told ET in an email response.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-neha-alawadhi-gulveen-aulakh-aadhaar-enabled-smartphones-will-ease-money-transfer

Apps can give personal information to strangers

praskrishna — 2016-08-08T01:22:20Z

We love our apps. A study done last year, found that app usage in India has grown 131 per cent. But apps are notorious for accessing personal data and we’re obligingly careless with our privacy. Inadvertently, users give away third-parties access to their phone calls and right to operate cameras on their mobiles.

The article by Mebin John was published in the New Indian Express on August 8, 2016. Sunil Abraham was quoted.

Therefore, they can listen in to conversations and click photos as and when it pleases them.

“The detailed privacy policy of most of these apps run into pages and people rarely read through them,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. “The policy is also loaded with tech jargon, which is lost on the general public.”

A study, done in June this year by Norton, reveals that one in two Indians have permitted access to their contacts and mobile data in exchange for free applications. Forty per cent have allowed access to their camera and browsing history, and 50 per cent given permission to send promotional text/emails.

A mobile application developer in Bengaluru, who wishes to remain anonymous, says, “App developers collect personal information of individuals and make a massive database. They then sell this data base to marketing agencies.” A database of 5 crore people pays `5,000 and this is sold over and over again.

Many application developers claim that they make large databases with the help of applications. “I have a database with email IDs of 2.5 lakh people,” says another app developer of the data he mined from one app.

Chief Technology Officer at T.I.G.E.R Innovations and Publicize Bengaluru, Geo Joy, says: “It is true that we can track an individual’s personal conversations and activities using mobile applications. I’ve heard that many applications scoop details from phone conversations for marketing purposes.”

“If you are not paying for anything, then you are the product,” Abraham puts it succinctly.

According to him, with access to your conversations or GPS, a third party could monitor your activities. It can get more specifid: with data from GPS, accelerometer and gyroscope, a developer can read your driving pattern.

Laws here are easy on developers too. Elonnai Hickok, a researcher from CIS, says, “Apart from Section 43A of the Information Technology Act, we don't have any strict laws or enforcement agencies to monitor these applications that breach the privacy of an individual.”

In India, since we don’t have a statutory body to monitor applications and their privacy violations, experts suggest individuals exercise caution.

CTO Joy suggests upgrading your operating systems. “Latest versions of all operating systems will warn you when an external medium tries to track your information,” he says. “So people who use the older versions should switch to the latest one or upgrade the software.

CE picks five permissions and how they could be misused.

For more details visit https://cis-india.org/internet-governance/news/apps-can-give-personal-information-to-strangers

Why experts are worried about Aadhaar-based authentication

praskrishna — 2016-08-07T02:16:29Z

As private companies are increasingly using Aadhaar data, is the privacy and security of personal data really at risk? What do those defending Aadhaar have to say?

The post was published in Citizen Matters on August 2, 2016. Amber Sinha was quoted.

The Unique Identification numbers of Aadhaar card holders are being extensively used by government and private agencies for authentication purposes, as we have already seen in an earlier article.

There are 246 registered Authentication User Agencies in India, both government and private, which are helping organisations and individuals in executing the authentication process. In simple terms, they help the organisation that has placed the authentication request, to confirm the identity of a person during hiring, lending loans or while implementing welfare schemes.

But all does not seem well with the Aadhaar authentication process. Concerns have been raised about the privacy and security aspects and, loopholes in the law.

The amended Aadhaar Bill (now, Aadhaar Act) has a clause that allows the UIDAI to respond to any authentication query “with a positive, negative or any other appropriate response.” This move has drawn a lot of criticism from the activist fraternity. They have questioned the government on framing an Act that places the security and privacy of individual citizens at risk.

Even before the Bill was passed, legal scholar Usha Ramanathan had, in an article published in Scroll.in, expressed concern over private agencies using the Aadhaar database for authenticating the identity of an individual.

“Very little was heard about the interest private companies would have in this information data base. It is not until the 2016 Bill was introduced in Lok Sabha that we were told, expressly, that just about any person or company may draw on the Aadhaar system for its purposes. There are no qualifications or limits on who may use it and why. It depends on the willingness of the Unique Identification Authority of India, which is undertaking the project, to let them become a part of the Aadhaar system,” she wrote.

What’s crucial in the entire process is how the government is allowing private players to use Aadhaar-based information, putting the privacy of Aadhaar-holders at stake. The government is technically allowed to share the Aadhaar information with other agencies, only if the holder has given consent to sharing his information, during enrollment.

The guidelines for recording Aadhaar demographic data states: “Ask resident’s consent to whether it is alright with the resident if the information captured is shared with other organisations for the purpose of welfare services including financial services. Select appropriate circle to capture residents response as - Yes/No.”

In 2011, Citizen Matters had published a report on how people wanting to register for Aadhaar were not asked if they would agree to share their personal information. Citizens seemingly were unaware of the provision for sharing information with a third party and data operators had reportedly not asked them for their consent before marking ‘yes’ for the consent option.

There remains a regulatory vacuum

In less than four months of the enactment of the Aadhaar Act, the number of private agencies using Aadhaar database for identity authentication too has grown long. Amber Sinha, Programme Officer at the Center for Internet and Society expresses concern over the privacy implications that a project of this magnitude would lead to.

“The original idea of Aadhaar was to use it for providing services under welfare schemes. But the Aadhaar Act lets private agencies avail the Aadhaar authentication service. The scope of the Act itself doesn’t envisage sharing the data with private parties, but if any third party wants to authenticate the identity of an individual, they can use the UIDAI repository for the purpose,” he points out.

In the process, Amber says, the CIDR has to send a reply in ‘yes’ or ‘no’ format, for any request seeking to confirm the identity of an individual. The new legislation gives scope for the authorities to respond to a query with a positive, negative or any other appropriate response.

“The Aadhaar enrollment information includes demographic and biometric details. So at this stage, we do not know what that “other appropriate response” stands for. Further, while there are requirements to take the data subject’s consent under the Act, there is lack of clarity on the oversight mechanisms and control mechanisms in place when a private party collects information for authentication. The UIDAI is yet to frame the rules and the rules will probably determine this. Until the rules are framed, some of the issues will exist in regulatory vacuum,” Amber observes.

Under the current circumstances, Amber says, the responsible thing to do for UIDAI is not to make such services available until the rules are framed.

But why has the Authority then started the authentication process even before the rules have been framed? Assistant Director General of the Authentication and Application Division of UIDAI, Ajai Chandra says the rules when framed will have retrospective effect, from the date the Act was enacted.

Activists have also questioned the UIDAI for allowing private agencies to use and authenticate Aadhaar data, when the Supreme Court has restricted the use of Aadhaar. In its last order dated 15 October 2015, the Apex Court allowed the government to use Aadhaar in implementing selective welfare schemes such as PDS, LPG distribution, MGNREGS, pension schemes, PMJDY and EPFO. It makes no mention about the UIDAI using the Aadhaar data repository to provide services to private agencies.

“When the Supreme Court has restricted the use of Aadhaar number to a few specific government programmes only, how can UIDAI allow the data to be used for any other programmes, let alone by private agencies?” Amber asks.

In a very brief conversation, Reena Saha, Additional DG, UIDAI told Citizen Matters that UIDAI was acting as per the Supreme Court’s order dated October 15th. “We aren’t sharing the data with private agencies,” she said.

‘Authentication happening only with consent’

Srikanth Nadhamuni, CEO of Khosla Labs - a registered Authentication User Agency, who was also the Head of Technologies at UIDAI, rejects the accusations on the security aspect, saying that the authentication system is completely secure and foolproof.

“We have made a secure system so that there is no man in the middle taking the biometric information. The biometric information shared on the application is encrypted and neither the AUA nor the Authentication Service Agency (an intermediary between the AUA and the CIDR) can open it. Both the AUA and ASA will sign on the packet and forward it to the data repository as it is. There is no way that we can figure out what is inside the packet. Once the request reaches the data repository, they will unlock the signatures, run the authentication and reply in ‘yes’ or ‘no’ or with an error code,” Srikanth explains.

ADG Chandra says that at present the CIDR is replying to authentication requests in an “yes/no” format. “We aren’t sharing the data with any agencies. Upon receiving the request for authentication, be it demographic, biometric or one time pin (OTP), a notification is sent to the registered mobile / email address of the Aadhaar holder,” he says. So if the Aadhaar holder has changed the address, phone number, email ID etc after Aadhaar enrollment, he/she should update the data with UIDAI by placing a request online or through post. This will avoid any confusion that may occur during the authentication.

Ajai Chandra further clarifies, “the private agencies seeking authentication (the Authentication User Agency) are not given direct access to the database. On receiving the request, the intermediary Authentication Service Agencies first examine the format of the authentication request. The request is forwarded to the CIDR only if it complies with the format.”

Apart from authentication, the eKYC (Know Your Customer) option also allows companies to retrieve eKYC data of the Aadhaar holder. This data includes photo, name, address, gender and date of birth (excludes mobile number and email ID). But in this case too, “eKYC data can be retrieved only with the consent of the Aadhaar card holder, the person has to be adequately informed about the retrieval and the data cannot be shared with a third party,” says Chandra.

Though Aadhaar Act allows the UIDAI to perform authentication of Aadhaar number, subject to the requesting entity paying the fee, UIDAI at present is providing the service free of cost. “We will provide free service till December 2016 and may levy the fee thereafter,” the ADG says.

For more details visit https://cis-india.org/internet-governance/news/bangalore-citizen-matters-august-2-2016-akshatha-why-experts-are-worried-about-aadhaar-based-authentication

Book Review: Apocalypse Now Redux

nishant — 2016-08-06T04:16:07Z

My review for Arundhati Roy and John Cusack's new book that captures their encounter with Edward Snowden, 'Things that can and cannot be said' is now out. It's an engaging, if somewhat freewheeling, political critique of the times we live in.

The review was published in the Indian Express on August 6, 2016.

Book: Things That Can and Cannot Be Said
Authors: Arundhati Roy & John Cusack
Publication: Juggernaut
Pages: 132
Price: Rs 250

The title of the book — Things That Can and Cannot be Said — demands an imperative. It is as if Arundhati Roy and John Cusack, aware of their internal turmoil in dealing with a world that is rapidly becoming unintelligible, though not incomprehensible, are demanding an order where none exists. Hence, they are advocating for certainty and assurance, only to undermine it, ironically, through their own freely associative writing that mimics linear time and causative narrative. This deep-seated irony of needing to say something, but knowing that saying it is not going to shine a divining light on the sordid realities of the world that is being managed through the production of grand structures like valorous nation states, virtuous civil societies, the obsequious NGO-isation of radical action, and the persistent neutering of justice through the benign vocabulary of human rights, defines the oeuvre, the politics and the poetics of the book. Written like a scrap book, filled with excerpts from long conversations scattered over time and space, annotated by reminiscences of books read long ago that have seared their imprints on the mind, and events that are simultaneously platitudinous for their status as global landmarks and fiercely personal for the scars that they have left on the minds of the authors, the book remains an engaging, if a somewhat freewheeling, ride into a political critique that makes itself all the more palatable and disconcerting for the levity, irreverence and the dark sense of humour that accompanies it.

Composed in alternating chapters, the first half of the book is about Cusack and Roy laying themselves bare. They spare no words, square no edges, and put their personal, political and collective wounds on display with humble pride and proud humility. Cusack’s experience as a screenplay writer comes in handy — he rescues what could have been a long tirade, into a series of conversations. The familiar narratives are rehistoricised and de-territorialised, put into new contexts while eschewing the older ones, thus providing a large landscape that refers to state-sponsored genocide, structural reorganisation of nation states, the dying edge of political action, the overwhelming but invisible presence of capital, and the dithering state of social justice that treats human beings like things. Cusack, identifying the poetic genius of Roy, gives her centre stage, making her the voice in command.

Roy, for her part, seems to have enjoyed this moment in the soapbox — something that she has been doing quite effectively and provocatively to a national and global audience — and gives it her all. There are moments when the text feels indulgent, when the voice feels a little relentless, when the almost schizophrenic global and historical references become a litany of mixed-up events that might have required further nuance and deeper interpretation. However, the whimsical style of Roy’s narrative, with her sense of what is right, and her demeanour that remains friendly, curious and disarming, saves the text from being heavy handed, even when it does dissolve into cloying poignancy and makes you pause, just so that you can breathe.

Surprisingly, it is the second part of the book, where the two encounter Edward Snowden along with Daniel Ellsberg, the “Snowden of the 1960s” who had leaked the Pentagon papers, that falters. Snowden had jocularly mentioned that Roy was there to “radicalise him”. She does that, but in a way that doesn’t give us anything more than what we already know. While Cusack and Roy were committed to getting to know Snowden beyond his systems-man image, there wasn’t much that they could uncover, either in dialogue or in discourse, that could have told us more, endeared us further to possibly the most over-exposed person in recent times. However, one realises that the genius of the narrative is actually in reminding us how transparent Edward Snowden has become to us. We know all kinds of things about this young man — from his girlfriends past to his actions future, from his values and convictions to his opinion on the NSA watching people’s naked pictures — and yet, what has been missing in the Snowden files, has been the larger arc of global politics, social reordering, and perhaps, a glimpse of the post-nation future that Snowden might have seen in his act of whistleblowing that is going to remain the landmark moment that defines the rest of this century.

Once you have gotten over the fact that this is not a book about Snowden, the expectations are better tailored for what is to come, and suddenly, the long prelude to the meeting falls into place. Snowden matches Roy and Cusack in whimsy, irony, political conviction, and the sacred faith in human values that make you want to give them all a fierce hug of hesitant reassurance. What Snowden says, what Roy and Cusack make of it, and how they leave us, almost abruptly at the end, breathless, unnerved, and severely conflicted about some of the 20th century structures like society, activism, nation states, governance, communication, technologies, sharing and caring is what the book has to be read for. The tight screen-writing skills of Cusack meet the perfect timing of Roy’s prose, and all of it becomes surreal, futuristic and indelibly real when it gets anchored on the physical presence of Snowden, who, in exile, talks achingly of the home that has thrown him out and the home that he can never really call his own.

And while there are lapses — fragments, translations and evocations which might have needed more explanations to have their pedagogic intent shine through — there is no denying that, in all its flaws, much like the narrators, the book manages to first immerse you in the cold shock of a sobering reality, clearly positioning the apocalypse as the now, and then drags you out and wraps you up in a warm blanket, opening up forms of critique, formats of intervention, and functions of political commitment towards saying things that have and have not been said. The book should have, perhaps, been titled what could, would, should have been said, but can’t, won’t, shan’t be said — not because of anything else, but because it seems futile.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-august-6-2016-book-review-apocalypse-now-redux

Digital in South Asia

praskrishna — 2016-08-02T15:38:39Z

Sunil Abraham participated in this event organized by the World Economic Forum on July 19, 2016 at Taj Mahal Hotel in Bangalore.

The digital revolution is transforming all the aspects of business and society. The internet has been a principal contributor to evolution and growth in the global economy over the past decades. Modern technologies are dramatically altering today’s industries. It continues to have the potential to propel societies and economies by enabling government and business leaders to develop innovative solutions, platforms, and models.

This session will focus on how Governments are designing, implementing, governing, and monitoring their digital strategies particularly as it pertains to growing the digital economy. The focus of the workshop will be to learn and understand how the Government’s in South Asia have and are currently developing digital agendas to support innovation, entrepreneurship, commerce, and economic growth. Further, the hope is to examine the parameters, mechanisms, and governance structures in the region. This working session will explore the specific opportunities and digital development barriers presented to governments. As well as discuss potential approaches or solutions to these barriers.

Structure

(25 min) Opening, digital champions from the private sector and civil society will present on the key issues of policy and governance as it pertains to growing the digital economy. There will be four discussion leaders and each leader will be given 5-7 minutes to make their remarks

(15 min) The opening remarks will be followed by a moderated discussion and Q&A led by Alan Marcus from the World Economic Forum. Government leaders will have the opportunity to react to the discussion leader’s comments and answer any additional questions. Potential leaders to call on include:

(5min) The next portion of the session will involve breakouts directly related to the Digital Policy work at the WEF. Alan Marcus will describe the Digital Government/ Economy project that is being done at the WEF and how the outcomes from the breakouts will feed the ongoing work.

(45min) Following the moderated discussion, the group will split into four breakouts. Each breakout group will have a Table Leader and Firestarter. The role of the Table Leader is manage the flow of the discussion such that it addresses the three key questions below. The Firstarter will have prepared initial comments to commence the discussion.

1) What are the key policy issues that are critical to driving the digital economy? What hurdles, if any, are associated with governing these policies?

2) What mechanisms are currently being used to determine policy issues?

Many of the issues and needed digital policies straddle various government ministries/ agencies ?
What mechanisms determine policy at the national vs transnational level?

3) How can multistakeholder collaboration enhance and support respective government’s digital agendas?

(15 min) After the breakout groups have finished, each discussion leader will present the key and differentiating results of their table discussion to the plenary group. A moderator from the World Economic Forum will then lead invite comments on the outcomes, and discuss the next steps that could be taken to promote digital government in the region.

(15 min) Closing remarks will be made by Mr Ravi Shanker Prasad, Minister of Communications and Information Technology, India.

For more details visit https://cis-india.org/internet-governance/news/digital-in-south-asia

IGF Academy Regional Workshop

praskrishna — 2016-08-06T15:30:53Z

Sunil Abraham will be a speaker at this event organized by LIRNE Asia in Colombo, Sri Lanka on August 4, 2016. He will speak on the status of freedom of expression, internet governance and multi-stakeholder processes

Sunil Abraham made a presentation at the event.

For more details visit https://cis-india.org/internet-governance/news/igf-academy-regional-workshop

Mandatory Aadhaar card for govt scholarships violates SC order

praskrishna — 2016-07-30T15:55:38Z

There seems to be no end to the government’s legal troubles.

The article by Neelam Pandey and Aloke Tikku was published in the Hindustan Times on July 15, 2016. Sunil Abraham was quoted.

The human resource development (HRD) ministry has made Aadhaar mandatory for government scholarship and fellowship from this academic year, a move that violates the Supreme Court’s order.

Under this decision, the government will transfer the funds to the students’ bank accounts only after they submit their Aadhaar number.

The court had last August barred the government from using Aadhaar for any purpose other than distributing food grain and cooking fuel such as kerosene and LPG. The SC had gone further to rule that production of Aadhaar would not be condition for obtaining any benefits due to a citizen.

It was this SC order that prompted the government to push the Aadhaar law through Parliament to ensure that the court’s restriction did not come in the way of expanding the direct benefit transfer project.

The law – that was passed by Parliament – gave the government powers to make Aadhaar mandatory for receiving any benefit, facility or service that involved any expenditure from the public exchequer.

But most provisions of the Aadhaar law have not come into force yet.

This week, it notified provisions that enabled it to appoint the chairperson of the Unique Identification Authority of India (UIDAI) that issues the 12-digit unique number and set up offices in cities outside Delhi.

“This appears to be contempt of court,” said Sunil Abraham, head of the Bengaluru-headquartered advocacy group, Centre for Internet and Society.

Thomas Mathew, one of the petitioners in the case pending before the Supreme Court, agreed. “I am going to move a contempt petition against the HRD ministry and UGC,” Mathew said, pointing that oil companies were also forcing people to get Aadhaar.

The UGC directive to central universities sets July-end as the deadline for scholars at central universities to get their Aadhaar number. Many scholars who did not have an Aadhaar number said the fellowship were an important source of income for them to get by.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-neelam-pandey-aloke-tikku-july-15-2016-mandatory-aadhaar-card-for-govt-scholarships-violates-sc-order