We are anonymous, we are legion

LITD 17 Committee, Bureau of Indian Standards Meeting

praskrishna — 2016-10-07T01:38:00Z

Vanya Rakesh attended the LITD-17 committee meeting (committee on Information Systems Security and Biometrics) organised by the Bureau of Indian Standards on 23 September 2016 in Bengaluru.

The agenda for the meeting included presentation of the draft data privacy standard for India which was proposed before the BIS and its members. Elonnai Hickok and Vanya are a part of the drafting committee for the same. The draft standard was accepted by BIS and would now be circulated for further comments. Click here to read the Agenda.

For more details visit https://cis-india.org/internet-governance/news/litd-17-committee-bureau-of-indian-standards-meeting

Young Scholars' Programme, CPRSouth 2016

praskrishna — 2016-09-23T01:03:13Z

Rohini Lakshané took part in the Young Scholars' Programme organized by Communication Policy Research South from September 6 to 7, 2016 in Zanzibar.

CPRsouth 2016 Young Scholar Awards

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar from 8-10 September. It will include sessions on cutting-edge developments in ICT policy and regulation in the South and discussion of the research-policy interface.

As part of the capacity building initiative, 30 Young Scholars from Africa and the Asia-Pacific region have been selected to participate in a tutorial programme. They will be taught by recognised scholars and practitioners from Africa and Asia, and will be attending the main conference thereafter. Congratulations to the Young Scholars of 2016. See the list here.

For more details visit https://cis-india.org/internet-governance/news/young-scholars-programme-cpr-south-2016

Internet Rights and Wrongs

pranesh — 2016-09-22T23:36:14Z

With a rise in PIL's for unwarranted censorship, do we need to step back and inspect if it's about time unreasonable trends are checked?

The article was published in India Today on September 1, 2016. The original piece can be read here.

Over the last few weeks, there have been a number of cases of egregious censorship of websites in India. Many people started seeing notices that (incorrectly) gave an impression that they may end up in jail if they visited certain websites. However, these notices weren't an isolated phenomenon, nor one that is new. Worryingly, the higher judiciary has been drawn into these questionable moves to block websites as well.

Since 2011, numerous torrent search engines and communities have been blocked by Indian internet service providers (ISPs). Torrent search engines provide the same functionality for torrents that Google provides for websites. Are copyright infringing materials indexed and made searchable by Google? Yes. Do we shut down Google for this reason? No. However, that is precisely what private entertainment companies have done over the past five years in India. Companies hired by the producers of Tamil movies Singham and 3 managed to get video-sharing websites like Vimeo, Dailymotion and numerous torrent search engines blocked even before the movies released, without showing even a single case of copyright infringement existed on any of them. During the FIFA World Cup, Sony even managed to get Google Docs blocked. In some cases, these entertainment companies have abused 'John Doe' orders (generic orders that allow copyright enforcement against unnamed persons) and have asked ISPs to block websites. The ISPs, instead of ignoring such requests as instances of private censorship, have also complied. In other cases (like Sony's FIFA World Cup case), courts have ordered ISPs to block hundreds of websites without any copyright infringement proven against them. High court judges haven't even developed a coherent theory on whether or how Indian law allows them to block websites for alleged copyright infringement. Still they have gone ahead and blocked.

In 2012, hackers got into Reliance Communications servers and released a list of websites blocked by them. The list contained multiple links that sought to connect Satish Seth-a group MD in Reliance ADA Group-to the 2G scam: a clear case of secretive private censorship by RCom. Further, visiting some of the YouTube links which pertained to Satish Seth showed that they had been removed by YouTube due to dubious copyright infringement complaints filed by Reliance BIG Entertainment. Did the department of telecom, whose licences forbid ISPs from engaging in private censorship, take any action against RCom? No. Earlier this year, Tata Sky filed a complaint against YouTube in the Delhi High Court, noting that there were videos on it that taught people how to tweak their set-top boxes to get around the technological locks that Tata Sky had placed. The Delhi HC ordered YouTube "not to host content that violates any law for the time being in force", presuming that the videos in question did in fact violate Indian law. They cite two sections: Section 65A of the Copyright Act and Section 66 of the Information Technology Act. The first explicitly allows a user to break technological locks of the kind that Tata Sky has placed for dozens of reasons (and allows a person to teach others how to engage in such breaking), whereas the second requires finding of "dishonesty" or "fraud" along with "damage to a computer system, etc", and an intention to violate the law-none of which were found. The court effectively blocked videos on YouTube without any finding of illegality, thus once again siding with censorial corporations.

In 2013, Indore-based lawyer Kamlesh Vaswani filed a PIL in the Supreme Court calling for the government to undertake proactive blocking of all online pornography. Normally, a PIL is only admittable under Article 32 of the Constitution, on the basis of a violation of a fundamental right (which are listed in Part III of our Constitution). Vaswani's petition-which I have had the misfortune of having read carefully-does not at any point complain that the state is violating a fundamental right by not blocking pornography. Yet the petition wants to curb the fundamental right to freedom of expression, since the government is by no means in a position to determine what constitutes illegal pornography and what doesn't.

The larger problem extends to the now-discredited censor board (headed by the notorious Pahlaj Nihalani), as also the self-censorship practised on TV by the private Indian Broadcasters Federation (which even bleeps out words and phrases like 'Jesus', 'period', 'breast cancer' and 'beef'). 'Swachh Bharat' should not mean sanitising all media to be unobjectionable to the person with the lowest outrage threshold. So who will file a PIL against excessive censorship?

For more details visit https://cis-india.org/internet-governance/blog/india-today-september-1-2016-pranesh-prakash-internet-rights-and-wrongs

The Future of Privacy in the Age of Big Data

praskrishna — 2016-09-22T23:24:16Z

A study tour on privacy and big data was organised by Friedrich Naumann Foundation for Freedom from September 3 to 10, 2016 in Berlin and Hamburg. Vanya Rakesh was one of the participants from South Asia who went for the tour.

List of Participants

Shahid Ahmad, Deputy Director, Digital Empowerment Foundation
Shahzad Ahmad, Country Director, Bytes for All
Shivam Satnani, Senior Analyst, Data Security Council of India
Vanya Rakesh, Senior Policy Officer, Centre for Internet & Society
Anja Kovacs, Director, Internet Democracy Project
Tshering Cigay Dorji, CEO, Thimphu Tech Park
Vrinda Bhandari, Lawyer and Journalist, Chambers of Trideep Pais (Anwaltskanzlei)
Tahsin Ifnoor Sayeed, Head of Business Intelligence, DNet

Click to see the Agenda

For more details visit https://cis-india.org/internet-governance/news/study-tour-on-future-of-privacy-in-age-of-big-data

Is India Prepared for a Cyber Attack? Suckfly And Other Past Responses Say No

praskrishna — 2016-09-22T00:57:02Z

From mandatory disclosures to improving CERT-IN’s functioning and transparency, there is much to be done in the event of future cyber attacks.

The article by Sushil Kambampati was published in the Wire on September 21, 2016. Pranesh Prakash was quoted.

In early September, details about India’s top secret Scorpene submarine program were published online. This presumed data breach brought the issue of cyber security into the headlines.

However, earlier this year, news of potentially catastrophic breaches of Indian networks barely made a blip. On May 17, the cyber-security firm Symantec stated in a blog post that it had traced breaches of several Indian organisations to a cyber-espionage group called Suckfly. The targeted systems belonged to the central government, a large financial institution, a vendor to the largest stock exchange and an e-commerce company. The espionage activity began in April 2014 and continued through 2015, Symantec said. Based on the targets that were penetrated, Symantec speculated that the espionage was targeted at the economic infrastructure of India. Such allegations should be ringing alarm bells inside the government and amongst private businesses across the country. And yet, from the official public response, one would think nothing was amiss.

A week later, another cyber-security firm, Kaspersky Lab, announced that it too had tracked at least one cyberespionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.

Breaches of corporate and government networks are nothing new. Usually, these breaches come to light if the perpetrators reveal the attack, the target of the attack discloses the breach, or because the leaked data shows up on the Internet. The Suckfly and Danti breaches are unusual because they were reported by a third party while the targets (in this case, Indian organisations and the government) themselves have remained silent. The breaches reported by Symantec and Kaspersky of Indian organisations received tepid coverage in India. A few news organisations published the same wire story that basically rewrote information in the original posts, but there was very little follow-up as there was not much follow-up investigation to determine the targets or an analysis to gauge how much damage the leaks could cause.

Part of the reason there was no fallout may have to do with the reluctance of the parties involved to provide information. Symantec, in response to multiple requests for more details, kept referring to the original blog post. The government made no statement either confirming or denying the report. Several banks, e-commerce companies and government agencies were asked whether they were aware of Suckfly, whether they had been breached by the organisation and whether Symantec had contacted them. Only Yatra, Axis Bank and Flipkart responded, denying that they had been penetrated by Suckfly. The National Stock Exchange also said it had not been penetrated, although the questions asked were about whether any of the stock exchange’s vendors had been penetrated and if they had been, whether the NSE knew about such a breach.

This collective lack of response across the board indicates a mindset that shows unpreparedness for the cyber threats that are very real, existent and ongoing. Compare the Suckfly reaction to the threat of a terrorist infiltration. In that scenario, the government goes on high alert, resources are mobilised and the public is warned. The government then tries to identify the threat and stop it from doing any harm. Citizens demand that in the future the government take proactive steps to catch infiltrators and prevent any future threats.

Weak government response

One method that Suckfly uses to gain access, according to Symantec, is by signing its malware with stolen digital certificates. This is the same method that was used to infect and sabotage the Iranian nuclear centrifuges with the Stuxnet virus, so the potential for harm of these breaches cannot be understated. Several security experts confirmed the plausibility of such doomsday scenarios as two-factor authentication being turned off for credit card transactions, unauthorised money transfers, leakage of credit card details, stolen password hashes or personal information, massive numbers of fake e-commerce orders and the manipulation of the stock exchange.

All the targets taken together, the potential for economic damage that the Suckfly breach poses is immense. If another country or malevolent group wanted to wreak havoc in India, it could trigger banking panic by emptying accounts or a stock-market collapse by dumping stocks at fractional values.

Even more disturbing, though, is that if a foreign entity has access to government networks, it has the potential to collect passwords to critical systems using key-loggers and password scanners. From there the entity could steal national security data, disrupt control systems of electrical grids or nuclear facilities and gain access to everything the government knows about its citizens, including personal details, financial information and identity information. On an only slightly less dangerous level, the central bank’s funds could be stolen, like the recent attempt to heist $800 million from the central bank of Bangladesh.

A report on risks facing India, published in August by KPMG and the Confederation of Indian Industry said: “While traditionally cyber attacks were largely used for causing financial and reputational loss, today they have  a potential of posing a threat to human life. While the perpetrators behind these attacks traditionally were a few challenge loving ‘hackers’ with unbridled curiosity, we see an increasing number of state sponsored cyber terrorists and organised criminals behind the attacks today.”

In light of such serious threats, the government needs to take more action to mitigate the threat and reassure the public that it is on top of the situation. Reports of encounters between the armed forces and alleged terrorists are frequently relayed to the press. Similarly, the National Informatics Centre (NIC) or its parent organisation, the Department of Electronics and Information Technology, needs to make a public statement when breaches of government systems or of private organisations at this scale come to light. The investigative agencies need to open an enquiry into the matter.

In the Suckfly case, it took a right-to-information query from this author to get a response from the NIC. In the response, the NIC stated that it was unaware of any breach of its systems by Suckfly, that it did not use Symantec’s services and that Symantec had not notified NIC of any breach. Of course, the response also raises many more questions, which could be asked if the government took an attitude of openness and disclosure.

The government also needs to step up its efforts of identifying and neutralising the threat. The Indian government’s Computer Emergency Response Team (CERT-IN) is responsible, according to its website, for “responding to computer security incidents as and when they occur” and also collecting information on and issuing “guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.” Yet, as of September 12, its website does not mention the Backdoor.Nidoran exploit which Suckfly allegedly used to gain access during at least one of its attacks. The CVE-2015-2545 vulnerability that Danti used, according to Kaspersky, is also unlisted. Any organisation or person relying on CERT-IN to get notifications of vulnerabilities would be in the dark and exposed to a breach.

CERT-IN is a perfect example of where the government could really do so much more, starting with some very basic things. For example, by design, contact e-mail addresses listed on the site cannot be clicked on or copied, and so have to be retyped. Such a measure would barely stop even a novice hacker. E-mail messages sent to one of the contact email address bounce back. While it laudably posts its e-mail encryption hash on its contact page, one of the identifiers does not match what is registered in the public KeyStores (usually that would be a sign of a hack). Most glaringly, anyone searching for information on a vulnerability on the site will have to click in and out of every document because the site does not have a search function. Collectively, these flaws give the impression that while the government has thought about cyber-security, it is not putting enough resources and effort into making that a credible initiative.

The government’s regulatory agencies also need to get into the fray. For example, one of the organisations that Suckfly allegedly breached is a large financial institution. It makes sense, therefore that the Reserve Bank of India (RBI), which oversees all financial institutions, should make it mandatory that a bank notify the RBI whenever there is a security breach. The RBI did just that in a notification issued on June 2, 2016, after the Suckfly breach. However, the notification does not address the need to inform the public. The RBI itself also needs to be more forthcoming. In the Suckfly instance the RBI has not made any statements about whether financial institutions under its supervision are secure. It took an RTI query to get a statement from the RBI, and there it responded that it had no information on the matter.

The Securities and Exchange Board of India (SEBI), which oversees the country’s stock exchanges, initially did not respond directly as to whether it knew of the breach at any IT firm that supplies an Indian stock exchange. However, SEBI reacted to an RTI query by asking all the stock exchanges under its mantle to verify with each of their IT vendors whether there had been any breach. They all denied it. If any of them are being untruthful, they have made a false statement to SEBI. However, if taken at their word, the public can take comfort in the fact that the stock market was not compromised by this attack.

SEBI also issued a cyber-security policy framework for its stock exchanges in July 2015, around the time when Suckfly may have been actively attacking systems. Where the RBI asks financial institutions to report breaches within six hours of detection, SEBI requires the reports to be quarterly. Given how fast information travels and how many transactions can be done in mere minutes, that seems like too much time for SEBI to take any effective action. SEBI’s policy also does not address the need to inform the public.

What is needed is a coordinated, comprehensive and unified policy that applies to stock exchanges, financial institutions, government organisations and private companies. It doesn’t matter from where the data is being stolen, what matters is how quickly the organisation learns of it and lets people know so that they too can take any action they need to.

Right or wrong?

The across-the-board denials of any breach raise the question whether Symantec was mistaken. Skeptics could even wonder whether the company exaggerated the situation to increase sales of its products and services. For its part, Symantec refuses to provide any further information about the breach beyond what is in its initial post; crucial information in this regard would include more forensic details, which could identify whether the breach actually took place. Symantec also would not confirm whether it had notified the targets of the attacks, though the government says it has not been alerted by Symantec.

On the other hand, according to Sastry Tumuluri, a former Chief Information Security Officer for the state of Haryana, Symantec probably did correctly identify the breaches. Symantec collects vast amounts of information at every point where it has a presence, such as on individual computers, at internet interconnection points and web hosts globally. All that data can give a fairly accurate and reliable indication of systems being penetrated. Depending on their capabilities and level of sophistication, the target organisations could also truthfully say that they have not detected a breach.

If Symantec’s is correct in conjecturing that the Suckfly breach targeted India’s economic sector, its lack of further action is disturbing. India is one of the world’s ten largest economies and instability here would have ripple effects globally. Then there is the potential of catastrophic cyberterrorism. It is in everyone’s interest that Symantec reach out to the government and to let the public know which organisations may be compromised.

According to Pranesh Prakash, Policy Director at the Centre for Internet and Society and Bruce Schneier, a globally recognised security expert, the lack of knowledge regarding which organisations were targeted reduces people’s trust in the Internet across the board. In an email response, Schneier wrote, “Symantec has an obligation to disclose the identities of those attacked. By leaving this information out, Symantec is harming us all. We all have to make decisions on the Internet all the time about who to trust and who to rely on. The more information we have, the better we can make those decisions.”

Looking at it in the other direction, it is not apparent whether the government has asked Symantec and Kaspersky for more information and a disclosure of who the targets were. After all, if government systems were breached, it is a matter of national security. If the government has indeed reached out and received more information, it has an obligation to let the public know.

What other governments and private companies are belatedly learning is that it is better to proactively disclose the breaches before the information gets out through other parties. When US retailer Target came under attack, its data breach was first revealed by security reporter Michael Krebs. Target was criticised for not coming forth itself and faced several lawsuits. In the US, most states and jurisdictions have laws that require companies to disclose data breaches, although transparency advocates point out that there is great variation on how long companies can wait to disclose and what events trigger a mandatory disclosure. In Europe, telecoms and Internet Service Providers must report a breach within 24 hours and other organisations have 72 hours.

India has no mandatory disclosure law in the case of data breaches at government or private organisations, Prakash said. It is something that CIS supports and had proposed since 2011, he added.

According to Schneier, a mandatory disclosure law would also be valuable if confidentiality agreements would otherwise prevent a security firm such as Symantec from disclosing names of targets.

Finally, private companies need to understand that they are not doing themselves any favours by remaining silent on the matter. Even if Suckfly or its clients do not use the information they may have gained, the lack of disclosure by the targets will weaken trust in online commerce and financial transactions, says Prakash. For example, looking at e-commerce, while it is true that e-commerce has grown rapidly in India, a study in 2014 by YourStory and Kalaari Capital found that lack of trust and doubt about online security were hurdles for 80% of people who had never made an online purchase.

When an organisation lets the public know that it has been breached, users of the service or site can evaluate what action they need to take. For example if a person uses the same password across multiple sites, they would know they needed to change the password at the other sites. Depending on the breach they would also be able to alert credit card companies as well as friends and family.

As the KPMG report states, cyber attacks are only going to become more common. Despite multiple warnings, the response on the part of the Indian government and private organisations has been quite underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover from them.

For more details visit https://cis-india.org/internet-governance/news/the-week-sushil-kambampati-september-21-2016-india-is-unprepared-for-future-cyber-attacks

Workshop on Big Data in India: Benefits, Harms, and Human Rights (Delhi, October 01)

vanya — 2016-09-28T05:53:55Z

CIS welcomes you to participate in the workshop we are organising on Saturday, October 01 at India Habitat Centre, Delhi, to discuss benefits, harms, and human rights implications of big data technologies, and explore potential research questions. A quick RSVP will be much appreciated.

Workshop invitation: Download (PDF)

Workshop agenda: Download (PDF)

In the last few years, there has been an emergence of the discourse of big data viewing it as an instrument not just for ensuring efficient, targeted and personalised services in the private sector, but also for development, social and policy research, and formalising and monetising various sections of the economy. This possibility is premised upon the idea that there is great knowledge that resides in both traditional and new forms of data made possible by our digital selves, and that we may now have the capability to tap into that knowledge for insights across diverse sectors like healthcare, finance, e-governance, education, law enforcement and disaster management, to name but a few. Alongside, various commentators have also pointed to the new problems and risks that big data could create for privacy of individuals through greater profiling, for free speech and economic choice by strengthening monopolistic tendencies, and for socio-economic inequalities by making existing disparities more acute and facilitating algorithmic bias and exclusion.

From a regulatory perspective, big data technologies pose fundamental challenges to the national data regulatory frameworks that have existed since many years. The nature of collection and utilisation of big data, which is often not driven by immediate purpose of the collected data, conflict with the principles of data minimisation and collection limitation that have been integral to data protection laws globally. This compels us to revisit existing theories of data governance. Additionally, use of big data in public decision-making highlights the question of how algorithmic control and governance must be regulated. This raises concerns around taking determining a balanced position that recognises the importance of big data, including for development actions, and ensures unhindered innovation with simultaneous focus on greater transparency and anonymisation to protect individual privacy, and various big data risks faced by population groups. In order to answer these questions, we need to begin with identifying the different harms and benefits of big data that could arise through its use across sectors and disciplines, especially in the context of human rights.

This workshop is designed around an extensive study of current and potential future uses of big data for governance in India that CIS has undertaken over the last year. The study focused on key central government projects and initiatives like the UID project, the Digital India programme, the Smart Cities Challenge, etc.

We will initiate the workshop with a detailed presentation of our findings and key concerns, which will then shape the discussion agenda of the workshop. We look forward to discuss aspects of big data technologies through the entry points of harms, opportunities, and human rights.

The final session of the workshop will focus on identifying key research questions on the topic, and exploring potential alliances of scholars and organisations that can drive such research activities.

We look forward to making this a forum for knowledge exchange for our friends and colleagues attending the discussion and discuss the opportunity to for potential collaboration.

RSVP: Please send an email to Ajoy Kumar at <ajoy@cis-india.org>.

Organisers: Amber Sinha <amber@cis-india.org> and Sumandro Chattapadhyay <sumandro@cis-india.org>.

For more details visit https://cis-india.org/internet-governance/events/big-data-in-india-benefits-harms-and-human-rights-oct-01-2016

Glaring Errors in UIDAI's Rebuttal

pranesh — 2016-09-18T03:22:32Z

This response note by Pranesh Prakash questions Unique Identification Authority of India’s reply to Hans Verghese Mathews' article titled “Flaws in the UIDAI Process” (EPW, March 12, 2016), which found “serious mathematical errors” in the article.

The article was published in Economic & Political Weekly Vol. 51, Issue No. 36, September 3, 2016.

While I am not a statistician, I have followed the technical debate between Hans Verghese Mathews and the UIDAI closely, and see a number of glaring errors in the latter’s so-called rebuttal in EPW (March 12, 2016).

The UIDAI alleges Mathews to have ignored the evidence that the Receiver Operating Characteristic (ROC) "flattens" with more factors. However, Mathews cannot be accused of ignorance if the flattening of the ROC is not relevant to his argument. To explain this in simple terms, the ROC curve is used to choose the appropriate "threshold distance" which determines false positives and false negatives, and belongs to a stage which precedes the estimation of the false positive identification rates (FPIR).

However, Mathews has used the FPIR estimates provided by the UIDAI (based on evidence from the enrolment of 84 million persons), and calculated how the FPIR changes when extrapolated for a population of 1.2 billion persons. In other words, he did not need to look at the ROC curve as that factor is not relevant to his argument, since he has used UIDAI data (which has presumably been estimated on the basis of all 12 factors : 10 fingerprints and 2 irises).

Further, UIDAI asks why Mathews has assumed a linear curve for his extrapolation. Mathews has done no such thing. In fact, in their paper "Role of Biometric Technology in Aadhaar Enrollment," the UIDAI states: "FPIR rate grows linearly with the database size" (nd, 19). Thus, this is an assumption formerly made by them (without providing rationale for it to be a linear curve as opposed to anything else). Mathews mathematically derives bounds for the FPIR in his paper, that is, the range within which the FPIR lies. One gets a linear curve only if they use the upper bound and not on the usage of anything else. So while Mathews does, as he explains, provide the results of the calculation based on the upper bound for the sake of simplicity, he nowhere asserts nor assumes a linear curve.

If, as the UIDAI claims, one cannot perform such an extrapolation and needs to depend on “empirical evidence” instead, the question arises as to how the UIDAI decided to scale up the programme to 1.3 billion people given the error rates. One could also ask if the machines being used to capture biometrics are good enough for the enlargement. Surely they would have performed some extrapolations to decide this.

In their paper they note that "although it [FPIR] is expected to grow as the database size increases, it is not expected to exceed manageable values even at full enrolment of 120 crores" (UIDAI nd, 13). They do not illustrate the extent to which the FPIR is expected to grow—neither in their initial paper, nor in their rebuttal to Mathews—whereas Mathews provides a method of estimating the increase of FPIR. Even if UIDAI is correct in its appraisal of FPIR and that it will not exceed "manageable values," they need to either exemplify their calculations or release the latest data. They have done neither, and that is quite unfortunate.

References

UIDAI (nd): “Role of Biometric Technology in Aadhaar Enrollment,” Unique Identification Authority of India, Government of India, New Delhi, viewed on 18 August 2016, https://uidai.gov.in/images/FrontPageUpdates/role_of_biometric_technology

Related Links

Flaws in the UIDAI Process http://www.epw.in/journal/2016/9/special-articles/flaws-uidai-process.html
Erring on Aadhaar http://www.epw.in/journal/2016/11/discussion/erring-aadhaar.html
Request for Specifics http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-u...
Glaring Errors in UIDAI's Rebuttal http://www.epw.in/journal/2016/36/documents/glaring-errors-uidais-rebutt...
Overlooking the UIDAI Process http://www.epw.in/journal/2016/36/documents/response-hans-verghese-mathe...

For more details visit https://cis-india.org/internet-governance/blog/glaring-errors-in-uidai-rebuttal-epw

India's Aadhaar mandate for smartphone makers may rile global firms

praskrishna — 2016-09-15T02:25:31Z

They are unlikely to oblige to request to make changes in their operating system and devices to ensure Aadhaar authentication is done securely on smartphones.

The article by Alnoor Peermohammed was published in the Business Standard on September 14, 2016. Sunil Abraham was quoted.

India is asking global smartphone makers such asApple and Google to adopt locally designed standards on their devices or operating systems that would allow use of biometric scanners for Aadhaarauthentication, a move that could face resistance from global firms.

Apple, the world’s largest smartphone maker runs its own iOS closed ecosystem and mandates apps built by developers to be certified by the company. Its closest rival Google, which owns the Android operating software that runs on nine out of ten smartphones in India, has directives for device makers to comply with. Firms such as Samsung, Lenovo and Micromax build smartphones on the Android OS that are sold in India.

Most global companies are unlikely to oblige India’s request that would require to make changes in their operating system and devices to ensure Aadhaarauthentication is done securely on smartphones, say analysts.

“There is no clarity so far. As of now, it is impossible that they (global smartphone makers) would oblige for a hardware safe zone baked on the sensors,” says Sunil Abraham, executive director at Centre for Internet and Society, a Bengaluru-based researcher that works on emerging technologies. “Because the biometrics contain sensitive personal information, they (UIDAI) don’t want anybody — vmobile manufacturer, OS vendor, telco or ISP — to intercept it”.

India is hoping that global firms would accept the country’s plea considering that most of India’s population use a mobile phone as their only computing device and need them to authenticate on Aadhaar for using government and banking services.

“Right now we’re in consultation with all these device manufacturers as well as the operating system vendors,” said Ajay Bhushan Pandey, Director General of the Unique Identification Authority of India (UIDAI) in a phone interview. “Basically we’re trying to evolve our system wherein a manufacturer or the devices where those operating systems are being used will have a facility where Aadhaar authentication can be made possible in a secure manner.”

India has over 105 crore people or 98% of adult population with Aadhaar. Most government and private organisations use Aadhaar authentication to issue services or products such as opening a bank account, getting a ration card or buying a mobile connection.

Reliance plans to reduce paperwork and issue connections in less than an hour usingAadhaar and try to get its 100 million target market sooner.

Over a fifth of India’s one billion users own smartphones and as the country sees better mobile internet access, more people are expected to upgrade to smartphones and use apps to access their banks to transfer funds, do online shopping and access government services.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohammed-september-14-2016-indias-aadhaar-mandate-for-smartphone-makers-may-rile-global-firms

SpaceX Explosion Slows Facebook & Israeli Efforts To Control Online Content

praskrishna — 2016-09-14T11:24:47Z

In their ‘space race’ to expand internet access to remote, impoverished areas of the world, Facebook and Google are actually vying for control o fthe online experiences of millions of people.

The article by Kit O' Connell published by Mint Press News on September 13, 2016 has quoted Pranesh Prakash.

When a rocket operated by space startup SpaceX burned up on the launch pad, it was a setback to the prospects of commercial space travel, as well as efforts by Facebook to control the online experiences of millions of rural internet users.

Facebook’s project, Internet.org, is described by founder Mark Zuckerberg in charitable terms, but critics have accused it of spreading “techno-colonialism.”

The Sept. 1 fire in Cape Canaveral, Florida, destroyed a $200 million satellite owned by SpaceCom, an Israeli communications satellite firm, and co-leased by Facebook. The satellite, Amos-6, was built by Israel Aerospace Industries, a government-owned aviation and aerospace manufacturer.

Facebook’s partnership with SpaceCom is another sign of the corporation’s deepening ties with Israel. In June, Facebook appointed Jordana Cutler, a close advisor to Israeli Prime Minister Benjamin Netanyahu, as head of policy and communications at Facebook’s Israeli office.

Another setback for Facebook’s Internet.org

“Facebook was counting on [the satellite] to beam internet service to sub-Saharan Africa as part of its ambitious Internet.org project,” noted Will Oremus, Slate’s senior technology writer.

The Los Angeles Times reported that SpaceCom’s stock fell 9 percent on the Tel Aviv Stock Exchange after the explosion. Zuckerberg shared his dismay in a post on his facebook page, writing:

“As I’m here in Africa, I’m deeply disappointed to hear that SpaceX’s launch failure destroyed our satellite that would have provided connectivity to so many entrepreneurs and everyone else across the continent.”

Internet.org would help users get online in areas lacking conventional internet access, and the service, which works in partnership with local mobile phone companies, has launched, at least provisionally, in 48 countries in Africa, Asia, and Latin America. In addition to satellites, Internet.org plans to use cutting edge solar-powered drones to expand internet access in remote parts of the world.

The service is not without controversy, though. An offering called “Free Basics” would provide users who can’t afford full internet access with a curated selection of websites, tailored for use on low bandwidth devices such as older smartphones. Free Basics generated international protests after it was rolled out in India, and was eventually blocked by the Telecom Regulatory Authority of India in March 2015 for violating the principle of net neutrality.

In a May 12 analysis for The Guardian, Mumbai-based journalist Rahul Bhatia suggested the failure of Free Basics was also due to Zuckerberg’s dismissive attitude toward the Indian government and people.

An unnamed Facebook executive told Bhatia that Zuckerberg made the “mistake of thinking that a third-world country is a banana republic. So institutions, the public, the press — they can be bypassed.”

Colonialism or philanthropy?

Indian students gather for a protest against Facebook’s “Free Basics” in Hyderabad, India. A central element of Facebook’s Internet.org campaign was controversial even before it was shut down in a key market this month. Indian regulators banned one of the pillars of the campaign, a service known as Free Basics, because it provided access only to certain pre-approved services – including Facebook – rather than the full Internet.

Google and its parent company, Alphabet, also intend to spread internet to rural, underserved areas through the unique balloon-based Project Loon. Tech site Pocket-Lint reported in March 2015 that SpaceX hoped to offer internet service through its satellites, in what reporter Luke Edwards called an “internet space race.”

Pranesh Prakash, a representative of the Centre for Internet & Society, an NGO based in Bangalore, India, questioned the company’s motivation in a June 2015 interview with Al-Jazeera.

“They’re doing it out of their self-interest,” Prakash told Tarek Bazley, Al-Jazeera’s science and technology editor.

“They are not doing it because they are charities, because they believe in altruism etc. They’re doing it because having more people online benefits them.”

And Aral Balkan, a human rights activist, told Bazley, “I wouldn’t call it philanthropy I would call it colonialism.”

In an August 2013 post on his homepage, Balkan went into more detail about his “strong reservations about why Google and Facebook want to be the ones providing this service.”

Noting that both tech corporations profit primarily from collecting and selling information about their users, he continued:

“Google and Facebook want to give everyone access to the Internet because they need more raw materials. More data. Your data. So they can cultivate more Digital Serfs to sell to their customers.”

For more details visit https://cis-india.org/internet-governance/news/mint-pressnews-september-13-2016-kit-o-connell-spacex-explosion-slows-facebook-israeli-efforts-to-control-online-content

How does the government track all its legal cases?

praskrishna — 2016-09-14T10:17:07Z

The Legal Information Management and Briefing System , an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government.

The article by Shreeja Sen published by Livemint on September 13, 2016 has quoted Sunil Abraham.

More than one lakh cases currently exist on a law ministry platform curated in the last 13 months.The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.

Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.

“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.

According to the government, the project will help reduce delays in filing responses in cases , contempt notices because of such delays and consequent monetary penalties.

The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.

“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.

The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.

As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.

As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4452), environment (3,189) and defence (2,565).

Every day, nearly 400-500 cases are added to the portal. In all 58 ministries and their 202 departments have been brought under the LIMBS project.

For more details visit https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases

CYFY 2016 - The India Conference on Cyber Security and Internet Governance

praskrishna — 2016-09-13T15:23:59Z

Sunil Abraham will participate as a panelist at CYFY 2016 event organized by Observer Research Foundation in New Delhi from September 28 to 30, 2016.

Into its fourth edition this year, CyFy: The India Conference on Cyber Security and Internet Governance has emerged as a global platform to discuss, debate and deliver digital policy solutions. CyFy 2015 featured nearly 110 participants from over 33 countries, with nearly 800 delegates in attendance. Prominently, the conference sessions featured several experts from Africa and the Asia Pacific, who addressed the policy priority of connecting the next billion. The 2016 iteration of CyFy will highlight the political, economic and strategic questions that underpin this imperative.

Download the Agenda

See the announcement on CYFY website or write to Samir Saran at ssaran@orfonline.org or Arun at arun.sukumar@orfonline.org for more details on the conference.

For more details visit https://cis-india.org/internet-governance/news/cyfy-2016-the-india-conference-on-cyber-security-and-internet-governance-4th-edition

The DigiLocker was supposed to cut down paperwork but less than 0.1% of Indians are using it

praskrishna — 2016-09-12T01:59:44Z

The official data shows that the platform has not enthused as many users as the government expected.

The blog post by Mayank Jain was published by Scroll.in on September 12, 2016. Sunil Abraham was quoted.

The government has been working hard to make all of India go digital – but its initiatives don't seem to be having the desired effect. Not yet anyway.

DigiLocker was launched in July last year as a secure platform for Indian citizens to store and access their documents on an electronic repository provided by the government of India. This is one of the major planks of the Digital India programme – which aims to take government services online and make the entire country digitally literate – but it does not seem to have enthused too many so far.

To popularise it further, the government on Wednesday integrated it with the Ministry of Road Transport and Highways to allow people to store a digital version of their driving licence and vehicle documents on the DigiLocker, sparing them the trouble of having to keep the hard copies on them at all times.

More than a year since its release, the platform has about 1.1 million people signed up as users, according to the official statistics on the DigiLocker website.

This might seem like an impressive number – but compare it to the country’s population of about 1.21 billion, or even its internet-using population of 350 million – and it becomes a drop in the ocean.

As this chart shows, only 0.09% of Indians are on DigiLocker – this is less than one user per 1,000 people in the country. DigiLocker is being used by 0.33% of the online population in the country, which implies that there are 33 users per 10,000 people on the internet from India.

Digital dreams

When it was launched by the Department of Electronics and Information Technology, the government had envisaged a cloud-based and secure storage platform that would cover the entire population, make it easier to procure and access important documents – including mark sheets, degrees and tax papers – and reduce paperwork as well as save time.

“In effect Digital Locker will touch every citizen's life by bringing in lot of convenience and therefore fulfilling the government's vision of a citizen centric governance model of providing services at the door-step of citizens,” the government said in a press release when the locker reached one lakh users in the first 100 days of its launch.

While the official website claims that the number of users is now about 2.1 million, the state-wise figures add up to only 1.1 million people on the platform.

Among the states, Maharashtra has most DigiLocker users in absolute numbers (more than 1 lakh), while Arunachal, Nagaland and Mizoram have less than 1,000 users each.

When the population of each state is taken into account, however, the picture changes. When adjusted for population, a mere 0.7% Sikkim’s population uses the service – and this is the highest percentage among Indian states. Maharashtra, with the highest number of DigiLocker users, has a much lower percentage of those on the service – 0.12%. The national capital, meanwhile, has just 0.17% of its population on the service.

Lock up

Citizens can use DigiLocker to store up to 10 megabytes of personal documents online.

Since the 10MB storage isn’t enticing enough, considering that internet users can avail themselves of at least 1GB of storage for free through private services such as Google Drive or Dropbox, the government is trying to push usage by integrating several departments with the service and allowing users to access more documents in real time from anywhere.

Among those enrolled so far include the road transport ministry, Maharashtra’s department of registry and stamps and educational bodies such as the Central Board of Secondary Education, which is now trying to release mark sheets and results of competitive exams online.

Though the government hoped that these initiatives would increase its usage, technical glitches have prevented several people from using the service.

A student who gave her National Engineering Entrance Exam this year spoke to Scroll.in about why she didn't sign up for DigiLocker even though her results were released on the platform.

“They allowed us to access results instantly on the platform but it required a sign up using the Aadhaar number,” a student, said on the condition of anonymity. “I tried signing up thrice using my phone number but never received the one-time password and then my Aadhaar verification didn’t go through so I could never sign up.”

The service is linked to the government's biometric-based Aadhaar identification system, but it is not mandatory to have an Aadhaar number, according to the website.

Privacy concerns

Another reason why people are hesitant to sign up for the service are privacy concerns about storing important and private documents on a central repository.

“Any large linked database with personal information is a serious threat to citizen’s data,” G Nagarjuna, a researcher at the Homi Bhabha Centre for Science Education in Mumbai told Scroll.in earlier. “There exists no agency that could secure their data till date without any possibilities of data theft.”

Experts said storing private information, such as biometric and passport data, on the service could pose security and privacy concerns.

Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society told Scroll.in over email that the project can have serious consequences if it is not encrypted well.

“Unless the cryptography and architecture is organised in such a manner that only the citizens will have access, there can be very serious consequences for the individual’s right to privacy,” he said.

Internal resistance

Those working for the project said the usage of the locker is going to go up if more government departments start issuing documents digitally to the locker, instead of handing over hard copies, as this will prompt users to sign up.

If the usage has to be increased, more departments need to come on board and start releasing documents digitally, said Debabrata Nayak, additional director of the National E-Governance Division, which implemented the project.

“It’s only when more departments start implementing digitisation and issuing digital documents that we will see a jump in the number of users because Digital Locker is pushed like that,” Nayak said, adding that National E-Governance Division is facing a fair bit of resistance from the departments.

“But not all departments are doing it yet because it requires a massive change in their work processes and we are trying to get them on board.”

Aadhaar woes

DigiLocker is designed as a push as well as pull service, which means that it should allow departments to issue as well as request documents from users. For this, users need to link their Aadhaar numbers to the locker. This is proving to be a problem, because most departments are not linking the documents they release to Aadhaar just yet, and not all users are registered with the unique identification system.

Moreover, the validity of Aadhaar is under question in the Supreme Court over privacy concerns voiced by the civil society.

An activist had moved the Supreme Court last year over the government making the Aadhaar number mandatory to sign up for DigiLocker. While the petition was quashed on procedural grounds, the government quickly moved to allow users to sign up without their Aadhaar numbers. However, the usability of the locker is restricted for such users.

Nayak said that non-Aadhaar-linked users can only upload their own documents on the system, without being able to use any other facility that DigiLocker claims to provide.

“Earlier Aadhaar was necessary but we changed it because people demanded access, but for most services, like getting government documents or requesting documents, it’s [Aadhaar] necessary,” he said. Nayak said this is because Aadhaar is the only way the government can identify the person who is being issued documents.

So what can one do without an Aadhaar on the DigiLocker?

“Without Aadhaar you can dump your garbage in it, which means you can upload your own files on the digital locker system,” Nayak said, “but why would you do that if you have Google Drive and Dropbox-like services?”

For more details visit https://cis-india.org/internet-governance/news/scroll.in-mayank-jain-september-12-2016-the-digilocker-was-supposed-to-cut-down-paperwork

Despite SC order, thousands booked under scrapped Sec 66A of IT Act

praskrishna — 2016-09-07T15:31:18Z

College student Danish Mohammed’s arrest this March under the scrapped Section 66A of the Information Technology Act for allegedly sharing a morphed picture of RSS chief Mohan Bhagwat wasn’t an exception.

The article by Aloke Tikku was published in the Hindustan Times on September 7, 2016. Sunil Abraham was quoted.

Police arrested more than 3,000 people under the section in 2015, triggering concerns that the law was abused well after it was struck down by the Supreme Court in March last year. The top court had ruled Section 66A violated the constitutional freedom of speech and expression.

The exact number of people arrested after it was scrapped is not available. But the National Crime Records Bureau’s (NCRB) Crime in India report released last month shows 3,137 arrests under the section in 2015 against 2,423 the previous year.

On an average, four people were arrested every 12 hours in 2015 as compared to three in 2014.

“I am shocked,” said Supreme Court lawyer Karuna Nundy, who represented the People’s Union for Civil Liberties, among the petitioners in Supreme Court seeking removal of Section 66A.

“Making sure that our guardians of law know their law is absolutely basic... Whether it is training or notifying every police officer, we need action on it immediately,” she said.

It is unlikely that all 3,000-plus arrests were made before the provision was struck down in March. Sunil Abraham, executive director of the Bengaluru-headquartered advocacy group Centre for Internet and Society, said it was obvious that the police had not made these arrests before the SC ruling.

Lawyer Manali Singhal said once the Supreme Court struck off a provision of law, “any arrest under that provision would be per se illegal and void”.

Police also appeared to be on an overdrive to file charge sheets against people booked before the SC verdict – in 1,500 cases last year, almost twice the 2014 figure.

NCRB statistics suggest that trials too did not end.

There were 575 people still in jail on January 1, 2016, twice as many as the 275 in prison when the law was in force a year earlier. In 2015, the courts also convicted accused in 143 cases.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-september-7-2016-despite-sc-order-thousands-booked-under-scrapped-sec-66a-of-it-act

Indians Ask: Is Visiting a Torrent Site Really A Crime?

subha — 2016-09-06T14:09:26Z

India has banned various large-scale torrent sites for a long time — this is old news. But under a new federal policy in India, one can be jailed for three years and fined 300,000 Indian Rupees (~US $4464) for downloading content on any of these blocked websites.

The blog post was first published in Global Voices on September 5, 2016.

Netizens who regularly use these and similar services have become anxious about what the rule may mean for them. Last week, a new legal notice concerning copyright violations sparked widespread rumors that users could be penalized for simply viewing torrent sites.

The notice now appears when one visits any of the banned websites. It reads:

This URL has been blocked under the instructions of the Competent Government Authority or in compliance with the orders of a Court of competent jurisdiction. Viewing, downloading, exhibiting or duplicating an illicit copy of the contents under this URL is punishable as an offence under the laws of India, including but not limited to under Sections 63, 63-A, 65 and 65-A of the Copyright Act, 1957 which prescribe imprisonment for 3 years and also fine of upto Rs. 3,00,000/-. Any person aggrieved by any such blocking of this URL may contact at urlblock@tatacommunications.com who will, within 48 hours, provide you the details of relevant proceedings under which you can approach the relevant High Court or Authority for redressal of your grievance.

Soon after news of the notice began to circulate, the Chennai High Court – one of the oldest courts in India — issued a John Doe order to block as many as 830 websites, including several torrent websites such as thepiratebay.se, torrenthound.com, and kickasstorrents.come.in.

Indian tech news portal Medianama published a blog post arguing that it is the downloading of pirated content from certain banned websites and not accessing those website that should lead to the legal issues. The problem, it seems, lies in the poor wording of the notice. Medianama described this as “bizarre by any rational standard” and noted that, taken literally, it does not comply with the Indian Copyright Act. Digital piracy legislation in India has been modified quite a lot in the recent times in general and over last five years in particular (Sections 63, 63A and 65 of the Indian Copyright Act of 1957 in particular.) But it has not been implemented with such force in the past.	What is a torrent? A torrent is part of a system that enables peer-to-peer file sharing (“P2P”) that is used to distribute data and electronic files over the Internet. Known as BitTorrent, this file distribution system is one of the most common technical protocols for transferring large files, such as digital audio files containing TV shows or video clips or digital audio files containing songs. Within this system, files labeled with the .torrent extension contain meta data about files — e.g. file names, their sizes, folder structure and cryptographic hash value for integrity verification. They do not contain the content to be distributed, but without them, the system does not work. (via Wikipedia)

This is not the first time India has put a blanket ban on such sites. In December 2014, 32 websites — including including code repository Github, video streaming sites Vimeo and Dailymotion, online archive Internet Archive, free software hosting site Sourceforge — were banned in India. They were later unblocked after agreeing to remove some ISIS-related content.

As they have in the past, tech-savvy netizens began suggesting hacks to mask or fake one's IP address. Sumiteshwar Choudhary, a practicing criminal and matrimony lawyer, described on Quora how the law had existed for quite some time but the government had never fully enforced it:

[..] The only reason that India has not been able to successfully ban these services is because the servers rest outside India and we don’t have any law to extend our jurisdiction to that extent today. As an end user if you download a pirated version of things you are not entitled to, you can be booked criminally under this Act and can face prison for up to 2 years…

Twitter user Prisma Mama Thakur criticized the ban, arguing that it should be a low priority in a moment when India has many other important problems to solve:

For more details visit https://cis-india.org/internet-governance/blog/global-voices-september-5-2016-subhashish-panigrahi-indians-ask-is-visiting-a-torrent-site-really-a-crime

Talking Point: Futile Battle Against Torrents

praskrishna — 2016-09-01T14:36:01Z

Sunil Abraham spoke to Deccan Herald to clear the air about rumours surrounding a jail threat for those logging on to Torrent sites.

Video

This was originally published by Deccan Herald on August 30, 2016

For more details visit https://cis-india.org/internet-governance/news/talking-point-futile-battle-against-torrents