We are anonymous, we are legion

It Hurts Them Too

Mir Farhat — 2017-12-19T15:12:31Z

Strap: Internet shutdown robs security forces' social media lifeline in J&K.

Srinagar, J&K: For Mahender*, a member of the Central Reserve Police Force (CRPF) posted in Srinagar for the last two years, the internet has been a way to feel virtually close to his children and wife in Bihar, nearly 1,900 kms away. After duty every day, he finds a quiet corner to start video-calling his wife. At the other end, she ensures their two children are beside her. “We discuss how our day went. Most of our conversations revolve around the kids, their schooling and food, and about my parents who live near our house,” says Mahender, who identified himself only with his first name.

However, Mahender and thousands of security personnel like him posted in the Kashmir Valley haven't found this easy connectivity always reliable, courtesy the government's frequent internet shutdowns, phone data connectivity cuts, and social media bans.

Jammu & Kashmir has faced 55 internet shutdowns between 2012 and 2017, as recorded by the Software Freedom Law Centre. The administration justifies this crackdown by citing "law-and-order situations" that occur during encounters of security forces with militants and, later, when protests and marches are carried out by civilians during militants' funerals.

Hizbul Mujahideen commander Burhan Wani was killed by security forces and police on 8 July 2016, triggering a six-month-long “uprising” among civilians in Kashmir. Immediately after the shootout, security agencies shut the internet down. With 55 internet shutdowns in 2017 itself, it is something of a standard practice in Kashmir today to block social media or internet in a district or entire Valley each time there is an encounter. It is also a recurring practice of precaution against protests on Independence and Republic Day every year.

Security forces and police are not untouched by these shutdowns though. There are 47 CRPF battalions posted in the Kashmir region. “Our jawans experience difficulties during internet bans as they are not able to communicate with their families and friends as frequently as they do when internet is working,” says Srinagar-based CRPF Public Relations Officer Rajesh Yadav.

The J&K police, who are at the forefront of quelling protests and maintaining law & order in the Valley with a strength of nearly 100,000, also suffer. There have been growing instances of clashes between the Kashmiri police and protesters who believe their home force is being brutal during crowd control. The policemen have had to hide or operate in plain clothes. A senior police officer in Srinagar, who does not want to be named, says, “Our families are worried about our well-being when we are dealing with frequent agitations. In such a situation, when there is a ban, we find it difficult to stay in touch with our families.”

More dangerously, internet bans also hit the official communication of cops in action. Their offices are equipped with BSNL landline connections, which are rarely shut down, and they usually communicate through wireless; but for mobile internet most of them depend on private internet service providers, owing to their better connectivity, as the rest of the state. A senior police officer who deals with counter-insurgency in Kashmir speaks of the impact of cutting off phone data connectivity. "We have our own WhatsApp groups for quick official communication. We use broadband in offices only and can’t take it to sites of counter-insurgency operations.”

Yadav of the CRPF says, “While we have several effective means of communication for official purposes, social media is one that has accentuated our communication network. During internet bans, our work is not entirely hampered, but there is a little bit of pinch, since that speed and ease of working is not there.” Nevertheless, he defends the ban, insisting that Facebook and WhatsApp are handy tools for people to "flare up" the situation and "mobilise youths" during protests. "So, it becomes a compulsion for the administration to impose the ban."

Counter-insurgency forces have in the last few years created social media monitoring and surveillance cells. They say it is to equally match the extremists, including those in Pakistan, who use social media services like Telegram, Facebook and WhatsApp now, instead of their phones which can be tapped. It is also to keep an eye on suspected rumour-mongers and propagandists. For instance, 22-year-old Burhan Wani had gained the attention of security forces precisely because of the way he used his huge following, amassed through Facebook posts and gun-toting pictures, to inspire young Kashmiris to militancy.

“There is always monitoring and surveillance. If militants are using it, then they are within the loop,” says Yadav.

There is widespread public outrage against the state government and agencies who impose frequent net bans in Kashmir, but the CRPF official says it hampers their attempts to build an image and do public relations in Kashmir too. “We promote and highlight programmes like Civic Action and Sadhbhavana online, and that's not possible when there's no social media.”

"The public's criticism of the ban is justified,” the counter-insurgency official says. But they are compelled to use it in situations like during the recent scare around braid chopping, which was caused due to “rumour-mongering by persons with vested interests”. Kashmiri civil society had suggested that the police keep the internet up to issue online clarifications trashing the rumours, but it was not to be.

"The internet has made it possible to identify culprits while sitting in an office. But we have to shut it down in case of communal tensions which have the tendency to engulf the whole state,” says the senior cop. “When we have no option left, we go back to traditional human intelligence.”

Name changed to protect identity.

Mir Farhat is a journalist from Jammu & Kashmir, with an experience of reporting politics, conflict, environment, development and governance issues. His primary interests lie in reporting environment and development. He is a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/it-hurts-them-too

It feeds on you!

Admin — 2018-04-10T16:16:24Z

A robust data protection law can prevent Facebook from manipulating users

The article by Anita Babu was published as a cover story in The Week on April 8, 2018. Pranesh Prakash was quoted.

Soon after the Facebook-Cambridge Analytica scandal broke, a meme featuring Donald Duck began circulating on social media. It showed the cartoon character waking up to the news of the data leak, and then going back to sleep realising that the data was as “worthless” as he was.

The meme struck a chord with the younger generation, which has learnt to laugh at its own triviality. But, what it misses is the fact that technology companies can profit from even the most insignificant set of personal data.

Facebook, as its users know, is a marketing behemoth in the guise of a social media platform. By using it, people willingly give away information about themselves—their identity, relationship status, places visited and people met, political views, and so on. Facebook collates all this information, which may seem insignificant to an individual user, and then converts it into multiple databases.

These databases are lucrative, as it helps Facebook target ads at specific individuals or groups. The company earned as much as $40 billion in revenues last year by harvesting ‘worthless’ data. “Data collection at such a granular level is the problem,” said Nikhil Pahwa, Delhi-based digital rights activist and cofounder of Internet Freedom Foundation. “Data once collected is going to get stolen, lost, compromised or sold. Also, the linking of multiple data sets should not be allowed, because, at the end of the day, it has the potential to undermine democracies.”

The Cambridge Analytica (CA) files have revealed the extent to which tech companies like Facebook and Google profile users. “The fact that micro-targeting of ads were done through Facebook was a known fact,” said Bedasree, copy editor at the education services firm Careers360. “What is dangerous is that data theft can create identical virtual identities, like bots, which is happening. Since everything is digitised we would not be able to differentiate the real from the fake. And, there would be no accountability, because you have given your data to almost everyone.”

Micro-targeted ads have exposed Facebook to allegations of discrimination. For instance, a lawsuit filed in the US last year said companies like Amazon and T-Mobile ran recruitment ads in Facebook, allowing only younger workers to see them. “There is a difference between influencing and manipulating people,” said Pranesh Prakash, policy director at the think tank Centre for Internet and Society. “While ‘influencing’ a person politically is something to be celebrated in a democracy, manipulating someone is dangerous…. The problem is not necessarily the content, but the way it is presented: whether it is done transparently and ethically.”

So, what does the CA scandal mean to users? “They must understand what they are trading for convenience,” said Mishi Choudhary, technology lawyer and legal director at Software Freedom Law Centre, New York. “The technology package, consisting of smartphones and social media companies, peddles a form of convenience that we are all buying into. This convenience ensures that a form of inhuman social control is established, not only in our buying habits, but in our democracy as well.”

Facebook’s algorithm to determine a user’s newsfeed—the list of updates that a user sees on her Facebook homepage—is a key tool in establishing this control. According to Facebook, the objective of the newsfeed is “to show you the stories that matter the most to you”. It means Facebook determines what a user should see or not see. Studies have shown that Facebook can tweak the algorithm in such a way that only certain types of stories appear in your newsfeed, thereby influencing your mood and behaviour. “The kind of powers that a company like Facebook has, is dangerous,” said Prakash. “Certainly, it is not just Facebook which is problematic in this regard, but all companies with similar business models.”

In 2016, India campaigned hard and upheld net neutrality in its attempt to stop Facebook's 'Free Basics', a coterie of free web services provided by the social media giant but with controls. Two years later, the data theft scandal, with Facebook at the heart of it, has put the spotlight on India's need for a robust data protection law.

Last year, the government had appointed a committee of experts under the chairmanship of Justice B.N. Srikrishna to look into the matter. The committee submitted a white paper early this year, which drew criticism from experts for its shortcomings.

Perhaps, the government should take cues from the current discourse on digital rights. The need of the hour, say experts, is a comprehensive, user-centric data protection law rooted in user consent. The government should hold companies liable for any failure in taking the consent of users and protecting their data.

The laws should focus on the business model of social media companies, which effectively sell people to advertisers. “The value in digital advertising lies in collecting information about peoples’ behaviour, on a scale previously unimagined in the history of humankind,” said Choudhary. “Gram for gram, the smartphone is the densest collection of sensors ever assembled. It’s a spy satellite in your pocket, aimed at you.”

Perhaps, the answer lies in building a technology ecosystem that encourages smaller players to take on giants like Facebook. A key to that would be implementing ‘interoperability’ between social networks. Said Hrishikesh Bhaskaran, member of Mozilla India’s Policy and Advocacy Task Force, which works to ensure privacy and data security: “This [interoperability] means that, just like one is able to send mails between Gmail and Yahoo platforms, a user should be able to interact between Facebook and Twitter. There is no technical reason why this cannot be allowed.”

For more details visit https://cis-india.org/internet-governance/news/the-week-anita-babu-april-8-2018-it-feeds-on-you

IT companies in Bengaluru on high alert over WannaCry ransomware

praskrishna — 2017-05-19T09:05:46Z

In the wake of the ransomware attack triggered by WannaCry virus, IT firms in Bengaluru are racing against time to updating their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared holiday for a day or two for their employees.

The article by Kiran Parashar K M & Shruthi H M was published in the New Indian Express on May 17, 2017. Pranesh Prakash was quoted.

Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been communicated to be aware of unsolicited emails and were asked to stay away from work at a few places where the security systems update was in progress.

A network engineer of a secondary source software firm, who provides security solutions, said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”
“Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.

Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”

Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.
“Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.

Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”

WannaCry under reported

The Indian Cyber Army sources said that there has been under reporting of such incidents as many individuals use pirated version of the Windows software. Also, people have no idea whom to report if they fall prey to WannaCry.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware

IT (Amendment) Act, 2008, 69B Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:47:46Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69B Rules and official 69B Rules under Section 69B in order to better understand how the two are similar and how they differ. Notes have been included on some changes we deemed to be important.

There has been a considerable amount of re-arrangement and re-structuring of the various clauses between the 69B Draft Rules and the official Rules, as can be seen in the comparison chart, but very little content has been changed. The majority of the changes made to the official Rules are changes in wording and language that serve to provide some much-needed clarification to the Draft Rules (see the differences between Clause (9) of the Draft Rules and sub-section (4) of Clause (3) of the official Rules as an example). Language redundancies, as well as full clauses (Clause [6] of the Draft Rules) have been thankfully removed in the official Rules.

Aside from the addition of four definitions, including a definition for a “security policy”, a phrase which appears in the Draft Rules without being defined, Clause (2) contains what is most likely one of the more noteable changes between the two definitions: under sub-section (g) in the 69 Rules, the words “or unauthorised use” have been added to the definition of “cyber security breaches”, which significantly increases the scope of what can be considered a cyber security breach under the Rules.

A significant change between the two sets of rules can be found in sub-section (2) of Clause (8) of the official rules, which states that, “save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information”. The section in italics has been added to the original Clause (22) of the Draft Rules, meaning that when the Rules were originally drawn up, no exceptions were to be made for the destructions of the records for the issuing of directions for monitoring and/or the collected information. They would simply have to be destroyed within six months of the discontinuance of the monitoring/collection.

One change that may or may not be significant is the replacement of the words “established violations” in the Draft Rules to simply “violation” in the official Rules in Clauses (19)/(6), which deal with the responsibility of the intermediary. This could be taken to mean that suspected and/or perceived violations may also be punishable under this clause, but this is a hard stance to argue. Most likely the adjustment was made when those superfluous and/or convoluted parts of the Draft rules were being removed.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-b-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69A Rules: Draft and Final Version Comparison

jdine — 2013-04-30T10:10:48Z

Jadine Lannon has performed a clause-by-clause comparison of the 69A draft rules and 69A rules for Section 69A of the IT Act in order to better understand how the two differ. While there has been reshuffling of the clauses in the official rules, the content itself has not changed significantly. Notes have been included on some changes we deemed to be important.

Below is a chart depicting the 69A Draft Rules and the 69A Rules:

There was a lot of structural change between the draft rules and the official rules—many of the draft clauses were shuffled around and combined—but not a lot of change in content. Many of the changes that appear in the official rules serve to clarify parts of the draft rules.

Three definitions were added under clause (2), two to clarify later references to a “designated officer” and a “nodal officer” and the third to indicate a form appended to the official Rules.

Clause (3) of the official rules then clarifies who shall be named the “designated officer”, which was not done in the draft rules as there was no inclusion of an official title of the officer who would have the responsibilities of the “designated officer”. Interestingly, clause (3) of the draft rules requires the Secretary of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India to name an officer, whereas clause (3) of the official rules states that the “Central Government” shall designate an officer, a change in language that allows for much more flexibility on the government's part.

Clause (5) in the draft rules and clause (4) in the official rules deal with the designation of a Nodal Officer, but omitted in the official rules are responsibilities of the designated officer, which includes acting on the “direction of the indian competent court”. This responsibility does not appear in any part of the official rules. Further, clause (4) of the official rules requires the organizations implicated in the rules to publish the name of the Nodal Officer on their website; this is an addition to the draft rules, and a highly useful one at that. This is an important move towards some form of transparency in this contentious process.

Clause (5) of the official rules significantly clarifies clause (4) of the draft rules by stating that the designated officer may direct any Agency of the Government or intermediary to block access once a request from the Nodal Officer has been received.

Clause (7) of the official rules uses the word “information” instead of “computer resource”, which is used in the corresponding clause (12) in the draft rules, when referring to the offending object. This change in language significantly widens the scope of what can be considered offending under the rules.

The sub-sections (2), (3) and (4) of clause (9) of the official rules are additions to the draft rules. Sub-section (2) is a significant addition, as it deals with the ability of the Secretary of the Department of Information Technology's ability to block for public access any information or part thereof without granting a hearing to the entity in control of the offending information in a case of emergency nature. The request for blocking will then be brought before the committee of examination of request within 48 hours of the issue of direction, meaning that the offending information could be blocked for two days without giving notice to the owner/controller of the information of the reason for the blockage.

An important clarification has been included in clause (15) of the official rules, which differs from clause (23) of the draft rules through the inclusion of the following phrase: “The Designated Officer shall maintain complete record of the request received and action taken thereof [...] of the cases of blocking for public access”. This is a significant change from clause (23), which simply states that the “Designated Officer shall maintain complete record [...] of the cases of blocking”. This could be seen as an important step towards transparency and accountability in the 69B process of blocking information for public access if clause (16) of the official rules did not state that all requests and complaints received and all actions taken thereof must be kept confidential, so the maintenance of records mentioned in clause (15) of the official rules appears to be only for internal record-keeping. However, just the fact that this information is being recording is a significant change from the draft rules, and may, if the sub-rules relating to confidentiality were to be changed, be useful data for the public.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-a-rules-draft-and-final-version-comparison

IT (Amendment) Act, 2008, 69 Rules: Draft and Final Version Comparison

jdine — 2013-04-30T09:56:07Z

Jadine Lannon has performed a clause-by-clause comparison of the Draft 69 Rules and official 69 Rules under Section 69B in order to better understand how the two are similar and how they differ. Very brief notes have been included on some changes we deemed to be important.

Similar to the other comparisons that I have done on the 69A and 69B Draft and official Rules, the majority of the changes between these two sets of rules serves to restructure and clarify various clauses in the Draft 69 Rules.

Three new definitions appear in the Clause (2) of the 69 Rules, including a definition for “communication”, which appears in the Draft Rules but has no associated definition under Clause (2) of the Draft Rules.

Clause (31) of the Draft Rules, which deals with the requirement of security agencies of the State and Union territories to share any information gathered through interception, monitoring and/or decryption with federal agencies, does not make an appearance in the official rules. Further, this necessity does not seem to be implied anywhere in the official 69 Rules.

For more details visit https://cis-india.org/internet-governance/blog/it-amendment-act-69-rules-draft-and-final-version-comparison

Issue of duplication of identities of users under control: Nilekani

praskrishna — 2013-07-02T10:13:10Z

Nandan Nilekani says UIDAI system almost completely accurate, duplication of identities virtually negligible.

The article by Anirban Sen was published in Livemint on June 29, 2013. Sunil Abraham is quoted.

The Unique Identification Authority of India (UIDAI) chief Nandan Nilekani said the government agency was in preliminary discussions with some embassies to use the Aadhaar project to simplify visa application procedures and that the issue of duplication of identities of users was well under control.

In March, a UIDAI spokesperson told Mint that it had detected 34,015 cases where one person had been issued two Aadhaar numbers. The figures represented a little over 0.01% of the 290 million people who had been enrolled at the time.

Nilekani, who was delivering a keynote address at a three-day conference on the success and failures of information technology (IT) in the public and private sector at the Indian Institute of Management in Bangalore, said the UIDAI system was almost completely accurate and duplication of identities was virtually negligible.

“Knowing what we know now, we believe we have accuracy of upto 99.99%,” said Nilekani, chairman of the Unique Identification Authority of India (UIDAI).

Nilekani, on Saturday, assured that the project was completely secure and user data and biometrics were safe in the hands of the agencies it works with and brushed aside any concerns on security of user data that have been widely raised by Internet security groups and activists.

“We’re not giving any access to data, except when it is resident authorized. It is shared only when a resident participates in a transaction and authorizes the data which is shared,” said Nilekani, who was one of the seven co-founders of India’s second largest software exporter Infosys Ltd. He served as CEO of Infosys from 2002 to 2007.

“The system is also not open to the internet—the system has rings of authentications of service agencies. There are lots of concentric rings of security,” he added. “The biometric data is not used except for enrolment, re-duplication and authentication.”

Internet rights groups and activists such as Sunil Abraham of the Centre for Internet and Society (CIS), a research thinktank that focuses on issues of Internet governance, have often raised concerns over UID’s overtly broad scope and privacy issues in the project.

“We don’t need Aadhaar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the Internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies,” Abraham wrote in a blog post on the CIS website last year.

Nilekani also acknowledged that the department had faced several challenges, due to the sheer scale of the project that aims to cover the country’s entire population of 1.2 billion.

“We have had lots of challenges on this project—we have backlogs of enrolment because we have more packets than we can process, we backlogs of letter deliveries because we cannot handle so many letters…but fundamentally notwithstanding those challenges, we believe we are on the right track,” said Nilekani.

Both UIDAI and the census department under the National Population Register project are recording biometric data, which includes fingerprint and iris data. Even though both the agencies reached a truce after a cabinet decision in January 2012 and were allowed to co-exist, there have been several reports of duplication between the two agencies in biometric collection.

UIDAI is not just being used as the main platform for rolling out the government’s direct cash transfer scheme, but is also being regarded as an important authentication scheme for financial transactions and other security measures.

For more details visit https://cis-india.org/news/livemint-anirban-sen-june-29-2013-issue-of-duplication-of-identities-of-users-under-control

ISPs start blocking escort websites following govt order

praskrishna — 2016-07-02T04:17:25Z

DoT on Monday ordered blocking of 240 URLs; blocking of websites takes place under Section 69A of the IT Act, and Information Technology Rules.

The article by Moulishree Srivastava was published in the Business Standard on June 14, 2016.

The Internet Service Providers (ISPs) have started blocking websites allegedly offering escort services after an order from the Department of Telecommunication (DoT).

The DoT on Monday asked ISPs to immediately block around 240 such URLs (Uniform Resource Locator) offering escort services, to filter out obscene content on the internet. Speaking to Business Standard, Internet Service Providers Association of India’s (ISPAI) President Rajesh Chharia said the ISPs were in process of shutting down these websites. ISPAI represents 60 ISPs including Bharti Airtel, Tata Teleservices, Reliance Communication, Vodafone and Idea Cellular.

“We received the order yesterday, and it entails a list of about 240 websites that the government wants us to block,” said Chharia. “CERT-In, which works under the Department of Electronics and Information Technology (Deity), advised the department on certain websites that it feels could be a national or social threat. Deity then reached out to DoT, which is our licensor. We are the licensee, and as per the licensing agreement, we have to comply with the order.”

While declining to comment on whether this is the first such order the association had received this year, Chharia said, “Since last few years, we have been receiving orders to block websites which hosts content that may be a threat to social order or national security.” Blocking of websites takes place under Section 69A of the IT Act, and a 2009 secondary legislation called the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules (“Blocking Rules”).

The rules empower the central government to direct any agency or intermediary to block access to information when satisfied that it is “necessary or expedient so to do” in the interest of the “sovereignty and integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to above. Intermediaries failing to comply are punishable with fines and prison terms up to seven years.”

In December 2014, around six months after the Modi-led BJP government came into power, the DoT ordered ISPs to block 32 websites, including Vimeo, Dailymotion, GitHub and Pastebin.

According to an RTI filed by no-for-profit organisation Software Freedom Law Centre in March last year, Deity said 2341 URLs were blocked in 2014, adding that “barring few numbers, all URLs were blocked on the orders of the Court”.

Another RTI filed by Bangalore based think tank Centre for Internet and Society (CIS) found that 143 URLs were blocked in first three months of 2015 in order to comply with the directions of the competent courts. Later that year, the government attempted to block about 857 porn websites, but it had to revoke the order following the backlash online and offline.

The recent notice named a number of websites that need to be banned, including pinkysingh.com, jasmineescorts.com, onlyoneescorts.com, payalmalhotra.in, localescorts.in, pearlpatel.in, kavyajain.in, xmumbai.in, shimi.in and anchu.in.

According to Freedom on the Net 2015 report by Freedom House, which termed India as a “partly free” country on the internet, there were 129 operational ISPs in India as of May 2015.

For more details visit https://cis-india.org/internet-governance/news/business-standard-moulishree-srivastava-june-14-2016-isps-start-blocking-escort-websites-following-govt-order

ISPs in Kashmir Grappling with Mounting Losses Amid Recurrent Shutdowns

Safeena Wani — 2017-12-20T15:54:06Z

Strap: Internet savvy youth taking to alternative routes to access the world wide web.

Srinagar, J&K: CNS Infotel Services, once a buzzing cybercafé in Srinagar’s Lal Chowk, is now a prominent internet service provider (ISP) for the town. It is popular for providing uninterrupted, fast internet connection, but that reputation has been tough to maintain as the Kashmir Valley has witnessed 56 internet shutdowns since 2012, 38 over the last two years alone. This has pushed the economy downhill and discouraged new enterprises from emerging.

Once the internet is blocked, executives at ISPs either skip calls to avoid public ire, or express their helplessness over the sudden disruption of internet ordered by authorities in the wake of some security situation.

An executive at CNS, Imran says how a sudden ‘police directive’ often forces them to apply the internet ‘kill switch’. “In May this year,” says Imran, “we received a circular stating that authorities want us to block 22 social media and messaging sites, including Facebook, WhatsApp, Twitter, Skype, Telegram and Viber, with immediate effect.” That day, CNS executives were only repeating a prohibition procedure that has become a norm in the Valley. In the post-2008 Kashmir, as street protests became the popular
mode of dissent, the state’s observation has been that resistance is being “fuelled by social media.”

“There’s a perpetual struggle for us to grapple between police orders and annoyed customers,” says Owais Mir, an executive of G Technologies, another ISP in Srinagar. “The frequent internet gags hamper our operations… annoyed customers often threaten to either switch over to another service provider or to deactivate their connections.”

Mobile data and broadband services in Kashmir were banned 10 times between April 8 and July 13 in 2017. “By then,” Imran says, “we were running into huge losses.”

While Imran does not have an actual figure to quote about the loss he faced, mobile ISPs were decrying daily losses to the tune of Rs 2 crore between April and July 2017.

According to Cellular Operators Association of India (COAI), mobile service providers in Kashmir suffered losses worth Rs 180 crore during that period. When such orders are passed, usually, except the state-run BSNL, other service providers — Airtel, Aircel, Vodafone and Reliance (Jio) — promptly shut down their operations. The postpaid BSNL numbers, which are mainly with police, army and government officials, continue running.

Alternative access

The repeated loss of communication in the Valley has prompted Kashmiri netizens to explore solutions. Many of them have learnt to access the Virtual Private Networks (VPNs), mostly through broadband internet and state-owned BSNL, in order to continue using messaging services and social media.

A VPN uses proxy servers to securely access a private network while allowing users to change location and share data remotely through public networks. It secures a connection through encryption and security protocols, and enables access to content that is otherwise blocked. VPN keeps the ISP from placing restrictions on access.

“VPNs help us to overcome the irrational social media blockade,” says Shagufta Mir, a college student from Srinagar. “More than a political statement, using VPN sends out a positive message that Kashmiris have evolved to tackle repeated restrictions imposed on them.” Most users have learnt about VPNs from their tech-savvy peers.

“When the government banned social media earlier this year,” says Shafat Hamid, a trader, “my friend taught me how to access a VPN. I felt empowered to be able to overcome the frequent gag on online activities.”

‘India worse than Iraq’

Jammu & Kashmir has higher internet penetration than the all-India average with 28.62 internet subscribers per 100 people compared to the national figure of 25.37.

Although broadband was functioning, the suspended mobile internet for over five months from July 9 to Nov 19, 2016 (data services on pre-paid mobiles remained suspended until January 27, 2017) saw many operators winding up. During that period, internetshutdowns.in, a website run by Delhi-based non-profit Software Freedom Law Centre (SFLC) to track incidents of internet shutdowns across India, recorded that Kashmir had no internet access for “over 2,920 hours”. This made India worse than Iraq and Pakistan in terms of number of days without internet, according to a report by the Brookings Institution.

According to a report, out of the 14,000 local youth employed in the IT sector in the Valley, an estimated 7,000 people lost their jobs due to the frequent internet shutdowns imposed last year. Online businesses incurred losses worth Rs 40-50 lakh on a daily basis during that period.

During the internet shutdown last year, COAI had written to the department of telecommunications that such communication bans have an adverse impact on the subscribers and result in losses to telecom operators. “Kashmir lost around 4.5 lakh active subscribers during the 2016 unrest,” says Sameer Parray, an area manager for Vodafone.

But service providers say they have to comply with the orders, lest their licenses be cancelled.

Safeena Wani is a Srinagar-based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/isps-in-kashmir-grappling-with-mounting-losses-amid-recurrent-shutdowns

iSpirt's Sharad Sharma: Sorry, I trolled Aadhaar critics

praskrishna — 2017-05-26T00:13:38Z

Sharad Sharma, the man who is seen as one of the critical backbones of India's digital drive, profusely apologized on Tuesday for anonymously trolling those arguing for better privacy and security standards in Aadhaar.

The article by Shalina Pillai and Anand J was published in the Times of India on May 24, 2017.

The apology came a few days after Kiran Jonnalagadda, co-founder of developer community platform HasGeek and one of those who were at the receiving end of the trolling, used internet tools to discover the faces behind the trolling.

The trolls allegedly included several other members of iSpirt, the software product association co-founded by Sharma and which leads IndiaStack, a set of technologies that can be used to digitise many everyday processes used by common people. The issue has divided India's nascent startup community like never before, and coming soon after the division over the arrest of Stayzilla co-founder Yogendra Vasupal, there are many who now worry for the ecosystem.This may also explain the apology by Sharma, who has been at the forefront of building this ecosystem.

In the apology mail that he tweeted, Sharma said: "There was a lapse of judgment on my part. I condoned tweets with uncivil comments. So I would like to unreservedly apologise to everybody who was hurt by them. Anonymity seemed easier than propriety, and tired as I was by personal events and attack on iSpirt's reputation, I slipped. I won't be part of anything like this again nor passively allow such behaviour to happen, even in the worst of times."

Nandan Nilekani tweeted in response to Sharma's apology that it was brave of him to do so. Several others in iSpirt also backed Sharma after the public apology . There was a surge of tweets in response to Sharma's and Nilekani's tweets, some welcoming the turn of events and others saying it wasn't enough. Jonnalagadda is among those who are not satisfied. "There were several individuals at iSpirt behind these trolls and Sharma's apology is not enough," he told TOI.

Aadhaar, aggressively pushed by the government, is being fiercely questioned by privacy and security advocates. Though most of these activists say they are asking for implementation of safeguards, the Twitter hashtags used by some of them include #antiaadhaar, #destroyaadhaar and #attackaadhaar, which seem to suggest they are entirely opposed to the authentication mechanism.

Both sides have used intemperate and often abusive language on social media -many using anonymous names. The latest flashpoint was a report by the Centre for Internet and Society (CIS) released earlier this month that said some 135 million Aadhaar numbers were leaked through government databases. There have also been accusations that private companies that verify Aadhaar credentials often get access to the full Aadhaar information of individuals. These provoked the proAadhaar trolls. Jonnalagadda, Nikhil Pahwa, co-founder of the Internet Freedom Foundation, which works on issues including net neutrality, and free expression and privacy on the internet, and Sunil Abraham of CIS were under particular attack.

Some of the iSpirt fellows and volunteers TOI spoke to had little remorse. "I am not saying iSpirt should have done what it did. But I can imagine why iSpirt reacted like this as we all have been under constant personal attack for a year now," said an iSpirt fellow, who did not want to be identified. Jas Gulati, co-founder and CEO at Nowfloats and a volunteer at iSprit, said iSpirt was an open organisation. "Sharad was upfront about it and I think it's very positive."

The Aadhaar privacy advocates, including Jonnalagadda and Pahwa, are clear they value iSpirt, but say it was undermining itself by its actions. One pointed to a February meeting of iSpirt where they created a programme called Sudham that distributed prominent Aadhaar critiques into four quadrants -`Misinformed, fearful and engaging', `Informed, fearful and engaging', `Misinformed and trolling' and `Informed and trolling' -and assigned different members to deal with each quadrant. Some of those who were assigned responsibilities appear to have taken their job too seriously .

Pahwa told TOI, "The work done by the Product Nation initiative at iSpirt is what makes it an important organization. But when people raise questions of IndiaStack and Aadhaar, many in that team respond with venom. iSpirt is unique, in that it is a thinktank that plays the role of an activist and lobbyist with a high degree of influence with the government and so they must develop processes for better governance, transparency and accountability ."

Anand Venkatanarayanan, a senior engineer at NetApp and independent Aadhaar researcher, said iSpirt should not be judged based on what Sharma did. "What we are trying to do is strengthen the Aadhaar system. Currently, they do not even have a process to report bugs. Large companies all have SOPs (standard operating procedures) to deal with issues. UIDAI does not," he said, noting that his views are personal and not that of his employer's.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-may-24-2017-shalina-pillai-anand-j-ispirts-sharad-sharma-sorry-i-trolled-aadhaar-critics

ISO/IEC/ JTC 1/SC 27 Working Groups Meeting, Jaipur

vanya — 2015-12-21T02:38:46Z

I attended this event held from October 26 to 30, 2015 in Jaipur.

The Bureau of Indian Standards (BIS) in collaboration with Data Security Council of India (DSCI) hosted the global standards’ meeting – ISO/IEC/ JTC 1/SC 27 Working Groups Meeting in Jaipur, Rajasthan at Hotel Marriott from 26th to 30th of October, 2015, followed by a half day conference on Friday, 30th October on the importance of Standards in the domain. The event witnessed experts from across the globe deliberating on forging international standards on Privacy, Security and Risk management in IoT, Cloud Computing and many other contemporary technologies, along with updating existing standards. Under SC 27, 5 working groups parallely held the meetings on varied Projects and Study periods respectively. The 5 Working Groups are as follows:

WG1: Information Security Management Systems;
WG 2 :Cryptography and Security Mechanisms;
WG 3 : Security Evaluation, Testing and Specification;
WG 4 : Security Controls and Services; and
WG 5 :Identity Management and Privacy technologies; competence of security management

This key set of Working Groups (WG)met in India for the first time. Professionals discussed and debated development of standards under each working group to develop international standards to address issues regarding security, identity management and privacy.

CIS had the opportunity to attend meetings under Working Group 5. This group further had parallel meetings on several topics namely:

Privacy enhancing data de-identification techniques ISO/IEC NWIP 20889 : Data de-identification techniques are important when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles. The selection, design, use and assessment of these techniques need to be performed appropriately in order to effectively address the risks of re-identification in a given context. There is thus a need to classify known de-identification techniques using standardized terminology, and to describe their characteristics, including the underlying technologies, the applicability of each technique to reducing the risk of re-identification, and the usability of the de-identified data. This is the main goal of this International Standard. Meetings were conducted to resolve comments sent by organisations across the world, review draft documents and agree on next steps.
A study period on Privacy Engineering framework : This session deliberated upon contributions, terms of reference and discuss the scope for the emerging field of privacy engineering framework. The session also reviewed important terms to be included in the standard and identify possible improvements to existing privacy impact assessment and management standards. It was identified that the goal of this standard is to integrate privacy into systems as part of the systems engineering process. Another concern raised was that the framework must be consistent with Privacy framework under ISO 29100 and HL7 Privacy and security standards.
A study period on user friendly online privacy notice and consent: The basic purpose of this New Work Item Proposal is to assess the viability of producing a guideline for PII Controllers on providing easy to understand notices and consent procedures to PII Principals within WG5. At the Meeting, a brief overview of the contributions received was given,along with assessment of liaison to ISO/IEC JTC 1/SC 35 and other entities. This International Standard gives guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from PII principals online and is applicable to all situations where a PII controller or any other entity processing PII informs PII principals in any online context.
Some of the other sessions under Working Group 5 were on Privacy Impact Assessment ISO/IEC 29134, Standardization in the area of Biometrics and Biometric information protection, Code of Practise for the protection of personally identifiable information, Study period on User friendly online privacy notice and consent, etc.

ISO/IEC/JTC 1/ SC27 is a joint technical committee of the international standards bodies – ISO and IEC on Information Technology security techniques which conducts regular meetings across the world. JTC 1 has over 2600 published standards developed under the broad umbrella of the committee and its 20 subcommittees. Draft International Standards adopted by the joint technical committees are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote in favour of the same. In India, the Bureau of Indian Standards (BIS) is the National Standards Body. Standards are formulated keeping in view national priorities, industrial development, technical needs, export promotion, health, safety etc. and are harmonized with ISO/IEC standards (wherever they exist) to the extent possible, in order to facilitate adoption of ISO/IEC standards by all segments of industry and business.BIS has been actively participating in the Technical Committee work of ISO/IEC and is currently a Participating member in 417 and 74 Technical Committees/ Subcommittees and Observer member in 248 and 79 Technical Committees/Subcommittees of ISO and IEC respectively. BIS holds Secretarial responsibilities of 2 Technical Committees and 6 Subcommittees of ISO.

The last meeting was held in the month of May, 2015 in Malaysia, followed by this meeting in October, 2015 Jaipur. 51 countries play an active role as the ‘Participating Members, India being one, while a few countries as observing members. As a part of these sessions, the participating countries also have rights to vote in all official ballots related to standards. The representatives of the country work on the preparation and development of the International Standards and provide feedback to their national organizations.

There was an additional study group meeting on IoT to discuss comments on the previous drafts, suggest changes , review responses and identify standard gaps in SC 27.

On October 30, 2015 BIS-DSCI hosted a half day International conference on 30 October, 2015 on Cyber Security and Privacy Standards, comprising of keynotes and panel discussions, bringing together national and international experts to share experience and exchange views on cyber security techniques and protection of data and privacy in international standards, and their growing importance in their society. The conference looked at various themes like the Role of standards in smart cities, Responding to the Challenges of Investigating Cyber Crimes through Standards, etc. It was emphasised that due to an increasing digital world, there is a universal agreement for the need of cyber security as the infrastructure is globally connected, the cyber threats are also distributed as they are not restricted by the geographical boundaries. Hence, the need for technical and policy solutions, along with standards was highlighted for future protection of the digital world which is now deeply embedded in life, businesses and the government. Standards will help in setting crucial infrastructure for in data security and build associated infrastructure on these lines.

The importance of standards was highlighted in context of smart cities wherein the need for standards was discussed by experts. Harmonization of regulations with standards must be looked at, by primarily creating standards which could be referred to by the regulators. Broadly, the challenges faced by smart cities are data security, privacy and digital resilience of the infrastructure. It was suggested that in the beginning, these areas must be looked at for development of standards in smart cities. Also, the ISO/IEC has a Working Group and a Strategic Group focussing on Smart Cities. The risks of digitisation, network, identity management, etc. must be looked at to create the standards.

The next meeting has been scheduled for April 2016 in Tampa (USA).

This meeting was a good opportunity to interact with experts from various parts of the World and understand the working of ISO Meetings which are held twice/thrice every year. The Centre for Internet and Society will be continuing work and becoming involved in the standard setting process at the future Working group meetings.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-groups-meeting-jaipur

ISO/IEC JTC1/SC 27 Meetings

praskrishna — 2017-04-27T16:38:46Z

Udbhav Tiwari represented the Centre for Internet & Society in a series of meetings held at University of Waikato and Novotel in Hamilton, New Zealand between April 18 and 25, 2017.

The participation was by the virtue of our institutional membership in Information Systems Security Sectional Committee (LITD 17) at the Bureau of Indian Standards.

The first 5 days of the meetings (18 to 23 April, 2017) were the working group meetings, where Udbhav participated in Working Group 1 - Information security management systems and Working Group 5 - Identity management and privacy technologies. Udbhav's participation in WG1 was largely exploratory, where I made some connections and tagged projects for us to comment on prior to the next set of meetings. These projects were Cyber Security, Cyber Insurance, Government Use of the ISO 27001 Standards, International Framework for Cyber Security and the Standing Document on Regulatory Use of 27001.

In WG5, Udbhav was appointed as Co-Rapporteur in the Study Period on Smart Cities, which will go on for another 6 months. The plenary of SC 27 was held on April 24 and 25, 2017. The final resolutions from the Working Groups plenary can be accessed below:

WG1 Recommendations and Resolutions

WG5 Resolutions

For more details visit https://cis-india.org/internet-governance/news/iso-iec-jtc1-sc-27-meetings

ISO/IEC JTC 1 SC 27 Working Group Meetings - A Summary

vanya — 2016-12-16T23:53:19Z

The Centre for Internet & Society attended the ISO/IEC JTC 1 SC 27 Working Group Meetings from 22 to 27 October 2016 in Abu Dhabi at Abu Dhabi National Exhibition Centre.

Being a member of Working Group 5: Information technology - Security techniques – Identity management and privacy technologies, we attended the following meetings:

WD 29184 Guidelines for online privacy notices and consent- As technological advancement and wider availability of communication infrastructures has enabled collection and analysis of information regarding an individuals' activities, along with people becoming aware about privacy implications of the same, this standard aims to provides a framework for organizations to provide clear and easily under information to consumers about how the organization will process their PII.
SP PII Protection Considerations for Smartphone App providers - Being a 1-year long project proposed during the ISO/IEC SC 27 JTC 1 Working Group Meetings in Jaipur in the year 2015. This group aims to build off a privacy framework for mobile applications to guide app developers on the lines of ISO/IEC 29100 international standard (which defines a broad privacy framework for information technologies) in light of excessive data collection by apps in absence of consent or justification, lack of comprehensive policies, Non transparent practices, Lack of adequate choice and consent, to ensure protection of rights of the individuals, etc. and will work towards ensuring a harmonized and standardized privacy structure for mobile application data policies and practices.
WD 20889 Privacy enhancing data de-identification techniques- Given the importance of Data de-identification techniques when it comes to PII to enable the exploitation of the benefits of data processing while maintaining compliance with regulatory requirements and the relevant ISO/IEC 29100 privacy principles, the selection, design, use and assessment of these techniques needs to be performed appropriately in order to effectively address the risks of re-identification in a given context.
SP Privacy in Smart Cities- Being a 1-year long project proposed during the ISO/IEC SC 27 JTC 1 Working Group Meetings in Jaipur this group saw contributions from Japan, India, PRIPARE in EU, to name a few. The scope for the group was proposed to produce a framework in light of data ownership, communication channels, privacy risk and impact assessment in smart cities, data lifecycle privacy governance for smart cities, and Develop use cases and contexts for Privacy Controls w.r.t the data lifecycle in Smart Cities, along with detailed documentation of Privacy Controls for Smart Cities aligned to the primary controls and associated sub controls.

For more details visit https://cis-india.org/internet-governance/blog/iso-iec-jtc-1-sc-27-working-group-meetings-a-summary

ISIS and Recruitment using Social Media – Roundtable Report

Vidushi Marda, Aditya Tejus, Megha Nambiar and Japreet Grewal — 2016-12-16T02:19:16Z

The Centre for Internet and Society in collaboration with the Takshashila Institution held a roundtable discussion on “ISIS and Recruitment using Social Media” on 1 September 2016 from 5.00 p.m. to 7.30 p.m. at TERI in Bengaluru.

The objective of this roundtable was to explore the recruitment process and methods followed by ISIS on social media platforms like Facebook and Twitter and to understand the difficulties faced by law enforcement agencies and platforms in countering the problem while understanding existing counter measures, with a focus on the Indian experience.

Reviewing Existing Literature

To provide context to the discussion, a few key pieces of existing literature on online extremism were highlighted. Discussing Charlie Winter’s “Documenting the Virtual Caliphate”, a participant outlined the multiple stages of the radicalisation process that begins with a person being exposed to general ISIS releases, entering an online filter bubble of like minded people, initial contact, followed by persuasion by the contact person to isolate the potential recruit from his/her family and friends. This culminates with the assignment of an ISIS task to such person. The takeaway from the paper, was the colossal scale of information and events put out by ISIS on the social media. It was pointed out that contrary to popular belief, ISIS publishes content under six broad themes: mercy, belonging, brutality, victimhood, war and utopia, least of which falls under the category of brutality which in fact garners the most attention worldwide. It was further elaborated that ISIS employs positive imagery in the form of nature and landscapes, and appeals to the civilian life within its borders. This strategy is that of prioritising quantity, quality, adaptability and differentiation while producing media. This strategy of producing media that is precise, adaptable and effective, according to the author, must be emulated by Governments in their counter measures, although there is no universal counter narrative that is effective. This effort, he stressed cannot be exclusively state-driven.

JM Berger’s “Making Countering Violent Extremism Work” was also discussed. Here, a slightly different model of radicalisation has been identified with potential recruits going through 4 stages: the first being that of Curiosity where there is exposure to violent extremist ideology, the second stage is Consideration where the potential recruit evaluates the ideology, the third being Identification where the individual begins to self identify with extremist ideology, and the last being that of Self-Critique which is revisited periodically. According to Berger, law enforcement need only be involved in the third stage identified in this taxonomy, through situational awareness programs and investigations. This paper stated that counter-messaging policies need not mimic the ISIS pattern of slick messaging. A data-driven study had found that suspending and suppressing the reach of violent extremist accounts and individuals on online platform was effective in reducing the reach of these ideologies, though not universally so. It also found that generic counter strategies used in the US was more efficient than targeted strategies followed in Europe.

Lack of Co-ordination, Fragmentation between the States and Centre

Speaking of the Indian scenario in particular, another participant brought to light the lack of co-ordination and consensus between the State and Central Governments and law enforcement agencies with respect to countering violent extremism with leads to a breakage in the chain of action. Another participant added that the underestimation of the problem at the state level coupled with the theoretical and abstract nature of work done at the Centre is another pitfall. While the fragmentation of agencies was stated to be ineffective, bringing them under the purview of a single agency was also proposed as an ineffective measure. It was instead suggested that a neutral policy body, and not an implementing body, should coordinate the efforts of the multiple groups involved.

Unreliable Intelligence Infrastructure

It was pointed out that countries are presently underequipped due to the lack of intelligence infrastructure and technical expertise. This was primarily because agencies in India tend to use off-the shelf hardware and software produced by foreign companies, and such heavy dependence on unreliable parts will necessarily be detrimental to building reliable security infrastructure. Emphasis was laid on the significance of collaboration and open-source intelligence in countering online radicalisation. An appeal was made to inculcate a higher IT proficiency, indigenous production of resources, funding, collaboration, integration of lower level agencies and more research to be produced in this regard.

Proactive Counter Narratives

The importance of proactive counter-narratives to extremist content was stressed on, with the possibility of generating inputs from government agencies and private bodies backing the government being discussed. Another solution identified was the creation and internal circulation of a clear strategy to counter the ISIS narrative and the public dissemination of research on online radicalization in the Indian context.

Policies of Social Media Platforms

The conversation moved towards understanding policies of social media. One participant shed light on a popular platform’s strategies against extremism, wherein it was pointed out that the site’s tolerance policy extends not only to directly extremist content but also content created by people who support violent extremism .The involvement of the platform with several countries and platforms in order to create anti-extremist messaging and its intention to expand these initiatives was in furtherance of its philosophy to prevent any celebration of violence. The participant further explained that research shows that anti-extremist content that made use of humour and a lighter tone was more effective than media which relied on gravitas.

Having identified the existing literature and current challenges, the roundtable concluded with suggestions for further areas of research:

Understanding the use of encrypted messaging services like Whatsapp and Telegram for extremism, and an analysis of these platforms in the Indian context. A deeper understanding of these services is essential to gauge the dimensions of the problem and identify counter measures.
A lexical analysis of Indian social media accounts to identify ISIS supporters and group them into meta-communities, similar to research done by the RAND Corporation
Collation of ISIS media packages was also flagged off as an important measure in order to have a dossier to present to the government. This would help policymakers gain context around the issue, and also help them understand the scale of the problem.

For more details visit https://cis-india.org/internet-governance/blog/isis-and-recruitment-using-social-media-2013-roundtable-report

Is your personal information under lock and key?

Admin — 2018-01-16T16:54:33Z

Customers, be more careful about how you log in and log off!

The article by Sravanthi Challapalli was published by Hindu Businessline on January 16, 2018.

We’re coming off a year that was highlighted by several data breaches around the world. In India, the Aadhaar debate continues to make headlines, with allegations about its data theft and Big Brother potential for surveillance. And for quite a while now, the marketing world has been suffused with mention of artificial intelligence, chatbots, big data, data-driven analytics, and other such buzzwords. The ultimate, stated aim is to make life simpler for the citizen/customer. But how secure is our data, which we put out there both voluntarily and by mandate, and what can we do to protect it?

Laziness will hurt

A study by security services provider Gemalto found that retailers (76 per cent), banks (74 per cent) and social media sites (71 per cent) operating in India have a lot of work to do on this front. Consumers would leave if their personal information suffered a breach, it said. Even as the majority of customers said businesses don’t treat their data with due respect, they did not take enough precautions themselves, it observed. Fifty-one per cent of the study’s respondents used the same password across several online accounts and many did not use even available solutions such as two-factor authentication to protect social media accounts, making them susceptible to data breaches. They also believed the onus of protecting data lay on the business.

Caveats of little help

The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

So, caveat emptor? “Caveat emptor has meaning only when the customer has enough knowledge to protect himself,” says Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society. Using the sausage factory analogy (no one knew what went into the products and how clean they were), he says few know how big data is used. Regulation can help in this regard. He expects India to have data protection rules in place in a couple of years.
The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

Efficiency all round

ICICI Prudential Life Insurance Executive Director Puneet Nanda says digital data storage has catalysed efficiency on several fronts. “Technology helps us swiftly identify the nominee and facilitates faster payouts as compared to the times when the information was stored physically. It has improved turnaround times and enabled delivery of superior service leading to higher customer satisfaction. Corporations can provide customers instant gratification. Today, we can issue a policy in minutes. Proliferation of technology has enabled corporations to identify customer needs and make offers best suited to their requirements.”

CIS will offer comments to the Srikrishna Committee. Abraham says such laws in other countries define what personal information is, establish the office of the regulator, have powers to receive and investigate complaints and ensure marketers fall in line. Regulators have punitive powers as well. In 2014, telecom major Verizon had to pay $7.4 million in the US to settle a Federal Communications Commission complaint about advertising to customers without letting them know they had an opt-out option. The privacy conditions one routinely “agrees” to online does not give the data controller a free ticket to do what they want with the information, he says.

Not much one can do

Abraham says there is very little the customer can do, other than “acts of civil disobedience, tell lies, fill out false information” when there’s little protection. Rana Gupta, Vice President – APAC, Identity and Data Protection, Gemalto, says one is not left with many choices in an increasingly digital world, not to mention the social pressure. Imagine asking for time off from work to withdraw some cash from your bank because you are suspicious of ATMs? “Users have to rely on organisations doing the right thing,” he says. Regulation making data encryption and second-factor authentication mandatory will help. Customers have begun to ask how data is being secured, and whether it is encrypted. Addressing such concerns would help businesses such as e-commerce and banks, which are increasingly dependent on an online presence.

Even though they’re painful to remember and key in, long passwords that include a capital letter, a special character and a number are deterrents to misuse, as are one-time passwords and messages that alert/ confirm users logging in to an account or transacting a deal. Rohan Bhargava, Co-founder of cashback and coupons site CashKaro.com, says businesses have to design the best methods to thwart the worst intentions. “Companies are vulnerable when they take short cuts at basic processes.”

Bhargava says his company prefers to build most of the technical products it needs, itself, rather than resort to third-party builders/providers. Marketers, he says, experiment with a lot of untested products and the scripts they use can be the root of the problem.

Checks and balances at every stage, running security reviews whenever something changes, effectively managing the life cycle of the encryption keys and limiting access to customer data are vital. The responsibility for securing data lies with both customer and marketer but the latter’s is the larger responsibility as it is they who implement and have the infrastructure that the user does not, says Gemalto’s Gupta.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key