We are anonymous, we are legion

Supreme Court extends Aadhaar linking deadline till it passes verdict

Admin — 2018-03-17T15:02:10Z

The Supreme Court, however, allowed the government to seek Aadhaar numbers to transfer benefits of government schemes funded from the consolidated fund of India.

The article by Priyanka Mittal and Komal Gupta was published in Livemint on March 13, 2018. Pranesh Prakash was quoted.

The Supreme Court (SC) on Tuesday extended the deadline for linking of Aadhaar with mobile services, opening of new bank accounts and other services until it passes its verdict on a pending challenge to the constitutional validity of such linkages.

The court also noted that Aadhaar could not be made mandatory for issuance of a Tatkal passport, for now.

The extension would be applicable to the schemes of ministries/departments of the Union government as well as those of state governments, the court ruled in an interim order.

It was however, clarified that the extension would not be applicable for availing services, subsidies and benefits under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

A Constitution bench comprising Chief Justice Dipak Misra and justices D.Y. Chandrachud, A.K. Sikri, A.M. Khanwilkar and Ashok Bhushan is hearing a challenge to the constitutional basis of the 12-digit unique identification project, which is now likely to conclude after 31 March, the earlier deadline for Aadhaar linking.

“Even where Aadhaar hasn’t been mandated by the government, and even though the Supreme Court has extended the deadline for some mandatory linkages, if the software systems used by various governmental and private entities don’t make ‘Aadhaar number’ and authentication optional, then the SC’s orders gets nullified, effectively,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society (CIS).

Similar concerns over the extent of Tuesday’s interim protection were also expressed by the Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world. “While the extension is certainly welcome, it is also important to note that there is currently some uncertainty about this extension and how it applies to linkages made mandatory under Section 7 of the Aadhaar Act. If the latest order does indeed exclude Aadhaar linkages mandated under Section 7, a large number of central and state government schemes (such as PDS, LPG, MNREGA and many more) would still need to be linked to Aadhaar by the end of the month, significantly diminishing the relief brought by today’s order, ” said the organization.

“The deadline for Aadhaar holders to link their PAN cards for taxation purposes will also be extended until disposal of the case as this linkage was mandated by Section 139AA of the Income Tax Act, 2000 and not Section 7 of the Aadhaar Act,” SFLC added.

Last week, attorney general K.K. Venugopal had told the apex court that the centre would consider extending the linking deadline since arguments in the case were likely to proceed beyond the earlier deadline of 31 March.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-komal-gupta-march-13-2018-supreme-court-extends-aadhaar-linking-deadline-till-it-passes-verdict

New Lock For EU’s Digital Mines

Admin — 2018-03-17T13:10:52Z

Indian companies dealing with European data wait anxiously as the EU pushes in new security rules

The article by Arindam Mukherjee was published in the Outlook in March 26, 2018 issue. Elonnai Hickok was quoted.

Pretty soon, Indian companies, especially those associated with European companies, will have to walk that extra mile to protect personal data. Come May 25, the European Union (EU) will enact a new set of regulations, called the General Data Protection Regulation (GDPR), which will impose stringent conditions for personal data protection and privacy laws.

What’s more, any violation of or non-compliance with the new regulations will attract the strictest of penalties and fines. On an average, the new regulations call for up to 4 per cent of a company’s global revenue as penalty.

With the already huge and rapidly expanding field of big data play across companies and industries, data protection has come under the limelight and many countries are talking in terms of putting in place stringent rules for personal data protection. The EU will be the first off the block with GDPR, which comes into effect in less than three months. It is expected that following the EU’s example, similar regulations will start coming up in other countries as well.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU and its regulations will cover all EU member states and citizens. Accordingly, all companies operating in the EU and having customers there, or even having work outsourced from the EU which involves its citizens’ personal data, will have to fall in line and comply.

The rules under GDPR will be relevant for businesses collecting, processing, storing, and sharing data of EU data subjects. This would include all businesses located in India providing services directly or indirectly to EU data subjects, as well as Indian companies with a presence in Europe.

This has put a lot of Indian IT and ITES companies in a bind given that few Indian companies are in a position to comply with the new GDPR rules and regulations within the given deadline. GDPR necessitates that adequate steps have to be taken to secure EU data wherever it is stored or processed.

At present, India does not have any data privacy law. However, the government has set up a committee of experts under former Supreme Court Justice B.N. Srikrishna to look into matters related to data protection and privacy in the country. The committee has so far come up with a draft protection bill. But it is unlikely that the committee will be able to come out with its final report before the GDPR deadline of May 25.

Huzefa Goawala, who heads GRC, India & SAARC, RSA, says the impact of GDPR will be heavy on India. “A sizeable chunk of Indian companies operate out of the EU including IT/ITeS, manufacturing, financial services and telecom companies,” he adds. “The GDPR will apply to personally identifiable information and internal facing data and external facing data, and organisations will have to protect data on all these fronts. Unfortunately, very few organisations have taken measures to become GDPR compliant at the ground level and are waiting for others to make a move. Larger, tier 1 organisations are in a consultation mode at the moment and are in a preliminary stage of compliance.”

According to Ernst & Young’s forensic data analytics survey (2018) done among Indian companies, 60 per cent of Indian respondents are still not familiar with the GDPR, while only a little over 23 per cent have heard of it but have done nothing about it. “This puts India in a precarious position, especially because it takes time for a company to prepare for GDPR compliance, which involves identifying where all the data resides and taking measures to safeguard it,” says Mukul Shrivastava, partner, Fraud Investigation and Dispute Services, Ernst & Young. “Many large IT-ITeS companies have secure servers in the EU or on cloud. But a lot of EU data processing is either done in India or is outsourced to India. That data needs to be protected under the GDPR.”

Experts say that under GDPR, a company will have to report any breach of data security within 72 hours. In case it fails to do so, stiff penalties will be imposed. With GDPR, the EU wants to stress on how important personally identifiable information is and see what companies are doing to protect it. It calls for deployment of ground level technologies by companies to ensure data security.

To ensure full compliance under GDPR will be a difficult task. “It is not possible to check 100 per cent compliance,” says Vijayshankar Na, cyber law and international information security expert. “There can be multiple versions of personal data in a process. To tap this data and see where all it is flowing in the system will be the toughest part under GDPR. Companies will have to identify all this in order to protect data.”

To help Indian companies, India’s IT representative body Nasscom has sought a “data secure” status for its companies from the EU. The EU has given a similar status to American companies, which ensures some concessions for them. Indian companies would be entitled to similar concessions under GDPR if they get the data secure status. But a decision on this is yet to come.

“As India has not attained data secure status, the collection, processing, storing, and sharing of EU data subjects by Indian companies will continue to be through ‘binding corporate rules’,” says Elonnai Hickok, chief operating officer, CIS (Centre For Internet and Society), Bangalore. “Though GDPR will affect any company handling EU data, the IT sector in India could potentially be impacted the most given the amount of business that it does and potentially could do with the region. For instance, a Deloitte report has estimated the outsourcing opportunity of the Indian IT industry with Europe at $45 billion.”

Hickok says India’s legal regime around privacy, consisting primarily of section 43A of the IT Act and associated rules, has not been found to be data secure by the EU in past assessments. This means that unless practices are guided by binding corporate rules, the standard of practice in India is lower than required by the previous Data Protection Directive (1995) as well as the GDPR. Some of the potentially challenging requirements in the GDPR will include the requirement for reporting breaches, new standards for consent, ensuring the rights of data subjects including access and correction, portability, erasure and deletion, the right to objection, and, if the need arises, the right to request human intervention in automated decisions.

What could also hit Indian companies is that the cost of GDPR compliance will be high—there will be costs related to human capital, periodic updates, IT infrastructure around the data (both hardware and software) and setting up cyber security and incident response programs.

“Europe is an important market for Indian companies,” says Vinayak Godse, senior director, Data Security Council of India (DSCI). “This heightened threshold of privacy may lead to some top line compromise for Indian IT companies. The compliance burden is also bound to increase. The small and mid-size companies looking at the EU as a market may struggle to comply with the new rules.”

The Indian government is trying to bring some order vis a vis data privacy and the Justice Srikrishna panel is expected to expedite the process. “The Government of India is currently developing a national data protection framework, following the Supreme Court judgment of August 2017 recognising an individual’s privacy as a fundamental right,” says Keshav Dhakad, director & assistant general counsel, corporate, External & Legal Affairs, Microsoft India. “The coming of GDPR will help galvanise the discussion in countries outside of Europe and in India.”

As of now though, there is a lot of confusion and Indian companies, staring at a tight deadline, are under stress. If they can speed up the process and comply, they will be safe, but if they fail, they could lose business in one of India’s most promising markets.

For more details visit https://cis-india.org/internet-governance/news/outlook-march-26-2018-new-lock-for-eu-digital-mines

Aadhaar unique IDs in India: a qualified success?

Admin — 2018-03-17T12:49:51Z

Anshuman Jaswal form Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.

Benefits of Aadhaar

India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.

Security challenges are paramount

Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.

In May 2017, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.

The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.

The second instance of a breach occurred between January to July 2017, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.

Aadhaar and the right to privacy

The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data to be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.

The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.

Read the original blog post published by the Paypers here

For more details visit https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success

Analysis of ICANN revenue shows ambiguity in their records

Sunil Abraham, Arjun Venkatraman and Akriti Bopanna — 2018-04-27T10:01:26Z

We, The Centre for Internet and Society, have been instrumental in having ICANN become transparent about their revenue with our persistent requests for their sources of revenue.

Click to download a PDF of the Analysis

In 2014, CIS' Sunil Abraham demanded greater financial transparency of ICANN at both the Asia Pacific IGF and the ICANN Open Forum at the IGF. Later that year, CIS was provided with a list of ICANN's sources of revenue for the financial year 2014, including payments from registries, registrars, sponsors, among others, by ICANN India Head Mr. Samiran Gupta.This was a big step for CIS and the Internet community, as before this, no details on granular income had ever been publicly divulged by ICANN on request.¹ Our efforts have resulted in this information now being publicly available from the years 2012 onwards. We then decided to analyze all these years of financial data collaborating with Ashoka fellow Arjun Venkatraman and following are our observations:

To get a clear picture of ICANN's revenue, it can be seen that over the years it has been growing steadily. In 2016 it was 1.7 times the revenue it made in 2012.

A breakdown by country reveals that a significantly higher proportion of their revenue is from sources registered in the United States.

It is also interesting to note that revenue from China has seen a spike in the past 2 years, especially in the period of 2015-2016. Verisign CEO, James Bidzos confirmed in an interview to analysts that Chinese activity had surprised them as well though they expected the activity to slow down in the second quarter of 2016.²

Verisign also happens to be the top paying customer for ICANN every year, running the .com/.net names. Their payments are orders of magnitude greater than payments made by any other single entity or even several collective entities.

ICANN differentiates its sources of revenues by each class of entity which stand for the following:

RYN - Registry
OTH - Other
RYG - Registry
RIR - Regional Internet Registry
RYC - ccTLD (Top Level Domains)
IDN - Internationalized Domain Names
RAR - Registrar
SPN - Sponsor

It is evident that the Registries and Registrars contribute the most to revenue however the classification of these groups in itself is ambiguous. RYG and RYN both stand for registry but we do not find any explanation given for the double entry for a single group. Secondly, Sponsors are included yet it is unclear how they have sponsored ICANN, whether through travel and accommodation of personnel or any other mode of institutional sponsorship. The Regional Internet Registries are clubbed under one heading and as a consequence it is not possible to determine individual RIR contribution such as how much did APNIC pay for the Asia and Pacific region. The total payment made by RIRs is a small fraction of the payments made by many other entities and they all pay through the Numbers Resources Organization (NRO), who is listed as paying from Uruguay however the MOU creating the NRO does not specify their location as being there. The NRO website states that " RIRs may be audited by external parties with regards to their financial activities or their operations. RIRs may also allow third parties to report security incidents with regards to their services." ³ Their records show that financial disclosure is done in an inconsistent manner with the last publication from AFRINIC being for the year 2013 ⁴ while the RIPE NCC who coordinates the area of Central Europe, Middle East and Russia last published an annual report for the year 2016 but had no financial information in it. ⁵

The most frequently found words in their sources which can give us an idea of the structure of the contributing entity yields the following result.

Several clients have registered multiple corporate entities to increase their payments to ICANN such as DropCatch, Everest and Camelot. ⁶ The first of them, DropCatch, is a domain drop catcher, essentially selling expired domain names to the highest bidder. By the end of 2016, about 43% of all ICANN-accredited registrars were controlled by them. ⁷

Many clients have reported themselves from different countries over the years as well such as 'Verisign Sarl' which has been reported as originating from Switzerland and in a different year from the United States. ⁸ Another curious case is of the entity, 'Afilias plc', which when categorized as a sponsor (SPN) is reported from Ireland however as a registry (both RYG and RYN) is reported from the United States. Some entities have originated from one place such as the United Arab Emirates and then moved to other countries such as India.

To summarize, the key takeaways from the information we have dissected so far are:

- ICANN's revenue has been steadily increasing with the 2016 seeing a 1.6 times increase of its revenue generated in 2012.

- United States is the country that most of the revenue originates from.

- After the US, China is now the largest contribution to ICANN revenue, significantly increase their contributions from 2015.

- Verisign is the top contributing entity, their contribution much greater than other entities.

- Registries and Registrars are the main sources of revenue though there is ambiguity as to the classifications provided by ICANN such as the difference between RYG and RYN. The mode of contribution of sponsors exactly is not highlighted either.

- Several entities have been listed from different places in different years, sometimes depending on the role they have played such as whether they are a sponsor or registry. Registering multiple corporate entities to acquire more registrars has occurred as well.

1. Venkataraman, P. (2017). CIS' Efforts Towards Greater Financial Disclosure by ICANN . [online] The Centre for Internet and Society.[Accessed 14 Mar. 2018].

2. Murphy, K. (2016). Verisign has great quarter but sees China growth slowing | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite. [Accessed 14 Mar. 2018].

3. Nro.net. (2018). RIR Accountability Questions and Answers | The Number Resource Organization . [online] [Accessed 11 Mar. 2018].

4. African Network Information Centre - Annual Report

5. RIPE Network Coordination Centre Annual Report 2016

6. Murphy, K. (2016). DropCatch spends millions to buy FIVE HUNDRED more registrars | Domain Incite - Domain Name Industry News, Analysis & Opinion . [online] DomainIncite.[Accessed 13 Mar. 2018].

7. Id

8. Detailed list is available on request

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-icann-financials-from-2012-2016

People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India

Shweta Mohandas — 2018-03-11T15:30:50Z

On the 27th of February, Peter Sparkes the Senior Director, Cyber Security Services, Symantec conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.

Introduction

In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000.

There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state of the art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine learning are helping, by monitoring the system to identify cyber attacks, and analyse the severity of the threat, and in some cases by blocking such threats.

Evolution of Security Operations Centers

In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.

People Driven and Tech Enabled

In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies to not only overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group, revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.

The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.

Similarly, the tasks of monitoring and blocking which were earlier conducted by entry level analysts were now done by systems, using machine learning. Typically, the AI acts as the first monitoring system after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and responsive security protocol.

Detecting the Unknown

Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before the security is compromised. The detection of threats through AI and ML is done in a similar way as it is done for the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to identify right from wrong.

There have been numerous cases of stealthy cyber attacks such as wannacry and ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.

The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case by case basis.

AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.

Passive to Active Defense

Threat to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.

In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, and thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.

Use of AI in Cyber Security in India

In 2017, Indian enterprises were infected by two lethal cyber attacks called Nyetya that crept through a trusted software - Ccleaner and infected computers

. These attacks may just be the tip of the iceberg , since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.

One such example is HDFC bank which is in the process of introducing an AI based Cyber Security Operations Centre (CSOC).

This CSOC is based on a four point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.

Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.

As India is increasingly becoming data dense both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.

Conclusion

Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time consuming tasks, leaving the technicians with more time to work on damage control. Although it must be kept in mind that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).

Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.

A few topics that Indian SOCs need to consider while using AI and ML :

1. The companies need to understand that AI and ML need human expertise and supervision to be effective and hence substituting people for AI is not ideal.

2. The companies need to give equal if not more importance to data security.

3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.

4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.

[]. Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

[]. Ibid.

[]. Enterprise Strategy Group (2017, March ). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018 from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf

[]. Ibid.

[]. Vorobeychik,Y (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf

[]. Quora. ( 2081, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147

[]. Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc

[]. PTI. ( 2018, February 21).Indian companies lost $500,000 to cyber.Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms

[]. Raval, A. ( 2018,January 30). AI takes cyber security to a new level for HDFC Bank.Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/

[]. “The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15. Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[]. Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/

[]. Open AI.(2017 February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/

For more details visit https://cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india

White Paper on Data Protection and Privacy

Admin — 2018-03-07T14:57:53Z

National Institute of Public Finance and Policy is organizing a roundtable on data protection and privacy in New Delhi on March 8, 2018. Sunil Abraham is participating as a moderator in the session on Rights and Protections. Amber Sinha is also participating as a panelist.

Agenda here

For more details visit https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy

Is there a case for penalizing fake news?

Admin — 2018-03-07T14:23:05Z

Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

The article by Nilesh Christopher was published by ET Tech on March 7, 2018. Sunil Abraham was quoted.

In May 2017, rumours of child-lifters on the prowl circulated on WhatsApp led to the lynching of seven men in Jharkhand.

The same month, the administrator of a WhatsApp group was arrested and later released on bail after a member of the group posted a “morphed” photograph of Prime Minister Narendra Modi wearing a garland of shoes.

A month earlier, following the assembly election in Uttar Pradesh, a district magistrate and a police official issued a joint order warning that WhatsApp group administrators could be slapped with criminal charges if factually incorrect or rumours were circulated in the group. Officials in Bihar followed suit, issuing similar orders against circulation of hoaxes.

These are just a few instance of ‘fake news’ on digital platforms that India had to deal with in 2017. Between June 2016 and May last year, more than 20 criminal complaints involving online content were filed, and many people were detained for content circulated on WhatsApp or published on Facebook, as per research organisation Freedom House.

As the consequences of bogus news become more pervasive, stoking resentment and violence, many South Asian countries such as Philippines, Indonesia, and Vietnam have sought to treat the manipulation of content as a criminal offence.

“It is not penalising, but defining ‘fake news’ which is a challenge,” said Max Smeets, Cybersecurity fellow at Stanford University. “We currently lack a common definition of fake news. Is it about fake personas, spam, data theft, seeding stories in the press or creating fake stories? We have to be clear by what we mean if we want to penalise fake news (or more generally tackle it).”

Criminalising dissemination is difficult mainly because people who disseminate the information are not necessarily aware that they are involved in this practice.

The inherent ambiguity has led certain governments to frame stringent laws to deal with the menace. Philippines President Rodrigo Duterte signed stricter laws authorising punitive action resulting in a jail term of up to six months and heavy fines of up to an equivalent of Rs 2.5 lakh for publishers of fake news. But Duterte’s version of the law applies to anyone who expresses a contrarian view of the government or “causes damage to the state”. The government has set up a special task force in the national police to look into fake news, but experts say it amounts to a witch-hunt in the guise of a clampdown on fake news.

The proliferation of ‘fake news’ through misinformation and hyper-partisan content came to the fore in the run-up to the 2016 Presidential election in the United States. Facebook and Twitter have been under increasing scrutiny for allowing targeted political ads from Russia-backed entities to manipulate voters and influence elections.

Since then, “manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens’ ability to choose their leaders based on factual news and authentic debate,” as per Freedom on the Net 2017 report.

In one of the most high-profile crackdowns on the fake news in 2017, Indonesian police incarcerated administrators of organised crime ring Saracen, which peddled racist and sectarian fake news against political parties. “Indonesia had to start fighting ‘organised fake news’ organisations such as Saracen who were launching targeted fake news campaigns on behalf of political parties during the periods leading up to major elections,” said Spandana Singh, Millennial public policy fellow at New America.

With more than 800,000 followers on Facebook, the admins made millions through advertising revenue by creating memes and fake posts on their page. As a result, on January 3, Indonesia launched a separate cybersecurity task force to bring purveyors of fake news to task.

“Criminalising fake news is counterproductive,” said Sunil Abraham, executive director of the Centre for Internet and Society. “The trouble with criminalisation is the person circulating the news is ‘fooled’ and is unaware of the crime they are committing. It is very similar to copyright infringement at a non-commercial stage. Many just don’t know,” Abraham said.

“Fake news cannot be battled by the government alone. Often it is the parties in power who are involved in many fake news cases,” he said.

How do we fix this?

Of the 3.4 billion people with access to the internet, 42% live in countries where governments employ armies of “opinion shapers” to spread government views and counter government critics on social media, as per the Freedom on the Net 2017 report.

In the West, corporations are typically the ones that are expected to take up the mantle to tackle fake news. “But government censorship and corporate censorship are not the appropriate ways forward, as this impinges on freedom of speech,” Abraham said.

This raises the question as to who should fix the problem. For starters, in the European Union (EU), Germany has passed a law called the Network Enforcement Act or NetzDG advocating a crackdown on “punishable false reports”. Enforced in October 2017, the hate speech law mandates that companies remove hate speech within a certain time period, and this was created with the intention of also curbing fake news.

Policy experts say the only way forward is more collaboration among various stakeholders. In India, there are organisations such as SM Hoax Slayer and Altnews working to combat disinformation, but “stronger digital literacy, education, and transparency is the way to fight it”, Singh said. “Since there is a business model which has been established for fake news, more people may also try to join the illegal disinformation industry if it continues to prove profitable,” he said.

While existing laws are fragmented, Abraham offered a different policy view of the problem at hand. “The only way to combat bad speech is with good speech. Instead of criminalising, you can mandate public service announcements in on social media channels,” he said.

That is, if someone is using fake news to spark a riot, under the circumstances of an emergency, the government should be allowed to push actual facts around the area even in private WhatsApp groups. “A message similar to a ‘must carry’ obligation in broadcast regulation can come in,” Abraham said.

For instance, Catalan is a minority language in Spain but all Spanish language broadcasters must carry some amount of news in Catalan, Abraham said, adding this could be one way of dealing with if not eradicating fake news.

So far, the only solution to prevent rumour mongering in “sensitive” areas in India has been blocking social media sites and suspending internet services. There have been nearly 40 information communication technology (ICT) shutdowns ordered by local authorities, some lasting several months in Jammu and Kashmir, as per the Freedom on the Net 2017 report.

“Platforms like Facebook, WhatsApp, Twitter and the like are different from each other. This makes it difficult to set common standards for all organizations and to compare them fairly,” Smeets said.

“It is especially difficult for highly compartmentalised platforms like WhatsApp to deal with fake news, compared to a more public forum like Facebook,” he said.

For more details visit https://cis-india.org/internet-governance/news/et-tech-nilesh-christopher-march-7-2018-is-there-a-case-for-penalizing-fake-news

Roundtable on A.I. and Governance in India

pranav — 2018-04-20T07:41:21Z

The Centre for Internet and Society (CIS), Bangalore is organizing a roundtable on ‘A.I. and Governance in India' at India Islamic Cultural Centre in New Delhi on March 16, 2018 from 10.00 a.m. to 1.30 p.m.

Download the Event Report

The Roundtable seeks to discuss the various issues and challenges surrounding the design, development and use of AI in Governance (including law enforcement and legal institutions).

In line with the changing times, the government, as well as its agencies, have started using technology and digitization to make governance more efficient and accessible. For example,through its flagship project Digital India, the Indian government has undertaken digitization and revamping of systems related to railways, land records, educational resource etc. As the government pursues its digital agenda, artificial intelligence can be a tool for efficiency and decision making. To realize the potential of AI, a clear understanding of the technology and how it can and should be used is necessary. The first step towards a robust AI policy is a sound Information and Communication Technology (ICT) policy that lays the edifice for algorithmic decision making using AI.

Though the adoption of AI in the public sector is still in its nascent stages, the government of India is taking various steps to increase the scale of adoption. The Union Ministry of Commerce and Industry has constituted a task force on AI to facilitate India's economic transformation. This year’s Union Budget also recognised the need for government investment in research, training and skill development in robotics, AI, digital manufacturing, Big Data intelligence and Quantum communications. Though the adoption of AI in the public sector is still in its nascent stages, the government of India is taking various steps to increase the scale of adoption. The Union Ministry of Commerce and Industry has constituted a task force on AI to facilitate India's economic transformation. This year’s Union Budget also recognised the need for government investment in research, training and skill development in robotics, AI, digital manufacturing, Big Data intelligence and Quantum communications.

Our research on the application of AI in Indian governance aims to examine five broad sectors of application: law enforcement, discharge of governmental functions, defense,judicial/administrative decision making, and education. A few of the existing government research initiatives identified by CIS include the Center for Artificial Intelligence and Robotics (CAIR) hosted by the Indian Defense Research and Development Organization which focuses on research and development of ICT solutions for defense, and the Ministry of Finance’s use of geospatial analytics for their economic survey on human settlements. There are already instances where government bodies are using AI, an example being the case of the Indian Police force, which is revamping its investigation procedures by using Big Data and Artificial Intelligence. The Delhi police has already started using data and analytics to control crime. In the field of agriculture too, the Indian government has partnered with Microsoft to use AI to improve crop production.

While AI can aid governance in numerous ways, there needs to be a system of checks and balances in order to ensure effectiveness, transparency, and accountability. Hence,governance mechanisms must be able to ensure inclusiveness, while minimising the risks that might arise with the use of the technology. Experts have also predicted that, as the government incorporates AI into specific areas of governance- such as service delivery, it will simultaneously need to incorporate it into broader policy structures such as cyber security and the national education framework.

The process of designing a governance ecosystem is a complex one, and AI poses several pre-existing ethical and legal for each application within this ecosystem. The effectiveness ofAI and Machine learning inherently depends on the availability of data, and it is predicted that the most imminent challenge will also involve the same, especially as India becomesincreasingly data dense and the government is entrusted with its citizens’ data. These challenges could range from the collection, storage, and use of data, to having to answerquestions of fairness, safety, and prevention of misuse. This roundtable seeks to deliberate on these questions and more so as to understand how to optimise the use of AI ingovernance for the public interest. In doing so, the roundtable will use preliminary research that CIS has undertaken into the use of AI and governance in India as an entry point into broader discussions on the challenges and benefits and way forward for AI.

Agenda

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-a-i-and-governance-in-india

CIS ranks amongst top think tanks for public policy in the region

Admin — 2018-03-02T12:56:27Z

Think Tanks and Civil Societies Program features Centre for Internet & Society in its annual report.

The Centre for Internet and Society (CIS) ranks amongst the top public policy think tanks for 2017 in the region, according to an annual report compiled by the Think Tanks and Civil Societies Program (TTCSP). The TTCSP, a think tank at the University of Pennsylvania, maps the role and evolution of public policy think tanks in governments and civil society across the world with the objective to better integrate and create a bridge between academic knowledge and powerful institutions.

Released on 31 January 2018, the report assesses think tanks based on a range of criteria, including outreach, academic rigor, management, and impact on policy and civil society. The rankings are compiled using a participatory approach that calls upon over 6000 think tanks across the world to submit nominations for both participating organizations and the expert panel of judges.

CIS, which undertakes interdisciplinary research on digital spaces and technologies in India, ranks 81st among 90 think tanks for China, India, Korea and Japan, the dominant players in the region. The rankings also include 28 other Indian organizations, including the Observer Research Foundation (ORF), Centre for Civil Society (CCS) and Delhi Policy Group (DPG), from 293 involved in public policy in India. The report, released annually for over a decade, is part of a campaign by the TTCSP to increase the public visibility and performance of public policy think tanks globally and strengthen cross-regional collaboration.

For more details visit https://cis-india.org/internet-governance/news/cis-ranks-amongst-top-think-tanks-for-public-policy-in-the-region

Data Privacy Forum

Admin — 2018-03-01T01:31:56Z

Amber Sinha took part in the Data Privacy Forum organized by the Asian Business Law Institute on February 7, 2018. The forum was held at the Supreme Court of Singapore.

The forum was organised to discuss the findings of a compendium of country reports on cross border data flow regulations in countries from Asia and Australia, and the way forward. The forum had attendance from 18 countries and had about 90 participants. Elonnai Hickok and Amber Sinha were the reporters for India. Amber was a speaker on the first panel on “Adoption and reform of data protection laws in Asia: how legal systems adapt to global developments and regulatory competition”.

Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-forum

Quantified identities as a global phenomenon: analyzing the impact of biometric systems in our societies

Admin — 2018-03-01T00:56:20Z

A session by Amber Sinha and Leandro Ucciferri of ADC, Argentina at the Internet Freedom Festival to be held in Valencia, Spain in March has been selected. Amber Sinha will make a presentation.

In the last decade, societies all around the world have seen an exponential growth in the implementation of biometric identification systems, used from the most complex to the most mundane activities that we perform in our daily lives. The research work being carried out by ADC in Argentina, and more broadly in Latin America, allowed us to reach certain observations: In general, public policies related to the use of these types of technologies are carried out with little or no transparency vis-à-vis society; the lack of precise information, which varies country to country, about the technologies and mechanisms being used for the collection, analysis and storage of the biometric data, and the use cases behind such technologies (e.g. the purpose of the data, who will have access to it, if it will be shared and transferred between different public or private bodies); and finally the lack of sufficient legal frameworks to guarantee an adequate treatment of the biometric data collected, both by the State and the private sector.

Additionally, the research by CIS in India and other jurisdictions in Asia shows that biometric identification systems are being portrayed as critical to the use of online services such as e-governance or e-commerce platforms, and facilitates the generation of enormous amounts of transactional data. In India, the biometric identity is envisioned as a ‘cradle to grave’ identity. This unique identifier is key to the integration of different government and private sector databases and poses serious risks of profiling, function creep, lack of accountability and regulation by code.

With this session we aim to address some of the more pressing issues regarding the implementation of biometric technologies in our societies, specifically: a) Threats to bodily integrity and dignity: how biometrics reduce an individual to a number represented through a biometric sequence. b) Irreversible damages in case of breach: unlike passwords, biometrics –such as our fingerprints, our faces, iris or voice– cannot be changed; so once compromised, the damage is irreversible. c) Are biometrics appropriate forms of identifiers? How can we answer questions around uniqueness, discrimination and bias, resolving false positives and false negatives, as well as the change of biometrics over time (e.g. age or medical conditions that may affect our bodies). d) How biometrics are changing our perception of public spaces, specially due to technologies such as facial recognition? e) How are biometric based identification systems reconfiguring the relationship between citizen and state? Together with CIS, we will give a brief overview of the current trends in Latin America and Asia, in order to set the context of the conversation and then allow participants to freely express their own personal/professional expertise to learn about their concerns and experiences in terms of how biometric technologies have affected their day to day lives.

For more info, click here

For more details visit https://cis-india.org/internet-governance/news/quantified-identities-as-a-global-phenomenon-analyzing-the-impact-of-biometric-systems-in-our-societies

Beyond Scale: How to make your digital development program sustainable

Admin — 2018-02-26T14:23:26Z

A dissemination workshop was organized by BBC Media Action, with support from the Digital Impact Alliance and the Bill & Melinda Gates Foundation on February 21, 2018 in Bangalore. Sunil Abraham participated in the workshop.

Agenda

9.00 to 9.45

Registration and coffee

9.50 to 10.05

Introduction to ‘Beyond Scale’, Kate Willson, CEO, Digital Impact Alliance

10.15 to 11.15

‘Surviving the Valley of Death’, panel discussion with:

Rahul Mullick, ICT lead, Bill & Melinda Gates Foundation, India,
Nehal Sanghavi, Senior Advisor for Innovation and Partnership, USAID, India
Kate Wilson, CEO, Digital Impact Alliance
Priyanka Dutt, Country Director, BBC Media Action

Moderated by Sara Chamberlain, Digital Director, BBC Media Action

11.15 to 11.30

Tea/coffee break

11.30 to 11.45

Introduction to the table workshop sessions

11.45 to 1.00

Each table works to identify solutions to some of the digital development sector’s most pressing challenges in the areas of organizational change management, regulatory compliance, legal protection and risk, public sector adoption, private sector business models, solution design, technical architecture for scale, partnerships and human capacity.

1 PM to 2.00

Lunch

2.00 to 2.30

Each table finalizes its presentation.

3.00 to 4.15

Presentations, Q&A and discussion of each table’s group work

4.15

Tea/coffee will be served at the tables

4.30 to 4.45

Introduction to the ‘Expert Bar’

4.45 to 6.00

There will be one or more ‘experts’ in specific focus areas of the guide seated at each table. Participants are free to visit the tables that interest them to discuss their challenges and share their own expertise.

6.00 – 9.00

Networking reception with open bar and snacks

For more details visit https://cis-india.org/internet-governance/news/beyond-scale-how-to-make-your-digital-development-program-sustainable

From 1 March, only registered devices to be used to authenticate Aadhaar

Admin — 2018-02-24T07:59:39Z

UIDAI directive to Aadhaar authentication agencies aims to avoid putting citizens’ biometric data at risk

The article by Komal Gupta was published in Livemint on February 8, 2018.

The Unique Identification Authority of India (UIDAI) has directed all Aadhaar authentication agencies to use only registered biometric devices from 1 March to avoid putting residents’ data at risk.

The initial deadline to upgrade these devices was 1 June 2017, but it has been extended several times. The latest is the sixth extension.

The UIDAI wants the biometric devices registered with the Aadhaar system for encryption key management. The Aadhaar authentication server can individually identify and validate these devices and manage encryption keys on each registered device.

“It is reiterated that to ensure encryption of biometrics of residents at time of capture, it is absolutely essential to use only the registered devices. Any further use of non-registered devices will be putting residents’ privacy at risk,” a UIDAI circular dated 2 February said.

In January last year, UIDAI had instructed all the authentication user agencies (AUAs) and authentication service agencies (ASAs) to adhere to its new encryption standards and accordingly upgrade the devices to the new norms.

The AUA is an entity engaged in providing Aadhaar-enabled services. It may be a government, public or a private legal agency registered in India which uses Aadhaar authentication services provided by UIDAI.

The ASA is any entity that transmits authentication requests to the Central Identities Data Repository (CIDR) on behalf of one or more AUAs.

Requests from AUAs to extend the timeline has been cited as the reason for delay by UIDAI. The last deadline was 31 January.

Still, UIDAI claims most of the entities have migrated to registered devices and “no further extension will be given in this regard.” Failure to meet the February-end deadline will lead to loss or disruption of services, the circular added.

A privacy expert called for better security in the Aadhaar system.

“The UIDAI should have gone in for smart cards, which are inherently more secure and would have proven a better basis for a national ID system. Given its choice of biometrics, UIDAI should have required hardware-level encryption — the yet-to-be-specified (Level 1) security standard— from 2010,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

“Making the much-delayed Level 1 mandatory is what UIDAI should be focusing on; sadly, even basic registration and easily-defeated software-level encryption (Level 0) is yet to be made mandatory,” he said.

UIDAI has been under the scanner over the past few months over charges that random entities have been accessing personal information without the consent of individual Aadhaar number holders.

Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.
There are more than 1.2 billion Aadhaar holders in the country.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar

Critics of India's ID card project say they have been harassed, put under surveillance

Admin — 2018-02-24T07:50:55Z

Researchers and journalists who have identified loopholes in India’s massive national identity card project have said they have been slapped with criminal cases or harassed by government agencies because of their work.

This was published by Reuters on February 13, 2018. Reporting by Rahul Bhatia; Editing by Raju Gopalakrishnan

Last month, the Unique Identification Authority of India (UIDAI), the semi-government body responsible for the national identity project, called Aadhaar, or “Basis”, filed a criminal case against the Tribune newspaper for publishing a story that said access to the card’s database could be bought for 500 rupees ($7.82).

Reuters spoke to eight additional researchers, activists and journalists who have complained of being harassed after writing about Aadhaar. They said UIDAI and other government agencies were extremely sensitive to criticism of the Aadhaar programme.

Aadhaar is a biometric identification card that is becoming integral to the digitisation of India’s economy, with over 1.1 billion users and the world’s biggest database.

Indians have been asked to furnish their Aadhaar numbers for a host of transactions including accessing bank accounts, paying taxes, receiving subsidies, acquiring a mobile number, settling a property deal and registering a marriage.

The Tribune said one of its reporters purchased access to a portal that could provide data linked to any Aadhaar cardholder.

The UIDAI complaint, filed with the police cyber cell in the capital, New Delhi, accused the newspaper, the reporter, and others of cheating by impersonation, forgery and unauthorised access to a computer network.

Media associations sharply criticised the action - the Editors Guild of India said UIDAI’s move was “clearly meant to browbeat a journalist whose story was of great public interest. It is unfair, unjustified and a direct attack on the freedom of the press.”

In response, the agency said “an impression was being created in media that UIDAI is targeting the media or whistleblowers or shooting the messenger.”

“That is not at all true. It is for the act of unauthorised access, criminal proceedings have been launched,” it said in a statement.

Osama Manzar, the director of the Digital Empowerment Foundation, a New Delhi-based NGO, called the government’s prickliness “a clear sign that rather than it wanting to learn how to make Aadhaar a tool of empowerment, it actually wants to use it as a coercive tool of disempowerment”.

Data Leakage

Last May, the Centre for Internet and Society (CIS), an independent Indian advocacy group, published a report that government websites had inadvertently leaked several million identification numbers from the project.

UIDAI sent the CIS a legal notice within days, said Srinivas Kodali, one of the authors of the report.

The notice alleged that some of the data cited in the report would only be available if the site had been accessed illegally. The UIDAI wrote that the people involved had to be “brought to justice.”

According to Kodali, two more notices followed, addressed to the group’s directors and two researchers, containing more accusations. “They said it was a criminal conspiracy, and demanded that we send individual responses,” he said.

CIS then received questions about its funding from the home ministry section that grants NGOs permission to receive foreign funding, said a source in the group who saw the letter. CIS viewed this as a threat to its funding, the source said. CIS declined to comment on the notices or on the questions about funding.

UIDAI did not reply to multiple e-mails seeking comment on the accusations about CIS and similar complaints by other activists and journalists, and officials could not be reached by phone. Officials at the Ministry of Information Technology that supervises UIDAI were unreachable by phone.
In a column in the Economic Times newspaper in January, Ajay Pandey, the head of the UIDAI, wrote: “The data of all Aadhaar holders is safe and secure. One should not believe rumours or claims made on its so-called ‘breach’.”

R.S. Sharma, the head of India’s telecom regulatory body, said there was an “orchestrated campaign” against Aadhaar as it was against the interests of those who operated in the shadow economy with fictitious names, or were skimming off subsidies.

“It is going to clean up many systems,” Sharma told a television channel last month. “That’s probably one of the reasons why people realise that this is now becoming too difficult or too dangerous for them.”

That trip to Turkey

A Bangalore researcher who contributed to the CIS report said scrutiny by police and government officials was a common occurrence, but harassment was stepped up after it was published.

“Sometimes people from the police station visit you. Other times from the Home Ministry. It was intimidating,” the researcher said.

The person, who asked not to be named for fear of reprisal, said police officers asked questions like “How was that trip to Turkey?',” to make it clear the subjects were under surveillance.

When Sameer Kochhar, a social scientist and author of books on Aadhaar, demonstrated how the system’s biometrics safeguards could be bypassed last year, UIDAI filed a police report in New Delhi, a person familiar with the matter said.

Subsequently, Kochhar received at least three notices from the Delhi Police alleging that he had violated 14 sections under three separate laws, the person said.

Kochhar’s lawyer declined comment. Delhi Police officials declined comment.

Critics have warned Aadhaar could be used as an instrument of state surveillance while data security and privacy regulations are still to be framed.

Former central bank governor Raghuram Rajan said last month that the government needed to prove it would protect the privacy of Aadhaar.

“I do think that we have to assure the public that their data is safe,” Rajan said. “All these reports about easy availability of data are worrying and we have to ensure security. We cannot just say trust us, trust us, it’s all secure.”

For more details visit https://cis-india.org/internet-governance/news/reuters-february-13-2018-rahul-bhatia-critics-of-indias-id-card-project-say-they-have-been-harassed-put-under-surveillance

The mystery of the website which published the ‘scoop’ on BJP’s Ram Madhav

Admin — 2018-02-22T14:55:33Z

The website has since been taken down, but the identity of its creators may not be very easy to find.

The blog post by Kaveesha Kohli and Talha Ashraf was published in The Print on February 13, 2018.

The BJP filed a criminal complaint Sunday against a website after it published a report about an alleged video said to show the party’s national general secretary Ram Madhav in a ‘compromising position’. However, the site no longer exists and experts say it may be difficult to find out who was behind the ‘expose’.

Congress MP from Assam, Sushmita Dev, was among those who shared the website’s report, which claimed that the senior BJP functionary and in-charge of the party’s north-east affairs, was allegedly caught in a hotel.

But soon after the Nagaland unit of the BJP vehemently denounced it as “fictitious report” and filed an FIR, the website ceased to exist. In its complaint, the BJP said the “news report is totally false and it seeks to character assassinate Ram Madhav and sabotage the election campaign of the BJP”.

However, the screenshot of the article continues to be shared on social media.

Registration details of thenewsjoint.com (now defunct) taken from The Internet Corporation for Assigned Names and Numbers (ICANN) that manages domain names says the site was created and registered on 2 January 2018. The site’s expiry date is 2 January 2019.

Since its creation, the site has published multiple stories, most of which have been published in the last two weeks.

“If we look through Google cache, it has published multiple stories about budget aftershocks, Sensex falls by record, Modi Sarkar shuts bamboo budget, etc,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

Anyone could have published the website with the domain name The News Joint, said Madhulika Srikuamar, Junior Fellow, Cyber Initiative, Observer Research Foundation.

“The buyer, for an additional fee, can opt to keep her details private and not reveal her identity online,” she said.

The domain name thenewsjoint.com is registered through a private organisation named DomainsByProxy.com. The use of the private organisation is to maintain secrecy and makes it easy to hide the owner’s actual name and address. So how can it be traced?

“In order to track the original owners of the domain name, the police will have to take the court order and ask DomainsByProxy to hand over the name and IP address of the persons who registered themselves,” said Prakash.

And there’s no way to regulate against such sites as well.

“While there are no specific domestic regulations that govern the registration, sale and purchase of domain names, most restrictions on domain name registration stem from intellectual property protections,” said Srikumar.

In this particular case, it remains unclear whether the website was taken down because of the article on Madhav.

Prakash says it is important to verify whether The News Joint was created to peddle false news, or was pretending to be a genuine news website.

“It can be compared to the broader news environment in India where very mainstream newspapers, especially their Web desks, very often end up publishing news without any regard for journalistic ethics, without verification of the facts,” he said.

For more details visit https://cis-india.org/internet-governance/news/the-print-kaveesha-kohli-and-talha-ashraf-the-vanishing-act-scoop-on-bjp-ram-madhav