We are anonymous, we are legion

Non human intelligence is closer than you think!

nishant — 2012-05-24T06:36:57Z

In one of the research projects that I have been involved in, I was recently a part of a jury, for a contest which required on-line voting. It sounded like a fun thing, giving the participants a chance to bring in their inherited networks and also expanding the reach of the contest entries.

Nishant Shah's article was published in FirstPost on April 25, 2012.

We were just about to close shop and announce the clear winners who had a landslide victory in the contest, when following up on a clue – a simple mismatch between the number of people who had visited the webpage and the number of votes polled – sniffed up by a colleague, we were suddenly faced with the suggestion that a lot of the votes cast in the contest were by non-human actors.

The first instincts for many of us involved were that an act of deception or fraud had happened. It felt natural, to most of us that when we asked for votes, we were specifically looking for human votes. Our relationship with technologies – digital or otherwise – has been primarily defined through usage. We use technologies so that we can perform an intended task. Especially with transparent and wearable portable technologies, we constantly think of them as disposable extensions which help execute our ideas and actions with efficiency.

In this one-way functional understanding of technologies, we often forget that these technologies are not merely tools. More often than not, the technologies that we interact with and engage with, shape the ways in which we look at the world. This is true even of the simplest of tools – If you have a hammer in your hand, the whole world appears to be a nail.

Within large-scale digital networks this becomes so much more complicated because the lines between human and non-human actors within those networks are very blurred. Our engagement with the network is not merely to use it as a conduit for communication. The network is an intelligent entity. It grows, learns, watches and responds to our different actions. There are actors within the network which can perform actions which might resemble, if they are not exactly the same, as the human actions in the same environment.

In fact, we are often faced with non-human actors – call them bots, scripts, artificial intelligence, or any other name – which are more efficient in performing certain repetitive and recursive actions which are necessary to sustain the network, that the human actor might be unable to cope with.

Think of your favourite social network and realise that there are so many ways by which the interface and the network, aided by a range of non-human actors, are interacting with you constantly to customise and ease your interactions within the network. Anthropomorphised guides give you tours of new applications. Email based bots notify of activity in your network. Sniffers detect your browser, your ISP, your connectivity speed, your browser, your access device, your preferred language, your customised settings, etc. to render the social network legible on your screen.

We increasingly depend upon these transparent workers, very much like the magical servants in Beast’s enchanted castle in the fairy tale about Beauty and the Beast. If you do a measure of who you interact with the most within a network you will quickly realise that what you actually interact with, within a network, is these non-human actors who facilitate your peer-2-peer connections in the digital domain.

And this is not limited to your social networking systems. As we move towards a more intuitive internet that operates through multiple nodes and forms pervasive and persuasive networks of being, we are increasingly living with non-human actors who can mimic life more efficiently in their native environments. The bots that perform edits on Wikipedia entries to clean the language and correct styles are made out of code.

Scripts that relay information about your usage so that it gets logged, tracked and visually presented in Google Analytics are also bits and bytes. The IVR that you use for your financial transactions or indeed the very systems which authenticate your credit card details, without you worrying about fraud is because it is done without human intervention. It is despite these transactions, or perhaps, because of it, that we refuse to think of technologies as sapient.

We often think of ourselves in technology terms and sometimes also Disnefy our gadgets by giving them names and talking of them as almost-human. However, when it comes to questions of actions or doing things, there is a false presumption that the human proposes and the technological does it, despite the contrary evidence that we generally have the technological dictating terms and us following them through within digital networks.

We resolved our small crisis by counting only the human votes. But that resolution is not one that we will be able to live with for long. We are soon going to enter worlds where the non-human actor in the network is going to have equal rights, agency, will and choices, and it will perform actions that will have equal credibility as the human one. If not more.

For more details visit https://cis-india.org/internet-governance/non-human-intelligence

Noida cyber cell gives tips on preventing WannaCry attack

praskrishna — 2017-06-07T01:18:22Z

The attackers targeted a weakness found in older versions of Microsoft Windows.

The article by Juana McKenzie was published in the World News Journal on May 20, 2017.

Since late last week, the WannaCry cyber scourge has blocked customers the world over from accessing their data - unless they paid a ransom using Bitcoin. Here's what you should do to protect yourself.

Third, and perhaps more important: like the emperor's new clothes, even this new-fangled ransomware isn't as sophisticated as it's cracked up to be. If you're unsure about the legitimacy of something, delete it.

When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School.

It pays to know the proper file extensions that are available.

If you happen to come across files such as worklog.doc.exe, or financial_statement.xls.scr, do not open them as the files are most likely malicious.

'And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today - nation-state action and organised criminal action'.

Then there's the USA government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

No. This strain of ransomware was spread from device to device by taking advantage of an old security hole in some versions of Microsoft's Windows operating system.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8. This included the release of the patch in March and an update on Friday to Windows Defender to detect the WannaCrypt attack.

As there are different types of ransomware, there is no single, easy solution to restore your computer if it has been infected. Enterprises need to test patches before installing them to ensure that they don't have compatibility issues with existing applications and break existing workflows.

Security experts have hailed Microsoft's decision to publicly call out the U.S. government and the NSA's decision to stockpile cyberweapons.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable", Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. Such software will act as the first line of defence by blocking auto downloads and actively scan for suspected threats on the PC.

The culprit was "ransomware" known as WanaCryptOr 2.0, or WannaCry.

Europol said a special task force at its European Cybercrime Centre was "specially created to assist in such investigations and will play an important role in supporting the investigation".

Kaspersky said it was seeking to develop a decryption tool "as soon as possible". If the ransomware has locked your entire PC, as WannaCry has done, combating it is more hard. Backups often are also out of date and missing critical information.

Cloud storage services such as Google Drive, Microsoft OneDrive, Dropbox and Box offer large amount of storage space for a monthly or yearly subscription fee.

For more details visit https://cis-india.org/internet-governance/news/world-news-journal-juana-mckenzie-may-20-2017-noida-cyber-cell-gives-tips-on-preventing-wannacry-attack

No, India did NOT oppose the United Nations move to “make internet access a human right”

Pranesh Prakash and Japreet Grewal — 2016-07-13T16:09:31Z

Last Friday, the United Nations Human Rights Council (UNHRC) passed a resolution titled “The promotion, protection and enjoyment of human rights on the Internet.”

The article by Pranesh Prakash and Japreet Grewal was published in Factordaily on July 13, 2016.

Several media outlets, including T he Verge, India Today, and BuzzFeed, reported that the resolution was ‘opposed’ by China, Russia, Saudi Arabia, South Africa and India. The Verge, for instance, reported that these countries “specifically opposed” a clause of the resolution that “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online and calls for all countries to refrain from such measures”. This is pure bunkum. Some media organisations have also been reporting that the UNHRC resolution “declares that access to the Internet is a human right”. This too is fiction.

What’s the truth? The UNHRC resolution covers wide ground, including the reaffirmations of two previous resolutions, which stated that the same rights that people have offline must also be protected online as well. As ARTICLE19, an international free speech NGO, notes: “The draft resolution goes further than its predecessors, including by stressing the importance of an accessible and open Internet to the achievement of the Sustainable Development Goals, as well as in calling for accountability for extrajudicial killings, arbitrary detentions and other violations against people for expressing themselves online.” Importantly, the resolution “unequivocally condemns” internet shutdowns, such as the one that happened in Kashmir just last week after security forces killed guerrilla Burhan Wani.

This resolution was, in fact, adopted without any opposition. So why the brouhaha over countries like India?

Here are the facts

There were four separate amendments, two of which were proposed by Belarus, China and Russia (referred as L85, L86 in this article) and the other two were proposed by Belarus, China, Russia and Iran (referred as L87 and L88). None of these amendments comment on the paragraph in the resolution that condemns intentional disruption of access or dissemination of internet services. So the headlines in most of the reports are just plain wrong. Let’s examine each of these four amendments one by one

In L85, an amendment was suggested to a paragraph that refers to past resolutions by the UNHRC and the UN General Assembly relating to freedom of expression and the right to privacy online. The amendment, which proposed including a reference to a previous UNHRC resolution on the rights of children online, was later withdrawn.

In L86 the proposed amendments both added and removed some text, and was hotly opposed by organisations like ARTICLE19. The proposed amendment said that the same rights people have offline must also be protected online, in particular, freedom of expression and the right to privacy, in accordance with articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR), a multilateral treaty adopted by the United National General Assembly to respect civil and political rights of individuals. Major additions: Some text on right to privacy and a reference to Article 17 of the ICCPR, which is about privacy. Major deletions: a reference to the Universal Declaration on Human Rights, and language stating that that freedom of expression is “applicable regardless of frontiers and through any media of one’s choice”, which is present in article 19 of the ICCPR. However, article 19 of the ICCPR is incorporated by reference even in the proposed amendment! So is there a real loss in purely legal terms? Not really.

The amendments in L87 sought to replace the term “human rights based approach” that stressed on the need to provide and expand access to the internet, and to replace it with the term “comprehensive and integrated approach.” The problem is that there is no clarity about what a “human rights based approach” to providing and expanding access to the internet is. What does it even mean? Is there a “human rights based approach” to spectrum auctions and spectrum sharing? Or the laying of fibre optic cables? Or anything else associated with internet access? If there is, indeed, a human rights based approach to providing and expanding access to the internet, it should be spelt out, rather than simply calling it that. Similarly, the term “comprehensive and integrated approach” is equally vague.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms.

Finally, in L88, the amendments proposed that the UN resolution should acknowledge concerns about using the internet and information technology for spreading ideas about “racial superiority or hatred, incitement to racial discrimination, xenophobia and related intolerance.” In the light of this, it is difficult to understand how adding concerns relating to hate speech to the resolution is seen as “being opposed” to online freedoms, especially when there is no direct action contemplated in the proposed amendment.

Indeed, in Paragraph 9, gender violence is mentioned, and in Paragraph 11, incitement to hatred is mentioned. Adding an additional, more specific reference can hardly be construed as being opposed to online freedoms. After all, states have a positive obligation to enact laws to prohibit hate speech under Article 20 (2) of the ICCPR, which is a centrepiece of international human rights law.

Even if one harbours reservations about these amendments, none of these amendments could be reasonably be characterised as “opposing” the condemnation of Internet shutdowns or “opposing” online freedoms. And factually, no states (including India, China, South Africa, Russia, and more) voted against the resolution.

A game of Chinese whispers

So why did so many prominent news organisations around the world get it so wrong? My theory is that it happened because organisation like ARTICLE19 put out press releases on what they perceived as the ‘weakening’ of the resolutions by the amendments examined above, and their regret that even democratic states like India and South Africa voted for these amendments. This was wrongly portrayed in much of the media as opposition by these countries to the resolution itself, to online freedoms, and particularly as opposition to the idea of condemning internet shutdowns. Thanks to the Chinese whispers nature of news reporting, this mistaken idea spread far and wide without any of the reporters bothering to check the original UN documents.

It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

However, regardless of the faulty reportage, there is a real crisis in India, with organisations like Medianama and the Software Freedom Law Centre having counted at least nine internet shutdowns this year alone, and at least 30 since 2013. It is shameful if India condemns internet shutdowns at the UNHRC while deploying them for purposes such as preventing cheating during an examinations, during Ganesha visarjan, during Eid, during wrestling matches, and during protests.

We at the Centre for Internet and Society have previously explained why a Gujarat High Court order allowing for an internet shutdown during riots was wrong in law, and violated our Constitution as well as our international human rights obligations. That is something the India media ought to be focussing far more on, but aren’t.

Lastly, it would also be welcome for the individual civil society organisations that signed an open letter to UNHRC members to explain why they too believed that these amendments would have significantly harmed our freedoms online. We see it instead as a case of ‘human rights politics’ being played out, when none of the proposed amendments would have had much of a negative legal impact, but only a political impact.

Should civil society organisations really get worked up about these?

Edited by: Pranav Dixit

For more details visit https://cis-india.org/internet-governance/blog/factordaily-pranesh-prakash-and-japreet-grewal-july-13-2016-no-india-did-not-oppose-un-move-to-make-internet-access-a-human-right

No UID Campaign in New Delhi - A Report

praskrishna — 2012-06-20T03:51:45Z

The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.

Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor. The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.

The UID proposes to take the finger prints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology exposed the flaws of the entire technical aspect of the UID project. He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system. Contrary to the claim of the UID authority, that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and there are many ways in which the technology can break, be inconsistent, or be inaccurate.

From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.

The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.

In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

The campaigners for No UID plans to hold further meetings across the country and lobby Parliamentarians in the coming months.

For more information contact: Mathew Thomas (Bangalore) mathew111983@gmaill.com, Elonnai Hickok (Bangalore) elonnai@cis-india.org , Sajan Venniyoor (Delhi): +91-9818453483 - Bobby Kunhu (Delhi): +91-9654510398

For more details visit https://cis-india.org/internet-governance/blog/no-uid-campaign

No to homosexuals, yes to their vote

praskrishna — 2014-04-04T09:54:39Z

The ad appears at the bottom of the page. It has BJP’s symbol and Modi’s photograph displayed prominently.

The article by Yogesh Pawar was published in DNA on March 21, 2014. Sunil Abraham is quoted.

In a hotly contested election where every vote will count, the scramble among political parties to scrounge for votes is understandable. Yet, what would you make of a party that hates a community but wants their votes? The BJP had opposed any move to nullify Supreme Court's order re-criminalizing consensual sex among consenting adults, dealing a huge setback to any move to scrap or dilute Section 377 of the Indian Penal Code (IPC). Party chief Rajnath Singh went to the extent of saying, "Gay sex is not natural and we cannot support something which is unnatural."

This is why the gay community across the country has expressed surprise to find a BJP ad asking for votes on the popular gay social media dating website grindr. The ad which will obviously lead to to a lot of red faces in the BJP, appears at the bottom of the page has both the party' lotus symbol and their prime-ministerial candidate Narendra Modi's photograph displayed prominently. It exhorts voters to vote BJP to stop price rise.

"This exposes the party's hypocrisy," guffawed India's pioneering gay rights activist Ashok Row Kavi. "So you want our votes and not us. I'm glad this has happened. The country will finally know the true face of falsehood of the party."

He's not alone. Many from the community have taken to social media sites like facebook and twitter to make their disgust known. Counselling psychologist Deepak Kashyap is one of them. "So, #BJP says it'd never support the "unnatural act" of homosexuality, but #NaMO has no qualms about asking for support on gay dating apps, like grindr! What a sham(e)!" he posted.

Linking most homophobia with an intense struggle with latent homosexuality Kashyap, the University of Bristol pass-out and equal rights activist for the LGBTQ community told dna, "Whatever makes you jump up in your chair, essentially makes you insecure about your own condition in some way or the other." According to him, similar results were shown in a research called 'Is Homophobia Associated with Homosexual Arousal?', by Georgia University published in the Journal of Abnormal Psychology.

When reached for comment, the BJP's National IT head Arvind Gupta said, "I am not aware of such an ad being placed on this website. If this is indeed true we will take it up with the advertising agency responsible." BJP spokesperson and Lok Sabha candidate from New Delhi Meenakshi Lekhi too told dna, "This is the first I am hearing of such an advertisement," and added, "In the first instance it seems like a deliberate act of mischief in the poll season to embarrass our party."

Centre for Internet and Society, Executive Director Sunil Abraham felt the ad on grindr may have to do more with the lack of knowledge than anything else. "We find many ads by top Indian corporate brands on pirate websites. This happens because people are still not completely conversant with negotiating with advertising networks when it comes to websites."

For more details visit https://cis-india.org/news/dna-march-21-2014-yogesh-pawar-no-to-homosexuals-yes-to-their-vote

No such rule, but many vaccination centres are insisting on Aadhaar as proof

Sreedevi Jayarajan — 2021-06-26T04:43:13Z

Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby.

The blog post by Sreedevi Jayarajan was published in the News Minute on June 4, 2021. Pranesh Prakash was quoted.

The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.

But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.

Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.

TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.

Co-Win does not insist on Aadhaar

A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.

Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.

While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.

TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.

A matter of convenience?

In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.

However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.

To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.

System does not support other ID proofs?

From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.

“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.

However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof

No party's got a clear stand, Aadhaar's fate hangs in balance

praskrishna — 2014-05-05T06:01:08Z

A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 13, 2014. Sunil Abraham is quoted.

Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.

Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.

While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”

Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.

On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”

The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.

In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.

Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”

For more details visit https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance

No more blocking of entire websites?

praskrishna — 2012-06-26T09:47:02Z

The Madras HC has taken one step to ensure that entire websites are no longer blocked, but it doesn't mean that arbitrary takedowns will cease.

CIS research is quoted in this article by Danish Sheikh published in the Business Standard on June 24, 2012

Vimeo’s back. As is Pastebin, and Pirate Bay and IsoHunt. For your, you know, legitimate file-sharing practices.

Having been approached by a consortium of Internet Service Providers, the Madras High Court has issued a welcome clarification of its “John Doe order” issued in favour of RK Productions for the films 3 and Dammu. Designed to protect against potential offences by yet-unidentified persons, the sweeping scope of the order left a very wide, undefined scope to ISPs dealing with potentially infringing material. The ISPs over-complied, a host of file-sharing websites were barred from Indian servers overnight — oh, and “Anonymous” got more annoyed. Note here that the vagueness of the order extended to not specifying any infringing websites in particular.

Following the representation from the ISPs, the Court has provided them a specific directive. The new order states that the interim injunction was granted only with respect to the particular URL which featured the infringing movie, and not the entire website. No more blocking entire websites — the ISPs are now required to be informed about the particulars of where the infringing movie is kept within 48 hours.

The clarification couldn’t have come at a more vital time, and will hopefully serve as a precedent to curb an alarming practice that can be traced back to 2002. Back then, the Delhi High Court was approached in a matter concerning the unauthorised transmission of Ten Sports by unlicensed cable operators. The result was the Court’s first John Doe order with respect to media transmission: a commissioner was appointed to search premises of unnamed cable operators and seize evidence by taking photographs and video films. This particular order was then relied on by the Court almost a decade later in pre-emptively injuncting piracy of UTV Software Communication’s Saat Khoon Maaf and Thank You. The trend escalated from there, with similar orders being obtained for a number of films including Don 2, Bodyguard, Kahaani and Department, to name a few.

Where the last few years have seen a steadily rising output of orders largely from the Delhi and Madras High Court, just last week it was the Bombay High Court that joined the fray. Approached by Viacom 18 Motion Pictures, it passed a John Doe pre-emptively banning the piracy of Viacom’s Gangs of Wasseypur prior to its June 22 release. Considering the Bombay High Court’s noted apprehension in granting ex-parte orders, this decision looked set to add further momentum to the John Doe juggernaut.

Instead, we get the Madras High Court’s welcome restraint. That vague injunctions are an abuse of process is a principle that has been noted time and again, with the Delhi High Court even noting that “vague and general injunction of anticipatory nature can never be granted”. This is coupled with the larger access to information and free speech issue that has been raised more vocally following the ire with the mass block of file-sharing websites. The antecedents to this scenario may well be the media infrastructure cases of the ‘50s and ‘60s, where newspaper content was indirectly being regulated by way of regulation of newsprint, advertisement space, etc. Recognising these indirect control mechanisms in their ultimate speech-restricting form, the Supreme Court struck them down as unreasonable restrictions to the right to free expression under Article 19(1)(a) of the Constitution.

Prevention isn’t always better than cure. The Madras High Court has thankfully taken one step in the direction. What is left dangling is the other big question — that of the intermediary rules. There may now be a barrier to blocking of entire websites in this manner, but as so many internet users have found, one doesn’t have to necessarily approach the Courts if they want internet service providers to take down content: the ISPs are happy to do that for free. As a Centre for Internet and Society study found, takedown requests sent to ISPs, no matter how trivial or flimsy, will for the most part be met by acquiescence of the order. Without appropriate checks and balances, the intermediary will over-comply.

While the ISPs’ intervention before the Madras High Court is an encouraging sign, it doesn’t mean that the arbitrary takedowns under the intermediary rules will cease to happen. The digital media site Medianama quotes an ISP representative citing concern that ISPs were being wrongfully vilified on the Internet — and (significantly) that it would adversely impact their business if video streaming was disabled for users. The same commercial considerations wouldn’t likely stand when it comes to the bit-by-bit requests that come forward under the IT rules. Along with focusing attention on the High Court’s clarification, we need to sustain the movement to strike down the intermediary rules and push for a more transparent and fair mechanism.

For more details visit https://cis-india.org/news/no-more-blocking-of-websites

No laws in India to protect customers if they lose money during digital transactions

praskrishna — 2016-12-02T17:07:02Z

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services.

The article by Alnoor Peermohamed was published by Business Standard on December 2, 2016. Sunil Abraham was quoted.

India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as the legal tender.

The Modi government's demonetisation move might have warranted an increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments is still kept largely under the ambit of the Information Technology Act.

"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove and doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.

While the Reserve Bank of India usually sets security and privacy standards for banks in the country, the various digital wallets such as Paytm, Freecharge and Mobikwik fall under the category of Non-banking Financial Corporations (NBFCs) excluding them from this. For FinTech companies, security compliance falls under just Section 43 A of the IT Act.

Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies.

Since the demonetisation on November 8, digital wallet firms such as Paytm have seen 35 million transactions by users to either buy goods and services, or transfer funds to another account. Rival Freecharge has tied up with police forces of Mumbai to pay traffic fines using its platform.

Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43 A.

"We have a minimal data protection law in our IT Act and that will apply to all the FinTech players. But our ISPs and Telcos don't comply with Section 43 A, so you can imagine in the FinTech sector the compliance will be even lower," says Sunil Abraham, Executive Director at CI

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services raised questions.

The RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal but on November 23, the banking regulator increased the limit to Rs 20,000 .

Just last week India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 100,000 by getting a KYC check done.

"There are no legal mechanisms available should there be disputes pertaining to digital payments,"aid Duggal. He added that there are no effective remedy mechanisms available in case money in the digital payment ecosystem gets lost, hacked, stolen or misused.

While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved. Under Section 43 A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must follow and is valid in the court of law during dispute resolution.

This move is encouraged by experts as governments often lack the bandwidth to define sectoral specific laws but is where private sector expertise can go a long way.

For more details visit https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions

No ID, no benefits: thousands could lose lifeline under India’s biometric scheme

praskrishna — 2017-03-22T14:27:25Z

Controversial Aadhaar card restricts fundamental rights, argue critics, limiting access to free school meals and exposing 1 billion people to privacy risks.

The article was published in the Guardian on March 21, 2017. Sumandro Chattapadhyay was quoted.

An Aadhaar biometric identity card, which will be mandatory for Indians to access many essential government services and benefits. Photograph: Bloomberg/Getty Images

Hundreds of thousands of people in India could be left without essential government services and benefits – including free school meals and uniforms, food subsidies and pensions – under new rules that make access to more than three dozen state-funded schemes conditional on showing identification.

Over the past month, citizens have been notified that they have to prove their identity with a biometric ID, known as an Aadhaar card, to be eligible to use various services. Booking railway tickets online, applying for some jobs, and getting fuel subsidies will also be dependent on showing the controversial card.

Aadhaar cards were introduced by the Indian government in 2009, and rolled out by prime minister Narendra Modi in 2014. They record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them, and saving billions of rupees by reducing welfare fraud.

The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar programme, says that more than 1.13 billion people have been enrolled on an official database. But activists say that hundreds of thousands of Indians and migrants are still undocumented and could miss out on their fundamental rights because of the new rules.

“What if a Facebook account was necessary to log in to the internet, and what if Facebook was owned by the government of the US?” asked Sumandro Chattapadhyay, research director at the Centre for Internet and Society (CIS), a thinktank with offices in Bangalore and Delhi. “We are building a system that will decide whether a child will eat or not on an afternoon based on [the] quality of internet connectivity and cleanliness of the child’s thumbprint.”

Chattapadhyay argued that Aadhaar, which is effectively being forced upon Indians, and which is used increasingly by private companies, exposed more than a billion people to huge privacy risks.

“The Aadhaar ID is being connected to digital communications via sim card registration, it is being connected to financial transactions via bank accounts, and all Indian citizens are being forced to enrol for it against the threat of losing out from welfare services,” he said.

“The potential of unmonitored and unregulated use of such linked data by the private sector is massive. It does not matter if the Indian state will finally go ahead with implementing this system or not. The fact that [it] is considering such a system is scary enough.”

Nanu Bhasin, spokesperson at the ministry of women and child development, confirmed that the order to link Aadhaar to government schemes had come directly from the Modi government. “There are leakages in the system,” she said. “This will plug leakages.”

Bhasin said Aadhaar was now mandatory: “You have to take it, it is necessary. You cannot take the right to a benefit if you don’t have the Aadhaar card.”

She said she did not know if those who did not want to enrol in the scheme because of potential privacy risks would still be able to receive benefits. “You have bank accounts, there you give all your details, everything. Why make a fuss [about privacy] for Aadhaar?” she said.

One of the most contentious new rules introduced this month, and coming into force in July, requires children to show Aadhaar cards to get free school meals. The notice led to a media storm in India, where malnutrition rates are high and nearly 60 million children are underweight.

On 7 March the government said alternative forms of ID would be accepted for free school meals where people did not yet have Aadhaar cards, and urged schools and childcare centres to enrol all attendees.

Activists argue that setting any barriers to free school meals is unethical and unconstitutional. Ambarish Rai, national convenor of the Right to Education Forum, said: “This is a very insensitive decision of the government. How can you make it mandatory? It is a clear-cut violation of the Right to Education Act 2009.”

Compulsory identification could deter school attendance if children struggle to get free school meals or uniforms, said Swati Narayan, visiting research scholar from the LSE and food activist. “India’s school meal programme covers almost 100 million children – the largest in the world. Instead of creating unnecessary barriers, the focus should be on how to improve these modest meals by adding eggs, fruit and nutritious foods to the menu.”

Glitches in the Aadhaar system have already led to reports of people being unfairly denied government subsidies. In February, the news website Scroll recorded a number of people in the state of Jharkhand being denied rice subsidies because of problems with Aadhaar card machines.

The constitutional validity of the government’s new orders is currently being debated in court, with questions raised as to whether the Indian parliament can restrict fundamental rights enshrined in the constitution, and whether the government has the power to force citizens to enrol.

In 2015, a supreme court order had ruled that the scheme was purely voluntary, and that it could not become mandatory with a court ruling. But in 2016, parliament passed the Aadhaar Act, which allowed the government to require identification for government services.

Khagesh Jha, a lawyer and activist, argued that the act was fundamentally unconstitutional. “Rescued children, children who have been trafficked or those who have been forced into child labour – [you] can’t expect them to hold an Aadhaar card or documents like a birth certificate. Right to education is a fundamental right, and is protected by the core of the constitution. It cannot be challenged by any other document.”

UIDAI, the agency overseeing Aadhaar, issued a statement saying the government had made savings of more than 490bn rupees (£6bn) in the past two and a half years, thanks to schemes linking government benefits to Aadhaar. It added that during the past seven years, there had been no report of a breach or leak of residents’ data.

For more details visit https://cis-india.org/internet-governance/news/the-guardian-march-21-2017-no-id-no-benefits

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips

No Fintech company meets every single privacy requirement under IT Act: CIS report

Shilpa S. Ranipeta — 2019-07-08T02:34:59Z

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.

A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-shilpa-s-ranipeta-june-10-2019-no-fintech-company-meets-every-single-privacy-requirement-under-it-act-cis-report

No fear of losing internet freedom till Jan 15: Experts

praskrishna — 2012-12-31T02:20:31Z

There is no need to get scared about losing internet freedom, at least till January 2015.

The article by Kim Arora was published in the Times of India on December 22, 2012. Pranesh Prakash is quoted.

That's the view of top telecom policy watchers, who closely monitored the World Conference on International Telecommunications (WCIT) of the International Telecommunication Union (ITU) that ended in uncertainty earlier this month in Dubai.

Policy experts say the changes affecting internet users in India, if any, would be slow and minor with little or no changes existing laws and governments largely retaining their current control. The resolutions are not binding and member-states are free to opt out of it. India is yet to ratify the treaty that lays out a broad framework on international co-operation over telecommunication resources.

The ITR (International Telecom Regulations), decided by the ITU were last updated in 1988 when the internet, as we know it today, did not exist. And the hullabaloo was caused by the proliferation of internet in the intervening years had created a lot of complications and misgiving among nation states. The Dubai conference also included alarmed internet evangelists who feared that the meeting would result in UN control of the internet. But with the US, the UK and several other countries vehemently refusing to sign on the dotted line, most decisions have been withheld till January 2015 when the treaty is expected to be ratified.

For more details visit https://cis-india.org/news/times-of-india-december-22-2012-kim-arora-no-fear-of-losing-internet-freedom-till-jan-15

No Civil Society Members in the Cyber Regulations Advisory Committee

pranesh — 2013-01-09T17:56:57Z

The Government of India has taken our advice and reconstituted the Cyber Regulations Advisory Commitee. But there is no representation of Internet users, citizens, and consumers — only government and industry interests.

In multiple op-eds (Indian Express and Mint), I have pointed out the need for the government to reconstitute the "Cyber Regulations Advisory Committee" (CRAC) under section 88 of the Information Technology Act. That it be reconstituted along the model of the Brazilian Internet Steering Committee was also part of the suggestions that CIS sent to the government after a meeting FICCI had convened along with the government on September 4, 2012.

Section 88 requires that people "representing the interests principally affected" by Internet policy or "having special knowledge of the subject matter" be present in this advisory body. The main function of the CRAC is to advise the the Central Government "either generally as regards any rules or for any other purpose connected with this Act".

Despite this important function, the CRAC had — till November 2012 — only ever met twice, both times in 2001. The response to an RTI informed us that the body had never provided any advice to the government.

Government Not Serious

The increasing pressure on the government for botching up Internet regulations has led it to reconstitute the CRAC. However, the list of members of the committee shows that the government is not serious about this committee representing "the interests primarily affected" by Internet policy.

Importantly, this goes against the express wish of the Shri Kapil Sibal, the Union Minister for Communications and IT, who has repeatedly stated that he believes that Internet-related policymaking should be an inclusive process. Most recently, at the 2012 Internet Governance Forum he stated that we need systems that are:

"collaborative, consultative, inclusive and consensual, for dealing with all public policies involving the Internet"

Interestingly, despite the Hon'ble Minster verbally inviting civil society organizations (on November 23, 2012) for a meeting of the CRAC that happened on November 25, 2012, the Department of Electronics and Information Technology refused to send us invitations for the meeting. This hints at a disconnect between the political and bureaucratic wings of the government, at least at some levels.

Interestingly, this isn't the first time this has been pointed out. Na. Vijayashankar was levelling similar criticisms against the CRAC way back in August 2000 when the original CRAC was constituted.

Breakdown by Stakeholder Groupings

While there is no one universal division of stakeholders in Internet governance, but four goups are widely recognized: governments (national and intergovernmental), industry, technical community, and civil society. Using that division, we get:

Government - 15 out of 22 members
Industry bodies - 6 out of 22 members
Technical community / Academia - 1 out of 22 members
Civil society - 0 out of 22 members.

List of Members of Cyber Regulatory Advisory Committee

The official notification (G.S.R. 827(E)) is available on the DEIT website and came into force on November 16, 2012.

(Note: Names with ~~strikethroughs~~ have been removed from the CRAC since 2000, and those with emphasis have been added.)

Minister, Ministry of Communication and Information Technology - Chairman
Minister of State, Ministry of Communications and Information Technology - Member
Secretary, Ministry of Communication and Information Technology, Department of Electronics and Information Technology - Member
Secretary, Department of Telecommunications - Member
~~Finance Secretary - Member~~
Secretary, Legislative Department - Member
Secretary, Department of Legal Affairs - Member
~~Shri T.K. Vishwanathan, Presently Member Secretary, Law Commission - Member~~
Secretary, Ministry of Commerce - Member
Secretary, Ministry of Home Affairs - Member
Secretary, Ministry of Defence - Member
Deputy Governor, Reserve Bank of India - Member
Information Technology Secretary from the states by rotation - Member
Director, IIT by rotation from the IITs - Member
Director General of Police from the States by rotation - Member
President, NASSCOM - Member
President, Internet Service Provider Association - Member
Director, Central Bureau of Investigation - Member
Controller of Certifying Authority - Member
Representative of CII - Member
Representative of FICCI - Member
Representative of ASSOCHAM - Member
President, Computer Society of India - Member
Group Coordinator, Department of Electronic and Information Technology - Member Secretary

For more details visit https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy