We are anonymous, we are legion

Networked Economies and Gender Action Learning

Admin — 2018-10-02T03:10:02Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in a meeting organized by IDRC for grantees under their networked economies programme to discuss gender-based outputs and development outcomes in their work. The event was held in Ottawa on September 20 - 21, 2018, facilitated by Gender at Work.

Sunil Abraham, Swaraj Paul Barooah and Ambika Tandon also attended a workshop on Gender Action Learning on September 24 - 25, 2018, which discussed strategies to work on gender under a grant for Cyber Policy Centres. Other organizations present at the workshop were Research ICT Africa, Lirne Asia, and Centre Latam Digital at CIDE, Mexico. Gender at Work facilitated this workshop as well, and will be working with all the grantees over a period of 18 months.

For more details visit https://cis-india.org/internet-governance/news/networked-economies-and-gender-action-learning

Cyber-Security in the Age of Smart Manufacturing

Admin — 2018-10-02T00:23:45Z

Arindrajit Basu attended the event 'Cyber-security in the age of Smart Manufacturing.' The event 'BTS - CyberComm 2018' was organised by the Federation of Indian Chamber of Commerce & industry (FICCI) in association with Karnataka Innovation and Technology Society, and Government of Karnataka at The Lalit Ashok, Bengaluru on September 26, 2018.

The event was aimed at understanding the cyber security threats revolving around Industry 4.0 and smart manufacturing. The speakers included Mr. Gaurav Gupta, Principal Secretary, IT, BT and S&T Department, Government of Karnataka;Mr. Sanjay Mujoo, Vice President, Pointnext Global Centre Bangalore, Hewlett Packard Enterprise, India;Mr. Yogesh Andlay, Founder, Nucleus Software & Polaris Financial Technology and Mr. Ambrish Bakaya, Co-Chair, ICT and Digital Economy Committee FICCI.

Apart from discussing how to cover the threat vectors as businesses increasingly become digitised and use digital supply chains,the event was also useful in terms of obtaining an understanding of how the Karnataka government is approaching the digital ecosystem. The Centres of Excellence aim to bring on board academics, industry bodies and practitioners to develop best practices. FICCI, which was co-hosting this event indicated that they will continue to work with the government to further this agenda.

For more details visit https://cis-india.org/internet-governance/news/cyber-security-in-the-age-of-smart-manufacturing

After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar

Admin — 2018-10-01T23:39:42Z

The 12-digit Aadhaar number is now out of bounds for fintech companies in India.

The article by Nishant Sharma was published in Bloomberg Quint on September 27, 2018. Pranesh Prakash was quoted.

Video

With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “unconstitutional”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.

In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.

The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.

'Aadhaar Is Just Another ID'

Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”

For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.

The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”

Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."

The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.

Aadhaar-Based KYC: Allowed With Consent?

The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.

Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.

They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.

Prasanna S, Advocate, Supreme Court

Jaitley Hints At Legal Backing

Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.

Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.

Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.

Prasanna agreed with this interpretation.

The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.

Prasanna S, Advocate, Supreme Court

Are Aadhaar-Based KYCs Tainted?

Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?

The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.

The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.

Rahul Matthan, Partner, Trilegal

Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.

Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar

Cross-Border Data Sharing and India: A study in Processes, Content and Capacity

Amber Sinha, Elonnai Hickok, Udbhav Tiwari and Arindrajit Basu — 2018-09-29T00:37:39Z

A majority of criminal investigations in the modern era necessitate law enforcement access to electronic evidence stored extra-territorially. The conventional methods of compelling the presentation of evidence available for investigative agencies often fail when the evidence is not present within the territorial boundaries of the state.

The crux of the issue lies in the age old international law tenet of territorial sovereignty.Investigating crimes is a sovereign act and it cannot be exercised in the territory of another country without that country’s consent or through a permissive principle of extra-territorial jurisdiction. Certain countries have explicit statutory provisions which disallow companies incorporated in their territory from disclosing data to foreign jurisdictions. The United States of America, which houses most of the leading technological firms like Google, Apple, Microsoft, Facebook, and Whatsapp, has this requirement.

This necessitates a consent based international model for cross border data sharing as a completely ad-hoc system of requests for each investigation would be ineffective. Towards this, Mutual Legal Assistance Treaties (MLATs) are the most widely used method for cross border data sharing, with letters rogatory, emergency requests and informal requests being other methods available to most investigators. While recent gambits towards ring-fencing the data within Indian shores might alter the contours of the debate, a sustainable long-term strategy requires a coherent negotiation strategy that enables co-operation with a range of international partners.

This negotiation strategy needs to be underscored by domestic safeguards that ensure human rights guarantees in compliance with international standards, robust identification and augmentation of capacity and clear articulation of how India’s strategy lines up with the existing tenets of International law. This report studies the workings of the Mutual Legal Assistance Treaty (MLAT) between the USA and India and identifies hurdles in its existing form, culls out suggestions for improvement and explores how recent legislative developments, such as the CLOUD Act might alter the landscape.

The path forward lies in undertaking process based reforms within India with an eye on leveraging these developments to articulate a strategically beneficial when negotiating with external partners.As the nature of policing changes to a model that increasingly relies on electronic evidence, India needs to ensure that it’s technical strides made in accessing this evidence is not held back by the lack of an enabling policy environment. While the data localisation provisions introduced in the draft Personal Data Protection Bill may alter the landscape once it becomes law, this paper retains its relevance in terms of guiding the processes, content and capacity to adequately manoeuvre the present conflict of laws situation and accessing data not belonging to Indians that may be needed for criminal investigations.As a disclaimer,the report and graphics contained within it have been drafted using publicly available information and may not reflect real world practices.

Click here to download the report With research assistance from Sarath Mathew and Navya Alam and visualisation by Saumyaa Naidu

For more details visit https://cis-india.org/internet-governance/blog/cross-border-data-sharing-and-india-a-study-in-processes-content-and-capacity

Takshashila's online Cogitatum on AI and Ethics in India

Admin — 2018-09-26T01:46:39Z

Elonnai Hickok participated in an event organized by Takhshashila on August 27, 2018 and made a presentation on Ethics and AI in India. The event was held in Takshashila Institution

Click to view the slides

For more details visit https://cis-india.org/internet-governance/news/takshashilas-online-cogitatum-on-ai-and-ethics-in-india

SFLC Round Table Discussion on Personal Data Protection Bill

Admin — 2018-10-02T03:16:19Z

Shweta Mohandas participated in a Round Table Discussion on Personal Data Protection Bill, orgnanised by SFLC on September 25, 2018 in Bangalore. She also moderated the first session - Data Protection Principles (Rights and Obligations).

See the agenda of the event here.

For more details visit https://cis-india.org/internet-governance/news/sflc-round-table-discussion-on-personal-data-protection-bill

A trust deficit between advertisers and publishers is leading to fake news

sunil — 2018-10-02T06:44:55Z

Transparency regulations is need of the hour. And urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required.

The article was published in Hindustan Times on September 24, 2018.

Traditionally, we have depended on the private censorship that intermediaries conduct on their platforms. They enforce, with some degree of success, their own community guidelines and terms of services (TOS). Traditionally, these guidelines and TOS have been drafted keeping in mind US laws since historically most intermediaries, including non-profits like Wikimedia Foundation were founded in the US.

Across the world, this private censorship regime was accepted by governments when they enacted intermediary liability laws (in India we have Section 79A of the IT Act). These laws gave intermediaries immunity from liability emerging from third party content about which they have no “actual knowledge” unless they were informed using takedown notices. Intermediaries set up offices in countries like India, complied with some lawful interception requests, and also conducted geo-blocking to comply with local speech regulation.

For years, the Indian government has been frustrated since policy reforms that it has pursued with the US have yielded little fruit. American policy makers keep citing shortcomings in the Indian justice systems to avoid expediting the MLAT (Mutual Legal Assistance Treaties) process and the signing of an executive agreement under the US Clout Act. This agreement would compel intermediaries to comply with lawful interception and data requests from Indian law enforcement agencies no matter where the data was located.

The data localisation requirement in the draft national data protection law is a result of that frustration. As with the US, a quickly enacted data localisation policy is absolutely non-negotiable when it comes to Indian military, intelligence, law enforcement and e-governance data. For India, it also makes sense in the cases of health and financial data with exceptions under certain circumstances. However, it does not make sense for social media platforms since they, by definition, host international networks of people. Recently an inter ministerial committee recommended that “criminal proceedings against Indian heads of social media giants” also be considered. However, raiding Google’s local servers when a lawful interception request is turned down or arresting Facebook executives will result in retaliatory trade actions from the US.

While the consequences of online recruitment, disinformation in elections and fake news to undermine public order are indeed serious, are there alternatives to such extreme measures for Indian policy makers? Updating intermediary liability law is one place to begin. These social media companies increasingly exercise editorial control, albeit indirectly, via algorithms to claim that they have no “actual knowledge”.

But they are no longer mere conduits or dumb pipes as they are now publishers who collect payments to promote content. Germany passed a law called NetzDG in 2017 which requires expedited compliance with government takedown orders. Unfortunately, this law does not have sufficient safeguards to prevent overzealous private censorship. India should not repeat this mistake, especially given what the Supreme Court said in the Shreya Singhal judgment.

Transparency regulations are imperative. And they are needed urgently for election and political advertising. What do the ads look like? Who paid for them? Who was the target? How many people saw these advertisements? How many times? Transparency around viral content is also required. Anyone should be able to see all public content that has been shared with more than a certain percentage of the population over a historical timeline for any geographic area. This will prevent algorithmic filter bubbles and echo chambers, and also help public and civil society monitor unconstitutional and hate speech that violates terms of service of these platforms. So far the intermediaries have benefitted from surveillance — watching from above. It is time to subject them to sousveillance — watched by the citizens from below.

Data portability mandates and interoperability mandates will allow competition to enter these monopoly markets. Artificial intelligence regulations for algorithms that significantly impact the global networked public sphere could require – one, a right to an explanation and two, a right to influence automated decision making that influences the consumers experience on the platform.

The real solution lies elsewhere. Google and Facebook are primarily advertising networks. They have successfully managed to destroy the business model for real news and replace it with a business model for fake news by taking away most of the advertising revenues from traditional and new news media companies. They were able to do this because there was a trust deficit between advertisers and publishers. Perhaps this trust deficit could be solved by a commons-based solutions based on free software, open standards and collective action by all Indian new media companies.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-sunil-abraham-september-24-2018-a-trust-deficit-between-advertisers-and-publishers-is-leading-to-fake-news

Find ways to trace origin of messages: Government to WhatsApp

Admin — 2018-09-24T02:53:23Z

Unhappy with the steps taken so far by WhatsApp, the government plans to trace the origins of incendiary messages spread on its platform.

The article by Surabhi Agarwal was published in Economic Times on September 20, 2018. Sunil Abraham was quoted.

The Ministry of Electronics and IT (MeitY) is drafting a letter — its third since July to the Facebook-owned platform — asking it to design a technology-led solution to the issue that in the past has led to mob lynching or riots in the country. Since India first raising its concerns, WhatsApp has announced measures such as limiting forwards to five groups at a time from the earlier 250, identifying forwarded messages, and a publicity campaign against fake news.

The government says these measures may not be enough. “It’s a reasonable demand from us, and very much doable. The third letter will reiterate that WhatsApp is not meeting all our concerns,” said a top government official, who did not want to be identified.

If WhatsApp feels the solution given by the government for traceability goes against its end-to-end encryption policy, then the company should be able to find a solution on its own which is technically feasible without compromising on its offering, the official said. “We are not asking them to look into the contents of the message, but if some message has been forwarded, say, 100 times and has caused some law and order problem, then they should be able to identify where it originated from,” he said, adding that WhatsApp cannot absolve itself from responsibility in the name of user privacy. “We are not being unfair since we can’t allow anonymous publishing.”

WhatsApp could not be immediately reached for comment.

Some analysts say the government’s demand from WhatsApp is reasonable and the company could provide traceability using metadata without compromising on encryption.

“For basic level of traceability, storing the metadata is enough,” said Sunil Abraham, executive director of Center of Internet and Society.

“For the kind of traceability that the Indian government is asking for, WhatsApp may have to break its end-toend encryption. But other kind of traceablity, such as who is messaging whom, how many times, who are the propagators of messages, and who are receivers, can all be seen through storing just metadata.”

Just like every organisation used to store copies of end-of-end encrypted emails on their own servers, similarly WhatsApp can either store copies of encrypted messages or the metadata, he said. Last month, at a meeting between Union minister for electronics and IT Ravi Shankar Prasad and WhatsApp CEO Chris Daniels, the government asked the company to appoint a grievance officer in India, set up an Indian entity, and ensure traceability of messages.
While the company agreed to register a corporate entity and build a team here, a stalemate over the issue of traceability continues.

“(WhatsApp) needs to find solutions to deal with sinister developments like mob lynching and revenge porn and has to follow Indian law,” Prasad said in August. “It does not take rocket science to locate a message being circulated in hundreds and thousands...

(WhatsApp) must have a mechanism to find a solution.”

WhatsApp has maintained that people rely on the platform for all kinds of sensitive conversations, including with their doctors, banks and families. “Building traceability would undermine end-to-end encryption and the private nature of WhatsApp, creating the potential for serious misuse. WhatsApp will not weaken the privacy protections we provide,” the company’s spokesperson said in August after the demand from the Indian government on traceability.

The official quoted earlier reiterated that the government is notasking the company to break its end-to-end encryption, adding that if the company could find ways to tag non-original content with ‘forward’ labels and flag some links as spurious, it could also find a way around this problem.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-september-20-2018-find-ways-to-trace-origin-of-messages-govt-to-whatsapp

Forecasting the Implications of the CLOUD Act Around the World

Admin — 2018-09-20T15:51:48Z

Elonnai Hickok participated in the event organized by the Global Network Initiative at the Russell Senate Office Building, Washington D.C. on September 18, 2018 as a speaker.

Elonnai spoke on the CLOUD Act from an Indian perspective based on the article that she co-authored with Vipul Kharbanda.

For more details visit https://cis-india.org/internet-governance/news/forecasting-the-implications-of-the-cloud-act-around-the-world

Conference on Data Protection

Admin — 2018-09-20T14:47:17Z

Sunil Abraham and Amber Sinha participated in a conference on data protection at NIPFP in New Delhi on September 4, 2018. The event was organized by National Institute of Public Finance and Policy.

Sunil Abraham and Amber Sinha were discussant in the session Disclosures in Privacy Policies: Does Consent Work?

Click to see the agenda

For more details visit https://cis-india.org/internet-governance/news/conference-on-data-protection

'What Security Breach?' The Unchanging Tone of UIDAI's Denials

Admin — 2018-09-19T14:14:53Z

This week brought with it another instance of Aadhaar déjà vu. The narrative is now eerily familiar to people with even a passing acquaintance with the matter.

The article by Karan Saini was published in the Wire on September 12, 2018

A security vulnerability in the Aadhaar ecosystem comes to light, usually through civil society stakeholders or the media. The Unique Identification Authority of India (UIDAI) issues a standard denial, refuses to publicly acknowledge that it has to course-correct and fix the problem, and the public waits for the process to repeat.

Following a three-month-long investigation by Huffington Post into the known and documented problem of cracked Aadhaar enrolment software, several security experts from within the country and elsewhere were able to conclude that the authenticity of entries within the Aadhaar database was likely compromised to an unknown extent. This was a direct result of a patched version of the enrolment software with stripped security features being circulated and used by potential hostile actors – among others.

The patched software bypasses several crucial security features of the enrolment client and could have also been used to get around the biometric authentication which legitimate enrolment operators would have to undertake before attempting to add new entries to the database.

The UIDAI responded to this report with a statement which is nearly identical to many of the authority’s previous press releases on alleged security incidents.

In its statement, the UIDAI said that “the claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless”.

The statement which was issued by the authority seems straightforward but is actually cryptic in its very nature. The story published by Huffington Post did not categorically assert that the software bypass was being used ‘to generate multiple Aadhaar cards’, while the authority’s statement specifically refuted this claim.

This is, sadly, not new. The Aadhaar authority has always purposely misinterpreted what is actually being alleged in critical stories, and then presented their interpretations in their statements of rebuttal, which essentially amount to irresponsible dissemination of misleading information.

For instance, the UIDAI ignores that even without the issue of cracked enrolment software, there are already many proven cases of ghost entries in the database, including that of a Pakistani ISI spy as well as an Uzbek national involved in illegal sex-trade in the country. Both of these persons held real, valid Aadhaar cards which were issued to them under false identities.

The UIDAI also states that enrolments are verified at their backend system in order to prevent any such false entries from finding their way into the database. Given this, the question arises – how did these highlighted cases of false entries make it through the supposed checks and balances in place to the point where Aadhaar numbers for these persons were issued (and delivered)?

Similar events took place when in March 2018, ZDNet broke the story of an application programming interface (API) hosted on the website of utility provider Indane Gas, which could have been abused by hackers to steal information such as full names, Aadhaar numbers, names of linked banking institutions as well as details of the specific utility provider which a person uses for a major chunk of the population.

The UIDAI statement at the time baldly claimed that there was no breach of its central database (what is called the ‘CIDR’) and that biometric data were safe. The only problem? Neither of these issues were asserted or even hinted at in the original story.

Reporters from the publication had attempted to reach out to UIDAI repeatedly – and that too through several mediums of communication, such as phone, email and even direct messages to the official UIDAI Twitter account – all to no avail.

“We tried to contact UIDAI by phone and email after we learned of the Aadhaar data leak. We eventually sent all the details in a Twitter DM message — but only because UIDAI wouldn’t offer […] an email address to send this data leak issue to,” posted Zack Whittaker, the reporter who had broken the story for ZDNet, as a tweet on his public Twitter account.

This was not the first time the authority had done such a thing (and neither was it the last, as we see with the Huffington Post story), as witnessed in the January 2018 incident with the Tribune; where the UIDAI did not respond to the paper’s attempts at communication at all before publication and later used it to state that no security incident had taken place altogether.

Reporters from the Huffington Post had also attempted to reach out to UIDAI prior to publication of the story; attempts at communication which the UIDAI willingly left unanswered. After UIDAI’s rebuttal, the Huffington Post published a statement of their own in which they asserted that they stood by the claims made in their story, while also making it known that the UIDAI had never responded directly to any of their communication.

The UIDAI’s most recent statement deploys a bizarre array of security jargon including buzzwords such as “full encryption”, “access control” and “tamper resistance” – without providing any elaboration on what any of these things would help prevent with regard to the issues raised in the media report.

This obfuscation is very troubling, and particularly so for those people who do not actively follow news regarding the troubles of the programme or other media organisations that are not equipped to understand the nuances of security reporting. For both groups of people, the statements issued by the UIDAI would be enough of an assertion to lead them to believe that all is well with the project and that anyone saying otherwise is an “unscrupulous element” with “vested interests”.

After the first few incidents, the authority’s cookie-cutter response seems to be part of the playbook through which they seek to protect their image: by retaining the ability to publicly deny an incident, even if it has already taken place; which is done by never confirming (or even acknowledging) an issue before publication. This is presumably done out of fear of the reputational damage which would inevitably be caused by admittance of a compromise or fault on their part.

Consider what happened with the Tribune breach report. The UIDAI officially denied it (even though some of their lower-level officials were quoted in the story), filed an FIR against the journalist. When the dust settled down, a prominent business newspaper ran a story which strangely enough quoted anonymous officials who highlighted the steps that were taken to fix the problem.

The UIDAI understands that ‘the first step in solving a problem is to recognise that it does exist’. Acknowledging problems within the Aadhaar project would be catastrophically damaging for the authority as well as the public’s perception of them. This is why we are always presented with almost indistinguishable statements of rebuttal and denial from the UIDAI, which too are never backed with any evidence.

Seeing as how the UIDAI’s statements almost always end up backfiring, their decision to employ a social media agency to monitor the internet for chatter on Aadhaar starts to make a little sense. For a while now, the authority has wished to undertake mass digital surveillance through social media and other online forums in order to track “top detractors” of the Aadhaar scheme and counter them to effectively “neutralise negative sentiments” surrounding the project.

This move, however, was challenged by petitioner Mahua Moitra who saw it as “an attempt by the State to overreach the jurisdiction of the Hon’ble Supreme Court in matters where the legality of social media surveillance and Aadhaar itself is under challenge”.

For now, the next time we are hit with a sense of déjà vu when it comes to an Aadhaar-related security incident, we should see through the UIDAI’s statements for what they truly are: hopeless attempts at damage control for a system that is crumbling at its very foundation.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-september-12-2018-what-security-breach-the-unchanging-tone-of-uidai-denials

Meeting of Information Systems Security and Biometrics Sectional Committee

Admin — 2018-09-19T14:08:23Z

Gurshabad Grover attended the 14th meeting of the Information Systems Security and Biometrics Sectional Committee (LITD 17) of the Bureau of Indian Standards (BIS), which was held at the BIS office in New Delhi on 14 September 2018.

This was Gurshabad's first LITD 17 meeting. The committee noted my co-option in the committee and registration in Working Group 1 (Information security management systems) and WG5 (Identity management and privacy technologies) of ISO JTC 1 / SC 27 / “IT Security Techniques”. Some of the items discussed included proposed standards for biometric information protection, mobile phone security, and data privacy engineering & management practices.

For more details visit https://cis-india.org/internet-governance/news/meeting-of-information-systems-security-and-biometrics-sectional-committee

'Why should we talk to Dunzo?' State regulators fume at liquor delivery

Admin — 2018-09-19T14:04:35Z

In 2016, the Chandigarh police ordered thirty bottles of liquor on getTalli, an online liquor ordering platform.

The blog post by Aroon Deep was published in Medianama on September 7, 2018

“We do not sell liquor. On your request, we procure liquor from a government authorized vendor on your behalf and deliver it to you,” getTalli explained on its website, according to a Hindustan Times report. The police weren’t exactly interested in consuming that liquor. The order was a trap. They arrested both Pratham Gupta and Anurag Awasthi, who founded the site. The two were charged with criminal conspiracy, fraud, and a state law prohibiting “unlawful import, export, transport, manufacture, possession, etc”. The site was shut down.

Excise is a state subject, so each state has varying levels of strictness in regulating services like Dunzo, which allow users to buy alcohol (among several other things) through them. Karnataka is among the stricter jurisdictions. Dunzo stopped delivering alcohol in the state when regulators made noise about online alcohol delivery not being a recognized mode of sale. “Why should we talk to [Dunzo]?” Rajendra Prasad, an excise official in Bangalore told MediaNama. Dunzo doesn’t seem to have government relations managers, so the company has chosen simply to shut down alcohol delivery rather than engage with regulators. Alcohol deliveries previously accounted for around one in thirty orders for Dunzo in Bangalore, an employee told The News Minute.

Alcohol delivery and the law

On the face of it, alcohol delivery — at least the kind used by Dunzo — doesn’t seem to be cause for regulatory concern. Third party delivery services can’t have their own inventory, so they must simply buy liquor from authorized retailers and deliver them to customers. This doesn’t seem to have any downsides, since the delivery is separately charged and taxed; and the tax on the alcohol is also paid. But regulators have continued to cry foul.

Aayush Rathi, a policy officer at the Centre for Internet and Society, pointed out that the Karnataka Excise Act — and possibly other states’ excise regimes — gives states a lot of control on regulating the movement of alcohol. “A ‘sale’ in the Karnataka Excise Act is defined as ‘any transfer otherwise than by way of gift’,” Rathi told MediaNama. This definition essentially makes online ordering and delivery of liquor illegal — even if the service doing it doesn’t maintain inventory. Since there is no license for online delivery of alcohol, there is little by way of legal standing services like Dunzo have when faced with regulatory scrutiny.

But that is assuming that the regulatory scrutiny comes in the first place. While Punjab and Karnataka have chosen to use the vast regulatory powers the law grants them, other states haven’t done the same. In Gurgaon and Pune, though, alcohol deliveries continue unabated. HipBar, which delivers alcohol across India, told The News Minute, “HipBar is engaging with multiple states and their respective regulators to move the needle on last mile deliveries of alcoholic beverages with reasonable restrictions and safeguards in place, such that the letter and spirit of the excise policy is not vitiated.” That brings the question of whether the current model of last-mile delivery by services like Dunzo and HipBar violate the spirit of excise law in the first place.

For more details visit https://cis-india.org/internet-governance/news/medianama-september-7-2018-aroon-deep-why-should-we-talk-to-dunzo-state-regulators-fume-at-liquor-delivery

Gender and Privacy: Countering the Patriarchal Gaze

Admin — 2018-09-19T01:48:07Z

Ambika Tandon participated in a workshop on privacy and gender which was organized by Privacy International in United Kingdom on September 13 and 14, 2018. Ambika was part of a panel on reproductive rights and privacy in India. She also recorded a podcast on the same topic, as part of a series on privacy and gender being hosted by Privacy International.

Read the Agenda here

For more details visit https://cis-india.org/internet-governance/news/gender-and-privacy-countering-the-patriarchal-gaze

Haryana Cops Say Internet Shutdowns Hurt Police Operations

praskrishna — 2018-09-18T15:57:12Z

India sees a very high number of Internet shutdowns, often to preserve law and order, but Haryana cops are arguing against the practice.

The article by Gopal Sathe was published by Huffington Post on September 19, 2018.

Ahead of a Haryana court verdict in a rape case against Dera Sacha Sauda (DSS) head Gurmeet Ram Rahim Singh, mobile Internet services were shut down in nearby areas such as Panchkula and Mohali. The Hindustan Times reported that SMSes, mobile Internet and all services apart from voice calls were suspended to keep the peace.

But as a result of the shutdown, police in Panchkula faced a challenge in estimating the size of crowds gathered at different locations. "We were until then sharing information and photos on WhatsApp to figure out the number of people pouring in the city from various points as it helped identify problem areas. DSS followers had started gathering August 22 onwards," Panchkula police commissioner Arshinder Singh Chawla has said, according to a report by Manoj Kumar first published by the Centre for Internet and Society.

This was a replay of events during the Jat agitation of 2016 as well—protestors were present in much greater numbers than police personnel, who were not aware of the scenario on the ground. The police also worried about sending messages asking for help over the radio, as this could have been tapped into by the protestors, according to the report.

The lack of mobile Internet during the DSS-related Internet shutdown also affected the use of technology such as drone cameras, Chawla said. And because the police could not communicate with security personnel at the court complex, the police inside had to scale walls to leave safely, as they could not ask their colleagues for backup.

The report points out that this is in stark contrast to what happened in Mumbai, where former police commissioner Rakesh Maria made use of WhatsApp and SMS messages to prevent a scuffle from turning into a riot during Eid celebrations in early 2015.

A study by the Software Freedom Law Centre stated that India has already over 100 Internet shutdowns in 2018, Medianama reported. The five states with the most shutdowns are Jammu and Kashmir, Rajasthan, Uttar Pradesh, Maharashtra and Bihar. This has been criticised by many, including the UN, and as the Haryana police's experience show, the shutdowns are not just harming citizens, but are counter-productive to maintaining order as well.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-september-17-2018-haryana-cops-say-internet-shutdowsn-hurt-police-operations