We are anonymous, we are legion

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns

India's biometric database crosses billion-member mark

praskrishna — 2016-04-07T02:54:08Z

India's biometric database notched up one billion members on Monday, as the government sought to allay concerns about privacy breaches in the world's biggest such scheme.

The news by AFP was published by Daily Mail, UK on April 4, 2016. Sunil Abraham gave inputs.

The database was set up seven years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93 percent of India's adult population have now registered their fingerprints and iris signatures and been given a biometric ID, according to the government.

IT minister Ravi Shankar Prasad hailed it as "an instrument of good governance" at a ceremony in New Delhi marking the crossing of the one-billion member mark.

Prasad said the initiative, inherited from the previous left-leaning Congress government, had enabled millions to receive cash benefits directly rather than dealing with middlemen.

He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone -- by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates.

He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database.

"We have taken all measures to ensure privacy. The data will not be shared with anyone except in cases of national security," Prasad said.

His comments come after parliament passed legislation last month giving government agencies access to the database in the interests of national security.

It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house.

The way it was passed, as well as the legislation itself, raised concerns about government agencies accessing private citizens' details.

Internet experts have also raised fears about the safety of such a massive database, including hacking and theft of details.

"It was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, 'we are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!'," Sunil Abraham, executive director of the Centre for Internet and Society, wrote in India's Frontline news magazine.

For more details visit https://cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable

praskrishna — 2017-02-14T14:57:33Z

"Indians in general have yet to understand the meaning and essence of privacy," says Member of Parliament, Tathagata Satpathy.

The blog post was published by Mashable India on February 14, 2017. Sunil Abraham was quoted.

But on Feb. 3, privacy was the hot topic of debate among many in India, thanks to a tweet that showed random people being identified on the street via Aadhaar, India's ubiquitous database that has biometric information of more than a billion Indians.

That's how India Stack, the infrastructure built by the Unique Identification Authority of India (UIDAI), welcomed OnGrid, a privately owned company that is going to tap on the world's largest biometrics system, conjuring images of Minority Report style surveillance.

But how did India get here?

Aadhaar's foundation

Not long ago, there were more people in India without a birth or school certificate than those with one (PDF). They had no means to prove their identity. This also contributed to what is more popularly known as “leakage” in the government subsidy fundings. The funds weren’t reaching the right people, in some instances, and much of it was being siphoned off by middlemen.

Nearly a decade ago, the government began scrambling for ways to tackle these issues. Could technology come to the rescue? The government dialled techies, people like Nandan Nilekani, a founder of India's mammoth IT firm Infosys, for help.

In 2008, they formulated Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to Social Security number that US residents are assigned, but its implications were further reaching.

At the time, the government said it will primarily use this optional program to help the poor who are in need of services such as grocery and other household items at subsidized rates.

Eight years later, Aadhar, which stores identity information such as a photo, name, address, fingerprints and iris scans of its citizens and also assigns them with a unique 12-digit number, has become the world's largest biometrics based identity system.

According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it said last month.

Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it as much as $5 billion.

But that's not it.

There's a bit of Aadhaar in everyone's life

Aadhaar (Hindi for foundation) has long moved beyond helping the poor. The UPI (Unified Payment Interface), another project by the Indian government that uses Aadhaar, is helping the country's much unbanked population to avail financial services for the first time. Nilekani calls it a "WhatsApp moment" in the Indian financial sector.

In December last year, Prime Minister Narendra Modi launched BHIM, a UPI-based payments app that aims to get millions of Indians to do online money transactions for the first time, irrespective of which bank they had their accounts with. With BHIM, transferring money is as simple as sending a text message. People can also scan QR codes and pay merchants for their purchases.

"This app is destined to replace all cash transactions," Modi said at the launch event. "BHIM app will revolutionize India and force people worldwide to take notice," he added.

The next phase, called Aadhaar Enabled Payments System will do away with smartphones. People will be able to make payments by swiping their finger on special terminals equipped with fingerprint sensors rather than swiping cards.

Last year, the government said people could store their driver license documents in an app called DigiLocker, should they want to be relieved from the burden of carrying paper documents. DigiLocker is a digital cloud service that any citizen in India can avail using their Aadhaar information.

The government also plans to hand out "health cards" to senior citizens, mapped to their Aadhaar number, which will store their medical records, which doctors will be able to access.

“Aadhaar is an instrument for good governance. Aadhaar is the mode to reach the poor without the middlemen,” Ravi Shankar Prasad, India’s IT minister said in a press conference last year.

But despite all the ways Aadhaar is making meaningful impact in millions of lives, some people are very skeptical about it. And for them, the scale at which Aadhaar operates now is only making things worse.

A security nightmare

There have been multiple reports suggesting bogus and fake entries in Aadhaar database. Instances of animals such as dogs and cows having their own Aadhaar identification numbers have been widely reported. In one instance, even Hindu god Hanuman was found to have an Aadhaar card.

The problem, it appears, is Aadhaar database has never been verified or audited, according to multiple security experts, privacy advocates, lawyers, and politicians who spoke to Mashable India this month.

“There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified,” Member of Parliament and privacy advocate, Rajeev Chandrasekhar told Mashable India. “Aadhaar isn’t foolproof, and this has resulted in fake data get into the system. This in turn opens new gateways for money launderers,” he added.

Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There’s little a person whose Aadhaar data has been compromised could do. “Citizens who have voluntarily given their data to Aadhaar authority, as of result of this, are at risk,” he added.

Rahul Narayan, a lawyer who is counselling several petitioners challenging the Aadhaar project, echoed similar sentiments. “There’s no concrete regulation in place,” he told Mashable India. “The scope for abuses in Aadhaar is very vast,” he added.

But regulation — or its lack thereof — is only one of the many challenges, experts say. Sunil Abraham, the executive director of Bangalore-based research organisation the Centre for Internet and Society (CIS), says the security concerns around Aadhaar are alarming.

“Aadhaar is remote, covert, and non-consensual,” he told Mashable India, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling.

Abraham said fingerprint and iris data of a person can be stolen with little effort — a “gummy bear” which sells for a few cents, can store one’s fingerprint, while a high resolution camera can capture one’s iris data.

Aadhaar doesn’t use basic principles of cryptography, and much of its security is not known.

Aadhaar is also irrevocable, which strands a person, whose data has been compromised, with no choice but to get on with life, Abraham said, adding that these vulnerabilities could have been averted had the government chosen smart cards instead of biometrics.

On top of this, he added, that Aadhaar doesn’t use basic principles of cryptography, and much of the security defences it uses are not known.

Had the government open sourced Aadhaar code to the public (a common practice in the tech community), security analysts could have evaluated the strengths of Aadhaar. But this too isn’t happening.

At CIS, Sunil and his colleagues have written over half-a-dozen open letters to the UIDAI (the authority that governs Aadhaar project) raising questions and pointing holes in the system. But much of their feedback has not returned any response, Abraham told Mashable India.

India Stack: A goldmine for everyone

As part of its push to make Aadhaar more useful, the UIDAI created what is called India Stack, an infrastructure through which government bodies as well as private entities could leverage Aadhaar's database of individual identities. This is what sparked the initial debate about privacy when India Stack tweeted the controversial photo.

Speaking to Mashable India, Piyush Peshwani, a founder of OnGrid, however dismissed the concerns, clarifying that the picture was for representation purposes only. He said OnGrid is building a trust platform, through which it aims to make it easier for recruiters to do background check on their potential employees after getting their consent.

India Stack and OnGrid have since taken down the picture from their Twitter accounts. "OnGrid, much like other 200 companies working with UIDAI, can only retrieve information of users after receiving their prior consent," he said.

The lack of information from the UIDAI and India Stack is becoming a real challenge for citizens, many feel. There also appears to be a conflict of interest between the privately held companies and those who helped design the framework of Aadhaar.

As Rohin Dharmakumar, a Bangalore-based journalist pointed out, Peshwani was part of the core team member of Aadhaar project. A lawyer, who requested to be not identified, told Mashable India that there is a chance that these people could be familiar with Aadhaar’s roadmap and use the information for business advantage, to say the least.

Most people Mashable India spoke to are questioning the way these third-party companies are handling Aadhaar data. There is no regulation in place to prevent these companies from storing people’s data or even creating a parallel database of their own — a view echoed by Abraham, Narayan, and Chandrasekhar.

Not mandatory only on paper

But for many, the biggest concern with Aadhaar remains just how aggressively it is being implemented into various systems. For instance, in the past one month alone, students in most Indians states who want to apply for NEET, a national level medical entrance test, were told by the education board CBSE that they will have to provide their Aadhaar number.

A few months ago, Aadhaar was also made mandatory for students who wanted to appear in JEE, an all India common engineering entrance examination conducted for admission to various engineering colleges in the country.

The apex Supreme Court of India recently asked the central government to register the phone number of all mobile subscribers in India (there are about one billion of those in India) to their respective Aadhaar cards. Telecom carriers are already enabling new connections to get activated by verifying users with Aadhaar database.

A prominent journalist who focuses on privacy and laws in India questioned the motive. “When they kickstarted UIDAI, people were told that this an optional biometrics system. But since then the government has been rather tight-lipped on why it is aggressively pushing Aadhaar into so many areas,” he told Mashable India, requesting not to be identified.

"It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar."

“It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar. The Aadhaar card is being offered to people in need, especially the poor, by making them believe that services and subsidies provided by the government will be held back from them unless they register,” Satpathy told Mashable India.

The central government said last week Aadhaar number would be mandatory for availing food grains through the Public Distribution System under the National Food Security Act. In October last year, the government made Aadhaar mandatory for those who wanted to avail cooking gas at subsidized prices.

“No matter how many laws are made about not making Aadhaar mandatory, ultimately it depends on the last mile person who is offering any service to inform citizens about their rights,” Satpathy added.

“These last-mile service providers are companies who would benefit from collecting and bartering big data for profit. They would be least interested to inform citizens about their rights and about the not mandatory status of Aadhaar.

“As Aadhaar percolates more and is used by more government and private services, the citizen will start assuming it's a part of their life. This card is already being misunderstood as if it is essential like a passport,” he added.

“My worry is that this data will be used by government for mass surveillance, ethnic cleansing and other insidious purposes,” Satpathy said. “Once you have information about every citizen, the powerful will not refrain from misusing it and for retention of power. The use of big data for psycho-profiling is not unknown to the world anymore.”

Mashable India reached out to UIDAI on Feb. 8 for comment on the privacy and security concerns made in this report. At the time of publication, the authority hadn't responded to our queries.

For more details visit https://cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate

India's Aadhaar mandate for smartphone makers may rile global firms

praskrishna — 2016-09-15T02:25:31Z

They are unlikely to oblige to request to make changes in their operating system and devices to ensure Aadhaar authentication is done securely on smartphones.

The article by Alnoor Peermohammed was published in the Business Standard on September 14, 2016. Sunil Abraham was quoted.

India is asking global smartphone makers such asApple and Google to adopt locally designed standards on their devices or operating systems that would allow use of biometric scanners for Aadhaarauthentication, a move that could face resistance from global firms.

Apple, the world’s largest smartphone maker runs its own iOS closed ecosystem and mandates apps built by developers to be certified by the company. Its closest rival Google, which owns the Android operating software that runs on nine out of ten smartphones in India, has directives for device makers to comply with. Firms such as Samsung, Lenovo and Micromax build smartphones on the Android OS that are sold in India.

Most global companies are unlikely to oblige India’s request that would require to make changes in their operating system and devices to ensure Aadhaarauthentication is done securely on smartphones, say analysts.

“There is no clarity so far. As of now, it is impossible that they (global smartphone makers) would oblige for a hardware safe zone baked on the sensors,” says Sunil Abraham, executive director at Centre for Internet and Society, a Bengaluru-based researcher that works on emerging technologies. “Because the biometrics contain sensitive personal information, they (UIDAI) don’t want anybody — vmobile manufacturer, OS vendor, telco or ISP — to intercept it”.

India is hoping that global firms would accept the country’s plea considering that most of India’s population use a mobile phone as their only computing device and need them to authenticate on Aadhaar for using government and banking services.

“Right now we’re in consultation with all these device manufacturers as well as the operating system vendors,” said Ajay Bhushan Pandey, Director General of the Unique Identification Authority of India (UIDAI) in a phone interview. “Basically we’re trying to evolve our system wherein a manufacturer or the devices where those operating systems are being used will have a facility where Aadhaar authentication can be made possible in a secure manner.”

India has over 105 crore people or 98% of adult population with Aadhaar. Most government and private organisations use Aadhaar authentication to issue services or products such as opening a bank account, getting a ration card or buying a mobile connection.

Reliance plans to reduce paperwork and issue connections in less than an hour usingAadhaar and try to get its 100 million target market sooner.

Over a fifth of India’s one billion users own smartphones and as the country sees better mobile internet access, more people are expected to upgrade to smartphones and use apps to access their banks to transfer funds, do online shopping and access government services.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohammed-september-14-2016-indias-aadhaar-mandate-for-smartphone-makers-may-rile-global-firms

India's ‘Facebook ruling’ is another nail in the coffin of the MNO model

praskrishna — 2016-02-28T03:44:34Z

Ability to access 'net from mobe no longer considered a miracle.

The article was published in the Register on February 15, 2016. Pranesh Prakash gave inputs.

Nobody could accuse India’s telecoms regulator, TRAI, of being in the operators’ pockets. This month it has, once again, set eye-watering reserve prices for the upcoming 700 MHz spectrum auction (see separate item), and now it has taken one of the toughest stances in the world on net neutrality, in effect banning zero rated or discounted content deals like Reliance Communications’ Facebook Basics, or Bharti Airtel’s Zero.

In a ruling last Monday, TRAI said telecoms providers are banned from offering discriminatory tariffs for data services based on content, and from entering deals to subsidize access to certain websites. They have six months to wind down any existing arrangements which contravene the new rules. Its stance is even stricter than in other countries with strong pro-neutrality laws, such as Brazil and The Netherlands.

“This is the most extensive and stringent regulation on differential pricing anywhere in the world,” Pranesh Prakash, policy director at the Centre for Internet and Society, said. “Those who suggested regulation in place of complete ban have clearly lost.”

Such decisions, combined with high spectrum costs, will quickly make the traditional cellular business model unworkable in India, and the more that happens, the more wireless internet innovation will switch to open networks running on Wi-Fi and unlicensed spectrum. R.S. Sharma, chairman of TRAI, was careful to tell reporters that the zero rating ruling would not affect any plans to offer free Wi-Fi services, like those planned by Google in a venture with Indian Railways.

A disaster for MNOs, not Facebook

Facebook pronounced itself “disappointed” at TRAI’s ruling, having lobbied aggressively for a more flexible approach since RCOM was forced to suspend the Basics offering in December while the consultation process took place. But while the ruling bars the Basics offering – which provided free, low speed access, on RCOM’s network, to a selection of websites, curated by Facebook – it does not stop the social media giant pursuing other initiatives within its internet.org umbrella. These include projects to extend access using its own networks, powered by drones and unlicensed spectrum, to the unserved of India and other emerging economies.

So while the TRAI decision may be a setback for Facebook, it is not the body blow that it represents for the MNOs with their huge debt loads and infrastructure costs, and low ARPUs. Facebook, with 130m users in India, has a comparable reach to the Indian MNOs (only three, Bharti Airtel, Vodafone and Idea, have more subscribers than Facebook has users), and is better skilled at monetizing those consumers.

The challenge for companies like Facebook is that strict neutrality rules reduce their ability to harness others’ networks in order to reach out to new users. There are about 240m people in India who are online, but don’t use Facebook, and about 800m who are not connected, so the growth potential is far larger than in the other 37 countries where Basics is offered, such as Kenya or Zambia (Facebook is blocked in China). Using RCOM’s network and marketing activities was a far cheaper way to reach some of those people than launching drones, but Facebook has other options too, including its existing efforts to make its services more usable on very basic handsets and connections; the ability to leverage the WhatsApp brand; and partnerships with Wi-Fi providers.

The drones may have less immediate results than Basics, but they are a high profile example of an ongoing shift towards open networks, which has been going on for years, driven more by Wi-Fi proliferation than neutrality laws. The latter will be an accelerant, however.

All internet will be free, not zero rated

Currently, zero rating is an increasingly popular tactic to lure users with an apparently cheap deal and then, hopefully, see them upgrade to richer data plans, or spend money on m-commerce and premium content, in future. Zero rating involves allowing users access to selected websites and services without it affecting their data caps or allowances.

The US regulator has so far tolerated the practice, but the debate is raging, there and elsewhere, over whether it infringes neutrality laws, by offering different pricing for different internet services. If other authorities take the stance adopted by TRAI in India, operators will have to find new ways to attract customers and differentiate themselves.

Increasingly, access to a truly open internet will be the baseline, and priced extremely low. That low pricing will be made commercially viable by rising use of Wi-Fi to reduce cost of data delivery, whether for MNOs, wireline providers or web players like Google and Facebook, which are moving into access provision. Providers, whether traditional or new, will have to stop regarding access to the internet as a premium service or a privilege – it will be more akin to connecting someone to the electricity grid, just the base enabler of the real revenue model.

Just as it’s only when users plug something into that grid that they start to pay fees, so the operators will charge for higher value offerings which ride on top of the internet – premium content, enterprise services, cloud storage, freemium applications and so on.

The mobile operators have not embraced these ideas willingly. For years, the ability to access the internet from a mobile device was regarded as a value-add, almost a miracle. Now that the wireless network is often the primary access method, they need to change their ideas and be more like the smarter cablecos – which have tacked internet access onto a model driven by paid-for content and services – or the web giants, which have worked out ways to monetize ‘free’ access, from advertising to big data.

This, of course, is one of the goals of internet.org and Google’s similar initiatives involving drones, white space spectrum and satellites. The more users are able to access the internet, preferably for free, and the more they see Google or Facebook as their primary conduits to the web, the more data these companies have to feed into their deep learning platforms, their context aware services and their advertising and big data engines.

So while critics of TRAI said the zero rating decision was a setback to the goal of getting internet access into the hands of the huge underserved population of India, that population is too large and potentially rich for Facebook and its rivals to give up at the first hurdle.

Facebook CEO Mark Zuckerberg wrote in a blog post: "While we're disappointed with today's decision, I want to personally communicate that we are committed to keep working to break down barriers to connectivity in India and around the world. Internet.org has many initiatives, and we will keep working until everyone has access to the internet."

For more details visit https://cis-india.org/telecom/news/the-register-february-15-2016-india-facebook-ruling-is-another-nail-in-coffin-of-mno-model

India's 'Big Brother': The Central Monitoring System (CMS)

maria — 2013-12-06T09:39:20Z

In this post, Maria Xynou looks at India´s Central Monitoring System (CMS) project and examines whether it can target individuals´ communications data, regardless of whether they are involved in illegal activity.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

For more details visit https://cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

India won't censor social media: Telecom Minister

praskrishna — 2012-03-01T07:15:29Z

India does not intend to censor online social networks such as Facebook, a minister said Tuesday, but he demanded that they obey the same rules governing the press and other media. The article by AFP was published in the Tribune on February 14, 2012.

“I never wanted to censor social media and no government wants to do so. But like the print and electronic media, they have to obey the laws of the country.” He held a number of meetings with leading Internet companies late last year in which he asked about the possibility of checking content before it is posted online by users.

The minister was said to have shown Internet executives examples of obscene images found on the Internet that risked offending Muslims or defaming politicians, including the boss of the ruling Congress party, Sonia Gandhi. “The media reported I had said I wanted to pre-screen the content on social media. I have never even heard the word pre-screen,” he told the summit.

Since these meetings, 19 Internet firms including Google, Yahoo! and Facebook have been targeted in criminal and civil cases lodged in lower courts, holding them responsible for content posted by users of their platforms. The government has given its sanction for the firms to be tried for serious crimes such as fomenting religious hatred and spreading social discord — offences that could land company directors in prison.

“All I want is that they (social media) should follow the laws of the land. Social media must not consider itself to be above that,” Sibal said. But Internet privacy groups say social media sites may not have the resources to screen obscene material that violates local laws posted on the Internet. Local laws prohibit the sale or distribution of obscene material as well as those that can hurt religious sentiments in overwhelmingly-Hindu India.

“It is just not humanly possible to pre-censor content and Sibal knows that very well,” said Rajan Gandhi, founder of a New Delhi-based advocacy group Society in Action. Pranesh Prakash of the Bangalore-based Centre for Internet and Society said he was “glad Sibal does not believe in censorship and that companies operating in India should follow local laws.” “But on the other hand he has asked them to evolve new guidelines and actively monitor user content which is not legally sanctioned. This makes him look two-faced,” Prakash added.

Google and Facebook said earlier this month they had removed the allegedly offensive content used as evidence in the court cases.

The groups have appealed to the Delhi High Court asking for the cases against them to be quashed on the basis they cannot be held responsible for their clients’ actions. The comments of a judge hearing the case raised further fears that freedom of expression online could be restricted. “You must have a stringent check. Otherwise, like in China, we may pass orders banning all such websites,” the judge said at the January hearing. Facebook is banned in China and Google moved its operations out of the country in 2010 in protest at censorship laws there.

The debate about social networks mirrors a larger national dialogue about freedom of speech in the world’s biggest democracy following recent protests by religious groups. Indian-origin writer Salman Rushdie was prevented from speaking at a literature festival in Jaipur last month after Muslim groups protested against his presence over his allegedly blasphemous 1988 novel “The Satanic Verses.” A group led by author and journalist Nilanjana Roy organised public readings of banned literary works on Monday to protest against what it said were recent curbs on intellectual freedom.

The initiative, called “Flashreads for free speech”, was widely advertised on social networks including Twitter and Facebook.

Originally published by AFP and reproduced in the Tribune.

For more details visit https://cis-india.org/news/india-wont-censor-social-media

India WhatsApp Privacy Fight May Affect Multinationals

praskrishna — 2017-02-02T02:28:23Z

The Indian Supreme Court’s review of Facebook Inc.'s and WhatsApp Inc.'s data security practices may lack teeth but also presages a desire for a stronger privacy regime and oversight of multinationals, internet and privacy specialists told Bloomberg BNA.

The article by Nayanima Basu was published by Bloomberg BNA on February 1, 2017. Pranesh Prakash was quoted.

WhatsApp revised its privacy policy in August 2016 to share data with owner Facebook and allow targeted ads and messages from businesses, laying the groundwork for the free messaging service to monetize such data. But a public interest complaint, akin to a class action in the U.S., filed by two Indian students and regulatory inquiries have resulted in India’s top court asking Facebook and WhatsApp about their data protection practices.

The court’s move Jan. 17 to seek the information may make multinational companies jittery, Rahul Khullar, former secretary of commerce for India’s Ministry of Commerce and Industry, told Bloomberg BNA. Although stronger data privacy enforcement is needed, all the high court has done is aggravate Facebook and other large multinationals, he said.

Facebook is the second largest media company in the world with a $367 billion market capitalization, Bloomberg data show. It acquired WhatsApp in 2014 for approximately $18 billion, data show. Facebook didn’t immediately respond to Bloomberg BNA’s e-mail request for comments.

Khullar, who is also the former chairman of the Telecom Regulatory Authority of India, said multinationals need to be more careful in sharing their data because of the “distinction between digital non-commercial data and digitally sensitive data,” he said. A strong national data privacy law would resolve some of these issues, he said.

An U.S. official based at the U.S. Embassy in New Delhi, speaking on background, told Bloomberg BNA that any maneuver that restricts the free flow of data may harm the operations of U.S.-based multinationals and similar companies.

Clarity, Stronger Laws Needed

Some internet and privacy specialists say that Facebook and WhatsApp failed to provide effective data protection under Indian law.

Pranesh Prakash, policy director at the nonprofit digital technologies advocate Centre for Internet and Society, told Bloomberg BNA that Facebook and WhatsApp are in violation of Section 43A of the Information Technology Act that lays out “reasonable security practices and procedures.”

Indian citizens are reaching out to the courts for data protection enforcement because lawmakers have “failed to do so,” he said. That highlights the need for robust data protection laws in India and, he said, hopefully “goads the government and Parliament into enacting a privacy and data protection law.”

In lieu of further legislative action, companies may be able to resolve some issues by establishing clearer privacy policies, Niraj Gunde, a Mumbai-based attorney and consumer advocate, told Bloomberg BNA. Most software agreements have a clandestine clause that allows companies to access user data, but those agreements should also state how the data will be used, stored and eventually disposed of, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-bna-february-1-2017-nayanima-basu-india-whatsapp-privacy-fight-may-affect-multinationals

India Weighing Looser Web Rules

praskrishna — 2011-05-31T12:23:22Z

Indian authorities are considering revisions to new Internet regulations after criticism from free-speech advocates and companies like Google Inc. that fear they could be exposed to liability under the regime. This article by Amol Sharma was published in the Wall Street Journal on May 30, 2011.

The rules, which took effect in April, require Internet companies to remove objectionable content from their sites, including anything "grossly harmful" or "harassing," within 36 hours of being notified by authorities. Executives could thereafter face penalties, including stiff fines or even jail time, say lawyers who have reviewed the regulations.

The rules may soon be revised to add greater liability protections for Internet companies, Minister of Communications and Information Technology Kapil Sibal said in an interview.

Mr. Sibal said it is fair for the government to ask Internet companies to put in place codes of conduct that restrain users from posting certain material online, as the regulations do. But he said it is "relatively unfair" to expect Internet companies—which are referred to in the rules as "intermediaries"—to be responsible for third-party content. "To make the intermediary liable for the user violating that code would, I think, not serve the larger interests of the market," Mr. Sibal said.The backlash after the rules were enacted has been growing. Civil-liberties groups are expressing fears the rules are too open to interpretation and could be used by the government to restrict free speech on the Web. The regulations represent an effort by India to get a grip on the Web without the kind of direct censorship or website-blocking practiced in countries like Iran, China and Saudi Arabia.

He said ministry officials are trying to "apply our minds and see if the regime can be made more rational."

In its defense earlier this month, India's ministry said the restrictions rightly require that Internet companies observe due diligence in order to enjoy exemption from liability for content posted by third parties. "These due diligence practices are the best practices followed internationally by well-known mega corporations operating on the Internet," the statement said.

Google was among the companies and nonprofit organizations that offered feedback on the rules before they went into effect. The Web giant unsuccessfully sought changes to limit its potential liability for third-party content and to scale back a list of banned material that it said was "too prescriptive."

The rules also require removal of content that is "ethnically objectionable," "disparaging," or that "harm[s] minors in any way."

On Monday, a Google India spokeswoman referred to a previously issued statement on the matter. "If Internet platforms are held liable for third party content, it would lead to self-censorship and reduce the free flow of information. The regulatory framework should ideally help protect Internet platforms and people's abilities to access information," the statement said. Google has faced requests in many countries to take down content including social-networking profiles and YouTube videos that foreign governments or users find objectionable.

India is one of the world's largest Internet markets, with a user base estimated at more than 80 million. That represents only a slice of its 1.2 billion-strong population, leaving room for growth.

Mr. Sibal, who wasn't the telecom minister when the act was passed, is trying various efforts to boost Web usage. He plans to bring 500,000 villages online within a few years by laying a massive fiber-optic backbone and using wireless devices to let Web traffic travel the "last mile" to rural households.

He said the government has to be careful not to get in the way of Internet companies trying to build up the market. "We need to ensure that we don't put conditions which are adverse to the efficient functioning of the intermediaries," he said. Despite his interest in relaxing the new rules, however, Mr. Sibal said Internet companies must "take into account the sensitivities of the countries in which they're operating."

Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, said his organization and other civil liberties groups are preparing legal challenges to the regulations on constitutional grounds.

He said the groups will broadly argue that the rules have put in place arbitrary and unclear restrictions on speech and have gone beyond the scope of the Information Technology Act of 2008, the law on which they are based.

Mr. Abraham welcomed Mr. Sibal's interest in potentially revising the regulations. "If Kapil Sibal gives this his personal time...there's a good chance the next version would be more robust in terms of constitutionality," he said.

Read the original published by the Wall Street Journal here

For more details visit https://cis-india.org/news/looser-web-rules

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit https://cis-india.org/internet-governance/news/india-trilateral-forum

India tops list of content restrictions requests, says Facebook

praskrishna — 2015-04-03T17:01:53Z

India has again topped the list of content restriction requests in the second half of 2014 with over 5,800 requests recorded in Facebook's Government Requests Report released on Sunday.

The article by Neha Alawadhi was published in the Economic Times on March 17, 2015. Pranesh Prakash gave his inputs.

"Overall, we continue to see an increase in government requests for data and content restrictions. The amount of content restricted for violating local law increased by 11% over the previous half, to 9,707 pieces of content restricted, up from 8,774," said Monika Bickert, Facebook's head of global policy management, and Chris Sonderby, deputy general counsel, in a statement on the social networking website.

Facebook saw a rise in content restriction requests from countries like Turkey and Russia, while requests from countries like Pakistan came down. The number of content restriction requests from Pakistan came down to 54 in the second half of 2014 from 1,773 in the first half. The number of content restriction requests from India rose to 5,832 from 4,960 in the first half.

India has been the top requestor for content restrictions in the past one and a half years, and the number of these requests and for user account data from the country have consistently been on the rise.

Facebook said that while the number of government requests for user account data remained relatively flat in the six-month period, there was an increase in data requests from "governments such as India, and decline in requests from countries such as the United States and Germany".

India made 5,473 requests for user account data in the six months ending December 2014, second only to the United States, which made 14,274 requests in the same period. About 45% of the requests made by India led to Facebook producing some data, according to the report, while 79% of the requests made by the US were complied with.

"Of course, the figures are alarming... But it would have been better if Facebook had also given us more information on the kind of data that was being asked for. Now we only have consolidated figures. So what kind of data was asked for, that would have been more useful," said counsel for the Software Freedom Law Centre.

India is the second largest market for Facebook, with 112 million users until last year, second only to the United States. According to Pranesh Prakash, policy director at the Centre for Internet and Society, "the number of content restriction requests are not only high on an absolute number, but even on a per-user basis".

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-17-2015-neha-alawadhi-india-tops-list-of-content-restrictions-requests-says-facebook

India Today Conclave Next 2017: Aadhaar was rushed, says MP Rajeev Chandrashekhar

praskrishna — 2017-11-26T06:41:07Z

Talking at the ongoing India Today Conclave Next 2017, MP Rajeev Chandrashekhar said that Aadhaar was rushed and foisted on the country by authorities that fail to first create a proper ecosystem. Chandrashekhar gave his comments at a keynote titled Privacy -- The Fundamental Right for the Digital Citizen.

The article by Priya Pathak was published by India Today on November 8, 2017.

Chandrashekhar, who has been vocal on the issues like data protection, privacy and net neutrality, said that the government should have created a proper ecosystem for Aadhaar by bringing norms and laws around data protection and privacy before asking people to sign up for the unique ID.

The MP talked about India's journey from being a largest unconnected world to becoming the largest connected world. But Chandrashekhar criticised the "flawed" Aadhaar and said that it was a classic example of how a government system would push for technology in governance without addressing key bits of the ecosystem around the citizen and the consumer.

"If that (Aadhaar) wasn't enough, the IT act and section 66A and its language and its vagueness and its potential for misuse was another example of the faults of a bureaucracy or a political system trying to legislate or create solutions in the digital world, " he said.

At the same time, he lauded the recent Supreme Court order that held all Indians had fundamental right to privacy. "The latest finding of Supreme Court of Privacy as fundamental right is a big deal and it will alter number of things going forward," he said. He added that there should be more debate and discussion on data privacy as there is an attempt to characterise data privacy as some of kind of elitist issue in India which it's not.

Privacy, especially for the digital world, currently is one of the most debated topics in India. The country in the past few years has seen a number of instances where a government or a private entity has knowingly or unknowingly compromised the data of its users. Recently a study published by Centre for Internet and Society, a Bengaluru-based organisation, revealed that private data of more 130 million Aadhaar card holders were leaked from four government websites.

The Supreme Court in August this year declared privacy as a fundamental right. A nine-judge Constitution bench headed by Chief Justice J S Khehar has declared that "right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution".

The move has been praised by many including Rajeev Chadrashekhar who has said that it is a big welcome step. "It is clear that Aadhaar and all other legislations existing and proposed will have to meet the test of privacy being a fundamental right," he recently said.

For more details visit https://cis-india.org/internet-governance/news/india-today-priya-pathak-november-8-2017-india-today-conclave-next-2017-aadhaar-was-rushed-says-mp-rajeev-chandrashekhar

India To Let Private Companies Access Citizens’ Biometric Data

praskrishna — 2017-02-27T15:09:16Z

India, home to the world’s largest national biometric registry, plans to begin sharing citizens’ data with the country’s private companies and startups.

The blog post by Joshua Kopstein was published by Vocativ on February 21, 2017. Sunil Abraham was quoted.

The government-backed program, called “India Stack,” will allow the second most populous country on Earth to share nearly all of its 1.3 billion citizens’ fingerprints, iris scans, and more, potentially creating unprecedented security and privacy risks in the name of convenience and digital commerce.

India Stack will open up the country’s troves of biometric data to Indian software developers, health care providers, and any other business interested in using the government’s identification records in their apps and services. The Indian government hopes the move will spur innovation, jumpstarting its effort to create a centralized system of digital commerce where citizens can purchase goods, apply for health insurance, or even qualify for a loan using the biometric sensors on their smartphones.

Opponents, however, warn that the sharing scheme opens a Pandora’s box of security and privacy problems, dramatically increasing the likelihood of data breaches and abuse.

“It’s the worst time for privacy policy in the country,” Sunil Abraham, the executive director of the Bangalore-based Centre for Internet and Society, told the Wall Street Journal. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”

The dangers aren’t just hypothetical. In 2015, an unprecedented breach at the U.S. Office of Personnel Management allowed hackers to steal the fingerprints of 5.6 million federal employees. Researchers have found that stolen fingerprints can be used to commit fraud and identity theft, and even replicated and used to unlock smartphones and other personal devices. Worst of all, unlike passwords and social security numbers, biometric identifiers like fingerprints can never be changed, meaning that any breach is virtually guaranteed to have long-term consequences.

The India Stack program is the latest in several recent schemes to push the country toward a fully-digitized and cashless economy. As of December 2016, the Unique Identification Authority of India had registered more than 91% of the population into a centralized system called Aadhaar, which integrates with banks and allows citizens to complete transactions and access government services using their fingerprints. The country has also temporarily withdrawn its higher-denomination bank notes from circulation in an effort to bolster digital payment systems.

“While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns,” the Centre For Internet and Society wrote in a paper outlining the privacy risks of India’s digital identity system. “Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.”

India’s program has already gone far beyond other countries’ biometric data collection schemes, which have mostly been limited to passports and border control. But law enforcement officials’ smaller, more piecemeal efforts to collect biometric information have also raised alarm over their potential for abuse. Thanks to the cooperation of 16 state DMVs, one in two Americans currently has their photo registered to a law enforcement face recognition database – regardless of whether they’ve been charged or even suspected of a crime. Local police in several U.S. states have also begun collecting iris scans and DNA swabs from people randomly stopped on the street, in some cases specifically targeting African American children.

For more details visit https://cis-india.org/internet-governance/news/vocativ-joshua-kopstein-india-private-companies-citizens-biometric-data

India To Introduce Virtual ID For Aadhaar To Strengthen Privacy

Admin — 2018-01-17T00:11:13Z

The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.

The blog post was published by Bloomberg Quint on January 11, 2018.

The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.

The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.

Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.

This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.

The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.

As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.

It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.

Virtual ID, by design being temporary, cannot be used by agencies for duplication.
UIDAI Circular

Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for that after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.

Who Can Store Your Aadhaar Data?

The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.

Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.

The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.

Transition To New System

UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.

If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.

UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training session to ensure smooth implementation.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy