We are anonymous, we are legion

India’s largest bank SBI leaked account data on millions of customers

Admin — 2019-02-01T15:13:15Z

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The blog post by Zack Whittaker was published Tech Crunch on January 30, 2019. Karan Saini was quoted.

The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

A redacted example of some of the banking and credit information found in the database (Image: TechCrunch)

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud,” he said.

SBI claims more than 500 million customers across the glob,e with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.

Despite several emails, SBI did not comment prior to publication.

For more details visit https://cis-india.org/internet-governance/news/tech-crunch-zak-whittaker-january-30-2019-indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers

Amazon and Walmart are about to take a big hit in India

Admin — 2019-02-01T15:03:56Z

India is the world’s biggest emerging digital economy, and Silicon Valley’s top companies have invested huge sums to cash in on it. Now new regulations are threatening their business.

The blog post was published in Q13 Fox on January 31, 2019. Gurshabad Grover was quoted.

E-commerce restrictions due to go into effect Friday will prevent global retailers such as Amazon and Walmart from using their deep pockets and massive scale to drive down prices in India.

And proposed legal changes would require social media companies like Facebook and Twitter to monitor and take down content at the request of Indian authorities, which critics say could be misused for censorship.

The new rules highlight the risk global tech giants are running in a country they see as their next growth frontier.

Amazon and Walmart push back

The new e-commerce rules, announced in late December, look to curb practices like steep discounts that have helped Amazon dominate the US market and already make huge inroads in India.

The rules state that foreign online retailers can no longer strike deals with companies to offer products that are not available elsewhere. They also prevent these platforms from selling products distributed by companies they have invested in.

That would strike at the heart of Amazon’s business in India — the US company has snapped up stakes in several local suppliers.

Amazon and India’s biggest online retailer, Walmart-owned Flipkart, had been pushing India to delay the introduction of the new rules, but the government said in a statement Thursday that it had decided “after due consideration” not to do so.

Amazon had written to the Indian government asking for a four-month extension to comply with the new rules, a company spokesperson said.

“With over [400,000] sellers and hundreds of thousands of transactions happening daily on the Amazon India Marketplace we need adequate time to understand the details of the policy,” the spokesperson added.

Flipkart had asked the government for a six-month extension, a person familiar with the matter told CNN.

The company reportedly warned of “significant customer disruption” if the new policy is implemented this week. Flipkart CEO Kalyan Krishnamurthy said in a letter to the Indian government that the new rules could “have undesirable impacts on the continued growth of e-commerce in India,” according to Reuters.

The rules will affect the Bangalore-based company’s sales of products like smartphones, many of which it offers exclusively to its customers.

Flipkart declined to comment.

The changes follow intensive lobbying by India’s small businesses against Amazon and Walmart’s outsized influence in the country. (Together they have more than 70% of the Indian online shopping market.) The Confederation of All India Traders, which says it represents more than 70 million local retailers, warned the government against granting an extension.

“If any deferment or extension is given, the small traders both offline and online will be compelled to resort to a national campaign against any such move … which may also have political repercussions,” the group said in a statement earlier this week, a thinly-veiled warning to the government in an election year.

The trade body expressed “deep satisfaction” at the government’s decision not to extend the deadline.

India’s WhatsApp problem

India’s effort to further regulate its internet isn’t restricted to retail.

In late December, two days before the e-commerce restrictions were unveiled, India’s technology ministry published a host of proposed changes to laws governing online content.

The changes state that “intermediaries” including internet providers and platforms like Facebook and Twitter must remove “unlawful” material within 24 hours at the request of Indian authorities. That covers content that goes against India’s sovereignty, national security or foreign relations as well as “public order, decency or morality,” the new rules state.

Experts say the broad phrasing leaves the rules open to misuse and could be used to suppress free speech. It could also lead to self censorship by tech companies to avoid government scrutiny.

“It can lead to en masse takedown of content,” said Gurshabad Grover, a policy officer at the Bangalore-based Centre for Internet and Society, a think tank. “Intermediaries are often happy to take down perfectly legal content just to avoid liability.”

Twitter said in a statement that it would continue to lobby the Indian government on the proposed regulations before they are passed into law.

“Our hope is that after this robust public consultation process any changes to the [rules] in India strike a careful balance that protects important values such as freedom of expression,” a Twitter spokesperson told CNN Business.

Google and Facebook declined to comment.

The Asia Internet Coalition, an industry group that counts all three companies as its members, also urged the Indian government to reconsider the rule changes.

“In addition to interfering with the fundamental rights of freedom of speech and expression, and right to privacy as guaranteed under the constitution, the [proposed regulations] impose burdensome obligations on the intermediaries,” the group said in a letter to India’s technology ministry.

The regulations appear to be driven by India’s growing battle with fake news and misinformation, with viral rumors on Facebook’s mobile messaging service WhatsApp blamed for more than a dozen lynchings last year.

The Indian government specifically called out the mob violence in its statement announcing the regulations, citing the “misuse of social media by criminals and anti-national elements” as a key factor.

The rules also state that platforms must enable the tracing of individual posts and messages at the government’s request, a requirement that WhatsApp has previously rejected as a non-starter.

India is WhatsApp’s biggest market, with more than 200 million users.

Why India matters

India has opened itself up to foreign investment in recent years, particularly in its fast-growing tech and retail industries, and companies from around the world have rushed in.

India’s internet is a particularly tempting prize. About 500 million people are already online, with nearly 900 million more yet to be connected.

Amazon has pledged at least $5 billion dollars to growing its business in the country, while Walmart spent $16 billion to buy Flipkart last year.

Facebook and Google have also identified India as their next big market, rolling out several features and services in the country before taking it to the rest of the world.

But the changing legal environment presents a huge challenge, and Big Tech is battling to keep the promise alive.

“An uncertain, constantly changing regulatory environment is not good for any business,” Mishi Choudhary, legal director at the New York-based advocacy group Software Freedom Law Center, told CNN.

“India must decide where it sees itself in the global landscape,” Choudhary added. “It can either be a democracy that will let the best company win and provide an open, free and secure internet to its citizens or turn the way our neighbors across the Himalayas [China] have. It can’t have it both ways.”

For more details visit https://cis-india.org/internet-governance/news/q-13-fox-january-31-2019-amazon-and-walmart-are-about-to-take-a-big-hit-in-india

January 2019 Newsletter

praskrishna — 2019-03-03T16:34:21Z

The Centre for Internet & Society (CIS) welcomes you to the first issue of its e-Newsletter for 2019.

The CIS newsletter aims to highlight developments in copyright and patent, free speech and expression, privacy, cyber security, telecom, etc. as well as Industry 4.0, big data, additive manufacturing and so on which are revolutionizing and moving the digital world forward. Through this newsletter we look to engage you with our research and build a strong bond by bringing you insightful articles and blog posts which will be beneficial for you and your business. Throughout the year we will send you stories and insights from our board, staff and community leaders. We welcome your feedback, suggestions or comments regarding our newsletter or any other aspect of our research.

Welcome to r@w blog!

CIS researchers@work programme (RAW) is delighted to announce the launch of its new blog hosted on Medium. The RAW blog will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society. The blog will also feature highlights and materials from ongoing research and events at the researchers@work programme.

Highlights for January 2019

Ambika Tandon and Aayush Rathi have produced a research paper that contextualises the narrative around Industry 4.0 and the future of work with reference to the female labour force in India.
Gurshabad Grover, Nikhil Srinath and Aayush Rathi (with inputs from Anubha Sinha and Sai Shakti) presented a response to the Telecom Regulatory Authority of India’s Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services. CIS appreciates the continual efforts of TRAI to have consultations on the regulatory framework that should be applicable to OTT services and Telecom Service Providers (TSPs).
Pranesh Prakash, Karan Saini and Elonnai Hickok authored a policy brief that recommends several changes pertaining to current legislation, policy and practice to the Government of India regarding coordinated vulnerability disclosure (“CVD”) for improving the overarching information and cyber security posture of the country.
The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe opened a public comment procedure to solicit comments and obtain additional feedback. Arindrajit Basu, Gurshabad Grover and Elonnai Hickok responded to the public call-offering comments on all six norms and proposing two further norms.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

How to make EVMs hack-proof, and elections more trustworthy (Pranesh Prakash; Times of India; December 9, 2018).
Registering for Aadhaar in 2019 (Sunil Abraham; Business Standard; January 2, 2019).
The DNA Bill has a sequence of problems that need to be resolved (Shweta Mohandas and Elonnai Hickok; Newslaundry; January 15, 2019).
India should reconsider its proposed regulation of online content (Gurshabad Grover; Hindustan Times; January 24, 2019). Akriti Bopanna and Aayush Rathi provided feedback for the article.
India’s proposed new internet bill is as repressive as the worst of Chinese laws (Nishant Shah; Indian Express; January 27, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves (Sanyukta Dharmadhikari; The News Minute; January 10, 2019).
Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru (Sowmya Rajaram; Bangalore Mirror; January 13, 2019).
They know where you are (Tini Sara Anien; Deccan Herald; January 17, 2019).
Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears (Nishant Sharma; Bloomberg Quint; January 16, 2019).
Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data? (Devarsi Ghosh; Scroll.in; January 18, 2019).
Google Gives Wikimedia Millions—Plus Machine Learning Tools (Wired; January 22, 2019).
New movies lose out due to piracy (Surupasree Sarmmah; Deccan Herald; January 23, 2019).
Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data (Vidya Raja; Better India; January 24, 2019).
India’s largest bank SBI leaked account data on millions of customers (Zack Whittaker; Tech Crunch; January 30, 2019).
Open standards can disrupt Facebook’s messaging monopoly (Abhimanyu Ghoshal; The Next Web; January 30, 2019).
Conmen seed fake phone numbers in Google to trap people looking for customer care details (Tushar Kaushik; Economic Times; January 30, 2019).
Amazon and Walmart are about to take a big hit in India (Q13 Fox; January 31, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Submission

Response to GCSC on Request for Consultation: Norm Package Singapore (Gurshabad Grover, Arindrajit Basu and Elonnai Hickok; January 22, 2019).

Policy Brief

Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India (Pranesh Prakash; Karan Saini and Elonnai Hickok; January 23, 2019).

Privacy

Submission

CIS Submission to UN High Level Panel on Digital Co-operation (Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok; January 30, 2019).

Gender

Research Paper

A Gendered Future of Work (Ambika Tandon and Aayush Rathi; December 19, 2018).

Event Organized

RFCs We Love meetup (Organized by CIS and India Internet Engineering Society; CIS, Bangalore; January 19, 2019).

Events Participated / Partnered In

Webinar on the draft Intermediary Guidelines Amendment Rules (Organized by CCAOI and the ISOC Delhi Chapter; New Delhi; January 10, 2019). Gurshabad Grover was a discussant in the panel.
MediaNama roundtables on intermediary liability rules (St. Marks Hotel, Bangalore; January 25, 2019). CIS was a community partner. Gurshabad Grover participated in the meeting.
DSCI's Bangalore chapter meet (Organized by Data Security Council of India; Bangalore; January 29, 2019). Karan Saini and Gurshabad Grover participated in the meet.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions.

Submission

Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services (Gurshabad Grover, Nikhil Srinath and Aayush Rathi with inputs from Anubha Sinha and Sai Shakti; January 10, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Internet Researchers' Conference 2019 (IRC19): #List, Jan 30 - Feb 1, Lamakaan (P.P. Sneha; January 9, 2019).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/january-19-newsletter

Open standards can disrupt Facebook’s messaging monopoly

Admin — 2019-02-02T01:59:37Z

Facebook made the news last week when The New York Times’ Mike Isaac reported that CEO Mark Zuckerberg intended to integrate the company’s three messaging platforms: WhatsApp, Messenger, and Instagram.

The blog post by Abhimanyu Ghoshal was published in The Next Web on January 30, 2019. Pranesh Prakash was quoted.

We don’t have all the details of exactly how this will work. The plan is still in its early stages, and there are plenty of moving parts – legal and technical – to take care of. What’s clear is this: with more than 2.6 billion users between the platforms, this is set to impact a lot of people if it goes through – and potentially many hundreds of millions more in the following years.

While the specifics of the move are yet to be revealed, a move like this could help Facebook create more detailed profiles of its users. Even if the company encrypts communications end-to-end as it seemed to imply in its responses to NYT, it could still leverage communications metadata to target ads more accurately than you might think.

Here’s an example: without looking at your messages (because they’re encrypted), Facebook could gather data on who you chat with most often and for how long, later correlating that with the recipients’ interests from Instagram. It could then show you ads for gifts that contact may like, right around the time their birthday comes up.

Integrating these platforms could also bolster Facebook’s efforts to keep users tied into its ecosystem. That’s problematic, when you consider the larger your network of contacts is on the company’s services, the harder it is for you to leave them and use an alternative you’re more comfortable with.

Is there a way out? Pranesh Prakash – a Fellow at the Center for Internet and Society, as well as a Fellow at the New America think tank – believes that the answer lies not in breaking up Facebook over privacy laws, but in competition, and regulators at the government level should demand Facebook use open standards for its messaging platforms.

Prakash explained that standards like SMTP and IMAP, which are used for facilitating email exchanges, allow for interoperability between services run by different organizations. They also let users choose the client apps they prefer for accessing their inboxes.

Facebook’s messaging services, meanwhile, run on closed standards and don’t play nice with platforms created by third parties.

This results in people becoming trapped in Facebook’s ecosystem: even if you’re opposed to using the company’s products, you can’t realistically ditch them all because your friends and family are all using its platforms.

In case you’re worried about open-source protocols not being up to the task of serving massive networks like the ones Facebook operates, consider the fact that WhatsApp runs on FunXMPP, a customized version of the open XMPP set of standards that anyone can use for their own projects.

If Facebook is doing the difficult legwork of unifying the underlying technical infrastructure of its three apps, Prakash argues, it’d do well to make its new protocol public and open-source. That way, anyone should be able to use the company’s services to reach people just the same as when they choose to use a service created by a separate entity.

Prakash said that the only way diminishing Facebook’s power in this regard is to open up access to its network of users. In doing so, it will see people stick with the company’s services because they like using them, not because they can’t stay in touch with their contacts.

Questions surrounding Facebook’s monopolistic domination of the messaging space will inevitably crop up when the company implements Zuckerberg’s plan, and this sounds like a healthy way to tackle those issues.

Naturally, that seems like it’d hurt Facebook’s bottom line – but it’s important to start thinking about realistic measures to comply with antitrust law – or risk being booted from countries that don’t appreciate the way the company does business.

For more details visit https://cis-india.org/internet-governance/news/the-next-web-abhimanyu-ghoshal-january-30-2019-open-standards-can-disrupt-facebooks-messaging-monopoly

CIS Submission to UN High Level Panel on Digital Co-operation

Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok — 2019-02-19T01:41:35Z

The High-level Panel on Digital Cooperation was convened by the UN Secretary-General to advance proposals to strengthen cooperation in the digital space among Governments, the private sector, civil society, international organizations, academia, the technical community and other relevant stakeholders. The Panel issued a call for input that called for responses to various questions. CIS responded to the call for inputs.

Download the submission here

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-un-high-level-panel-on-digital-co-operation

Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data

Admin — 2019-02-02T02:09:56Z

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

The blog post by Vidya Raja was published in the Better India on January 24, 2019. Pranesh Prakash was quoted.

Imagine someone hacking into your Netflix account – all you have to do is change the password. However, if there is a security breach with respect to your biometric details, there is no reversing it. So think carefully about how and where you submit your details. While the Supreme Court has said that it is no longer mandatory to link Aadhaar with your bank accounts or your telecom service provider, it does not lessen the importance of Aadhaar.

Pranesh Prakash, Policy Director, The Centre for Internet & Society, in a report published in The Mint, says, “Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner’s finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.” Over the last year, there has been so much chatter about the Aadhaar number and how one can protect one’s information.

Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?

In this article, we explain how you can do that.

Locking biometrics online:

Visit UIDAI’s online portal to lock or unlock your biometrics
Once there, you will need to click on ‘My Aadhaar’ and under the Aadhaar Services tab, click on Lock/Unlock Biometrics
You will then be redirected to a new page and prompted to enter the 12-digit Aadhaar number and the security code
Once the details have been entered, click on ‘Send OTP’
You will receive an OTP on your registered mobile number
Enter this and click on the Login button
This feature will allow you to lock your biometrics
Enter the 4-digit security code mentioned on the screen and click on the ‘Enable’ button
Your biometrics will be locked, and you will have to unlock it in case you want to access it again

Unlocking biometrics online:

To unlock your biometrics, click on the ‘Login’ button
Enter your Aadhaar number and the security code in the designated spaces
Now click on ‘Send OTP’
An OTP will be sent to your registered mobile number
Enter it in the space provided and click on ‘Login’
In case you want to temporarily unlock the biometrics, enter the security code and click on the unlock button
Your biometrics will be unlocked for 10 minutes
The locking date and time is mentioned on the screen after which biometrics will be automatically locked
When you do not want to lock your biometrics, you can disable the lock permanently.

Using mAadhaar to lock/unlock biometrics:

mAadhaar is the official mobile application developed by the Unique Identification Authority of India (UIDAI). Presently, it is available on the Android platform.

Once the mAadhaar app has been downloaded, the user must use their Aadhaar card registered mobile number to login.
You will then be sent an OTP that you are required to enter for authentication. Do remember to change your password once registered.
On the top right side, tap on ‘Biometric lock’, and enter your password to lock the biometrics. Once locked, it will show a small lock icon next to your profile.
To unlock, tap on the same icon followed by your password. The information will unlock for 10 minutes. After that, it will be locked again.
Once you lock this information, it ensures that even the Aadhaar holder will not be able to use their biometric data (iris scan and fingerprints) for authentication, until unlocked.
If you try to use this information without unlocking, it will show you an error code 330.

Remember to lock and unlock your biometrics through a trusted channel. The fact that there is no fee involved in either exercise will make this easier. Also, even with the biometric locked, you can continue to use the OTP-based authentication process for transactions, where you will receive the OTP on your registered mobile number and e-mail address.

(Edited by Shruti Singhal)

For more details visit https://cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india

India should reconsider its proposed regulation of online content

gurshabad — 2019-01-24T16:59:07Z

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

The article was published in the Hindustan Times on January 24, 2019. The author would like to thank Akriti Bopanna and Aayush Rathi for their feedback.

Flowing from the Information Technology (IT) Act, India’s current intermediary liability regime roughly adheres to the “safe harbour” principle, i.e. intermediaries (online platforms and service providers) are not liable for the content they host or transmit if they act as mere conduits in the network, don’t abet illegal activity, and comply with requests from authorised government bodies and the judiciary. This paradigm allows intermediaries that primarily transmit user-generated content to provide their services without constant paranoia, and can be partly credited for the proliferation of online content. The law and IT minister shared the intent to change the rules this July when discussing concerns of online platforms being used “to spread incorrect facts projected as news and designed to instigate people to commit crime”.

On December 24, the government published and invited comments to the draft intermediary liability rules. The draft rules significantly expand “due diligence” intermediaries must observe to qualify as safe harbours: they mandate enabling “tracing” of the originator of information, taking down content in response to government and court orders within 24 hours, and responding to information requests and assisting investigations within 72 hours. Most problematically, the draft rules go much further than the stated intentions: draft Rule 3(9) mandates intermediaries to deploy automated tools for “proactively identifying and removing [...] unlawful information or content”.

The first glaring problem is that “unlawful information or content” is not defined. A conservative reading of the draft rules will presume that the phrase means restrictions on free speech permissible under Article 19(2) of the Constitution, including that relate to national integrity, “defamation” and “incitement to an offence”.

Ambiguity aside, is mandating intermediaries to monitor for “unlawful content” a valid requirement under “due diligence”? To qualify as a safe harbour, if an intermediary must monitor for all unlawful content, then is it substantively different from an intermediary that has active control over its content and not a safe harbour? Clearly, the requirement of monitoring for all “unlawful content” is so onerous that it is contrary to the philosophy of safe harbours envisioned by the law.

By mandating automated detection and removal of unlawful content, the proposed rules shift the burden of appraising legality of content from the state to private entities. The rule may run afoul of the Supreme Court’s reasoning in Shreya Singhal v Union of India wherein it read down a similar provision because, among other reasons, it required an intermediary to “apply [...] its own mind to whether information should or should not be blocked”. “Actual knowledge” of illegal content, since then, has held to accrue to the intermediary only when it receives a court or government order.

Given the inconsistencies with legal precedence, the rules may not stand judicial scrutiny if notified in their current form.

The lack of technical considerations in the proposal is also apparent since implementing the proposal is infeasible for certain intermediaries. End-to-end encrypted messaging services cannot “identify” unlawful content since they cannot decrypt it. Internet service providers also qualify as safe harbours: how will they identify unlawful content when it passes encrypted through their network? Presumably, the government’s intention is not to disallow end-to-end encryption so that intermediaries can monitor content.

Intermediaries that can implement the rules, like social media platforms, will leave the task to algorithms that perform even specific tasks poorly. Just recently, Tumblr flagged its own examples of permitted nudity as pornography, and Youtube slapped a video of randomly-generated white noise with five copyright-infringement notices. Identifying more contextual expression, such as defamation or incitement to offences, is a much more complex problem. In the lack of accurate judgement, platforms will be happy to avoid liability by taking content down without verifying whether it violated law. Rule 3(9) also makes no distinction between large and small intermediaries, and has no requirement for an appeal system available to users whose content is taken down. Thus, the proposed rules set up an incentive structure entirely deleterious to the exercise of the right to freedom of expression. Given the wide amplitude and ambiguity of India’s restrictions on free speech, online platforms will end up removing swathes of content to avoid liability if the draft rules are notified.

The use of draconian laws to quell dissent plays a recurring role in the history of the Indian state. The draft rules follow India’s proclivity to join the ignominious company of authoritarian nations when it comes to disrespecting protections for freedom of expression. To add insult to injury, the draft rules are abstruse, ignore legal precedence, and betray a poor technological understanding. The government should reconsider the proposed regulation and the stance which inspired it, both of which are unsuited for a democratic republic.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-gurshabad-grover-january-24-2019-india-should-reconsider-its-proposed-regulation-of-online-content

New movies lose out due to piracy

Admin — 2019-02-02T02:24:42Z

Piracy continues to be a huge concern among filmmakers but it can also be a marketing strategy for small-budget films.

The article by Surupasree Sarmmah was published in Deccan Herald on January 23, 2019. Akriti Bopanna was quoted.

Despite a slew of measures taken by filmmakers, pirated versions of recently released films like ‘Uri: The Surgical Strike’, ‘Viswasam’, ‘KGF’ and ‘Why Cheat India’ were leaked online on websites like TamilRockers. Piracy has been a huge concern for all movie industries in India, national and regional, but experts say that not much can be done when a film is leaked online.

Neville J Kattakayam, author of the book ‘The All Seeing Digital Eyes: A Guide To Privacy, Security and Literacy’, says, “The maximum one can do is to control the servers in a particular jurisdiction. But there are servers in unlikely places — like somewhere out in the sea. These places don’t fall under any jurisdiction, national or international. It becomes impossible to control the servers then.”

Talking about the process of piracy, he explains that once a content is leaked, it mirages into different servers across to the world; not just online but offline too. “There are mirror sites having the same content that are immediately born. Accessibility wise, it’s all out there; there is nothing that one can completely restrict,” he says.

Neville feels that it is largely in the hands of the producers to restrict access to their material until the movie is released. With people usually preferring good quality prints, theatrical replicas are not favoured much, he told Metrolife.

“From what I have heard, the piracy usually happens when the copy is being sent to the censor board. Some intermediate source, who really wants to kill a movie, leaks it from there. That is the real challenge,” says Neville.

Hemanth M Rao, a director, says that when a movie is leaked online, the effort, time and money put in is at stake. “You feel robbed. Most people would want to go to the theatres to watch a film but with incidents of piracy on the rise, the life span of a movie is shortened,” he says.

However, he adds that the audience is beginning to understand the impact piracy has on the movie industry, especially at a time when there is intense competition between regional language industries.

He has a word of praise for the Kannada Film Industry, which he feels is safeguarding interests of the artistes.

“We have a close tie-up with the city police. We monitor where all a film is playing after its release. In case we come to know about any illegal activities, we intimate the police who act swiftly. This way, the access is cut down.”

“Another thing that upsets me is the habit of going live on Facebook while one is at the theatre. I don’t understand what pleasure people get out of it,” he says.

According to a new draft rule, being contemplated by the IT Ministry, host websites will be liable for any illegal content uploaded on their platform. Currently, a website is liable only for unlawful actions; like uploading copyrighted content without permission.

“The Government can block access to the original host of the pirated content if needed however the traction and virality these kinds of content get make it very difficult to contain their spread. It ends up being a blanket ban on sites such as torrent sites where all the content is not illegal yet the site is blocked as a whole,” says Akriti Bopanna, Policy Officer, Centre for Internet and Society.

The time taken for legal recourse doesn’t help either. Though filmmakers can approach the court for a ban on the website or server, the time taken for a legal remedy is way too long. By that time, the same link would have appeared in two or three other websites, says Akriti. “A leaked movie can be easily downloaded and sent to someone instantly.”

She feels that a more effective method than banning a website or a server would be to educate people.

“Not many know about copyright infringement, it is important to spread awareness from the grassroots level. Though we have messages on piracy shown at the start of every movie, these need to be more creative and fun so they will stay in the audience’s minds. Maybe the industry, as a whole, can do this as a community initiative,” she opines.

Small players don’t care much about piracy

Small-budget movies take piracy as a marketing strategy. They feel that once people watch the movie and write reviews, the film will get an overall boost — allowing them to sell more tickets in theatres.

However, major players spend crores on their movies and depend on ticket sales to get back the amount.

Difficult to claim copyright from different websites

Prominent production companies are targeting streaming websites who have uploaded their movies, citing copyright issues. However, floating websites like citytorrents and TamilRockers keep changing their domain name and it becomes impossible to counter them.

-Neville J Kattakayam

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-surupasree-sarmmah-january-23-2019-new-movies-lose-out-due-to-piracy

Response to GCSC on Request for Consultation: Norm Package Singapore

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-27T15:43:12Z

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.

The GCSC announced the release of its new Norm Package on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace.This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace

The norms introduced by the GCSC focus on the following areas:

Norm to Avoid Tampering
Norm Against Commandeering of ICT Devices into Botnets
Norm for States to Create a Vulnerability Equities Process
Norm to Reduce and Mitigate Significant Vulnerabilities
Norm on Basic Cyber Hygiene as Foundational Defense
Norm Against Offensive Cyber Operations by Non-State Actors

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.

Read the full submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation

Cyber Policy Centres Meeting in Sri Lanka

Admin — 2019-01-21T23:50:45Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in this event organized by IDRC in Sri Lanka on January 11 - 14, 2019.

Download the agenda here

See the presentation here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-centres-meeting-in-sri-lanka

RFCs We Love meetup

Admin — 2019-02-02T13:43:36Z

In collaboration with India Internet Engineering Society (IIESoc), CIS hosted the a 'RFCs We Love' meetup, where we discussed some IETF specifications and standards. The event was held on January 19 at the CIS office, Bangalore.

The theme of the meetup was data centres and service providers. The agenda was:

10:00 - 10:10 Introduction
10:10 - 11:00 Link State Vector Running for DC Routing (Kannan)
11:00 - 11:50 Multicast via Bit Index Explicit Replication (Senthil)
11:50 - 12:40 Traffic Engineering in WAN (Shraddha)
12:40 - 13:00 Open Discussion and planning for Feb meetup
13:00 - 14:00 Lunch and networking

Dhruv Dhody has written about the meetup at the IIESoc blog, where you can also find slides used by the presenters and some photos of the event.

For more details visit https://cis-india.org/internet-governance/news/rfcs-we-love-meetup

Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data?

Admin — 2019-02-02T13:57:40Z

Is it merely an exercise in nostalgia? Or is it providing fodder for facial recognition algorithms on ageing?

The blog post by Devarsi Ghosh was published in Scroll.in on January 18, 2019. Pranesh Prakash was quoted.

“I like to look back at old memories and smile,” said the 25-year-old Kolkata resident Smitakshi Chowdhury. That’s what prompted her to upload a decade-old photo of herself alongside a recent one on Facebook last week without much thought. Chowdhury is among tens of thousands of people who have participated in the “ten year challenge” that has gone viral in recent days as social media users nostalgically display “then” and “now” images of themselves to the world.

Among the prominent Indian personalities who showed how they’d changed over the decade were movie stars Sonam Kapoor, Diana Penty and Shruti Haasan.

But is there a darker design to this initiative to get social media users to sportlingly show what a difference a decade can make? On January 15, an article in Wired suggested that the fad could be an ingenious ploy to gather data on a person’s age or how people age over time. The article by technology writer Kate O’Neill noted that data obtained in this way could be put to a variety of purposes, some benign such as targeted advertising, and some not so harmless.

“Age progression could someday factor into insurance assessment and health care,” O’Neill writes. “For example, if you seem to be ageing faster than your cohorts, perhaps you’re not a very good insurance risk. You may pay more or be denied coverage.”

This hypothesis set off a frenzy, as social media users issued warnings against participating in the challenge. But others noted that Facebook already has photographs of many long-time users from 10 years ago or more. It was also pointed out that the metadata of images posted online contains information about the date on which the photo was taken, where it was shot and the unique identification number of the photo device – even though most people don’t realise this. With so much information already out there, there isn’t much the 10-Year Challenge could add.

“Facebook has spookily sophisticated face-recognition technology, as anyone who’s seen Facebook’s automatic tagging software at work will tell you,” wrote Max Read in New York Magazine.

The debate has revolved around not only what tech companies know about social media users but how they share this information. For instance, Facebook’s facial tagging system identifies people in images to third parties, making it susceptible to misuse. In fact, Facebook had been storing data obtained through facial recognition software since 2011, without notifying or obtaining consent from its users. It was only in February 2018 that it gave users the chance to opt out of the system.

Facebook, on its part, in an official statement, said that it was not involved with the 10-Year Challenge.

Possibilities of misuse

While personal information uploaded online could potentially be misused in several ways, that does not mean just about any doomsday scenario is feasible, said Pranesh Prakash of the Centre for Internet and Society.

“Insurance companies always try to gather as much information as they can about a person to weed out bad risks but governments regulate these companies on the matter of what they can or cannot use,” he said.

For example, in 2018, the Delhi High Court ruled that insurance companies could not deny coverage to a person based on their genetic history, he noted. However, the contradictory ruling also said that if a disorder was established after genetic testing, the insurance company could deny coverage or demand higher premiums.

Prakash suggested a more dire situation. “Suppose the data produced from the 10-Year Challenge is used to improve the quality of deepfakes and that is put into making pornography about you against your will?” he said. “That business, unlike insurance, is unregulated.”

On the other hand, the prospect of a person’s rate of ageing being calculated by algorithms could also be beneficial. “If a medical AI [artificial intelligence] company figures out your health looking at the data based on your face and detects early skin cancer, would anyone be complaining about this?” asked Shashank Bijapur, co-founder of SpotDraft, a Gurgaon-based company that creates and manages legal contracts using artificial intelligence.

He noted that while it is impractical to expect businesses to ignore the opportunity to use such data to their advantage, social media users should make informed decisions while signing up on platforms. “Every such app online has a privacy policy which is made available to whoever is using it right at the beginning,” Bijapur said.

For more details visit https://cis-india.org/internet-governance/news/scroll-in-january-18-2019-devarsi-ghosh-is-the-viral-10yearchallenge-just-another-sneaky-way-for-tech-firms-to-gather-users-personal-data

Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears

Admin — 2019-01-18T02:26:50Z

Oyo Hotels’ pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The article by Nishant Sharma was published by Bloomberg Quint on January 16, 2019. Pranesh Prakash was quoted.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create “stronger data security net”. Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank Center for Internet and Society, told BloombergQuint. “If someone manages to break into the police data, or where the data is stored then they will be able to have the access to the data. It is always good to store data locally.”

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or the another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. “Because there is no law, the entities can do it.”

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there’s a law on what happens in the case it’s misused. There is no legal framework about how and where the data will be used, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-january-16-2019-oyo-hotels-real-time-digital-record-database-sparks-privacy-fears

Webinar on the draft Intermediary Guidelines Amendment Rules

Admin — 2019-01-18T02:13:23Z

CCAOI and the ISOC Delhi Chapter organised a webinar on January 10 to discuss the draft "The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018". Gurshabad Grover was a discussant in the panel.

The agenda of the discussion was:

A brief introduction to the draft highlighting the key issues[Shashank Mishra]
Invited experts sharing their view on the paper and questions asked [Nehaa Chaudhari, Paul Brooks, Arjun Sinha, Gurshabad Grover]
Open Discussion Q&A
Summarizing the session

A recording of the session can be accessed here

For more details visit https://cis-india.org/internet-governance/news/webinar-on-the-draft-intermediary-guidelines-amendment-rules

They know where you are

Admin — 2019-01-18T02:14:46Z

With hotel-booking app routinely sharing real-time guest data with police and government, lives of those fleeing persecution is in danger, privacy advocates fear.

The article by Tini Sara Anien was published in Deccan Herald on January 17, 2019. Aayush Rathi was quoted.

Oyo Rooms, the online hotel room booking service, has been receiving brickbats since it disclosed this week that it was sharing real-time data of guests with the police and the government.

Internet and legal experts in Bengaluru say it is a breach of informational privacy, granted as a fundamental right by the Constitution. Couples running away from hostile families and individuals escaping religious and political persecution are at huge risk if their whereabouts are shared, they say.

Aayush Rathi, policy officer with Centre for Internet and Society, finds the sharing of live guest data disturbing.

“Hotels have always maintained records. Earlier, when information from hotels was needed, a specific query had to be raised by law enforcement, pursuant to an ongoing case. The registry represents a significant departure by facilitating the collection of this data by law enforcement without cause,” he says.

He also rues the lack of transparency about what the government will do with such data.

“The government is already collecting a lot of data and has little direction on what to do with it. There is no clarity on how this information will be used and protected. The government might say it is necessary for security, a very broad umbrella term, but in the absence of regulations, the data can be used for purposes little to do with security,” says Rathi.

The service had initially marketed itself as a couple-friendly service, while across the country, unmarried, inter-faith couples face various challenges finding a room. “This targeting could get even more enhanced,” he fears.

Recently, passport details were leaked from a popular hotel chain. The leaked data from hotel bookings can be used for multifarious purposes, ranging from selling to potential advertisers to identity theft,” Rathi says.

Lawyer-researcher Nayantara Ranganathan, from the Internet Democracy Project, says the argument that sharing data improves privacy is “absolutely disingenuous.”

“Sharing all guest records in real-time to state governments and law enforcement is shocking and most definitely a breach of privacy,” she says.

With the state getting access to such information with the promise of preventive policing, there is no telling how data is going to be used, she says.

She finds it bizarre that a private company is proactively sharing data, especially at a time when companies are “waking up to the fact that their consumers value their privacy.”

Why it endangers lives

Vinay Sreenivasa, lawyer and member of Alternative Law Forum, says providing access to such information is ‘criminal.’ “A couple could be running away from moral policing after an inter-caste marriage and people might be tracking them, or someone might be going through a divorce and just need some privacy. There could be several reasons why one seeks a room and such data could put lives at risk,” he says.

The Supreme Court has clearly stated one’s data is one’s own and consent has to be taken when any personal information is used. The government has no business accessing such information, he says.

For more details visit https://cis-india.org/internet-governance/news/tini-sara-anien-deccan-herald-january-17-2019-they-know-where-you-are