We are anonymous, we are legion

Aadhaar verification at airports raises need for stricter data privacy regulations

Admin — 2017-11-27T13:34:35Z

The absence of legislation is letting companies compile and deploy sensitive personal information without legal oversight.

The article by Aman Sethi was published in the Hindustan Times on November 27, 2017

When Suvodeep Das, a 42-year-old marketing professional, took a Jet airways flight from Hyderabad to Mumbai in September, he said a software bug in the airline’s website wouldn’t let him check in online without first punching in his Aadhaar number.

“When I got my boarding pass, it had my Aadhaar number printed on it,” Das told HT, wondering, “Why do you need an Aadhaar number to take a flight, and why display it publicly?”

In October, another passenger found their Aadhaar number on the boarding pass: this time, it was barcoded.

HT has reviewed both boarding passes. Publishing Aadhaar numbers is an offence under the Aadhaar Act 2016.

Jet Airways did not respond to repeated requests for comment. Speaking off the record, airline executives said Jet encoded Aadhaar numbers to test the proposed Aadhaar Enabled Entry and Biometric Boarding System (AEEBBS): a complex Aadhaar-seeding project that aims to replace a passenger’s boarding pass with his/her fingerprint.

Bangalore International Airport (BIAL), which plans to install AEEBBS, says it will improve passenger security and reduce check-in time at the Kempegowda International, India’s third busiest airport.

Privacy advocates, however, say the system, which stores passenger biometrics and Aadhaar numbers on the servers of a private corporation, is an example of how the absence of a data protection law in India lets companies compile and deploy sensitive personal information without legal oversight.

Future uses of the AEEBBS, according to the BIAL website, include integrating the system with passenger blacklists, typically maintained by the ministry of home affairs, to determine who can and cannot board a flight.

“The unregulated proliferation of Aadhaar uses is compromising the digital identities of citizens and putting them at risk,” said Usha Ramanathan, a legal theorist who has written extensively on Aadhaar. ”There is a misconception that data protection is about data being at risk. It is actually about the rights of people being at risk.”

Pilot Project

In January, Bangalore International Airport Ltd (BIAL), the corporation that runs the Bengaluru terminal, and Jet Airways integrated their flight and passenger databases as part of a four-month pilot project to test the AEEBS.

“The pilot project incorporated the entire airport journey from entry right through to the boarding gate and included all security check points,” a BIAL spokesperson said in an email. “The project allowed for quicker processing time for a passenger from entry to security gate while simultaneously enabling fewer points of human interaction.”

Participation in the project was voluntary. BIAL said about 15% of passengers opted to use it. In October, BIAL called for bids for a full roll-out of the AEEBBS by December 2018.

The system, tender documents reveal, works in the following way:

First passengers enter their Aadhaar numbers when they book their flights. The airline turns this number into a QR code printed on the flight ticket. Once at the terminal, passengers bypass the standard practice of showing their ticket and ID to a security guard, and instead they enter the terminal by flashing the ticket at a QR code scanner while pressing their fingers against a biometric reader installed at the entrance.

The AEEBBS verifies the passenger’s identity by querying the UIDAI’s database, and then checks the airport’s flight information system to see if the passenger is booked to fly that day.

Thereafter, the system creates a “passenger dataset” that bundles the passenger’s biometrics and flight information into a single file unique to each passenger. This dataset is used to verify the identity of the passenger at each checkpoint, allowing the airport to track the passenger until she boards her plane.

The tender document states that the biometric data should be purged immediately after the passenger’s flight departs. If flights are rescheduled, the biometrics shall persist until the passenger finally departs.

Concerns over Bengaluru airport’s use of Aadhaar

The Aadhaar-Enabled Entry and Biometric Boarding System (AEEBBS) aims to replace boarding cards with a passenger’s fingerprint. Here is how it works.

Why Biometrics?

Bengaluru isn’t the only airport experimenting with systems like the AEEBBS.

“We have initiated trials on facial recognition, iris and finger-print scanning etc., to generate Aadhaar + Biometric enabled passenger data-sets,” said a spokesperson for the GMR Hyderabad International Airport. “We hope to complete these trials in the next two months and deploy them by June 2018 for all domestic passengers.”

Yet biometrics isn’t a fool-proof way of verifying someone’s identity. Biometric experts have maintained that fingerprints can be copied and printed onto “fake fingers” — a process known as spoofing.

At Michigan State University, biometric expert Anil Jain and his team have developed so-called fake fingers using 12 different materials, the most sophisticated of which mimics the physical properties of human skin.

“Many of the commercial systems may not have state-of-the-art spoof detection facilities,” Jain said, adding that he has advised the UIDAI on biometrics in the past.

Jain said it was important that a secured space like an airport have biometric readers that include “liveness” detection, a term that refers to a broad set of techniques that use a combination of advanced hardware and software to avoid spoof attacks.

However, it is not mandatory for UIDAI-certified biometric devices to have liveness detection features. Documents published by Standardisation Testing and Quality Certification (STQC), the agency tasked with certifying Aadhaar devices, make clear that “liveness detection” is “preferable” but not mandatory.

Some manufacturers of certified devices say their devices have liveness detection, but STQC does not include this specific feature in its testing.

Prof Jain said biometrics are harder to forge than the identity cards that are currently needed to gain access to airport terminals, suggesting that the AEEBBS could increase security only if the data that undergirds the system is properly secured.

Storage Concerns

Under regulations framed by the Unique Identification Authority of India (UIDAI), it is illegal to store biometric data captured for any Aadhaar-related transaction.

Also, UIDAI-certified biometric devices are prohibited from storing biometric data which casts a cloud over BIAL’s proposal to create passenger datasets to merge passenger flight data, biometric data and Aadhaar numbers, and store it on a local BIAL network.

While UIDAI did not respond to requests for comment on if these passenger data sets violated its regulations, BIAL said it would work around the system by capturing passenger biometric data twice — once to verify passenger identities in accordance with UIDAI regulations, and once for the purpose of creating the passenger data set.

“Our intent is to capture data and store a separate set of biometrics records (delinked from Aadhaar) that include face/iris/fingerprints for the purpose of authentication of passenger at various check points inside the airport,” the spokesperson said.

Some experts believe this may not be enough.

“The Aadhaar Act and Regulations are supposed to ensure that our biometric records are safe, and entities capturing biometrics for Aadhaar-related purposes cannot store the biometrics,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“If biometrics collected doesn’t need to follow the Aadhaar regulations because of a technicality, how strong are the regulations?” Prakash said.

Last year, 22.18 million passengers travelled through Bengaluru airport. Once the AEEBBS is installed, the airport’s servers shall become a temporary repository of millions of fingerprints, and a lucrative target for sophisticated hackers who could capture this data by implanting malicious software in the system.

Such software has become easier to access since August 2016, when a group calling itself the “Shadow Brokers” announced it had stolen some of the world’s most advanced cyber-weapons from the vaults of the Tailored Access Operations unit of National Security Agency, which manages the cyber-arsenal of the United States of America.

Designing the system to minimise the use of biometrics could alleviate these concerns, according to Rahul Matthan, a partner at law firm Trilegal.

“If data minimisation is the principle that we keep on top of mind, Aadhaar should be used to allow entry,” Matthan said, “Then the airport must devise other methods and standards to ensure that security and passenger tracking is achieved.”

Safeguarding Aadhaar Numbers

The AEEBBS also raises questions on the manner in which airlines and airports will store non-biometric data like passenger Aadhaar numbers. UIDAI regulations published in July 2017 say companies and government departments must store Aadhaar numbers in secure, isolated, databases called ‘Aadhaar Data Vaults’.

Each Aadhaar number in these vaults must be associated with a “reference key” — which is like a nick-name for the Aadhaar number. So instead of using a citizen’s Aadhaar number for a given transaction, businesses must preserve the confidentiality of the number by using the reference key instead.

Jet Airway’s decision to print Aadhaar numbers, rather than the reference keys, on the boarding passes, suggests that the airline is not following UIDAI guidelines — a problem that is likely to multiply as more airlines start gathering this information to avail of the AEEBBS facility. Jet Airways did not respond to requests for comment.

Once the AEEBBS is in place, BIAL also intends to use passenger data, harvested during check-in and boarding, for commercial purposes, but it is unclear if and how this data will be anonymised before it is used.

“We aim to make meaning of the abundant data that will be collected,” the BIAL spokesperson said, insisting that the airport would respect traveller privacy and the data would not be sold to third parties. “In due course — and with passenger consent — we intend to use business intelligence to make the journey more impactful.”

For lawyer Matthan, the AEEBBS is an example of why India needs a comprehensive data protection law to address issues between citizens and private corporations.

“There is a need to ensure that Aadhaar is based on a sound framework of privacy protection,” he said, noting that the recent Supreme Court judgment protected citizen privacy against infringement by the government.

Data protection legislation, he said, would ensure that private corporations are held to the same standard.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aman-sethi-november-27-2017-aadhaar-verification-at-airports-raises-need-for-stricter-data-privacy-regulations

FCC’s plan to repeal net neutrality may not impact India

Admin — 2017-11-26T11:43:59Z

India is unlikely to be impacted by the US Federal Communications Commission’s plan to repeal net neutrality regulations.

The article by Surabhi Agarwal was published in the Economic Times on November 23, 2017. Sunil Abraham quoted.

India adopted a pro-net neutrality stand by taking a tough call against zero-rated plans such as Facebook’s Free Basics and Airtel Zero last year. According to experts, the Indian telecom regulator showed great courage and conviction by battling any type of preferential treatment of internet websites. This was even after a massive campaign by Facebook in support of its Free Basics programme, which promised access to a few basic services free of cost through partnerships with selected telecom service providers.

“Our regulator now thinks of itself as a forerunner in this space, so we doubt they are going to be influenced by the American move,” said Sunil Abraham, Executive Director of the Centre for Internet and Society in Bengaluru. He called the proposal to withdraw the President Barack Obama era regulations “incredible” since they took almost a decade and lots of debate to be framed. Abraham said there is no evidence to suggest that India copies what the US does and there is a long way to go before the new regulations come in.

“The FCC is just one actor in this game — there are the Congress and the courts along with the Federal Trade Commission,” said Abraham, adding that the proposal is likely to be challenged at multiple levels. “I’m proposing to repeal the heavy-handed Internet regulations imposed by the Obama Administration and to return to the light-touch framework under which the Internet developed and thrived before 2015,” FCC chief Ajit Pai, who worked for Verizon Communications earlier, tweeted on Tuesday. The plan shared by Pai will be put to vote on December 14. Experts expect the plan to go through, given the Republican majority in the FCC and they fear it will allow internet service providers like Verizon, AT&T and Comcast to give preference to some sites and apps in return for a fee or for their own business interests.

“If it goes through, it will take control away from the user and companies will be free to make fast lanes and favour the content they like and play the gatekeepers,” said Mishi Choudhary, president at Software Freedom Law Centre.

She said the conversation has once again moved the power back to internet service providers, which will hurt small companies on the pretext of innovation and getting away from micro managing. “It is certainly not bolstering the position of the US as a leader for free and open internet,” added Choudhary. Streaming service Netflix tweeted in response saying that it supports strong net neutrality and opposes the FCC’s proposal.

The Telecom Regulatory Authority of India (Trai) fought a tough battle in 2016 against plans that promised select internet services to poor people by offering them free of cost. The regulator issued differential pricing regulations by which it banned what’s known as zerorating plans. “Trai showed immense foresight by releasing the rules and this is a good opportunity for India to occupy the vacuum of leadership in this space by providing the right regulatory environment,” said Choudhary.

For more details visit https://cis-india.org/internet-governance/news/economic-times-surabhi-agarwal-november-23-2017-fcc-plan-to-repeal-net-neutrality-may-not-impact-india

India Today Conclave Next 2017: Aadhaar was rushed, says MP Rajeev Chandrashekhar

praskrishna — 2017-11-26T06:41:07Z

Talking at the ongoing India Today Conclave Next 2017, MP Rajeev Chandrashekhar said that Aadhaar was rushed and foisted on the country by authorities that fail to first create a proper ecosystem. Chandrashekhar gave his comments at a keynote titled Privacy -- The Fundamental Right for the Digital Citizen.

The article by Priya Pathak was published by India Today on November 8, 2017.

Chandrashekhar, who has been vocal on the issues like data protection, privacy and net neutrality, said that the government should have created a proper ecosystem for Aadhaar by bringing norms and laws around data protection and privacy before asking people to sign up for the unique ID.

The MP talked about India's journey from being a largest unconnected world to becoming the largest connected world. But Chandrashekhar criticised the "flawed" Aadhaar and said that it was a classic example of how a government system would push for technology in governance without addressing key bits of the ecosystem around the citizen and the consumer.

"If that (Aadhaar) wasn't enough, the IT act and section 66A and its language and its vagueness and its potential for misuse was another example of the faults of a bureaucracy or a political system trying to legislate or create solutions in the digital world, " he said.

At the same time, he lauded the recent Supreme Court order that held all Indians had fundamental right to privacy. "The latest finding of Supreme Court of Privacy as fundamental right is a big deal and it will alter number of things going forward," he said. He added that there should be more debate and discussion on data privacy as there is an attempt to characterise data privacy as some of kind of elitist issue in India which it's not.

Privacy, especially for the digital world, currently is one of the most debated topics in India. The country in the past few years has seen a number of instances where a government or a private entity has knowingly or unknowingly compromised the data of its users. Recently a study published by Centre for Internet and Society, a Bengaluru-based organisation, revealed that private data of more 130 million Aadhaar card holders were leaked from four government websites.

The Supreme Court in August this year declared privacy as a fundamental right. A nine-judge Constitution bench headed by Chief Justice J S Khehar has declared that "right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution".

The move has been praised by many including Rajeev Chadrashekhar who has said that it is a big welcome step. "It is clear that Aadhaar and all other legislations existing and proposed will have to meet the test of privacy being a fundamental right," he recently said.

For more details visit https://cis-india.org/internet-governance/news/india-today-priya-pathak-november-8-2017-india-today-conclave-next-2017-aadhaar-was-rushed-says-mp-rajeev-chandrashekhar

What You Need To Worry About Before Linking Your Mobile Number With Aadhaar

Admin — 2017-11-26T05:55:49Z

As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.

The blog post by Roopa Raju and Shekhar Rai was published in Youth Ki Awaaz on November 8, 2017

The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of Lokniti Foundation vs Union of India. The petitioner contended that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for ensuring 100% verification on the identity of telecom service subscribers in public interest under Article 32 of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under Article 21 of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of 4.59 crore mobile users still remained unverified.

Article 21 of the Constitution of India, 1949, states that – “No person shall be deprived of his life or personal liberty except according to procedure established by law.” While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.

In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of over 130 million Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.

On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also strongly opposed the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court questioned the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.

As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base dipped by 1.3 lakh to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.

Month	Telephone subscriber base (in million)	Growth rate
Mar-17	1194.58	–
Apr-17	1198.89	0.36%
May-17	1204.98	0.51%
Jun-17	1210.84	0.49%
Jul-17	1210.71	-0.01%

(Source: TRAI monthly subscription data)

The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).

Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.

With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.

However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.

The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.

While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.

For more details visit https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar

OPINION | Data is New Oil and Human Mind the New Battlefield. India Must Wake Up Now

Admin — 2017-11-26T03:28:55Z

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

The article by Lt. General (Retd.) D. S. Hooda was published by News18.com on November 11, 2017

A few days ago, the Army Headquarters took out a public advisory warning about a “deliberate misinformation campaign being launched by vested interests some of which is being initiated from countries bordering our nation.” This is an acknowledgment of the use of social media for what is today considered the most dominant form of warfare — ‘information warfare’. It has been extensively used by our adversaries in Jammu and Kashmir to show the government and security forces in poor light.

Deception, propaganda and misinformation have always been a part of warfare but what is different today is that the tools of information warfare have acquired a new dimension. An integration of massive amounts of data with Artificial Intelligence (AI) has given a significant weapon in the hands of information warriors.

The cost of saving data has been plummeting, with the cost being halved about every 15 months. Now more and more data about individuals is being saved, both by corporations and governments. In his book, Data and Goliath, Bruce Schneier writes that worldwide, Google has the capacity to store 15 exabytes of data. To put it in context, one exabyte is 500 billion pages of text. Bruce also quotes the case of Max Schrems, an Austrian law student, who in 2011 demanded all his personal data from Facebook. After a two year legal battle, Facebook gave him a CD with 1200 pages of PDF. This is how much Facebook knows about you, and it does not forget because it is all saved.

All this big data would be useless unless it can be utilised for decision making and this is where advances in AI have provided the breakthrough. Smart machines mine the data and detect trends, patterns, habits, ideology and desires. These personal characteristics of individuals are being used by corporations to send targeted advertisements to influence commercial decisions.

The same technique is used in information warfare. On November 1, the US House Intelligence Committee released Facebook advertisements bought by Russian operatives to influence the 2016 elections. Washington Post wrote, “The ads made visceral appeals to voters concerned about illegal immigration...African American political activism, rising prominence of Muslims” among other issues. Senator Angus King said, “The strategy is to take a crack in our society and turn it into a chasm.”

Data is the new oil and that is exactly how it is being traded and sold. In the absence of any legal provisions, companies and ‘data brokers’ are sharing and selling personal data. Can this personal data find its way to a hostile government? Last month, the US Army brought out that their troops in the Baltic had reported instances of cell phone hacking. However, more worrisome was the fact the hackers knew personal details of the soldiers. Direct threats against family members of the military can have a negative psychological impact during conflict.

India has its share of political, social and ethnic differences, just as in many societies. In recent times these differences have been magnified as nationalism has taken centre stage. It is difficult to imagine why these fault lines will not be exploited by inimical forces as India enters the election mode in 2018. Looking at examples from the US and French elections, Brexit and the cyber battle during the Catalonia referendum, I think we have no option but to be prepared.

The preparation for this war (and I do not use this word lightly) lies in three spheres — concepts, practices and structures.

Conceptually, our current shortcoming is that we are viewing this issue through a technical prism rather than the broader spectrum of information warfare. CERT and NTRO can technically protect our critical infrastructure but they do not have an equal understanding of the human dimension, which is more strategic than scientific. The Americans, world leaders in information technology, have not been able to prevent a perceived subversion of their democratic process.

Our practices need to improve. The security of personal data is a major concern. The Supreme Court has declared privacy as a fundamental right, but there are no privacy laws to back it up. Even data stored in India is not safe as the owners of our data are the giant technology companies, mostly based in the US and not under our legal control. In September 2017, it was reported that Google has quietly stopped challenging most search warrants from US judges in which the data requested is stored on overseas servers.

A May 2017, report by the Centre for Internet and Society estimated that 135 million Aadhaar numbers could have been leaked from official portals. This was not due to a security breach but due to poor privacy practices.

Our continued reliance on foreign hardware and software is extremely worrisome. There was clear evidence that Cisco systems had been back-doored by the American National Security Agency but the Indian military continues to procure hardware from Cisco. There is a similar story with Chinese equipment in our telecommunication and power sectors. An attempt to introduce an Indian operating system to replace Windows in the Army has been mired in controversy.

In case of a targeted cyber attack on India, there is little we can do except issue advisories. The solutions will have to come from foreign manufactures or developers whose equipment we are using. There is an urgent need to give a fillip to developing indigenous solutions for our critical infrastructure.

And finally, structures. An organisation to execute information warfare would have to be led by the Ministry of Defence, because the threat is mainly from external players. It would be a combination of military planners, specialists from the field of intelligence, government agencies, media and cyber warfare experts. Such an organisation does not currently exist, though the raising of the Cyber Command could fill this gap.

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

(The author is former Northern Commander, Indian Army, under whose leadership India carried out surgical strikes against Pakistan in 2016. Views are personal.)

For more details visit https://cis-india.org/internet-governance/news/news-18-lt-general-retd-ds-hooda-data-is-new-oil-and-human-mind-the-new-battlefield-india-must-wake-up-now

BIS International Seminar on Internet of Things

Admin — 2017-11-25T16:35:42Z

To create awareness among Indian community and to provide a platform to all stakeholders to discuss the technology, challenges and the way forward with an emphasis on the role of standards, BIS organized a half day International seminar on Internet of Things on 15 November 2017 at India Habitat Centre in New Delhi. Amber Sinha attended the event.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/bis-international-seminar-on-internet-of-things

Why should you keep a close eye on the net neutrality debate in the US

Admin — 2017-11-25T15:33:32Z

As the United State's FCC Chairman Ajit Pai gears up to repeal the net neutrality laws put in place in 2015, India should sit up and take note.

The blog post by Subhrojit Mallick was published by Digit on November 24, 2017.

Back in 2014, a group of Redditors started debating net neutrality in India after Airtel announced it would charge extra for Voice Over IP (VoIP) services like Skype. Soon, that snowballed into a nation-wide campaign with over a million internet users participating. Things didn’t help when Facebook too wanted to provide a bunch of internet services for free in India through its Internet.org or Free Basics initiative. However, a year-long discussion and public outrage against the two, led the Telecom Regulatory Authority of India (TRAI) to rule in favour of net neutrality and stop both Airtel and Facebook in their tracks of violating a free and open internet.

Fast forward three years down the line and America, the birthplace of the internet, is struggling with the problem of internet freedom. The Federal Communications Commission (FCC) under the Donald Trump Administration led by Chairman Ajit Pai submitted a final draft proposal yesterday to repeal the existing net neutrality laws put in force by the Obama administration in 2015. The draft proposal will be voted upon by FCC by the end of the year and considering the FCC has a Republican majority under Ajit Pai, the proposal is likely to pass.

The draft removes almost every net neutrality rule from 2015, making ISPs the gatekeepers of the internet. It states internet providers will have the freedom to implement fast and slow speed lanes, prioritise traffic and block apps and services. The only rule they have to follow -- publicly disclose when they are doing any of the things stated above.

Executive director of the Centre for Internet and Society, Sunil Abraham elaborated on what's on Pai's mind.

"Ajit Pai's ideology is pro-market. He believes the market will sort all problems out. According to Pai, the magic of competition will eliminate all the harms emerging from net neutrality violation," he said.

"Pai has said, you do what you want to do, but you have to disclose that to the public. You can block, throttle, have fast lanes, prioritise traffic, have discriminatory pricing, but you disclose them. If the customer doesn't like it, he can swith to another network. Pai believes the transparency requirements will allow the magic of the market to diminish and eliminate harm. His regulation of net neutrality is transparency," Abraham further added.

However, such a move will have drastic effects on the free flow of internet traffic. Telecom companies and ISPs can handpick services by charging customers to access some sites or by slowing down the speeds of others. For instance, ISPs can make consumers pay more to watch high-quality content on Netflix.

With net neutrality rules repealed, the internet will become a pay-to-play service. It will essentially divide the internet into fast and slow lanes. One will be a speedy service that could be priced higher and another, much slower and cheaper. While big players like Amazon, Facebook, Google, Netflix and the likes can easily pay the higher fees and stay unfettered, newcomers and smaller players will have it tough. Although, the move will lead to cuts in profits for everyone. A higher price to consumers will eat into the user base of these companies, while startups and new voices in the media will find entry and success prohibitive.

Although it’s true that no single ISP in the US has the entire market to itself and the market is indeed divided into a handful of players, they do operate in a de facto monopolised way. How? ISPs in the US have sliced up the entire country into areas such that users in a particular area have only one choice of service provider. That essentially leaves users at the mercy of whatever Comcast or Spectrum is offering (or not offering).

By putting the net neutrality rules in place in 2015, the US had ensured these ISPs won’t do anything grossly uncompetitive. The current rules make broadband in the country a public utility, same as electricity. And now, Ajit Pai-led FCC is about to repeal those very rules that kept them grounded.

Will the FCC ruling make apps and services expensive in other countries?

While Pai’s jurisdiction does not extend beyond the United States, his tirades against a free internet will most definitely have rippling effects across the world. More importantly, it will raise the cost of operations of companies like Netflix and Amazon who will have to hire legal experts and lobbyists to negotiate deals with service providers. That extra cost will be burdened on the US consumers of course, but since they have a large international presence, it is likely that the extra cost will trickle down to users outside the US as well.

And that’s not just the streaming companies. All the tech giants hail from the US and it is only logical that a rise in their costs of operation will have an impact on their global operations.

Although, if the level playing field in the US is disrupted, companies will look for greener pastures and if that means moving out of the US to other countries, it could happen.

How will FCC’s decision impact India?

While US is grappling with such a reality, Indians fought against it and won. Or did they? Last year, after Airtel and Facebook were asked to drop their plans for differential pricing, TRAI released a paper on net neutrality and differential pricing to finalise its views on the matter. The regulatory body released a 14-question long consultation paper seeking comments on internet traffic management from the public.

“Increasingly, concerns have been raised globally relating to discriminatory treatment of Internet traffic by access providers. These concerns relating to nondiscriminatory access have become the centre of a global policy debate. The purpose of this second stage of consultation is to proceed towards the formulation of final views on policy or regulatory interventions, where required, on the subject of NN,” the paper read.

“Net Neutrality being repealed in the US will hurt innovation in that country, and will lead to a consolidation of power with those Internet companies which have the money to partner with US carriers. This hurts Indian product startups, because it means that their apps may not be as easily available to users in the US. The Internet is one world, and we need the same Internet to be available everywhere, across the world: one Internet for the entire world,” Nikhil Pahwa, Co-Founder of Internet Freedom Foundation told Digit.

That means, essentially, the debate on net neutrality is not over in India. In fact, both RS Sharma, the Chairman of TRAI and FCC’s Ajit Pai agree on the need to bridge the digital divide. Both are exploring ways to keep the internet open while providing access to the unconnected. Thankfully, both differs on the approach to meet that goal.

Pai believes the internet should be left unregulated despite the “hypothetical harms” to the consumer. He thinks the current rules were put in place to avoid theoretical harms which were not based on hard evidence. Pai claims there should be evidence-based regulation of the internet.

Sharma, in contrast, disagrees on an evidence-based approach.

“The TRAI's view of Net Neutrality has so far been diametrically opposite to Ajit Pai's FCC, and with good reason. Net Neutrality ensures that all ISPs and telecom operators act as exchanges of data between users, and do not discriminate on the basis of the type or source of that data. This allows for permission-less innovation on the Internet, which has given us the Internet that we have today,” Pahwa added.

Will India’s stance on net neutrality change after the FCC’s decision?

Rajan Mathews, Director General of Cellular Operators Association of India believes the FCC’s decision will no doubt have some impact on the path India takes.

“I think the policymakers will look at the decision the US makes. They had taken their decision as a point of reference before and the FCC’s ruling is too large an issue to not look at it. Both the DoT (Department of Telecom) and TRAI will have to reevaluate their approach in the context of the what happens in the US,” he said.

“Net neutrality approach in both countries is still in flux and India is going to tread lightly on net neutrality issues,” he added. As per Mathews, in India, the situation is different from the US where a handful of telecom companies and ISPs wield control of the entire country. In India, there is a licensed environment which provides a minimal standard of net neutrality, which is applied across the board and everybody who is providing a similar service is made to follow similar guidelines.

However, Mathews did attribute India’s efforts to enforce net neutrality to the United States’ efforts to place the rules in the first place in 2015 under the Obama administration, when internet was deemed as a public utility, same as electricity or telephone.

“Net neutrality in India emerged from the US definition. Now that they are going to repeal it, people in India who were looking at the US as a model will evaluate the implications of the move,” Mathews elaborated.

The US is looking to implement an ex-post approach to regulating the internet wherein the ISPs and telcos will adopt a free market approach and will only be investigated if they violate a rule. India, Mathews says, is adopting an ex-ante approach where there will be some commonly accepted criteria of net neutrality, but operators will have the ability to manage their traffic to ensure quality of service.

Minister of Information and Broadcasting, Ravi Shankar Prasad also helped alleviate fears of India following suit. During the Global Summit for Cyberspace Security held yesterday, he said, "The citizens' right of accessing the internet is "non-negotiable" and the government will not allow any company to restrict people's entry to the worldwide web."

Prime Minister Narendra Modi also came in support of net neutrality in India. He tweeted, "The internet, by nature, is inclusive and not exclusive. It offers equity of access and equality of opportunity."

Pahwa, who fought hard against Airtel and Facebook to ensure the internet remains neutral, was confident the decision won’t affect India’s stance on net neutrality. However, he is apprehensive that Indian telecom companies might borrow a leaf from their US counterparts and lobby hard to repeal the rules.

“I don't think the FCC decision affects the Indian regulation in any way, because the Indian regulator TRAI has already established strong and well rooted principles for Net Neutrality regulations in India. The only thing that worries me is that Indian telecom operators will use the developments in the US to push back against Net Neutrality with renewed vigour,” he said.

So, on the face of it, while India is well insulated from the catastrophe the United States has embarked upon, it is important to watch what the US is doing closely and make sure we don’t repeat their mistakes here.

For more details visit https://cis-india.org/internet-governance/news/digit-subhrojit-mallick-november-24-2017-why-should-you-keep-a-close-eye-on-net-neutrality-debate-in-us

Govt working to set up financial CERT to tackle cyber threats

Admin — 2017-11-25T02:28:18Z

IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.

The article by Komal Gupta was published in Livemint on November 16, 2017

The government is working to set up a financial Computer Emergency Response Team (CERT) to tackle a rise in cyber threats to India’s financial institutions.

This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.

“Right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors, said Sawhney, responding to a question on the progress of setting up of sectoral CERTs in the country. “It will oversee the entire financial sector including banks and financial institutions,” he added.

He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.

In March, the power ministry had announced setting up of four sectoral CERTs for cyber security in power systems—CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution).

According to Sawhney, as of now, there is a national CERT and no other sectoral CERTs. While addressing the conference, he said one of the themes to be discussed will be “How sectoral CERTs can function in conjunction with the national CERT.”

CERT-In is the national nodal agency under the ministry of electronics and IT (MeitY), which deals with cyber security threats such as hacking and phishing. The agency is tasked with the collection, analysis and dissemination of information on cyber incidents and even taking emergency measures for handling cyber security incidents.

“The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack; normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank

“From April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries,” said cyber security chief Gulshan Rai, who was also present at the event.

A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, PTI reported in August.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats

Roundtable on Data Integrity and Privacy

Admin — 2017-11-25T02:17:13Z

Amber Sinha attended a roundtable on data integrity and privacy organized by the Observer Research Foundation (ORF) on November 18, 2017 in New Delhi. The round table discussion was chaired by Shri Baijayant Panda, Hon'ble Member of Parliament.

With the 10-member committee headed by former Justice B.N. Srikrishna being mandated to recommend principles for a new data protection bill, the time is ripe for online platforms, service providers and citizen stakeholders to discuss what the substantive elements of the new data protection law should look like.

Regulatory principles around data should be informed by the impetus for innovation, the responsibility to deliver social benefits and most importantly the users’ expectation of privacy. Increasingly, the nature and number of actors collecting and processing user data is becoming unclear. The new data protection framework must clarify the relationship between the user and apps/ mobile platforms that collect her data, but should do so while acknowledging the heterogenous nature of the Indian digital economy, comprising operating systems, platforms and devices of varying security and sophistication.

To kick-start this project, ORF hosted a roundtable chaired by Shri Baijayant Panda to hear from a diverse set of stakeholders to understand what direction the data privacy regime in India should take. The roundtable took place at the Viceroy, Claridges Hotel, 12, Dr APJ Abdul Kalam Road, New Delhi, Delhi 110011.

The roundtable broadly covered the following aspects –

Role of user consent and choice
Importance of cross border data flows
Appropriate regulatory authority
International best practices and relevance to the Indian context
Reasonable restrictions
Private-public collaboration

For more details visit https://cis-india.org/internet-governance/news/roundtable-on-data-integrity-and-privacy

Internet Universality Indicators for a Safe, Secure and Inclusive Cyberspace for Sustainable Development

Admin — 2017-11-25T02:04:54Z

Amber Sinha attended an event organized by UNESCO in collaboration with the Ministry of Electronics and IT, Government of India in the run-up to the 5th Global Conferene on Cyberspace (GCCS 2017) on November 17, 2017 at UNESCO Conference Room in Chanakyapuri, New Delhi.

Agenda here

For more details visit https://cis-india.org/internet-governance/news/internet-universality-indicators-for-a-safe-secure-and-inclusive-cyberspace-for-sustainable-development

Why you should keep a close eye on the net neutrality debate in the US

Admin — 2018-01-18T14:50:52Z

As the United State's FCC Chairman Ajit Pai gears up to repeal the net neutrality laws put in place in 2015, India should sit up and take note.

The blog post by Subhrojit Mallick was published by Digital.in on November 24, 2017.

What is FCC chairman Ajit Pai doing?

Executive director of the Centre for Internet and Society, Sunil Abraham elaborated on what's on Pai's mind.

Will the FCC ruling make apps and services expensive in other countries?

And that’s not just the streaming companies. All the tech giants hail from the US and it is only logical that a rise in their costs of operation will have an impact on their global operations.

Although, if the level playing field in the US is disrupted, companies will look for greener pastures and if that means moving out of the US to other countries, it could happen.

How will FCC’s decision impact India?

While US is grappling with such a reality, Indians fought against it and won. Or did they? Last year, after Airtel and Facebook were asked to drop their plans for differential pricing, TRAI released a paper on net neutrality and differential pricingto finalise its views on the matter. The regulatory body released a 14-question long consultation paper seeking comments on internet traffic management from the public.

Sharma, in contrast, disagrees on an evidence-based approach.

Will India’s stance on net neutrality change after the FCC’s decision?

Rajan Mathews, Director General of Cellular Operators Association of India believes the FCC’s decision will no doubt have some impact on the path India takes.

For more details visit https://cis-india.org/internet-governance/news/digit-in-subhrojit-mallick-november-24-2017-why-you-should-keep-a-close-eye-on-the-net-neutrality-debate-in-the-us

Indian activists slam FCC decision to ditch net neutrality

Admin — 2017-12-18T15:27:04Z

Indian net neutrality activists are assured the ongoing net neutrality tussle in the US will have no impact on India.

The article by Kul Bhushan was published in the Hindustan Times on November 23, 2017.

Net neutrality is in the news again. This time it is because the US’ Federal Communications Commission (FCC) has decided to formally scrap existing protections that are meant to keep access to internet equitable.

India had its own tryst with the idea of net neutrality after it blocked the zero-rating programmes by social networking giant Facebook — which proposed to rollout the Internet.org or Free Basics project in February last year.

A powerful social media campaign made Facebook back down and the Telecom Regulatory Authority of India (TRAI) to announce that ‘differential pricing’ — a practice where some services or sites are priced in a special manner — will no longer be allowed.

Some people who were at the forefront of the net neutrality campaign in here almost three years ago have expressed their displeasure over the FCC’s move.

“I think the approach the FCC is taking is flawed. Spectrum is a public resource and it needs to be spent on maximisation of public good. That public good, and the utility of the Internet is based on the freedom that people have to create new apps and services, without needing permission from ISPs, or the fear that ISPs might discriminate against them or favour their competitors. This is what net neutrality enables,” said Nikhil Pahwa, founder of publication Medianama and one of the activists.

“By going against Net Neutrality, FCC chairman Ajit Pai is attacking the core of what makes the Internet tick. We didn’t let that happen in India, and instead, focused on increasing competition between ISPs and telecom operators, because of which we’ve see broadband prices drop, quality of service improve, a tremendous growth in Internet users in India. For this, we owe a great debt to all those who supported Net Neutrality, especially the TRAI,” he added.

Apar Gupta, who is closely associated with the ‘Save the Internet’ initiative and is the co-founder of Internet Freedom Foundation, said, “FCC’s move to take back the internet order is a huge setback to the global campaign to ensure open internet because it undermines the net neutrality.”

“I don’t think the development should impact the regulatory process in India considering TRAI’s strong support for net neutrality. I hope that TRAI comes out with a comprehensive network neutrality regulation in the future,” he responded when asked about the possible impact on India of the FCC move.

Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society, said there should be no impact on India from the FCC move.

He also slammed FCC chief Pai’s attempt to change the existing net neutrality rules. “What Ajit Pai is trying to do he’s not saying he will not regulate. He is saying when companies violate net neutrality principles they should be transparent about it. He hopes the magic of market competition will help resolve the problem,” he said

“Pai’s approach to the net neutrality might work in a market where there is a lot of competition. In the US, there is no competition and that in case damage will be immediate,” he added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-kul-bhushan-november-23-2017-indian-activists-slam-fcc-decision-to-ditch-net-neutrality

Global Technology Summit 2017

Admin — 2017-12-05T13:47:57Z

The 2017 Global Technology Summit will take place on December 7 and 8, 2017 at the Hotel Leela Palace, Bangalore. Sunil Abraham is a speaker at the event.

Link to the original published by Carnegie here

The inaugural edition of the Global Technology Summit convened leading scholars, experts, and officials from more than ten countries for wide-ranging discussions on policy frameworks for technological innovation.

Building on its success, leading innovators, researchers, and entrepreneurs in cutting-edge technologies from around the world will engage with regulators, policy experts, and civil society actors this December in Bangalore.

The Summit will focus on new directions in technology policy, such as tech-diplomacy, data protection, and building an innovation ecosystem, as well as fields like digital finance, e-mobility, robotics, and smart cities, where massive technological transformation is likely in the coming years.

Agenda here

Panel Description

Navigating Big Data Challenges: Access to data, and capabilities to analyze the same, redefine the business moat for corporations and governance opportunities for governments. Data dictates product and policy success. It also raises complex challenges. With ever increasing hacks and vulnerabilities, data security continues to confound us. Data-driven businesses and governments also question core assumptions of privacy and individual reputation. Machine learning and deep learning, facilitated by data crunching algorithms, can either be coded to discriminate or learn from human data sets and imbibe the very same prejudices. This panel will deliberate upon these varied challenges, and explore possible policy frameworks to address them.

The panelists are:

Ann Cavoukian
Rahul Matthan
Vishnu Shankar
Rob Sherman
Sunil Abraham

Chaired by B.N. Srikrishna, former judge, Supreme Court of India

For more details visit https://cis-india.org/internet-governance/news/global-technology-summit-2017

Cyberattacks a significant threat to democracy: Modi

Admin — 2017-11-24T13:29:17Z

We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.

The article by Komal Gupta was published in Livemint on November 24, 2017.

Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.

Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.

“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.

A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, PTI reported in August.

With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told Mint during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.

Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.

The need to set up a safe and secure cyberspace is one the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.

Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.

The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.

PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.

Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.

Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”

Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.

Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely eduction, health, entertainment and others, if one enters the Net through one gate (Facebook’s).

“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.

Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.

Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.

On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.

India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.

“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

PTI contributed to this story.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi

Privacy issues exist even without Aadhaar

Admin — 2017-11-23T16:12:11Z

There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.

The article by Ronald Abraham was published by Livemint on November 15, 2017.

In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.

Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).

Data disclosure

According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.

On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.

In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.

Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.

Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.

This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.

Voluntariness

The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.

With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.

To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.

With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.

While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.

Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.

With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.

Ronald Abraham is a partner at IDinsight and co-author of ‘State of Aadhaar’ report 2016-17.

Research contributions from Shreya Dubey and Akash Pattanayak.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar