We are anonymous, we are legion

Aadhaar Remains an Unending Security Nightmare for a Billion Indians

Admin — 2018-05-13T16:28:40Z

Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.

The article by Karan Saini was published in the Wire on May 11, 2018.

Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.

As India waits for the apex court’s judgement, this is as good time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.

Poor security standards

Let’s start with the lackadaisical attitude towards information security. As has become evident in the past, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.

There are several government websites which implement Aadhaar authentication while at the same time lack in basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the Director General of Foreign Trade, the website for the National Food Security Mission and the Medleapr website.

With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.

It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.

The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.

In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.

What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured API and sensitive portals without proper access controls.

Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.

It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.

A detailed analysis of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.

Threat level infinity

Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.

For instance, demographic information – as is stated in the draft for the Aadhaar Act (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.

However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.

If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected and it would have far-reaching consequences for everyone affected which might be very hard to offset.

On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs have been known to integrate data acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and then linking the same to residents’ corresponding Aadhaar data.

Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.

Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.

Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I discovered that it was possible to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.

This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker, NFSM.gov.in and seems to be standard practice which seems to be enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.

This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced neverthelessby third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.

The bank mapper rabbit hole

As of February 24, 2017, it was possible to retrieve bank linking status information directly from UIDAI’s website without any prior verification.

However, after this information was reported, the ‘uidai.gov.in’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.

A year later – when business technology news site ZDNet published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.

This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.

More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).

This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, which “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.

Who is on the hook?

There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?

Most of the times, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.

Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.

The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.

In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.

Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI sent a legal notice to the organisation, stating that the people involved with the report had to be “brought to justice”.

In January 2018, an investigative story was published by Rachna Khaira of The Tribune newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.

Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.

In March 2018, ZDNet published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence issue and its scope. It was preempted by more than a month of attempted communication through several channels of communication – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).

But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.

Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.

Hide and seek

In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen latest in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.

Following this – the EPFO quickly switched to PR mode and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”

Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports which they’re meant to be arguing (in some cases) contain verifiable evidence which is the result of arduous investigative work.

Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.

In response to a recent story by Asia Times regarding Aadhaar enrolment software being cracked and sold, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.

The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.

Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.

The way forward

In April 2018, the head of the Indian Computer Emergency Response Team (CERT-IN), rather defensively noted that “not a single person had reported any incident” to the organisation.

CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.

In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.

Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.

It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.

I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.

The US Department of Defense (DoD) employs a similar approach where they invite hackers from the world over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

RightsCon Toronto 2018

Admin — 2018-06-07T14:31:20Z

RightsCon is organizing the 2018 edition of the event at Beanfield Centre at Exhibition Place, Toronto in Canada. A session on Pervasive Technologies project titled "Cheap and chipper: IP in India’s affordable smartphones" is scheduled on May 17, 5.15 p.m. to 6.15 p.m. in the International Trade and the Commons track. (Room #203B, Beanfield Centre).

We present the findings of the Centre for Internet and Society’s "Pervasive Technologies" research project that concluded last year. The project was an endeavour to study how Internet-enabled mobile phones sold for USD 100 or less interact with India's intellectual property laws. These low-cost technologies that lie in a grey zone of IP laws have been instrumental in bringing access to the Internet and, in turn, access to knowledge and information to people. The project undertook a study of the mobile device landscape in India while developing legal strategies to ensure that consumers continue to have access to inexpensive devices; that manufacturers, software developers and content creators operating in the budget device segment are not snuffed out by litigation; and that the rights of IP holders are not infringed upon.

Each researcher will elucidate on her findings in the areas of patents and copyright pertaining to the hardware, software and media content and the interaction of these findings with public policy.

Maggie Huang, Amba Kak, Rohini Lakshané, Vidushi Marda and Anubha Sinha are among the speakers at the event. For more info click here

Amber Sinha remotely participated in a private meeting on 'Strategizing Civil Society Roles in the Artificial Intelligence Debate'.
Anubha Sinha, Maggie Huang, Rohini Lakshané and Vidushi Marda presented their findings from the Pervasive Technologies project in a panel titled "Cheap and Chipper: IP in India's Affordable Smartphones". Prof Michael Geist moderated the session. Anubha Sinha and Vidushi Marda participated remotely.
Elonnai Hickok participated in these sessions: IDRC cyber policy meeting; GNI board meeting; GNI learning session on MLATs; FOC-AN meeting; GNI session on Intermediary Liability.

For more details visit https://cis-india.org/a2k/news/rightscon-toronto-2018

Meeting of Coalition for an Inclusive Approach on the Trafficking Bill

Admin — 2018-08-18T09:21:36Z

Gurshabad Grover attended a meeting of the Coalition for an Inclusive Approach on the Trafficking Bill at the Alternative Law Forum, Bangalore on May 3, 2018.

The coalition is working on a report highlighting the various concerns in the recently Cabinet-approved Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018.

Swaraj Barooah had written a blogpost about some provisions in the Bill that could potentially impact freedom of expression. These inputs have been incorporated into the report the Coalition is preparing.

Clarification (18th August, 2018): A letter sent to the Ministry of Women and Child Development mentioned the Centre for Internet & Society as instituionally endorsing a critique of the The Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018. We seek to clarify that the Centre for Internet & Society did not endorse the letter to the Ministry.

For more details visit https://cis-india.org/internet-governance/news/meeting-of-coalition-for-an-inclusive-approach-on-the-trafficking-bill

Digital India' in Dire Need of Safety Policy Reboot - Cybersecurity Experts

Admin — 2018-05-05T12:00:43Z

Some experts say the need of the hour is for India to update its cybersecurity policy to respond to growing threats in cyberspace. Information warfare specialists hint at the local storage of digital information as the key to the cybersecurity of the country.

The blog post was published by Sputnik on April 17, 2018. Sunil Abraham was quoted.

The afternoon of the first Friday of April was a telling statement on India's biggest nightmare — a digital meltdown. It was so glaring that the National Media Centre in the capital Delhi was abuzz with media persons seeking to ascertain the news of around 10 government websites, including those of the Ministry of Defense and the Ministry of Home Affairs, was hacked and the government seemed clueless. No government official was ready to speak, prompting the day's headlines to thrive on speculations with television channels running news flashes attributing the mischief to a "Chinese" hacker.

The Defense Ministry website was showing Mandarin characters in an error message which further gave strength to the conspiracy theory. In panic, the Ministry of Home Affairs shut down its portal, creating further speculations.

In the absence of an official statement, the press based their news reports on a tweet by Defense Minister Nirmala Sitaraman which confirmed the alleged hack. A sense of a massive cyberattack engulfed the air.

The general sense was that it was a digital offensive targeted against India and perpetrated by none other than its neighbor China. There was a sudden outrage among social media users who accused the government of failing to protect the nation's digital assets and letting India be vulnerable to cyber threats.

After Ministry of Defence, suspected Chinese hackers hack Ministry of Home Affairs’ website too. Welcome to Modi’s Digital India Jumla. #IndiaDoesNotTrustBJP #IndiaHatesBJP

However, late in the evening, National cybersecurity head Gulshan Rai conveyed that all 10 websites hosted by the National Informatics Centre (NIC) went down due to "a hardware failure" while declining to comment on the possibility of a cyberattack by any neighboring country.

"There is no hacking or coordinated cyberattack on the website of central ministries. There was a hardware failure in the storage network system at the NIC which resulted in a number of government websites being serviced by that system going down. We are working to replace the hardware and these websites will be up soon," Rai said in a statement putting to rest all speculations.

The National cybersecurity head, who directly works under thExperts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.e supervision of Indian Prime Minister Narendra Modi, also confirmed that a total of ten websites, including that of the Central Bureau of Investigation, the Central Vigilance Commission, the e-gazette of India, and the websites of the Ministries of Law, Civil Aviation, Defense, Home Affairs, Labor, Water Resources and Science & Technology suffered due to the hardware failure.

Nevertheless, experts say that India needs a robust framework not only to protect the cyber assets, but also quickly assess threats in view of the experience.

"Technical glitches happen, especially when you have so many hardware and software products connected online. The immediate reaction of the hack (on Friday, 6th April 2018) was in haste and caused all the confusion but no such hack took place. We need to have a more robust framework for response, reporting, and reaction," cyber expert Rakshit Tandon told Sputnik.

The brief period of inaccessibility of the government websites and the ensuing panic was symptomatic of a situation which India is facing. Even if it was not a hack, the hardware failure is worrying for the billion plus nation, say experts.

The cyber emergency in India was not the first. Last year, the Home Ministry websites had to be temporarily shut down following a cyberattack. This was in close heels to a hack of the website of the elite Indian special force National Security Guard (NSG) by a suspected Pakistan based group. In 2016, data from Indian missions in Africa and Europe were hacked and posted online by unknown hackers.

The Indian Computer Emergency Response Team (CERT-In), the premier cyber security agency of India had stated in a reply in Parliament that until June 2017 India had more than 27,000 cyberattacks of all levels and cost the economy around $4 billion.

The Hindustan Times in a report predicts that with India embarking on an ambitious digitalization mode, the total losses from cybersecurity threats for the country could touch $20 billion over the next ten years.

Experts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.

"We have a national cybersecurity policy but we don't have a clear commitment from the government when it comes to financial allocations. The government must fund small and medium-sized enterprises to produce innovative cybersecurity products and services. Separately, the government must fund research by corporations, civil society organizations, educational organizations, and individuals which should be published in peer-reviewed open access journals and also presented at national and international cybersecurity academic conference," Sunil Abraham, executive director, Centre for Internet and Society told Sputnik.

"India has the best minds when it comes to hacking. In fact, a majority of the top hackers in the world are Indians but they are not part of India's security apparatus and not in the country's service," Rizwan Shaikh, ethical hacker and one of the youngest information security consultants in South Asia told Sputnik.

Rizwan was in the news recently when he drew the attention of the government about the severe lacuna in the Indian Railway system which is called the backbone of Indian economy employing around 1.3 million people and running 13,000 passenger trains daily.

The ethical hackers cannot sustain in the government ecosystem, they need patronage and incentives in terms of recognition, but the government of India lacks any such program. There was a program launched recently by the Ministry of Information Technology but it has failed to attract good minds due to its lack-luster management. In India, even if I find a loophole, there is no reporting system to intimate and no proper heads to initiate action, Rizwan added.

The Indian government has multiple stakeholders to monitor and report on digital emergency situations. The plethora of agencies begin with the nodal agency of the Ministry of Electronics and Information Technology, there is a hub called the National Critical Infrastructure Information Protection Center, then there is the interior security ministry of Home Affairs which is the oversight authority over all investigative agencies in the country and there is a new institution by the name national Cyber Coordination Centre created recently.

Rakshit Tandon says that "a sudden spurt in online transactions especially after demonization (in October 2016), coming of 4G mobile networks, cheaper smartphones, and the prestigious vision of 'Digital India' have made the country and its population more prone to cyber threats."

Moreover, with the controversy of the British political consulting firm Cambridge Analytica allegedly using personal details of Indian social media users has created a sense of insecurity among the online population of the country.

In view of the threat to personal and national digital security, Sunil Abraham calls for an approach to a complete upheaval the country's cyber laws to combat the threat. He says simply user behavior change is not sufficient for keeping Indians safe from digital harm.

"First, India needs a comprehensive omnibus data protection law, in the lines of the GDPR which exists for the EU. Second, India needs amendments to our existing competition law. Once the law has been updated to give the regulator powers to go after Internet monopolies —we need a comprehensive investigation of the anti-competitive activities, especially in the digital advertising sector. Change in user behavior is not sufficient to mitigate harms resulting from Internet monopolies. These harms can only be addressed via appropriate, comprehensive and proactive action by lawmakers and regulators," Sunil Abraham said.

Information warfare specialists hint at the local storage of digital information as the key to cybersecurity of the country.

"A nation the size of India can never be a comfortable partner for other great powers who will always be uneasy of the latent power of this sleeping giant. Consequently unlike Japan, South Korea or Singapore, we cannot rely on a security umbrella from another great power to reach our full economic potential," Pavithran Rajan, information warfare specialist based out of Bangalore, told Sputnik.

Pavithran Rajan is a former Indian Army officer-turned writer and trainer on cyber issues.

The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. The solution lies in localizing the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market, he added.

Rajan feels that data protection for India is vital as it is on the cusp of a major technological advancement and has opined that the country needs to put in place legal stipulations on data transfers.

"The advent of the IoT (Internet of Things technology) would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on the transfer of data to controllers who have no presence in India," Pavithran Rajan told Sputnik.

The earliest technology-based law in India was the Indian Telegraph Act of 1885 which is still operational and encompasses the telephone services as well. With the advent of the digital age, India brought in the Information Technology Act in the year 2000 and lastly, a National Cybersecurity Policy was drafted and presented for action 2013, but its actual implementation has not yet taken place. With the fast changing digital ecosystem, India, the largest democracy in the world, struggles to keep pace with the threats it faces and the dangers seem imminent.

For more details visit https://cis-india.org/internet-governance/news/sputnik-april-17-2018-digital-india-in-dire-need-of-safety-policy-reboot-cybersecurity-experts

Artificial Intelligence for Growth: Leveraging AI and Robotics for India's Economic Transformation

Admin — 2018-05-05T09:08:07Z

Amber Sinha took part in the second international conference organized by ASSOCHAM at Hotel Shangri-La in New Delhi on April 27, 2018.

Keynote Address

12.15 p.m. - 12.30 p.m.: Shri Gopalakrishnan S., Joint Secretary, Ministry of Electronics and IT, Government of India

Special Address

12.30 p.m. - 12.45 p.m.: Dr. Pushpak Bhattacharyya, Director and Professor, Computer Science and Engg, IIT Patna and Chairman, BIS Committee for Standardisation in Artificial Intelligence

Panel Discussion

Session Moderator

12.45 p.m. - 1.40 p.m.: Shri Sudipta Ghosh, India Leader, Data and Analytics, PwC

Panelists

Shri Amber Sinha, Senior Programme Manager, Centre for Internet and Society
Shri Utpal Chakraborty, Lead Architect - AI, L&T Infotech
Shri Atul Rai, CEO & Co-Founder, Staqu Technologies
Shri Prabhat Manocha, IBM

For more details visit https://cis-india.org/internet-governance/news/artificial-intelligence-for-growth-leveraging-ai-and-robotics-for-indias-economic-transformation

#NAMApolicy on Online Content Regulation

Admin — 2018-05-05T01:52:21Z

Swaraj Barooah attended the #NAMApolicy on Online Content Regulation organized by Media Nama at India Habitat Centre in New Delhi on May 3, 2018.

Agenda

01:30 p.m. - 03:00 p.m.: Panel #1 & Open House - News

03:00 p.m. - 03:15 p.m.: Tea break

03:15 p.m. - 04:45 p.m.: Panel #2 & Open House - Entertainment

04:45 p.m. - 05:15 p.m.: Remaining issues

05:15 p.m. - 06:00 p.m.: High-tea

01:30 p.m. - 03:00 p.m.: Panel #1 & Open House - News03:00 p.m. - 03:15 p.m.: Tea break03:15 p.m. - 04:45 p.m.: Panel #2 & Open House - Entertainment
04:45 p.m. - 05:15 p.m.: Remaining issues
05:15 p.m. - 06:00 p.m.: High-tea

For more details visit https://cis-india.org/internet-governance/news/namapolicy-on-online-content-regulation

Cyber experts say 'playground open' for influencing elections

Admin — 2018-05-03T03:17:33Z

Cyber experts said that under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook.

This article was published in the Economic Times on May 2, 2018. Sunil Abraham was quoted.

With the Karnataka Assembly elections round the corner, the cyber experts have said that it is quite possible to influence elections in India.

Talking to ANI, cyber expert Sunil Abraham did not rule out the possibility of influencing the voters as India does not have data protection law in place.

He said under the provisions provided by 43 (A) of Indian IT Act, two types of data collection are completely legal: first, the data shared by the user in the public domain and secondly, the data published by the social platforms, like Facebook and Twitter, which was shared by the user for his/her friends.

"Both these types of data are not considered sensitive personal data. Under Indian law, if they are collecting your biometrics, passwords and health information only then they need your consent," Abraham told in an exclusive interview.

Replying a question about the chances of political parties influencing elections, Abraham said, "One cannot answer this question with a clear yes or no. But, the more a political party has in its database about you; the more they can micro-target you for various types of advertising."

He, however, said with the literacy level of Indian internet users, the chances are high that they can be manipulated.

"Once they do this, especially in a country where 30 percent of the public is illiterate and only 10 percent of public knows English and many-many users have just come online, there is a high chance that these users can be manipulated," the cyber expert said.

When asked can it be termed influence, he said, "It will definitely be an influence. Most of the internet users in India have just come online, they don't have media literacy; they have not consumed older technologies like television and broadcast media like radio sufficiently enough so it is easy for these users to get fooled by the content that is propaganda and fake news etcetera."

Abraham said it is unlikely that India will have a data protection law before 2019 general elections, which means the playground is open for people with a clever idea to manipulate voters.

"India is working on data protection laws from last eight years. With the existing laws; all the political parties, social media companies, and search engine optimization companies etcetera can do what they want and they won't get into trouble. So, it is very unlikely that this data protection law is going to be approved by Parliament the 2019 elections. So for the 2019 elections, it is going to be very exciting times because anybody who has any clever idea when it comes to manipulating voters, they will definitely try it. Because, there is no law to stop them from trying those tricks," the cyber expert said.

Replying to another question about India's position in data security, he said, 'India is lagging as per the global trend across the world. The European Union's world-class data protection law called 'General Data Protection Regulation' is being followed by all the countries with the exception of the US. About 108 countries have the data protection laws which look similar to the EU's General Data Protection Regulation."

He, however, added, "We shouldn't be upset because making a law in a big country like India takes time. Shri Krishna Committee is going to present the draft of the Indian data protection law and hopefully, within one or two years India will have data protection law."

Another expert Shubhamangala Sunil told ANI that "In India, our data is not secure today. Be it politicians or businesses, they want the database of people. Many data breaches have already happened and they are being used for different propagandas".

She said the union government and state governments should come forward and tell people about data security measures instead of people complaining about the data breach.

She also said India is at least 10 years behind in comparison with the world in the cyber security domain.

The comments of the experts have come in the backdrop of recently data breach in the Facebook wherein its CEO Mark Zuckerberg faced US Congress for two days over the data theft. The Facebook-Cambridge Analytica data scandal involves the collection of personally identifiable information of up to 87 million Facebook users and almost certainly a much greater number that Cambridge Analytica began collecting in 2014.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-2-2018-cyber-experts-say-playground-open-for-influencing-elections

Data Usage by Political Parties

Admin — 2018-05-03T03:14:02Z

Sunil Abraham spoke to ANI regarding collection of data and its use by political parties for electoral gains.

In law, if bio metrics, passwords & health info are collected, only then consent is needed. The more a political party has in its database, the more they can micro-target you. It'll be an influence: Sunil Abraham,cyber expert on date usage by political parties #KarnatakaElections pic.twitter.com/eUk478jJbB
— ANI (@ANI) 1 May 2018

See the original here

For more details visit https://cis-india.org/internet-governance/news/ani-may-2-2018-data-usage-by-political-parties

Now, Twitter too caught up in Cambridge Analytica controversy

Admin — 2018-05-02T02:49:25Z

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

The article by Prasun Sonwalkar and Vidhi Choudhury was published in the Hindustan Times on April 30, 2018. Sunil Abraham was quoted.

Social media company Twitter Inc sold data to the University of Cambridge academic Aleksandr Kogan who harvested millions of Facebook users’ information without their knowledge, it has emerged, although the company has clarified that no private data was accessed.

It isn’t clear whether any of the data pertained to Indian users.

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

Kogan, who created tools that allowed political consultancy Cambridge Analytica to psychologically profile and target voters, bought the data from the microblogging website in 2015, well before the recent scandal, involving use of the data of Facebook users, came to light.

According to The Daily Telegraph, Kogan bought data on tweets, user names, photos, profiles and locations over a five-month period between December 2014 and April 2015 through his company Global Science Research (GSR). Twitter said it had banned GSR and Cambridge Analytica from buying data or running advertisements on the website and that no private data had been accessed, while Kogan insisted the data had only been used to create "brand reports" and "survey extender tools" and that he had not violated Twitter's policies.

The daily reported that Twitter charges companies and organisations for large data sets that are particularly useful for gleaning public opinion or receptiveness to certain topics and ideas, although Twitter bans companies from using the data to derive sensitive political information or matching it with personal information obtained elsewhere.

A Twitter spokesman confirmed the ban and said: "Twitter has also made the policy decision to off-board advertising from all accounts owned and operated by Cambridge Analytica. This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. "Cambridge Analytica may remain an organic user on our platform, in accordance with the Twitter Rules."

The company said it does not allow "inferring or deriving sensitive information like race or political affiliation, or attempts to match a user's Twitter information with other personal identifiers" and that it had staff in place to police this "rigorously".

Sunil Abraham, founder for think tank Centre for Internet and Society said: “Even though Twitter claims it has contracts in place and staff for contractual enforcement, I cannot understand how they will prevent those buying their data from inferring race and political affiliation. Especially in jurisdictions like ours without comprehensive data protection law.”

A Cambridge Analytica spokesman said the company used Twitter for political advertising but insisted that it had never "undertaken a project with GSR focusing on Twitter data and Cambridge Analytica has never received Twitter data from GSR”.

Delhi-based lawyer Apar Gupta said, “Since we do not have a data protection law at present we are more or less dependent on the proactive disclosures by Twitter. Facebook is not a gold standard of upholding user rights and it is hoped that we soon have a regulator that can enforce such disclosures and place penalties.”

On 5 April, Facebook said user data of more than 560,000 Indians may have been harvested by British researcher Cambridge Analytica, at the centre of a recent storm over data breaches and potential privacy violations on the social media network.

“Twitter or Facebook are not alone in harvesting and storing user data. This is a widespread industry practice that relies on profiling. Such breaches and malpractices will continue to occur till we have a set of defined norms and enforceable penalties to protect user rights,” Gupta further added.

Only 335 users in India installed the thisisyourdigitallife app developed by academic Kogan and his company Global Science Research that may have been possibly at the centre of the data breaches, according to Facebook. The 335 people make up just 0.1% of the app’s total worldwide installs. Users agreed to take a personality test and have their data collected by the app, which then went on to also access information about the test-takers’ Facebook friends, leading to the accumulation of a much larger data pool.

Twitter Inc’s spokesperson said in an e-mail that an internal review conducted by it showed GSR had not accessed any private data.

“Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public Tweets are viewable and searchable by anyone. In 2015, Global Science Research (GSR) did have one-time API access to a random sample of public Tweets from a five-month period from December 2014 to April 2015,” the company statement added.

This is basically information that users chose to make public.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-april-30-2018-prasun-sonwalkar-vidhi-choudhury-now-twitter-too-caught-up-in-cambridge-analytica-controversy

April 2018 Newsletter

praskrishna — 2018-05-20T14:57:47Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018. CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability. A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India. CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Highlights

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018.
CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views.

A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability.

A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India.
CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Articles:

Digital Native: Delete Facebook? (Nishant Shah; Indian Express; April 8, 2018).

Digital Native: The e-wasteland of our times (Nishant Shah; Indian Express; April 22, 2018).
What’s up with WhatsApp? (Aayush Rathi and Sunil Abraham; Asia Times; April 23, 2018).

CIS in the News:

Cambridge Analytica row: Facebook data breach hit 560K Indian users (Vidhi Choudhury and Yashwant Raj; Hindustan Times; April 5, 2018).
Govt websites face major outage; hacking ruled out (Hindu Businessline; April 6, 2018).
After data leak row, Facebook imposes restrictions on user data access (Romita Majumdar and Kiran Rathee; Business Standard; April 6, 2018).
It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How (CNN-News 18; April 7, 2018).
It feeds on you! (Anita Babu; The Week; April 8, 2018).
Pension won’t be denied for want of Aadhaar, says EPFO (Prashant K. Nanda and Komal Gupta; Livemint; April 11, 2018).
Facebook’s fake news clean-up hits language barrier (Nilesh Christopher; Economic Times; April 13, 2018).
Is This The Beginning Of The End For Facebook? (Bloomberg Quint; April 15, 2018).
Metrolife: Brutality porn has sadly many takers in India (Nina C. George; Deccan Herald; April 18, 2018).
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online (New Indian Express; April 27, 2018).
You Are Not the Only One: India stares at a loneliness epidemic (Asad Ali and Tabassum Barnagarwala; Indian Express; April 29, 2018).
Now, Twitter too caught up in Cambridge Analytica controversy (Prasun Sonwalkar and Vidhi Choudhury; Hindustan Times; April 30, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Submission

CIS' Submission on Statement of Working of Patents (Anubha Sinha; April 10, 2018).

►Wikipedia

Event Organized

Sambad Health and Women Edit-a-thon (April 15, 2018).

Blog Entries

Telugu Wikisource Feature Book in Pustakam.net (Pavan Santhosh; April 17, 2018).
Institutional Partnership with Tribal Research & Training Institute (Subodh Kulkarni; April 18, 2018).
Exploring Wikimedia platforms in Dialogue on the Urban Rivers of Maharashtra (Subodh Kulkarni; April 22, 2018).

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Submission

Comments on the Draft Digital Information Security in Healthcare Act (Amber Sinha and Shweta Mohandas; April 22, 2018).

Analysis

Revenge Porn Laws across the World (Shradha Nigam; April 25, 2018).

Blog Entries

Government gives free publicity worth 40k to Twitter and Facebook (Akriti Bopanna; April 10, 2018).

Artificial Intelligence in Governance: A Report of the Roundtable held in New Delhi (Saman Goudarzi and Natallia Khaniejo; April 19, 2018).

►Free Speech and Expression

Blog Entries

A look at two problematic provisions of the draft Anti-trafficking bill (Swaraj Paul Barooah; April 21, 2018).

DIDP Request #29 - Revenue breakdown by source for FY 2017 (Akriti Bopanna; April 26, 2018).

►Cyber Security

Event Organized

Workshop on Python (April 14, 2018; CIS, Bengaluru).

-----------------------------------
Researchers at Work
-----------------------------------

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

Making Humanities in the Digital: Embodiment and Framing in Bichitra and Indiancine.ma (P.P. Sneha; Making Things and Drawing Boundaries: Experiments in the Digital Humanities (2017), edited by Jentery Sayers, University of Minnesota Press, Minneapolis, London April 1, 2018).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2018-newsletter

You Are Not the Only One: India stares at a loneliness epidemic

Admin — 2018-04-29T16:15:42Z

“To anyone looking at me from the outside, I seem like a fairly successful woman. I have a good job with great pay. I am in a relationship and have a bunch of close friends. I couldn’t figure out why I felt so angry or so lonely all the time.

The article by Asad Ali and Tabassum Barnagarwala was published in the Indian Express on April 29, 2018.

Most people will presume that throwing a bunch of hangers on the bed is a harmless act of venting. Akanksha Joshi knew it was the tipping point for her. Her mood swings had become more mercurial and she had been lashing out at people close to her or simply shutting herself in her room, watching Netflix for hours. But that day was different. “I had opened my cupboard and a hanger fell out. I don’t know what happened to me, but I suddenly picked up all the hangers and threw them on the bed in rage. The impulse lasted for 30 to 40 seconds, but it left me shaken. I had changed my job recently. It was a good one with great pay. It was what I wanted. I was in a relationship, had a bunch of close friends. I couldn’t figure out why I felt so angry or so lonely,” says Joshi, 32, who had moved to Mumbai from Dehradun in 2008 to look after her ageing grandparents and to work with a business process outsourcing firm.

The first inkling of trouble had come when her three-year-old marriage ended in divorce in 2013. Joshi underwent counselling for nearly two years, and, slowly, life seemed to get back on track. She entered into a new relationship, moved up the job ladder, formed new friendships. But the anger and the loneliness wouldn’t go. “To anyone looking at me from the outside, I seem like a fairly successful woman,” she says. But it has come at a cost.

In 2004, the National Sample Survey Office reported that 4.91 million people in India were living alone and suffered from loneliness. More recently, the National Mental Health Survey of India (2015-16) reported that high suicidal risk is an increasing concern in India; that children and adolescents are vulnerable to mental disorders; and, mental disorders, including depression and anxiety, affect nearly 10 per cent of the population. In 2016, the Centre for the Study of Developing Societies in partnership with Konrad Adenauer Stiftung conducted a survey of the attitudes, anxieties and aspirations of India’s young population (aged 15-34 years). The findings, released in April 2017, revealed that 12 per cent of the youth reported feeling depressed often, and 8 per cent said they felt lonely quite frequently.

“Youngsters who move from tier-II and III cities to metropolises find a sudden change in lifestyle. Even if you have friends, it is difficult to meet them in a city like Mumbai. Having a social life does not mean they have good social support,” says Dr Vishal Sawant, who is currently treating Joshi. When she first approached Dr Sawant, Joshi had great reservations. “Opening up to treatment makes you feel vulnerable. I am at a senior marketing position. To talk about mental health issues is also to put myself out in the open at this point in my career. But I knew I needed intervention,” she says. Now, after six months, she says her reactions to situations are more even.

In January this year, British Prime Minister Theresa May announced a minister for loneliness to address the condition that afflicts 14 per cent of UK’s population. In Japan, it has been an affliction that has affected generations. In India, though, conversations around mental health are only getting started. Apart from a lack of information and widespread social stigma, the cost of treatment also remains prohibitively expensive. Each session, depending on the therapist, may cost between Rs 2,000 and Rs 7,000. Besides the cost of medication, therapy and consultations, there is also the possibility of reduced work efficiency. In addition to these, despite multiple reports and surveys indicating that there might be a serious health problem at hand, the conversation around loneliness doesn’t go beyond conventional markers, such as the isolation of the elderly. But loneliness can be an equally debilitating experience for other demographies, including the youth. A 2010 research in the Indian Journal of Psychiatry finds that women suffer more from depression than men. The National Mental Health Survey (2015-16) in 12 states of India covering 39,532 people found that one in 20 people suffers from depression. “Depression was reported to be higher in females, in the age-group of 40-49 years and among those residing in urban metros,” the report observes.

In India, psychologists say, conversations around loneliness need to expand in scope and look at the condition born out of conflicts in gender identity, class, or isolation even within the framework of a family or a relationship. When 18-year-old Harshit Patel (name changed), a resident of south Mumbai’s plush Charni Road, visited psychiatrist Dr Sagar Mundada at his Fort clinic last November, he already had suicidal thoughts. He lived in a joint family of 10 in a well-to-do Gujarati household. He had just joined engineering college and was struggling to find his feet. Patel had tried discussing his feelings with his parents, but they had brushed it off as adolescent mood swings. They also refused to entertain thoughts of therapy when a tutor brought it up. Patel had called Mundada on his own, seeking help. The doctor advised him to call whenever he felt suicidal. Within 10 days, a call came: “Nobody notices me at home. What is the point of living?” Patel was contemplating throwing himself in front of a train, he said. Mundada immediately called him to his clinic and got in touch with his parents.

The road to therapy has been littered with obstacles for Patel. His parents are still not entirely convinced about therapy and refuse to attend sessions at the clinic. Instead, they meet at a McDonald’s outlet near the clinic.

Even as a 10-year-old child with a physically abusive father, Dharmesh Mekala knew — through all the loneliness and trauma that he hadn’t yet developed a vocabulary to articulate — that he had to escape. He wrote the entrance test for Navodaya Vidyalaya in Nalgonda, Telengana. “I just knew that I had to leave home somehow,” says Mekala, 29, a freelance artist, now based in Delhi. The arc of his loneliness had started developing early in his childhood — the beatings he received; the bouts of sadness that enveloped him; the isolation he felt from his family; and, finally, the suicidal thoughts that he had all the time.

Mekala made it to boarding school, but the reprieve that he had sought did not come to pass. His sense of isolation grew more acute when Mekala started discovering his sexuality, much later, he says, than his friends. By the time Mekala reached college he knew he was homosexual, but could not bring himself to admit it. “Being homosexual in a hetero world is a lonely life in any case, but when I first came to Delhi in 2010 — a dusky South Indian man with an accent, not well read or fluent in English, with far too little money — I felt adrift,” he says.

Dr Neetu Rana, psychologist at the Vidya Sagar Institute of Mental Health and Neurosciences, Delhi, says, people like Mekala are more prone to mental health issues. “When we can’t find our social anchor we feel lonely. It could be a result of bullying, isolation and being ostracised, but it could also reflect changes in the family structures due to urbanisation and a shift towards an individualistic society,” she says.

More recently, the National Mental Health Survey of India (2015-16) reported that high suicidal risk is an increasing concern in India; that children and adolescents are vulnerable to mental disorders.

The UK-based National Society for the Prevention and Cruelty to Children (NSPCC) released data in 2017 on the number of calls received by its helpline to deal with loneliness. In 2016-17, the helpline counselled 4,063 children on loneliness, 73 per cent of whom were girls. Parul Tank, a psychiatrist who counsels students studying in a foreign country, says, many Indian students who venture abroad for higher studies, come to her with complaints of loneliness and depression. “In the US or UK, students have no structured classes. They lead an isolated life, the only idea of socialisation is to go out in cafes or pubs. Many do not know how to deal with this lifestyle,” she says.

Sahil, 45, a media professional, remembers how things started spiralling out of control for him when he went to London for a post-graduate degree. He had lived in Mumbai all his life and found London disconcerting. Soon, he wanted to “remain in my room all day” or spent time in the college library “figuring out a way to kill myself”. A friend took him to the university psychiatrist but the drugs he was prescribed didn’t help. By the time he came to Delhi in the mid-’90s for a job, he could barely hold it together; he had also become addicted to drugs and alcohol. “You feel lonely, and then you drink, and you feel even more lonely,” he says. Around this time, he got married. The thoughts of suicide receded somewhat, only to be replaced by an insatiable appetite for sex. “You don’t talk about things like loneliness when you are married. My wife and I never discussed my sex addiction either, though she was aware of it,” says Sahil, who is undergoing therapy at Sex Addicts Anonymous.

According to the Economic Survey 2016-17, the inter-state migration of workers in India has increased to 9 million annually during 2011-16 compared to previous years. A large section of these people leave their families behind in search of better prospects. In the hierarchy of visible discourse on loneliness, perhaps the migrant worker is the most affected, says Surinder Jodhka, professor of sociology at Jawaharlal Nehru University, Delhi. “The family structure is non-existent in the urban cities, and even in rural societies, there has been a disintegration. So, their feeling of loneliness is more pronounced.”

When his father died, Manik left his hometown in West Bengal’s Malda district for Delhi, more than 10 years ago. He was about 20 years old then. A distant uncle of his, a driver with a private company in the city, had promised to set him up with a job. But when Manik showed up, the uncle looked “surprised that I had actually come and grew distant.” Desperate, Manik began taking up odd jobs to survive. “I didn’t have friends and didn’t speak Hindi. The only person I knew refused to acknowledge me. I felt lonely and lost,” says Manik. He found a job as a cook/peon at a small company, but the pay was minimal and Manik says he spent it on “cheap alcohol and women”. “Otherwise, I’d be crying in my room all the time. I used to keep the radio on, not to feel less lonely but to not hear myself cry. I was so ashamed of my feebleness,” says Manik. He still can’t bear to be in a room without the radio on, but he doesn’t believe that his condition merits medical attention. In any case, it is a luxury he can’t afford. “It’s a personal battle, which only you can fight, no?” he asks.

A first-of-its-kind study conducted by Brihanmumbai Municipal Corporation, between October 2015 till September 2017 analysing patients in its major hospitals — KEM, Sion, Nair and RN Cooper — found that 31 per cent patients visiting these hospitals suffered from mental disorders. At least 1,70,000 patients attended these four major hospitals for psychiatric aid. Depression formed the second-most common mental disorder in out-patient departments forming 20 per cent of the total chunk. All of them came from a low income group. “We realised that there is a need to have more treatment facilities in primary healthcare centres for mental health. Rates of depression are high even in urban poor, and diagnosis shouldn’t be delayed until they reach a tertiary centre,” says dean of KEM hospital, Dr Avinash Supe. “For poor people, it is unemployment, frustrated political environment that affects their livelihood, that leads to depression. Take for instance, the farmers who are committing suicide. They feel isolated in the agrarian and financial distress, they have no one to seek aid from,” says Dr Vinayak Kale, head of psychiatry department in JJ Group of Hospitals, Mumbai. For affluent sections, he says, it’s the opposite. Steady career growth is not enough. The stress to win the corporate race often leads to loneliness.

One of the biggest contributors to loneliness, say psychologists and social scientists is our increasing reliance on technology. “One may have hundreds of friends on social media, but communication on that platform is virtual. Our culture is not individualised and we still need physical proximity. Social media has widened the gap of physical interaction,” says Dr Shubhangi Parkar, head of psychiatry at KEM hospital.

Nishant Shah, co-founder of The Centre for Internet and Society, Bengaluru, points out how “technologies have transformed what we understand as sociality, friendship and intimacy”. He says that young people — constant consumers of social media like Snapchat and WhatsApp — are “being told that they are always connected. Which means that they can, by definition, not feel lonely”. Yet, especially within the Indian context, says Shah, the pace of life and the rapid transformation of societies means that we no longer pay attention to the emotional needs of belonging, which actually alleviate loneliness. “We have replaced belonging with connectivity and this is going to have dire consequences in how we reshape our cities and lives,” he says.

Rachna Saxena (name changed), 31, agrees. Saxena migrated to Mumbai from a small town in Uttar Pradesh 14 years ago. “It was a big shift from the protective environment of home,” she says. She moulded herself to the demands of her new life once she joined the creative team in a multinational FMCG firm. She had been dating a Christian boy, but, at 28, when she finally broached the topic of marriage, the boy dithered on grounds of religious differences. The relationship crumbled, but something shifted inside her. “On Facebook, I’d look at photographs of my friends on their honeymoon. Everyone looked so happy, I felt depressed. I really wanted to get married, have a stable relationship. But that was just one part of my problems. I was a star performer at work, my social media feed showcased my ‘happening’ life, but no one could sense the immense pressure to live up to it,” she says.

Last year, a colleague she was close to died of a sudden heart attack at the age of 36. She saw his family squabble over property and his pregnant widow shunted out. “Another very close friend of mine, with whom I would share my distress, committed suicide. One fine day, he just shot himself,” says Saxena. She stopped meeting friends or inviting people over. In February this year, Saxena fell unconscious in her office. She had been sleeping fitfully and now had constant headaches. During her medical leave, she went home. “I ate and slept well, and, after a long time, felt happy. My parents are super supportive. But when I returned to Mumbai, it all came back. I realised I live two lives and I just couldn’t handle the stress of it,” she says. She started undergoing counselling sessions, and, a month ago, she deactivated her WhatsApp and Facebook accounts, choosing to travel and forge real friendships instead. “Now that I observe things more closely, I see that a lot of people around me are lonely even if they don’t look it. It can happen to anyone, you know,” she says.

For more details visit https://cis-india.org/internet-governance/news/indian-express-asad-ali-tabassum-barnagarwala-april-29-2018-you-are-not-the-only-one-india-stares-at-a-loneliness-epidemic

Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online

Admin — 2018-05-05T08:43:53Z

Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.

The article was published in New Indian Express on April 27, 2018.

Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers availalbe on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.

Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.

It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."

Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online

DIDP Request #29 - Revenue breakdown by source for FY 2017

akriti — 2018-04-26T11:06:16Z

We requested ICANN for financial information they have not yet provided for the period ending June 2017.

ICANN publication of its financial records for 2017 were missing a crucial document which lists down their revenue as per the all the legal entities as sources who contributed to it including Regional Internet Registries, various registrars and their source of origin among other details. We have requested them for this document in order to get a better idea of the how these entities contribute to ICANN.

In response to our DIDP, ICANN notified us that they are in the process of compiling this report for the year ending June 2017 and will publish the same by 31st of May, 2018. Further they remarked that this procedure of making public their revenue by source was developed as part of ICANN’s enhancements to transparency in response to CIS’s earlier DIDP which was submitted in 2015.

The said report will be published on their Financial page within the time frame mentioned.

For more details visit https://cis-india.org/internet-governance/blog/didp-request-29-revenue-breakdown-by-source-for-fy-2017

PAI WG Labor and Economy Meeting

Admin — 2018-05-05T09:35:07Z

Elonnai Hickok co-chaired the first PAI Labor and Economy WG in NYC on April 25, 2018.

Agenda

For more details visit https://cis-india.org/internet-governance/news/pai-wg-labor-and-economy-meeting