We are anonymous, we are legion

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

It’s mainstream vs social

praskrishna — 2012-04-30T04:23:27Z

Mainstream and social media share an increasingly uneasy relationship. Mahima Kaul, a Guest Columnist with the Sunday Guardian wrote this article. Sunil Abraham is quoted in this.

The Abhishek Manu Singhvi CD scandal brought into focus the increasingly confrontational relationship between social media and mainstream media. When a court order kept the mainstream from broadcasting the CD, social media took centrestage in spreading it online and keeping a buzz about the scandal for days. Many termed it as a "victory" for social media. Others slammed social media users as "eternal voyeurs" and wondered why they seemed to be above the court order. In return, blogs went as far as to title a post, "Why the Indian MSM (mainstream media) Wants Social Media Dead".

A quick recap: after the CD leak, Singhvi moved court to stop certain media organisations from telecasting it. The Delhi High Court gave an ex parte order that "the defendants (media house), their agents ... are restrained from publishing, broadcasting and disseminating or distributing in any form or any manner..." However, people caught hold of the video and kept linking it on Twitter, Facebook, YouTube etc. It went viral. Singhvi resigned from all political posts and settled the matter out of court. In his statement of resignation, Singhvi's bitterness at the role of social media was apparent: "in either event it raises no public interest issue... contumacious internet violation of a flagrant kind." I will save you a Google search: contumacious means to be wilfully disobedient to authority.

There are questions to be asked. Who was the 13 April court order aimed at? Is Singhvi's proposition that an internet violation took place true?

The order was explicitly binding on only specific organisations (Aaj Tak, India Today Group and Headlines Today). The rest of the mainstream media showed remarkable restraint. In the case of the video being linked on social media, it was users' prerogative, as they were not covered under that order even though Singhvi's statement suggests otherwise. However, there is another angle to consider. Social media users would have broken the law only if the video content itself was objectionable. "If the video is judged to be 'obscene', then under s.67 of the Information Technology Act, 'causing [obscenity] to be transmitted', is also a crime," says Sunil Abraham of the Center for Internet and Society. So, the question is, was this video obscene? While my journalistic integrity did not extend to watching the video, I've been told it has neither nudity nor explicit sexual activity, and cannot be considered obscene. Therefore, it appears that social media has functioned well within its rights.

What remains, then, is the view that social media "should" be restrained. How? A court order could stop users from linking the video online, but it would only be applicable in India. Also, there are already provisions in the IT Amendment Act 2008, which allows for "offensive" material to be removed by the intermediary, or site blockage by the government. Twitter has already announced national policies of censorship, although this incident would probably not qualify for such a drastic action. Sunil Abraham adds that the court could also give a "John Doe order" against prospective offenders that enables the IP owner to serve notice and take action at the same time against anyone who is found to be guilty. However, this step is to be taken with caution. In criticising the existing order on the Singhvi case, Arun Jaitley wrote in an editorial that "a pre-publication injunction (should) ... be exercised with great caution specially in a case of libel and slander," because in this case it was yet to be proven that the CD was indeed fabricated.

It seems there is offline outrage about online outrage. However, for mainstream media to call for restraint on social media based on their own actions seems to be hypocritical in this particular instance, because they did so only because of a court order. One need to look at stories ranging from the Mumbai attacks to the Arushi Talwar murder case to understand the invasive nature of mainstream media in India. What is more worrying is that the mainstream media is equating itself with social media in some ways, wondering why it needs to have editorial checks if citizens can gossip away on Twitter. In return, social media is counting its victories against the mainstream in a manner that suggests that the two consider each other competitors. Although most conversation on social media would not exist without mainstream news sources, ultimately their function in society is not the same. The media is considered the fourth pillar of democracy, while social media is considered an "unofficial" channel. If either is found indulging in illegal or harmful activities, they can and must be checked. But, in the end, it serves freedom of speech to keep the two functioning in context, not in confrontation.

Read the original published in the Sunday Guardian on April 30, 2012.

For more details visit https://cis-india.org/news/mainstream-vs-social

It's That Eavesdrop Endemic

praskrishna — 2016-07-30T15:45:31Z

Whatsapp Says It’s Snoop-Proof Now, But There’s Always A Way In

The article by Arindam Mukherjee was published in Outlook on July 25, 2016. Pranesh Prakash was quoted.

Lock and Key

WhatsApp says it has end-to-end encryption, so no one, not even WhatsApp, can snoop into calls.

Experts say any encryption can be broken by security agencies. Android phones can also get infected by malware.

For years, a Delhi power-broker used to call from nondescript landline numbers, changing them ever so often. Of late, he has started using WhatsApp calls for ‘sensitive’ conversations. He’s not alone. WhatsApp has revealed that over 100 million voice calls are being made on the social network every day. That’s over 1,100 calls a second! India is one of the biggest user bases of WhatsApp. And many Indian users are making the app their main engine for voice calls.

One reason for this shift is that WhatsApp calls are seen to be essentially free (though they indeed have data charges). But for a lot of people, the chief allure lies in the touted fact that WhatsApp calling is far more secure than mobile calling. In April, the app introduced end-to-end encryption for its messages and voice calls.

Consequent to this, Sudhir Yadav, a Gurgaon-based software engineer filed a PIL in the Supreme Court seeking a ban on WhatsApp on the grounds that its calls are so safe that it could be misused by ‘terrorists’. Last month, a court in Brazil issued orders to block WhatsApp for 72 hours after it failed to provide the authorities access to encrypted data.

Are WhatsApp calls really impenetrable? WhatsApp believes so and says that the encryption key is held by the two persons at the two ends of the message or call and no one, not even the company, can snoop in. “The calls are end-to-end encrypted so WhatsApp and third parties can’t listen to them,” a WhatsApp spokesperson told Outlook. This is precisely Yadav’s concern. “Because the encryption is end to end, the government can’t break it and WhatsApp cannot provide the decryption key,” he says.

However, experts do not buy this argument. They believe everything on the Internet is vulnerable. “Anything that uses a phone number is vulnerable,” says Kiran Jonnalagadda, founder of technology platform HasGeek. “Anyone can impersonate the phone number by getting a duplicate SIM and get access to a phone. There are also bugs in the system which security agencies use.”

WhatsApp uses a person’s phone number to open an account and authenticate a user. So, if the government or a security agency wants to get access to a WhatsApp call, it would be very easy. “Telecom companies cannot access these calls as they are encrypted before they reach the network. But the government can. It just has to replicate a SIM to access any number and its messages or voice calls,” says Aravind R.S., a volunteer for Save the Internet campaign and founder of community chat app Belong,

There are other modes of attack as well. It is a given that Android phones, which form the majority of mobile phones used in India today, are most vulnerable to malware attacks. So, even if the app itself is secure, the device is not and if the device is attacked, just about everything in it can be tapped into. For instance, there’s the ‘man in the middle’ mode of attack, where a third person gets into a call and mirrors the messages to both the sides and relays the messages or calls to a different server. There is also the SS7 signalling protocol that can help hackers get into networks and calls. These attacks can make even a WhatsApp encryption vulnerable.

Security agencies and hackers routinely implant viruses into the phones of people they are monitoring. Once a phone is “infected”, everything is accessible. And Android phones are extremely prone to attacks from malware. “It's not perfectly secure, especially if there is any virus in an Android phone, which is what security agencies work with. They have many more ways to get into a phone. There is no defence against that,” says Aravind,

Experts believe it is possible that US intelligence agencies like the FBI and the NSA may have access to or are capable of breaking into even the WhatsApp encryption. This is proven by the recent incident where the FBI, after being refused by Apple to open up an iPhone used by a terrorist, broke into the phone by itself.

“If you are on the NSA list, there is nothing you can do to protect yourself,” says Pranesh Prakash, policy director with the Centre for Internet and Society. “They will find a way to get into your phone. In WhatsApp, many things like photographs and videos are not encrypted; these can get access to a person’s account.”

In India, the debate on access to encrypted phones has been on since the government engaged with Blackberry a few years ago. “There is no law governing an Over The Top (OTT) service like WhatsApp. If the government orders decryption of a call and WhatsApp cannot comply, it will become illegal,” says cyber lawyer Asheeta Regidi. The government’s seeming comfort level with all this legal ambiguity is yet another indicator that all is not what is seems with WhatsApp. As for callers, they would do well to speak discreetly on any network.

For more details visit https://cis-india.org/internet-governance/news/outlook-july-25-2016-arindam-mukherjee-its-that-eavesdrop-endemic

It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How

Admin — 2018-04-07T15:33:46Z

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration. Often, it is seen that those who open an account are not aware of the privacy concerns.

The blog post by Subhajit Sengupta was published in CNN-News 18 on April 7, 2018. Sunil Abraham was quoted.

Over 5.6 lakh Indian Facebook profiles have allegedly been compromised and their data leaked to the controversial data analytics firm Cambridge Analytica. As per the company, only 335 people in India installed the App yet they managed to penetrate over half a million profiles.

So, how does this work?

Once a user downloaded the quiz app called “thisisyourdigitallife”, Global Science Research Limited got access to the entire treasure trove of data. There are two mechanisms which are used for this.

First, the Application Program Interface (API) of Facebook called ‘Social Graph’ allows any app to harvest the entire contact list and everything else that could be seen on a users’ friend’s profile. This would take place even for private profiles, says Sunil Abraham, Executive Director of Bangalore based research organization ‘Centre for Internet and Society’.

The second way is when users have a public profile. The algorithm seeks out public profiles from the friend list and would go on multiplying from one public profile to another without any of the users even coming to know what is happening. This is like the ‘True Caller’ application, for it to get your number, you don’t need to download the software. If anyone has the app and your number, then it gets automatically logged there.

Facebook says "Cambridge Analytica’s acquisition of Facebook data through the app developed by Dr Aleksandr Kogan and his company Global Science Research Limited (GSR) happened without our authorisation and was an explicit violation of our Platform policies."

GSR continued to access this data from all the Facebook profiles throughout the entire lifespan of the app on the Facebook platform, which was roughly two years between 2013 and 2015. This means, even if a user is careful enough to not download the application but his/her profile’s privacy settings are weak, the algorithm would infiltrate the data bank.

Amit Dubey, a Cyber Security Expert goes into the details of what the app did, “The app called 'thisisyourdigitallife', which was created for research work by Aleksandr Kogan, was eventually used for psychometric profiling of users and then manipulating their political biases. The app was offered to users on the pretext to take a personality test and it agreed to have their data collected for academic use only. But the app has exploited a security vulnerability of Facebook application.”

Facebook “platform policy” allowed only collection of friends’ data to improve user experience in the app and barred it from being sold or used for advertising.

But this kind of data scrapping is not just limited to Cambridge Analytica. The Social Media Algorithm is often abused in the world of data scavenging and analytics. Even law enforcement agencies have often used similar means to locate possible miscreants.

According to Shesh Sarangdhar, Chief Executive Officer in Seclabs & Systems Pvt Ltd, similar data scrapping helped them unearth the terror module behind one of the attacks at an airbase last year. Shesh said that through Social Media Algorithm they would often narrow down on unknown terror modules. What his team did was to connect to the profile the whereabouts of multiple known nods converging. That is how the mastermind was located.

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration.

Often, it is seen that those who open an account are not aware of the privacy concerns. But as Sunil Abraham puts it, Caveat emptor or ‘Let the Buyers Beware’ does not even apply here. It is not possible for anyone to go through the entire privacy policy.

“So it is not even right to ask if the consumer can protect his/her own interest. Thus, the state should proactively regulate the industry,” said Abraham.

Facebook has brought in a number of changes to its privacy settings. It now allows you to remove third-party apps in bulk. This welcome change has come after sustained pressure on the tech giant from users and a number of regulatory bodies across the world.

For more details visit https://cis-india.org/internet-governance/news/news-18-subhajit-sengupta-how-just-355-indians-put-data-of-5-6-lakh-facebook-users-at-risk

IT Leaders, Lawyers Welcome SC Ruling on 66A of the IT Act

praskrishna — 2015-03-26T15:58:19Z

The Supreme Court of India has delivered a landmark judgment in scrapping section 66A of the Information Technology Act, which prescribed 'punishment for sending offensive messages through communication service, etc.' and had been branded as grossly 'unconstitutional' by various lawyers and legal advisors.

The blog past was published by Cio.in on March 25, 2015. Pranesh Prakash is quoted.

Here's what 66A of the IT (Amendment) Act, 2008 stated: Any person who sends, by means of a computer resource or a communication device,(a) any information that is grossly offensive or has menacing character;(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device, or (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

As per the study conducted by the Centre for Internet and Society, Bangalore, intermediaries over-comply and tend to take down even legitimate information when they receive a takedown notice. There were also several arrests made as a result. The most recent among which was when a class XI student from Bareilly was arrested for sharing an “objectionable” post on Facebook against senior Samajwadi party leader and state Urban Development Minister, Azam Khan.

The ruling by the Supreme Court has not only been welcomed by Shreya Singhal, the young law student who was among the first to challenge it in the Supreme Court, but also lawyers, legal advisors as well as IT leaders.

Pranesh Prakash, a Policy Director with the Centre for Internet and Society, Bangalore, and a graduate of the National Law School tweeted: While the case is about 'Internet' censorship, the SC judgment is against ALL censorship. That's important. #66A

According to Pavan Duggal, advocate, Supreme Court of India, Section 66A symbolized the tyranny of ambiguous vague terms over the purity of legitimate free speech.

"It represented a tool for suppressing bonafide free speech, which was extensively misused. Sec 66A was a foe more than your friend. In scrapping Sec 66A, Supreme Court has done a great service to the cause of free speech of vibrant digital Indians. Digital free speech in India owes a great deal to the SC ruling," said Duggal.

Various Indian IT leaders also expressed their satisfaction towards the apex court's ruling, and called it a balanced judgment.

Anjani Kumar, CIO, Safexpress says, the ruling is by and large, a favorable one. “Previously, people who were writing against the establishment were being harassed. However, with this ruling, the apex court has protected the constitutional right of freedom of speech,” he said.

There will be freedom of speech and everyone will be able to express their views openly on social media platforms. It will help maintain an equilibrium over a period of time,” said T.G Dhandapani, group CIO, TVS Motors.

While the general sentiment was fairly positive. Manas Mati, executive director and technology head, Walt Disney said, “I think the Section should not have been scrapped. Every person needs to be responsible and accountable for what they post on social media.”

Accountable or not, the judgment clearly indicates that's there won't be any arrests on the subjective interpretation of vague expressions such as “grossly offensive” and “menacing character” etc. under section 66A of the Information Technology Act, 2000.

“However, the ruling is a very balanced one, with the court stating that the government has the right to remove objectionable content, but not arrest the person. The negative can be that some people go overboard on social media and they need to be checked," Kumar said.

For more details visit https://cis-india.org/internet-governance/news/cio-in-march-25-2015-it-leaders%2C-lawyers-welcome-sc-ruling-on-66a-of-the-it-act

It Hurts Them Too

Mir Farhat — 2017-12-19T15:12:31Z

Strap: Internet shutdown robs security forces' social media lifeline in J&K.

Srinagar, J&K: For Mahender*, a member of the Central Reserve Police Force (CRPF) posted in Srinagar for the last two years, the internet has been a way to feel virtually close to his children and wife in Bihar, nearly 1,900 kms away. After duty every day, he finds a quiet corner to start video-calling his wife. At the other end, she ensures their two children are beside her. “We discuss how our day went. Most of our conversations revolve around the kids, their schooling and food, and about my parents who live near our house,” says Mahender, who identified himself only with his first name.

However, Mahender and thousands of security personnel like him posted in the Kashmir Valley haven't found this easy connectivity always reliable, courtesy the government's frequent internet shutdowns, phone data connectivity cuts, and social media bans.

Jammu & Kashmir has faced 55 internet shutdowns between 2012 and 2017, as recorded by the Software Freedom Law Centre. The administration justifies this crackdown by citing "law-and-order situations" that occur during encounters of security forces with militants and, later, when protests and marches are carried out by civilians during militants' funerals.

Hizbul Mujahideen commander Burhan Wani was killed by security forces and police on 8 July 2016, triggering a six-month-long “uprising” among civilians in Kashmir. Immediately after the shootout, security agencies shut the internet down. With 55 internet shutdowns in 2017 itself, it is something of a standard practice in Kashmir today to block social media or internet in a district or entire Valley each time there is an encounter. It is also a recurring practice of precaution against protests on Independence and Republic Day every year.

Security forces and police are not untouched by these shutdowns though. There are 47 CRPF battalions posted in the Kashmir region. “Our jawans experience difficulties during internet bans as they are not able to communicate with their families and friends as frequently as they do when internet is working,” says Srinagar-based CRPF Public Relations Officer Rajesh Yadav.

The J&K police, who are at the forefront of quelling protests and maintaining law & order in the Valley with a strength of nearly 100,000, also suffer. There have been growing instances of clashes between the Kashmiri police and protesters who believe their home force is being brutal during crowd control. The policemen have had to hide or operate in plain clothes. A senior police officer in Srinagar, who does not want to be named, says, “Our families are worried about our well-being when we are dealing with frequent agitations. In such a situation, when there is a ban, we find it difficult to stay in touch with our families.”

More dangerously, internet bans also hit the official communication of cops in action. Their offices are equipped with BSNL landline connections, which are rarely shut down, and they usually communicate through wireless; but for mobile internet most of them depend on private internet service providers, owing to their better connectivity, as the rest of the state. A senior police officer who deals with counter-insurgency in Kashmir speaks of the impact of cutting off phone data connectivity. "We have our own WhatsApp groups for quick official communication. We use broadband in offices only and can’t take it to sites of counter-insurgency operations.”

Yadav of the CRPF says, “While we have several effective means of communication for official purposes, social media is one that has accentuated our communication network. During internet bans, our work is not entirely hampered, but there is a little bit of pinch, since that speed and ease of working is not there.” Nevertheless, he defends the ban, insisting that Facebook and WhatsApp are handy tools for people to "flare up" the situation and "mobilise youths" during protests. "So, it becomes a compulsion for the administration to impose the ban."

Counter-insurgency forces have in the last few years created social media monitoring and surveillance cells. They say it is to equally match the extremists, including those in Pakistan, who use social media services like Telegram, Facebook and WhatsApp now, instead of their phones which can be tapped. It is also to keep an eye on suspected rumour-mongers and propagandists. For instance, 22-year-old Burhan Wani had gained the attention of security forces precisely because of the way he used his huge following, amassed through Facebook posts and gun-toting pictures, to inspire young Kashmiris to militancy.

“There is always monitoring and surveillance. If militants are using it, then they are within the loop,” says Yadav.

There is widespread public outrage against the state government and agencies who impose frequent net bans in Kashmir, but the CRPF official says it hampers their attempts to build an image and do public relations in Kashmir too. “We promote and highlight programmes like Civic Action and Sadhbhavana online, and that's not possible when there's no social media.”

"The public's criticism of the ban is justified,” the counter-insurgency official says. But they are compelled to use it in situations like during the recent scare around braid chopping, which was caused due to “rumour-mongering by persons with vested interests”. Kashmiri civil society had suggested that the police keep the internet up to issue online clarifications trashing the rumours, but it was not to be.

"The internet has made it possible to identify culprits while sitting in an office. But we have to shut it down in case of communal tensions which have the tendency to engulf the whole state,” says the senior cop. “When we have no option left, we go back to traditional human intelligence.”

Name changed to protect identity.

Mir Farhat is a journalist from Jammu & Kashmir, with an experience of reporting politics, conflict, environment, development and governance issues. His primary interests lie in reporting environment and development. He is a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/it-hurts-them-too

It feeds on you!

Admin — 2018-04-10T16:16:24Z

A robust data protection law can prevent Facebook from manipulating users

The article by Anita Babu was published as a cover story in The Week on April 8, 2018. Pranesh Prakash was quoted.

Soon after the Facebook-Cambridge Analytica scandal broke, a meme featuring Donald Duck began circulating on social media. It showed the cartoon character waking up to the news of the data leak, and then going back to sleep realising that the data was as “worthless” as he was.

The meme struck a chord with the younger generation, which has learnt to laugh at its own triviality. But, what it misses is the fact that technology companies can profit from even the most insignificant set of personal data.

Facebook, as its users know, is a marketing behemoth in the guise of a social media platform. By using it, people willingly give away information about themselves—their identity, relationship status, places visited and people met, political views, and so on. Facebook collates all this information, which may seem insignificant to an individual user, and then converts it into multiple databases.

These databases are lucrative, as it helps Facebook target ads at specific individuals or groups. The company earned as much as $40 billion in revenues last year by harvesting ‘worthless’ data. “Data collection at such a granular level is the problem,” said Nikhil Pahwa, Delhi-based digital rights activist and cofounder of Internet Freedom Foundation. “Data once collected is going to get stolen, lost, compromised or sold. Also, the linking of multiple data sets should not be allowed, because, at the end of the day, it has the potential to undermine democracies.”

The Cambridge Analytica (CA) files have revealed the extent to which tech companies like Facebook and Google profile users. “The fact that micro-targeting of ads were done through Facebook was a known fact,” said Bedasree, copy editor at the education services firm Careers360. “What is dangerous is that data theft can create identical virtual identities, like bots, which is happening. Since everything is digitised we would not be able to differentiate the real from the fake. And, there would be no accountability, because you have given your data to almost everyone.”

Micro-targeted ads have exposed Facebook to allegations of discrimination. For instance, a lawsuit filed in the US last year said companies like Amazon and T-Mobile ran recruitment ads in Facebook, allowing only younger workers to see them. “There is a difference between influencing and manipulating people,” said Pranesh Prakash, policy director at the think tank Centre for Internet and Society. “While ‘influencing’ a person politically is something to be celebrated in a democracy, manipulating someone is dangerous…. The problem is not necessarily the content, but the way it is presented: whether it is done transparently and ethically.”

So, what does the CA scandal mean to users? “They must understand what they are trading for convenience,” said Mishi Choudhary, technology lawyer and legal director at Software Freedom Law Centre, New York. “The technology package, consisting of smartphones and social media companies, peddles a form of convenience that we are all buying into. This convenience ensures that a form of inhuman social control is established, not only in our buying habits, but in our democracy as well.”

Facebook’s algorithm to determine a user’s newsfeed—the list of updates that a user sees on her Facebook homepage—is a key tool in establishing this control. According to Facebook, the objective of the newsfeed is “to show you the stories that matter the most to you”. It means Facebook determines what a user should see or not see. Studies have shown that Facebook can tweak the algorithm in such a way that only certain types of stories appear in your newsfeed, thereby influencing your mood and behaviour. “The kind of powers that a company like Facebook has, is dangerous,” said Prakash. “Certainly, it is not just Facebook which is problematic in this regard, but all companies with similar business models.”

In 2016, India campaigned hard and upheld net neutrality in its attempt to stop Facebook's 'Free Basics', a coterie of free web services provided by the social media giant but with controls. Two years later, the data theft scandal, with Facebook at the heart of it, has put the spotlight on India's need for a robust data protection law.

Last year, the government had appointed a committee of experts under the chairmanship of Justice B.N. Srikrishna to look into the matter. The committee submitted a white paper early this year, which drew criticism from experts for its shortcomings.

Perhaps, the government should take cues from the current discourse on digital rights. The need of the hour, say experts, is a comprehensive, user-centric data protection law rooted in user consent. The government should hold companies liable for any failure in taking the consent of users and protecting their data.

The laws should focus on the business model of social media companies, which effectively sell people to advertisers. “The value in digital advertising lies in collecting information about peoples’ behaviour, on a scale previously unimagined in the history of humankind,” said Choudhary. “Gram for gram, the smartphone is the densest collection of sensors ever assembled. It’s a spy satellite in your pocket, aimed at you.”

Perhaps, the answer lies in building a technology ecosystem that encourages smaller players to take on giants like Facebook. A key to that would be implementing ‘interoperability’ between social networks. Said Hrishikesh Bhaskaran, member of Mozilla India’s Policy and Advocacy Task Force, which works to ensure privacy and data security: “This [interoperability] means that, just like one is able to send mails between Gmail and Yahoo platforms, a user should be able to interact between Facebook and Twitter. There is no technical reason why this cannot be allowed.”

For more details visit https://cis-india.org/internet-governance/news/the-week-anita-babu-april-8-2018-it-feeds-on-you

IT companies in Bengaluru on high alert over WannaCry ransomware

praskrishna — 2017-05-19T09:05:46Z

In the wake of the ransomware attack triggered by WannaCry virus, IT firms in Bengaluru are racing against time to updating their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared holiday for a day or two for their employees.

The article by Kiran Parashar K M & Shruthi H M was published in the New Indian Express on May 17, 2017. Pranesh Prakash was quoted.

Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been communicated to be aware of unsolicited emails and were asked to stay away from work at a few places where the security systems update was in progress.

A network engineer of a secondary source software firm, who provides security solutions, said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”
“Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.

Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”

Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.
“Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.

Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”

WannaCry under reported

The Indian Cyber Army sources said that there has been under reporting of such incidents as many individuals use pirated version of the Windows software. Also, people have no idea whom to report if they fall prey to WannaCry.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware

IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:47:46Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69B Rules and official 69B Rules under Section 69B in order to better understand how the two are similar and how they differ. Notes have been included on some changes we deemed to be important.

There has been a considerable amount of re-arrangement and re-structuring of the various clauses between the 69B Draft Rules and the official Rules, as can be seen in the comparison chart, but very little content has been changed. The majority of the changes made to the official Rules are changes in wording and language that serve to provide some much-needed clarification to the Draft Rules (see the differences between Clause (9) of the Draft Rules and sub-section (4) of Clause (3) of the official Rules as an example). Language redundancies, as well as full clauses (Clause [6] of the Draft Rules) have been thankfully removed in the official Rules.

Aside from the addition of four definitions, including a definition for a “security policy”, a phrase which appears in the Draft Rules without being defined, Clause (2) contains what is most likely one of the more noteable changes between the two definitions: under sub-section (g) in the 69 Rules, the words “or unauthorised use” have been added to the definition of “cyber security breaches”, which significantly increases the scope of what can be considered a cyber security breach under the Rules.

A significant change between the two sets of rules can be found in sub-section (2) of Clause (8) of the official rules, which states that, “save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information”. The section in italics has been added to the original Clause (22) of the Draft Rules, meaning that when the Rules were originally drawn up, no exceptions were to be made for the destructions of the records for the issuing of directions for monitoring and/or the collected information. They would simply have to be destroyed within six months of the discontinuance of the monitoring/collection.

One change that may or may not be significant is the replacement of the words “established violations” in the Draft Rules to simply “violation” in the official Rules in Clauses (19)/(6), which deal with the responsibility of the intermediary. This could be taken to mean that suspected and/or perceived violations may also be punishable under this clause, but this is a hard stance to argue. Most likely the adjustment was made when those superfluous and/or convoluted parts of the Draft rules were being removed.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-b-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison

jdine — 2013-04-30T10:10:48Z

Jadine Lannon has performed a clause-by-clause comparison of the 69A draft rules and 69A rules for Section 69A of the IT Act in order to better understand how the two differ. While there has been reshuffling of the clauses in the official rules, the content itself has not changed significantly. Notes have been included on some changes we deemed to be important.

Below is a chart depicting the 69A Draft Rules and the 69A Rules:

There was a lot of structural change between the draft rules and the official rules—many of the draft clauses were shuffled around and combined—but not a lot of change in content. Many of the changes that appear in the official rules serve to clarify parts of the draft rules.

Three definitions were added under clause (2), two to clarify later references to a “designated officer” and a “nodal officer” and the third to indicate a form appended to the official Rules.

Clause (3) of the official rules then clarifies who shall be named the “designated officer”, which was not done in the draft rules as there was no inclusion of an official title of the officer who would have the responsibilities of the “designated officer”. Interestingly, clause (3) of the draft rules requires the Secretary of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India to name an officer, whereas clause (3) of the official rules states that the “Central Government” shall designate an officer, a change in language that allows for much more flexibility on the government's part.

Clause (5) in the draft rules and clause (4) in the official rules deal with the designation of a Nodal Officer, but omitted in the official rules are responsibilities of the designated officer, which includes acting on the “direction of the indian competent court”. This responsibility does not appear in any part of the official rules. Further, clause (4) of the official rules requires the organizations implicated in the rules to publish the name of the Nodal Officer on their website; this is an addition to the draft rules, and a highly useful one at that. This is an important move towards some form of transparency in this contentious process.

Clause (5) of the official rules significantly clarifies clause (4) of the draft rules by stating that the designated officer may direct any Agency of the Government or intermediary to block access once a request from the Nodal Officer has been received.

Clause (7) of the official rules uses the word “information” instead of “computer resource”, which is used in the corresponding clause (12) in the draft rules, when referring to the offending object. This change in language significantly widens the scope of what can be considered offending under the rules.

The sub-sections (2), (3) and (4) of clause (9) of the official rules are additions to the draft rules. Sub-section (2) is a significant addition, as it deals with the ability of the Secretary of the Department of Information Technology's ability to block for public access any information or part thereof without granting a hearing to the entity in control of the offending information in a case of emergency nature. The request for blocking will then be brought before the committee of examination of request within 48 hours of the issue of direction, meaning that the offending information could be blocked for two days without giving notice to the owner/controller of the information of the reason for the blockage.

An important clarification has been included in clause (15) of the official rules, which differs from clause (23) of the draft rules through the inclusion of the following phrase: “The Designated Officer shall maintain complete record of the request received and action taken thereof [...] of the cases of blocking for public access”. This is a significant change from clause (23), which simply states that the “Designated Officer shall maintain complete record [...] of the cases of blocking”. This could be seen as an important step towards transparency and accountability in the 69B process of blocking information for public access if clause (16) of the official rules did not state that all requests and complaints received and all actions taken thereof must be kept confidential, so the maintenance of records mentioned in clause (15) of the official rules appears to be only for internal record-keeping. However, just the fact that this information is being recording is a significant change from the draft rules, and may, if the sub-rules relating to confidentiality were to be changed, be useful data for the public.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-a-rules-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:56:07Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69 Rules and official 69 Rules under Section 69B in order to better understand how the two are similar and how they differ. Very brief notes have been included on some changes we deemed to be important.

Similar to the other comparisons that I have done on the 69A and 69B Draft and official Rules, the majority of the changes between these two sets of rules serves to restructure and clarify various clauses in the Draft 69 Rules.

Three new definitions appear in the Clause (2) of the 69 Rules, including a definition for “communication”, which appears in the Draft Rules but has no associated definition under Clause (2) of the Draft Rules.

Clause (31) of the Draft Rules, which deals with the requirement of security agencies of the State and Union territories to share any information gathered through interception, monitoring and/or decryption with federal agencies, does not make an appearance in the official rules. Further, this necessity does not seem to be implied anywhere in the official 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-rules-draft-and-final-version-comparison

Issue of duplication of identities of users under control: Nilekani

praskrishna — 2013-07-02T10:13:10Z

Nandan Nilekani says UIDAI system almost completely accurate, duplication of identities virtually negligible.

The article by Anirban Sen was published in Livemint on June 29, 2013. Sunil Abraham is quoted.

The Unique Identification Authority of India (UIDAI) chief Nandan Nilekani said the government agency was in preliminary discussions with some embassies to use the Aadhaar project to simplify visa application procedures and that the issue of duplication of identities of users was well under control.

In March, a UIDAI spokesperson told Mint that it had detected 34,015 cases where one person had been issued two Aadhaar numbers. The figures represented a little over 0.01% of the 290 million people who had been enrolled at the time.

Nilekani, who was delivering a keynote address at a three-day conference on the success and failures of information technology (IT) in the public and private sector at the Indian Institute of Management in Bangalore, said the UIDAI system was almost completely accurate and duplication of identities was virtually negligible.

“Knowing what we know now, we believe we have accuracy of upto 99.99%,” said Nilekani, chairman of the Unique Identification Authority of India (UIDAI).

Nilekani, on Saturday, assured that the project was completely secure and user data and biometrics were safe in the hands of the agencies it works with and brushed aside any concerns on security of user data that have been widely raised by Internet security groups and activists.

“We’re not giving any access to data, except when it is resident authorized. It is shared only when a resident participates in a transaction and authorizes the data which is shared,” said Nilekani, who was one of the seven co-founders of India’s second largest software exporter Infosys Ltd. He served as CEO of Infosys from 2002 to 2007.

“The system is also not open to the internet—the system has rings of authentications of service agencies. There are lots of concentric rings of security,” he added. “The biometric data is not used except for enrolment, re-duplication and authentication.”

Internet rights groups and activists such as Sunil Abraham of the Centre for Internet and Society (CIS), a research thinktank that focuses on issues of Internet governance, have often raised concerns over UID’s overtly broad scope and privacy issues in the project.

“We don’t need Aadhaar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the Internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies,” Abraham wrote in a blog post on the CIS website last year.

Nilekani also acknowledged that the department had faced several challenges, due to the sheer scale of the project that aims to cover the country’s entire population of 1.2 billion.

“We have had lots of challenges on this project—we have backlogs of enrolment because we have more packets than we can process, we backlogs of letter deliveries because we cannot handle so many letters…but fundamentally notwithstanding those challenges, we believe we are on the right track,” said Nilekani.

Both UIDAI and the census department under the National Population Register project are recording biometric data, which includes fingerprint and iris data. Even though both the agencies reached a truce after a cabinet decision in January 2012 and were allowed to co-exist, there have been several reports of duplication between the two agencies in biometric collection.

UIDAI is not just being used as the main platform for rolling out the government’s direct cash transfer scheme, but is also being regarded as an important authentication scheme for financial transactions and other security measures.

For more details visit https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control

ISPs start blocking escort websites following govt order

praskrishna — 2016-07-02T04:17:25Z

DoT on Monday ordered blocking of 240 URLs; blocking of websites takes place under Section 69A of the IT Act, and Information Technology Rules.

The article by Moulishree Srivastava was published in the Business Standard on June 14, 2016.

The Internet Service Providers (ISPs) have started blocking websites allegedly offering escort services after an order from the Department of Telecommunication (DoT).

The DoT on Monday asked ISPs to immediately block around 240 such URLs (Uniform Resource Locator) offering escort services, to filter out obscene content on the internet. Speaking to Business Standard, Internet Service Providers Association of India’s (ISPAI) President Rajesh Chharia said the ISPs were in process of shutting down these websites. ISPAI represents 60 ISPs including Bharti Airtel, Tata Teleservices, Reliance Communication, Vodafone and Idea Cellular.

“We received the order yesterday, and it entails a list of about 240 websites that the government wants us to block,” said Chharia. “CERT-In, which works under the Department of Electronics and Information Technology (Deity), advised the department on certain websites that it feels could be a national or social threat. Deity then reached out to DoT, which is our licensor. We are the licensee, and as per the licensing agreement, we have to comply with the order.”

While declining to comment on whether this is the first such order the association had received this year, Chharia said, “Since last few years, we have been receiving orders to block websites which hosts content that may be a threat to social order or national security.” Blocking of websites takes place under Section 69A of the IT Act, and a 2009 secondary legislation called the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules (“Blocking Rules”).

The rules empower the central government to direct any agency or intermediary to block access to information when satisfied that it is “necessary or expedient so to do” in the interest of the “sovereignty and integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to above. Intermediaries failing to comply are punishable with fines and prison terms up to seven years.”

In December 2014, around six months after the Modi-led BJP government came into power, the DoT ordered ISPs to block 32 websites, including Vimeo, Dailymotion, GitHub and Pastebin.

According to an RTI filed by no-for-profit organisation Software Freedom Law Centre in March last year, Deity said 2341 URLs were blocked in 2014, adding that “barring few numbers, all URLs were blocked on the orders of the Court”.

Another RTI filed by Bangalore based think tank Centre for Internet and Society (CIS) found that 143 URLs were blocked in first three months of 2015 in order to comply with the directions of the competent courts. Later that year, the government attempted to block about 857 porn websites, but it had to revoke the order following the backlash online and offline.

The recent notice named a number of websites that need to be banned, including pinkysingh.com, jasmineescorts.com, onlyoneescorts.com, payalmalhotra.in, localescorts.in, pearlpatel.in, kavyajain.in, xmumbai.in, shimi.in and anchu.in.

According to Freedom on the Net 2015 report by Freedom House, which termed India as a “partly free” country on the internet, there were 129 operational ISPs in India as of May 2015.

For more details visit https://cis-india.org/internet-governance/news/business-standard-moulishree-srivastava-june-14-2016-isps-start-blocking-escort-websites-following-govt-order

ISPs in Kashmir Grappling with Mounting Losses Amid Recurrent Shutdowns

Safeena Wani — 2017-12-20T15:54:06Z

Strap: Internet savvy youth taking to alternative routes to access the world wide web.

Srinagar, J&K: CNS Infotel Services, once a buzzing cybercafé in Srinagar’s Lal Chowk, is now a prominent internet service provider (ISP) for the town. It is popular for providing uninterrupted, fast internet connection, but that reputation has been tough to maintain as the Kashmir Valley has witnessed 56 internet shutdowns since 2012, 38 over the last two years alone. This has pushed the economy downhill and discouraged new enterprises from emerging.

Once the internet is blocked, executives at ISPs either skip calls to avoid public ire, or express their helplessness over the sudden disruption of internet ordered by authorities in the wake of some security situation.

An executive at CNS, Imran says how a sudden ‘police directive’ often forces them to apply the internet ‘kill switch’. “In May this year,” says Imran, “we received a circular stating that authorities want us to block 22 social media and messaging sites, including Facebook, WhatsApp, Twitter, Skype, Telegram and Viber, with immediate effect.” That day, CNS executives were only repeating a prohibition procedure that has become a norm in the Valley. In the post-2008 Kashmir, as street protests became the popular
mode of dissent, the state’s observation has been that resistance is being “fuelled by social media.”

“There’s a perpetual struggle for us to grapple between police orders and annoyed customers,” says Owais Mir, an executive of G Technologies, another ISP in Srinagar. “The frequent internet gags hamper our operations… annoyed customers often threaten to either switch over to another service provider or to deactivate their connections.”

Mobile data and broadband services in Kashmir were banned 10 times between April 8 and July 13 in 2017. “By then,” Imran says, “we were running into huge losses.”

While Imran does not have an actual figure to quote about the loss he faced, mobile ISPs were decrying daily losses to the tune of Rs 2 crore between April and July 2017.

According to Cellular Operators Association of India (COAI), mobile service providers in Kashmir suffered losses worth Rs 180 crore during that period. When such orders are passed, usually, except the state-run BSNL, other service providers — Airtel, Aircel, Vodafone and Reliance (Jio) — promptly shut down their operations. The postpaid BSNL numbers, which are mainly with police, army and government officials, continue running.

Alternative access

The repeated loss of communication in the Valley has prompted Kashmiri netizens to explore solutions. Many of them have learnt to access the Virtual Private Networks (VPNs), mostly through broadband internet and state-owned BSNL, in order to continue using messaging services and social media.

A VPN uses proxy servers to securely access a private network while allowing users to change location and share data remotely through public networks. It secures a connection through encryption and security protocols, and enables access to content that is otherwise blocked. VPN keeps the ISP from placing restrictions on access.

“VPNs help us to overcome the irrational social media blockade,” says Shagufta Mir, a college student from Srinagar. “More than a political statement, using VPN sends out a positive message that Kashmiris have evolved to tackle repeated restrictions imposed on them.” Most users have learnt about VPNs from their tech-savvy peers.

“When the government banned social media earlier this year,” says Shafat Hamid, a trader, “my friend taught me how to access a VPN. I felt empowered to be able to overcome the frequent gag on online activities.”

‘India worse than Iraq’

Jammu & Kashmir has higher internet penetration than the all-India average with 28.62 internet subscribers per 100 people compared to the national figure of 25.37.

Although broadband was functioning, the suspended mobile internet for over five months from July 9 to Nov 19, 2016 (data services on pre-paid mobiles remained suspended until January 27, 2017) saw many operators winding up. During that period, internetshutdowns.in, a website run by Delhi-based non-profit Software Freedom Law Centre (SFLC) to track incidents of internet shutdowns across India, recorded that Kashmir had no internet access for “over 2,920 hours”. This made India worse than Iraq and Pakistan in terms of number of days without internet, according to a report by the Brookings Institution.

According to a report, out of the 14,000 local youth employed in the IT sector in the Valley, an estimated 7,000 people lost their jobs due to the frequent internet shutdowns imposed last year. Online businesses incurred losses worth Rs 40-50 lakh on a daily basis during that period.

During the internet shutdown last year, COAI had written to the department of telecommunications that such communication bans have an adverse impact on the subscribers and result in losses to telecom operators. “Kashmir lost around 4.5 lakh active subscribers during the 2016 unrest,” says Sameer Parray, an area manager for Vodafone.

But service providers say they have to comply with the orders, lest their licenses be cancelled.

Safeena Wani is a Srinagar-based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/isps-in-kashmir-grappling-with-mounting-losses-amid-recurrent-shutdowns

iSpirt's Sharad Sharma: Sorry, I trolled Aadhaar critics

praskrishna — 2017-05-26T00:13:38Z

Sharad Sharma, the man who is seen as one of the critical backbones of India's digital drive, profusely apologized on Tuesday for anonymously trolling those arguing for better privacy and security standards in Aadhaar.

The article by Shalina Pillai and Anand J was published in the Times of India on May 24, 2017.

The apology came a few days after Kiran Jonnalagadda, co-founder of developer community platform HasGeek and one of those who were at the receiving end of the trolling, used internet tools to discover the faces behind the trolling.

The trolls allegedly included several other members of iSpirt, the software product association co-founded by Sharma and which leads IndiaStack, a set of technologies that can be used to digitise many everyday processes used by common people. The issue has divided India's nascent startup community like never before, and coming soon after the division over the arrest of Stayzilla co-founder Yogendra Vasupal, there are many who now worry for the ecosystem.This may also explain the apology by Sharma, who has been at the forefront of building this ecosystem.

In the apology mail that he tweeted, Sharma said: "There was a lapse of judgment on my part. I condoned tweets with uncivil comments. So I would like to unreservedly apologise to everybody who was hurt by them. Anonymity seemed easier than propriety, and tired as I was by personal events and attack on iSpirt's reputation, I slipped. I won't be part of anything like this again nor passively allow such behaviour to happen, even in the worst of times."

Nandan Nilekani tweeted in response to Sharma's apology that it was brave of him to do so. Several others in iSpirt also backed Sharma after the public apology . There was a surge of tweets in response to Sharma's and Nilekani's tweets, some welcoming the turn of events and others saying it wasn't enough. Jonnalagadda is among those who are not satisfied. "There were several individuals at iSpirt behind these trolls and Sharma's apology is not enough," he told TOI.

Aadhaar, aggressively pushed by the government, is being fiercely questioned by privacy and security advocates. Though most of these activists say they are asking for implementation of safeguards, the Twitter hashtags used by some of them include #antiaadhaar, #destroyaadhaar and #attackaadhaar, which seem to suggest they are entirely opposed to the authentication mechanism.

Both sides have used intemperate and often abusive language on social media -many using anonymous names. The latest flashpoint was a report by the Centre for Internet and Society (CIS) released earlier this month that said some 135 million Aadhaar numbers were leaked through government databases. There have also been accusations that private companies that verify Aadhaar credentials often get access to the full Aadhaar information of individuals. These provoked the proAadhaar trolls. Jonnalagadda, Nikhil Pahwa, co-founder of the Internet Freedom Foundation, which works on issues including net neutrality, and free expression and privacy on the internet, and Sunil Abraham of CIS were under particular attack.

Some of the iSpirt fellows and volunteers TOI spoke to had little remorse. "I am not saying iSpirt should have done what it did. But I can imagine why iSpirt reacted like this as we all have been under constant personal attack for a year now," said an iSpirt fellow, who did not want to be identified. Jas Gulati, co-founder and CEO at Nowfloats and a volunteer at iSprit, said iSpirt was an open organisation. "Sharad was upfront about it and I think it's very positive."

The Aadhaar privacy advocates, including Jonnalagadda and Pahwa, are clear they value iSpirt, but say it was undermining itself by its actions. One pointed to a February meeting of iSpirt where they created a programme called Sudham that distributed prominent Aadhaar critiques into four quadrants -`Misinformed, fearful and engaging', `Informed, fearful and engaging', `Misinformed and trolling' and `Informed and trolling' -and assigned different members to deal with each quadrant. Some of those who were assigned responsibilities appear to have taken their job too seriously .

Pahwa told TOI, "The work done by the Product Nation initiative at iSpirt is what makes it an important organization. But when people raise questions of IndiaStack and Aadhaar, many in that team respond with venom. iSpirt is unique, in that it is a thinktank that plays the role of an activist and lobbyist with a high degree of influence with the government and so they must develop processes for better governance, transparency and accountability ."

Anand Venkatanarayanan, a senior engineer at NetApp and independent Aadhaar researcher, said iSpirt should not be judged based on what Sharma did. "What we are trying to do is strengthen the Aadhaar system. Currently, they do not even have a process to report bugs. Large companies all have SOPs (standard operating procedures) to deal with issues. UIDAI does not," he said, noting that his views are personal and not that of his employer's.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-24-2017-shalina-pillai-anand-j-ispirts-sharad-sharma-sorry-i-trolled-aadhaar-critics