We are anonymous, we are legion

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips

No Fintech company meets every single privacy requirement under IT Act: CIS report

Shilpa S. Ranipeta — 2019-07-08T02:34:59Z

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.

A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-shilpa-s-ranipeta-june-10-2019-no-fintech-company-meets-every-single-privacy-requirement-under-it-act-cis-report

No fear of losing internet freedom till Jan 15: Experts

praskrishna — 2012-12-31T02:20:31Z

There is no need to get scared about losing internet freedom, at least till January 2015.

The article by Kim Arora was published in the Times of India on December 22, 2012. Pranesh Prakash is quoted.

That's the view of top telecom policy watchers, who closely monitored the World Conference on International Telecommunications (WCIT) of the International Telecommunication Union (ITU) that ended in uncertainty earlier this month in Dubai.

Policy experts say the changes affecting internet users in India, if any, would be slow and minor with little or no changes existing laws and governments largely retaining their current control. The resolutions are not binding and member-states are free to opt out of it. India is yet to ratify the treaty that lays out a broad framework on international co-operation over telecommunication resources.

The ITR (International Telecom Regulations), decided by the ITU were last updated in 1988 when the internet, as we know it today, did not exist. And the hullabaloo was caused by the proliferation of internet in the intervening years had created a lot of complications and misgiving among nation states. The Dubai conference also included alarmed internet evangelists who feared that the meeting would result in UN control of the internet. But with the US, the UK and several other countries vehemently refusing to sign on the dotted line, most decisions have been withheld till January 2015 when the treaty is expected to be ratified.

For more details visit https://cis-india.org/news/times-of-india-december-22-2012-kim-arora-no-fear-of-losing-internet-freedom-till-jan-15

No Civil Society Members in the Cyber Regulations Advisory Committee

pranesh — 2013-01-09T17:56:57Z

The Government of India has taken our advice and reconstituted the Cyber Regulations Advisory Commitee. But there is no representation of Internet users, citizens, and consumers — only government and industry interests.

In multiple op-eds (Indian Express and Mint), I have pointed out the need for the government to reconstitute the "Cyber Regulations Advisory Committee" (CRAC) under section 88 of the Information Technology Act. That it be reconstituted along the model of the Brazilian Internet Steering Committee was also part of the suggestions that CIS sent to the government after a meeting FICCI had convened along with the government on September 4, 2012.

Section 88 requires that people "representing the interests principally affected" by Internet policy or "having special knowledge of the subject matter" be present in this advisory body. The main function of the CRAC is to advise the the Central Government "either generally as regards any rules or for any other purpose connected with this Act".

Despite this important function, the CRAC had — till November 2012 — only ever met twice, both times in 2001. The response to an RTI informed us that the body had never provided any advice to the government.

Government Not Serious

The increasing pressure on the government for botching up Internet regulations has led it to reconstitute the CRAC. However, the list of members of the committee shows that the government is not serious about this committee representing "the interests primarily affected" by Internet policy.

Importantly, this goes against the express wish of the Shri Kapil Sibal, the Union Minister for Communications and IT, who has repeatedly stated that he believes that Internet-related policymaking should be an inclusive process. Most recently, at the 2012 Internet Governance Forum he stated that we need systems that are:

"collaborative, consultative, inclusive and consensual, for dealing with all public policies involving the Internet"

Interestingly, despite the Hon'ble Minster verbally inviting civil society organizations (on November 23, 2012) for a meeting of the CRAC that happened on November 25, 2012, the Department of Electronics and Information Technology refused to send us invitations for the meeting. This hints at a disconnect between the political and bureaucratic wings of the government, at least at some levels.

Interestingly, this isn't the first time this has been pointed out. Na. Vijayashankar was levelling similar criticisms against the CRAC way back in August 2000 when the original CRAC was constituted.

Breakdown by Stakeholder Groupings

While there is no one universal division of stakeholders in Internet governance, but four goups are widely recognized: governments (national and intergovernmental), industry, technical community, and civil society. Using that division, we get:

Government - 15 out of 22 members
Industry bodies - 6 out of 22 members
Technical community / Academia - 1 out of 22 members
Civil society - 0 out of 22 members.

List of Members of Cyber Regulatory Advisory Committee

The official notification (G.S.R. 827(E)) is available on the DEIT website and came into force on November 16, 2012.

(Note: Names with ~~strikethroughs~~ have been removed from the CRAC since 2000, and those with emphasis have been added.)

Minister, Ministry of Communication and Information Technology - Chairman
Minister of State, Ministry of Communications and Information Technology - Member
Secretary, Ministry of Communication and Information Technology, Department of Electronics and Information Technology - Member
Secretary, Department of Telecommunications - Member
~~Finance Secretary - Member~~
Secretary, Legislative Department - Member
Secretary, Department of Legal Affairs - Member
~~Shri T.K. Vishwanathan, Presently Member Secretary, Law Commission - Member~~
Secretary, Ministry of Commerce - Member
Secretary, Ministry of Home Affairs - Member
Secretary, Ministry of Defence - Member
Deputy Governor, Reserve Bank of India - Member
Information Technology Secretary from the states by rotation - Member
Director, IIT by rotation from the IITs - Member
Director General of Police from the States by rotation - Member
President, NASSCOM - Member
President, Internet Service Provider Association - Member
Director, Central Bureau of Investigation - Member
Controller of Certifying Authority - Member
Representative of CII - Member
Representative of FICCI - Member
Representative of ASSOCHAM - Member
President, Computer Society of India - Member
Group Coordinator, Department of Electronic and Information Technology - Member Secretary

For more details visit https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society

NITI Aayog Discussion Paper: An aspirational step towards India’s AI policy

2018-06-13T13:08:47Z

The National Strategy for Artificial Intelligence — a discussion paper on India’s path forward in AI, is a welcome step towards a comprehensive document that reflects the government's AI ambitions. The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability.

Download the Report

The 115-page discussion paper attempts to be an all encompassing document looking at a host of AI related issues including privacy, security, ethics, fairness, transparency and accountability. The paper identifies five focus areas where AI could have a positive impact in India. It also focuses on reskilling as a response to the potential problem of job loss due the future large-scale adoption of AI in the job market. This blog is a follow up to the comments made by CIS on Twitter on the paper and seeks to reflect on the National Strategy as a well researched AI roadmap for India. In doing so, it identifies areas that can be strengthened and built upon.

Identified Focus Areas for AI Intervention

The paper identifies five focus areas—Healthcare, Agriculture, Education, Smart Cities and Infrastructure, Smart Mobility and Transportation, which Niti Aayog believes will benefit most from the use of AI in bringing about social welfare for the people of India. Although these sectors are essential in the development of a nation, the failure to include manufacturing and services sectors is an oversight. Focussing on manufacturing is fundamental not only in terms of economic development and user base, but also regarding questions of safety and the impact of AI on jobs and economic security. The same holds true for the service sector particularly since AI products are being made for the use of consumers, not just businesses. Use of AI in the services sector also raises critical questions about user privacy and ethics. Another sector the paper fails to include is defense, this is worrying since India is chairing the Group of Governmental Experts on Lethal Autonomous Weapons Systems (LAWS) in 2018. Across sectors, the report fails to look at how AI could be utilised to ensure accessibility and inclusion for the disabled. This is surprising, as aid for the differently abled and accessibility technology was one of the 10 domains identified in the Task Force Report on AI published earlier this year. This should have been a focus point in the paper as it aims to identify applications with maximum social impact and inclusion.

In its vision for the use of AI in smart cities, the paper suggests the adoption of a sophisticated surveillance system as well as the use of social media intelligence platforms to check and monitor people’s movement both online and offline to maintain public safety. This is at variance with constitutional standards of due process and criminal law principles of reasonable ground and reasonable suspicion. Further, use of such methods will pose issues of judicial inscrutability. From a rights perspective, state surveillance can directly interfere with fundamental rights including privacy, freedom of expression, and freedom of assembly. Privacy organizations around the world have raised concerns regarding the increased public surveillance through the use of AI. Though the paper recognized the impact on privacy that such uses would have, it failed to set a strong and forward looking position on the issue - such as advocating that such surveillance must be lawful and inline with international human rights norms.

Harnessing the Power of AI and Accelerating Research

One of the ways suggested for the proliferation of AI in India was to increase research, both core and applied, to bring about innovation that can be commercialised. In order to attain this goal the paper proposes a two-tier integrated approach: the establishment of COREs (Centres of Research Excellence in Artificial Intelligence) and ICTAI (International Centre for Transformational Artificial Intelligence). However the roadmap to increase research in AI fails to acknowledge the principles of public funded research such as free and open source software (FOSS), open standards and open data. The report also blames the current Indian Intellectual Property regime for being “unattractive” and averse to incentivising research and adoption of AI. Section 3(k) of Patents Act exempts algorithms from being patented, and the Computer Related Inventions (CRI) Guidelines have faced much controversy over the patentability of mere software without a novel hardware component. The paper provides no concrete answers to the question of whether it should be permissible to patent algorithms, and if yes, to to what extent. Furthermore, there needs to be a standard either in the CRI Guidelines or the Patent Act, that distinguishes between AI algorithms and non-AI algorithms. Additionally, given that there is no historical precedence on the requirement of patent rights to incentivise creation of AI, innovative investment protection mechanisms that have lesser negative externalities, such as compensatory liability regimes would be more desirable. The report further failed to look at the issue holistically and recognize that facilitating rampant patenting can form a barrier to smaller companies from using or developing AI. This is important to be cognizant of given the central role of startups to the AI ecosystem in India and because it can work against the larger goal of inclusion articulated by the report.

Ethics, Privacy, Security and Safety

In a positive step forward, the paper addresses a broader range of ethical issues concerning AI including transparency, fairness, privacy and security and safety in more detail when compared to the earlier report of the Task Force. Yet despite a dedicated section covering these issues, a number of concerns still remain unanswered.

Transparency

The section on transparency and opening the Black Box has several lacunae. First, AI that is used by the government, to an acceptable extent, must be available in the public domain for audit, if not under Free and Open Source Software (FOSS). This should hold true in particular for uses that impinge on fundamental rights. Second, if the AI is utilised in the private sector, there currently exists a right to reverse engineer within the Indian Copyright Act, which is not accounted for in the paper. Furthermore, if the AI was involved both in the commission of a crime or the violation of human rights, or in the investigations of such transgressions, questions with regard to judicial scrutability of the AI remain. In addition to explainability, the source code must be made circumstantially available, since explainable AI alone cannot solve all the problems of transparency. In addition to availability of source code and explainability, a greater discussion is needed about the tradeoff between a complex and potentially more accurate AI system (with more layers and nodes) vs. an AI system which is potentially not as accurate but is able to provide a human readable explanation. It is interesting to note that transparency within human-AI interaction is absent in the paper. Key questions on transparency, such as whether an AI should disclose its identity to a human have not been answered.

Fairness

With regards to fairness, the paper mentions how AI can amplify bias in data and create unfair outcomes. However, the paper neither suggests detailed or satisfactory solutions nor does it deal with biased historical data in an Indian context. More specifically, there seems to be no mention of regulatory tools to tackle the problem of fairness, such as:

Self-certification
Certification by a self-regulatory body
Discrimination impact assessments
Investigations by the privacy regulator

Such tools will proactively need to ensure inclusion, diversity, and equity in composition and decisions.

Additionally, with reference to correcting bias in AI, it should be noted that the technocratic view that as an AI solution continues to be trained on larger amounts of data , systems will self correct, does not fully recognize the importance of data quality and data curation, and is inconsistent with fundamental rights. Policy objectives of AI innovation must be technologically nuanced and cannot be at the cost of intermediary denial of rights and services.

Further, the paper does not deal with issues of multiple definitions and principles of fairness, and that building definitions into AI systems may often involve choosing one definition over the other. For instance, it can be argued that the set of AI ethical principles articulated by Google are more consequentialist in nature involving a a cost-benefit analysis, whereas a human rights approach may be more deontological in nature. In this regard, there is a need for interdisciplinary research involving computer scientists, statisticians, ethicists and lawyers.

Privacy

Though the paper underscores the importance of privacy and the need for a privacy legislation in India - the paper limits the potential privacy concerns arising from AI to collection, inappropriate use of data, personal discrimination, unfair gain from insights derived from consumer data (the solution being to explain to consumers about the value they as consumers gain from this), and unfair competitive advantage by collecting mass amounts of data (which is not directly related to privacy). In this way the paper fails to discuss the full implications on privacy that AI might have and fails to address the data rights necessary to enable the right to privacy in a society where AI is pervasive. The paper fails to engage with emerging principles from data protection such as right to explanation and right to opt-out of automated processing, which directly relate to AI. Further, there is no discussion on the issues such as data minimisation and purpose limitation which some big data and AI proponents argue against. To that extent, there is a lack of appreciation of the difficult policy questions concerning privacy and AI. The paper is also completely silent on redress and remedy. Further the paper endorses the seven data protection principles postulated by the Justice Srikrishna Committee. However CIS has pointed out that these principles are generic and not specific to data protection. Moreover, the law chapter of IEEE’s ‘Global Initiative on Ethics of Autonomous and Intelligent Systems’ has been ignored in favor of the chapter on ‘Personal Data and Individual Access Control in Ethically Aligned Design’ as the recommended international standard. Ideally, both chapters should be recommended for a holistic approach to the issue of ethics and privacy with respect to AI.

AI Regulation and Sectoral Standards

The discussion paper’s approach towards sectoral regulation advocates collaboration with industry to formulate regulatory frameworks for each sector. However, the paper is silent on the possibility of reviewing existing sectoral regulation to understand if they require amending. We believe that this is an important solution to consider since amending existing regulation and standards often takes less time than formulating and implementing new regulatory frameworks. Furthermore, although the emphasis on awareness in the paper is welcome, it must complement regulation and be driven by all stakeholders, especially given India’s limited regulatory budget. The over reliance on industry self-regulation, by itself, is not advisable, as there is an absence of robust industry governance bodies in India and self-regulation raises questions about the strength and enforceability of such practices. The privacy debate in India has recognized this and reports, like the Report of the Group of Experts on Privacy, recommend a co-regulatory framework with industry developing binding standards that are inline with the national privacy law and that are approved and enforced by the Privacy Commissioner. That said, the UN Guiding Principles on Business and Human Rights and its “protect, respect, and remedy” framework should guide any self regulatory action.

Security and Safety of AI Systems

In terms of security and safety of AI systems the paper seeks to shift the discussion of accountability being primarily about liability, to that of one about the explainability of AI. Furthermore, there is no recommendation of immunities or incentives for whistleblowers or researchers to report on privacy breaches and vulnerabilities. The report also does not recognize certain uses of AI as being more critical than others because of their potential harm to the human. This would include uses in healthcare and autonomous transportation. A key component of accountability in these sectors will be the evolution of appropriate testing and quality assurance standards. Only then, should safe harbours be discussed as an extension of the negligence test for damages caused by AI software. Additionally, the paper fails to recommend kill switches, which should be mandatory for all kinetic AI systems. Finally, there is no mention of mandatory human-in-the-loop in all systems where there are significant risks to safety and human rights. Autonomous AI is only viewed as an economic boost, but its potential risks have not been explored sufficiently. A welcome recommendation would be for all autonomous AI to go through human rights impact assessments.

Research and Education

Being a government think-tank, the NITI Aayog could have dealt in detail with the AI policies of the government and looked at how different arms of the government are aiming to leverage AI and tackle the problems arising out of the use of AI. Instead of tabulating the government’s role in each area and especially research, the report could have also listed out the various areas where each department could play a role in the AI ecosystem through regulation, education, funding research etc. In terms of the recommendations for introducing AI curriculums in schools, and colleges, the government could also ensure that ethics and rights are part of the curriculum - especially in technical institutions. A possible course of action could include corporations paying for a pan-Indian AI education campaign.This would also require the government to formulate the required academic curriculum that is updated to include rights and ethics.

Data Standards and Data Sharing

Based on the amount of data the Government of India collects through its numerous schemes, it has the potential to be the largest aggregator of data specific to India. However the paper does not consider the use of this data with enough gravity. For example, the paper recommends Corporate Data Sharing for “social good” and making government datasets from the social sector available publicly. Yet this section does not mention privacy enhancing technologies/standards such as pseudonymization, anonymization standards, differential privacy etc. Additionally there should be provisions that allow the government to prevent the formation of monopolies by regulating companies from hoarding user data. The open data standards could also be applicable to the private companies, so that they can also share their data in compliance with the privacy enhancing technologies mentioned above. The paper also acknowledges that AI Marketplaces require monitoring and maintenance of quality. It recognises the need for “continuous scrutiny of products, sellers and buyers”, and proposes that the government enable these regulations in a manner that private players could set up the marketplace. This is a welcome suggestion, but the legal and ethical framework of the AI Marketplace requires further discussion and clarification.

An AI Garage for Emerging Economies

The discussion paper also qualifies India as an “ideal test-bed” for trying out AI related solutions. This is problematic since questions of regulation in India with respect to AI have yet to be legally clarified and defined and India does not have a comprehensive privacy law. Without a strong ethical and regulatory framework, the use of new and possibly untested technologies in India could lead to unintended and possibly harmful outcomes.The government's ambition to position India as a leader amongst developing countries on AI related issues should not be achieved by using Indians as test subjects for technologies whose effects are unknown.

Conclusion

In conclusion, NITI Aayog’s discussion paper represents a welcome step towards a comprehensive AI strategy for India. However, the trend of inconspicuously releasing reports (this and the AI Task Force) as well as the lack of a call for public comments, seems to be the wrong way to foster discussion on emerging technologies that will be as pervasive as AI.

The blanket recommendations were provided without looking at its viability in each sector. Furthermore, the discussion paper does not sufficiently explore or, at times, completely omits key areas. It barely touched upon societal, cultural and sectoral challenges to the adoption of AI — research that CIS is currently in the process of undertaking.Future reports on Indian AI strategy should pay more attention to the country’s unique legal context and to possible defense applications and take the opportunity to establish a forward looking, human rights respecting, and holistic position in global discourse and developments. Reports should also consider infrastructure investment as an important prerequisite for AI development and deployment. Digitised data and connectivity as well as more basic infrastructure, such as rural electricity and well-maintained roads, require more funding to more successfully leverage AI for inclusive economic growth. Although there are important concerns, the discussion paper is an aspirational step toward India’s AI strategy.

For more details visit https://cis-india.org/internet-governance/blog/niti-aayog-discussion-paper-an-aspirational-step-towards-india2019s-ai-policy

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Ninth Workshop on Media Economics

praskrishna — 2011-11-28T09:12:24Z

The Higher School of Economics and the New Economic School have joined hands to organize the ninth workshop on media economics in Moscow on October 28 and 29, 2011. All events are scheduled to take place in Marriott Courtyard, a hotel in the centre of Moscow within 10-minute walking distance from the Kremlin, the Red Square, and the Bolshoi Theatre.

Workshop Program

Friday, October 28, 2011

8:00 a.m. Morning coffee

8:45 a.m. Opening remarks

Media markets - 1: Newspapers, Mergers, and Diversity

9:00 a.m. Michal MASIKA, University of Munich

"Free commuter newspapers and the market for paid-for daily newspapers"

Discussant: Sergey V. Popov, Higher School of Economics

9:40 a.m. Lapo FILISTRUCCHI, Tilburg University and University of Florence

Tobias J. Klein, Tilburg University

Thomas Michielsen, Tilburg University

"Merger Simulation in a Two-Sided Market: The Case of the Dutch Daily Newspapers"

Discussant: Lars Sørgard, Norwegian School of Economics

10:20 a.m. Lisa GEORGE, Hunter College, City University of New York

Felix Oberholzer-Gee, Harvard Business School

"Diversity in Local Television News"

Discussant: François Keslair, Paris School of Economics

11:00 a.m. Coffee break

Media markets and Internet - 1: Advertising and Search Engines

11:30 a.m. Alexandre de CORNIÈRE, Paris School of Economics

"Search advertising"

Discussant: Simon Anderson, University of Virginia

12:10 p.m. Alexander WHITE, Tsinghua University School of Economics and Management

Kamal Jain, Microsoft Research

"The Attention Economy of Search and Web Advertisement"

Discussant: Sergei Izmalkov, New Economic School

12:50 p.m. Lunch

Political Economy - 1: Media, Elites, and the Groups of Influence

2:00 p.m. Leopoldo FERGUSSON, Universidad de Los Andes

"Media Markets, Special Interests, and Voters"

Discussant: Alexei V. Zakharov, Higher School of Economics

2:40 p.m. David STRÖMBERG, IIES at Stockholm University

Ben Qin, IIES at Stockholm University

Yanhui Wu, USC Marshall School of Business

"Determinants of Media Capture in China"

Discussant: Maria Petrova, New Economic School

3:20 p.m. Daniel STONE, Oregon State University

"Media and Gridlock"

Discussant: Elena Panova, Academy of National Economy and Gaidar Institute

4:00 p.m. Coffee break

Media markets and Internet - 2: Internet Effects and Offline Media Markets

4:30 p.m. Joel WALDFOGEL, University of Minnesota

"Bye, Bye, Miss American Pie? The Supply of New Recorded Music since Napster"

Discussant: Ruben Enikolopov, New Economic School

5:10 p.m. Ignacio FRANCESCHELLI, Northwestern University

"When the Ink is Gone: The Impact of Internet on News Coverage"

Discussant: Ruben Durante, Sciences Po Paris

5:50 p.m. Adjourn

7:00 p.m. Dinner

Saturday October 29th

8:00 a.m. Morning Coffee

Media markets - 2: Interactions in Traditional and Digital Media Industry

9:00 a.m. Harald Nygård Bergh, Norwegian School of Economics

Hans Jarle KIND, Norwegian School of Economics

Bjørn-Atle Reme, Norwegian School of Economics

Lars Sørgard, Norwegian School of Economics

"Competition between Content Distributors in Two-Sided Markets"

Discussant: Guido Friebel, Goethe University Frankfurt

9:40 a.m. Larbi Alaoui, Universitat Pompeu Fabra

Fabrizio GERMANO, Universitat Pompeu Fabra

"Time Scarcity and the Market for News"

Discussant: Sergei Guriev, New Economic School

10:20 a.m. Coffee break

Political Economy - 2: Media Effects

10:50 a.m. Francesco Drago, University of Naples

Tommaso Nannicini, Bocconi University

Francesco SOBBRIO, IMT Lucca

"Newspapers, Local News and Electoral Politics"

Discussant: Ekaterina Zhuravskaya, Paris School of Economics

11:30 p.m. Julia CAGÉ, Harvard University

François Keslair, Paris School of Economics

"Trash Media and the Decline of Turnout: Theory and Evidence from Local Media Competition in France, 1944-2010"

Discussant: Francesco Sobbrio, IMT Lucca

12:10 p.m. Parallel events (choose your favorite):

Lunch - or -

Global New Media Policy

Roundtable (with refreshments, RSVP required, more details here)

Pedro MIZUKAMI, FGV Center for Technology and Society, Rio de Janeiro, Brazil

Sunil ABRAHAM, Centre for Internet and Society, Bangalore, India

Bruce ETLING and Robert FARIS, Berkman Center for Internet and Society, Harvard University, United States

Marina ZHUNICH, Google Russia

Media markets - 3: Media Bias

2:00 p.m. Stefano DELLAVIGNA, UC Berkeley

Alec Kennedy, San Francisco Federal Reserve Bank

“Does Media Concentration Lead to Biased Coverage? Evidence from Movie Reviews”

Discussant: Joel Waldfogel, University of Minnesota

2:40 p.m. Matthias HEINZ, Goethe University Frankfurt

Guido Friebel, Goethe University Frankfurt

"Media bias against foreign owners: Downsizing"

Discussant: Olga Kuzmina, New Economic School

3:20 p.m. Break

Future Directions of Research in Media Economics

3:30 p.m. Roundtable

Simon ANDERSON, University of Virginia

Stefano DELLAVIGNA, UC Berkeley

Lisa GEORGE, Hunter College, City University of New York

David STRÖMBERG, IIES at Stockholm University

4:45 p.m. Farewell reception

The above agenda was published in Higher School of Economics website, click here.

VIDEO

For more details visit https://cis-india.org/news/media-economics-workshop

Nine-point code set out to safeguard personal information

praskrishna — 2012-10-22T06:42:36Z

A. P. Shah panel lists exceptions; suggests privacy commissioners.

Published in Hindu Business Line on October 18, 2012.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres.

The report also suggested setting up privacy commissioners, both at the Central and State levels.

It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc, most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Networking sites

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act. Responding to privacy infringement concerns, as aired by the Prime Minister recently, Justice Shah said RTI was the only law that gave statutory protection to privacy, which could be over-ridden only in certain cases for individuals, not companies.

Minister of State for Planning Ashwani Kumar said a privacy Act was necessary as in a democracy one had to ensure that "no one right is so exercised so as to infringe upon the rights of individuals."

The high-level panel submitted its report to the Planning Commission on Thursday. It will now be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Note: The Centre for Internet & Society was a part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/the-hindu-business-line-oct-18-2012-nine-point-code-set-out-to-safeguard-personal-information

Nibbling away into your bank account, salami attackers cart away a fortune

Admin — 2017-11-27T15:35:33Z

A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.

The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.

This is among the various strategies allegedly used by some bank employees, working in cahoots with persons working in telecom companies to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.

What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in to your account. If someone steals say `3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.

Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.

Bad practices
Prakash cited bad practices by different banks — such as preventing right click in password boxes (which curb positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor” — were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine at the bank/financial institutions side customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.

Insider frauds
While bank fraud cases — both online and offline — are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled `12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.

Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.

WHODUNNIT?

Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created resulting in a loss of `38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet

Case 2: May 2016

An US-couple living in Bengaluru was cheated of `6 lakh in just 2 hours.Cyber criminals, using their bank data credentials, had shopped online.The police, almost a year-and-half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.Status: No arrests yet

Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-october-25-2017-nibbling-away-into-your-bank-account-salami-attackers-cart-away-a-fortune

NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act

Shweta Mohandas and Pallavi Bedi — 2022-09-29T15:17:24Z

In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.

Reviewed and edited by Anubha Sinha

Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.

Definitions: Ambiguous and incompatible with similar policy documents

The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.

With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.

Guiding Principles: Need to look beyond privacy

The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.

Data sharing with third parties without adequate safeguards

The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a
specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.

Conclusion

The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.

For more details visit https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines

NGOs, individuals urge state CMs to curb Internet shutdown

praskrishna — 2017-04-07T02:43:39Z

Amid rising instances of Internet curbs, a group of individuals and organisations have urged the chief ministers of 12 states to only restrict specific online content rather than resort to complete shutdown.

The article was published in the Times of India on April 4, 2017.

SFLC.in, a Delhi-based not-for-profit organisation, along with various Internet-related firms have sent letters in this regard to the chief ministers of these states impacted by Internet shutdowns.

The letters have been written to the chief ministers of Uttar Pradesh, Nagaland, Manipur, Maharashtra, J&K, Jharkhand, Rajasthan, Meghalaya, Arunachal Pradesh, Bihar, Gujarat and Haryana.

"The Internet shutdowns are imposed using state power under Section 144 by these specific states and not by the Union Government. The central government is bound to follow the process under Section 69 IT act.

"These letters to the chief ministers of all 12 states, which have been affected by Internet shutdowns till date, are an effort by us to address the source of the problem," SFLC.in President and Legal Director Mishi Choudhary told .

As per Internet Shutdown tracker of SFLC, there have been 28 incidents of Internet closure in Jammu & Kashmir, 9 cases each in Gujarat and Haryana, 8 in Rajasthan, 3 Nagaland, 2 cases each in Uttar Pradesh, Bihar and Manipur and 1 incident each in Maharashtra, Jharkhand, Meghalaya and Arunachal Pradesh since 2012.

As per the tracker, far India has experienced a record number of 66 such incidents since 2012, with the number increasing more than two-fold from 14 in 2015 to 31 in 2016.

The letters sent to the chief ministers urge them to "take requisite action that would prohibit the issuance of orders that make Internet services entirely inaccessible for a particular area, and rather recommend that Section 69A and the procedure established by the rules therein be applied to limit the restriction to certain specific online content."

The signatories of the letters include the Centre for Internet and Society, Digital Empowerment Foundation, Internet Democracy Project, IT for Change and Society for Knowledge Commons, individuals like Anivar Aravind (Executive Director, Indic Project), IIT Bombay professor Kannan Moudgalya and others.

"We are hopeful that our efforts will make the government take in account the enormous effects of Internet shutdowns on the social-economic condition of our citizens and understand their plight," Choudhary said. PRS MKJ

For more details visit https://cis-india.org/internet-governance/news/times-of-india-april-4-2017-ngos-individuals-urge-state-cms-to-curb-internet-shutdown

NGOs say eG8 report must stress internet rights

praskrishna — 2011-06-22T04:17:55Z

More than 35 NGOs from around the world signed a joint declaration requesting that issues concerning freedom of speech be included in the report set to be presented to G8 heads of government by the organisers and participants of the eG8 Forum held in Paris. The news was published in TELECOMPAPER on May 26, 2011.

Read the full story in TELECOMPAPER

For more details visit https://cis-india.org/news/e-g-8-report-internet-rights

NGO questions people's privacy in UID scheme

praskrishna — 2012-01-12T11:45:07Z

Taking a leaf out of the recommendations of the parliamentary standing committee on finance (SCF) that raised objections on the National Identification Authority of India Bill 2010, Delhi-based NGOs have called upon the Jharkhand government to stay the execution of UID projects in the state. Jaideep Deogharia's article was published in the Times of India on 11 January 2012.

Citing excerpts from the recommendations of the SCF, headed by BJP MP Yashwant Sinha, the NGO activists asserted that the MoU signed by the government on June 25, 2010, was without any legal and constitutional mandate.

This claim, however, remains unfounded as the UIDAI is functioning under an executive order of the department of planning and has no links with the NIDAI Bill. The issue was recently clarified by the director general and mission director of UIDAI when he addressed the media in the capital during his three-day visit.

Organizing a round table, report on SCF and its implications for Aadhaar project and National Population register for multipurpose National ID Card (MNIC),

Citizens Forum for Civil Liberties member Gopal Krishna said given the fact that the Election Commission had shortlisted 15 documents as evidence of identity and citizenship, there was no need to have the 16th instrument (read UID).

"It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," he said clarifying that even in case of prisoners, the fingerprint data is supposed to be deleted after acquittal under the Prisoner Identification Act.

JT D'Souza, an expert in biometrics technology, Mumbai, gave a presentation on how biometric information was vulnerable to exploitation. Using a finger print reader, he demonstrated fake finger prints being read by the machine. He said a fingerprint on a semi solid wax slab can be filled up with adhesive and allowed to set for eight hours. "Once the adhesive block is removed, it takes up the exact marks of finger prints using which any finger print reader can be fooled," he said.

Another participant, Sunil Abraham, director, Centre for Internet and Society, Bangalore, said there is no data protection or privacy law in place. "The UID project was allowed to march on without any protection being put in place," he said.

"On one hand, the government wants its citizens to be transparent by giving all their biometric and demographic data, but on the other hand, people in higher authorities are making every bid to conceal facts and function in a non-transparent manner," he said.

D' Souza also raised questions about the uniqueness of fingerprints as it has never been tested on a vast population. Citing examples from foreign countries where fingerprint studies have proved to be ineffectual in establishing non duplication, he said biometric data if hacked could be misused.

Read the original published in the Times of India

For more details visit https://cis-india.org/news/ngo-questions-peoples-privacy-in-uid-scheme

NGO invites public to peruse its accounts

praskrishna — 2013-05-21T14:38:38Z

Domlur-based The Centre for Internet and Society opens its books for anyone to see and track every rupee of the Rs 13.13 crore it received from donors.

This article by Vandana Kamath was published in the Bangalore Mirror on May 18, 2013. Sunil Abraham is quoted.

In an unusual but ‘clean’ way of celebrating its fifth anniversary, a city-based non-governmental organisation (NGO) has invited the general public to inspect its books of accounts, check out its list of donors and view contracts. At a time when several NGOs are under the scanner for trying to shroud financial transactions in secrecy, The Centre for Internet and Society (CIS), a non-profit research organisation that defends consumer rights on the Internet, has upped its policy of transparency a notch.

Located in Domlur and largely patronised by Bangalore’s tech community, CIS’s books of accounts will be available for public scrutiny during its fifth anniversary celebrations from May 20 to 23 and will show how the NGO has spent the Rs 13.13 crore it has received from donors since its launch.

Speaking to Bangalore Mirror, CIS executive director Sunil Abraham admitted that the move was to dispel any lingering doubts on the motives of his organisation. “These days, many NGOs have been in the news for misappropriation of donations,” Abraham said. “We want to keep our books of accounts open to the public. Apart from details like salaries drawn by each board member, many other details like contractual obligations with entities, details of donors and official travel expenses by board members can also be obtained. Anybody can walk into our office and ask to see the accounts. A photocopy of all the details will also be given to them at the earliest.”

In fact, a recent debate in the Rajya Sabha centred on the lack of transparency among NGOs receiving contributions from overseas after the Foreign Contribution Regulation Act (FCRA) was passed in 2010. With 17 donors, a majority of who are from overseas, CIS ensures that every rupee obtained is well spent and accounted for.

“We have made public a list of donors and their share of contributions to our society,” Abraham said. “This will give everybody a clear picture of the funds we receive and where and how it is being spent.”

CIS is primarily funded by the Kusuma Trust, The Wikimedia Foundation and The Hans Foundation among others. The society was founded in 2008 and has 17 staff of whom four are based in Delhi and the rest in Bangalore. The society also has seven distinguished fellows and five fellows.

It conducts policy research programmes on topics like accessibility, access to knowledge, openness, internet governance and telecom. The society has churned out 641 research items in five years that include essays, books and blog entries on the topics. It has also conducted research on the accessibility of the e-governance system and has suggested ways to make it more disabled-friendly.

As part of its anniversary celebrations, the society will hold a four-day event in its office starting May 20 that will include an exhibition showcasing its activities so far. Various artists like Kiran Subbaiah, Tara Kelton, Navin Thomas and Abhishekh Hazra are expected to participate and give live demonstrations.

For more details visit https://cis-india.org/news/bangalore-mirror-vandana-kamath-may-18-2013-ngo-invites-public-to-peruse-its-accounts

New Trends in Industry Self-Governance

praskrishna — 2012-10-04T11:37:54Z

Oxford Internet Institute, University of Oxford, UK and Media Change & Innovation Division, IPMZ, University of Zurich, Switzerland and Nominet, UK is organising this workshop on November 7, 2012 at the seventh annual IGF meeting to be held in Baku, Azerbaijan. This workshop will be held in Conference Room 2, from 4.30 p.m. to 6.00 p.m. Sunil Abraham is one of the panelists at this workshop.

Concise description of the proposed workshop:
Informal rule setting still plays a significant role in Internet governance. Non-governmental governance can occur at two levels: by shared rules negotiated through bodies like ICANN, and via private ordering by individual firms with significant market power. This panel will explore these two levels drawing on research into ICANN and two recent cases: the Google Books [non-] settlement, and several governments’ demands that service providers such as Research In Motion and Facebook give local law enforcement agencies access to user communications.

Google’s project to digitize, index, and later to sell access to large numbers of out-of-print books is a leading example of an Internet-triggered shift from public to private regulation and the declining authority of copyright law. It triggered a major international controversy encompassing three class action lawsuits, a proposed and subsequently amended settlement by the litigating parties, more than 400 filings by class-members and "friends of the court" (including the French and German governments), two court hearings, various conferences, innumerous blog entries and articles. A New York federal district court ultimately rejected a proposed settlement between Google and representatives of book authors and publishers, stating that the issues would be “more appropriately decided by Congress than through an agreement among private, self-interested parties."

While almost all states allow law enforcement agencies to intercept Internet communications, the growing use of encryption has restricted access to in-transit communications and social networking data. The governments of India and several Middle Eastern nations have all pressed Research In Motion to allow police access to BlackBerry encrypted messages, threatening otherwise to shut down services. RIM has installed local servers in several countries to meet these demands. The Indian government is reportedly now looking at encrypted services provided by Google and Skype. These and other online services, often hosted in the US, receive frequent requests from foreign law enforcement agencies for user data. Such requests have no statutory force, but may be voluntarily granted under US law – raising questions about user privacy and the oversight of this access.

These cases have much wider implications for other Internet services and users around the world. The proposed workshop will facilitate a multi-stakeholder exploration of these implications.

Four researchers will give precise, provocative five-minute opening statements on the key lessons for Internet rule setting from these cases. Each speaker will pose three specific questions on the accountability, viability and efficiency of these governance structures. These questions will kick-off roundtable discussion between the panelists from government, civil society, business and the technical community. The objective will be to draw out further lessons in how the public interest can best be protected in informal Internet governance processes, with contributions and questions from workshop and remote participants.representing official positions.

Background Paper:

Name of the organiser(s) of the workshop and their affiliation to various stakeholder groups:
Ian Brown, Oxford Internet Institute, University of Oxford
William Drake, University of Zurich Business, technical community, Civil Society, government co-sponsors in process (TBD)

Have you, or any of your co-organisers, organised an IGF workshop before?: Yes
Please provide link(s) to workshop(s) or report(s):
http://www.intgovforum.org/cms/index.php/component/chronocontact/?chronoformname=Workshopsreports2009View&curr=1&wr=84

Provide the names and affiliations of the panellists you are planning to invite:
Sunil Abraham, Centre for Internet and Society, Bangalore
Ian Brown, Oxford Internet Institute, University of Oxford (Moderator)
William Drake, University of Zurich
Jeanette Hoffman, Wissenschaftszentrum Berlin
Emily Taylor, Independent Consultant, UK
Rolf Weber, University of Zurich
Google representative TBC
Government representative TBC

For more details visit https://cis-india.org/news/new-trends-in-industry-self-governance