We are anonymous, we are legion

Report on Understanding Aadhaar and its New Challenges

Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock — 2019-03-16T04:42:52Z

The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.

Report: Download (PDF)

This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural issues with passage of the Act
Status of related litigation

3. National Identity Projects in Other Jurisdictions

Pakistan
United Kingdom
Estonia
France
Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication
Architectures of Identification
Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion
Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A Workshop Agenda

Annexure B Workshop Participants

1. Brief Background of the UID Project

In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.

The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.

2. Legal Status of the UIDAI Project

In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.

Procedural Issues with Passage of the Act

The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.

The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. [1].

where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”

However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.

Status of Related Litigation

A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of KS Puttuswamy v. Union of India [2] which limited the use of Aadhaar. We have reproduced the presentation below.

KS Puttuswamy v. Union of India - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.
Sudhir Vombatkere & Bezwada Wilson [3] - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.
Aruna Roy & Nikhil Dey [4] - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:
Col. Mathew Thomas [5] - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).
Nagrik Chetna Manch [6] - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial inclusion.
S. Raju [7] - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.
Beghar Foundation - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.
Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.
Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.
Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.
Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.

Relevant Orders of the Supreme Court

There are six orders of the Supreme Court which are noteworthy.

Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.
Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.
Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of UIDAI v CBI [8] wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.
Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.
Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.
Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.

Status of these orders
The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.

3. National Identity Projects in Other Jurisdictions

A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.

Pakistan

The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:

Voting
Obtaining a passport
Purchasing vehicles and land
Obtaining a driver licence
Purchasing a plane or train ticket
Obtaining a mobile phone SIM card
Obtaining electricity, gas, and water
Securing admission to college and other post-graduate institutes
Conducting major financial transactions

Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)

United Kingdom

The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”

Estonia

The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:

As a national ID card for legal travel within the EU for Estonian citizens
As the national health insurance card
As proof of identification when logging into bank accounts from a home computer
For digital signatures
For i-voting
For accessing government databases to check one’s medical records, file taxes, etc.
For picking up e-Prescriptions
(This system is also operational in the country and has not been removed)

France

The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.

Argentina

Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)

4. Technologies of Identification and Authentication

The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.

Use of Biometric Information for Identification and Authentication

The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.

Architectures of Identification

The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.

Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.

The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.

The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.

Under the UID Project, for the purpose of information security, Authentication User Agencies (“AUA”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.

All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.

Security Infrastructure of CIDR

The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.

The security and privacy infrastructure of UIDAI has the following main features:

2048 bit PKI encryption of biometric data in transit
End-to-end encryption from enrolment/POS to CIDR
HMAC based tamper detection of PID blocks
Registration and authentication of AUAs
Within CIDR only a SHA 1 Hash of Aadhaar number is stored
Audit trails are stored SHA 1 encrypted. Tamper detection?
Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)
Authentication requests have unique session keys and HMAC
Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys
All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)
All accesses through a hardware security module
All analytics carried out on anonymised data

The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.

The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.

5. Aadhaar for Welfare?

The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.

Social Welfare: Modes of Access and Exclusion

Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries [9]. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.

Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.

In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.

The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.

It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.
The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.

A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.

Financial Inclusion and Direct Benefits Transfer

The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.

The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.

6. Surveillance and UIDAI

The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.

There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.

It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.

7. Strategies for Future Action

The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.

Prepare and compile an anthology of articles as an output of this workshop.
Prepare position papers on specific issues related to the UID Project
Prepare pamphlets/brochures on issues with the UID Project for public consumption
Prepare counter-advertisements for Aadhaar
Publish existing empirical evidence on the flaws in Aadhaar.
Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.
Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.
Create groups dedicated to research and advocacy of specific aspects of the UID Project.
Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.
Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance.
The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project
Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.
Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues.
Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project.
Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media.
Plan a national social audit and public hearing on the working of UID Project in the country.
File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court.
Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.
Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.

Annexure A – Workshop Agenda

May 26, 2016

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Session 1: Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Session 2: Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Session 3: Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Session 4: Aadhaar - International Dimensions Joshita Pai, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in Other Parts of the World Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea

May 27, 2016

9:30-11:00	Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:00	Session 6: Aadhaar - Broad Issues I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-14:00	Lunch
14:00-15:30	Session 7: Aadhaar - Broad Issues II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Session 8: Conclusion
16:00-18:00	Informal Meetings

Annexure B – Workshop Participants

Anjali Bhardwaj, Satark Nagrik Sangathan

Dr. Anupam Saraph

Arjun Jayakumar, Software Freedom Law Centre

Ashok Rao, Delhi Science Forum

Prof. Chinmayi Arun, National Law University, Delhi

Prof. Dinesh Abrol, Jawaharlal Nehru University

Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai

Dr. Gopal Krishna, Citizens Forum for Civil Liberties

Prof. Himanshu, Jawaharlal Nehru University

Japreet Grewal, the Centre for Internet and Society

Joshita Pai, National Law University, Delhi

Malini Chakravarty, Centre for Budget and Governance Accountability

Col. Mathew Thomas

Prof. MS Sriram, Indian Institute of Management, Bangalore

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Prabir Purkayastha, Knowledge Commons and Free Software Movement of India

Pukhraj Singh, Bhujang

Rajiv Mishra, Jawaharlal Nehru University

Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai

Dr. Reetika Khera, Indian Institute of Technology, Delhi

Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali

S. Prasanna, Advocate

Sanjay Kumar, Science Journalist

Sharath, Software Freedom Law Centre

Shivangi Narayan, Jawaharlal Nehru University

Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi

Sumandro Chattapadhyay, the Centre for Internet and Society

Dr. Usha Ramanathan, Legal Researcher

Note: This list is only indicative, and not exhaustive.

[1] Civil Appeal No. 4853 of 2014

[2] WP(C) 494/2012

[3] . WP(C) 829/2013

[4] WP(C) 833/2013

[5] WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)

[6] WP (C) 932/2015

[7] Transferred from Madras HC 2013.

[8] SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.

[9] See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners

For more details visit https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges

We Truly are the Product being Sold

vidushi — 2016-09-01T02:08:37Z

WhatsApp has announced it will begin sharing user data such as names, phone numbers, and other analytics with its parent company, Facebook, and with the Facebook family of companies. This change to its terms of service was effected in order to enable users to “communicate with businesses that matter” to them. How does this have anything to do with Facebook?

The article was published in the Hindustan Times on August 31, 2016.

WhatsApp clarifies in its blog post, “... by coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook’s systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them.”

WhatsApp’s further clarifies that it will not post your number on Facebook or share this data with advertisers. This means little because it will share your number with Facebook for advertisement. It is simply doing indirectly, what it has said it won’t do directly. This new development also leads to the collapsing of different personae of a user, even making public their private life that they have so far chosen not to share online. Last week, Facebook published a list of 98 data points it collects on users. These data points combined with your WhatsApp phone number, profile picture, status message, last seen status, frequency of conversation with other users, and the names of these users (and their data) could lead to a severely uncomfortable invasion of privacy.

Consider a situation where you have spoken to a divorce lawyer in confidence over WhatsApp’s encrypted channel, and are then flooded with advertisements for marriage counselling and divorce attorneys when you next log in to Facebook at home. Or, you are desperately seeking loans and get in touch with several loan officers; and when you log in to Facebook at work, colleagues notice your News Feed flooded with ads for loans, articles on financial management, and support groups for people in debt.

It is no secret that Facebook makes money off interactions on its platform, and the more information that is shared and consumed, the more Facebook is benefitted. However, the company’s complete disregard for user consent in its efforts to grow is worrying, particularly because Facebook is a monopoly. In order for one to talk to friends and family and keep in touch, Facebook is the obvious, if not the only, choice. It is also increasingly becoming the most accessible way to engage with government agencies. For example, Indian embassies around the world have recently set up Facebook portals, the Bangalore Traffic Police is most easily contacted through Facebook, and heads of states are also turning to the platform to engage with people. It is crucial that such private and collective interactions of citizens with their respective government agencies are protected from becoming data points to which market researchers have access.

Given Facebook’s proclivity for unilaterally compromising user privacy, the Federal Trade Commission (FTC) in 2011 charged the company for deceiving consumers by misleading them about the privacy of their information. Following these charges, Facebook reached an agreement to give consumers clear notice and obtain consumers’ express consent before extending privacy settings that they had established. The latest modification to WhatsApp’s terms of service seems to amount to a clear violation of this agreement and brings out the grave need to treat user consent more seriously.

There is a way to opt out of sharing data for Facebook ads targeting that is outlined by WhatsApp on its blog, which is the best example for a case of invasion-of-privacy-by-design. WhatsApp plans to ask the users to untick a small green arrow, and then click on a large green button that says “Agree” (which is the only button) so as to indicate that they are opting-out. The interface of the notice seems to be consciously designed to confuse users by using the power of default option. For most users, agreeing to terms and conditions is a hasty click on a box and the last part of an installation process. Predictably, most users choose to go with default options, and this specific design of the opt-out option is not meaningful at all.

In 2005, Facebook’s default profile settings were such that anyone on Facebook could see your name, profile picture, gender and network. Your photos, wall posts and friends list were viewable by people in your network. Your contact information, birthday and other data could be seen by friends and only you could view the posts that you liked. Fast forward to 2010, and the entire internet, not just all Facebook users, can see your name, profile picture, gender, network, wall posts, photos, likes, friends list and other profile data. There hasn’t been a comprehensive study since 2010, but one can safely assume that Facebook’s privacy settings will only get progressively worse for users, and exponentially better for Facebook’s revenues. The service is free and we truly are the product being sold.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-vidushi-marda-august-31-2016-we-truly-are-the-product-being-sold

Festival scan on social media

praskrishna — 2016-08-26T03:20:36Z

Authorities in a south Karnataka district have started keeping tighter watch on rumour-mongering and hate messages on social media platforms ahead of religious festivals.

The article was published in the Telegraph on August 26, 2016. Sunil Abraham was quoted.

Police in the communally sensitive Dakshina Kannada district have cautioned people not to start or circulate any hate message or rumours that could affect law and order.

"Anyone spreading rumours or hate messages can be charged under IPC Section 505 as we have all the technical capability to find out the origins of such messages," said Mangalore city police commissioner M. Chandra Sekhar.

This section is applied in the event of any statement or rumour with the intent to cause alarm among the public. "We do get several messages that later turn out to be a hoax," the officer said, citing instances of false rumours.

The officer exhorted citizens to alert the police the moment they get any such messages so that it could minimise or even prevent any damage, especially if the content is communally sensitive.

The district authorities have already ramped up police presence to prevent anything untoward in view of the activities of cow vigilantes who recently lynched a BJP worker for transporting calves in neighbouring Udupi district.

A source in the state police department hinted the measure could be replicated across the state, although other districts are not as communally sensitive like Dakshina Kannada.

The district - Mangalore is its administrative headquarters - had been in the thick of communal tension for decades.

Bhushan Gulabrao Borase, superintendent of police in charge of the Dakshina Kannada rural district, that is the rest of the district except Mangalore city, said keeping a watch on social media had become imperative. "Rural people may be using social media less frequently. But even then we need to be careful," he said.

Cow vigilantism by Hindutva groups is a major concern.

He said people could land in trouble for a seemingly harmless message if it causes some serious issue. "It is better not to start such messages. But it's also important not to forward if one receives them," said Borase.

Sunil Abraham, executive director of The Centre for Internet and Society, had a word of caution, although he appreciated the intent behind the police move.

"It's a reasonable approach if they stick to the scope of the law (Section 505). The problem is only if police overstep their limits, like we have seen on several occasions."

But he agreed there was a need to keep an eye on what goes on in social media since many users abuse messaging platforms like WhatsApp.

"What we don't want is a Nazi Germany where the wife is asked to spy on her husband and the son on the father. But we also don't want the opposite when citizens just ignore everything," he said, asserting that it was the duty of civil society to inform the police if they found anything dangerous being circulated.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-august-26-2016-festival-scan-on-social-media

Extending Aadhaar to more areas is a hare-brained idea, it should be dropped

praskrishna — 2016-08-24T03:05:01Z

News reports that the mandatory use of Aadhaar could be extended to a host of new areas are extremely disturbing. According to these reports, the Unique Identification Authority of India (UIDAI) has identified 20 new areas for which Aadhaar can be made mandatory. This includes registration of companies and NGOs, insurance, competitive examinations and property and vehicle registration.

The article by Seetha was published in First Post on August 23, 2016. CIS article by Pranesh Prakash and Amber Sinha was quoted.

If this happens, then it confirms the worst suspicions of all those who are opposed to Aadhaar – and this spans ideological divides – that it can be used to seriously compromise individual privacy.

A villager scanning fingerprint for Aadhaar. Reuters file photo

The defenders of Aadhaar – mainly the previous and current governments, the UIDAI and Nandan Nilekani, the father of the Aadhaar – have always argued that these concerns are exaggerated. They have pointed out that Aadhaar does not take any details that are not already in the public domain – name, date of birth and permanent address – and that the biometric data is not shared with any of the authorities that seek verification by Aadhaar. That data remains with the UIDAI and it only confirms that a person with a particular Aadhaar number is who he claims he is.

But Aadhaar’s opponents have argued that the extensive use of Aadhaar allows disparate bits of information to be linked and this could become a genuine concern if this hare-brained idea gets official approval.

Now, there is certainly no doubt that Aadhaar is, in the absence of anything better, the best technological tool for establishing identity. It is not entirely fool-proof – there are issues relating to the fingerprints of manual labourers and iris scan of aged people or those with cataract – a solution needs to be found for this. According to this report by the Centre for Internet and Society, there was fingerprint authentication failure in 290 of 790 ration card holders in Andhra Pradesh who did not lift rations, and there was an ID mismatch in 93 instances. These problems notwithstanding, there is no denying that Aadhaar has helped in significantly containing (perhaps not entirely eliminating) the problem of identity theft for diversion of government doles and other benefits.

So making Aadhaar compulsory for such cases is perfectly justifiable. Indeed, the Act giving legal status to Aadhaar is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Mandatory quoting of Aadhaar can even be justified in the cases where duplication or falsification of identity can be used by criminals or those who fall foul of the law. Passports, for example, can be brought under the ambit of Aadhaar. Or even driving licences. A person whose licence has been suspended for repeated traffic violations should not be allowed to get another one under the same name or an assumed name.

But why should it be mandatory for bank accounts, if an individual is not interested in getting government doles? The quoting of Aadhaar for property transactions also does not make sense. If the idea is to prevent fraudulent transactions, it will not be foolproof. A person intending to sell an already sold property or one he does not own can do so even with an Aadhaar number, since people are allowed to own more than one piece of property. What will prevent this from happening is compulsory registration and digitisation of records as well as mandatory property titling; there has been little progress on both.

When filing of income tax returns is not possible without a PAN, there is little rationale for making Aadhaar mandatory for filing returns and even for PAN. It is not clear how quoting of Aadhaar is going to help in ensuring that fly-by-night companies and NGOs do not get established.

The insistence of Aadhaar on purchase of vehicles, landline and mobile phone connections and demat accounts is seriously violative of individual privacy and has enormous potential for misuse. The Act does give the government unbridled power to access data in the name of national security. This itself is worrying, since it can allow security agencies to go an random fishing expeditions to access personal financial transactions. Making it mandatory for even buying cars and phone connections (even though it is not illegal to own more than one vehicle or telephone connection) makes it even riskier – private agencies get access to one’s Aadhaar number. Forget security agencies, even unscrupulous private persons can track an individual’s personal activities, especially financial transactions.

As it is, investigating agencies want to tap Aadhaar and biometric data at the drop of a hat. The UIDAI had to approach the Supreme Court in 2014 against a Goa High Court order ordering it to share biometric details of everyone enrolled in the state for solving a gang rape case. Even after the Supreme Court ruled in favour of UIDAI, a Kerala special investigation team wanted it to share biometric details to solve another rape case. If Aadhaar now becomes mandatory for a host of financial and other transactions, the points of potential privacy breaches only increase.

The move to extend the mandatory use of Aadhaar has to be stopped in its tracks. The mandatory use should be limited to delivery of government welfare benefits and doles (after ensuring that glitches are eliminated) and security-related services like passports. For everything else, it should be purely voluntary. There can be no compromise on this.

For more details visit https://cis-india.org/internet-governance/news/first-post-august-23-2016-seetha-extending-aadhaar-to-more-areas-is-a-hare-brained-idea-it-should-be-dropped

Policy Brief on the Report of the UN Group of Governmental Experts on ICT

Elonnai Hickok and Vipul Kharbanda — 2016-08-23T15:37:05Z

In light of the complex challenges and threats posed to, and by, the field of information telecommunications in cyberspace, in 1998 the draft resolution in the First Committee of the UN General Assembly was introduced and adopted without a vote (A/RES/53/70) ]. Since then, the Secretary General to the General Assembly has invited annual reports on the issue.

The most recent report, Developments in the Field of Information and Telecommunications in the Context of International Security, was published in June 2015. The 2015 Report touches upon a number of issues, including international cooperation, norms and principles for responsible state behavior, confidence building measures cross border exchange of information, and capacity building measures.

Annual reports will continue to be accepted by the General Assembly, and the 2016/2017 Group of Governmental Experts will have it's first meeting in August 2016. India was a member of the Group of Governmental Experts in 2013.

The Centre for Internet and Society (CIS) has written an article analyzing India’s alignment with the recommendations of the report of the Group of Governmental Experts. This policy brief attempts to articulate the major policy actions that may be considered by India to further incorporate and implement the principles enunciated in the Report.

CIS believes that the report of the Group of Governmental Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Governmental Experts and similar international forums are useful and important forums for India to continue to actively engage with.

Below are our specific recommendations:

(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;

India has entered into treaties on ICT issues with countries such as Belarus, Canada, China, Egypt, and France. Additionally, India’s IT Act addresses a number of the cyber crimes listed in the Budapest Convention. However, India is not yet a signatory to the Convention. This leaves scope for India to consider further forums and means of international cooperation to better realise this principle.

India has been invited to accede to the Budapest Convention in the past but for various tactical and political reasons has not yet agreed to do so. Although whether to accede to an International Convention or not is usually a well discussed and thought out policy decision of the diplomatic core of a country, the mutual assistance framework, however flawed it may be, would offer a better opportunity for India for international cooperation for increasing the stability and security of ICTs and prevent harmful ICT practices as envisaged in the Report of the Group of Governmental Experts.

(b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution [of cybercrime] in the ICT environment and the nature and extent of the consequences;

While the Department of Electronics and Information Technology (DEITY) as well as the Computer Emergency Response Team, India (CERT-In) have a number of policies which talk about maintaining security and means of addressing threats in the ICT environment, most ICT incidents, crimes or illegal activities using ICT, unless they involve large or government institutions, are handled by the regular police establishment of the country. The lack of capacity, both in terms of infrastructure and skill, of the regular police to adequately address most cyber crimes is an area that needs to be strengthened. The need for cyber security capacity building in India was highlighted in 2015 by the Standing Committee on Information Technology. It would be useful for dedicated cyber crime departments to be established in all districts. This would be a step in the right direction to provide the requisite capacity and resources to deal with the various technical issues such as attribution, jurisdiction, etc. arising out of ICT incidents.

(d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

Owing to the growing irrelevance of physical and political borders in the age of globally networked devices, one of the most important issues arising out of ICTs and cyber crimes is the need for greater and more efficient exchange of information between nations. It has been widely accepted that sharing of information on a regular and sustained basis between nation states would be a very important tool. Limitations in the traditional mechanisms (MLATs, Letters Rogatory, etc.) such as the delay in accessing the information as well as denial of access due to differences in legal standards, present hurdles to the efficacy of law enforcement agencies only emphasize the urgency of developing a new mechanism of international information sharing that would be able to deal with ICT incidents, while at the same time protecting the freedoms and privacy rights of the citizens of the world. Exploration and participation in dialogues and solutions that are evolving at the international level around cross border sharing of information is key.

(i) States should take reasonable steps to ensure the integrity of the supply chain [of ICT equipment] so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

While the National Electronics Policy of 2012 states that the government should mandate technical and safety standards in order to curb the inflow of sub-standard and unsafe electronic products, the government is yet to mandate any broad standards in the Indian market for ICT equipment. Considering the enormous security implications of compromised ICT this is an area where the government should prioritize and must act immediately. Mandating standards may require the establishment of a monitoring or enforcement mechanism to ensure that the standards are being implemented. This should be done with the aim of ensuring security while not hindering innovation or the flow of business. To achieve such a balance, research and discussion is needed within the government to formulate a mechanism which would ensure the safety and quality of ICT tools while at the same time ensuring that industry is not hindered.

Conclusion

The suggestions given above are some of the major lessons from the analysis of the UN Report on ICT which CIS believe the government of India could adopt and pursue to strengthen its enlightenment with the recommendations of the Report. It is also imperative that the Government of India continues to realise the importance of the work being done by the Group of Governmental Experts and take measures to ensure that a representative from India is included in future Groups. Meanwhile, India can take positive steps by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security.

For more details visit https://cis-india.org/internet-governance/blog/policy-brief-on-the-report-of-the-un-group-of-governmental-experts-on-ict

Accessing pirated content might lead to prison term & Rs 3-lakh fine

praskrishna — 2016-08-23T02:47:52Z

India puts onus of downloading and viewing pirated content on individuals.

The article by Alnoor Peermohammed was published in the Business Standard on August 22, 2016. Sunil Abraham was quoted.

The central government is putting the onus of downloading and viewing of copyrighted content from sites it has blocked (with the help of internet service providers) on users.

Visiting torrent (a particular type of files) websites while on Tata Communications’ network recently had users being shown a message that viewing or downloading content on those sites could land them in prison for up to three years and a fine of up to Rs 3 lakh.

“There is not enough room in our prisons to keep these infringers and enough time in our courts to try them. It might sound very exciting as a message to put out but, essentially, they’re trying to scare people into good behaviour,” said Sunil Abraham, executive director at research firm Centre for Internet and Society.

There has been no change to the Copyright Act of 1957 or the Information Technology Act of 2000 for the updated notice being shown to users upon visiting blocked sites. Under these provisions, visiting a site, which is blocked is not illegal, unless it is child pornography.

“Copyright infringement happens all the time and even in developed countries, the rates are very high. Crackdowns on individuals and consumers are never going to solve the problem,” added Abraham.

Experts say the most the government could do is prosecute a couple of people and make examples of them, to dissuade others. This practice is followed globally. There are no examples, though, in India of prosecution for copyright infringement of online content.

The recent alteration of the statement seen by users on Tata networks was done on the directives of the Bombay High Court, after the company appealed that showing individual messages for why each website was blocked was not feasible. The resulting message sparked media frenzy that visitors of blocked websites could now be imprisoned.

Other media reports revealed that the recent blocking of websites by internet service providers was prompted by court orders to prevent piracy of Dishoom, the Bollywood movie.

Globally, there’s been a move to clamp on torrent websites which host pirated content, aided by large information technology entities such as Apple or Facebook. Last month, the US authorities arrested Kickass Torrents’ founder, Arten Vaulin, and blocked all the domains of the website, only to have it resurface a day later.

For more details visit https://cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine

UIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)

sumandro — 2016-08-22T13:25:03Z

The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.

Invitation

Download (PDF)

Venue

Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.

Location on Google Map: https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/.

Agenda

10:00-10:30 Tea and Coffee

10:30-11:00 Introductions and Updates from Delhi Workshop

11:00-12:45 Reconfiguration of Welfare Governance by UIDAI

12:45-14:00 Lunch

14:00-15:00 Updates on Ongoing Cases against UIDAI

15:00-15:15 Tea and Coffee

15:15-16:45 Open Discussion on Countering Welfare Exclusion

16:45-17:00 Tea and Coffee

For more details visit https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27

Public Panel Discussion: Digitalisation for Social Change

praskrishna — 2016-08-19T13:47:28Z

Sunil Abraham is participating as a panelist in a discussion co-organized by Mount Carmel College, Bangalore and Friedrich-Ebert-Stiftung, India Office in Bangalore on August 22, 2016.

Welcome Remarks by Sunanda BV , Mount Carmel College, Bangalore and Patrick Ruether, Friedrich-Ebert-Stiftung, India Office

On the Panel:

Digital Solutions to social problems and development challenges or Social Entrepreneurship and digital transformation: Sunil Abraham, Centre for Internet and Society
Gendered perspective on digital transformation: Anita Gurumurthy , IT for Change
India 2030 – the change I want Maureen Almeida, Student, Mount Carmel College
Technology as best practice: Anurag Shanker, NASVI, New Delhi

Note: Each panelist will give an input for about 5-7 minutes and this will be followed by Q&A session moderated by Rakhee Bakshee, Women's Feature Service

For more info contact: Jyoti Rawal, jyoti@fesindia.org

For more details visit https://cis-india.org/internet-governance/news/public-panel-discussion-digitalisation-for-social-change

Responses to Trai’s consultation paper on free data contain some good suggestions

praskrishna — 2016-08-17T03:05:57Z

Trai has announced that it will come up with a final consultation paper on ‘Free Data’, and also a pre-consultation paper on Net Neutrality by the end of this month.

The blog post by Asheeta Regidi was published by FirstPost's Tech 2 on August 15, 2016.

The pre-consultation paper on Free Data (the Consultation Paper), which was issued in May 2016, asked for options where free data could be provided for accessing certain websites or apps without violating the Discriminatory Tariff Regulations issued earlier in February. The objective of the paper is to maximise internet penetration, and make internet available even to the poorest.

The models suggested in the Consultation Paper are a reward of free data for certain internet uses, zero data charges for accessing certain content, and refunding data charges in a manner similar to refund of LPG subsidies. These models are very similar to plans like Facebook’s Free Basics and Airtel Zero, which were banned by the Discriminatory Tariff Regulations.

While it is clear that Trai has no intention of withdrawing the Discriminatory Tariff Regulations, the Consultation Paper does appear to open up the doors to net neutrality violations again. Here’s a look at the comments and counter-comments that have come in response to this paper.

A motorist rides past a hoarding advertising Facebook’s Free Basics. Image: Reuters

Large TSPs and TSP associations want content-based free data schemes
The response of large TSPs like Vodafone, Idea and so on are quite predictable. They, alongwith most of the TSP associations such as ACTO, COAI and AUSPI, are in support of the idea of free access to certain sites. They, in fact, point out the similarities between the proposed models and the similar models brought out by them, such as Airtel’s One Touch Internet and Reliance’s Facebook Tap. They have also asked for a withdrawal of the Discriminatory Tariff Regulations, on the grounds that they hamper the innovation and forbearance capabilities of the TSPs.

They do, however, take issue with the fact that a TSP agnostic platform, or a platform which is completely independent of the TSPs, is to be given the power to decide how the lower prices or discounts are to be provided. They allege that there is nothing to prevent such a platform from acting as a gatekeeper in itself. They argue that TSPs are in a better position to perform this function, since they are subject to strict regulatory and licensing requirements from Trai.

Employees at an outsourcing centre in Bengaluru Image: Reuters

Smaller TSPs and other companies fear net neutrality violations
Smaller TSPs like Atria, Citicom and MTS are against content based free data proposal, mostly on the grounds that the models suggested violate net neutrality. They point out that allowing content based free data in any form will give an unfair advantage to large TSPs and content providers. Smaller companies and start-ups will be left in the lurch since they will not have the financial capabilities to effectively compete with such schemes. These entities also share the fear of the TSPs that there is nothing to stop a TSP agnostic platform from also acting as a gatekeeper.

Commuters with their smartphones in a Mumbai local. Image: Reuters

Some alternative suggestions for free data schemes which do not violate net neutrality
The approach suggested by Trai will, to a large extent, only benefit existing users of the internet, since a basic internet access of some sort is required before the users can enjoy the benefits of a rewards or a refund. Software Freedom Law Centre (SFLC), in its comments, points to research that found that only 12 percent of the users of zero rating services abroad (no data charges for certain websites), started using it because of the zero rating. Clearly, these schemes are not achieving the objective of increasing internet usage, and an alternative solution is required.

Many of the responses came up with alternative suggestions for free data schemes which can increase internet usage without violating net neutrality. Some of these suggestions are listed below:

The Digital Empowerment Foundation suggests the provision of free data quotas or packs, which would give a limited amount of data free of charge to all consumers. Any data usage above the basic pack will be charged at normal rates. It also suggests making such packs mandatory as a part of the TSP licensing terms or alternatively subsidising the cost of these packs through other benefits to the TSPs.
MTS suggests that content providers be allowed free internet access for a limited time or quantity, such as 30 minutes per day, or 100MB per day, to certain groups, like low income groups.
Mozilla and SFLC suggest the ‘equal rating’ system, where a small amount of data per day is made available free of charge to all internet users, over and above whatever other packs they may have purchased.
The Centre for Internet and Society suggests that the government allow TSPs to provide free internet to all, at a lower speed, and in return exempt the TSPs from the USO contributions in their license fees. This will ensure free data to all without differentiating based on content.
SFLC also suggests an increase in free public Wi-Fi hotspots, like the kind being made available in Indian railway stations, to increase internet accessibility without content-based discrimination.
MTNL suggests that if content-based free data is to be allowed, the government should determine what constitutes the basic services to be allowed for free, such as railway booking services, and not leave this to the understanding of the TSPs.
MTS also suggests that content providers be allowed to give data-based rewards for certain activity, such as watching associated advertisements.
Atria suggests that if free data is to be allowed, first establish a negative list of what cannot be done, such as no throttling of speeds.

Anonymous protests against Internet laws in Mumbai. Image: Reuters

First establish ground rules of net neturality
One common aspect of most of the comments to the Consultation Paper was the confusion regarding Trai’s stance on net neutrality. Many entities, including the large TSPs, pointed out the contradiction between this Consultation Paper and the Discriminatory Tariff Regulations.

This paper gives the impression that the Discriminatory Tariff Regulations were issued not to prevent content based discrimination, but to prevent telecom service providers from becoming ‘gatekeepers’. In reality, that is not the main fear of the people, but the fear that net neutrality will be affected. The culprits might be anyone, whether it is the TSP, the content provider or the TSP agnostic platform suggested by Trai. It needs to modify its approach, and first lay down the fundamental rules on net neutrality. Any other regulations must first comply with these rules.

While the motives of Trai are laudible, it is hoped that Trai will look into the several suggestions made that will achieve the dual targets of maximum internet penetration as well as securing net neutrality.

For more details visit https://cis-india.org/internet-governance/news/first-post-tech-2-august-15-2016-asheeta-regidi-responses-to-trai-consultation-paper-on-free-data-contain-some-good-suggestions

Rational Internet laws essential to fulfil India’s digital goals

praskrishna — 2016-08-15T04:13:06Z

India has emerged as a digitally-connected nation but experts suggest the country still lacks pragmatic Internet laws.

The article by Krishna Makwana was published by Deccan Chronicle on August 14, 2016. Sunil Abraham was quoted.

According to a report by Internet and Mobile Association of India, our country has approximately 400 million Internet users. Given the fact that we now prevail in the digital age, the government needs to work towards devising an unbiased internet policy for helping budding entrepreneurs and businesses.

Though the government, under its Digital India initiative, has addressed manifold problems over the past year, the ambiguous internet laws in the country have had a drastic effect on businesses and individuals.

Sunil Abraham, Executive Director of Centre for Internet Society, said, “There are three categories of laws which we must consider. One, speech regulation laws –- here we tend to be more repressive in comparison to other mature democracies. Two, intellectual property law which can enable or undermine access to knowledge -– here we are quite progressive and we must thank our policymakers for their foresight. Three, privacy and data protection laws –- these are incomplete, outdated or missing -– this not only undermines the rights of citizens but also weakens our cyber security.”

Defamation and national security can be listed among other issues that have threatened free speech; there have been instances where weak Internet laws led to the defamation of several artists and authors, curbing freedom to expression.

Not only individuals but online businesses have also had to limit their potential, in order adhere to the India’s hazy Internet laws. Among others, countless websites have been blocked by the government over the past few years.

However, with proper regulation in place along with rational vigilance, many of these problems might cease to exist.

It’s essential that these issues are thought about, in-depth. The country needs to build a structure that can deliver innovation, protection and provision of one and all.

“Without improving the three important areas that I pointed out, we cannot be successful at Digital India, Make In India and Start Up India,” Abraham concluded.

For more details visit https://cis-india.org/internet-governance/news/deccan-chronicle-krishna-makwana-august-14-2016-rational-internet-laws-essential-to-fulfil-indias-digital-goals

And now, Aadhaar-enabled smartphones for easy verification and money transfer

praskrishna — 2016-08-12T02:50:58Z

As reported earlier, the Indian government has planned to make Aadhaar-enabled smartphones , with which users would be able to self-authenticate and let businesses and banks verify the identity of their clients. This would also help in the government's aim of a cashless society.

The article was published in Business Insider on August 10, 2016. Sunil Abraham was quoted.

While applauding this plan Nandan Nikelani, former chairman of UIDAI told ET that, "Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)."

In July, senior executives of UIDAI and smartphone companies met to discuss ways to allow smartphones let citizens authenticate their fingerprints and iris on the phone, so that they could avail government services from the comfort of their homes.

The most immediate use for these smartphones would be the Unified Payment Interface (UPI), a new payment system which would allow money transfer between any two parties by simply using their mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani.

With time, Aadhaar authentication will also be made open to third party apps, said another person familiar with the ongoing discussions on the condition of anonymity.

This would let users allow apps to access their biometric and iris scans, just like they grant access to other features like camera, contacts, SMS etc. However, from their end, handset makers have raised security concerns about using iris scan for Aadhar authentication.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider.

For this, the he proposal includes a "hardware secure zone" which would encrypt biometric data before sending it out. However, even this isn't a foolproof idea.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

To this, Nilekani said, "the reluctance to make changes at the vendor level is mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons." He added that both ends, the handset and the Aadhaar database, will be using the highest level of encryption.

For more details visit https://cis-india.org/internet-governance/news/business-insider-august-10-2016-and-now-aadhaar-enabled-smartphones-for-easy-verification-and-money-transfer

Implementing Indian languages in feature phones will be difficult

praskrishna — 2016-08-10T15:51:44Z

A recent government standard requiring support for inputting text in any one Indian language in mobile phones - along with Hindi and English - has manufacturers worried. The companies argue that the well-intentioned move may be difficult to implement, especially in the case of feature phones, because inventory and logistics will have to be planned for each state.

The article by Gulveen Aulakh and Neha Alawadhi was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

The Bureau of Indian Standards (BIS) said in June that all mobile phones must support the ability to type messages in English, Hindi and at least one additional Indian official language. It also requires message readability for all 22 Indian official languages. The objective is to enable widespread communication in local languages, especially for people who may not use English or Hindi with as much ease.

Handset makers said while such changes, which are yet to be notified, can be done easily through software in smartphones, it would be a big challenge for feature phones because of screen and keypad limitations, apart from managing supplies.

"It will be nightmarish to do planning for the number of models (with different languages) to be sold in each state, and plan inventory and logistics around that, so it's very challenging," said Gaurav Nigam, product head of Lava International, which has a phone with message-reading ability in all 22 Indian official languages.

Nigam said the BIS standard does not mandate the printing of vernacular languages on keypads, which would have created a massive hurdle for mobile phone manufacturers. "I might end up over-stocking in some states and lesser inventory in some states, which might lead to loss of sales since I won't be able to divert a Kerala-printed stock to Punjab or any other state," Nigam said. However, the government is hopeful of compliance.

An official said logistical and supply-chain issues can be addressed by companies. "We are talking to them and we are open to giving them a leeway of nine to 12 months to implement the order," said the official, requesting anonymity.

The official said although the government had started consultations on the premise that the third language should be imprinted on the keypad, it was felt in due course that other technologies could also be used. "Some lanFeature phones account for 65 per cent of the total mobile phone user base of about 700 million in India and are popular in rural areas and smaller towns. Sales of feature phones in the country declined to 150 million last year from 179-180 million, according to International Data Corporation, a US market research company.

The Indian Cellular Association, which represents mobile phone makers in India including Apple, Samsung Electronics, Micromax Informatics and Intex, said that it was talking to the BIS and the Department of Electronics and Information Technology on excluding the imprinting of vernacular language characters on keypads from the standard and allowing handset makers to develop solutions for local language input capability in phones.

"A formal communication or notification is expected soon from DeitY on implementing the rules," said Pravin Gondane, associate director at ICA. The department is expected to hold consultations with the industry by the month-end before it comes out with a notification that mandates the standard.

Sunil Abraham, executive director of the Centre for Internet and Society, suggested a middle ground where the government could map all reasonably popular input standards and document them so that customers can pick a phone they are comfortable with.

While awaiting the notification, the association has internally sent notices to all companies stating that printing on keypads may not be necessary, even for feature phones, Gondane said. Alternative solutions could include a keypad cover that lists vernacular language characters for text input and inputting of text through a virtual keypad.

While a task force set up by DeitY admits it's a challenge to implement this rule for feature phones because the number of keys is limited, it suggested that a common minimum framework to assign characters on 12 keys should follow international standards and incorporate Indian languages requirement on the same. The taskforce has issued best practices for designing Indian language text-entry mechanisms for phones with 12 keys, rather than lay out a standard for keypads.

Smartphones have touchscreens, making language reading and inputting changes a software requirement that's easy to implement. Samsung smartphones and feature phones are enabled with typing, reading and changing user interface in 14 local languages, said Manu Sharma, the company's VP of mobile business.guages can be easily printed on the keyboard, while others can be enabled through typing on the screen," the official said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-gulveen-aulakh-neha-alawadhi-implementing-indian-languages-in-feature-phones-will-be-difficult

Indian companies need to boost encrpytion adoption rate: experts

praskrishna — 2016-08-10T14:36:05Z

Most banks do not follow Reserve bank of India’s standard 64/128-bit encryption policy due to laxity and unavailability of funds.

The article by Koustav Das was published in the Deccan Chronicle on August 9, 2016. Sunil Abraham was quoted.

A recent report by security software firm Sophos highlighted the increasing number of online attacks on Indian businesses, suggesting strong encryption policies can change the existing scenario.

As per a SophosLab research, India’s threat exposure rate has been pegged at 16.7 per cent, ranking fifth in terms of highest percentage of endpoints exposed to malware attack.

The research said cyber-criminals have developed a keen sense of luring organisations on the basis of location, language and disguise, leading to an acute increase in the number of targeted attacks.

Global Experts have explained that digital attackers have taken the aid of advanced malware including deadly ransomwares, which involve locking or capturing an organisation’s valued data and demanding money to unlock it.

In future, ransomware have been predicted to become deadlier, allowing hackers to take control of an organisation’s entire network security.

Not only financial and IT companies but Government websites also face similar obstructions due to lack of updated security tools.

Mohit Puri, Head of Pre-sales, Sophos India and SAARC, said, "India faces increased risk from cyber-criminals due to its high economic growth, which has left several companies to re-think their security strategy."

Reactive to attacks, not proactive

Though Puri mentioned that Indian enterprises have been trying to prevent such attacks, large fissures in network security have made the task easier for online criminals.

One of the major reasons for companies failing to prevent advanced cyber-attacks can be attributed to the lack of pragmatic solutions, albeit their awareness about the situation.

Puri said, “While companies are aware about security threats to our systems, we are still not there in terms of how we are trying to mitigate these threats.”

According to Sunil Abraham, Director of The Centre For Internet and Society (CIS), there are manifold issues that have led to the scenario of India’s poor online security.

He said that Indian businesses and financial organisations recognize the situation but do not want to allocate budget for updating their security infrastructure.

“The problem with cyber-security is just like smoking; people are aware of it but they do not care about the warnings. Companies know about the looming threats but need an episode to make a move towards updating their network infrastructure,” Abraham added.

Enterprises also struggle due to the absence of sufficient cyber-security professionals in the country. Abraham said, “There are uncountable software professionals in India but the story is totally opposite when it boils down to cyber-security professionals.”

Weak encryption adoption

According to technology enthusiast Blaise Crowly, Co-Founder & Head Of Security Design Gladius & Schild, "Cryptography—a broader form of encryption—can be defined as a branch of mathematical algorithms that can be used to securely protect data."

Crowly added, “It is the one of the strongest form of all defence mechanisms against cyber attacks.”

However, a Sophos assessment—State of Encryption Today—where 1,700 Indian IT managers were surveyed, showed the ignorance of companies towards integrating strong encryption tools.

Out of the total number of participants, 61 per cent felt encryption holds significant importance in protecting a company’s proprietary data.

Others had peculiar reasons—18 per cent felt that encryption would help avoid incurring additional costs after a breach and 23 per cent just wanted to avoid negative publicity of the company.

Even in case of banks, reports suggested that most banks do not follow Reserve bank of India’s (RBI) standard 64/128 bit encryption policy due to laxity and unavailability of funds.

“Indian organisations need to take a second look at their security posture and deploy up-to-date synchronized security solutions that are able to combat today’s threats as well as tomorrows,” said Puri.

Government’s role

A 2015 CIS study, titled “How India Regulates Encryption” mentioned that under section 84A of the IT Act, the government has the sole authority to prescribe modes and methods of encryption.

Though the government has not yet issued any rules in exercise of these powers, it had released earlier released a draft encryption policy on September 21, 2015. However, it failed to pass it due to wide-spread criticism regarding certain mandates in the draft.

In addition, the Internet Service Providers (ISP) License Agreement, between the Department of Telecommunication (DoT) and Internet Service Providers (ISP), limit the use of encryption up to 40-bit key length in symmetric algorithms—an extremely weak standard.

Although it cannot be enforced if organisations employ third-party encryption systems, it becomes extremely expensive for them. In such a scenario, companies hesitate in using better encryption standards.

CIS Director Sunil Abraham said, “To solve the issue, the government should work towards incentivising and enforcing strong security infrastructure which will help companies get these features at a lower price.”

Adding to the aforementioned statement, Crowly highlighted that current security standards set by the government cannot adeptly counter advanced threats.

“OpenSSL, LibNaCl and similar protocols provide free implementation of encryption schemes that companies can use. The only issue is that companies and government agencies should show proper diligence in hiring experts in this field,” Crowly concluded.

For more details visit https://cis-india.org/internet-governance/news/deccan-chronicle-koustav-das-august-9-2016-indian-companies-need-to-boost-encryption-adoption-rate

Aadhaar-enabled smartphones will ease money transfer

praskrishna — 2016-08-10T13:33:54Z

With its plans to make smartphones Aadhaar-enabled, the government hopes to provide users a means to do self-authentication and let businesses and banks verify the identity of their clients through their smartphones, a move that could potentially lead the way to a cashless society.

The article by Neha Alawadhi and Gulveen Aulakh was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

"Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)," Nandan Nikelani, former chairman of the Unique Identification Authority of India, told ET, welcoming the government's plan to make smartphones Aadhaar-enabled.

ET was the first to report that on July 27 a meeting between UIDAI, which administers Aadhaar, and senior executives of smartphone-makers discussed ways to allow smartphone handsets let citizens authenticate their fingerprints and iris on the phone to get services. The most immediate use for the Aadhaar-enabled smartphones is the Unified Payment Interface (UPI), the new payment system that allows money transfer between any two parties using mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani. Over time, the idea is to open Aadhaar authentication to third party apps, said another person familiar with the ongoing discussions, who did not wish to be named.

In effect, biometric and iris scan authentication could become one of the permissions a user grants to different third party apps, such as access to camera, contacts, phone book and so on. Handset makers have raised concerns about some security issues on using iris scan for Aadhar authentication. Also, companies such as Apple that have very closed ecosystems, would not be easy to get on board, several people told ET.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider, who is aware of the discussions, requesting anonymity. The proposal for smartphone makers includes a "hardware secure zone" where biometric data will be encrypted and sent out. It will not leave the electronic secure zone without encryption, and every phone doing Aadhaar authentication will be registered in the UID system.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

"The reluctance to make changes at the vendor level are mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons," Nilekani said, adding that both ends - the handset and the Aadhaar database -- will use the highest level of encryption.

Samsung India, which in May launched the Galaxy Tab Iris, a device that uses Aadhaar authentication, said it has taken care that its user's biometric data does not fall into the wrong hands. "We ensure that biometric data is encrypted as per UIDAI specifications in device itself for Galaxy Tab Iris," Sukesh Jain, vice president, Samsung India Electronics, told ET in an email response.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-neha-alawadhi-gulveen-aulakh-aadhaar-enabled-smartphones-will-ease-money-transfer

Apps can give personal information to strangers

praskrishna — 2016-08-08T01:22:20Z

We love our apps. A study done last year, found that app usage in India has grown 131 per cent. But apps are notorious for accessing personal data and we’re obligingly careless with our privacy. Inadvertently, users give away third-parties access to their phone calls and right to operate cameras on their mobiles.

The article by Mebin John was published in the New Indian Express on August 8, 2016. Sunil Abraham was quoted.

Therefore, they can listen in to conversations and click photos as and when it pleases them.

“The detailed privacy policy of most of these apps run into pages and people rarely read through them,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. “The policy is also loaded with tech jargon, which is lost on the general public.”

A study, done in June this year by Norton, reveals that one in two Indians have permitted access to their contacts and mobile data in exchange for free applications. Forty per cent have allowed access to their camera and browsing history, and 50 per cent given permission to send promotional text/emails.

A mobile application developer in Bengaluru, who wishes to remain anonymous, says, “App developers collect personal information of individuals and make a massive database. They then sell this data base to marketing agencies.” A database of 5 crore people pays `5,000 and this is sold over and over again.

Many application developers claim that they make large databases with the help of applications. “I have a database with email IDs of 2.5 lakh people,” says another app developer of the data he mined from one app.

Chief Technology Officer at T.I.G.E.R Innovations and Publicize Bengaluru, Geo Joy, says: “It is true that we can track an individual’s personal conversations and activities using mobile applications. I’ve heard that many applications scoop details from phone conversations for marketing purposes.”

“If you are not paying for anything, then you are the product,” Abraham puts it succinctly.

According to him, with access to your conversations or GPS, a third party could monitor your activities. It can get more specifid: with data from GPS, accelerometer and gyroscope, a developer can read your driving pattern.

Laws here are easy on developers too. Elonnai Hickok, a researcher from CIS, says, “Apart from Section 43A of the Information Technology Act, we don't have any strict laws or enforcement agencies to monitor these applications that breach the privacy of an individual.”

In India, since we don’t have a statutory body to monitor applications and their privacy violations, experts suggest individuals exercise caution.

CTO Joy suggests upgrading your operating systems. “Latest versions of all operating systems will warn you when an external medium tries to track your information,” he says. “So people who use the older versions should switch to the latest one or upgrade the software.

CE picks five permissions and how they could be misused.

For more details visit https://cis-india.org/internet-governance/news/apps-can-give-personal-information-to-strangers