We are anonymous, we are legion

Bowing to public pressure, govt withdraws draft encryption policy

praskrishna — 2015-10-01T02:15:17Z

Bowing to pressure from the public, the government on Tuesday withdrew a draft policy that sought to control secured online communication, including through mass-use social media and web applications such as WhatsApp and Twitter.

The article was published by the Hindustan Times on September 22, 2015. Pranesh Prakash was quoted.

Communications and information technology minister Ravi Shankar Prasad announced the government’s decision at a news conference, saying the draft National Encryption Policy will be reviewed before it is again presented to the public for their suggestions.

“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. He said the draft would be re-released, but did not say when it would be made public.

“Experts had framed a draft policy...This draft policy is not the government’s final view,” he added. “There were concerns in some quarters. There were some words (in the draft policy) that caused concern.”

The draft will be reviewed and experts will be asked to specify to whom the policy will be applicable, Prasad said. He did not say when the new draft will be made public.

Those using social media platforms and web applications fell outside the scope of an encryption policy, Prasad said.

Several countries have felt the need for an encryption policy because of the boom in e-commerce and e-governance, he remarked. “Cyber space interactions are on the rise. There are concerns about security. We need a sound encryption policy,” he said.

Before Prasad announced the withdrawal of the draft policy, the government had issued an addendum early on Tuesday to keep social media and web applications like WhatsApp, Twitter and Facebook out of its purview.

Secure banking transactions and password protected e-commerce businesses too will be kept out of the ambit of the proposed policy, the addendum said.

The climb down by the government came following a storm of protests from users who objected to any stringent state controls on the use of email, social media accounts and apps.

According to the original draft, users of apps such as WhatsApp and Snapchat would be required to save all messages for up to 90 days and be able to produce them if asked by authorities.

Experts told Hindustan Times the draft policy, if implemented in its current form, could compromise the privacy of users and hamper the functioning of several multi-national service providers in India.

Nikhil Pahwa, editor of the MediaNama website that tracks cyber issues and tech news, said there were several problems even with the addendum to the draft policy.

“The usage of the phrase ‘currently in use’ renders the policy vague: Firstly, when is ‘currently’?” he questioned in a post on his website.

“Will a new service that uses a different kind of encryption to protect its users, still be covered? Why should users be ‘restricted to encryption currently in use’? Why should services like Whatsapp, Facebook and Twitter define our security standards?” said Pahwa, who also volunteers for savetheinternet.in.

Pranesh Prakash, policy director for The Centre for Internet and Society, tweeted that even the addendum “does not clarify anything, but further muddles the encryption policy”.

Social media users called the draft “draconian” and “delusional”, and Congress leader Manish Tewari too attacked the Union government.

“The encryption policy (draft) is a snooping and spying orgy. After net chats, the government may want you to keep a video record of what you do in your bedroom for 90 days,” the Congress spokesperson told reporters.

The draft policy had been posted online last week to seek suggestions from the public.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-september-22-2015-bowing-to-public-pressure-govt-withdraws-draft-encryption-policy

India encryption policy draft faces backlash

praskrishna — 2015-09-22T01:59:44Z

The department of information technology is facing a backlash from industry experts, Internet watchers and netizens on its draft of the National Encryption Policy that it recently made public.

The article by Moulishree Srivastava was published in Livemint on September 22, 2015. Pranesh Prakash gave inputs.

While the draft policy aims to enable a secure environment for both information and transactions in cyberspace for individuals, businesses and government, experts are concerned over privacy and outdated standards prescribed in the policy, among other things.

The policy puts the onus to produce encrypted information when demanded by government agencies on Indian citizens as well as on all the online service providers including instant messaging and e-commerce services that use encryption technology (to convert plain information to an unreadable format).

The department put the policy online late last week and it came on the radar of industry watchers and experts over the weekend. The policy is open for comments from the public till 16 October.

The policy, in its current form, is poorly drafted and the measures listed in it make Indian information systems vulnerable to cyber attacks, experts say.

For instance, the policy has mandated the use of specific standards and algorithms for encryption.

Encryption can be compared to the process of translating information in one language into a foreign language.

“Specifying certain algorithms to be used for encryption, and restricting the key sizes is same as saying that you are only allowed to communicate using a language from a given set of government-specified languages and no other language can be used,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

However, the ones mentioned in the draft policy are outdated and unsafe to use, experts say. Another thing that weakens the security considerably is the req-uirement for businesses and citizens to keep the information (that was encrypted and sent over) for 90 days, in case law en-forcement agencies demand it. But that also means that for those 90 days, cyber criminals, too, can access it, warn experts.

Another big gap in the policy is that it leaves out “sensitive departments/agencies of the government designated for performing sensitive and strategic roles”, said Prakash.

“When the policy states its mission to be the enhancing of confidentiality of information and of security of critical networks by laying out information security best practices, how does it make any sense to keep sensitive or strategic government department and agencies outside its purview?” he asked. “After all, these are the organizations that most need to be kept secure to enhance national cybersecurity.”

The draft is also ambiguous on which online services—be it shopping online or accessing email—people can use (in compliance with the law) and which online service providers will have to be registered with the government.

The policy states that “service providers located within and outside India, using encryption technology for providing any type of services in India, must enter into an agreement with the government for providing such services in India”. Users can only use the services that are registered with the government.

“This is the first time when users are actually being told what are the things they can and cannot do,” said Prakash.

“The government must take note that the knowledge and expertise of common citizens may be inadequate to understand the nuances of encryption,” said cyber law expert Na Vijayashankar on his blog. “For example, if a citizen uses a service available on the Internet which uses, say, a higher level of encryption than what is appro-ved, then this policy may make him liable for the violation.”

The problem is enhanced because all online services use some encryption technology. This means that practically all online activity will fall under this new policy.

For instance, companies like Apple or Microsoft use encryption technologies at various levels of their operating systems; e-commerce services like Flipkart, Amazon and Snapdeal; web browsers like Mozilla Firefox and Google Chrome and mail services like Gmail, Yahoo and Rediff may be required to register with the government. The only way they may escape this requirement is if there is an exemption for products that are in use at a large scale. Network security service providers like Cisco Inc. will also need to comply. (Cisco declined to respond to a query.) Snapdeal said it is still examining the draft policy, while Amazon, Google, Microsoft did not reply to emails sent by Mint. Yahoo said its spokesperson was unavailable.

One clause that is drawing a lot of ire from industry veterans and technology enthusiasts requires individual users and businesses to store all information that was sent in an encrypted form for 90 days from the date of transaction. The users would also be required to reproduce the plain text and the encrypted text, if demanded by law enforcement agencies.

The draft policy also overlooks the privacy concerns of citizens and businesses. “It is clearly a violation of freedom of speech. A large part of the policy states how the government can interfere with users, like, by demanding their private messages. The policy is anti-privacy law,” said Prakash. “Privacy and security go hand in hand. So, as this policy weakens the security of the information, it puts the privacy at greater risk.”

For more details visit https://cis-india.org/internet-governance/news/livemint-moulishree-srivastava-september-22-2015-india-encryption-policy-draft-faces-backlash

Peering behind the veil of ICANN’s DIDP (I)

Padmini Baruah — 2015-10-15T02:42:14Z

One of the key elements of the process of enhancing democracy and furthering transparency in any institution which holds power is open access to information for all the stakeholders. This is critical to ensure that there is accountability for the actions of those in charge of a body which utilises public funds and carries out functions in the public interest.

As the body which “...coordinates the Internet Assigned Numbers Authority (IANA) functions, which are key technical services critical to the continued operations of the Internet's underlying address book, the Domain Name System (DNS)”^{^[1]}, the centrality of ICANN in regulating the Internet (a public good if there ever was one) makes it vital that ICANN’s decision-making processes, financial flows, and operations are open to public scrutiny. ICANN itself echoes the same belief, and upholds “...a proven commitment to accountability and transparency in all of its practices”^{^[2]}, which is captured in their By-Laws and Affirmation of Commitments. In furtherance of this, ICANN has created its own Documentary Information Disclosure Policy, where it promises to “...ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”^{^[3]}

ICANN has a vast array of documents that are already in the public domain, listed here. These include annual reports, budgets, registry reports, speeches, operating plans, correspondence, etc. However, their Documentary Information Disclosure Policy falls short of meeting international standards for information disclosure. In this piece, I have focused on an examination of their defined conditions for non-disclosure of information, which seem to undercut the entire process of transparency that the DIDP process aims towards upholding. The obvious comparison that comes to mind is with the right to information laws that governments the world over have enacted in furtherance of democracy. While ICANN cannot be equated to a democratically elected government, it nonetheless does exercise sufficient regulatory power of the functioning of the Internet for it to owe a similar degree of information to all the stakeholders in the internet community. In this piece, I have made an examination of ICANN’s conditions for non-disclosure, and compared it to the analogous exclusions in India’s Right to Information Act, 2005

ICANN’ꜱ Defined Conditions for Non-Disclosure versus Exclusions in Indian Law :

ICANN, in its DIDP policy identifies a lengthy list of conditions as being sufficient grounds for non-disclosure of information. One of the most important indicators of a strong transparency law is said to be minimum exclusions.^{^[4]} However, as seen from the table below, ICANN’s exclusions are extensive and vast, and this has been a barrier in the way of free flow of information. An analysis of their responses to various DIDP requests (available here) shows that the conditions for non-disclosure have been invoked in over 50 of the 85 requests responded to (as of 11.09.2015); i.e., over two-thirds of the requests that ICANN receives are subjected to the non-disclosure policies.

In contrast, an analysis of India’s Right to Information Act, considered to be among the better drafted transparency laws of the world, reveals a much narrower list of exclusions that come in the way of a citizen obtaining any kind of information sought. The table below compares the two lists:

No.	ICANN^{^[5]}	India	Analysis
1.	Information provided by or to a government or international organization which was to be kept confidential or would materially affect ICANN’s equation with the concerned body.	Information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, "strategic, scientific or economic" interests of the State, relation with foreign State or lead to incitement of an offense^{^[6]}/ information received in confidence from foreign government^{^[7]}	The threshold for both the bodies is fairly similar for this exclusion.
2.	Internal (staff/Board) information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process	Cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers, provided that such decisions the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over (unless subject to these exemptions)^{^[8]}	The Indian law is far more transparent as it ultimately allows for the records of internal deliberation to be made public after the decision is taken.
3.	Information related to the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process	No similar provision in Indian Law.	This is an additional restriction that ICANN introduces in addition to the one above, which in itself is quite broad.
4.	Records relating to an individual's personal information	Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual (but it is also provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied by this exemption);^{^[9]}	Again, the Indian law contains a proviso for information with “relationship to any public activity or interest”
5.	Proceedings of internal appeal mechanisms and investigations.	Information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;^{^[10]}	While ICANN prohibits the disclosure of all proceedings, in India, the exemption is only to the limited extent of information that the court prohibits from being made public.
6.	Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[11]}	This is fairly similar for both lists.
7.	Confidential business information and/or internal policies and procedures.	No similar provision in Indian Law. This is encapsulated in the abovementioned provision	This is fairly similar in both lists.
8.	Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice.	Information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;^{^[12]}	This is fairly similar for both lists.
9.	Information subject to any kind of privilege, which might prejudice any investigation	Information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature^{^[13]}/Information which would impede the process of investigation or apprehension or prosecution of offenders;^{^[14]}	This is fairly similar in both lists.
10.	Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication.	No similar provision in Indian Law	This exclusion is not present in Indian law, and it is extremely broadly worded, coming in the way of full transparency.
11.	Information that relates in any way to the security and stability of the Internet	No similar provision in Indian Law	This is perhaps necessary to ICANN’s role as the IANA Functions Operator. However, given the large public interest in this matter, there should be some proviso to make information in this regard available to the public as well.
12.	Trade secrets and commercial and financial information not publicly disclosed by ICANN.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[15]}	This is fairly similar in both cases.
13.	Information requests: ● which are not reasonable; ● which are excessive or overly burdensome ● complying with which is not feasible ● which are made with an abusive or vexatious purpose or by a vexatious or querulous individual.	No similar provision in Indian Law	Of all the DIDP exclusions, this is the one which is most loosely worded. The terms in this clause are not clearly defined, and it can effectively be used to deflect any request sought from ICANN because of its extreme subjectivity. What amounts to ‘reasonable’? Whom is the process going to ‘burden’? What lens does ICANN use to define a ‘vexatious’ purpose? Where do we look for answers?
14.	No similar provision in ICANN’s DIDP.	Information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;^{^[16]}	-
15.	No similar provision in ICANN’s DIDP.	Information which providing access to would involve an infringement of copyright subsisting in a person other than the State.^{^[17]}	-

Thus, the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law. Clearly, the exclusions above have effectively allowed ICANN to dodge answers to most of the requests floating its way. One can only hope that ICANN realises that these exclusions come in the way of the transparency that they are so committed to, and does away with this unreasonably wide range on the road to the IANA Transition.

^{^[1]} https://www.icann.org/resources/pages/welcome-2012-02-25-en

^{^[2]} https://www.icann.org/resources/accountability

^{^[3]} https://www.icann.org/resources/pages/didp-2012-02-25-en

^{^[4]} Shekhar Singh, India: Grassroot Initiatives in Tʜᴇ Rɪɢʜᴛ ᴛᴏ Kɴᴏᴡ 19, 44 (Ann Florin ed., 2007)

^{^[5]} In a proviso, ICANN’s DIDP states that all these exemptions can be overridden if the larger public interest is higher. However, this has not yet been reflected in their responses to any DIDP requests.

^{^[6]} Section 8(1)(a), Right to Information Act, 2005.

^{^[7]} Section 8(1)(f), Right to Information Act, 2005.

^{^[8]} Section 8(1)(i), Right to Information Act, 2005.

^{^[9]} Section 8(1)(j), Right to Information Act, 2005.

^{^[10]} Section 8(1)(b), Right to Information Act, 2005.

^{^[11]} Section (1)(d), Right to Information Act, 2005

^{^[12]} Section 8(1)(g), Right to Information Act, 2005.

^{^[13]} Section 8(1)(c), Right to Information Act, 2005.

^{^[14]} Section 8(1)(h), Right to Information Act, 2005.

^{^[15]} Section (1)(d), Right to Information Act, 2005

^{^[16]} Section 8(1)(e), Right to Information Act, 2005.

^{^[17]} Section 9, Right to Information Act, 2005.

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp

Sustainable Smart Cities India Conference 2015, Bangalore

vanya — 2015-09-21T02:24:19Z

Nispana Innovative Platforms organized a Sustainable Smart Cities India Conference 2015, in Bangalore on 3rd and 4th September, 2015. The event saw participation from people across various sectors including Government Representatives from Ministries, Municipalities, Regulatory Authorities, as well as Project Management Companies, Engineers, Architects, Consultants, Handpicked Technology Solution Providers and Researchers. National and International experts and stakeholders were also present to discuss the opportunities and challenges in creating smart and responsible cities as well as citizens, and creating a roadmap for converting the smart cities vision into a reality that is best suited for India.

The objective of the conference was to discuss the meaning of a smart city, the promises made, the challenges and possible solutions for implementation of ideas by transforming Indian Cities towards a Sustainable and Smart Future.

Smart Cities Mission

Considering the pace of rapid urbanization in India, it has been estimated that the urban population would rise by more than 400 million people by the year 2050[1] and would contribute nearly 75% to India’s GDP by the year 2030. It has been realized that to foster such growth, well planned cities are of utmost importance. For this, the Indian government has come up with a Smart Cities initiative to drive economic growth and improve the quality of life of people by enabling local area development and harnessing technology, especially technology that leads to Smart outcomes.

Initially, the Mission aims to cover 100 cities across the countries (which have been shortlisted on the basis of a Smart Cities Proposal prepared by every city) and its duration will be five years (FY2015-16 to FY2019-20). The Mission may be continued thereafter in the light of an evaluation to be done by the Ministry of Urban Development (MoUD) and incorporating the learnings into the Mission. This initiative aims to focus on area-based development in the form of redevelopment, or developing new areas (Greenfield) to accommodate the growing urban population and ensure comprehensive planning to improve quality of life, create employment and enhance incomes for all, especially the poor and the disadvantaged.[2]

What is being done?

The Smart City Mission will be operated as a Centrally Sponsored Scheme (CSS) and the Central Government proposes to give financial support to the Mission to the extent of Rs. 48,000 crores over five years i.e. on an average Rs. 100 crore per city per year.The Government has come up with 2 missions:Atal Mission for Rejuvenation and Urban Transformation (AMRUT) and Smart Cities Mission for the purpose of achieving urban transformation.The vision is to preserve India’s traditional architecture, culture & ethnicity while implementing modern technology to make cities livable, use resources in a sustainable manner and create an inclusive environment. Additionally, Foreign Direct Investment regulations have been relaxed to invite foreign capital and help into the Smart City Mission.

What is a Smart City?

Over the two-day conference, various speakers shared a common sentiment that the Governments’ mission does not clearly define what encompasses the idea of a Smart City. There is no universally accepted definition of a Smart City and its conceptualization varies from city to city and country to country.

A global consensus on the idea of a smart city is a city which is livable, sustainable and inclusive. Hence, it would mean a city which has mobility, healthcare, smart infrastructure, smart people, traffic maintenance, efficient waste resource management, etc.

Also, there is a global debate at United Nations regarding developmental goals. One of these goals is gender equality which is very important for the smart city initiative. According to this, a smart city must be such where the women have a life free from violence, must be made to participate and are economically empowered.

Promises

The promises of the Smart City mission include:

Make a sustainable future, reduce carbon footprint, adequate water supply, assured electricity supply, proper sanitation, including solid waste management, efficient urban mobility and public transport, affordable housing especially for the poor, robust IT connectivity and digitalization, good governance, especially e-Governance and citizen participation, sustainable environment, safety and security of citizens, particularly women, children and the elderly, and health and education.

The vision is to preserve country’s traditional architecture, culture & ethnicity while implementing modern technology. It was discussed how the Smart City Mission is currently attracting global investment, will create new job opportunities, improve communications and infrastructure, decrease pollution and ultimately improve the quality of living.

Challenges

The main challenges for implementation of these objectives are with respect to housing, dealing

with existing cities and adopting the idea of retro-fitting.

Also, another challenge is that of eradicating urban poverty, controlling environment degradation, formulating a fool-proof plan, proper waste management mechanism, widening roads but not at the cost of pedestrians and cyclist and building cities which are inclusive and cater to the needs of women, children and disabled people.

Some of the top challenges will include devising a fool-proof plan to develop smart cities, meaningful public-private partnership, increasing the renewable energy, water supply, effective waste management, traffic management, meeting power demand, urban mobility, ICT connectivity, e-governance, etc., while preparing for new threats that can emerge with implementation of these new technologies.

What needs to be done?

The following suggestions were made by the experts to successfully implement government’s vision of creating successful smart cities in India.

Focus on the 4 P’s: Public-Private-People Partnership since people very much form a part of the cities.
Integration of organizations, government bodies, and the citizens. The Government can opt for a sentiment analysis.
Active participation by state governments since Land is a state subject under the Constitution. There must be a detailed framework to monitor the progress and the responsibilities must be clearly demarcated.
Detailed plans, policies and guidelines
Strengthen big data initiatives
Resource maximization
Make citizens smart by informing them and creating awareness
Need for competent people to run the projects
Visionary leadership
Create flexible and shared spaces for community development.

National/International case studies

Several national and international case studies were discussed to list down practical challenges to enable the selected Indian cities learn from their mistakes or include successful schemes in their planning from its inception.

Amsterdam Smart City: It is said to be a global village which was transformed into a smart city by involving the people. They took views of the citizens to make the plan a success. The role of big data and open data was highly emphasized. Also, it was suggested that there must be alignment with respect to responsibilities with the central, state and district government to avoid overlap of functions. The city adopted smart grid integration to make intelligent infrastructure and subsidized initiatives to make the city livable.
GIFT City, Gujarat: This is an ICT based sustainable city which is a Greenfield development. It is strategically situated. One of the major features of the City is a utility tunnel for providing repair services and the top of the tunnel can be utilized as a walking/jogging track. The city has smart fire safety measures, wide roads to control traffic, smart regulations.
TEL AVIV Smart City, Israel: It has been named as the Mediterranean cool city with young and free spirted people. The city comprises of creative class with 3 T’s-talent, technology and tolerance. The city welcomes startups and focuses on G2G, G2C and C2C initiatives by adopting technologically equipped initiatives for effective governance and community building programmes.

Participation

The event saw participation from people across various sectors including Government Representatives of Ministries, Municipalities, Regulatory Authorities, as well as Project Management Companies, Engineers, Architects, Consultants, Handpicked Technology Solution Providers and Researchers.

Foundation for Futuristic Cities: The conference saw participation from this think tank based out of Hyderabad working on establishing vibrant smart cities for a vibrant India. They are currently working on developing a "Smart City Protocol" for Indian cities collaborating with Technology, Government and Corporate partners by making a framework for Smart Cities, Big Data and predictive analytics for safe cities, City Sentiment Analysis, Situation Awareness Tools and mobile Apps for better city life by way of Hackathons and Devthons.
Centre for SMART cities, Bangalore: This is a research organization which aims to address the challenge of collaborating and sharing knowledge, resources and best practices that exist both in the private sector and governments/municipal bodies in a usable form and format.
BDP – India (Studio Leader – Urbanism): The Organization is based out of Delhi and is involved in providing services relating to master planning, urbanism, design and landscape design. The team includes interior designers, engineers, urbanists, sustainability experts, lighting designers, etc. The vision is to help build and create high quality, effective and inspiring built spaces.
UN Women: It is a United Nations Organization working on gender equality, women empowerment and elimination of discrimination. They strive to strengthen rights of women by working with women, men, feminists, women’s networks, governments, local authorities and civil society to create national strategies to advance gender equality in line with national and international priorities. The UN negotiated the 2030 Agenda for Sustainable Development in August 2015 (which would be formally adopted by World leaders in September 2015) and it feature 17 sustainable development goals, one of them being achievement of gender equality and empowerment of all women and girls.
Elematic India Pvt. Ltd.: The Company is a leading supplier of precast concrete technology worldwide providing smart solutions for concrete buildings to help enable build smart cities with safe infrastructure.

Conclusion

The event discussed in great detail about what a smart city would look like in a country like India where every city has different demographics, needs and resources.

The Participants had a mutual understanding that a city is not gauged by its length and width, but by the broadness of its vision and height of its dream. The initiative of creating smart cities would echo across the country as a whole and would not be limited to the urban centers. Hence, the plan must be inclusive in implementation and right from its inception, the people and their needs must be given due consideration to make it a success. The issue of the road ahead was resonating in the minds of many, as to how would this exactly happen. Hence, the first step, as was suggested by the experts, was to involve the citizens by primarily informing them, taking their suggestions and planning the project for every city accordingly. While focusing on cities which would be made better by human ingenuity and technology, along with building mechanism for housing, commerce, transportation and utilities, it must not be forgotten that technology is timely, but culture is timeless. The cities must not be faceless and community space must be built with walkable spaces with smart utilization of limited resources. Also, it must be ensured that the cities do not cater to the needs of the elite and skilled population, but also the less privileged community. Adequate urban mapping must be done to ensure placement for community facilities, such as restrooms, trash bins, and information kiosks.

A story shared from personal experience by an expert Architect in building Green infrastructure was highly instrumental in setting the tone of the conference and is bound to stay with many of the participants. The son of the Architect, a small child from Baroda left his father speechless when he questioned him about the absence of butterflies from the Big City of Mumbai since he used to play with butterflies every morning in his hometown in Gujarat. The incident was genuinely thought provoking and left every architect, government representative and engineer thinking that before they step on to build a smart cities with technologically equipped infrastructure and utilities - can we, as a country, come together and ensure to build a smart city with butterflies? Can we pay equal attention to sustainability, environment and requirements of a community in the smart city that is envisioned by the Government to make the city livable and inclusive?

Questions that I, as a participant, am left with are:

Building a Greenfield project is comparatively easier than upgrading the existing cities into Smart ones, which requires planning and optimum utilization of resources. The role of local bodies needs to be strengthened which would primarily require skilled workforce, beginning from planning to execution. Therefore, what must be done to make the current cities “Smarter” and how encourage and fund ordinary citizens to redefine and prioritize local needs?
The conference touched upon the need for a well-planned policy framework to govern the smart cities; however, what was missing was a discussion on the kind of policies that would be required for every city to ensure governance and monitor the operations. Chalking out well thought of urban policies is the first step towards implementation of the Project and requires deliberation in this regard.
The Government plans seem to cater to the needs of a handful of sections of the society and must focus on safety of women, chalk out initiatives to build basic utilities like public toilets, plan the infrastructure keeping in mind the disabled individuals, etc.

This is of paramount importance since it is necessary for the Government to consider who would be the potential inhabitants of these future smart cities and what would be their particular needs. Before the cities are made better by use of technology, there is a requirement of more toilets as a basic utility. Thus, instead of focusing on technological advancement as the sole foundation to make lives of the people easy, the cities must have provision of utilities which are accessible to develop livable smart cities. Hence, what measures would the Government and other bodies involved in the plan take to ensure that the urban enclaves would not oversee the under privileged class?

Another issue that went unnoticed during the two-day event was pertaining to the Fundamental Rights of individuals within the city. For example, the right of privacy, right to access services and utilities, right to security, etc. These basic rights must be given due recognition by the smart city developers to uphold the spirit of these internationally accepted Human Rights principles. Therefore, it is important to ask how these future cities are going to address the rights of its people in the cities?

Apart from plans of working on waste management, another important factor that must not be overlooked is sustainability in terms of maximization of the available resources in the best possible ways and techniques to be adopted to stop the fast paced degradation of the environment.

The conference could suggest more solutions to adopt measures like rain water harvesting, better sewage management in the existing cities.

Also, the importance of big data in building the smart cities was emphasized by many experts. However, the question of regulation of data being generated and released was not talked about. Use of big data analytics involves massive streaming of data which required regulation and control over its use and generation to ensure such information is not misutilised in any way. In such a scenario, how would these cities regulate and govern big data techniques to make the infrastructure and utilities technologically efficient on one hand, but also to use the large data sets in a monitored fashion on the other?

An answer to these crucial issues and questions would have brought about a lot of clarity in minds of all the officials, planners and the potential residents of the Smart Cities in India.

[1] 2014 revision of the World Urbanization Prospects, United Nations, Department of Economic and Social Affairs, July 2014, Available at : http://www.un.org/en/development/desa/publications/2014-revision-world-urbanization-prospects.html

[2] Smart Cities, Mission Statement and Guidelines, Ministry of Urban Development, Government of India, June 2015, Available at : http://smartcities.gov.in/writereaddata/SmartCityGuidelines.pdf

For more details visit https://cis-india.org/internet-governance/blog/sustainable-smart-cities-india-conference-2015-bangalore

Outrage before sharing

praskrishna — 2015-09-20T17:08:14Z

Has the social media converted people into a lynch mob that seeks out justice and passes judgement instantly, without bothering to hear both sides of the story?

The article by Nikhil Varma was published in the Hindu on September 9, 2015. Rohini Lakshané was quoted.

The Internet has changed the way we communicate in more ways than we can imagine. Apart from being a medium to share pictures and updates with family and friends, social media has also become an arena where political debates are a commonplace and people are quick to make judgements. The social media space has become one where superlatives are commonly used and videos or conversations about inappropriate behaviour or even a tweet or Facebook post has a tendency to go viral and snowball into a shaming of the individual or organisation in question, without bothering to hear out the other side of the story. Outraging can be over anything, from the faults of the Government, to lay people who sometimes find themselves the subject of an online shaming campaign.

Recently, an FB user put up pictures of a person, who she claimed misbehaved with her on a street in Delhi. Within a few hours, the man’s picture went viral and he was arrested by the police, even as he was called names and abused on social media networks. A few days later, eyewitness accounts corroborated the man’s account of the incident. The response online now put the girl at fault and blamed her for politicising the issue. The initial response to the video of the Rohtak sisters bashing up alleged molesters also saw the outrage shifting sides.

How does one deal with people making judgements with a click of a button? Does online shaming dent the chances of people getting justice in genuine cases of assault?

Rohini Lakshané, a researcher at the Centre for Internet and Society says, “Online, public shaming is a useful and often effective strategy for calling out unacceptable behaviour when recourse to other remedies is tedious, time-consuming, or non-existent. Its flipside is that shaming online could lead to mob justice or a witch-hunt. The onus should be on the viewers or readers of such an act of shaming to not take the law into their own hands and on the news media to do their basic duty of checking facts before publishing or broadcasting anything.”

She adds, “People use social networking sites, among other things, as verandas where they can gather gossip, and talk about their interests. If people jumping the gun and being judgemental offline isn’t a cause for concern, I don’t see why it should be when it happens online.”

On checks, Rohini contends, “They would not be in the interest of free speech. It would, of course, make a difference if social media users paused to think.”

V. Shakti, Social Media and Branding Professional, points out that the mass adoption of social media platforms has had positive and negative effects. “It has ensured that anyone can reach out and get any information. The flip side is that this power to reach millions needs to be handled with care and responsibility. The Jasleen Kaur incident is a glaring reflection. Such is the mindset of people online that anyone who is shamed is assumed guilty and derided. Sometimes the shaming does permanent damage to the target and the effects are life-long. The minute Jasleen posted a picture online, even the media jumped in calling the guy a ‘pervert’, if this were some other country, they would be sued. We need to understand that un-shaming is not an option and hence be careful when throwing mud at someone online. Remember, it could be you tomorrow. Think, verify and then act. Like I always say, there are three sides to every story - yours, mine and the truth.”

For psychiatrist and Integrative medicine specialist Shyam Bhatt, online shaming is a combination of a sense of mob justice and the feeling of participating in a cause. “It is easy to sign up for a cause online, you can click share and feel good about yourself. People also tend to get swayed by what their friend circles are talking about.”

Social media user Praveen Rao feels an attempt to feel involved with causes is responsible for this phenomenon.

“It is important for people to check the authenticity and wait for a clear picture to emerge before talking about something. However, in the rush to appear clued in, people tend to share anything that goes viral, without pausing to think if someone’s life could be ruined. It is a good tool to call out genuine cases of misbehaviour and assault, but mob justice should be avoided.”

For more details visit https://cis-india.org/internet-governance/news/hindu-nikhil-varma-september-9-2015-outrage-before-sharing

DIDP Request #12: Revenues

Aditya Garg — 2015-09-14T15:32:37Z

The Centre for Internet & Society (CIS) sought information from ICANN on their revenue streams by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

CIS Request

22 July 2015

To:

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Mr. Samiran Gupta, ICANN India

All other members of Staff involved in accounting and financial tasks

Sub: Raw data with respect to granular income/revenue statements of ICANN from 1999-2011

We would like to thank ICAN for their prompt response to our earlier requests. We appreciate that the granular Revenue Details for FY14 have been posted online.[1] We also appreciate that a similar document has been posted for FY13.[2]

And we hope that one for FY12 would be posted soon, as noted by you in your Response to our Request No. 20141222-1.[3]

As also noted by you in the same request, similar reports cannot be prepared for FY99 to FY11 since “[i]t would be extremely time consuming and overly burdensome to cull through the raw data in order to compile the reports for the prior years”.[4]

Additionally, it was also mentioned that the “relevant information is available in other public available documents”.[5]

Hence, we would like to request for the raw data for years FY99 to FY11, for our research on accountability and transparency mechanisms in Internet governance, specifically of ICANN. Additionally, we would also like to request for the links to such public documents where the information is available.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.
Thank you very much.
Warm regards,
Aditya Garg,
I Year, National Law University, Delhi
For Centre for Internet & Society
W: http://cis-india.org

ICANN Response

ICANN referred to our earlier DIDP request (see here) where we had sought for a detailed report of their granular income and revenue statements from 1999-2014. They refused to disclose the data on grounds that it would be ‘time consuming’ and ‘overly burdensome’, which is a ground for refusal as per their exceptions to disclosure.

Our request may be found here, and their response is linked to here.

[1]. See FY14 Revenue Detail By Source, https://www.icann.org/en/system/files/files/fy2014-revenue-source-01may15-en.pdf.

[2]. See FY13 Revenue Detail By Source, https://www.icann.org/en/system/files/files/fy2013-revenue-source-01may15-en.pdf

[3]. See Response to Documentary Information Disclosure Policy Request No. 20141222-1, https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf.

[4]. Id

[5]. See Response to Documentary Information Disclosure Policy Request No. 20141222-1, https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-12-revenues

DIDP Request #11: NETmundial Principles

Aditya Garg — 2015-09-14T15:08:40Z

The Centre for Internet & Society (CIS) followed up on the implementation of the NETmundial Principles that ICANN has been endorsing by sending them a second request under their Documentary Information Disclosure Policy. This request and their response have been described in this blog post.

22 July 2015

To:

Mr. Fadi Chehade, CEO and President

Mr. Steve Crocker, Chairman of the Board

Mr. Cherine Chalaby, Chair, Finance Committee of the Board

Mr. Xavier Calvez, Chief Financial Officer

Sub: Details of documents within ICANN regarding implementation of NETmundial Principles and documents modified within ICANN as a result of the same

It is our understanding that ICANN is one of the founding members of the NETmundial Initiative. And hence, it has been credited in the public forum for championing the Initiative.[1]

Mr. Fadi Chehade, CEO and President of ICANN, has maintained that it is time for the global community to act and implement the Principles set forth in the initiative.[2]

ICANN itself, in response to one of our earlier requests, has acknowledged that "NETmundial Principles are high-level statements that permeate through the work of any entity –particularly a multistakeholder entity like ICANN."[3]

We, therefore, request for all existing documents within ICANN which represent its efforts to implement the NETmundial Principles within its working. Additionally, we would also want to request for all the documents which were modified as the result of ICANN’s support of the NETmundial Initiave, highlighting the modification so made.

We look forward to the receipt of this information within the stipulated period of 30 days. Please feel free to contact us in the event of any doubts regarding our queries.

Thank you very much.

Warm regards,
Aditya Garg,
1st Year, National Law University, Delhi for Centre for Internet & Society

ICANN Response

ICANN in their response pointed to an earlier DIDP request that we had sent in, and they replied along the same lines. They brought to our attention that ICANN was not responsible for the implementation of the NETMundial Principles, despite it being one of the founding members of the Initiative. They reiterated their earlier statement of ICANN not being the “…home for implementation of the NETmundial Principles or the evolution of multistakeholder participation in Internet governance.” They have failed to provide us with documentary proof of the implementation of these principles, and have only pointed to statements which indicate a potential prospective adoption of said the initiative [4]; the responses have been near identical to those for the earlier DIDP request, which you can find here.

Further, ICANN claims that the information we seek falls within the scope of the exceptions to disclosure they lay down, as it is not within their operational activities, an explanation that fails to satisfy us. As always, they have used the wide scope of their non-disclosure policy to avoid providing us with the requisite information.

The request can be found here, and ICANN’s response has been linked here.

[1]. See McCarthy, I’m Begging You To Join, The Register (12 December 2014), http://www.theregister.co.uk/2014/12/12/im_begging_you_to_join_netmundial_initiative_gets_desperate/

[2]. See NETmundial Initiative Goes Live, Gobal Internet Community Invited to Participate (Press Release), https://www.netmundial.org/press-release-1

[3]. See Response to Documentary Information Disclosure Policy Request No. 20141228-1-NETmundial, https://www.icann.org/en/system/files/files/cis-netmundial-response-27jan15-en.pdf

[4]. Such as Objective 4.3 of their Strategic Five Year Plan. “Demonstrate leadership by implementing best practices in multistakeholder mechanisms within the distributed Internet governance ecosystem while encouraging all stakeholders to implement the principles endorsed at NETmundial” at https://www.icann.org/en/system/files/files/strategic-plan-2016-2020-10oct14-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/didp-request-11-netmundial-principles

CIS Submission on CCWG-Accountability 2nd Draft Proposal on Work Stream 1 Recommendations

pranesh — 2015-11-23T14:58:58Z

The Centre for Internet & Society (CIS) submitted the below to ICANN's CCWG-Accountability.

The CCWG Accountability proposal is longer than many countries' constitutions. Given that, we will keep our comments brief, addressing a very limited set of the issues in very broad terms.

Human Rights

ICANN is unique in many ways. It is a global regulator that has powers of taxation to fund its own operation. ICANN is not a mere corporation. For such a regulator, ensuring fair process (what is often referred to as "natural justice") as well as substantive human rights (such as the freedom of expression, right against discrimination, right to privacy, and cultural diversity), are important. Given this, the narrow framing of "free expression and the free flow of information" in Option 1, we believe Option 2 is preferable.

Diversity

We are glad that diversity is being recognized as an important principle. As we noted during the open floor session at ICANN49: [We are] extremely concerned about the accountability of ICANN to the global community. Due to various decisions made by the US government relating to ICANN's birth, ICANN has had a troubled history with legitimacy. While it has managed to gain and retain the confidence of the technical community, it still lacks political legitimacy due to its history. The NTIA's decision has presented us an opportunity to correct this.

However, ICANN can't hope to do so without going beyond the current ICANN community, which while nominally being 'multistakeholder' and open to all, grossly under-represents those parts of the world that aren't North America and Western Europe.

Of the 1010 ICANN-accredited registrars, 624 are from the United States, and 7 from the 54 countries of Africa. In a session yesterday, a large number of the policies that favour entrenched incumbents from richer countries were discussed. But without adequate representation from poorer countries, and adequate representation from the rest of the world's Internet population, there is no hope of changing these policies.

This is true not just of the business sector, but of all the 'stakeholders' that are part of global Internet policymaking, whether they follow the ICANN multistakeholder model or another. A look at the board members of the Internet Architecture Board, for instance, would reveal how skewed the technical community can be, whether in terms of geographic or gender diversity.

Without greater diversity within the global Internet policymaking communities, there is no hope of equity, respect for human rights — civil, political, cultural, social and economic — and democratic functioning, no matter how 'open' the processes seem to be, and no hope of ICANN accountability either.

Meanwhile, there are those who are concerned that diversity should not prevail over skill and experience. Those who have the greatest skill and experience will be those who are insiders in the ICANN system. To believe that being an insider in the ICANN system ought to be privileged over diversity is wrong. A call for diversity isn't just political correctness. It is essential for legitimacy of ICANN as a globally-representative body, and not just one where the developed world (primarily US-based persons) makes policies for the whole globe, which is what it has so far been. Of course, this cannot be corrected overnight, but it is crucial that this be a central focus of the accountability initiative.

Jurisdiction, Membership Models and Voting Rights

The Sole-Member Community Mechanism (SMCM) that has been proposed seems in large part the best manner provided under Californian law relating to public benefit corporations of dealing with accountability issues, and is the lynchpin of the whole accountability mechanism under workstream.

However, the jurisdictional analysis laid down in 11.3 will only be completed post-transition, as part of workstream. Thus the SMCM may not necessarily be the best model under a different legal jurisdiction. It would be useful to discuss the dependency between these more clearly. In this vein, it is essential that the Article XVIII Section 1 not be designated a fundamental bylaw. Further, it would be useful to add that for some limited aspects of the transition (such as IANA functioning), ICANN should seek to enter into a host country agreement to provide legal immunity, thus providing a qualification to para 125 ("ICANN accountability requires compliance with applicable legislation, in jurisdictions where it operates.") since the IANA functions operator ought not be forced by a country not to honour requests made by, for example, North Korea.

It should also be noted that accountability needs independence, which may be of two kinds: independence of financial source, and independence of appointment. From what one could gather from the CCWG proposal, the Independent Review Panel will be funded by the budget the ICANN Board prepares, while the appointment process is still unclear.

One of the most important accountability mechanisms with regard to the IANA functions is that of changing the IANA Functions Operator. As per the CWG Stewardship's current proposal, the "Post-Transition IANA" won't be an entity that is independent of ICANN. If the PTI's governance is permanently made part of ICANN's fundamental bylaws (as an affiliate controlled by ICANN), how is it proposed that the IFO be moved from PTI to some other entity if the IANA Functions Review Team so decides? Additionally, for such an important function, the composition of the IFRT should not be left unspecified.

While it is welcome that a separation is proposed between the IANA budget and budget for rest of ICANN's functioning, the current discussion around budgets seems to be based on the assumption that all IANA functions will be funded by ICANN, whereas if the IANA functions are separated, each community might fund it separately. That provides two levels of insulation to IANA functions operator(s): separate sources of operational revenue, as well as separate budgets within ICANN.

It should be noted that there have been some responses that express concern about the shifting of existing power structures within ICANN through some of the proposed alternative voting allocations in the SMCM. However, rather than present arguments as to why these shifts would be beneficial or harmful for ICANN's overall accountability, these responses seem to assume that shift from the current power structures are harmful. This is an unfounded assumption and cannot be a valid reason, nor can speculation of how the United States Congress will behave be a valid reason for rejecting an otherwise valid proposal. If there are harms, they ought to be clearly articulated: shifts from the status quo and fear of the US Congress aren't valid harms. Thus, while it is important to consider how different voting rights models might change the status quo while arriving at any judgments, that cannot be the sole criterion for judgment of its merits. Further, as the French government notes:

[T]he French Government still considers that linking Stress Test 18 to a risk of capture of ICANN by governments and NTIA’s requirement that no “government-led or intergovernmental organization solution would be acceptable”, makes no sense. . . . Logically, the risk of capture of ICANN by governments in the future is as low as it is now and in any case, it cannot lead to a “government-led or intergovernmental organization solution”.

While dealing with the question of relative voting proportions, the community must remembered that not all parts of the world are equally developed with regard to the domain name industry and with respect to civil society as those countries in North America, Western Europe, and other developed nations, and thus may not find adequate representation via the SOs. In many parts of the world, civil society organizations — especially those focussed on Internet governance and domain name policies — are non-existent. Thus a system that privileges the SOs to the exclusion of other components of a multistakeholder governance model would not be representative or diverse. A multistakeholder model cannot disproportionately represent business interests over all other interests.

In this regard, the comments of former ICANN Chairperson, Rod Beckstrom, at ICANN43 ought to be recalled:

ICANN must be able to act for the public good while placing commercial and financial interests in the appropriate context . . . How can it do this if all top leadership is from the very domain name industry it is supposed to coordinate independently?

As Kieren McCarthy points out about ICANN:

The Board does have too many conflicted members
The NomCom is full of conflicts
There are not enough independent voices within the organization

Reforms in these ought to be as crucial to accountability as the membership model.

The current mechanisms for ensuring transparency, such as the DIDP process, are wholly inadequate. We have summarized our experience with the DIDP process, and how often we were denied information on baseless grounds in this table.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-on-ccwg-accountability-2nd-draft-proposal-on-work-stream-1-recommendations

Transnational Due Process: A Case Study in Multi-stakeholder Cooperation

praskrishna — 2015-11-07T15:47:41Z

The Internet & Jurisdiction Project is organizing the workshop “Transnational due process: A case study in multi-stakeholder cooperation” at the Internet Governance Forum convened by the United Nations on November 10-13, 2015. Sunil Abraham will be a speaker in this event.

Multi-stakeholder cooperation is necessary to develop and implement operational solutions to Internet Governance challenges. One such challenge is the tension between the cross-border nature of the Internet and diverse national jurisdictions. As a result, direct requests are increasingly addressed by public authorities and courts in one country to Internet platforms and DNS operators in other jurisdictions for domain seizures, content takedowns and user identification.

Since 2012, the Internet & Jurisdiction Project facilitates a multi-stakeholder dialogue process on this issue. More than 80 entities have collaboratively produced a draft transnational due process framework.

The roundtable at the Internet Governance Forum 20125 will gather participants in the I&J Project from different stakeholder groups to report on the progress of the Internet & Jurisdiction process and talk about:

the method employed to develop this framework, challenges encountered and solutions found
the potential distribution of roles among the respective stakeholders in the operation of the diverse framework components

Participants

ANNE CARBLANC, Head of Division, Directorate for Science, Technology and Industry, OECD
EILEEN DONAHUE, Director Global Affairs, Human Rights Watch
BYRON HOLLAND, President and CEO, CIRA (Canadian ccTLD)
CHRISTOPHER PAINTER, Coordinator for Cyber Issues, US Department of State
SUNIL ABRAHAM, Executive Director, CIS India
ALICE MUNYUA, Lead dotAfrica Initiative and GAC representative, African Union Commission
Speaker tbc, Google
FRANK LaRUE, Former UN Special Rapporteur for Freedom of Expression
Speaker tbc, German Federal Foreign Office
HARTMUT GLASER, Executive Secretary, Brazilian Internet Steering Committee
MATT PERAULT, Head of Policy Development, Facebook

This was published on the website of Internet & Jurisdiction Also see this on IGF website.

For more details visit https://cis-india.org/internet-governance/news/transnational-due-process-a-case-study-in-multi-stakeholder-cooperation

Bangalore Chapter Meet of DSCI

sunil — 2015-09-09T01:40:56Z

The Centre for Internet & Society (CIS) will host the Bangalore Chapter Meeting of Data Security Council of India (DSCI) on September 26, 2015 at its Bangalore office in Domlur. The event will be held from 2.30 p.m. to 5.30 p.m.

After the Nasscom cyber security task force meeting held at Wipro in June, followed by DSCI Best Practices meet in July, we now have the next chapter meeting at CIS.

Speakers

The first speaker will be Melissa Hathaway, Commissioner, Global Commission for Internet Governance. She is an internationally distinguished cyber security expert and has worked as cyber security adviser in two US Presidential Administrations, and is the former acting Senior Director for cyberspace at the National Security Council in the US. The topic she will be speaking on is "Connected Choices".

The second speaker will be Sunil Abraham, Executive Director, CIS (Center for internet & Society). Sunil is a renowned thought leader when it comes to internet governance, cyber space & its interface with civil society and actively contributes to DSCI and other forums. He will be presenting on "Anonymity in Cyberspace" - the SIG that he led over last 8 months along with a diverse group of members from the industry in Bangalore.

Agenda

Time	Topic
2.30 p.m. - 2.45 p.m.	Recent Developments and Updates from DSCI
2.45 p.m. - 4.00 p.m.	Srinivas P. (Anchor): DSCI Bangalore Chapter
4.00 p.m. - 5.00 p.m.	Melissa Hathaway: Connected Choices
5.00 p.m. - 5.30 p.m.	Sunil Abraham: Anonymity in Cyberspace

This will be followed by High Tea & Networking.

For participation, please send your email confirmation to Rajesh of Infosys at Rajesh_K18@infosys.com

Since seats are limited, the participation will be restricted to first 50 confirmations. We had to organize it on a Saturday, due to Melissa’s availability – I’m sure many of you who know about her as expert security speaker, will not see weekend as a constraint to attend. Look forward to meeting you at CIS.

For more details visit https://cis-india.org/internet-governance/events/bangalore-chapter-meet-of-dsci-september-26-2015

Human DNA Profiling Bill 2012 v/s 2015 Bill

vanya — 2015-09-06T14:10:26Z

This entry analyses the Human DNA Profiling Bill introduced in 2012 with the provisions of the 2015 Bill

A comparison of changes that have been introduced in the Human DNA Profiling Bill, June 2015.

Definitions:

1. 2012 Bill: The definition of "analytical procedure" was included under clause 2 (1) (a) and was defined as an orderly step by step procedure designed to ensure operational uniformity.

2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.

2. 2012 Bill: The definition of "audit" was earlier defined under clause 2 (1) (b) and was defined as an inspection used to evaluate, confirm or verify activity related to quality.

2015 Bill: This definition has been included under the Explanation under clause 22 which provides for measures to be taken by DNA Laboratory.

3. 2012 Bill: There was no definition of "bodily substance".

2015 Bill: Clause 2(1) (b) defines bodily substance to be any biological material of or from a body of the person (whether living or dead) and includes intimate/non-intimate body samples as well.

4. 2012 Bill: The definition of "calibration" was included under clause 2 (1) (d) in the previous Bill.

2015 Bill: The definition has been removed from the definition clause and has been included as an explanation under clause 22.

5. 2012 Bill: Previously "DNA Data Bank" was defined under clause 2(1)(h) as a consolidated DNA profile storage and maintenance facility, whether in computerized or other form, containing the indices as mentioned in the Bill.

2015 Bill: However, in this version, the definition has been briefed under clause 2(1) (f) to mean as a DNA Data Bank as established under clause 24.

6. 2012 Bill: Previously a "DNA Data Bank Manager" was defined clause 2(1) (i) as the person responsible for supervision, execution and maintenance of the DNA Data Bank.

2015 Bill: In the new Bill, it is defined clause 2(1) (g) as a person appointed under clause 26.

7. 2012 Bill: Under clause 2(1) (j), the definition of "DNA laboratory" was defined to be any laboratory established to perform DNA procedures.

8. 2015 Bill: Under clause 2(1) (h) "DNA laboratory" has been now defined to be any laboratory established to perform DNA profiling.

9. 2012 Bill: "DNA procedure" was defined under clause 2(1) (k) as a procedure to develop DNA profile for use in the applicable instances as specified in the Schedule.

2015 Bill: This definition has been removed from the Bill.

10. 2012 Bill: There was no definition of "DNA Profiling".

2015 Bill: DNA profiling has been defined under clause 2(1) (j) as a procedure to develop DNA profile for human identification.

11. 2012 Bill: "DNA testing" was defined under clause 2(1) (n) as the identification and evaluation of biological evidence using DNA technologies for use in the applicable instances.

2015 Bill: This definition has been removed.

12. 2012 Bill: "forensic material" was defined under clause 2(1) (o) as biological material of or from the body of a person living or dead, and representing an intimate body sample or non-intimate body sample.

2015 Bill: This definition has been included under the definition of "bodily substance" under clause 2(1) (b).

13. 2012 Bill: "intimate body sample" was defined under clause 2(1) (q).

2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

14. 2012 Bill: "intimate forensic procedure" was defined under 2(1) (r).

2015 Bill: This has been removed from the definitions clause and has been included as an explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

15. 2012 Bill: "non-intimate body sample" was defined under clause 2(1) (v) in 2012 Bill.

2015 Bill: The definition of "non-intimate body sample" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

16. 2012 Bill: "non-intimate forensic procedure" was defined under clause 2(1) (w) in 2012 Bill.

2015 Bill: The definition of "non-intimate forensic procedure" has not been included in the definitions clause and has been included as an Explanation under clause 23 which addresses sources and manner of collection of samples for DNA profiling.

17. 2012 Bill: "undertrial" was defined under clause 2(1) (zk) as a person against whom a criminal proceeding is pending in a court of law.

2015 Bill: The definition now states such a person against whom charges have been framed for a specified offence in a court of law under clause 2(1) (zc).

DNA Profiling Board:

1. 2012 Bill: Under clause 4 (a), the Bill stated that a renowned molecular biologist must be appointed as the Chairperson.

2015 Bill: Under clause 4 addressing Composition of the Board, the Bill states that the Board shall consist of a Chairperson who shall be appointed by the Central Government and must have at least fifteen years' experience in the field of biological sciences.

2. 2012 Bill: Under clause 4 (i), the Chairman of National Bioethics Committee of Department of Biotechnology, Government of India was to be included as a member under the DNA Profiling Board.

2015 Bill: This member has been removed from the composition.

3. 2012 Bill: Under clause 4 (m), the term of 1 person from the field of genetics was not mentioned in the 2012 Bill.

2015 Bill: In this Bill under clause 4 (m), it has been stated that such a person must have minimum experience of twelve years in the field.

4. 2012 Bill: The term of 2 people from the field of biological sciences was not mentioned in the 2012 Bill under clause 4 (l).

2015 Bill: Under clause 4 (l), it has been stated that such 2 people must have minimum experience of twelve years in the field.

5. The following members have been included in the 2015 Bill-

i. Chairman of National Human Rights Commission or his nominees, as an ex-officio member under clause 4 (a).

ii. Secretary to Government of India, Ministry of Law and Justice or his nominees (not below rank of Joint Secretary), as an ex-officio member under clause 4 (b).

6. 2012 Bill: Under clause 5, the term of the members was not uniform and varied for all members.

2015 Bill: The term of people from the field of biological sciences and the person from the field of genetics has been states to be five years from the date of their entering upon the office, and would be eligible for re-appointment for not more than 2 consecutive terms.

Also, the age of a Chairperson or a member cannot exceed seventy years.

The term of members under clauses (c), (f), (h), and (i) of clause 4 is 3 years and for others the term shall continue as long as they hold the office.

Chief Executive Officer:

2012 Bill: Earlier it was stated in the Bill under clause 10 (3) that such a person should be a scientist with understanding of genetics and molecular biology.

2015 Bill: The Bill states under clause 11 (3) that the CEO shall be a person possessing qualifications and experience in science or as specified under regulations. The specific experience has been removed.

A new clause- 12(5) addresses power of the Board to co-opt the number of people for attending the meetings and take part in proceedings; however such a person shall be devoid of voting rights. Also, such a person shall be entitled to specified allowances for attending the meetings.

Officers and Other Employees of Board:

2012 Bill: The Bill stated under clause 11 (3) that the Board may appoint consultants required to assist in the discharge of its functions on such terms and conditions as may be specified by the regulations.

2015 Bill: The 2015 Bill states under clause 12 (3) that the Board may appoint experts to assist for discharging its functions and may hold consultations with people whose rights may be affected by DNA profiling.

Functions of the Board:

2012 Bill: 26 functions were stated in the 2012 Bill.

2015 Bill: The number of the functions has been reduced to 22 with a few changes based on recommendations of Expert Committee.

Power of Board to withdraw approval:

2015 Bill: The circumstances in which the Board could withdraw its approval have not been changed from the 2012 Bill (previously under clause 16). There's an addition to the list as provided under clause 17 (1) (d) wherein the Board can also withdraw its approval in case the DNA laboratory fails to comply with any directions issued by the DNA Profiling Board or any such regulatory Authority under any other Act.

Obligations of DNA Laboratory:

2015 Bill: There is an addition to the list of obligations to be undertaken by a DNA laboratory under clause 19 (d). The laboratory has an additional obligation to share the DNA data prepared and maintained by it with the State DNA Data Bank and the National DNA Data Bank.

Qualification and experience of Head, technical and managerial staff and employees of DNA Laboratory:

2012 Bill: The previous Bill clearly mandated under clause 19 (2) the qualifications of the Head of every DNA laboratory to be a person possessing educational qualifications of Doctorate in Life Sciences from a recognised University with knowledge and understanding of the foundation of molecular genetics as applied to DNA work and such other qualifications as may be specified by regulations made by the Board.

2015 Bill: The provision has been generalized and provides under clause 20 (1) for a person to be possess the specified educational qualifications and experience.

Measures to be taken by DNA Laboratory:

2012 Bill: In the previous Bill, there were separate clauses with regard to security, minimization of contamination, evidence control system, validation process, analytical procedure, equipment calibration and maintenance, audits of laboratory to be followed by a DNA Laboratory.

2015 Bill: In the 2015 Bill, these measures to be adopted by DNA Laboratory have been included under one clause itself-clause 22.

Infrastructure and training:

2012 Bill: The specific provisions regarding infrastructure, fee, recruitment, training and installing of security system in the DNA Laboratory were present in the Bill under clauses 28-31.

2015 Bill: These provisions have been removed from the 2015 Bill.

Sources and manner of collection of samples for DNA profiling:

2012 Bill: Part II of the Schedule in the Bill provided for sources and manner of collection of samples for DNA Profiling.

The sources include: Tissue and skeleton remains and Already preserved body fluids and other samples.

Also, it provided for a list of the manner in which the profiling can be done:

(1) Medical Examination (2) Autopsy examination (3) Exhumation

Also, provision for collection of intimate and non-intimate body samples was provided as an Explanation.

2015 Bill: Under Clause 23, the sources include bodily substances and other sources as specified in Regulations. The other sources remain unchanged.

Also, provision for collection of intimate and non-intimate body samples is addressed in clause 23(2).

The explanation to the provision states what would be implied by the terms medical practitioner, intimate body sample, intimate forensic procedure, non-intimate body sample and non-intimate forensic procedure.

DNA Data Bank:

- Establishment:

2012 Bill: The Bill did not specify any location for establishment of the National DNA Data Bank.

2015 Bill: The Bill states under clause 24 (1) that the Central Government shall establish a National DNA Data Bank at Hyderabad.

-Maintenance of indices of DNA Data Bank:

2012 Bill: Apart from the DNA profiles, every DNA Data Bank shall contain the identity of the person from whose body the substances are taken in case of a profile in the offenders' index as under clause 32 (6) (a).

2015 Bill: Clause 25 (2) (a) states that the DNA Data Bank shall contain the identity for the suspects' or offenders' index.

DNA Data Bank Manager:

2012 Bill: The Bill States under clause 33 (1) that a DNA Data Bank Manger shall be appointed for conducting all operations of the National DNA Data Bank. The functions were not specific.

2015 Bill: The Bill states under clause 26 (1) specifically that a DNA Data Bank Manger shall be appointed for the purposes of execution, maintenance and supervision of the National DNA Data Bank.

- Qualification:

2012 Bill: In the previous Bill, it was stated under clause 33 (3) that the DNA Data Bank Manager must be a scientist with understanding of computer applications and statistics.

2015: The Bill states under clause 26 (2) that the DNA Data Bank Manager must possess educational qualification in science and any such experience as prescribed by the regulations.

Officers and other employees of the National DNA Data Bank:

2012 Bill: The Bill stated under clause 34 (3) that the Board may appoint consultants required to assist in the discharge of the functions of the DNA Data Banks.

2015 Bill: The Bill provides under clause 27 (3) that the Board may appoint experts required to assist in the discharge of the functions of the DNA Data Banks

Comparison and Communication of DNA profiles:

2015 Bill: The New Bill specifically addresses comparison and communication the DNA profiles as that in the offenders' or crime scene index under clause 28 (1). Also, there is an additional provision under clause 29 (3) which states that the National DNA Data Bank Manger may communicate a DNA profile through Central Bureau of Investigation on request of a court, tribunal, law enforcement agency or DNA laboratory to the Government of a foreign State, an international organization or institution of Government.

Use of DNA profiles and DNA samples and records:

2012 Bill: The Bill provided under clause 39 that all DNA profiles, samples and records would be used solely for purpose of facilitating identification of perpetrator of an offence as listed under the Schedule. The proviso to this provision addressed the fact that such samples could be used to identify victims of accidents or disaster or missing persons, or any purpose of civil dispute.

2015 Bill: The Bill restricts the use of all DNA profiles, samples and records solely for purpose of facilitating identification of a person under the Act under clause 32.

DNA Profiling Board Fund:

2012 Bill: The Bill stated under clause 47 (2) that the financial power for the application of monies of the Fund shall be delegated to the Board in such manner as may be prescribed and as may be specified by the regulations made by the Board.

Also, the Bill stated that the Fund shall be applied for meeting remuneration requirements to be paid to the consultants under clause 47 (3) (c).

2015 Bill: This provision has not been included in the Bill. Also, the Bill does not include the provision of paying the remuneration to the experts from the Fund.

Delegation of Powers:

2012 Bill: The Bill provided under clause 61 that The Board may delegate its powers and functions to the Chairperson or any other Member or officer of the Board subject to such conditions, if necessary.

2015 Bill: This provision has not been included in the 2015 Bill.

Powers of Board to make rules:

2012 Bill: The Bill provided for an exhaustive list consisting of 33 powers listed under clause 65.

2015 Bill: The Bill provides for a list of 27 powers of the Board under clause 57.

Schedule:

2012 Bill: In the list of offense where human DNA profiling would be applicable, there was an inclusion of any law as may be specified by the regulations made by the Board.

2015 Bill: This provision has been removed from the 2015 Bill.

For more details visit https://cis-india.org/internet-governance/blog/human-dna-profiling-bill-2012-vs-2015

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

August 2015 Bulletin

praskrishna — 2015-10-27T00:25:02Z

We are happy to share with you the eighth issue of the Centre for Internet and Society (CIS) newsletter (August 2015). The past editions of the newsletter can be accessed at http://cis-india.org/about/newsletters.

Highlights

Researchers at Work programme has published a book titled Digital Activism in Asia Reader exploring in detail digital activism in Asia. The Reader was edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun. The pre-publication drafts of two sections written by Sumandro Chattapadhyay for the third volume (2000-2010) of the Asia Internet History series edited by Prof. Kilnam Chon have been posted for open-review process. As part of the 'Studying Internets in India' series, RAW published blog entries on Governing Speech on the Internet and Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual. NVDA team conducted a workshop at Jeevan Jyoti School for the Blind, Varanasi from August 26 to 28, 2015. Eighty five students and 13 teachers took part in the training programme. NVDA team had conducted another workshop earlier in Nashik. The workshop was conducted in June. A batch of 17 Special Educators and teachers of the blind attended the workshop. Maggie Huang, Arpita Sengupta and Paavni Anand as part of the Pervasive Technologies project co-authored a research paper that seeks to compare the publicly available information on the websites of music collective management organizations ("CMOs") operating within India, the United States, and the United Kingdom. Amulya Purushothama, Nehaa Chaudhari and Varun Baliga in a blog entry have delved into the question of what the mandate of the Sectoral Innovation Council is, what its activities are, and what vision for IPR development in India has it put forth. An RTI Application has been filed by CIS to attain information on these issues. In a blog post, Amulya Purushothama announced our new MHRD IPR Chair Series and has charted the sequence of events, starting from the establishment of MHRD IPR Chairs, to discussions surrounding their purpose and functioning, to concerns surrounding the lack of information about the IPR Chairs, the first round of RTIs that CIS had filed in regard to this and the responses it solicited. Subhashish Panigrahi interviewed Prateek Pattanaik. Prateek has not just digitized as many as 54 Odia-language poetry dating early 18th century but has also annotated, both poetic and prosaic translation in his blogs "Sri Jagannatha" and "Utkal Sangeet". He has also published a complete book "Kisora chandranana champu" on Odia Wikisource. A recent entrant into the Odia Wikimedia community, Prateek is also the youngest Odia Wikimedian. Rohan George and Elonnai Hickok in a blog post analyzed consent, big data and data protection that examines in detail why the principle of consent is providing us increasingly less of an aegis in protecting our data. Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh on behalf of CIS submitted a clause-by-clause comments on the Human DNA Profiling Bill that was circulated by the Department of Biotechnology on June 9, 2015. Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar co-authored an article titled Security: Privacy, Transparency and Technology. The article was published by Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2. Elonnai Hickok in a blog post titled A Review of the Policy Debate around Big Data and Internet of Things has done an analysis as to how regulators and experts across jurisdictions are reacting to Big Data and Internet of Things. The Supreme Court of India has deemed it fit to refer the question of the very existence of a fundamental right to privacy to a Constitution Bench to finally decide the matter, and define the contours of such right if it does exist. Vipul Kharbanda analyses this in a blog entry. Experts and regulators across jurisdictions are examining the impact of Big Data practices on traditional data protection standards and principles. This will be a useful and pertinent exercise for India to undertake as the government and the private and public sectors begin to incorporate and rely on the use of Big Data in decision making processes and organizational operations. Elonnai Hickok has provided an initial evaluation of how Big Data could impact India's current data protection standards. Elonnai Hickok has provided a comparison of Human DNA Profiling Bill 2012 vs. the Human DNA Profiling Bill 2015, CIS's main recommendations vs. the 2015 Bill, Sub-Committee Recommendations vs. the 2015 Bill, and the Expert Committee Recommendations vs. the 2015 Bill. CIS submitted its comments to the non-paper on the UNGA Overall Review of the Implementation of the WSIS outcomes, evaluating the progress made and challenges ahead. In a policy brief, Vipul Kharbanda has analyzed the different laws regulating surveillance at the state and central level in India and calls out ways in which the provisions are unharmonized. The brief then provides recommendations for the harmonization of surveillance law in India. Hardnews interviewed Sunil Abraham about the future of the internet in India. The article was published in their August edition. Shyam Ponappa in an Op-ed published by Business Standard has given an analysis on the reasons of the number of dropped calls on our mobile phones.

Accessibility and Inclusion

Under a grant from the Hans Foundation we are doing a project on developing text-to-speech software for 15 Indian languages. The progress made so far in the project can be accessed here. The project on creating a national resource kit of state-wise laws, policies and programmes on issues relating to persons with disabilities in India got over and the compilation has been printed.

NVDA and eSpeak

Monthly Updates

August 2015 Report (Suman Dogra; July 31, 2015).

Event Reports

Training in eSpeak Marathi (Organized by NVDA team; National Association for the Blind; Nashik; June 22 - 23, 2015). The workshop was held in the month of June but the report got published later in August.
Training in eSpeak Hindi (Organized by NVDA team; Jeevan Jyoti School for the Blind; Varanasi; August 26 - 28, 2015).

Access to Knowledge

As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

Pervasive Technologies

Blog Entries

Methodology: Patent Landscaping in the Indian Mobile Device Market (Rohini Lakshané; November 10, 2014). This blog post published last year has been recently updated.
Comparative Transparency Review of Collective Management Organisations in India, United Kingdom and the United States (Maggie Huang, Arpita Sengupta and Paavni Anand; August 1, 2015).

Other (Copyright and Patent)

Blog Entries

CCI Participation at the Upcoming 3rd International Conference on IPR and Competition (Amulya Purushothama; August 5, 2015). CIS wrote to the Competition Commission of India Chairman on August 5, 2015 about participation at a conference organised by Ericsson and concerns regarding conflict of interest. We also had several other NGOs sign on to the letter.
MHRD IPR Chair Series: Introduction (Amulya Purushothama; August 10, 2015). Aditya Garg assisted in research and writing.
National IPR Policy Series: What Have the Sectoral Innovation Councils Been Doing on IPR (Nehaa Chaudhari and Varun Baliga; August 13, 2015). Amulya Purushothama assisted with research and writing.

Media Coverage

Competition Commission of India chariman's participation in Assocham conference raises conflict of interests (Rema Nagarajan; The Times of India; August 6, 2015).
Assocham event sparks row over conflict of interest by CCI (Dilasha Seth and Deepak Patel; Business Standard; August 6, 2015).

Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entry

Odia Wikisource has a new Wikisourcer, and he is the youngest in the Odia Wikimedia community! (Subhashish Panigrahi; August 21, 2015).

Events Co-organized

Annamaya Library edit-a-thon (Organized by CIS-A2K and Telugu Wikipedia Community; August 6, 2015; Andhra Loyola College; Vijaywada).
International Workshop on Digitization and Archiving (Organized by CIS-A2K and Wikipedia Community; August 19 - 21, 2015). Rahmanuddin Shaik was one of the trainers.

FOSS

Participation in Events

Workshop on digital collaborations in Tamil-language, Tamil Virtual Chennai (Organized by Tamil Virtual University, Anna University Campus, Chennai; August 8 - 9, 2015). Dr. U.B. Pavanaja atttended this event.
Open Innovation, entrepreneurship, and our digital future (Organized by iSpirit; Bangalore; August 13, 2015). Rohini Lakshané attended the event. Rohini wrote a report on this .

Media Coverage

CIS gave its inputs to the following:

Telugu Wikipedia Edit-a-thon at ALC (Eenadu; August 6, 2015)
Telugu Wiki Edit-a-thon in ALC (Eenadu; August 6, 2015)
Rare Telugu religious and historical work preserved at Annamacharya library to come on Wikisource! (The Hans India; August 7, 2015).
ಗ್ರಾಮೀಣ ಪ್ರದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿಯಿಂದ ದೇಶದ ಆರ್ಥಿಕ ಪ್ರಗತಿ ಸಾಧ್ಯವಾಗುತ್ತದೆ. (Mangalorean.com; August 13, 2015).
ವಿಕಿಪಿಡಿಯ ಮುಕ್ತವಾಗಿ ಬಳಸಿ: ಡಾ.ಪವನಜ (Karavali Karnataka; August 14, 2015).
ಬೆಳ್ತಂಗಡಿ:ಎಲ್ಲಾ ಕಾಲಕ್ಕೂ ಲಭ್ಯ ಇರುವ ಸ್ವತಂತ್ರ ಹಾಗೂ ಮುಕ್ತ ವಿಶ್ವಕೋಶ ವಿಕಿಪೀಡಿಯಾ-ಪವನಜ (SahilOnline; August 14, 2015).
Talamaddale on August 23 (Hindu; August 16, 2015).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC)) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

Privacy

Article

Security: Privacy, Transparency and Technology (Sunil Abraham, Elonnai Hickok and Tarun Krishnakumar; Observer Research Foundation, Digital Debates 2015: CyFy Journal Volume 2 ; August 19, 2015).

Submission

CIS Comments and Recommendations to the Human DNA Profiling Bill, June 2015 (Elonnai Hickok, Vipul Kharbanda and Vanya Rakesh; August 27, 2015).

Blog Entries

Policy Paper on Surveillance in India (Vipul Kharbanda; August 3, 2015).
Comparison of the Human DNA Profiling Bill 2012 with: CIS recommendations, Sub-Committee Recommendations, Expert Committee Recommendations, and the Human DNA Profiling Bill 2015 (Elonnai Hickok; August 10, 2015).
Right to Privacy in Peril (Vipul Kharbanda; August 13, 2015).
Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data (Vanya Rakesh; August 26, 2015).
Are we Throwing our Data Protection Regimes under the Bus? (Elonnai Hickok and Rohan George; August 29, 2015).
Supreme Court Order is a Good Start, but is Seeding Necessary? (Elonnai Hickok and Rohan George; August 29, 2015).

Big Data

Blog Entries

Big Data and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Elonnai Hickok; August 11, 2015).
A Review of the Policy Debate around Big Data and Internet of Things (Elonnai Hickok; August 17, 2015).

Participation in Event

The Changing Landscape of ICT Governance and Practice - Convergence and Big Data (Co-organized by Innovation Center for Big Data and Digital Convergence, Yuan Ze University, Taiwan; August 24 - 25, 2015). Sharat Chandra Ram was granted the Young Scholar Award 2015 to attend theYoung Scholar Workshop followed by main CPRSouth2015 conference (Communication Policy Research South) conference.

Free Speech and Expression

Submission

CIS submission to the UNGA WSIS+10 Review (Jyoti Panday; August 9, 2015),

Cyber Security

Upcoming Event

Bangalore Chapter Meet of DSCI (Co-organized by DSCI and CIS; September 26, 2015). Melissa Hathaway, Commissioner, Global Commission for Internet Governance and Sunil Abraham will be speaking at this event.

Telecom

CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Op-ed

Those Dropped Calls (Shyam Ponappa; Business Standard; August 5, 2015 and Organizing India Blogspot; August 6, 2015).

Researchers at Work

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Books

Digital Activism in Asia Reader (edited by Nishant Shah, P.P. Sneha, and Sumandro Chattapadhyay, with support from Anirudh Sridhar, Denisse Albornoz, and Verena Getahun; August 8, 2015).

Books Chapters

Civil Society Organisations and Internet Governance in Asia - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.
Civil Society Organisations and Internet Governance in India - Open Review (Sumandro Chattapadhyay; Asia Internet History Vol. 3, edited by Prof. Kilnam Chon). Comments are invited.

Accepted Paper Abstract

Studying the Emerging Database State in India: Notes for Critical Data Studies (Sumandro Chattapadhyay; August 2, 2015). The paper has been provisionally accepted.

Blog Entries

Mock-Calling - Ironies of Outsourcing and the Aspirations of an Individual (Sreedeep; August 6, 2015).
Governing Speech on the Internet: From the Free Marketplace Policy to a Controlled 'Public Sphere' (Smarika Kumar; August 28, 2015).

News & Media Coverage

CIS gave its inputs to the following media coverage:

Why the DNA Bill is open to misuse: Sunil Abraham (Kanika Datta; Business Standard; August 1, 2015)
Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says (Karthikeyan Hemalatha; The Times of India; August 2, 2015).
Indian government orders ISPs to block 857 porn websites (John Ribeiro; IDG News and PC World; August 2, 2015)
India blocks access to 857 porn sites (BBC; August 3, 2015).
India launches crackdown on online porn (James Crabtree; Financial Times; August 3, 2015).
Proxies and VPNs: Why govt can't ban porn websites? (Siladitya Ray; August 3, 2015; Hindustan Times)
Nanny state rules porn bad for you (Anahita Mukherji; The Times of India; August 4, 2015).
Ban on pornography temporary, says government (Business Standard; August 4, 2015)
Porn block in India sparks outrage (Australian; August 5, 2015).
Indian Porn Ban is Partially Lifted But Sites Remain Blocked (Sean Mclain; Wall Street Journal; August 5, 2015)
Genetic Profiling: Is it all in the DNA? (Ullekh N.P.; The Open Magazine; August 7, 2015)
India partially lifts Porn Ban? (Nazhat Khan; DESI blitz; August 7, 2015)
Net Neutrality: India is a Key Battleground (Abeer Kapoor; Hardnews; August 10, 2015)
Stats from 2014 reveal horror of scrapped section 66A of IT Act (Aloke Tikku; Hindustan Times; August 20, 2015).
The seedy underbelly of revenge porn (Sandhya Soman; The Times of India; August 23, 2015).
The new tattler in town (P. Anima; Hindu Businessline; August 28, 2015).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the mediation and reconfiguration of social and cultural processes and structures by the internet and digital media technologies.

► Follow us elsewhere

CIS - Twitter: http://twitter.com/cis_india
Access to Knowledge - Twitter: https://twitter.com/CISA2K
Access to Knowledge - Facebook: https://www.facebook.com/cisa2k
Access to Knowledge - E-Mail: a2k@cis-india.org
Researchers at Work - E-Mail: raw@cis-india.org
Researchers at Work - Mailing List: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration:

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, Access to Knowledge, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/august-2015-bulletin

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

pranesh — 2015-11-29T06:35:12Z

This proposal was made to the Global Multistakeholder Community on August 9, 2015. The proposal was drafted by Pranesh Prakash and Jyoti Panday. The research assistance was provided by Padmini Baruah, Vidushi Marda, and inputs from Sunil Abraham.

For more than a year now, the customers and operational communities performing key internet functions related to domain names, numbers and protocols have been negotiating the transfer of IANA stewardship. India has dual interests in the ICANN IANA Transition negotiations: safeguarding independence, security and stability of the DNS for development, and promoting an effective transition agreement that internationalizes the IANA Functions Operator (IFO). Last month the IANA Stewardship Transition Coordination Group (ICG) set in motion a public review of its combined assessment of the proposals submitted by the names, numbers and protocols communities. In parallel to the transition of the NTIA oversight, the community has also been developing mechanisms to strengthen the accountability of ICANN and has devised two workstreams that consider both long term and short term issues. This 2 is our response to the consolidated ICG proposal which considers the proposals for the transition of the NTIA oversight over the IFO.

Click to download the submission.

For more details visit https://cis-india.org/internet-governance/blog/response-by-the-centre-for-internet-and-society-to-the-draft-proposal-to-transition-the-stewardship-of-the-internet-assigned-numbers-authority-iana-functions-from-the-u-s-commerce-department2019s-national-telecommunications-and-information-administration

Supreme Court Order is a Good Start, but is Seeding Necessary?

Elonnai Hickok and Rohan George — 2015-09-07T13:21:58Z

This blog post seeks to unpack the ‘seeding’ process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the court in the context of the seeding process.

Introduction

On August 11th 2015, in the writ petition Justice K.S Puttaswamy (Retd.) & Another vs. Union of India & Others1, the Supreme Court of India issued an interim order regarding the constitutionality of the UIDAI scheme. In response to the order, Dr. Usha Ramanathan published an article titled  'Decoding the Aadhaar judgment: No more seeding, not till the privacy issue is settled by the court' which, among other points, highlights concerns around the seeding of Aadhaar numbers into service delivery databases. She writes that "seeding' is a matter of grave concern in the UID project. This is about the introduction of the number into every data base. Once the number is seeded in various databases, it makes convergence of personal information remarkably simple. So, if the number is in the gas agency, the bank, the ticket, the ration card, the voter ID, the medical records and so on, the state, as also others who learn to use what is called the 'ID platform', can 'see' the citizen at will."2

Building off of this statement, this article seeks to unpack the 'seeding' process in the UIDAI scheme, understand the implications of the Supreme Court order on this process, and identify questions regarding the UID scheme that still need to be clarified by the Court in the context of the seeding process.

What is Seeding?

In the UID scheme, data points within databases of service providers and banks are organized via individual Aadhaar numbers through a process known as 'seeding'. The UIDAI has released two documents on the seeding process - "Approach Document for Aadhaar Seeding in Service Delivery Databases version 1.0" (Version 1.0)3 and "Standard Protocol Covering the Approach & Process for Seeding Aadhaar Number in Service Delivery Databases June 2015 Version 1.1" (Version 1.1)4

According to Version 1.0 "Aadhaar seeding is a process by which UIDs of residents are included in the service delivery database of service providers for enabling Aadhaar based authentication during service delivery."5 Version 1.0 further states that the "Seeding process typically involves data extraction, consolidation, normalization, and matching".6 According to Version 1.1, Aadhaar seeding is "a process by which the Aadhaar numbers of residents are included in the service delivery database of service providers for enabling de-duplication of database and Aadhaar based authentication during service delivery".7 There is an extra clause in Version 1.1's definition of seeding which includes "de-duplication" in addition to authentication.

Though not directly stated, it is envisioned that the Aadhaar number will be seeded into the databases of service providers and banks to enable cash transfers of funds. This was alluded to in the Version 1.1 document with the UIDAI stating "Irrespective of the Scheme and the geography, as the Aadhaar Number of a given Beneficiary finally has to be linked with the Bank Account, Banks play a strategic and key role in Seeding."8

How does the seeding process work?

The seeding process itself can be done through manual/organic processes or algorithmic/in-organic processes. In the inorganic process the Aadhaar database is matched with the database of the service provider - namely the database of beneficiaries, KYR+ data from enrolment agencies, and the EID-UID database from the UIDAI. Once compared and a match is found - for example between KYR fields in the service delivery database and KYR+ fields in the Aadhaar database - the Aadhaar number is seeded into the service delivery database.9

Organic seeding can be carried out via a number of methods, but the recommended method from the UIDAI is door to door collection of Aadhaar numbers from residents which are subsequently uploaded into the service delivery database either manually or through the use of a tablet or smart phone. Perhaps demonstrating the fact that technology cannot be used as a 'patch' for a broken or premature system, organic (manual) seeding is suggested as the preferred process by the UIDAI due to challenges such as lack of digitization of beneficiary records, lack of standardization in Name and Address records, and incomplete data.10

According to the 1.0 Approach Paper, to facilitate the seeding process, the UIDAI has developed an in house software known as Ginger. Service providers that adopt the Aadhaar number must move their existing databases onto the Ginger platform, which then organizes the present and incoming data in the database by individual Aadhaar numbers. This 'organization' can be done automatically or manually. Once organized, data can be queried by Aadhaar number by person's on the 'control' end of the Ginger platform.11

In practice this means that during an authentication in which the UIDAI responds to a service provider with a 'yes' or 'no' response, the UIDAI would have access to at least these two sets of data: 1.) Transaction data (date, time, device number, and Aadhaar number of the individual authenticating) 2.) Data associated to an individual Aadhaar number within a database that has been seeded with Aadhaar numbers (historical and incoming). According to the Approach Document version 1.0, "The objective here is that the seeding process/utility should be able to access the service delivery data and all related information in at least the read-only mode." 12 and the Version 1.1 document states "Software application users with authorized access should be able to access data online in a seamless fashion while providing service benefit to residents." 13

What are the concerns with seeding?

With the increased availability of data analysis and processing technologies, organisations have the ability to link disparate data points stored across databases in order that the data can be related to each other and thereby analysed to derive holistic, intrinsic, and/or latent assessments. This can allow for deeper and more useful insights from otherwise standalone data. In the context of the government linking data, such "relating" can be useful - enabling the government to visualize a holistic and more accurate data and to develop data informed policies through research14. Yet, allowing for disparate data points to be merged and linked to each other raises questions about privacy and civil liberties - as well as more intrinsic questions about purpose, access,  consent and choice.  To name a few, linked data can be used to create profiles of individuals, it can facilitate surveillance, it can enable new and unintended uses of data, and it can be used for discriminatory purposes.

The fact that the seeding process is meant to facilitate extraction, consolidation, normalization and matching of data so it can be queried by Aadhaar number, and that existing databases can be transposed onto the Ginger platform can give rise to Dr. Ramanthan's concerns. She argues that anyone having access to the 'control' end of the Ginger platform can access all data associated to a Aadhaar number, that convergence can now easily be initiated with databases on the Ginger platform,  and that profiling of individuals can take place through the linking of data points via the Ginger platform.

How does the Supreme Court Order impact the seeding process and what still needs to be clarified?

In the interim order the Supreme Court lays out four welcome clarifications and limitations on the UID scheme:

The Union of India shall give wide publicity in the electronic and print media including radio and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;
The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen;
The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the purpose of the LPG Distribution Scheme;
The information about an individual obtained by the Unique Identification Authority of India while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a Court for the purpose of criminal investigation."15

In some ways, the court order addresses some of the concerns regarding the seeding of Aadhaar numbers by limiting the scope of the seeding process to the PDS scheme, but there are still a number of aspects of the scheme as they pertain to the seeding process that need to be addressed by the court.

These include:

The Process of Seeding

Prior to the Supreme Court interim order, the above concerns were quite broad in scope as Aadhaar could be adopted by any private or public entity - and the number was being seeded in databases of banks, the railways, tax authorities, etc. The interim order, to an extent, lessens these concerns by holding that  "The Unique Identification Number or the Aadhaar card will not be used by the respondents for any purpose other than the PDS Scheme…".

However, the Court could have perhaps been more specific regarding what is included under the PDS scheme, because the scheme itself is broad. That said, the restrictions put in place by the court create a form of purpose limitation and a boundary of  proportionality on the UID scheme. By limiting the purpose of the Aadhaar number to use in the PDS system, the  Aadhaar number can only be seeded into the databases of entities involved in the PDS Scheme, rather than any entity that had adopted the number. Despite this, the seeding process is an issue in itself for the following reasons:

Access: Embedding service delivery databases and bank databases with the Aadhaar number allows for the UIDAI or authorized users to access information in these databases. According to version 1.1 of the seeding document from the UIDAI - the UIDAI is carrying out the seeding process through 'seeding agencies'. These agencies can include private companies, public limited companies, government companies, PSUs, semi-government organizations, and NGOs that are registered and operating in India for at least three years.16 Though under contract by the UIDAI, it is unclear what information such organizations would be able to access. This ambiguity leaves the data collected by UIDAI open to potential abuse and unauthorized access. Thus, the Court Ruling fails to provide clarity on the access that the seeding process enables for the UIDAI and for private parties.

Consent: Upon enrolling for an Aadhaar number, individuals have the option of consenting to the UIDAI sharing information in three instances:

"I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services."

"I want the UIDAI to facilitate opening of a new Bank/Post Office Account linked to my Aadhaar Number.

"I have no objection to sharing my information for this purpose""I have no objection to linking my present bank account provided here to my Aadhaar number"17

Aside for the vague and sweeping language of actions users provide consent for, which raises questions about how informed an individual is of the information he consents to share, at no point is an individual provided the option of  consenting  to the UIDAI accessing data - historic or incoming - that is stored in the database of a service provider in the PDS system seeded with the Aadhaar number. Furthermore, as noted earlier, the fact that the UIDAI concedes that a beneficiary has to be linked with a bank account raises questions of consent to this process as linking one's bank account with their Aadhaar number is an optional part of the enrollment process. Thus, even with the restrictions from the court order, if individuals want to use their Aadhaar number to access benefits, they must also seed their number with their bank accounts. On this point, in an order from the Finance Ministry it was clarified that the seeding of Aadhaar numbers into databases is a voluntary decision, but if a beneficiary provides their number on a voluntary basis - it can be seeded into a database.18

Withdrawing Consent: The Court also did not directly address if individuals could withdraw consent after enrolling in the UID scheme - and if they did - whether Aadhaar numbers should be 'unseeded' from PDS related databases. Similarly, the Court did not clarify whether services that have seeded the Aadhaar number, but are not PDS related, now need to unseed the number. Though news items indicate that in some cases (not all) organizations and government departments not involved in the PDS system are stopping the seeding process19, there is no indication of departments undertaking an 'unseeding' process. Nor is there any indication of the UIDAI allowing indivduals enrolled to 'un-enroll' from the scheme. In being silent on issues around consent, the court order inadvertently overlooks the risk of function creep possible through the seeding process, which "allows numerous opportunities for expansion of functions far beyond those stated to be its purpose"20.

Verification and liability: According to Version 1.0 and Version 1.1 of the Seeding documents, "no seeding is better than incorrect seeding". This is because incorrect seeding can lead to inaccuracies in the authentication process and result in individuals entitled to benefits being denied such benefits. To avoid errors in the seeding process the UIDAI has suggested several steps including using the "Aadhaar Verification Service" which verifies an Aadhaar number submitted for seeding against the Aadhaar number and demographic data such as gender and location in the CIDR. Though recognizing the importance of accuracy in the seeding process, the UIDAI takes no responsibility for the same. According to Version 1.1 of the seeding document, "the responsibility of correct seeding shall always stay with the department, who is the owner of the database."21 This replicates a disturbing trend in the implementation of the UID scheme - where the UIDAI 'initiates' different processes through private sector companies but does not take responsibility for such processes. 22

The Scope of the UIDAI's mandate and the necessity of seeding

Aside from the problems within the seeding process itself, there is a question of the scope of the UIDAI's mandate and the role that seeding plays in fulfilling this. This is important in understanding the necessity of the seeding process.

On the official website, the UIDAI has stated that its mandate is "to issue every resident a unique identification number linked to the resident's demographic and biometric information, which they can use to identify themselves anywhere in India, and to access a host of benefits and services." 23 Though the Supreme Court order clarifies the use of the Aadhaar number, it does not address the actual legality of the UIDAI's mandate - as there is no enabling statute in place -and it does not clarify or confirm the scope of the UIDAI's mandate.

In Version 1.0 of the Seeding document the UIDAI has stated the "Aadhaar numbers of enrolled residents are being 'seeded' ie. included in the databases of service providers that have adopted the Aadhaar platform in order to enable authentication via the Aadhaar number during a transaction or service delivery."24 This statement is only partially correct. For only providing and authenticating of an Aadhaar number - seeding is not necessary as the Aadhaar number submitted for verification alone only needs to be compared with the records in the CIDR to complete authentication of the same. Yet, in an example justifying the need for seeding in the Version 1.0 seeding document the UIDAI states "A consolidated view of the entire data would facilitate the social welfare department of the state to improve the service delivery in their programs, while also being able to ensure that the same person is not availing double benefits from two different districts."25 For this purpose, seeding is again unnecessary as it would be simple to correlate PDS usage with a Aadhaar number within the PDS database. Even if limited to the PDS system,  seeding in the databases of service providers is only necessary for the creation and access to comprehensive information about an individual in order to determine eligibility for a service. Further, seeding is only necessary in the databases of banks if the Aadhaar number moves from being an identity factor - to a transactional factor - something that the UIDAI seems to envision as the Version 1.1 seeding document states that Aadhaar is sufficient enough to transfer payments to an individual and thus plays a key role in cash transfers of benefits.26

Conclusion

Despite the fact that adherence to the interim order from the Supreme Court has been adhoc27, the order does provide a number of welcome limitations and clarifications to the UID Scheme. Yet, despite limited clarification from the Supreme Court and further clarification from the Finance Ministry's Order, the process of seeding and its necessity remain unclear. Is the UIDAI taking fully informed consent for the seeding process and what it will enable? Should the UIDAI be liable for the accuracy of the seeding process? Is seeding of service provider and bank databases necessary for the UIDAI to fulfill its mandate? Is the UIDAI's mandate to provide an identifier and an authentication of identity mechanism or is it to provide authentication of eligibility of an individual to receive services? Is this mandate backed by law and with adequate safeguards? Can the court order be interpreted to mean that to deliver services in the PDS system, UIDAI will need access to bank accounts or other transactions/information stored in a service provider's database to verify the claims of the user?

Many news items reflect a concern of convergence arising out of the UID scheme.28 To be clear, the process of seeding is not the same as convergence. Seeding enables convergence which can enable profiling, surveillance, etc. That said, the seeding process needs to be examined more closely by the public and the court to ensure that society can reap the benefits of seeding while avoiding the problems it may pose.

[1]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[2]. Usha Ramanthan. Decoding the Aadhaar judgment: No more seeding, not till the privacy issues is settled by the court. The Indian Express. August 12^th 2015. Available at: http://indianexpress.com/article/blogs/decoding-the-aadhar-judgment-no-more-seeding-not-till-the-privacy-issue-is-settled-by-the-court/

[3]. UIDAI. Approach Document for Aadhaar Seeding in Service Delivery Databases. Version 1.0. Available at: https://authportal.uidai.gov.in/static/aadhaar_seeding_v_10_280312.pdf

[4]. UIDAI. Standard Protocol Covering the Approach & Process for Seeding Aadhaar Numbers in Service Delivery Databases. Available at: https://uidai.gov.in/images/aadhaar_seeding_june_2015_v1.1.pdf

[5]. Version 1.0 pg. 2

[6]. Version 1.0 pg. 19

[7]. Version 1.1 pg. 3

[8]. Version 1.1 pg. 7

[9]. Version 1.1 pg. 5 -7

[10]. Version 1.1 pg. 7-13

[11]. Version 1.0 pg 19-22

[12]. Version 1.0 pg. 4

[13]. Version 1.1 pg. 5, figure 3.

[14]. David Card, Raj Chett, Martin Feldstein, and Emmanuel Saez. Expanding Access to Adminstrative Data for Research in the United States. Available at: http://obs.rc.fas.harvard.edu/chetty/NSFdataaccess.pdf

[15]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[16]. Version 1.1 pg. 18

[17]. Aadhaar Enrollment Form from Karnataka State. http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf

[18]. Business Line. Aadhaar only for foodgrains, LPG, kerosene, distribution. August 27^th 2015. Available at: http://www.thehindubusinessline.com/economy/aadhaar-only-for-foodgrains-lpg-kerosene-distribution/article7587382.ece

[19]. Bharti Jain. Election Commission not to link poll rolls to Aadhaar. The Times of India. August 15^th 2015. Available at: http://timesofindia.indiatimes.com/india/Election-Commission-not-to-link-poll-rolls-to-Aadhaar/articleshow/48488648.cms

[20]. Graham Greenleaf. “Access all areas': Function creep guaranteed in Australia's ID Card Bill (No.1) Computer Law & Security Review. Volume 23, Issue 4. 2007. Available at: http://www.sciencedirect.com/science/article/pii/S0267364907000544

[21]. Version 1.1 pg. 3

[22]. For example, the UIDAI depends on private companies to act as enrollment agencies and collect, verify, and enroll individuals in the UID scheme. Though the UID enters into MOUs with these organizations, the UID cannot be held responsible for the security or accuracy of data collected, stored, etc. by these entities. See draft MOU for registrars: https://uidai.gov.in/images/training/MoU_with_the_State_Governments_version.pdf

[23]. Justice K.S Puttaswamy & Another vs. Union of India & Others. Writ Petition (Civil) No. 494 of 2012. Available at: http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841

[24]. Version 1.0 pg.3

[25]. Version 1.0 pg.4

[26]. Version 1.1 pg. 3

[27]. For example, there are reports of Aadhaar being introduced for different services such as education. See: Tanu Kulkarni. Aadhaar may soon replace roll numbers. The Hindu. August 21^st, 2015. For example: http://www.thehindu.com/news/cities/bangalore/aadhaar-may-soon-replace-roll-numbers/article7563708.ece

[28]. For example see: Salil Tripathi. A dangerous convergence. July 31^st. 2015. The Live Mint. Available at: http://www.livemint.com/Opinion/xrqO4wBzpPbeA4nPruPNXP/A-dangerous-convergence.html

For more details visit https://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary