We are anonymous, we are legion

Your mobile apps have the permission to spy on you

Admin — 2018-04-03T15:48:47Z

The top applications on the Android Play store in India seek permission like access to your camera, microphone, modify contacts and download files without notifications depending on the use of the app.

The article was published in the Economic Times on March 30, 2018. Pranesh Prakash was quoted.

“What we need is, not just knowing what permissions are being sought, but why they need such permissions,” said Pranesh Prakash, policy director of the Centre for Internet and Society.

Companies such as TrueCaller say that app developers should only be permitted to collect data that they can demonstrate as proportionate and “necessary for the stated purpose of their service”.

An Uber spokesperson said they provide users with an option to turn off certain permissions like location and phone contacts within the privacy settings on app along with explanations on what data they collect and the reason behind it. Others declined comment.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-30-2018-your-mobile-apps-have-the-permission-to-spy-on-you

If data is the new oil, how much does an Indian citizen lose?

Admin — 2018-04-03T15:42:31Z

Surveillance capitalism is the business model of the Internet, so what exactly are we talking about here?

The article by Saurya Sengupta was published in the Hindu on March 31, 2018. Sunil Abraham was quoted.

“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” That was the former executive chairman of Google, Eric Schmidt, trying to convince users that the tech giants did care about their privacy, ironically enough. But that was in 2010.

Fast forward eight years, and a lot has changed. The world has been rattled by revelations that the personally identifiable data of about 50 million Facebook users was breached by an analytics firm. Since then, the skeletons haven’t stopped tumbling out, with the news that the NaMo app asks for as many as 22 permissions from users, and that the official Congress app, since deleted, was vulnerable to data breach.

Bruce Schneier, an American security technologist and fellow at Harvard University’s Berkman Klein Center for Internet & Society, in his book Data and Goliath, says: “Google knows what kind of porn each of us searches for, which old lovers we still think about, our shames, our concerns, and our secrets.”

So, what does any of this mean for us, the lay users?

It may be helpful to start by asking what this ‘data’ is. “Whenever you use any service on your phone or browser, you end up giving a lot more information than you consciously recall. This includes not just the content of your interactions, but also metadata and so on,” says Nayantara Ranganathan, manager of the Internet Democracy Project’s Freedom of Expression programme. Metadata is, simply put, data about your data. So, for example, your location information, what time you were home, how many times you made calls to a certain number, and so on.

“This is known as behavioural data,” says Sunil Abraham, executive director of The Centre for Internet & Society, “which includes how fast or slow you scrolled, how long you stayed on a page, how many times you went to a particular part of a website, and so on.”

Bhajan or you?

This is not just data gathered by the large Facebook and Gmail apps, but also by a lot of the smaller ones. An app that plays bhajans, for example, may mine your data and share it. And what do the third parties do with this? Well, the idea is to simply embed you further in a consumerist panopticon.

To FB or not to be

As #DeleteFacebook gets louder, users agonise about leaving Facebook on Facebook, irony be damned
Truth is, quitting FB won't help. Because it's also about Google Photos and Maps and Candy Crush and Which Disney Villain Are You
In the absence of laws, you've no control of what apps can do with your data. Even after you've 'deleted' it
Facebook doesn't take responsibility for data collected by apps, and refers users to app developers instead
Quitting FB and other apps might be a privilege and not an option for most

“Surveillance capitalism is the business model of the Internet, and all social media apps make their money collecting data on users and monetising that,” says Schneier.

“Lots of apps have no revenue generation. Their only benefit is data,” says Manan Shah, founder and CEO of Avalance Global Solutions, a cyber security firm. In fact, he says, apps like WhatsApp are the obvious suspects while the smaller ones, like the bhajan one, slip under the radar.

All of it is part of ‘lead generation’ — the process of identifying potential customers for a service or business. “A call-centre is useless without data,” Shah says. “If I want to sell you an antivirus, for instance, a company will identify filters — who owns a computer, who has already purchased an antivirus, and so on. I can then target that user. This filtered data is often your full name, bank details, data about your debit and credit cards. Abraham says there is another fairly obvious purpose for all this data collection – to get you to spend as much time on the said platform as possible.

This explains why, for example, when you Google something, the suggested searches are often tailored in an eerie manner. If you search for a word, the second search suggestion will offer to get that word translated into the local language. So if you’re in Chennai, Tamil, or into Marathi if you’re in Mumbai.

This a product of profiling your location data as well as behavioural data. “Imagine the kind of insights your location information over the course of a month can expose: your residence, where you spend your mornings, your route to work, your loved one’s residence, and more,” says Ranganathan.

“Users are often not aware that they’ve given their consent to sharing this data,” says Nikhil Pahwa, digital rights activist. “The terms and conditions of every app are so complicated and voluminous that often you have no way of knowing what something is being used for and what you’ve given your permission to. That’s a failure of the kind of consent we have today,” he says. If an app developer, quips Pahwa, puts in a condition saying the user will name their first child after the app, the user is more than likely to click on ‘I agree’.

While the failure to make consent transparent is illegal, data collection in itself is a grey area. And what constitutes ‘misuse’ of data is murky because of the lack of regulations and clear outlines. “What if a salon has your phone number and sends an SMS saying your haircut is due,” asks S. Anand, CEO of data science firm Gramener. “Would you consider that misuse?”

It gets more ominous.

We’ll use it some day

At present, India has no law to stop apps from sharing your data with data brokers or data analytics firms. “The tendency has been to collect as much data as you can, even if it isn't relevant to your business today, because it might be some day or, better still, it might be valuable to others,” says Amba Kak, a Mozilla technology policy fellow. “This is why we need a law to say — collect what you need, not what you want.”

As an Indian citizen, your data today is breached, misused or sold, there is little you can do about it. “At most, users can be more vigilant about the apps they download, what permissions they give, and evaluate whether there are better alternatives,” says Ranganathan.

“One can approach a court and seek redress under the IT Act,” says Abraham, “but only if you have suffered a loss of property or money. If your data has been breached or leaked, and you haven’t suffered a monetary or property loss, there’s nothing you can do.”

The Justice Srikrishna committee, set up in July, is right now working on a draft data protection bill. The committee published a white paper last November, and a final report is expected by end of May. “The white paper itself looks fantastic,” Abraham tells me.

An ideal data protection law, says Kak, “will reflect the Supreme Court’s recent decision that all interference with the right to privacy must be necessary and proportionate.”

If data sharing is inevitable in the digital age, then it could be made illegal, for instance, to share data that can identify individuals. Anand says, “This could be done by replacing all names with a new random name or by aggregating total purchases by store and product rather than by individual purchase.”

So in an era where we have been casually asked to accept that ‘data is the new oil’, who is the biggest loser? “Framing 'data' as the new oil is dangerous,” says Ranganathan. Kak agrees: “This is a tired analogy that doesn't seem to get us anywhere except to recognise that data is a source of profit for the private sector.” She would rather go with Turkish sociologist Zeynep Tufekci’s definition where we think of data privacy like clean air or safe drinking water. “It is a public good that we need to safeguard as a collective through laws that make controllers of data accountable,” says Kak.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose

Parties seek social media influencers to go viral

Admin — 2018-04-03T15:30:30Z

It was 2015. Rahul Gandhi, Congress vice president then, met Mount Carmel College students in Bengaluru. Soon after the interaction, there were media reports on how Gandhi was stumped by the questions.

The article by Ipsita Basu was published in the Economic Times on March 31, 2018. Sunil Abraham was quoted.

While everybody was debating what really transpired in the auditorium, a 20-something Elixir Nahar wrote an open letter to Gandhi which said: ‘Thanks for stopping by, Rahul Gandhi. You were inspiring’.

It was the letter’s outspokenness and stating of facts that caught the imagination of everyone, especially on social media. The blog post went viral and was shared widely across digital platforms. In 2017, Nahar became part of the Congress social media cell when the party wanted to increase the party’s digital outreach.

Digital-savvy influencers are now an essential part of social media teams of political parties, which know that a viral tweet or a post can mean immense visibility. Knowing that traditional means like door-todoor campaigning and rallies have limited reach towards millennials, parties are making sure that the right messaging is sent out through such influencers, who usually have a large following on platforms like Twitter, Facebook and even Instagram.

According to Sunil Abraham, executive director, the Centre for Internet and Society, a Bengalurubased organisation looking at multidisciplinary research and advocacy works in internet and society, “Internet communication is becoming more and more sophisticated. Social media is not impressed by just ghost accounts and mass propagation. Influencers come with their own brand and credibility and this constitutes into more articulate and targeted communication, which is an engaging way to speak to a constituency."

Shilpa Ganesh, star wife and state vice president of BJP Mahila Morcha, is an intrinsic part of the party’s social media outreach. With 56,000 followers on Twitter and close to 2,00,000 on Facebook, she makes for a formidable influencer. “Most of my posts get a huge traction. I spend about 15-18 hours on various social media platforms to track news and restrict issue-related posts to at least twice a day,” she says.

Working on such social media teams is a draw for young corporates, IT professionals and college students who want to experience the power of digital media. Kamran Shahid, 28, a simulation engineer with a German car company, has taken a break, to work for the Aam Aadmi Party. Shahid, who now oversees the party’s state social media, was chosen for his knack with words and digital content.

Influencers are picked depending on their online popularity, proficiency to articulate on the Internet and the number of followers across platforms. The identities of those working in the background are kept under wraps. Review meetings are held every week to discuss the next strategy. Actor and former Mandya MP Divya Spandana, the chief of social media and digital communications of the Congress, has put together a mid-size team for digital outreach. “We’ve chosen people from diverse backgrounds who share our ideology. Each one brings a specific skill set to our team,” says Spandana, who is on the phone 24x7 tracking social media developments.

For more details visit https://cis-india.org/internet-governance/news/economic-times-ipsita-basu-march-31-2018-parties-seek-social-media-influencers-to-go-viral

The Narendra Modi app: The secret weapon in BJP’s elections arsenal

Admin — 2018-03-29T16:28:28Z

Narendra Modi app, BJP's secret weapon.

The article by Jayadevan PK and Pankaj Mishra was published by Factor Daily on March 29, 2018. Pranesh Prakash was quoted.

Story Highlights

Why is Rahul Gandhi beating the drums about the Narendra Modi app? Because he knows that the app – with over 10 million users already – will be crucial decider of a BJP victory or failure in the general elections.
The Narendra Modi app’s mission is two fold — mobilize and integrate some 100 million BJP members and use the app to deliver targeted messaging to voters. Party president Amit Shah has a target that each district should have 100,000 downloads.
In the coming general elections, there will be more than 180 million first-time voters – people who are relatively easy to target on social media. Of the 241 million Facebook users in India, about 54 million are between the age of 18 and 23 years.

Congress president Rahul Gandhi earlier this week got panned for his criticism of the Narendra Modi app. The app, Gandhi had said on Twitter, was leaking user data and added that Prime Minister Narendra Modi was “the Big Boss who likes to spy on Indians”. Much of what the Congress leaders said was hyperbole common at the hustings.

But as it turns out, Gandhi has good reason to beat the drums wildly: the Narendra Modi app is going to be, by all accounts, the Bharatiya Janata Party’s arrowhead as India pads up for its biggest general elections next year. The app is going to be the fulcrum of the BJP’s tech outreach and social media strategy in the months ahead of the elections, which may be held earlier than the scheduled early 2019 going by the buzz in political circles in capital New Delhi.

The usage of the state apparatus to promote an app owned by Modi personally and the way it plans to use data of its users is drawing criticism from political rivals and privacy activists. Critics have pointed out that the app asks for too many permissions, is less than ideally secure, and is run by the BJP while being positioned as the official application of the prime minister of India. These questions are now taking a serious tone after the Facebook-Cambridge Analytica scandal.

“Overall, Facebook’s fallout means even more focus and reliance on the Narendra Modi app by the BJP,” said a person familiar with BJP’s social and digital plans, adding the Facebook and WhatsApp platforms will be in the background and continue to be valuable. This person asked to remain anonymous.

By “Facebook’s fallout”, he is referring to the aftermath of the scandal that implicated political consulting firm Cambridge Analytica of misusing Facebook data of millions of users without consent. Questions are also being raised in the UK and US about the involvement of Russian actors using Facebook, Google and Twitter to influence key global events such as Britain’s exit from the European Union and the US presidential elections in 2016.

After a sting by British broadcaster Channel4 showed Cambridge Analytica used dubious means to influence elections, both the Congress party and the BJP have accused each other of using the services of the analytics company.

To be sure, it will be difficult for anyone to ignore Facebook and WhatsApp for the sheer reach they offer – Facebook has over 240 million users in India and WhatsApp has a similar number of users in India. But growing the Narendra Modi app’s user base will mean a channel that won’t need to be constantly paid for and in the BJP’s direct control with all the granular data and reach that such a platform can offer.

India has the largest number of Facebook users in the world.

“The game plan is to make Narendra Modi app the killer platform for the next elections and beyond,” said the person aware of the BJP’s plan. With estimated downloads of over 10 million already, the Narendra Modi app’s mission is two-fold — mobilize and integrate some 100 million BJP members across the party’s operations and use the app to deliver targeted messaging to existing and potential voters.

To that end, Prime Minister Modi himself and the BJP have been driving app downloads in ways that will put seasoned growth hackers to shame. For instance, Modi’s new book Exam Warriors. Readers can scan QR codes in the book and post responses to the Narendra Modi app. The target: more young users for the app who will soon vote for the first time. A student taking the 12th board exams this year is likely 18 years old, come the 2019 elections.

As has been pointed out, targeting first-time voters in a country where 41% of the population is younger than 20 years is a no-brainer. Political scientist Oliver Heath posited in 2015 that the BJP’s 2014 victory came about more thanks to first-time voters rather the votes it weaned away from rival parties. There were 136 million new voters in 2014. This time there will be more than 180 million first-timers – people who are relatively easy to target on social media. Of the 241 million Facebook users in India, about 54 million are between the age of 18 and 23 years.

The BJP also has plans to co-opt educational institutions to distribute the book, said another source. The book, released in February 2018 is being translated into various languages starting with Hindi and Marathi. The BJP state government in Maharashtra is procuring nearly 150,000 books on Modi but it hasn’t said yet it would be Exam Warriors that it would buy and distribute to state schools.

The number of times Prime Minister Narendra Modi has plugged the app in his Mann Ki Baat speeches.

The prime minister also channels users to the app in his speeches and on his social media channels. A typical plug in his monthly Mann Ki Baat speech would call out a comment received on the app or ask “fellow countrymen” to share a photo or views on an issue on the app. Since October 2014, Modi has made 41 Mann Ki Baat speeches and he has mentioned the Narendra Modi app over 50 times, an analysis of his speeches shows (See graph).

Besides launching modules that enable the prime minister to talk to his council of ministers or run surveys and bundling the app with new phones to drive users, the BJP has also from time to time driven some hard app download targets to its rank and file. In September 2016, for instance, the Gujarat party chief said it will ensure at least 7 lakh downloads of the app as a birthday gift to Modi. BJP President Amit Shah wants nearly 50 million downloads for the app and has directed state officials to drive nearly 100,000 app installations in each district. “Do not take this as an information (or suggestion). Accountability will be ensured and it is the responsibility of each district unit to ensure downloading of one lakh of Narendra Modi App,” Shah reportedly said at the party’s national executive meeting in March 2016.

The app is already in play at the Karnataka elections scheduled for April. “As of now, the app has national content. Going forward we will be pumping lot of content related to Karnataka in Kannada. It will include voice, non-voice and lot of messages. He (Modi) will also be sharing through the app for Kannadigas,” says Amresh K, BJP Information Technology Cell State Convener.

“We will also be doing a Narendra Modi campaign to drive downloads,” said Amresh, who is helping create manifestos for 224 constituencies in Karnataka. “Earlier it used to be one state-level manifesto. This time we have it for 224 constituencies. We’re also engaging with 500-1000 influencers in these constituencies and about 100 sectors to compile their inputs,” he said. The 2013 manifesto of the BJP, a 40-page document, led with the development agenda focussed on specific sectors but also promised freebies such as 25-kilogram free rice to the poor and free laptop to high school goers.

Modi’s popularity as a leader in central to the app. “More than BJP today, Modi as a brand has become extremely strong. There’s a lot of mud sticking to political leaders but in comparison, he seems to be coming through as spotless,” says brand strategist and author M G Parameswaran, who helped create some of the biggest brands such as Santoor and Wipro. To appeal to the young voter, it’s important for Modi to stick to the “development narrative and not get derailed by the Hindutva narrative,” he adds.

So how does the app really help the BJP? The answer to this question really lies in the BJP’s earlier campaigns and the party’s learnings. FactorDaily interviewed people closely associated with BJP’s 2014 campaign to find out.

The ‘Golden Triple’

India could go to polls as early as the end of this year, as is being speculated by the political chatterati, or early next year. Nearly one billion Indians eligible to vote this time around (814 million in 2014) will decide the fate of 543 seats to which representatives are elected. As Rajesh Jain, a former advisor to the BJP campaign points out on his blog, “using data and analytics to identify supporters and then getting them out to vote on election day will be instrumental in determining the eventual winner”. He estimates that nearly 670 million people in India, comprising 330 million who don’t vote and 340 million who aren’t likely to support a mainstream party (or are undecided), are up for grabs.

Importantly, the dynamics at the hustings have changed. “Unlike 2015, this isn’t an election with a wave (the Narendra Modi wave). This isn’t a Facebook or a WhatsApp election in that sense. This is going to be about micro-targeting and use of Narendra Modi app. If BJP wins 2019, the app will become even more all-pervasive and a way to be free from platforms like WhatsApp and Facebook,” said the source familiar with the BJP’s plans quoted above.

Micro-targeting is the practice of crafting messages and advertising to small user cohorts. For this to work, the advertiser, will need to understand its target audience deeply and accurately. Having data from various sources, including the Modi app, will help target the electorate better.

The golden triple is a combination of booth level information, contact details and political leaning of a voter.

The lynchpin of the data strategy of the BJP is what number crunchers call the “Golden Triple”, which has three pieces to it: the details of the booth at which someone votes, the contact phone number and the political leaning of the voter. Voter details are public information in India. Collating that accurately with contact phone numbers is difficult but doable (and likely has already been done by political parties including the BJP).

The BJP, through its missed call-based membership drive back in November 2014, had amassed nearly 100 million registered members. At the time, the BJP had collected voter ID details of members as well. In other words, the party already has over 100 million ‘golden triples’. “If you have 10 crore golden triples, your target audience is sorted,” said the source who knows of BJP’s plans.

“There are four things on which the battles are won and lost—identifying those who already are your supporters, voter registration, pursue them, and finally ensuring that they turn out on the day when it all matters the most,” says the person. The Narendra Modi app becomes a tool to mobilize party workers and getting them to execute the game plan. It also doubles up as a channel to send targeted messages based on the data it has captured already.

Having data of its supporters in a constituency can help parties craft targeted messages and zone in on the audience better using social media platforms, says Ankit Lal, the author of India Social: How social media is leading the charge and changing the countryand a social media strategist for the Aam Aadmi Party (AAP). For instance, Facebook allows you to build a custom audience by uploading a list of email addresses or phone numbers.

The election commission’s Form 20 gives polling booth level data on which candidate got how many votes. “Now, this combined with more specific data sets, can make it far more impactful,” says the person quoted above. For instance, if the numbers aren’t looking good in a certain region, the Narendra Modi app can be used to mobilise party workers to campaign harder in those areas.

In 2014, the BJP used a market research and analytics agency Penn Schoen Berland (PSB) to firm up the key planks on which it would fight elections. The party built its campaign around issues of corruption, security of women, and inflation based on the firm’s inputs. For sure, there will be voter surveys done by the BJP (as also other parties) this time, too, but with the Narendra Modi app and its growing install base, the party’s understanding of local, district-level issues – even booth-level inputs – get strengthened through internal surveys and other mechanisms.

But, can the sophisticated combination of data analytics, micro-targeting, and bespoke messaging swing an election? The answer depends on how close the electoral fight in different constituencies will turn out to be.

When victory margins are thin, targeted campaigns (especially on social media) can win seats. Case in point: Gujarat assembly elections late last year. As this article points out, the victory margins in 57 out of 182 seats in Gujarat was less than 5% – in other words, just a few thousand votes could swing victory either which way. “The win or loss margin is very small, generally less than 5% of the electorate for a majority of constituencies,” says Lal, the AAP strategist. “For urban areas, it is easy to influence results using social media because the margins are so close.” In Karnataka, more than 30 of the 224 seats in the legislative assembly had wins with a margin of less than 3%.

What about the national elections? Here, too, the narrow wins are make or break in nature. Ninety-two seats were won with a winning margin of less than 5% in the 2014 elections. This despite the Modi wave that saw the BJP end with 282 seats in the Lok Sabha – the first time in 30 years a party won a simple majority in the lower house of Parliament.

In other words, social media has – and will continue to have – a definite sway in Indian electoral outcomes and the Narendra Modi app has its role cut out for itself.

The privacy question

On March 23, a security researcher who goes by the pseudonym Elliot Alderson, revealed that the data collected by Narendra Modi app is being passed on to analytics company Clevertap. The app also takes 22 permissions from the user, including the ability to access the user’s contacts, gallery and microphone. Privacy advocates warn that doing so without explicitly telling the user is a breach of trust. “Be careful when you enter personal data. It is often not needed and this data is often misuse (sic) after that,” Alderson messaged FactorDaily on Twitter in reply to a question. His tweets were what had the Congress Party’s Gandhi kicking up a minor storm accusing the BJP of spying on users. To be sure, it is common practice to integrate analytics and marketing tools like Clevertap into an app (also see: CleverTap’s Commitment to User Consent and Data Privacy).

Thejesh G N, founder of Datameet, a community of data scientists and open data enthusiasts, says that it’s okay for politicians to use websites or apps to string members together or talk to their constituents. But they should follow ground rules such as stating the purpose of data collection clearly, collecting minimum amount of data, sharing information about who is collecting the data, for what purpose and guaranteeing the security of personal data, and also stating how it will share data with third parties and for what purpose. This may have sounded like ideal principles of data use but less so in the aftermath of the Facebook-Cambridge Analytica scandal which has brought into focus the flagrant violation of privacy standards by almost every platform.

“People might be thinking they are giving data to the prime minister… in fact, it’s probably going to a campaign database. It’s important to make that clear.”

In the case of Narendra Modi app, some of these basic rules aren’t followed, points out Thejesh, a privacy activist from Bengaluru. “The app description on Play Store says ‘Official App of Prime Minister of India, Narendra Modi. It brings to you latest information, instant updates & helps you contribute towards various tasks. It provides a unique opportunity to receive messages and emails directly from the Prime Minister.’ But the app is not owned by Government of India and so the statement is misleading,” he says. “People might be thinking they are giving data to the prime minister… in fact, it’s probably going to a campaign database. It’s important to make that clear.”

Lal of AAP minces no words when it comes to the question of ownership of data. “That’s the biggest question. How did a private app end up being used by the prime minister’s office? Either they were conned into it or they know about it. If they did it deliberately, they knowingly stole data which is no smaller than that of Cambridge Analytica. There it was between Cambridge Analytica and Facebook, here it is between citizen and their prime minister,” he says.

“There is a distinction to be drawn between providing one’s own data and providing the data of others that you happen to have.”

In 2015, privacy and tech policy expert Pranesh Prakash helped report a security vulnerability that exposed the data of Narendra Modi app users. “In 2016 again, the same set of security vulnerabilities blew up… this time, more than 5 million people’s personal profiles including their birthdates, phone numbers was available to the public,” Prakash told India Today TV. “There is a distinction to be drawn between providing one’s own data and providing the data of others that you happen to have. For instance, the Narendra Modi app asks for permissions for ‘Contacts’, which allows it to harvest your contacts. Are they using it (as you suggest they would) for the elections? If so, are they upfront about that as one of the purposes for the data collection? And are they collecting your details or details of your contacts as well,” Prakash later told FactorDaily in reply to a question on the use of data from the Narendra Modi app.

The BJP has responded to some of the criticism. Amit Malviya, the BJP IT Cell chief pointed FactorDaily to the party’s statement that said: “Narendra Modi App is a unique App, which unlike most Apps, gives access to users in ‘guest mode’ without even any permission or data. The permissions required are all contextual and cause-specific. Contrary to Rahul (Gandhi)’s lies, fact is that data is being used for only analytics using third-party service, similar to Google Analytics. Analytics on the user data is done for offering users the most contextual content. This ensures that a user gets the best experience by showing content in his language & interests. A person who looks up agri-related info will get agri related content easily. A person from TN will get updates in Tamil and get an update about an important initiative about TN.”

Will the Narendra Modi app prove to be the BJP’s Brahmastra – the mythical destructive weapon from ancient Hindu texts? The contextual content served on the app in the coming months will give the answer. If it is hyperlocal and raises issues at the booth level, you can be sure that the Brahmastra has been deployed.

For more details visit https://cis-india.org/internet-governance/news/factor-daily-jayadevan-pk-and-pankaj-mishra-march-29-2018-narendra-modi-app-bjp-2019-election

Narendra Modi’s personal app sparks India data privacy row

Admin — 2018-03-28T16:17:32Z

PM’s NaMo app sends user data to third party in US, says researcher.

Sunil Abraham was quoted in the article published by Financial Times on March 28, 2018.

“People are outraged that there is a peephole,” says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, a non-profit research organisation. “They are not outraged that anyone has looked into the peephole — because there is no evidence of that yet.”

For Mr Abraham, however, the controversy demonstrates that “Indian political parties have a voracious appetite for political data. If unchecked by law or public outrage, they will continue to hoover up as much data as they can from our devices.”

“Privacy is definitely a political issue,” says Mr. Abraham. “Political parties are reacting not because they will get into trouble under the law. They are reacting because they areafraid their supporters may not like it.”

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-28-2018-narendra-modi-personal-app-sparks-india-data-privacy-row

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts

Admin — 2018-03-27T02:16:55Z

Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.

The article by Mayank Jain was published in Business Standard on March 27, 2018. Pranesh Prakash was quoted.

The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.

Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database.

Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet.The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”.This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.“Publishing this by the state entities is a violation under the Aadhaar Act.

Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society.“Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.”Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks.

He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches.In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making public citizens’ Aadhaar-related information public unless required for certain purposes.

“Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ~10,000 under the Act.A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.

The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek.“So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public.“Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.

Queries sent to the UIDAI were not answered till the time of going to press

For more details visit https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts

Data Breach: How will the biggest scandal that Facebook is mired in affect its credibility in India?

Admin — 2018-03-27T02:09:41Z

Facebook has not been able to catch a break lately.

The article by G. Seetharaman and Shephali Bhatt with additional inputs by Indulekha Aravind was published in the Economic Times on March 26, 2018. Sunil Abraham was quoted.

Rebuked for the misinformation spread on its platform by Russian agencies during the 2016 US presidential election, aiding Donald Trump’s victory, Facebook was on the defensive for most of 2017. Making matters worse for the Menlo Park, California-headquartered social media behemoth, another one of its past oversights has now come back to haunt it in what is undoubtedly its biggest public relations challenge.

Reports by the New York Times and the Observer of London on March 17 disclosed that a researcher linked to Cambridge Analytica (CA), a political consulting firm that worked on Trump’s campaign, had accessed details of 50 million Facebook users unbeknownst to them and shared it with CA, which uses online data to reach voters on social media with personalised messages. The reports were based on revelations by whistle-blower Christopher Wylie, who had worked with CA.

This is how it unfolded: in 2014, CA hired Aleksandr Kogan, a Soviet-born American citizen, to mine data on US voters on Facebook, through a personality quiz app. It was downloaded by 2,70,000 users, who logged in with their Facebook credentials. That enabled Kogan to access not just their data on Facebook, but also their friends’ profiles. Facebook says Kogan lied that the data was only for his research, while there was a commercial element to it as CA paid for the app. It is unclear at this point how exactly the data was used or whether it was effective.

In 2015, Facebook removed his app and sought an assurance from him that the data had been destroyed. But it later found out that the information had been passed on to CA. Facebook has since stopped apps from accessing information about a user’s friends and has even limited the data that can be collected about the user.

While the broad details of the issue have been known since 2015, the sheer number of accounts that were compromised was not known till now and has led to calls for Facebook to be deleted, with #DeleteFacebook trending on Twitter. The company, one of the world’s most valuable public companies, has shed $75 billion, or 14% of its market value, since March 16.

As Facebook spends the next few months trying to convince its users that their data is safe, India will be crucial to their plans. India is, after all, its largest market, with 250 million monthly active users, 12% of its global base, according to recent data by We Are Social and Hootsuite, firms involved in social media marketing and management, respectively.

There are other reasons why India is important to Facebook: WhatsApp, the country’s chat app of choice, has 200 million users, again more than any other market, and Instagram has 53 million. Both these apps are owned by Facebook, giving the company an outsize role in how Indians communicate.

Facebook will only grow as smartphone and internet adoption grows — India is set to add 100 million internet users and 250 million smartphone users by 2020. But at the same time, it has to deal with those wondering whether they should sign up or continue being on the network.

Soumya Sinha, a 32-year-old data consultant in Delhi, says FB is quite passive-aggressive when it comes to data. “It gives you a lot of privacy options, makes you feel you are in control of your wall, but buries an ‘unless you don’t want to share’ option at the bottom,” he says. “If you don’t opt out, it assumes you are happy to share. Even if you do, you can never be sure the non-consensual sharing has stopped.”

Privacy controls — not just on Facebook but on social media platforms in general — are not easy to find and even the most tech-savvy have a hard time ensuring the accounts are as secure as they can possibly be. “Indians are very liberal with others accessing their data. A lot of other accounts are linked to my FB account. Who knows which one of them will provide my data to others?” says Prateek Kharangar, a 30-year-old doctor in Rajasthan.

Mark Zuckerberg, Facebook’s billionaire chief executive, issued a statement on March 21 admitting that Facebook had made mistakes. He added that Facebook would do a thorough audit of suspicious apps and make its privacy policy stricter by limiting the user information it shares with third-party apps.

Facebook will also revoke permission to apps that a user has not accessed for three months and show an option at the top of the news feed, allowing users to do the same. Zuckerberg also said in a subsequent interview to the New York Times that Facebook would let concerned users know about the CA debacle. Questions sent by ET Magazine to Facebook India went unanswered. The US Federal Trade Commission and the European Union are also scrutinising the issue.

Protect Data
Facebook has faced criticism in the past, including about its facial recognition software In India, it was badly bruised in its fight against net neutrality. Its Free Basics campaign tried to push free access to a few websites, including its own, in partnership with telcos, but the telecom regulator in February 2016 ruled in favour of net neutrality. Sunil Abraham, executive director of the Centre for Internet and Society, believes sites like Facebook should periodically inform users about the data the apps have access to. “Facebook should also ask you every quarter if you want to revoke permission. It’s required in countries where users are naive, unaware and incapable of protecting their own interests.”

Many experts call for more transparency and clarity. Nayantara Ranganathan, programme manager at the Internet Democracy Project, says privacy policies are tweaked constantly and the changes the companies want us to know about are conveyed through blog posts and such, while there may be changes that we may not be aware of. Nikhil Pahwa, cofounder, Internet Freedom Foundation, says the process of notifying users of changes in terms and conditions needs to be improved. “So often, T&Cs are changed and the company just sends a generic mail to all its users. If they don’t respond, it is assumed they have agreed to the changes. That needs to change.” Some believe online consent agreements are being simplified.

While there have been calls for the privacy notice to be in local languages too, Rama Vedashree, CEO of Data Security Council of India, says that in markets like India, where millions are just being introduced to the internet, websites may have to look at pictorial representations to explain how user data will be used by third-party developers. Regardless of how intelligible tech companies make their privacy policy documents, given the number of websites we use, it is impossible to read every site’s terms. That is where a stringent law becomes necessary. “We don’t have a robust legal framework that acts swiftly, permits class action lawsuits and awards damages in tune with the harm incurred,” says Mishi Choudhary, legal director at the Software Freedom Law Center.

WHY FB CAN'T TAKE DATA SECURITY LIGHTLY IN INDIA

Source: Facebook, WhatsApp, We Are Social and Hootsuite, Ministry of Communications, Internet and Mobile Association of India

Abraham says presently only data security is covered under the Information Technology Act, 2000. “A mere infringement of your privacy without financial loss does not allow you to seek remedy.” However, India could have a data protection law sooner than later. A committee was appointed by the government last year to come up with a draft law, an important part of which will be a data protection authority. The Supreme Court, in a landmark ruling last year in a case related to Aadhaar, said privacy is a fundamental right.

The European Union’s General Data Protection Regulation (GDPR), which will come into effect in May, could be emulated in countries, including India. It makes tech companies more accountable for the privacy of those who use their services and has penalties up to £20 million, or 4% of the errant company’s global annual revenues, whichever is higher. This forced Facebook to put all of its privacy settings in one place in January.

“India must go further than Europe did with its General Data Protection Regulation, which requires companies to get unambiguous consent from users to collect data, to clearly disclose how personal data are being used, and to spell out why data is being collected. It must also ban any form of political advertising and the sale of data to third parties,” wrote Vivek Wadhwa, a tech entrepreneur and academic, in a column in ET on Friday.

In light of this controversy, there will be pressure on the government to hasten the process of introducing a data protection law, accompanied by a regulator. It is likely the draft document will draw on the European regulation. “The more we adopt from EU GDPR, the better,” says Pahwa, adding that users should also have the right to removal of personal data.

Ravi Shankar Prasad, India’s IT and law minister, has warned Facebook of stringent action if it is found influencing elections “through undesirable means”. The Indian government on Friday issued a notice to Cambridge Analytica asking if any entities engaged its services to harvest data of Indian Facebook users.

India could also take a leaf out of Germany’s playbook while enforcing data protection, especially if it involves tech companies that dominate the segment they operate in, like Google in search and Facebook in social media. Germany’s competition watchdog in December accused Facebook of abusing its dominant position to get users’ consent to access their data from third-party websites. The Competition Commission of India in February imposed a penalty of `136 crore on Google for abusing its dominant position in search to create a bias to favour its own services.

Messing Up Elections?
The ongoing controversy has been exacerbated by the fact that besides data privacy, electoral politics is at the centre of the issue. CA dug itself into a deeper hole when footage emerged of a UK television channel’s sting operation, in which the company’s top officials talk about using bribes and women to entrap their clients’ political opponents. CA has since suspended its chief executive, Alexander Nix, who was in the video. CA is partly funded by conservative US billionaire Robert Mercer, and Trump’s former White House chief strategist Stephen Bannon served on its board.

The issue has had political ramifications in India, with both the ruling Bharatiya Janata Party and opposition Congress trading charges about each other’s association with CA. The BJP has attacked the Congress by quoting news reports of talks between CA and the Congress ahead of the 2019 general election, while the Congress has hit back with a reference to the 2010 Bihar election on the CA website. The company claims that it worked on the Bihar election, reportedly through its parent Strategic Communication Laboratories, by identifying swing voters.

“Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won,” says the website. The JD(U)-BJP combine was the victorious coalition. Interestingly, the company’s India partner, Ovleno Business Intelligence, is run by Amrish Tyagi, son of JD(U) leader KC Tyagi. When contacted by ET Magazine, Amrish Tyagi declined to comment. Both the Congress and the BJP have denied any ties to CA.

“We have been on social media as long as social media was around and we have always been ethical in our conduct,” says Amit Malviya, head of BJP’s IT Cell. Divya Spandana, who heads the social media team for the Congress, says the party does not engage external agencies. “We only use data with the consent of the individual, emails are subscribed to and WhatsApp is through people who have signed up to receive messages.” The BJP made good use of social media in its 2014 campaign, and Prime Minister Narendra Modi and most of his cabinet are quite active on Twitter.

Facebook, Twitter and WhatsApp will play an even bigger role in the upcoming assembly polls and the 2019 general election, WhatsApp perhaps more so than the other two, given its popularity and user engagement. “What makes WhatsApp worse than Facebook is Facebook knows what’s being sent around (on its platform). If it comes up with a fake news mitigation strategy, it might work. WhatsApp doesn’t know what’s being sent on its platform,” says Abraham.

In his New York Times interview, Zuckerberg said that after the US presidential election, Facebook developed artificial intelligence tools to identify fake accounts and fake news, which were deployed during the French presidential polls in 2017. “This is a massive focus for us to make sure we’re dialed in for not only the 2018 elections in the US, but the Indian elections, the Brazilian elections, and a number of other elections that are going on this year that are really important,” he was quoted as saying. Both government authorities and the Election Commission of India will keep a close watch on how social media is used in poll campaigns.

While things do not look up for Facebook in the immediate future, some think it will get past the issue. Vineet Sehgal, chief marketing officer of Quikr, says while marketers will take a hard look at Facebook, the company will act swiftly to change its policies.

"There is too much at stake." More and more Indians are using social media, in addition to searching for information on the internet, buying things on ecommerce sites, booking app-based cabs, and making payments and transfers on online payment platforms. They will also buy more devices, including wearables and smart speakers, which gather large amounts of data. So naturally, it is imperative that the sanctity of that data become a top priority for tech companies, consumers and the government. "The emphasis of any (data protection) law needs to be protecting people, not data. Our legislators should ask about relationships of all entities with social media and data analytics companies," says Choudhary of Software Freedom Law Center.

For more details visit https://cis-india.org/internet-governance/news/economic-times-g-seetharaman-shephali-bhatt-march-25-2018-data-breach-how-will-the-biggest-scandal-that-facebook-is-mired-in-affect-its-credibility-in-india

PM’s app also susceptible

Admin — 2018-03-27T01:23:36Z

Even the Narendra Modi app of PM Modi is susceptible to data theft as a 22-year old Indian hacker established, claiming that privacy of more than 70 lakh users on it is at stake.

This was published by Free Press Journal on March 25, 2018

Still worse is that anybody downloading the app may not know that all data on his mobile automatically goes to CleverTap without his or her consent to let the firm populate it alike British firm Cambridge Analytica that helped the US President Donald Trump in the last election with the vast data stolen from Facebook.

Congress social media chief Divya Spandana/ Ramya on Saturday retweeted a tweet by one Pranesh Prakash to know whether Law Minister Ravi Shankar Prasad talking of summoning Facebook CEO Mark Zuckerberg will also summon the PM for privacy violation and data theft.

Once you download the Narendra Modi app, all your data like your phone numbers, emails, name, location and interests as also all on your phone list, WhatsApp list and email is captured and then populated to know your interests and send you mails and messages accordingly, Divya explained.

Hacker Javed Khatri, who was able to crack the app late last year says he is able to access private data of any user and that is how he “successfully managed to extract the personal phone numbers and email ids of ministers like Smriti Irani.”

“Not only that, I can make any user on the platform follow any other user on the platform. This is just the summary of this huge security loophole which I want to report. The privacy of more than seven million users is at stake if this gets ignored.” Javed said, stressing that he did not want to cause any harm but wanted to demonstrate how poor the security of the app is that he could easily hack it.

For more details visit https://cis-india.org/internet-governance/news/free-press-journal-march-25-2018-pm-app-also-susceptible

Data politics: BJP, Congress in spat over sharing app data without users’ consent

Admin — 2018-04-18T00:51:15Z

Congress took down its WithINC app after facing allegations of sharing user data, a day after it accused BJP of doing the same with the NaMo app.

The article by Komal Gupta was published in Livemint on March 26, 2018. Pranesh Prakash was quoted.

An app war has broken out between the Congress party and the ruling Bharatiya Janata Party (BJP)—appropriately on Twitter.

Fought in the shadow of the global storm on data leaks from Facebook and Cambridge Analytica, the two Indian parties accused each other of sharing user data with third parties collected without the users’ consent.

The Congress on Monday took down its app—WithINC —after facing allegations of sharing user data with servers in Singapore. However, the party has claimed it was forced to remove the app as the wrong URL was being circulated and people were being misled.

Congress president Rahul Gandhi took to Twitter after an anonymous French security expert claimed that Prime Minister Narendra Modi’s NaMo app was sending user data to a third-party website without user consent.

“Modi misusing PM position to build personal database with data on millions of Indians via the NaMo App promoted by Govt. If as PM he wants to use tech to communicate with India, no problem. But use the official PMO APP for it. This data belongs to India, not Modi,” Gandhi tweeted on Monday.

WithINC is the official app of the Congress to allow users to connect with the party through regular updates from various social media and news channels. “It also allows you to apply for membership of the INC by completing all steps of the INC membership process,” a descriptor on Google Play Store says.

Information and broadcasting minister Smriti Irani on Monday tweeted, “Now that we’re talking tech, would you care to answer Rahul Gandhi ji why Congress sends data to Singapore Servers which can be accessed by any Tom, Dick and Analytica?”

Trashing BJP’s allegations, Congress’ social media head Divya Spandana claimed that the membership page on the Congress app had been defunct for a while. “We don’t collect any personal data through the INC app. We discontinued it a long time ago. It was being used only for social media updates. We collect data for membership and this is through our website, this is encrypted,” Spandana tweeted on Monday.

The NaMo app is designed to ensure that users do not have access to any data other than their own, a government official said on Sunday, requesting anonymity. Data entered by any user is used for analytics using third-party service, similar to Google Analytics, said the official.

“Apps ought to request the minimum of a phone’s functionality. They should evaluate the data they need, collect as little as needed, and clearly state what use they will make of the data,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

“The Narendra Modi app, quite famously, provided unrestricted access to the personal data of more than 5 million users,” Prakash added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-26-2018-data-politics-bjp-congress-in-spat-over-sharing-app-data-without-users-consent

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks

Admin — 2018-03-26T22:37:30Z

The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming.

The article by Nilesh Christopher was published in Economic Times on March 26, 2018. Sunil Abraham was quoted.

While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.

“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication ZDnet citing an Indian security researcher said that it identified Aadhaar data leaks on a system run by a state-owned utility company Indane that allowed anyone to access sensitive information like a name, Aadhar number, bank details. The leak was plugged soon after the report appeared.

UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.

There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.

“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.

In case of Aadhar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet and Society.

UIDAI could take a leaf from Indian Space Research Organisation while handling data breach reports. The state-run space agency put out a note appreciating security researches for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.

“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.

“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still has not fructified.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks

Indian IT firms not ready for European Union's proposed privacy laws, only a few compliant with GDPR

Admin — 2018-04-18T00:56:20Z

Only a third of Indian IT firms are compliant with the European Union's General Data Protection Regulation (GDPR), which will come into force on 25 May, according to a media report.

The article was published in First Post on March 26, 2018.

The GDPR, the EU's new online privacy rules, is designed to protect users' online privacy. The European Parliament has adopted the regulation but European governments have yet to approve the text.

“Only 30-35 percent of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, was quoted as saying by The Economic Times.

The GDPR is applicable to companies globally, and has significant potential financial penalties. Damages of any breach of privacy of user data from Europe could cost companies as much as four percent of their revenue, according to The Economic Times. For the Indian IT sector, Europe ranks number two in terms of the amount of business it drives, with US still taking the lead.

Indian firms, according to Business Standard, are struggling to understand the GDPR policies. A survey by EY had shown that 60 percent of Indian respondents were unfamiliar with the new regulation.

"When asked to describe their company’s current status with respect to complying with the GDPR, only 33 percent of respondents said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all and 17 percent said that they have heard of the GDPR but have not yet taken any action," EY’s Global Forensic Data Analytics Survey 2018 had said.

What the GDPR is all about?

The GDPR attempts to unify data protection laws across the EU. It applies to all companies, regardless of location, that process the personal data of people living in the European Union. It aims to strengthen the protection of EU citizens' personal details. It will apply to all companies, including those outside of the EU.

The GDPR is considered the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information.

Under the new regulation, users will be asked once and for all whether to accept cookies, rather than every time they visit a new website. Users will have the option of going invisible online, while the rules enshrine the so-called "right to be forgotten" legislation. The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

How Indian firms will be affected?

According to a study published by The Centre for Internet and Society, as a result of GDPR, data protection procedures like breach notification; excessive documentation and appointment of data protection officer may have to be incorporated in the Indian laws as well.

"As non – compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations," the study said.

(With inputs from agencies)

For more details visit https://cis-india.org/internet-governance/news/first-post-march-26-2018-indian-it-firms-not-ready-for-european-unions-proposed-privacy-laws-only-a-few-compliant-with-gdpr

Modi Govt compromising privacy of individuals: Cong

Admin — 2018-04-18T01:10:42Z

Charging the Narendra Modi Governemt with compromising the privacy of individuals by leaking user information on the Narendra Modi app, the Congress on Monday said the counter allegations by the BJP that the Opposition party was indulging in 'data theft' were an attempt to divert attention from the issue.

This was published by United News of India on March 26, 2018.

Talking to reporters here, AICC spokesperson Abhishek Manu Singhvi said, 'we have said repeatedly that the biggest assault on individual privacy has occurred under the watch of the Narendra Modi Government. Not only people’s money, but people’s privacy is also in question.

Even as startling revelations that the Narendra Modi app, run by the BJP is sharing data of millions of users with American companies emerge, the Modi Government mocks and flouts the ‘Right to Privacy’ with brazen impunity. While the Prime Minister’s Office, PMO India app, asks users to voluntarily part with their identity on 14 data points, the NaMo app asks for a sweeping access to 22 data points. The NaMo app records audio, video, contacts of your friends and family and even tracks your location via GPS. No wonder, Modi ji is like the ‘Bigg Boss’ who with brazenness likes to spy on Indians. The BJP whose IT (Identity Theft?) Minister does daily press conferences on the issue of data security and democracy, has much to answer to the people of India on the unscrupulous means by which Shri Narendra Modi’s personal app is accessing data and passing on data of more than 50 lakh Indians,' he alleged.

Describing the BJP allegations that the Congress was indulging in 'data theft' through its mobile app, Mr Singhvi said. 'the Modi Government is resorting to deflectionary and diversionary tactics. The Congress application had just 15,000 downloads against the 50 lakh Indians who downloaded the NaMo app. Also, the Congress application was discontinued as most of the users wanted to register offline.'

Accusing Mr Modi of misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by the government, Mr Singhvi said, 'Why does Mr Modi, in his own book ‘Exam Warriors’ urge you to download the NaMo app. Is he now planning to snoop in on minors? Mr Modi is misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by Government. If as PM he wants to use tech to communicate with India, there is no problem in that. But use the official PMO app for it, not the NaMo app. This data belongs to India, not to Mr Modi.

Shockingly, data of atleast 13 lakh NCC cadets which include personal mobile phone numbers and email ID’s are being given to the Prime Minister’s Office for an interaction.'

Citing in this regard the report of a committee of experts appointed by the government on the issue of data protection, Mr Singhvi said, 'importantly, a Government appointed Committee of Experts (CoE) to look into a framework for data protection, headed by Justice (retd) BN Srikrishna has made scathing observations in a paper released in November 2017, against the Government and has shockingly implied (according to the media reports) that the Modi Government is collecting personal data illegally. The committee, which is currently in the process of conducting consultations, has also considered the SC judgment on privacy, says in its paper “The public and private sector are collecting and using personal data on an unprecedented scale. While data can be put to beneficial use, unregulated and arbitrary use of data, especially personal data, raise concerns relating to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.”

Alleging that under the Modi Government, not only the personal data of citizens was under serious threat, but there were multiple reports of data breaches in banks, Mr Singhvi said, 'astonishingly, under the Modi Government, not only the personal data of citizens is under serious threat, but multiple breaches in the banks. In an atmosphere where every single day there has been a bank fraud worth thousands of crores of rupees being reported, have resulted in one single question - how safe is our money in banks?

Banks and PSU’s have reported multiple breaches in recent past. A newspaper report on Monday said two online security experts have claimed that the Aadhaar database of two public-sector enterprises leaked select data and the vulnerability was fixed only a month after attention was drawn to it. This exposes their names, the 12-digit Aadhaar number and information of the services they have linked their Aadhaar card to. These services include bank details, policy details and other private information. This was corroborated by the UIDAI statement released on Sunday.

“It was left up there for more than a month — even though it had been reported to them directly,” claim the security experts. On February 23, 2018 a report had claimed that there was a data breach which had hit the the Punjab National Bank, whereby sensitive credit, debit card details of 10,000 customers were leaked. Quick Heal, a reputed software company in October 2017 had also claimed that there was a massive data breach in 6,000 government offices including banks. Earlier in 2016, as per media reports -- 32 lakh debit/credit cards of various Indian banks were compromised. The worst-hit was the State Bank of India along with certain private banks.'

He also charged the present Government of breach of Aadhaar data of individuals.

'In April 2014, the then Gujarat Chief Minister Narendra Modi had attacked Aadhaar and the UPA Government on its possible ‘security threat’. Life has now come full circle for the BJP. Just like numerous other issues, their blatant hypocrisy on Aadhaar is exposed. In January, this year, when a reputed newspaper in a sting exposed how 1 crore Aadhaar details can be accessed in just 10 minutes, by paying just Rs 500 in Chandigarh, the UIDAI had then filed an FIR against the reporter. Now the editor of the reputed media house has also been replaced.

We have seen it in May 4, 2017, when the Modi Government is on record in Supreme Court, accepting data breach in the Aadhaar scheme. Now the Attorney General in Supreme Court, while arguing that Aadhaar data remains safe and secure, says that the Aadhaar data remains secure behind a complex that has 13-ft high and five-feet thick walls, which is laughable and ludicrous, to say the least. On November 20, 2017, the UIDAI had accepted on record that –“More than 210 central and state government websites publicly displayed details such as names and addresses of Aadhaar beneficiaries”. Earlier too, ‘Centre for Internet and Society’, a Bengaluru-based organisation (CIS) in a study published on May 1, 2017, had found that data of more than 130 million Aadhaar card holders has been leaked from just four government websites. Therefore this is a serious issue. Clearly, neither our money, nor our Aadhaar details or our personal details are secure under the Modi Government.'

For more details visit https://cis-india.org/internet-governance/news/united-news-of-india-march-26-2018-modi-govt-compromising-privacy-of-individuals-congress

Aadhaar safety

Admin — 2018-03-26T17:09:26Z

We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.

The article was published in Asian Age on March 25, 2018.

Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.

‘Safety claims are bogus’
Hrishikesh Bhaskaran, Privacy Activist
Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).

The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.

‘Multi-level security assumes added significance’
Jaideep Mehta, CEO of VCCircle.com
Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.

‘Tightening system, or line of human command more important’
Ershad Kaleebullah, Technology Editor
There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.

‘Your data security is in your hands, always be cautious’
Viraj Kumar Pratapwant, Senior Software Design Engineer
First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.

Sunil Abraham, Executive Director at Centre for Internet and Society
Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data in encrypted in the CIDR - the deduplication software needs to compare the bio metric of the person getting enrolled with the unencrypted bio metric of others already in the database. This means that the engineer who controls the software has access to the whole bio metric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.

For more details visit https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety

Listening Machines - New interfaces for Art-Science and Technology Policy

Admin — 2018-03-25T03:37:00Z

Sharath Chandra presented his work "Listening Machines - New interfaces for Art-Science and Technology Policy" at the National Academy of Sciences, Washington D.C, at the Arthur M Sackler Colloquia on March 12, 2018.

For more info on the program click here

For more details visit https://cis-india.org/internet-governance/news/listening-machines-new-interfaces-for-art-science-and-technology-policy