We are anonymous, we are legion

No such rule, but many vaccination centres are insisting on Aadhaar as proof

Sreedevi Jayarajan — 2021-06-26T04:43:13Z

Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby.

The blog post by Sreedevi Jayarajan was published in the News Minute on June 4, 2021. Pranesh Prakash was quoted.

The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.

But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.

Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.

TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.

Co-Win does not insist on Aadhaar

A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.

Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.

While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.

TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.

A matter of convenience?

In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.

However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.

To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.

System does not support other ID proofs?

From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.

“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.

However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof

No party's got a clear stand, Aadhaar's fate hangs in balance

praskrishna — 2014-05-05T06:01:08Z

A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 13, 2014. Sunil Abraham is quoted.

Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.

Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.

While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”

Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.

On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”

The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.

In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.

Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”

For more details visit https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance

No more blocking of entire websites?

praskrishna — 2012-06-26T09:47:02Z

The Madras HC has taken one step to ensure that entire websites are no longer blocked, but it doesn't mean that arbitrary takedowns will cease.

CIS research is quoted in this article by Danish Sheikh published in the Business Standard on June 24, 2012

Vimeo’s back. As is Pastebin, and Pirate Bay and IsoHunt. For your, you know, legitimate file-sharing practices.

Having been approached by a consortium of Internet Service Providers, the Madras High Court has issued a welcome clarification of its “John Doe order” issued in favour of RK Productions for the films 3 and Dammu. Designed to protect against potential offences by yet-unidentified persons, the sweeping scope of the order left a very wide, undefined scope to ISPs dealing with potentially infringing material. The ISPs over-complied, a host of file-sharing websites were barred from Indian servers overnight — oh, and “Anonymous” got more annoyed. Note here that the vagueness of the order extended to not specifying any infringing websites in particular.

Following the representation from the ISPs, the Court has provided them a specific directive. The new order states that the interim injunction was granted only with respect to the particular URL which featured the infringing movie, and not the entire website. No more blocking entire websites — the ISPs are now required to be informed about the particulars of where the infringing movie is kept within 48 hours.

The clarification couldn’t have come at a more vital time, and will hopefully serve as a precedent to curb an alarming practice that can be traced back to 2002. Back then, the Delhi High Court was approached in a matter concerning the unauthorised transmission of Ten Sports by unlicensed cable operators. The result was the Court’s first John Doe order with respect to media transmission: a commissioner was appointed to search premises of unnamed cable operators and seize evidence by taking photographs and video films. This particular order was then relied on by the Court almost a decade later in pre-emptively injuncting piracy of UTV Software Communication’s Saat Khoon Maaf and Thank You. The trend escalated from there, with similar orders being obtained for a number of films including Don 2, Bodyguard, Kahaani and Department, to name a few.

Where the last few years have seen a steadily rising output of orders largely from the Delhi and Madras High Court, just last week it was the Bombay High Court that joined the fray. Approached by Viacom 18 Motion Pictures, it passed a John Doe pre-emptively banning the piracy of Viacom’s Gangs of Wasseypur prior to its June 22 release. Considering the Bombay High Court’s noted apprehension in granting ex-parte orders, this decision looked set to add further momentum to the John Doe juggernaut.

Instead, we get the Madras High Court’s welcome restraint. That vague injunctions are an abuse of process is a principle that has been noted time and again, with the Delhi High Court even noting that “vague and general injunction of anticipatory nature can never be granted”. This is coupled with the larger access to information and free speech issue that has been raised more vocally following the ire with the mass block of file-sharing websites. The antecedents to this scenario may well be the media infrastructure cases of the ‘50s and ‘60s, where newspaper content was indirectly being regulated by way of regulation of newsprint, advertisement space, etc. Recognising these indirect control mechanisms in their ultimate speech-restricting form, the Supreme Court struck them down as unreasonable restrictions to the right to free expression under Article 19(1)(a) of the Constitution.

Prevention isn’t always better than cure. The Madras High Court has thankfully taken one step in the direction. What is left dangling is the other big question — that of the intermediary rules. There may now be a barrier to blocking of entire websites in this manner, but as so many internet users have found, one doesn’t have to necessarily approach the Courts if they want internet service providers to take down content: the ISPs are happy to do that for free. As a Centre for Internet and Society study found, takedown requests sent to ISPs, no matter how trivial or flimsy, will for the most part be met by acquiescence of the order. Without appropriate checks and balances, the intermediary will over-comply.

While the ISPs’ intervention before the Madras High Court is an encouraging sign, it doesn’t mean that the arbitrary takedowns under the intermediary rules will cease to happen. The digital media site Medianama quotes an ISP representative citing concern that ISPs were being wrongfully vilified on the Internet — and (significantly) that it would adversely impact their business if video streaming was disabled for users. The same commercial considerations wouldn’t likely stand when it comes to the bit-by-bit requests that come forward under the IT rules. Along with focusing attention on the High Court’s clarification, we need to sustain the movement to strike down the intermediary rules and push for a more transparent and fair mechanism.

For more details visit https://cis-india.org/news/no-more-blocking-of-websites

No laws in India to protect customers if they lose money during digital transactions

praskrishna — 2016-12-02T17:07:02Z

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services.

The article by Alnoor Peermohamed was published by Business Standard on December 2, 2016. Sunil Abraham was quoted.

India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as the legal tender.

The Modi government's demonetisation move might have warranted an increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments is still kept largely under the ambit of the Information Technology Act.

"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove and doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.

While the Reserve Bank of India usually sets security and privacy standards for banks in the country, the various digital wallets such as Paytm, Freecharge and Mobikwik fall under the category of Non-banking Financial Corporations (NBFCs) excluding them from this. For FinTech companies, security compliance falls under just Section 43 A of the IT Act.

Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies.

Since the demonetisation on November 8, digital wallet firms such as Paytm have seen 35 million transactions by users to either buy goods and services, or transfer funds to another account. Rival Freecharge has tied up with police forces of Mumbai to pay traffic fines using its platform.

Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43 A.

"We have a minimal data protection law in our IT Act and that will apply to all the FinTech players. But our ISPs and Telcos don't comply with Section 43 A, so you can imagine in the FinTech sector the compliance will be even lower," says Sunil Abraham, Executive Director at CI

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services raised questions.

The RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal but on November 23, the banking regulator increased the limit to Rs 20,000 .

Just last week India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 100,000 by getting a KYC check done.

"There are no legal mechanisms available should there be disputes pertaining to digital payments,"aid Duggal. He added that there are no effective remedy mechanisms available in case money in the digital payment ecosystem gets lost, hacked, stolen or misused.

While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved. Under Section 43 A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must follow and is valid in the court of law during dispute resolution.

This move is encouraged by experts as governments often lack the bandwidth to define sectoral specific laws but is where private sector expertise can go a long way.

For more details visit https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions

No ID, no benefits: thousands could lose lifeline under India’s biometric scheme

praskrishna — 2017-03-22T14:27:25Z

Controversial Aadhaar card restricts fundamental rights, argue critics, limiting access to free school meals and exposing 1 billion people to privacy risks.

The article was published in the Guardian on March 21, 2017. Sumandro Chattapadhyay was quoted.

An Aadhaar biometric identity card, which will be mandatory for Indians to access many essential government services and benefits. Photograph: Bloomberg/Getty Images

Hundreds of thousands of people in India could be left without essential government services and benefits – including free school meals and uniforms, food subsidies and pensions – under new rules that make access to more than three dozen state-funded schemes conditional on showing identification.

Over the past month, citizens have been notified that they have to prove their identity with a biometric ID, known as an Aadhaar card, to be eligible to use various services. Booking railway tickets online, applying for some jobs, and getting fuel subsidies will also be dependent on showing the controversial card.

Aadhaar cards were introduced by the Indian government in 2009, and rolled out by prime minister Narendra Modi in 2014. They record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them, and saving billions of rupees by reducing welfare fraud.

The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar programme, says that more than 1.13 billion people have been enrolled on an official database. But activists say that hundreds of thousands of Indians and migrants are still undocumented and could miss out on their fundamental rights because of the new rules.

“What if a Facebook account was necessary to log in to the internet, and what if Facebook was owned by the government of the US?” asked Sumandro Chattapadhyay, research director at the Centre for Internet and Society (CIS), a thinktank with offices in Bangalore and Delhi. “We are building a system that will decide whether a child will eat or not on an afternoon based on [the] quality of internet connectivity and cleanliness of the child’s thumbprint.”

Chattapadhyay argued that Aadhaar, which is effectively being forced upon Indians, and which is used increasingly by private companies, exposed more than a billion people to huge privacy risks.

“The Aadhaar ID is being connected to digital communications via sim card registration, it is being connected to financial transactions via bank accounts, and all Indian citizens are being forced to enrol for it against the threat of losing out from welfare services,” he said.

“The potential of unmonitored and unregulated use of such linked data by the private sector is massive. It does not matter if the Indian state will finally go ahead with implementing this system or not. The fact that [it] is considering such a system is scary enough.”

Nanu Bhasin, spokesperson at the ministry of women and child development, confirmed that the order to link Aadhaar to government schemes had come directly from the Modi government. “There are leakages in the system,” she said. “This will plug leakages.”

Bhasin said Aadhaar was now mandatory: “You have to take it, it is necessary. You cannot take the right to a benefit if you don’t have the Aadhaar card.”

She said she did not know if those who did not want to enrol in the scheme because of potential privacy risks would still be able to receive benefits. “You have bank accounts, there you give all your details, everything. Why make a fuss [about privacy] for Aadhaar?” she said.

One of the most contentious new rules introduced this month, and coming into force in July, requires children to show Aadhaar cards to get free school meals. The notice led to a media storm in India, where malnutrition rates are high and nearly 60 million children are underweight.

On 7 March the government said alternative forms of ID would be accepted for free school meals where people did not yet have Aadhaar cards, and urged schools and childcare centres to enrol all attendees.

Activists argue that setting any barriers to free school meals is unethical and unconstitutional. Ambarish Rai, national convenor of the Right to Education Forum, said: “This is a very insensitive decision of the government. How can you make it mandatory? It is a clear-cut violation of the Right to Education Act 2009.”

Compulsory identification could deter school attendance if children struggle to get free school meals or uniforms, said Swati Narayan, visiting research scholar from the LSE and food activist. “India’s school meal programme covers almost 100 million children – the largest in the world. Instead of creating unnecessary barriers, the focus should be on how to improve these modest meals by adding eggs, fruit and nutritious foods to the menu.”

Glitches in the Aadhaar system have already led to reports of people being unfairly denied government subsidies. In February, the news website Scroll recorded a number of people in the state of Jharkhand being denied rice subsidies because of problems with Aadhaar card machines.

The constitutional validity of the government’s new orders is currently being debated in court, with questions raised as to whether the Indian parliament can restrict fundamental rights enshrined in the constitution, and whether the government has the power to force citizens to enrol.

In 2015, a supreme court order had ruled that the scheme was purely voluntary, and that it could not become mandatory with a court ruling. But in 2016, parliament passed the Aadhaar Act, which allowed the government to require identification for government services.

Khagesh Jha, a lawyer and activist, argued that the act was fundamentally unconstitutional. “Rescued children, children who have been trafficked or those who have been forced into child labour – [you] can’t expect them to hold an Aadhaar card or documents like a birth certificate. Right to education is a fundamental right, and is protected by the core of the constitution. It cannot be challenged by any other document.”

UIDAI, the agency overseeing Aadhaar, issued a statement saying the government had made savings of more than 490bn rupees (£6bn) in the past two and a half years, thanks to schemes linking government benefits to Aadhaar. It added that during the past seven years, there had been no report of a breach or leak of residents’ data.

For more details visit https://cis-india.org/internet-governance/news/the-guardian-march-21-2017-no-id-no-benefits

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips

No Fintech company meets every single privacy requirement under IT Act: CIS report

Shilpa S. Ranipeta — 2019-07-08T02:34:59Z

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.

A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-shilpa-s-ranipeta-june-10-2019-no-fintech-company-meets-every-single-privacy-requirement-under-it-act-cis-report

No fear of losing internet freedom till Jan 15: Experts

praskrishna — 2012-12-31T02:20:31Z

There is no need to get scared about losing internet freedom, at least till January 2015.

The article by Kim Arora was published in the Times of India on December 22, 2012. Pranesh Prakash is quoted.

That's the view of top telecom policy watchers, who closely monitored the World Conference on International Telecommunications (WCIT) of the International Telecommunication Union (ITU) that ended in uncertainty earlier this month in Dubai.

Policy experts say the changes affecting internet users in India, if any, would be slow and minor with little or no changes existing laws and governments largely retaining their current control. The resolutions are not binding and member-states are free to opt out of it. India is yet to ratify the treaty that lays out a broad framework on international co-operation over telecommunication resources.

The ITR (International Telecom Regulations), decided by the ITU were last updated in 1988 when the internet, as we know it today, did not exist. And the hullabaloo was caused by the proliferation of internet in the intervening years had created a lot of complications and misgiving among nation states. The Dubai conference also included alarmed internet evangelists who feared that the meeting would result in UN control of the internet. But with the US, the UK and several other countries vehemently refusing to sign on the dotted line, most decisions have been withheld till January 2015 when the treaty is expected to be ratified.

For more details visit https://cis-india.org/news/times-of-india-december-22-2012-kim-arora-no-fear-of-losing-internet-freedom-till-jan-15

No Civil Society Members in the Cyber Regulations Advisory Committee

pranesh — 2013-01-09T17:56:57Z

The Government of India has taken our advice and reconstituted the Cyber Regulations Advisory Commitee. But there is no representation of Internet users, citizens, and consumers — only government and industry interests.

In multiple op-eds (Indian Express and Mint), I have pointed out the need for the government to reconstitute the "Cyber Regulations Advisory Committee" (CRAC) under section 88 of the Information Technology Act. That it be reconstituted along the model of the Brazilian Internet Steering Committee was also part of the suggestions that CIS sent to the government after a meeting FICCI had convened along with the government on September 4, 2012.

Section 88 requires that people "representing the interests principally affected" by Internet policy or "having special knowledge of the subject matter" be present in this advisory body. The main function of the CRAC is to advise the the Central Government "either generally as regards any rules or for any other purpose connected with this Act".

Despite this important function, the CRAC had — till November 2012 — only ever met twice, both times in 2001. The response to an RTI informed us that the body had never provided any advice to the government.

Government Not Serious

The increasing pressure on the government for botching up Internet regulations has led it to reconstitute the CRAC. However, the list of members of the committee shows that the government is not serious about this committee representing "the interests primarily affected" by Internet policy.

Importantly, this goes against the express wish of the Shri Kapil Sibal, the Union Minister for Communications and IT, who has repeatedly stated that he believes that Internet-related policymaking should be an inclusive process. Most recently, at the 2012 Internet Governance Forum he stated that we need systems that are:

"collaborative, consultative, inclusive and consensual, for dealing with all public policies involving the Internet"

Interestingly, despite the Hon'ble Minster verbally inviting civil society organizations (on November 23, 2012) for a meeting of the CRAC that happened on November 25, 2012, the Department of Electronics and Information Technology refused to send us invitations for the meeting. This hints at a disconnect between the political and bureaucratic wings of the government, at least at some levels.

Interestingly, this isn't the first time this has been pointed out. Na. Vijayashankar was levelling similar criticisms against the CRAC way back in August 2000 when the original CRAC was constituted.

Breakdown by Stakeholder Groupings

While there is no one universal division of stakeholders in Internet governance, but four goups are widely recognized: governments (national and intergovernmental), industry, technical community, and civil society. Using that division, we get:

Government - 15 out of 22 members
Industry bodies - 6 out of 22 members
Technical community / Academia - 1 out of 22 members
Civil society - 0 out of 22 members.

List of Members of Cyber Regulatory Advisory Committee

The official notification (G.S.R. 827(E)) is available on the DEIT website and came into force on November 16, 2012.

(Note: Names with ~~strikethroughs~~ have been removed from the CRAC since 2000, and those with emphasis have been added.)

Minister, Ministry of Communication and Information Technology - Chairman
Minister of State, Ministry of Communications and Information Technology - Member
Secretary, Ministry of Communication and Information Technology, Department of Electronics and Information Technology - Member
Secretary, Department of Telecommunications - Member
~~Finance Secretary - Member~~
Secretary, Legislative Department - Member
Secretary, Department of Legal Affairs - Member
~~Shri T.K. Vishwanathan, Presently Member Secretary, Law Commission - Member~~
Secretary, Ministry of Commerce - Member
Secretary, Ministry of Home Affairs - Member
Secretary, Ministry of Defence - Member
Deputy Governor, Reserve Bank of India - Member
Information Technology Secretary from the states by rotation - Member
Director, IIT by rotation from the IITs - Member
Director General of Police from the States by rotation - Member
President, NASSCOM - Member
President, Internet Service Provider Association - Member
Director, Central Bureau of Investigation - Member
Controller of Certifying Authority - Member
Representative of CII - Member
Representative of FICCI - Member
Representative of ASSOCHAM - Member
President, Computer Society of India - Member
Group Coordinator, Department of Electronic and Information Technology - Member Secretary

For more details visit https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Ninth Workshop on Media Economics

praskrishna — 2011-11-28T09:12:24Z

The Higher School of Economics and the New Economic School have joined hands to organize the ninth workshop on media economics in Moscow on October 28 and 29, 2011. All events are scheduled to take place in Marriott Courtyard, a hotel in the centre of Moscow within 10-minute walking distance from the Kremlin, the Red Square, and the Bolshoi Theatre.

Workshop Program

Friday, October 28, 2011

8:00 a.m. Morning coffee

8:45 a.m. Opening remarks

Media markets - 1: Newspapers, Mergers, and Diversity

9:00 a.m. Michal MASIKA, University of Munich

"Free commuter newspapers and the market for paid-for daily newspapers"

Discussant: Sergey V. Popov, Higher School of Economics

9:40 a.m. Lapo FILISTRUCCHI, Tilburg University and University of Florence

Tobias J. Klein, Tilburg University

Thomas Michielsen, Tilburg University

"Merger Simulation in a Two-Sided Market: The Case of the Dutch Daily Newspapers"

Discussant: Lars Sørgard, Norwegian School of Economics

10:20 a.m. Lisa GEORGE, Hunter College, City University of New York

Felix Oberholzer-Gee, Harvard Business School

"Diversity in Local Television News"

Discussant: François Keslair, Paris School of Economics

11:00 a.m. Coffee break

Media markets and Internet - 1: Advertising and Search Engines

11:30 a.m. Alexandre de CORNIÈRE, Paris School of Economics

"Search advertising"

Discussant: Simon Anderson, University of Virginia

12:10 p.m. Alexander WHITE, Tsinghua University School of Economics and Management

Kamal Jain, Microsoft Research

"The Attention Economy of Search and Web Advertisement"

Discussant: Sergei Izmalkov, New Economic School

12:50 p.m. Lunch

Political Economy - 1: Media, Elites, and the Groups of Influence

2:00 p.m. Leopoldo FERGUSSON, Universidad de Los Andes

"Media Markets, Special Interests, and Voters"

Discussant: Alexei V. Zakharov, Higher School of Economics

2:40 p.m. David STRÖMBERG, IIES at Stockholm University

Ben Qin, IIES at Stockholm University

Yanhui Wu, USC Marshall School of Business

"Determinants of Media Capture in China"

Discussant: Maria Petrova, New Economic School

3:20 p.m. Daniel STONE, Oregon State University

"Media and Gridlock"

Discussant: Elena Panova, Academy of National Economy and Gaidar Institute

4:00 p.m. Coffee break

Media markets and Internet - 2: Internet Effects and Offline Media Markets

4:30 p.m. Joel WALDFOGEL, University of Minnesota

"Bye, Bye, Miss American Pie? The Supply of New Recorded Music since Napster"

Discussant: Ruben Enikolopov, New Economic School

5:10 p.m. Ignacio FRANCESCHELLI, Northwestern University

"When the Ink is Gone: The Impact of Internet on News Coverage"

Discussant: Ruben Durante, Sciences Po Paris

5:50 p.m. Adjourn

7:00 p.m. Dinner

Saturday October 29th

8:00 a.m. Morning Coffee

Media markets - 2: Interactions in Traditional and Digital Media Industry

9:00 a.m. Harald Nygård Bergh, Norwegian School of Economics

Hans Jarle KIND, Norwegian School of Economics

Bjørn-Atle Reme, Norwegian School of Economics

Lars Sørgard, Norwegian School of Economics

"Competition between Content Distributors in Two-Sided Markets"

Discussant: Guido Friebel, Goethe University Frankfurt

9:40 a.m. Larbi Alaoui, Universitat Pompeu Fabra

Fabrizio GERMANO, Universitat Pompeu Fabra

"Time Scarcity and the Market for News"

Discussant: Sergei Guriev, New Economic School

10:20 a.m. Coffee break

Political Economy - 2: Media Effects

10:50 a.m. Francesco Drago, University of Naples

Tommaso Nannicini, Bocconi University

Francesco SOBBRIO, IMT Lucca

"Newspapers, Local News and Electoral Politics"

Discussant: Ekaterina Zhuravskaya, Paris School of Economics

11:30 p.m. Julia CAGÉ, Harvard University

François Keslair, Paris School of Economics

"Trash Media and the Decline of Turnout: Theory and Evidence from Local Media Competition in France, 1944-2010"

Discussant: Francesco Sobbrio, IMT Lucca

12:10 p.m. Parallel events (choose your favorite):

Lunch - or -

Global New Media Policy

Roundtable (with refreshments, RSVP required, more details here)

Pedro MIZUKAMI, FGV Center for Technology and Society, Rio de Janeiro, Brazil

Sunil ABRAHAM, Centre for Internet and Society, Bangalore, India

Bruce ETLING and Robert FARIS, Berkman Center for Internet and Society, Harvard University, United States

Marina ZHUNICH, Google Russia

Media markets - 3: Media Bias

2:00 p.m. Stefano DELLAVIGNA, UC Berkeley

Alec Kennedy, San Francisco Federal Reserve Bank

“Does Media Concentration Lead to Biased Coverage? Evidence from Movie Reviews”

Discussant: Joel Waldfogel, University of Minnesota

2:40 p.m. Matthias HEINZ, Goethe University Frankfurt

Guido Friebel, Goethe University Frankfurt

"Media bias against foreign owners: Downsizing"

Discussant: Olga Kuzmina, New Economic School

3:20 p.m. Break

Future Directions of Research in Media Economics

3:30 p.m. Roundtable

Simon ANDERSON, University of Virginia

Stefano DELLAVIGNA, UC Berkeley

Lisa GEORGE, Hunter College, City University of New York

David STRÖMBERG, IIES at Stockholm University

4:45 p.m. Farewell reception

The above agenda was published in Higher School of Economics website, click here.

VIDEO

For more details visit https://cis-india.org/news/media-economics-workshop

Nine-point code set out to safeguard personal information

praskrishna — 2012-10-22T06:42:36Z

A. P. Shah panel lists exceptions; suggests privacy commissioners.

Published in Hindu Business Line on October 18, 2012.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres.

The report also suggested setting up privacy commissioners, both at the Central and State levels.

It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc, most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Networking sites

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act. Responding to privacy infringement concerns, as aired by the Prime Minister recently, Justice Shah said RTI was the only law that gave statutory protection to privacy, which could be over-ridden only in certain cases for individuals, not companies.

Minister of State for Planning Ashwani Kumar said a privacy Act was necessary as in a democracy one had to ensure that "no one right is so exercised so as to infringe upon the rights of individuals."

The high-level panel submitted its report to the Planning Commission on Thursday. It will now be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Note: The Centre for Internet & Society was a part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/the-hindu-business-line-oct-18-2012-nine-point-code-set-out-to-safeguard-personal-information

Nibbling away into your bank account, salami attackers cart away a fortune

Admin — 2017-11-27T15:35:33Z

A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.

The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.

This is among the various strategies allegedly used by some bank employees, working in cahoots with persons working in telecom companies to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.

What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in to your account. If someone steals say `3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.

Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.

Bad practices
Prakash cited bad practices by different banks — such as preventing right click in password boxes (which curb positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor” — were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine at the bank/financial institutions side customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.

Insider frauds
While bank fraud cases — both online and offline — are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled `12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.

Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.

WHODUNNIT?

Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created resulting in a loss of `38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet

Case 2: May 2016

An US-couple living in Bengaluru was cheated of `6 lakh in just 2 hours.Cyber criminals, using their bank data credentials, had shopped online.The police, almost a year-and-half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.Status: No arrests yet

Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-october-25-2017-nibbling-away-into-your-bank-account-salami-attackers-cart-away-a-fortune

NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act

Shweta Mohandas and Pallavi Bedi — 2022-09-29T15:17:24Z

In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.

Reviewed and edited by Anubha Sinha

Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.

Definitions: Ambiguous and incompatible with similar policy documents

The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.

With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.

Guiding Principles: Need to look beyond privacy

The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.

Data sharing with third parties without adequate safeguards

The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a
specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.

Conclusion

The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.

For more details visit https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines