We are anonymous, we are legion

April 2017 Newsletter

praskrishna — 2017-05-20T12:59:17Z

Welcome to the CIS newsletter for April 2017.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In a report on the information security practices of Aadhaar, Amber Sinha and Srinivas Kodali documented numerous instances of publicly available Aadhaar numbers along with other personally identifiable information of individuals on government websites. CIS along with like minded organizations made a submission to the Government of India to frame a feasible accessibility guidelines for mobile apps since there is no single standard in existence at the moment. A two-day 100 Women Edit-a-thon was held in March 2017 by CIS-A2K team along with Odisha's biggest newspaper Sambad. The event was inspired by BBC’s 100 Women series and edit-a-thons with the same name in December 2016. More than 20 female journalists participated and registered as new Odia Wikipedians. On March 31, 2017, the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training released a Circular framing rules under the Right to Information Act, 2005 (“RTI Rules”). The Ministry invited comments on on the RTI Rules. CIS submitted its comments. In an article originally published in Hindu Businessline on March 31, Sunil Abraham lists out 11 reasons why Aadhaar is not just non-smart but also insecure. Shuttleworth Foundation has announced Sunil Abraham as Honorary Steward for its September 2017 fellowship round. CIS worked on a three part case study. The first case study on digital protection of traditional knowledge was published by GIS Watch in December 2016. The other two case studies along with the synthesis overview has also been published.

CIS in the news:

NGOs, individuals urge state CMs to curb Internet shutdown (The Times of India; April 4, 2017).
India’s National ID Program May Be Turning The Country Into A Surveillance State (Pranav Dixit; BuzzFeed News; April 4, 2017).
Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter (Neha Vashishth; India Today; April 6, 2017).

Bengaluru cops' twitter handle in ethical storm (Umesh Yadav; The Times of India; April 6, 2017).

Opposition questions govt move to make Aadhaar must (Komal Gupta; Livemint; April 12, 2017).
Aadhaar: A widening net (Komal Gupta, Apurva Vishwanath and Suranjana Roy; Livemint; April 21, 2017).
Chemistry research in India 'still not in big league' (IANS and India Online News Portal; April 24, 2017).
Stop the Haphazard Internet Shutdown Says MP Jay Panda (Regina Mihindukulasuriya; Businessworld; April 26, 2017).
Now, Aadhaar details displayed in Mizoram too (Sebastian P.T.; National Herald; April 26, 2017).
After SPB-Ilaiyaraaja, Sony Music and Sun Network lock horns over copyrights (Priyanka Thirumurthy; Newsminute; April 26, 2017).
Analysis: Data Protection in India - Getting It Right (Suparna Goswami and Varun Haran; Info Risk Today; April 26, 2017).
India bans social media in Kashmir for one month (Telegraph; April 27, 2017).
J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts (Shruti Dhapola; Indian Express; April 28, 2017).

CIS members wrote the following articles:

How Aadhaar compromises privacy? And how to fix it? (Sunil Abraham; Hindu; April 1, 2017).
Digital native: You can check out, you can never leave (Nishant Shah; Indian Express; April 2, 2017).
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’ (Pranesh Prakash; Hindustan Times; April 3, 2017).
It’s the technology, stupid (Sunil Abraham; Hindu Businessline; April 7, 2017).
Privacy in the Age of Big Data (Amber Sinha; Asian Age; April 10, 2017).
Digital native: Are You Still Having Fun? (Nishant Shah; Indian Express; April 17, 2017).
Digital native: Snap out of outrage mode (Nishant Shah; Indian Express; April 30, 2017).

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

Submission

Mobile Accessibility Practices (Nirmita Narasimhan; April 12, 2017).

Event

Global Accessibility Awareness Day 2017 (Organized by Prakat Solutions, Mithra Jyothi and CIS; Bengaluru; May 18, 2017).

-----------------------------------

Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Note: All the following events were held earlier but the reports were published in the month of April:

Women's Day Edit-a-thon at Jeewan Jyoti Women's Empowerment Centre, Pune (Subodh Kulkarni; April 10, 2017).
Marathi Wikipedia Edit-a-thon at Savitribai Phule Mahila Ekatma Samaj Mandal, Aurangabad (Subodh Kulkarni; April 13, 2017).
Google-translated Telugu articles prioritisation exercise: January iteration (Pavan Santhosh; April 15, 2017).
Telugu Wikipedia stall at Vijayawada Book Festival (Pavan Santhosh; April 15, 2017).
Women's Day Edit-a-thon at Jnana Prabodhini (Subodh Kulkarni; April 15, 2017).
Bargarh Manuscript Digitisation Project (Sailesh Patnaik; April 16, 2017).
Imperial College Orientation Program, Bargarh (Sailesh Patnaik; April 16, 2017).
Orientation & Training session for Environmental Activists in Satara (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Rajarshi Chhatrapati Shahu College, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Shivaji University, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Sangli, Maharashtra (Subodh Kulkarni; April 16, 2017).
Orientation & Training session of Jalbiradari Activists (Subodh Kulkarni; April 16, 2017).
"Free-license Wings To Your Books" in Guntur (Pavan Santhosh; April 16, 2017).
"Free-license Wings To Your Books" in Vijayawada (Pavan Santhosh; April 16, 2017).
Adikavi Nannaya University Telugu Wikipedia Workshop (Pavan Santhosh; April 16, 2017).
Odia Wikipedia Workshop in IIMC, Dhenkanal (Sailesh Patnaik; April 17, 2017).
Sambad 100 Women Edit-a-thon (Ting Yi Chang and Sailesh Patnaik; April 18, 2017).
Google-translated Telugu articles prioritisation exercise: February iteration (Pavan Santhosh; April 18, 2017).

►Copyright and Patent

National Conference on Intellectual Property Rights and Public Interest (Organized by Indian Law Institute; New Delhi; April 7 - 8, 2017). Maggie Huang took part in the event.

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Publication

Economic, Social and Cultural Rights in India: Opportunities for Advocacy in Intellectual Property (Sunil Abraham and Vidushi Marda; GIS Watch and Association for Progressive Communications; April 23, 2017). Total 4 reports: Synthesis Overview, Access to Mobile Technology, Traditional Knowledge Digital Library, and FOSS and Open Standards.

Submission

Comments on the Right to Information Rules, 2017 (Amber Sinha; April 27, 2017).

Event Organized

NASA Space Apps Challenge 2017 (CIS, Bengaluru, April 22, 2017).

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Blog Entries

Analysis of Key Provisions of the Aadhaar Act Regulations (Amber Sinha; April 3, 2017).
Right to be Forgotten: A Tale of Two Judgements (Amber Sinha; April 7, 2017).

►Free Speech and Expression

Blog Entries

Killing of Yameen Rasheed Reveals Worsening Human Rights Situation in the Maldives (Pranesh Prakash; April 25, 2017).
Internet Shutdowns in 2016 (Japreet Grewal; April 27, 2016).

►Miscellaneous

Blog Entry

Regulating Bitcoin in India (Vipul Kharbanda; April 20, 2017).

Event

Amutha Arunachalam - Stand Shielded of Digital Rights (CIS; New Delhi; May 5, 2017).

Participation in Event

ISO/IEC JTC1/SC 27 Meetings (Organized by Bureau of Indian Standards; University of Waikato and Novotel; New Zealand; April 18 - 25, 2017). Udbhav Tiwari attended the meetings.

►Cyber Security

Event Organized

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (CIS; New Delhi; April 7, 2017).

Participation in Event

Brainstorming Session on the Global Conference on Cyberspace (GCCS 2017) (Organized by the Ministry of Electronics & Information Technology; New Delhi; April 12, 2017). Japreet Grewal attended the session.

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2017-newsletter

Microsoft says WannaCry ransomware must be a wake-up call for governments

praskrishna — 2017-06-07T00:55:40Z

Computer security experts said the current attack could have been much worse but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0. It has, however, retweeted a blog post by Brad Smith, president and chief legal officer at Microsoft, who directs much of the blame toward the USA government, arguing that it should have alerted the $524 billion tech titan about the problem.

The article was published in Journaldu Maghreb on May 20, 2017

"This is an emerging pattern in 2017", he continued. "We have seen vulnerabilities stored by the Central Intelligence Agency show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world", wrote Smith in a blog post on Sunday. Then there's the US government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen", Mr Smith wrote. Brad Smith, Microsoft's top lawyer, criticized US intelligence agencies for "stockpiling" software code that can be used by hackers. In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyberattacks on critical infrastructure and tech companies.

Cyber-security firm HumanFirewall said that on account of high use of pirated Windows operating system in India, it was more susceptible to the attack. Microsoft has connected previous exploits of its products released by the mysterious Shadow Brokers group to tools which were stolen from NSA cyber warfare operations. "All our systems are updated as required". This sophisticated, self-propagating malware was created to spread to all other computers on the same network after infecting one machine.

Estimates by law enforcement agency Europol estimated yesterday that more than 200,000 computers in 150 countries were infected, but with the worm continuing to spread to vulnerable Windows machines, that number will surely rise. When 22 year olds are the heroes of the anti-cyber attack fight, rather than the agencies tasked to defend countries against these types of threats, it is perhaps time to question what these organisations have been doing all this time? NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer. That dump included a vulnerability codenamed EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows Computer to another. Usually used by cyber criminals, ransomware is a popular means of making illicit money from victims who have to pay the criminals in order to have their data decrypted.

Today is likely to be painful for many organizations all over the world that took the weekend off and are returning to the work-week to find hundreds or thousands of computers on their networks encrypted by WannaCry ransomware, which surfaced Friday and has been propagating ever since. It was a stress-filled weekend for many IT workers this past weekend as the WannaCry ransomware attack spread, crippling Windows systems worldwide.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. "Otherwise they're literally fighting the problems of the present with tools from the past", he said. However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. This allowed users of the older systems to secure their computers without requiring an upgrade to the latest operating software.

For more details visit https://cis-india.org/internet-governance/news/journaldu-maghreb-may-20-2017-microsoft-says-wannacry-ransomware-must-be-a-wake-up-call

4th National Standards Conclave Evolving a Comprehensive National Strategy for Standards Sectoral and Regional Inclusiveness

praskrishna — 2017-05-20T08:06:15Z

Udbhav Tiwari represented CIS in the 4th National Standards Conclave held on the May 1 and 2, 2017 at The Lalit, New Delhi. The event was organized by the Ministry of Commerce and Industry and the Confederation of Indian Industry.

The event looked at creating a National Standards Strategy to focus on India's standardisation efforts in the global stage. The event also focused on the release on the National Standards Portal, a website that creats a one stop access of standards, technical regulations and TBT information. There were a few sessions that were useful in particular - the IT Standardisation, the Standards Portal and the theme paper for National Standards Strategy.

Download the Agenda

For more details visit https://cis-india.org/internet-governance/news/4th-national-standards-conclave-evolving-a-comprehensive-national-strategy-for-standards-sectoral-and-regional-inclusiveness

Will Aadhaar leaks be used as an excuse to shut out scrutiny of welfare schemes?

Anumeha Yadav — 2017-05-20T07:09:51Z

Aadhaar data of all 23 crore beneficiaries of Direct Benefit Transfer schemes could be publicly available, says a report by Centre for Internet and Society.

The blog post by Anumeha Yadav was published on Scroll on May 20, 2017.

In the past three months, there have been several reports about caches of Aadhaar data being publicly displayed on government websites across the country.

Personal information associated with the biometric-based 12-digit unique identification number, which the government wants every Indian resident to have, is mandated to be confidential under the Aadhaar Act, 2016.

But exactly how much Aadhaar data has been compromised by negligent government departments?

On May 2, researchers at the non-profit Centre for Internet and Society released a comprehensive report on the extent of the data breaches. They documented four government portals using Aadhaar for making payments and found that sensitive personal and financial information of nearly 13 crore people was being displayed on them, including details of about 10 crore bank accounts.

Two of the portals, for the Mahatma Gandhi National Rural Employment Guarantee Act and the National Social Assistance Programme, belong to the Union rural development ministry. The others are run by the Andhra Pradesh government for the workers’ insurance scheme Chandranna Bima and for filing Daily Online Payment Reports of MNREGA.

The researchers estimated that Aadhaar data of all 23 crore beneficiaries of the central government’s various Direct Benefit Transfer schemes could be publicly available. This means nearly a fifth of India’s population is potentially exposed to irreversible privacy harm, and financial and identity fraud.

The Unique Identification Authority of India, the agency which manages the Aadhaar database, however, and had earlier denied any breach of confidential data, has now reportedly said that such a data leak could only be the result of a potentially illegal hack attack and asked CIS to provide details of the persons involved in the data theft.

The rural development ministry, on its part, has changed how its MNREGA database is accessed, redacting Aadhaar numbers and bank account details of the beneficiaries. Senior officials of the ministry, however, denied making systemic changes in the wake of the Centre for Internet and Society report.

“The researchers claimed that financial information of over 10 crore individuals was available publicly, on pension and MNREGA portals,” said Nagesh Singh, additional secretary in the ministry, “but bank account details were displayed only on two state department websites of Andhra Pradesh and Telangana as these states are far advanced in transparency practices.”

“For all other states,” Singh added, “financial information and Aadhaar numbers were removed or masked last year. For pension schemes we masked the data in June 2016, and for MNREGA this data was removed in December. Even if any data was showing, it would only be for the particular block the resident is in, not for any other state workers.”

All this was done, he said, “because the UIDAI communicated to us that this information is sensitive and should not be displayed and the Aadhaar regulations prohibit display of Aadhaar numbers”. The Aadhaar (Sharing of Information) Regulations were introduced last September.

Contrary to Singh’s claims, social activists outside Andhra Pradesh and Telangana confirmed they could access bank account details of MNREGA workers until May 3. Only on May 4, two days after the Centre for Internet and Society report was released, did the details stop showing on the Management Information System.

“We could no longer access the electronic muster roll, and it started returning error messages,” said Ashish Ranjan of Jan Jagran Shakti Sangathan, a registered union of unorganised workers in Araria, Bihar. But until early May, he added, the Management Information System allowed anyone in any state to access the personal information of workers, even from other states.

Activists and beneficiaries relied on this system for two things. “Several of the new bank accounts have errors, and accessing this information directly helped get the discrepancies corrected without going to block level officials,” Ranjan explained. “It also helped track where the wages of workers were stuck.”

When activists asked why the data was no longer accessible, Ranjan said, rural development department officials said the Management Information System was changed “on the directions of the Supreme Court and the Union cabinet secretary.”

“This has been the pattern with the MNREGA MIS for long,” Ranjan said, referring to the information system. “Senior officials change access to a feature as they wish without clear processes or explanations.”

James Herenj, an activist with NREGA Watch, a non-profit which monitors the implementation of MNREGA in Jharkhand, had the same experience. “Bank account details were removed from the website last week,” he said, “this is a problem as we can no longer help MNREGA workers get data entry errors corrected.”

The Centre for Internet and Society researchers too contested the rural development ministry’s claim that Aadhaar numbers and bank account details were displayed only on Andhra Pradesh and Telangana government websites. They released a video clip showing them accessing bank account details and Aadhaar numbers of 801 MNREGA workers of Agara panchayat in Bengaluru through an internet search on March 25.

Screenshot of a Chandigarh Union Territory website displaying Aadhaar information.

Consent, please?

The Aadhaar Act, 2016 requires both government and private agencies to take informed consent before using a person’s Aadhaar for authentication, but there is little evidence that consent is sought before Aadhaar is seeded with personal and financial information.

Indeed, when the Supreme Court first permitted the voluntary use of Aadhaar for MNREGA in October 2015, Aadhaar numbers of 2.36 crore workers had already been seeded to their bank accounts, without the consent of over 99% of them.

The rural development ministry’s data shows that until June 2016, only about 4,10,000, or less than 1% of the 10.7 crore MNREGA workers, had agreed to Aadhaar-based payments. The ministry worked around this by organising “consent camps” to retrospectively collect proof of consent.

Poor standards

Writing in The Economic Times, Ram Sewak Sharma, chairperson of the Telecom Regulatory Authority of India and former director general of the Unique Identification Authority of India, argued that the reports about “Aadhaar leaks” on government websites failed to account for provisions of the Right to Information Act, 2005. Section 4 of this law provides for proactive disclosure of government decisions while Section 8 mandates public authorities to publish all information on welfare schemes, including details of beneficiaries.

This has created a situation, Sharma pointed out, where the transparency law may require even Aadhaar numbers of beneficiaries to be made public even though the Aadhaar Act mandates them to be confidential.

Right to Information activists, however, said the authorities were anything but devoted to the transparency law. Crucial information they seek on the efficacy of Aadhaar in welfare schemes is routinely denied.

“The government is willfully manipulating information systems to subvert details of biometric failures,” said Amrita Johri, a member of the National Campaign for People’s Right to Information and an activist with the Right to Food campaign, which has petitioned the Delhi High Court against Aadhaar being mandatory for food rations. “We have come across instances of ration cardholders being turned back because of fingerprints being falsely rejected, or network failure, but on the Delhi government’s website, this is shown as the beneficiaries not having come to the ration shop at all.”

“Similarly, the government claims it has removed bogus ration cards through Aadhaar,” Johri added, “but they do not show any administrative action if such bogus cards were really found through Aadhaar even though Section 4 of the RTI Act requires disclosure of such decisions.”

Jharkhand Directorate of Social Security displayed Aadhaar numbers, bank accounts numbers and transaction details of over 15 lakh pensioners.

Johri is concerned that the “Aadhaar leaks” could become an excuse to deny people “other useful information”. “When we requested officials to display how many biometric transaction were not successful, they told us that in a few days, they will remove the entire MIS as there had received orders from the food ministry to not display demographic data associated with Aadhaar,” she said. “But we pointed out that it was the creation of a single identification number that is the problem. Why should information on all other government schemes be removed?”

The Centre for Internet and Society report points out that while the law now makes Aadhaar numbers confidential, the government has failed to specify data masking standards. Section 6 of the Aadhaar Regulations lays down that no government or private agency should publish Aadhaar numbers unless they are redacted or blacked out “through appropriate means”.

But this is too vague, the report points out. “In some instances, the first four digits are masked while in others the middle digits are masked,” Srinivas Kodali, one of the authors of the report, explained, “which means someone with access to different databases can use tools for aggregation to reconstruct information hidden or masked in a particular database.”

Kodali said that for information other than Aadhaar numbers, each ministry and department is required to classify the data that is sensitive, restricted or open, which they have failed to do. “The National Data Sharing and Accessibility Policy, 2012 requires securing information of sensitive and restricted data but it does not recommend the ways to do it,” he said. “The standards around information disclosure and control do not exist, and the Ministry of Statistics expert committee on this was unable to suggest one last month.”

“Even for MNREGA data,” Kodali continued, “the Ministry of Rural Development’s chief data officer should have classified the financial information as restricted or open when the database was first created. But did they do this.”

Nagesh Singh, the additional secretary, however said his ministry “does not have a chief data officer to do this”. “The ministry’s economic advisor is the official responsible for categorising data and advises us on this,” he added.

For more details visit https://cis-india.org/internet-governance/news/scroll-may-20-2017-anumeha-yadav-will-aadhaar-leaks-be-used-as-an-excuse-to-shut-out-scrutiny-of-welfare-schemes

Aadhaar assurances fail to assuage privacy concerns

praskrishna — 2017-05-20T06:23:32Z

While Aadhaar may be secure from external attacks, a failsafe system hasn’t been developed to protect it from Edward Snowden-style leakages and hacks.

The article by Anirban Sen was published by Livemint on May 5, 2017. Pranesh Prakash was quoted.

As calls for a privacy and data protection law grow louder with each passing day amid reports of a central government ministry having made up to 130 million Aadhaar numbers public on its website, widespread concerns continue to emerge over loopholes in the security of the unique identification programme, though the man who created the system continues to defend the security and integrity of the system.

Most worryingly, a consensus is emerging among security and privacy experts, who have argued that while the Aadhaar system may be secure from external attacks, a failsafe system has not been developed to protect it from Edward Snowden-style internal leaks or hacks.

“(What has been suggested by the Unique Identification Authority of India and Nandan Nilekani) is that there will never be a data breach like what we saw in the US with the National Security Agency, Central Intelligence Agency, or Office of Personnel and Management breaches (data of federal government personnel, including more than 5.6 fingerprints, was leaked), or in Mexico or Turkey, or even in India when the department of defence was breached for cyber-espionage for multiple years without detection,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“While the system may be secure from external attacks, there is no failsafe system to make it invulnerable to Snowden-style breaches,” he added.

In an interview, former UIDAI chairman and Infosys Ltd co-founder Nandan Nilekani continued to defend the security of the system and said steps are being taken everyday to enhance the failsafe processes surrounding the system.

“I think the Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted—not compared to the original data, but to a digital minutiae. The point is that the system is very, very secure. So, if the objection is to centralization, then you should not have clouds. Clouds are also centralized,” said Nilekani. He added that Aadhaar was also safe from internal breaches, an assumption that is being challenged by security experts all across.

“Within seven years of its launch, the Aadhaar system has made a remarkable leap in terms of its security and privacy and it will keep improving things. Technology does not come through immaculate conception, where one morning some perfect technology is born. It has to evolve. It’s called learning by doing,” added Nilekani. He added that improving the security of the system is an ongoing process and conceded that a data protection and privacy law needs to be in place to supplement the current Aadhaar law.

“I know the government has sent a notice to everyone. If somebody has done it; they ought not to have done it—there’s a law for that,” said Nilekani when asked about recent instances of Aadhaar numbers being made public by government departments.

“We should have a data protection and privacy law which is an umbrella law, which looks at all these phenomena and certainly Aadhaar should be part of that. That’s perfectly fine—but people are behaving as if Aadhaar is the only reason why we should have a privacy law,” added Nilekani.

The last few weeks and months have witnessed a steady stream of negative news surrounding Aadhaar and three main cases are currently being fought in the Supreme Court, including one challenging the government’s decision to make the 12-digit ID mandatory for filing income tax returns as well as for obtaining and retaining a PAN Card.

Meanwhile, as Mint reported in April, questions are being raised on the Aadhaar biometric authentication failure rate in the rural job guarantee scheme in areas such as Telangana.

The report of Aadhaar numbers being listed on the government ministry website has caused widespread uproar, although a lawyer pointed out that it is not due to a breach in the Aadhaar system.

“It’s a misnomer to say this a leak because this was voluntarily, very actively put up there. A leak is when some information being kept securely gets breached somehow and comes out. Now, why is this information up on government websites? This is the problem of our government’s perception of transparency...The fact that the Aadhaar numbers are on the government website is not a flaw of the Aadhaar system, but it is a flaw of the understanding of what needs to be done to demonstrate transparency,” said Rahul Matthan, partner at Trilegal.

In a column in Mint, Matthan had also pointed out that while Aadhaar has been a transformative project, there remains enough scope of misusing the database.

“There is a legitimate fear that this identity technology will open us all up to discrimination, prejudice and the risk of identity theft,” Matthan wrote. “Aadhaar has given us the tools to harness data in large volumes. If used wisely, this technology can transform the nation. If not, it can cause us untold harm. We need to be prepared for the impending flood of data—we need to build dams, sluice gates and canals in its path so that we can guide its flow to our benefit.”

Even as both sides debate the issue of Aadhaar’s security, calls are getting louder to revamp the unique identification database.

“The point is that the UIDAI knows the device ID of the machine with which the biometric transaction took place along with the time and date, which means that by just using basic data analytics, any one with access to the transaction logs from the UIDAI (which have to be kept for a period of 5 years and 6 months) can have a complete view of a person’s Aadhaar-based interactions that are increasing day by day.”

“Further, the UIDAI has built up a biometric profile of the entire country. This means that courts can order UIDAI to provide law enforcement agencies the biometrics for an entire state (as the Bombay high court did) to check if they match against the fingerprints recovered from a crime scene. This too is surveillance, since it collects biometrics of all residents in advance rather than just that of criminal suspects,” said Prakash of CIS.

“The UIDAI could have chosen to derive unique 16 digit numbers from your Aadhaar number and provide a different one to each requesting entity. That would have prevented much of these fears. But the UIDAI did not opt for that more privacy-friendly design,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-5-2017-anirban-sen-aadhaar-assurances-fail-to-assuage-privacy-concerns

UIDAI goes after org that disclosed government departments were releasing Aadhaar data

Nikhil Pahwa — 2017-05-20T10:46:36Z

If there was ever a case of shoot the messenger, it is this.

The blog post by Nikhil Pahwa was published by Medianama on May 19, 2017. Pranesh Prakash was quoted.

The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet & Society suggesting that their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet is owed to a hack-attack, reports the Times of India. On being contacted by MediaNama, Pranesh Prakash, Policy Director at CIS told MediaNama that “We are waiting for an official copy of the letter, and once we receive it we will decide on our future course of action.” The UIDAI told MediaNama that they’ll get back to us, and declined to share a copy of the letter with MediaNama.

Read the full story on Medianama

For more details visit https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Suicide videos: Facebook beefs up team to monitor content

praskrishna — 2017-05-20T02:59:14Z

Responding to the spate of suicides being livestreamed, social media giant Facebook has announced it will add another 3,000 people to its 4,500-strong review team that moderates content. The review team will also work in tandem with law enforcement agencies on this issue.

The article by Kim Arora was published in the Times of India on May 5, 2017.

"Over the last few weeks, we've seen people hurting themselves and others on Facebook, either live or in video posted later. It's heartbreaking, and I've been reflecting on how we can do better for our community," Facebook co-founder and CEO Mark Zuckerberg wrote in a status update and added, "Over the next year, we'll be adding 3,000 people to our community operations team around the world, on top of the 4,500 we have today, to review the millions of reports we get every week, and improve the process for doing it quickly."

"...we'll keep working with local community groups and law enforcement who are in the best position to help someone if they need it, either because they're about to harm themselves, or because they're in danger from someone else," Zuckerberg added announcing the move.

Over the last year, several violent incidents and suicides have been streamed live on Facebook. In India last April, a young student went live on Facebook minutes before he jumped off the 19th floor of Taj Lands End hotel in Mumbai. The same month saw similar news coming out of the US and Thailand as well. A 49-year-old from Alabama went live on Facebook before shooting himself in the head. Another man from Bangkok made a video of hanging his 11-month-old daughter, and uploaded it to Facebook. He was later discovered to have killed himself too.

"It's a positive development that Facebook is adding human power and tools for dealing with hate speech, child abuse and suicide attempts. It would be interesting to see how Facebook coordinates with the Indian police departments to get an emergency response to a potential suicide attempt or attempt to harm someone else," says Rohini Lakshane, program officer, Center for Internet and Society, though she warns against false reports clogging up reviewers' feeds and police notifications.

On Facebook, a video, picture or any other piece of content reaches the review team after it is reported by users for flouting its "community guidelines".

Chinmayi Arun, research director at the Centre for Communication Governance, National Law University, Delhi, says Facebook must be transparent about this process. "Facebook should also announce how it is keeping this process accountable. It is a public platform of great importance which has been guilty of over-censorship in the past. It should be responsive not just to government censorship requests but also to user requests to review and reconsider its blocking of legitimate content," she says.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-kim-arora-may-5-2017-suicide-videos-facebook-beefs-up-team-to-monitor-content

World Press Freedom Day 2017

praskrishna — 2017-05-20T02:52:39Z

Udbhav Tiwari represented the Centre for Internet & Society at the World Press Day event organised by UNESCO and the Digital Empowerment Foundation (DEF) at UNESCO House, New Delhi on May 3, 2017.

The event had the release of two reports, one on Violence against Journalists in South Asia and one of Internet Shutdowns in India, with a panel accompanying the last one. The panel was quite interesting, with perspectives from Osama Manzar and a Editor from The Hoot standing out in particular about how social media websites are being used for rapid response governance and how these bans negatively affect those attempts. The agenda for the event is attached to this email.

Click to read about the Internet Shutdown report from the event.

For more details visit https://cis-india.org/internet-governance/news/world-press-freedom-day-2017

Developer releases WannaCry key-recovery tool for Windows XP

praskrishna — 2017-06-07T01:02:12Z

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. Unfortunately, however, a new variant of the program is already in the wild.

The article by Cirilo Laguardia was published by Hoyen TV on May 20, 2017.

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them. Eternal Blue was technically created to spy on key target points that the NSA deems necessary to.

Smith says cyberweapons require a new approach, and governments must "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits".

"We're looking at many decades of building complex systems - one on top of the other - with no effort to go back to fix what we did wrong along the way", said Wendy Nather, principal security strategist at Duo Security, who has worked in security for 22 years.

And while Smith says Microsoft and other tech companies need to take the lead on combatting these widespread attacks, he highlights the shared responsibility required to protect, detect and respond to threats.

Unfortunately, numerous millions of computers now still running the 2001 operating system never received those updates because their owners refused to pay for it.

WannaCry doesn't seem to be any more virulent or more expensive than other ransomware.

Make sure that your computer is up to date with its Windows updates.

In both cases, these computer owners are the digital equivalent of medical vaccine deniers.

While businesses that failed to update Microsoft's Windows-based computer systems could be sued over lax cyber security, Microsoft itself enjoys strong immunity from lawsuits. When a user clicks on the link, their computer and the information on it is held for ransom while being used to further spread the ransomware. Without doing a thing, when WannaCry came along nearly 2 months later, the machine was protected because the exploit it targeted had already been patched.

According to the company, "customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March". These are valid explanations for using obsolete software, but they are not excuses. Unfortunately, far too few people even bother.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the United States National Security Agency, has infected over 300,000 computers since last Friday, locking up their data and demanding a ransom payment to release it. This is to prevent the ransomware from using the unprotected Windows XP unit as a gateway.

Government agencies running obsolete software is also a huge problem.

While the federal government mostly avoided WannaCry infections, its processes highlight how hard it is for large organizations to modernize.

For more details visit https://cis-india.org/internet-governance/news/hoyen-tv-may-20-2017-cirilo-laguardia-developer-releases-wanna-cry-key-recovery-tool-for-windows-xp

Debate over #Aadhaar Turns Nasty as Critics Accuse Supporters of Online Trolling

praskrishna — 2017-06-07T13:09:10Z

Internet Freedom Foundation’s Kiran Jonnalagadda has alleged that iSPIRT and its co-founder Sharad Sharma set up fake Twitter profiles to harass, intimidate Aadhaar critics.

The article by Ajoy Ashirwad Mahaprahasta was published in the Wire on May 19, 2017.

As bizarre as this may sound, one of the founders of the Indian Software Products Industry Round Table (iSPIRT) – an influential think-tank closely associated with the Unique Identification Authority of India (UIDAI) – Sharad Sharma, is battling allegations of trolling anti-Aadhar campaigners through fake Twitter profiles.

Kiran Jonnalagadda, one of the founders of Internet Freedom Foundation (IFF), has alleged that a number of fake profiles started to troll him online earlier this month in response to his criticism of Aadhar on Twitter. Surprisingly, he said, one of the profiles –@confident_India – which trolled him was apparently operated by Sharma, considered highly influential within the IT and start-up industry and a governing council member of iSPIRT.

What is iSPIRT?

In 2013, a group of volunteers working with NASSCOM founded iSPIRT to represent the software products industry independently. It is widely known that many of these same volunteers also helped the UIDAI develop much of the initial Aadhaar infrastructure and ecosystem. According to Forbes India, iSPIRT helps Indian software product companies “draft and take policy proposals to government officials; create reusable ‘playbooks’ from successful companies that can be applied by others; and create ‘self-help communities’.” It aims to facilitate Indian software product companies, which build affordable and innovative technologies, get a footprint in sectors like health, education, infrastructure and create conditions so that they get an equal platform to compete with big multinationals.

In this mission, iSPIRT believes that Aadhaar-based technologies, which Indian software product companies may create, could help the Indian software product industry gain an advantage over multinationals, which may be skeptical about using Aadhaar. In other words, iSPIRT, one of the biggest advocates of Aadhaar, sees a commercial advantage to the increasing use of Aadhaar for many of the entrepreneurs associated with the Round Table. To this end, iSPIRT runs two initiatives – ProductNation and IndiaStack, a collection of open APIs for technology infrastructure projects like UPI and Aadhaar.

While the mission may sound fine, many of the Aadhaar advocates within iSPIRT have had to face questions from civil society, most of which have to do with the suspicion that Aadhaar could compromise online privacy. This, over the past few months, has led to heated social media battles between iSPIRT and anti-Aadhaar campaigners.

However, the debate took a darker turn when Jonnalagadda uploaded a video showing that the @Confident_India Twitter handle could be traced back to Sharma’s personal mobile phone number on Twitter. Sharma, has since then, apparently changed his number.

“It was only when I started to grow suspicious of the handle that I thought of using Sharma’s phone number to verify the account,” Jonnalagadda tells The Wire.

In an article – “Inside the mind of India’s chief tech stack evangelist” – where he narrates the events, he says “a flurry of newly created Twitter trolls accounts began heckling me about Aadhaar”.

Around 10 such handles started making unprovoked attacks on Jonnalagadda and another founder of IFF, Nikhil Pahwa, accusing them of being guided by “greed, profit, and deceit” for being in the “#AntiAadhaar brigade.”

As the argument continued, @confident_India called Jonnalgadda “pretentious” mouthing “highfalutin stuff” and “techno-babble”.

“All these did not perturb me as it was a part of routine arguments,” says Jonnalagadda.

However, in what he calls a “lightbulb moment”, he had the first inkling that Sharma could be operating the account of @confident_India through this thread:

“Sharad Sharma’s original account doesn’t follow any of these people on the thread. The conversation would not have shown on his timeline. Yet both @confident_India and Sharad Sharma made the same argument,” says Jonnalagadda.

Then, he says, Sharma gave it out. A question addressed to Sharad Sharma ended up being answered by @confident_India.

@Confident_India also went on a tirade against the IFF fellows and called them “JNUtype”, “ISISstooge” or belonging to Lutyens Delhi, insinuating that the IFF fellows are terrorists or largely belong to a certain social elite category of people.

When this prompted Jonnalagadda to verify the account with Sharma’s number, it matched. He later posted the video on his account.

An email from The Wire to Sharad Sharma remained unanswered at the time of writing.

However, soon after this alleged expose kicked off a Twitter war between the two groups, Sharad responded with a reply to Nikhil Pahwa’s tweet.

iSPIRT also responded in various online forums. “Sharad Sharma, co-founder of iSPIRT, named in these allegations is in the US for a medical emergency in his family. As of this morning, Eastern Standard Time, Sharad has categorically denied these allegations. We will further investigate the confusion around the alleged link of mobile number and clarify all outstanding questions. For the moment, we are prioritising the well-being of Sharad and his family,” says the organisation’s response.

“We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack” it added.

Interestingly, however, what has emerged out of the controversy is another allegation by the IFF that iSPIRT had made trolling part of its policy to counter Aadhaar’s “detractors.”

At a fellows meeting earlier this year in February, iSPIRT charted out a “Detractors Matrix” in which they categorised the anti-Aadhar campaigners into four categories, namely “misinformed, fearful, and engaging”, “informed, fearful and engaging”, “misinformed and trolling” and lastly, “informed yet trolling”. In an internal iSPIRT presentation, Reetika Khera, IIT professor and a renowned economist, and Nikhil Pahwa, IFF’s co-founder were shown as belonging to the last two categories.

To counter Aadhaar critics on online platforms, iSPIRT volunteers intended to group themselves into “archers” and “swordsmen” who would challenge their theories on Twitter and elsewhere.

iSPIRT has acknowledged discussing the “detractor matrix” in its reply to the allegation but dismissed it being equivalent to trolling, as Jonnalagadda alleges. Co-founder of iSPIRT, ThiyagaRajan Maruthavanan, while responding to allegations said that there was no official involvement on behalf of iSPIRT.

CIS allegations

Many of the pro-Aadhaar Twitter trolls, most noticeably Confident_India, have also lashed out at other Internet rights organisations. This includes the Bangalore-based Centre for Internet and Society (CIS) which last month released a report that claimed that over 100 million Aadhaar numbers were publicly exposed by four government websites. The Confident_India Twitter handle has alleged that CIS has violated foreign funding regulations (under the Foreign Contributions Regulations Act), that they are likely “funded by ISI” and that because of their “advocacy efforts”, the organisation should be shut down.

It should be noted that the Unique Identification Authority of India has also sent a sharp letter to CIS over its report and has suggested that some of the Aadhaar data that the report documented could not have been gotten through legal means.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-19-2017-ajoy-ashirwad-mahaprahasta-debate-over-aadhaar-turns-nasty-as-critics-accuse-supporters-of-online-trolling

Experts stress on need for enhanced security

praskrishna — 2017-05-20T06:13:19Z

With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.

The article was published in the New Indian Express on May 6, 2017. Pranesh Prakash was quoted.

Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.

“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.

The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.

Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.

He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”

Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security

Aadhaar data leak: Take precautions while sharing info on websites, MEITy tells all depts

praskrishna — 2017-05-19T14:59:38Z

‘Publishing identity info is in clear contravention of the provisions of the Aadhaar Act, 2016’

The article was published in the Indian Express on May 11, 2017.

In light of various Central and state government departments making public Aadhaar information of several users on their websites, the Ministry of Electronics and Information Technology (MEITy) has written to secretaries of all government departments asking them to sensitise the officials and take precautions while publishing or sharing data on their websites.

“It has come to notice that there have been instances wherein personal identity or information of residents, alongwith Aadhaar numbers and demographic information and other sensitive personal data such as bank details collected by ministries/departments, state departments for administration of welfare schemes etc. have been
published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24.

“Publishing identity information i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act, 2016 and constitutes an offence punishable with imprisonment up to three years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act, 2000 with violations liable to pay damages by way of compensation to persons affected,” she noted.

According to media reports, Aadhaar numbers of hundreds of thousands of pension beneficiaries were published on a state government website, and was followed by Chandigarh’s Food and Civil Supplies Department revealing the Aadhaar information of beneficiaries of public distribution system. Following Sundararajan’s letter, various central government ministries have issued advisories to sensitise the officials and the web information managers to comply with the IT Act.

Earlier this month, a report by non-profit organisation The Centre for Internet and Society noted that up to 13.5 crore Aadhaar numbers were exposed and were publicly available on government websites, with about 10 crore of these being linked to bank account details. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and Mahatma Gandhi National Rural Employment Guarantee Act, both under the rural development ministry. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the AP government: a daily online payments report under MGNREGA by the state government, and Chandranna Bima Scheme.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at,” the report stated.

The letter

“It has come to notice that there have been instances wherein…information of residents, alongwith Aadhaar numbers and demographic information…have been published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24

For more details visit https://cis-india.org/internet-governance/news/the-indian-express-may-11-2017-aadhaar-data-leak-take-precautions-while-sharing-info-on-websites-meity-tells-all-depts

Taking Cognisance of the Deeply Flawed System That Is Aadhaar

praskrishna — 2017-05-19T14:52:58Z

Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.

The article by Shreyashi Roy was published in the Wire on May 10, 2017.

With the leak of 130 million Aadhaar numbers recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.

SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.

Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.

The leaks

The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.

He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.

The system

One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.

Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is not being able to distinguish between aliens and citizens and has begun denying the latter benefits.

The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?

The legal aspect

One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.

There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?

Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.

With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?

Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.

What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar

Revisiting Aadhaar: Law, Tech and Beyond

praskrishna — 2017-05-19T14:47:32Z

Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.

The panel consisted of:

Saikat Datta; Policy Director, Centre for Internet and Society (Moderator)
Anivar Aravind; Founder/Director at Indic Project
Anupam Saraph; Professor and Future Designer
Prasanna S; Advocate
Shyam Divan; Senior Advocate, Supreme Court
Srinivas Kodali; Co-founder at Open Stats
Osama Manzar; Founder and Director, Digital Empowerment Foundation
Usha Ramanathan; Legal Researcher

The panel was quite enlightening (and Saikat was a stellar moderator), with Mr. Divan's elucidation on the arguments made in the court for the Aadhaar case in particular being a great learning experience. Benjamin and Sheetal (both interns in the Delhi office) along with Sumandro also attended the event.

The other learning was that for people who have attended multiple such panels/seminars and meetings on Aadhaar, they can have a lot of repeated content. I passed on the feedback to SFLC about how they could possibly include a small 10 to 15 minute session in future such panels on developments since the previous such event on the Aadhaar and include practical aspects about what people can do about minimising the harms that we are all slowly being co opted into facing with the system.

More info about the event here.

For more details visit https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond