We are anonymous, we are legion

Financial CERT to combat cyber threats, says MoS home affairs

Admin — 2017-11-23T16:07:21Z

To tackle cyber threats to India’s financial institutions, the central government is mulling to establish a financial Computer Emergency Response Team (CERT).

This was published by CISO MAG on November 17, 2017

Addressing the 15th Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in New Delhi on November 15, 2017, IT Secretary Ajay Prakash Sawhney said, “right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors. It will oversee the entire financial sector including banks and financial institutions.”

In March this year, the power ministry had announced to create four sectoral CERTs for cybersecurity in power systems: CERT (Transmission), CERT (Thermal), CERT (Hydro), and CERT (Distribution).

Udbhav Tiwari, program manager at the Centre for Internet and Society, a Bengaluru-based think tank, highlighted the responsibilities of the financial CERT in a conversation with Live Mint. “The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack, normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” he said.

Cybersecurity Chief Gulshan Rai, who was also present at the event, said “from April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries.”

On August 1, 2017, MoS home affairs Hansraj Gangaram Ahir had said “as per the information by the Indian computer emergency response team (CERT-In), 50 incidents affecting 19 financial organizations have been reported during the period of November, 2016 to June, 2017.”

For more details visit https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs

Global Commission on the Stability of Cyberspace (GCSC)

Admin — 2017-11-23T14:38:12Z

The Global Commission on the Stability of Cyberspace organized a meeting on November 21, 2017 in New Delhi. The meeting took place at Taj Diplomatic Enclave Hotel on the sidelines of the 5th Global Conference on Cyberspace. Pranesh Prakash participated in the event.

GSC commissioners engaged in discussions with leading experts on cyber diplomacy, cyber norms and counter-proliferation. See the Draft Agenda here.

For more details visit https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Elements of a Decentralized Web

Admin — 2017-11-23T14:16:26Z

Gene Kogan will deliver a talk on the elements of a decentralized web at the Centre for Internet (CIS) office in Bengaluru on December 11, 5.30 p.m. to 7.30 p.m.

The internet is broken. Straying far from the original vision of democratizing access to knowledge, large tech companies now resemble the industrial barons of the 19th century, presiding over what many scholars regard as a public utility but nevertheless unregulated. As machine learning has entered the picture, the usual suspects like Facebook, Reddit, and Quora, have begun training sophisticated algorithms on personal data to route traffic in order to maximize attention, leading to a web which is more atomized, addictive, and anxiety-inducing.

In response to this, some have begun writing about, conceptualizing, and implementing the open-source protocols of what they consider the future web 3.0. Cryptocurrency enthusiasts have expanded their focus to more generalized blockchains which enable trust in decentralized platforms, while initiatives like IPDB and IPFS ambitiously promise to make hosting, storage, database querying, and even computation itself possible inside of peer-to-peer networks. But all is not well in this techno-utopia -- as the speculative bubble around this "internet of money" grows, so too does interest from the very institutions these new initiatives seek to overcome. The landscape is beginning to look like Silicon Valley of the 1990s and the threat of a crash looms. It's up to us to determine which way this one will play out.

Gene Kogan

Gene Kogan is an artist and a programmer who is interested in generative systems, computer science, and software for creativity and self-expression. He is a collaborator within numerous open-source software projects, and gives workshops and lectures on topics at the intersection of code and art. Gene initiated ml4a, a free book about machine learning for artists, activists, and citizen scientists, and regularly publishes video lectures, writings, and tutorials to facilitate a greater public understanding of the subject.

Links:

genekogan.com

twitter.com/genekogan

For more details visit https://cis-india.org/internet-governance/events/elements-of-a-decentralized-web-talk-by-gene-kogan

India’s internet missionaries: The women Google is relying on to spread its Next Billion message

Admin — 2017-11-23T02:33:35Z

Google’s internet saathis have brought 11.5 million women in 105,000 villages online. But there’s a catch: the women are taught to use only Google products.

The article by Sunny Sen was published by Livemint on November 21, 2017.

Until Google came calling at Khaula, one of the nearly 100,000 villages in Uttar Pradesh, early in 2016, few among the womenfolk there had heard about the internet. A few had seen their men watching videos on smartphones, but none had accessed the internet on her own.

Now, more than 1,100 women in Khaula and neighbouring villages know how to access the internet and regularly log in. They teach their children, they teach themselves new skills, they look up fixes to niggling medical problems, and watch YouTube videos.

Khaula is ground zero for an ambitious Google initiative called Next Billion to spread use of the internet in developing economies. The initiative rides on the shoulders of women—internet saathis, who have been roped in to carry the “here’s how to access the internet” message across India. The success or failure of the saathis (saathi means friend in Hindi) in the internet literacy project will make or break the programme.

India, whose over 400 million data consumers make it the No. 2 market by internet users, only behind China, is the top focus country in the Next Billion programme. The project also covers Brazil, Indonesia, Nigeria, and parts of Africa.

The internet saathi programme, run by Google along with Tata Trusts is designed in such a way that two-three women in a village are handpicked and trained to use the internet. They, then, further train thousands of village women—not men—on how to access it. This design is with good reason: less than one-third of internet users in India are women and the number is far lower in its villages, explained Rajan Anandan, Google’s vice president for Southeast Asia and India, in a Mint newspaper article in April.

Neetu’s story

Four years ago, Neetu Bhagour, now 22, had made news in the village when she won a state-level wrestling event and was selected at the national level. But, she never made it to the nationals. “My parents didn’t allow me to… girls in our villages are not allowed to play much,” Bhagour said, her disappointment showing in her smile.

After leaving wrestling, she decided to pursue studies. The college was far away from the village and she didn’t attend every day, yet completed her graduation in science earlier this year—one of the few to do so in Khaula.

It was on one of the days she was home, bunking college, that her uncle told her that if she had time, she could teach village women how to access the internet. That was about one-and-a-half years ago.

“I had only seen my brother using (the internet). He had an Android phone, but he would never let us use it,” Bhagour said. “I decided to learn how to use the internet. People from Google trained us for three-four days… That was the first time I used the internet.”

Google gave her a Lava smartphone and a Celkon tablet—both entry-level brands—to use and train other village women. The cost of the two devices was around Rs11,000, a price that the women of Khaula would perhaps never be able to afford. The trainers also get an umbrella and 2GB of monthly data for each device—all provided by Google.

Till now Google has spent about Rs50 crore on training 35,000 saathis. That’s a tab of between Rs14,000 and Rs15,000 per saathi which includes the Rs11,000 spent on the devices, umbrella and data.

It was not easy for Bhagour to convince women in her village that learning to access the internet would be useful. Often they would scoff at her: “We don’t need it.” She stayed persistent. “It’s okay if you don’t need the internet, but teach it to your children,” she told them. “Use Google to know anything in this world.”

Next billion

Bhagour is one of the 35,000 internet saathis in India Google is backing. And, in a move atypical of the search giant, it is pouring crores of rupees training them. “Tata Trusts are equally funding the initiative for us. Google brings in the devices, the data, and the technical know-how of training the saathis. And Tata Trusts are managing the on-ground implementation, the saathi stipend,” said Neha Barjatya, head of ads marketing & digitizing initiatives, Google India.

The saathis are trained on how the web works, especially how to use various Google products such as Chrome, Search, YouTube, and PlayStore. They are not trained to use any other product, not Facebook or WhatsApp.

Since the beginning of the internet saathis project in 2015, Google has covered 105,000 villages in 12 states and taught 11.5 million women how to use the internet—making it the biggest project by Google under its Next Billion initiative and perhaps the single largest such outreach programme anywhere in the world.

Google wants to take the programme to 300,000 villages. “These women discover the internet (through Google and its products), and eventually discover how to use the internet for their needs,” said Barjatya.

Internet hard-sell

It wasn’t easy for Bhagour or any of the other saathis, initially.

Deepa Rajput of Dehtora village (near Khaula) is a Ph.D in Hindi. She teaches at the Shree Jagdamba Degree College in Agra. She was introduced to the internet saathi initiative by a friend of her husband’s. “Our family is one of the progressive ones in the village, so it was easy to convince my in-laws,” said Rajput.

But when she went out to teach, it was a problem. At the start, women didn’t allow her to take their picture, which is needed to enrol them in the programme. Some even refused to fill the enrolment form.

Rajput’s pitch was simple, yet compelling. “Google pe saara vishwa ka jankari prapt kar sakte hai… Agar aapka bhains bimar ho jata hai toh aap uske karan dekh sakte hai (You can find the entire world’s information on Google… If your buffalo falls sick, you find the reasons there),” she told the village women.

Most women liked the idea but they had to take the permission of their in-laws and husbands. “Women are weak… their survival depends on how much their husbands provide,” Rajput said.

When Google first went to a few villages in 2013, it started by training women directly for three-four hours. This was done at a school or the village community centre. It didn’t work out. The turnout was dismal. Folks at Google knew that they had to fix it if they had to expand beyond towns.

A pilot was done in a village near the Maheshwar town in Madhya Pradesh. Google piloted something called the internet cart, like an ice cream cart, which had internet-enabled tablets. Google-contracted agents would go from village to village, home to home, with these carts and teach the village women how to use the internet.

But, even that wasn’t enough. Google realized that it was important to stay in the village for a long period of time and keep training the women. That’s when the internet saathi concept was born.

The other problem was that women didn’t have devices to access the internet on. So Google gave them devices and free data. In 2015, Google and Tata Trusts started identifying trainers. Initially, Google also provided the saathis with a cycle in 1,500 villages, but stopped it as the women preferred walking.

Changing lives

For many of these beneficiaries, the internet is the only form of empowerment. For Deepmala, a primary school teacher in Atus village not far from Khaula, the internet helps her children learn English. “Children often ask things we don’t know… I have started using Google to explain things to children,” she said.

Deepmala’s first acquaintance with the internet was when she enrolled to become a saathi. She has trained 1,500 women since then. It wasn’t easy to convince her husband to allow her to learn how to use the internet but his mother stepped in. “My mother-in-law allowed me to learn… she used to go with me for the training,” she said.

For all the world that the internet has opened up for her, some centuries-old habits haven’t changed. Deepmala doesn’t know much about her husband’s work or what he earns. All she knows is that her husband works in a shoe factory near Agra. Without her mother-in-law’s backing, Deepmala said, she wouldn’t have been able to become a saathi.

When she showed the village women the internet, they were initially afraid to use it. There are a lot of myths about the ills of the internet in the villages. Rightly so, as often boys and men in the villages click pictures of girls and upload them to porn sites.

Women are shy and shun anything that may intrude on their privacy. It is in such a context that the world of information—access to Bollywood, culture, lifestyle, pornography, information, email, voice calling, and dozens of applications—suddenly opened up to them.

The saathis need to have a minimum education of up to Class VIII and should be comfortable with English. But there are no restrictions on the saathis to pick educated women. Many of their students don’t know how to read or write. For them, Deepa Rajput of Dehtora village said, Google voice commands are the easiest way to search the internet. “Women are seeing videos condemning domestic violence and oppression of women… That is a big change,” she said.

Making money

Deepmala, the school teacher saathi, taught women to search for mehendi designs and facial makeup on Google and YouTube. “Some of them have even started searching new salwar and blouse designs… The women tailors make more money for these designs,” she said.

Some women have started charging Rs50 for drawing mehendi designs. Others have started using the internet to look for agriculture and health-related information.

There are other avenues of making money, too. Deepmala and few of the women she trained landed a contract from research firm Nielsen to do a survey of the villages and the shops, for which they were paid. A list of 96 shops was given to them with a list of 80 questions. “The form was on the internet, we surveyed these villages and filled the form. It was about things like what products are sold, which shops have shut down, updating contact information…,” said Deepmala.

Monica Sisodiya from Barhan village has trained 2,000 women, most of them who are young. After being trained by Monica, two of them opened a beauty parlour. “She gets customers from 10-12 villages because of the new ways she has introduced,” said Monica, who wanted to study law in Agra, but couldn’t because her family wouldn’t allow her to go to the city. She is now pursuing a nursing course at Maa Bhagwati College, 7km from her home.

Google makes most of its revenue by serving digital ads. As more people join the internet and as more of them use the worldwide web, Google can negotiate with brands to get a higher share of the digital advertizing wallet.

Others like Babita Singh are evidence that the lack of information access is not a problem of the poor alone. Babita, 20, whose father is an intelligence officer with the Uttar Pradesh police, lives in a house that is prosperous by Dehtora standards. Her house has four CCTV cameras monitoring the front and rear of the building. The images are captured on a 42-inch LED television on the living room wall.

Yet, Babita used the internet for the first time only four months ago after getting trained by Deepa. Babita refers to the Chrome browser as ‘kromee’. She said she uses the internet to fill forms for banking entrance exams. At leisure, she browses designs of cushion covers and sweaters and tries out new food recipes that she pulls up from the Net.

Babita’s neighbour, Malti Rajput, teaches in a school for the mentally challenged in a nearby village. She isn’t well off and got her first phone from Google.

“We have started using the internet in our schools to teach the children dance steps… They also see craft designs. We sell some of these products to raise some money for the children,” said Malti.

It’s business, of course

For Google, this is not any corporate social responsibility activity. It is about getting every individual in India online. “This is not a social initiative for us. It is very much a business or marketing objective,” said Barjatya.

Getting more people to use the internet lies at the heart of Google’s business. Google makes most of its revenue by serving digital ads. As more people join the internet and as more of them use the worldwide web, Google can negotiate with brands to get a higher share of the digital advertizing wallet.

Barjatya said Google does not measure what it is getting back from the initiative. “It’s very much to get these women online and the rest will follow,” she said. “We are only seeing how many villages and how many women are coming online, and how does it tie back into our Next Billion initiative.”

But experts say Google alone can’t change rural India. “Google is probably worried that rural India might end up like Myanmar where most users stay within Facebook and do not explore the rest of the internet,” said Sunil Abraham, executive director of Bengaluru-based research organization Centre for Internet and Society.

Click here for enlarge

Moving the needle

All the saathis FactorDaily spoke with said that at their training sessions they are taught only how to use Google products, apart from handling the hardware. Those, too, only on Android phones. No Facebook, no WhatsApp, no Snapchat, no Twitter, no Paytm, no Flipkart...

“This is a smart business decision for Google but it does not really bridge the digital divide. We need all stakeholders, including Google to work together to reduce the cost of hardware and connectivity,” Abraham said.

Still, a Google-commissioned study by research firm Ipsos suggests that the internet giant has made some headway in rural India. Here are some pointers from the study:

■ 90% of women who have attended the training have a better understanding of the internet

■ 25% of women continue to use the internet (Gujarat is the highest at 35%)

■ 7% of women trained under the program feel that their social standing has improved

■ 33% trained women think that their economic condition has improved by learning new skills

■ 1% increase in village income in instances where training was conducted

Even though most of the women are not taught to use Facebook and WhatsApp, most of them eventually get on to social media. This is little consolation for Facebook, which has failed to mainstream itself in rural India the way Google has.

While Google gets a large number of the first-time users, some of the women have also started buying things online. Mamta Mahour of Bijpuri village bought earphones and books from Amazon and a saree from Voonik. The products are delivered at one of the shops in the village and Mamta collects it from there.

Some of the households have also started disconnecting their cable connections, said Mamta. Her’s and Deepmala’s houses are two, for instance. Deepmala watches ‘Piya Albela’ and ‘Big Boss’ on YouTube. “We can watch it anytime. There is so much (power) load-shedding that you can’t watch an entire episode on television… that’s not the case on YouTube,” she said.

Slow going

Mamta has taken a Reliance Jio connection. She watches her shows on JioTV and YouTube. “JioTV is free. I don’t see the need of having a cable connection at home. Rather I would use that money to recharge my phone,” she said.

Still, the going is grindingly slow. While Google has been successful in teaching women in these villages to use the internet, three out of four stop using the internet after the training.

When the saathi project started, internet penetration in villages was about 10%, said Barjatya. A recent report by industry lobby Internet and Mobile Association of India and market researcher Kantar IMRB shows that it has gone up to 17%.

Barjatya said Google spent a lot of time understanding the needs of the rural India. These 11.5 million women trained by Google have at least been introduced to the internet. “Over time we have seen that they have found value in going and buying a smartphone,” Barjatya is optimistic.

The data story in India is changing, especially after the launch of Reliance Jio. Google is already in talks with Reliance Jio to provide 4GB of 4G data at Rs149 a month to the saathis. Right now it is 2GB of 2G data.

The feedback from the saathis, meanwhile, is that the training module needs to change: the time is too short to train someone who had never used the internet, according to them. The saathis were given the target of training 250 women in a week, based on which they would receive a stipend from Tata Trust. It varies between Rs4 and Rs8 for each woman trained.

Barjatya said the target has been brought down to 100 women a month.

Changing data story

While Google has set up a call centre to check how many beneficiaries use the internet after training, there is no way it can ensure that women continue to use it. Call centre agents make random calls to check if the training is sufficient and if they are using the internet. Google might also contemplate returning to the same village to train more women.

Also, very few women own devices in male-dominated rural Indian society. “We haven’t really got into creating access beyond spreading awareness. However, yes, this is something we are open to and can consider. But right now it is just the literacy part,” Barjatya said, talking about subsidising mobile phones for women in villages.

In the next two years, Google will need more devices and more data. For its target of covering 300,000 villages, it will need an army of about 100,000 saathis— nearly a 10-fold jump.

Meanwhile, back at Khaula, Bhagour, the former wrestler, has started studying for the entrance test to join Delhi police. YouTube, she said, is handy for her studies. She is learning tricks to solve math problems quicker. Something else happened on Dhanteras, the festival to worship wealth, that made Bhagour proud.

“I got Rs4,211 for training the women. I got the money on the day of Dhanteras,” she said. “I gave the money to my father to get the house painted.”

This story has been published in association with FactorDaily.

For more details visit https://cis-india.org/internet-governance/news/sunny-sen-livemint-november-23-2017-indias-internet-missionaries

Aadhaar seeding: benefits and concerns

Admin — 2017-11-23T02:02:45Z

Products and services such as bank accounts, life insurance policies and phone connections have to be linked with Aadhaar. But is this of any real help?

The article by Shaikh Zoaib Saleem was published by Livemint on November 14, 2017.

The government has made it mandatory for consumers to link many important services with Aadhaar. You too may be getting frequent reminders to link your banks account, mutual fund and mobile number with Aadhaar. Recently, the Reserve Bank of India also clarified that it is mandatory to link bank accounts with Aadhaar.

The latest addition to this list are insurance policies. In a circular, the Insurance Regulatory and Development Authority of India (Irdai) has stated that linking of Aadhaar number to insurance policies is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017.

The issue is being discussed intensively, with the Supreme Court taking a decision in favour of linking Aadhaar biometrics and the number with a host of services. Several petitions have been filed challenging not just the linking of these services with Aadhaar but also the validity of Aadhaar itself. We spoke to people who support and those who oppose this linking, to understand how either case impacts consumers.

The benefits

According to the Unique Identification Authority of India (UIDAI), government schemes are asking for Aadhaar as it helps to clean out duplications and fakes, and provides accurate data to enable implementation of direct benefit programmes. “Use of Aadhaar reduces the cost of identifying persons and provides increased transparency to the government in implementation of its schemes,” the Authority states under frequently asked questions on its website (read more at: https://uidai.gov.in/your-aadhaar/help/faqs.html) So, when you link your bank account with your Aadhaar, government benefits such as subsidy on LPG cylinders is credited directly to that account. The FAQs, however, do not elaborate how such linking helps an individual who does not get, or does not wish to get, such subsidies. In a tweet, UIDAI had said that verifying a bank account using Aadhaar adds an additional layer of security.

Nakul Saxena, a former banker who now works on policy advocacy at the software think tank iSpirt Foundation, said that linking of Aadhaar with these services will help eradicate fake accounts, fake insurance policies and unauthorised mobile connections. “It is possible that there are many accounts in the system that have been opened using such documents and copied signatures and even the banks may not be aware of it. Some people may not even be aware that an account exists in their name. These accounts need to be verified using Aadhaar now,” he said.

The government claims to have removed millions of fake beneficiaries for government benefits by Aadhaar linking. As reported by Mint in May 2017, over 23 million fake ration cards have been scrapped, potentially saving the government Rs14,000 crore in food subsidy every year. Another Mint report in August says, three states discovered that about 2,72,000 fake students were availing the mid-day meal (MDM) scheme.

However, those who are against linking Aadhaar disagree with these arguments. “Initially, Aadhaar was about delivery of services. But linking everybody’s phone number and bank account is not about that anymore. The real question is, what purpose this linking serves. If the intention is to update the databases, then there can be other means to update those,” said Rahul Narayan, a Supreme Court advocate who is among the lawyers representing petitioners who have challenged Aadhaar linking in court.

The concerns

The fundamental objection to this linking of services is that all information on an individual will be available at a single place, which could make surveillance easier and also increase the risks if this information is hacked. “As of now, your bank knows something about you, your insurance company knows something and your mobile phone company knows something about you. Each of these are different silos of information. When these converge, which is then accessible to a single person, that person knows almost everything about you,” said Narayan.

Moreover, a user’s Aadhaar number and fingerprint are permanent identifiers, and at least the Aadhaar number has been compromised for over 130 million citizens, as per a study by Centre for Internet & Society, said Nikhil Pahwa, co-founder of the SaveTheInternet.in (https://internetfreedom.in) campaign for net neutrality in India. “This leaves the users vulnerable to social hacks, some of which we have already been reading about in the news. To forcefully and mandatorily link Aadhaar to bank accounts means that their finances are at risk,” he said.

Saxena said the data leaks that have been highlighted have been typically about demographic details such as name, date of birth and address “which have been commonly available so far.” However, given the heightened sensitivities in this digital age, customers must ask their service providers to not publish such details, nor provide this information freely, he added.

Grievance redressal and data privacy

Another major concern is the absence of a clear redressal mechanisms for consumers in case of a data leak, misuse or hack. “When things go wrong, consumers need to have access to a proper complaints mechanism. In the case of Aadhaar, such access is to be provided through the establishment of ‘contact centres’ under the Regulation 32 of the UIDAI Enrolment and Update Regulations. To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI,” said Renuka Sane, associate professor at the National Institute of Public Finance and Policy, who has worked on data privacy and security issues.

Apart from this, Section 47 of the Aadhaar Act stipulates that only UIDAI or its authorised officers can file a criminal complaint for violations of the Act, she added.

“The UIDAI has been given complete discretion in determining if and when to file a criminal complaint for violations of the Act, and an individual aggrieved by actions of a third person is left to rely upon the bonafide actions of the UIDAI,” Sane added. The government is also working towards a data privacy legislation, that is needed to give citizens protection against misuse of their data, and them having some control over who gets their data, how it is used, and where it can be shared. “However, a data privacy legislation and mechanism will not ensure that data remains secure and protected, and that processes are followed. The Act disallowing people from sharing Aadhaar numbers did not prevent government departments from publishing details online,” said Pahwa. He also said that systems can get hacked, which could include the Aadhaar database, the parallel Aadhaar databases with state governments, or eKYC databases held with banks and telecom operators.

Saxena said the UIDAI has clarified that biometric information is not stored with user agencies, and stored biometrics can't be used for Aadhaar authentication or eKYC. “Hence, customers can be assured when using Aadhaar and biometrics with authorized entities,” he said. “The data privacy law will address data privacy and protection in all digital systems, not just Aadhaar. It will equally apply to social media and mobile apps. It should also go into the aspect of ‘right to be forgotten’,” said Saxena.

Pahwa, however, insists that the least that should be done is to give citizens the right to not link their Aadhaar and use other IDs for authentication, plus the ability to change their ID number if the system gets compromised.

What you should do

For now, the deadlines for linking bank accounts with Aadhaar is 31 December 2017, and for mobile phones it is 7 February 2018. In its latest hearing on the matter, the Supreme Court has directed service providers to mention these deadlines in their reminders. “Right now, regardless of what they say, nobody is going to shut down your bank account or disconnect your mobile connection, at least till the deadline. There are several petitions being heard in the Supreme Court. The matter is supposed to be taken up by the Supreme Court in the last week of November. The final word from the court is yet to come and it is quite possible that at least the deadlines gets extended,” said Narayan.

If you have already linked these services with Aadhaar, you are in no trouble. But if you are having second thoughts, the linking cannot be undone. If you are concerned about safety or other aspects, you can wait to get more clarity from the Supreme Court.

For more details visit https://cis-india.org/internet-governance/news/shaikh-zoaib-saleem-livemint-november-14-2017-aadhaar-seeding-benefits-and-concerns

UIDAI admits 210 government websites made Aadhaar details public

Admin — 2017-11-21T16:03:29Z

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.

The article was published in the Financial Express on November 20, 2017.

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which was removed when the breach was identified.

However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.

UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and addresses anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the Narendra Modi government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhar.

Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that Aadhaar numbers of as many as 135 millions could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.

UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” press release by PIB said.

It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.

For more details visit https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public

National Privacy Workshop

Admin — 2017-12-05T14:24:16Z

Centre for Internet & Society is organizing a round-table to discuss the potential impact of numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The round-table will be held on December 9, 2017 at India International Centre in New Delhi, 10.30 a.m. to 5.00 p.m.

Background

The recent past in India has seen numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The emphatic and unanimous avowal of the right to privacy by the Supreme Court, the government’s stated commitment to a data protection law and the formation of the Sri Krishna Committee are developments which will continue to inform policymaking around privacy in India for a long time to come. The Supreme Court’s conception of a robust right to privacy encompassing different element - spatial, decisional and informational, and its guidance on strict limiting tests may have a wide impact on a range of issues. The impact of this judgment and a data protection law on informational privacy in India will be immense and it is important to delve in challenges and issues that it may throw up. In last year, we have also seen instances of purported conflict between the transparency instruments such as the right to information and the right to informational privacy. How these conflicts are resolved in law and practice will be key to these two essential human rights in the modern information society. Further, while these general consensus on privacy principles, the appropriate ways to govern and enforce privacy remains an open issue, and the success of any data protection framework will depend as much on what kind of privacy governance models are adopted.This roundtable will look to discuss the potential impact of these policy decisions, what theories should guide the data protection law in India, what models of privacy governance are workable and how privacy can co-exist with transparency principle and robust RTI regime.

Agenda

10.30 - 11.00	Tea
11.00 - 11.30	Welcome and setting the scene
11.30 - 12.30	Session 1: Policy Developments around Informational Privacy in India What do different policy developments indicate about privacy in India? What are the (potential) impacts of these developments? What questions are being asked and are these the right questions to ask? How do we expect the ‘state of privacy’ to change in India in response to these policy developments?
12.30 - 13.30	Session 2: Approaches to Privacy and Data Protection for India What are different approaches to privacy and government the Indian government can take? What cultural/political etc. aspects should be taken into consideration when thinking through this question? What are the pros and cons to different approaches? What are the pros and cons to the below approaches: - Privacy as control - Data as property - Utilitarian approaches - Technological Solutions
13.30 - 14.30	Lunch
14.30 - 15.30	Session 3: Transparency and Privacy How can transparency from the private sector enable the right to privacy? What are key principles that can guide this relationship? Where is transparency from the private sector most needed with respect to privacy? What are incentives that governments can adopt to encourage privacy?
15.30 - 16.30	Governance Models for Data Protection What kind of institutional framework is required for governance of privacy in India? How do we address questions of liability, penalties and enforcement? What role do sectoral players have in a data governance framework? What is best way for other stakeholders like industry, civil society and academia in collaborative governance of privacy?
16.30 - 17.00	Tea and snacks

Speakers

Usha Ramanathan
Rahul Sharma
Apar Gupta
Malavika Raghavan
Shankar Narayanan
Ujwala Uppaluri
Rebecca MacKinnon
Nikhil Pahwa
Kamlesh Bajaj
Manasa Venkatraman
Smitha K Prasad

Download the Agenda

For more details visit https://cis-india.org/internet-governance/events/national-privacy-workshop-at-india-international-centre

Breach Notifications: A Step towards Cyber Security for Consumers and Citizens

Amelia Andersdotter — 2017-11-14T15:38:15Z

Through the Digital India project the Indian government is seeking to establish India as a digital nation at the forefront. Increasingly, this means having good cyber-security policies in place and enabling a prosperous business environment for companies that implement sound cyber-security policies. This paper will look at one such policy, which enables investments in cyber-security for IT products and services through giving consumers a way to hold business owners and public authorities to account when their security fails.

Electronic data processing has awarded societies with lots of opportunities for improvements that would not have been possible without them. Low market entrance barriers for new innovators have caused a flood of applications and automations that have the potential to improve citizens’ and consumers’ lives, as well as government operations. But while the increasing prevalence of electronic hardware and programmable software in many different parts of society and industry, combined with the intricate value chains of international communications networks, devices and equipment markets and software markets, have created a large number of opportunities for economic, social and public activity, they have also brought with them a number of specific problems pertaining to consumer rights.

Read full report here

For more details visit https://cis-india.org/internet-governance/blog/breach-notifications-a-step-towards-cyber-security-for-consumers-and-citizens

Cross Border Sharing of Data: Challenges and Solutions

Admin — 2017-11-20T15:20:18Z

Centre for Internet & Society (CIS) has been following the debates around MLAT process taking place globally and researching potential areas of tension in the tools that India uses to access data across borders. As part of this research, CIS is hosting a workshop on cross border sharing of data on December 8, 2017 at India Islamic Centre from 10.30 a.m. to 5.00 p.m.

For more details visit https://cis-india.org/internet-governance/events/cross-border-sharing-of-data-challenges-and-solutions

Open House on Security Practices in FinTech

Admin — 2017-11-12T10:18:09Z

CIS in collaboration with Has Geek is organizing an Open House on security practices in FinTech.

The prevalence of fintech companies operating in India is growing with new actors entering the sector and traditional actors such as banks beginning to offer digital financial services. The push to digital payments has been particularly strong after the demonetization policy, the development and implementation of Aadhaar and India Stack. Services offered by Fintech firms can range from offering a loan or credit to a digital wallet and digital banking and payment services.

Presently, there is a regulatory gap for many of the fintech services and business models. The Reserve Bank of India has published consultation papers on Peer-to-Peer lending platforms as well as Account Aggregators, but comprehensive regulations, especially those surrounding minimum security practices, have yet to emerge – presenting a critical policy and research window. Furthermore, under Section 43A of the IT Act and its associated Rules, ‘body corporates’ are required to implement reasonably security procedures compliant with ISO27001 or a sectoral standard approved by the Central Government. However, currently such a sectoral standard is absent for the FinTech and Digital Payments space.

The growing prevalence of these fintech technologies and the criticality of security of the same to engender citizen trust, protect rights, and comprehensive national security posture demands debate and discussion.

On November 17th, the HasGeek in collaboration with the Centre for Internet and Society will be holding an Open House from 6pm - 8pm to discuss security practices in the fintech industry.

Pressing questions for discussion include: How secure are these services? What security standards are they adhering to? Who is holding them accountable for adherence to security standards? What can individuals do if there financial data is compromised?

Please join us for a robust discussion on these issues @HasGeek House, 2699, 19th Main Rd, HAL 2nd Stage, Indiranagar, 19th Main Rd, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560008 from 6PM - 8 PM on November 17th.

For more details visit https://cis-india.org/internet-governance/events/open-house-on-security-practices-in-fintech

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

#NAMAprivacy: Data standards for IoT and home automation systems

Admin — 2017-11-08T02:15:52Z

On 5th October, MediaNama held a #NAMAprivacy conference in Bangalore focused on Privacy in the context of Artificial Intelligence, Internet of Things (IoT) and the issue of consent, supported by Google, Amazon, Mozilla, ISOC, E2E Networks and Info Edge, with community partners HasGeek and Takshashila Institution. Part 1 of the notes from the discussion on IoT:

Link to the original published by Medianama on October 18 here

The second session of the #NAMAprivacy in Bangalore dealt with the data privacy in the Internet of Things (IoT) framework. All three panelists for the session – Kiran Jonnalagadda from HasGeek, Vinayak Hegde, a big data consultant working with ZoomCar and Rohini Lakshane a policy researcher from CIS – said that they were scared about the spread of IoT at the moment. This led to a discussion on the standards which will apply to IoT, still nascent at this stage, and how it could include privacy as well.

Hedge, a volunteer with the Internet Engineering Task Force (IETF) which was instrumental in developing internet protocols and standards such as DNS, TCP/IP and HTTP, said that IETF took a political stand recently when it came to privacy. “One of the discussions in the IETF was whether security is really important? For a long time, the pendulum swung the other way and said that it’s important and that it’s not big enough a trade-off until the bomb dropped with the Snowden revelations. The IETF has always avoided taking any political stance. But for the first time, they did take a political position and they published a request for comments which said: “Pervasive monitoring is an attack on the Internet” and that has become a guiding standard for developing the standards,” he explained.

He added that this led the development of new standards which took privacy into consideration by default.

“The repercussions has been pervasive across all the layers of the stack whether it is DNS and the development of DNS Sec. The next version of HTTP, does not actually mandate encryption but if you look at all the implementation on the browser side, all of them without exception have incorporated encryption,” he added.

Rohini added that discussion around the upcoming 5G standard, where large-scale IoT will be deployed, also included increased emphasis on privacy. “It is essentially a lot of devices connected to the Internet and talking to each other and the user. The standards for security and privacy for 5G are being built and some of them are in the process of discussion. Different standard-setting bodies have been working on them and there is a race of sorts for setting them up by stakeholders, technology companies, etc to get their tech into the standard,” she said.

“The good thing about those is that they will have time to get security and privacy. Here, I would like to mention RERUM which is formed from a mix of letters which stands for Reliable, Resilient, and Secure IoT for smart cities being piloted in the EU. It essentially believes that security should include reliability and privacy by design. This pilot project was thought to allow IoT applications to consider security and privacy mechanisms early in the design, so that they could balance reliability. Because once a standard is out or a mechanism is out, and you implement something as large as a smart city, it is very difficult to retrofit these considerations,” she explained.

Privacy issues in home automation and IoT

Rohini pointed out a report which illustrates the staggering amount of data collection which will be generated by home automation. “I was looking for figures, and I found an FTC report published in 2015 where one IoT company revealed in a workshop that it provides home automation to less than 10,000 households but all of them put together account for 150 million data points per day. So that’s one data point for every six seconds per household. So this is IoT for home automation and there is IoT for health and fitness, medical devices, IoT for personal safety, public transport, environment, connected cars, etc.”

In this sort of situation, the data collected could be used for harms that users did not account for.

“I received some data a couple of years back and the data was from a water flowmeter. It was fitted to a villa in Hoskote and the idea was simple where you could measure the water consumption in the villa and track the consumption. So when I received the data, I figured out by just looking at the water consumption, you can see how many people are in the house, when they get up at night, when they go out, when they are out of station. All of this data can be misused. Data is collected specifically for water consumption and find if there are any leakages in the house. But it could be used for other purposes,” Arvind P from Devopedia said.

Pranesh Prakash, policy director at Centre for Internet and Society (CIS), also provided an example of a Twitter handle called “should I be robbed now” where it correlates a user’s vacation pictures says that they could be robbed. “What we need to remember is that a lot of correlation analysis is not just about the analysis but it is also about the use and misuse of it. A lot of that use and misuse is non-transparent. Not a single company tells you how they use your data, but do take rights on taking your data,” he added.

Vinayak Hedge also added that the governments are using similar methods of data tracking to catch bitcoin miners in China and Venezuela from smart meters.

“In China, there are all these bitcoin miners. I was reading this story in Venezuela, where bitcoin mining is outlawed. The way they’re catching these bitcoin miners is by looking at their electricity consumption. Bitcoin mining uses a huge amount of power and computing capacity. And people have come out with ingenious ways of getting around it. They will draw power from their neighbours or maybe from an industrial setting. This could be a good example for a privacy-infringing activity.”

Pseudonymization

Srinivas P, head of security at Infosys, pointed out that a possible solution to provide privacy in home automation systems could be the concept of pseudonymity. Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.

“There are a number of home automation systems which are similar to NEST, which is extensively used in Silicon Valley homes, that connect to various systems. For example, when you are approaching home, it will know when to switch on your heating system or AC based on the weather. And it also has information on who stays in the house and what room and what time they sleep. And in a the car, it gives a full real-time profile about the situation at home. It can be a threat if it is hacked. This is a very common threat that is being talked about and how to introduce pseudo-anonymity. When we use these identifiers, and when the connectivity happens, how do we do so that the name and user are not there? Pseudonymity can be introduced so that it becomes difficult for the hacker to decipher who this guy is,” Srinivas added.

Ambient data collection

With IoT, it has never been able to capture ambient data. Ambient data is information that lies in areas not generally accessible to the user. An example for this is how users get traffic data from Internet companies. Kiran Jonnalagadda explained how this works:

“When you look at traffic data on a street map, where is that data coming from? It’s not coming from the fact that there is an app on the phone constantly transmitting data from the phone. It’s coming from the fact that cell phone towers record who is coming to them and you know if the cell phone tower is facing the road, and it has so many connections on it, you know that traffic is at a certain level in that area. Now as a user of the map, you are talking to a company which produces this map and it is not a telecom company. Someone who is using a phone is only dealing with a telecom company and how does this data transfer happen and how much user data is being passed on to the last mile user who is actually holding the phone.”

Jonnalagadda stressed on the need for people to ask who is aggregating this ambient data.

“Now obviously, when you look at the map, you don’t get to see, who is around you. And that would be a clear privacy violation and you only get to see the fact that traffic is at a certain level of density around the street around you. But at what point is the aggregation of data happening from an individually identifiable phone to just a red line or a green line indicating the traffic in an area. We also need to ask who is doing this aggregation. Is it happening on the telecom level? Is it happening on the map person level and what kind of algorithms are required that a particular phone on a cell phone network represents a moving vehicle or a pedestrian? Can a cell phone company do that or does a map company do that? If you start digging and see at what point is your data being anonymized and who is responsible for anonmyzing it and you think that this is the entity that is supposed to be doing it, we start realizing that it is a lot more complicated and a lot more pervasive than we thought it would be,” he said.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-data-standards-for-iot

#NAMAprivacy: The economics and business models of IoT and other issues

Admin — 2017-11-08T02:09:51Z

Link to the original published by Medianama on October 18, 2017 here

Part 1 of the notes from the discussion on IoT are here. Part 2:

The session on IoT shifted gears and the participants spoke more about the economics and business IoT. Participants expressed concern that data could be linked to very private aspects of their lives and build business models around them. For example, data from fitness trackers can be linked to a user’s insurance premiums. Or sensors on a car that monitors a user’s driving behavior and link motor insurance.

“I work for Zoomcar, and these are devices which our lives depend and are collecting and reporting data. And that data can be used against you. So it is very hard to know what is fair and what is unfair. Someone mentioned insurance, I feel it is useful to collect a lot of data and decide on insurance based on your driving behaviour and we have had markers for that. But is it fair to the user? The same kind of questions crops up elsewhere like in the US when it comes to healthcare,” Vinayak Hegde said.

An audience member pointed out to that in such a scenario, privacy can help businesses rather than inhibit them and cited a research study in UC Berkely. “If I use a health tracking device, some of those devices can be valuable for health insurance companies and using that data, they might increase the premiums. But I don’t know actually who might sell my data to someone,” he explained.

“Because I don’t know which tracking devices sell my data, I would like not to own the devices itself. So that itself harms the entire health tracker industry itself. He (the researcher) defines privacy as contextual integrity. So a health tracking device is supposed to help me track my health and not supposed to be used by insurance people to determine my premium. If the regulation mandates the contextual integrity of that, it helps that particular industry to avoid those feedback loops,” he explained.

Are fitness trackers in the hardware or services business?

Kiran Jonnalagadda of HasGeek added to the point on fitness trackers. He said that all of IoT is not in the business of hardware and that they are in the services business. “I had an unusual experience for the past one week, I was out in an area with no Internet connection. But I have two fitness trackers. I bought them mostly because I’m curious about how these companies operate and what they’re doing. And the differences between them are the way they think about things. Now both of these are capable of counting steps without an Internet connection…. But they cannot do anything to show the step count on my phone which it connects to until the data is sent to the Internet and brought back. So my phone would keep telling me that I am not moving and tell me the move but the watch is saying that I am doing 20,000 steps a day and that I am trekking a lot,” he explained.

“For whatever reason, these companies have decided to operate in this manner where validation of data happens on the cloud and not on the device. You only get the most rudimentary data from your device and your phone is just a conduit and not a processing centre at all,” Jonnalagadda said.

He explained both the devices were in the device sales business and has not asked money from them for enabling this sort of Internet-based processing of data. “It calls into question, what is the model here. One could bring the conspiracy theory that they’re selling my data and therefore they don’t worry about collecting data from me. The second is to say: be a little bit more charitable and they recognize that if they piss me off, I won’t buy their device again. And then just assume that a device has a lifetime of just 2-3 years and if you keep a person happy for 2-3 years, they will buy the device from you again. What’s interesting is ultimately not about devices and that it is about services. And this is what I want to say about IoT that it is not about hardware at all it is entirely about services. Without services, the entire business model of IoT breaks down. You do not get software updates, you get vulnerabilities, you get broken design, things have stopped working and no one supports you.”

The economics of processing data locally on a device

Thejesh GN, co-founder of DataMeet, questioned the need for data to be processed on the Internet and asked whether the data will be better protected and have better privacy if it were processed locally. “Considering the fact that we have such powerful phones which are affordable, and can do a lot of things without the Internet. I mean the biggest concept we had in IoT was that we didn’t have CPU or memory and processing power. Given that and the availability of EDGE devices, how long will we have economic cases where privacy can be sold as part of IoT. The processing happens 99% of the times locally without Internet and requires the Internet only when there is messaging. This could be true for your fitness trackers that can be connected to your phone. Your phone has all the capabilities to do all the analysis and doesn’t need to go to the server,” he said.

Pranesh Prakash of the CIS countered him and said that the economics for processing data works out cheaper for the companies.

“One on local processing, this I think is a perennial problem and it really is a question of economics versus principles. Free software is losing out the battle against using other people’s computers for computing—cloud computing—because of economics. So, you no longer own the software that you purchase and even the hardware, very often, with IOT might not actually be yours. It might come with a license, it might come with data that is tied to the company that is actually providing you the device. So the economics of this are for me clear: it’s much cheaper to do it on other computers than to do it locally,” Prakash explained.

He made a case for asserting for individual user’s rights to privacy in this kind of scenario. “It is a question of principles. Should we allow for that or should we assert for consumer protection laws and assert other manners of laws to say that ‘no, people who are purchasing devices’ ought to have greater control of the devices and the data that they produce,” he added.

Group privacy

The audience also suggested that privacy laws should not just look at protecting the rights of individuals but should look at protecting the rights of groups as well. They raised concerns that even in a group and if the data has been anonymized, it still can be weaponized and cause harms.

“For example, if there are 10-15 of us in this room and given our detailed medical histories, I can find a correlation between some of that. And then I can use that data in some other form when I run a test to see if I am vulnerable to something or use it as a way to discriminate further down the line. As a group, privacy matters a lot because when we talk about devices, we are talking about individuals. Maybe you can target via ethnicity or by age or by class and that can also be weaponized,” an audience member suggested.

Vinayak Hegde gave an example of how weather data captured by IoT can cause harms to a society at large. “If I’m using the weather sensor data and because of global warming, some places like Florida and south of India are going to be extremely hot, I can use surge pricing for a person’s electricity. Again I am not getting targeted as an individual, but as a group, I am being targeted. And sensors are closing that loop really fast.” he explained.

Srinivas P, head of security at Infosys, gave another example where gyroscopes in a phone could target a family. “Some companies in the US use gyroscope in a phone to surreptitiously monitor TV viewing habits. The mobile phone gets activated and over a period of time, they can tweak the advertisements. It is an interesting example, because in TV, when you watch at home, you cannot pinpoint TV a user, because it is shared by a family. This is because the guy who is watching the maximum amount of TV, their data gets circulated and the ads will be tailored to them. The person who does not watch that much amount of TV gets baffled to see advertisements that are not relevant to them. So when you want to process data, you want to assume that, this TV belongs to a user. The TV belongs to a group. And what if the viewing habits are so different, that once your privacy is violated, you don’t want your other family member to know what you are watching,” he added.

Perception of permissions for sensors

Rohini Lakshane of CIS raised an important point during the discussion. The users have different perceptions about the sensors that are embedded in smartphones. She pointed out that users are generally unaware that accelerometers are sensors and capture data and most apps do not ask permissions for the same. An accelerometer is a device used to measure acceleration forces. It is usually used in devices to measure movement and vibrations in devices such as fitness trackers.

“A researcher surveyed a control group and asked them if their GPS data was taken and their camera was made accessible, whether they would be comfortable with it? They were hugely uncomfortable. The question came to the accelerometer on the phone and the respondents said that ‘we are not all that afraid’. The accelerometer only counts the acceleration. So in that app which counts how many steps we have taken in a day, it uses the accelerometer and there is no permission required for it. The accelerometer is still on the phone and is still generating the data and you don’t see it because you don’t have an interface directly with it,” she commented.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-economics-and-business-models-of-iot

Big Data for governance

Admin — 2017-11-08T01:42:18Z

Recent times have witnessed an explosion of data as users started leaving a huge data footprint everywhere they go. Interestingly, this period has seen a phenomenal increase in computing power couple by a drop in costs of storage.

The article by Alekhya Hanumanthu was published in Telangana Today on November 4, 2017.

India is now sitting on the data so generated and subjecting it to data analytics for uses in various sectors like insurance, education, healthcare, governance, so on and so forth.

According to Centre for Internet and Society (CIS), in 2015, the Government of Narendra Modi launched Digital India Programme to ensure availability of government services to citizens electronically by improving online infrastructure and Internet connectivity.

Amongst other things, e-Governance and e-Kranti intend to reform governance through technology and enable electronic delivery of services. Needless to say, it will involve large scale digitisation, electronic collection of data from residents and processing. The Big data so created will help policy making evolve into a data backed, action oriented initiative with accountability asserted where it is due.

Let’s take a look at some Big Data based initiatives underway according to analyticsindiamag:

Project insight: Undertaken up by Indian tax agencies, Project Insight is an advanced analytical tool that is a comprehensive platform that encourages compliance of tax while at the same time it prevents non-compliance. Significantly, it will be used to detect fraud, support investigations and provide insights for policy making. For instance, it will detect the social media activity of a person to glean their spending and check if it is commensurate with the tax they have paid during that year. Needless to say, this will also unearth sources of black money.

Economic Development Board in Andhra: CORE-CM Office Realtime Executive Dashboard is an integrated dashboard established to monitor category-wise key performance indicators of various departments/schemes in real time. Users can check key performance indicators of various departments, schemes, initiatives, programmes, etc. With a panoply of services information ranging from Women and Child Welfare to Street lights monitoring, it has become an exemplary role model of governance.

Geo-tagging of assets under Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA): Under the guidance of Narendra Modi, online monitoring of assets to check leakages Ministry of Rural development was started. To achieve this, they were tied up with ISRO and National Informatics Centre to geo tag MGNREGA assets. According to India Today, the assets created range from plantations, rural infrastructure, water harvesting structures, flood control measures such as check dams etc. To do this, a junior engineer takes a photo of an asset and uploads it on the Bhuvan web portal run by ISRO’s National Remote Sensing Centre via a mobile app. Once a photo is uploaded, time and location gets encrypted automatically. Thus, the Government hopes to hold an ironclad control of the resources thus disseminated.

CAG’s centre for Data Management and Analytics: According to Comptroller and Auditor General of India, The CAG’s Centre for Data Management and Analytics (CDMA) is going to play a catalytic role to synthesise and integrate relevant data into auditing process. According to an announcement on National Informatics Centre (NIC), it aims to build up capacity in the Indian Audit and Accounts Department in Big Data Analytics to explore the data rich environment at the Union and State levels. What’s more, this initiative of CAG of India, puts it amongst the pioneers in institutionalising data analytics in government audit in the international community.

Task Force to spruce up Employment Data: The data provided by Labour Bureau is limited and not timely enough for policymakers to assess the need for job creation. To address this gap, the Government has set up a committee tasked to fill the employment data gap and ensure the timely availability of reliable information regarding job creation. Thus the top line of Government has a direct view of where the employment gaps are so that it can facilitate creation of appropriate jobs.

What’s the big picture?

Policy making and governance by Indian government have traditionally been rife with red tape, bureaucracy and corruption. Lack of accountability on part of Government workforce not only impacted the quantity and quality of work delivered but also invited corrupt practices and leakages. So, Big data is a welcome change in direction.

For more details visit https://cis-india.org/internet-governance/news/telangana-today-november-8-2017-alekhya-hanumanthu-big-data-for-governance