We are anonymous, we are legion

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit https://cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

How the UID project can be a cause for concern

praskrishna — 2018-04-09T12:59:02Z

The Unique Identification Authority of India (UIDAI), headed by Nandan Nilekani, is the UPA government's most ambitious project, where one billion Indians are branded with a unique identity number.

Prime Minister Manmohan Singh handed over the first of the Aadhaar cards at Tembhli village in Nandurbar district of Maharashtra. This mammoth project aims to provide Indian residents with a unique 12-digit identification number that will serve multiple purposes.

Given the reach and the impact of such an exercise there is much excitement around the Unique Identity (UID) number (also known as Aadhaar) drive, along with some confusion.

However, there remains some concerns of identity theft.

For example, the number is linked to their fingerprints and the patterns in their eyes. Since those markers are unique to each of us, no one will steal their rations and wages again. They will be issued only after verification. But our eye's Iris patterns change, with age, disease or malnourishment. Fake fingerprints can very easily be made. Hence, the unique element of these numbers can be tampered.

Sunil Abraham, Director, Centre for Internet and Society said, “If I leave my fingerprints around, my identity can be stolen and transactions done on my behalf.”

Activists claim that in a few years, banks, insurance companies, cell phone providers and hospitals will demand UID number before doing business with you. They could use that number, to share information about anybody.

Hence, Abraham said, “An insurance company and a hospital can merge databases. If you have AIDS or TB, they can bump up your premium, or refuse you cover.”

Usha Ramanathan, lawyer said, “Say I go to Srinagar six times in a month. That information could be accessed by the government because the airlines asked for my number before booking a ticket. And that could make me a suspect. There's something wrong in being treated as a suspect for no other reason, than state paranoia.”

Interestingly, even though India seems excited about this project, Britain recently stopped attempts at biometric based identification systems, after warnings that such a database could easily be hacked.

See the video here.
See the original coverage in IBN Live

For more details visit https://cis-india.org/news/uid-project-concern

How The U.K. Got A Better Deal From Facebook Than India Did

praskrishna — 2016-11-18T01:56:49Z

The U.K.’s Information Commissioner’s Office (ICO) and India’s Karmanya Sareen shared a similar concern – how messenger application WhatsApp’s decision to share user data with parent Facebook is a violation of the promise of privacy.

The blog post by Payaswini Upadhyay was published in Bloomberg Quint on November 17, 2016. Sunil Abraham was quoted.

Last week, Facebook agreed to address the concerns of the ICO; in India, it didn’t have to.

WhatsApp: New Privacy Policy

In August 2016, WhatsApp issued a revised privacy policy that allowed it to share user information with parent company Facebook. Any user who didn’t want her information to be shared with Facebook had a 30-day period to opt out of the policy. Opting out meant that a user’s account information would not be shared with Facebook to improve ads and product experiences. But, there was a caveat.

The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
WhatsApp Support Team statement on its website

Facebook’s Commitment To ICO

The ICO decided to delve deeper into what Facebook intended to do with the WhatsApp user data. Elizabeth Denham, Information Commissioner, ICO stated in her blog that users haven’t been given enough information about what Facebook plans to do with the information, and WhatsApp hasn’t got valid consent from users to share the information.

I also believe users should be given ongoing control over how their information is used, not just a 30-day window.
Elizabeth Denham, Information Commissioner, ICO

Denham further elaborated ICO’s stand - that it’s important users have control over their personal information, even if services don’t charge them a fee.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes.
Elizabeth Denham, Information Commissioner, ICO

The ICO has now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data will be used, and to giving users ongoing control over that information. Additionally, the ICO also wants WhatsApp to give users an unambiguous choice before Facebook starts using that information and for them to be given the opportunity to change that decision at any point in the future. Facebook and WhatsApp are yet to agree to this, Denham stated.

If Facebook starts using the data without valid consent, it may face enforcement action from my office.
Elizabeth Denham, Information Commissioner, ICO

In the U.K., protections in the European Data Protection Directive have been incorporated into local law via the Data Protection Act 1998. The ICO is both the privacy regulator and the transparency (right to information) regulator, Sunil Abraham, executive director at the Centre for Internet and Society pointed out. The regulator can issue enforcement notices and also fine errant actors in the market place, he said.

This is a regulator with expertise, experience and teeth. Come May 25, 2018, the General Data Protection Regulation will come into force and this will give more comprehensive powers to the regulator to investigate and remedy cases like this. The regulator will take each principle from the Directive or Regulation and examine Facebook’s actions comprehensively before deciding on a response.
Sunil Abraham, Executive Director, Centre for Internet and Society

For example, if the regulator determines that the principle of choice and consent has not been complied with, it can force Facebook to reverse its decisions and provide greater transparency and clearer choices, Abraham added.

Karmanya Sareen’s Grievance

Back home in India, just two months ago, Karmanya Sareen, a WhatsApp user, argued before the Delhi High Court against the company’s new privacy policy. The argument was that WhatsApp’s August 2016 notice to its users about the proposed change in the privacy policy violated the fundamental rights of users under Article 21 of the Constitution. Article 21 promises protection of life and personal liberty.

Proposed change in the privacy policy of WhatsApp would result in altering/changing the most valuable, basic and essential feature of WhatsApp i.e. the complete protection provided to the privacy of details and data of its users.
Karmanya Sareen vs Union of India

The Delhi High Court struck down the Article 21 argument saying that the Supreme Court was still deliberating over including right to privacy as a fundamental right. It also pointed to WhatsApp’s 2012 Privacy Policy that allowed the company to transfer user information in case of an acquisition or merger with a third party. The 2012 policy also allowed WhatsApp to change the terms periodically.

Consequently, the Delhi High Court held that it is not open to the users now to contend that WhatsApp should be compelled to continue the same terms of service. However, the court gave WhatsApp two directions to protect users.

WhatsApp to delete from its servers and not share with Facebook or its group companies any information belonging to users who delete their account.

Users who continue to be on WhatsApp, their existing information up to September 25, 2016 cannot be shared with Facebook or any of its group companies.

Did The Delhi High Court Go Easy On Facebook And WhatsApp?

Apar Gupta, an advocate specializing in information technology, points out that the directions given by the Delhi High Court to WhatsApp did not contemplate any additional protection to a user than what was already provided by WhatsApp.

The Delhi Court essentially reproduced WhatsApp’s privacy policy. It did not compel or provide any additional safeguard.
Apar Gupta, Lawyer

Apar attributes this to the absence of a regulatory framework.

The lack of substantive safeguard and enforcement framework in India led to the Delhi High Court upholding WhatsApp’s new privacy policy.
Apar Gupta, Lawyer

Abraham added that the court did not examine the privacy policy from the perspective of data protection principles as would have been the case in EU or any other jurisdictions with a proper data protection law.

The court too admitted this in its order that there existed a regulatory vacuum in India and asked TRAI to look into the matter. Facebook did not respond to BloombergQuint’s query on whether it would implement its U.K. commitments in India as well.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-november-17-2016-payaswini-upadhyay-how-the-uk-got-a-better-deal-from-facebook-than-india-did

How the government gains when private companies use Aadhaar

praskrishna — 2016-04-01T15:58:38Z

This blog post by M. Rajshekhar and Anumeha Yadav was published in Scroll.in on March 24, 2016. Sunil Abraham was quoted.

Last week, Rajya Sabha made a last-ditch attempt to modify the contentious Aadhaar legislation introduced by the Modi government. Since the legislation was introduced as a Money Bill, the Upper House had no powers to amend it. It could only send back the bill with recommended amendments.

One of the clauses which Rajya Sabha wished to amend related to the use of the Aadhaar number, the 12-digit unique identification number assigned after the collection of an individual’s biometrics in the form of fingerprints and iris scans.

Clause 57 said that anyone, whether an individual or a public or private organisation, could use the Aadhaar number. Rajya Sabha voted to restrict the use of the number to the government. After all, the government had justified introducing Aadhaar legislation as a Money Bill by stating that it would be used for delivering government subsidies and benefits funded out of the Consolidated Fund of India. If the delivery of government welfare is the aim of Aadhaar, why should private companies be allowed to use it?

The Rajya Sabha recommended dropping clause 57 to limit the use of Aadhaar to government agencies. But the Lok Sabha rejected its recommendation, and cleared the Bill in its original form, paving the way for private companies to use Aadhaar.

Strikingly, however, well before the Bill was cleared, a private company started advertising its services as “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. In an article for Scroll.in, legal researcher Usha Ramanathan said, “A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.”

LinkedIn for plumbers

The company that owns the mobile app called TrustID believes it is not doing anything wrong.

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people's identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

Aadhaar authentication

After you have logged into the TrustID app, you can choose from a dropdown menu of categories. You can send anyone's Aadhaar number, gender and name – or even biometrics – and the app claims it can verify their identity.

The app performs Aadhaar authentication – which means it matches an Aadhaar number with the information stored against that number in the servers of the Unique Identification Authority of India. At the time an individual enrols for an Aadhaar number, they disclose their name, gender, address and give biometric scans. This information is held in a database maintained by the UID authority.

One of the criticisms of Aadhaar has been that the database of millions of people could be misused in the absence of a privacy law in India. First, there is the question about whether the biometrics are secure. Second, there are risks that accompany the uncontrolled use of unique numbers.

In response, the proponents of Aadhaar have said that the data is encrypted and secure, and can be accessed only by the authority. Those wanting to authenticate – or match – the Aadhaar number cannot directly access the database. They can simply make requests to the authority which authenticates the number for them.

So far, it appeared that the authority was taking Aadhaar authentication requests solely from government agencies. For instance, to pay wages to workers of the rural employment guarantee programme.

But TrustID’s example showed that private companies too have been sending authentication requests to the authority. This is not entirely surprising for those who have followed the blueprint for Aadhaar as envisioned by Nandan Nilekani, its founder. In an interview in 2012, Nilekani spoke about creating a "thriving application system" using Aadhaar for both the public and private sector.

Chowdhary said Swabhimaan Distribution Services registered as an Aadhaar authentication agency in November 2015, and the app was launched in January 2016.

TrustID, or Swabhimaan, is not the only private company that has signed up as an authentication agency for Aadhaar. A quick Google search throws up the name of Alankit, which wants to “provide Aadhaar Enabled Services to its beneficiaries, clients and customers and can further verify the correctness of the Aadhaar numbers provided ” .

This shows the authority entered into agreements with private companies well before the Aadhaar law was passed in Parliament. The companies were running ahead of legislation in a space unbounded by law, and the UIDAI supported them in this.

It is unclear how many private companies were sending requests for Aadhaar authentication. Scroll's questions to Harish Agrawal, the deputy director general of Aadhaar's Authentication and Application Division, remained unanswered.

In an interview to Business Standard, ABP Pandey, the director general of the UIDAI, said, "Usually what happens is that first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted in to the acts and the regulations."

Why is this problematic?

For one, allowing private companies to use the Aadhaar number shows that the government’s stated aims of Aadhaar are misleading.

Both in the Supreme Court and in Parliament, the government has pushed for the use of Aadhaar as an instrument of welfare delivery. It justified passing Aadhaar legislation as a Money Bill by emphasising its importance to its welfare schemes. But as the case of Swabhimaan shows, Aadhaar's uses clearly go well beyond what the Bill's preamble describes as the “targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India.”

Two, biometrics and unique identification numbers are a qualitatively new form of private information. As such, they bring unknown risks. India does not have a privacy law, and a law defining the use of biometrics and unique numbers is yet to be created. Delhi-based lawyer Apar Gupta said, “Even the Aadhaar Bill is yet to be approved by the president. Its rules are yet to be drafted. There is not enough legal guidance on its use.”

Three, companies like Swabhimaan would be in a position to construct databases of their own. Take TrustID. When it starts retaining Aadhaar numbers, and adds ratings to them, it creates a database of its own, which amounts to creating profiles of people.

Here, as Ramanathan said, the analogy with the networking site LinkedIn doesn't work. “When I have an account on LinkedIn, I update my data,” she said. But the TrustID app generates profiles out of the ratings that others give. Even if a prospective employee shares his/her Aadhaar number, it does not amount to free consent since getting a job hinges on giving that number.

In the future, companies could use Aadhaar numbers in unknown ways, for instance, to combine multiple databases – banks, telecom companies, hospitals – to create detailed profiles of you and me that they can monetise. In effect, Aadhaar becomes a commercial instrument for private companies, and not just a mechanism for the delivery of government welfare.

Gains for the government

Sunil Abraham, the executive director of the Centre for Internet and Society, further explained the risks that arise when databases are combined. He cited the example of OCEAN, the system created by researchers at the Indraprastha Institute of Information Technology to raise privacy awareness. OCEAN used publicly available information held by the government (voter identity card, PAN card, driving licence) to access details about citizens in Delhi. This public data was combined with people's Facebook and Twitter accounts, and the aggregated results were visualised as a family tree which showed information extending to a person’s parents, siblings and spouse.

"If a company like TrustID tied up with OCEAN, it can create a very detailed profile of an individual," said Abraham. "To continue with the example of a job-seeker, if a employer uses TrustID to verify applicants' identity or profiles, the App may combine a database like OCEAN to track that you logged into Twitter at, say 2 am on most nights. It can profile you as someone who might not turn up at work on time in the morning."

Abraham pointed out that the government too stands to gain by allowing private companies to use Aadhaar for authentication. "Use of authentication by private companies will mean UIDAI can have information on authentications performed on you, or by you, over time in the private sphere as well, say during such a job search," he said. For instance, when TrustID runs a search for your prospective employers using your Aadhaar number, the government knows you have applied for a job at certain companies. "This is unnecessary involvement of the government, giving it access to information in an area that it should not have access to."

Over time, such Aadhaar authentication for private services in companies, hospitals, or hotels will "help the government gain granular data on citizens", he said.

Perhaps that explains why the government rushed the Aadhaar Bill through Parliament, allowing little time and room for public debate.

For more details visit https://cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar

How Surveillance Works in India

pranesh — 2013-07-15T10:20:45Z

When the Indian government announced it would start a Centralized Monitoring System in 2009 to monitor telecommunications in the country, the public seemed unconcerned. When the government announced that the system, also known as C.M.S., commenced in April, the news didn’t receive much attention.

This article by Pranesh Prakash was published in the New York Times on July 10, 2013.

After a colleague at the Centre for Internet and Society wrote about the program and it was lambasted by Human Rights Watch, more reporters started covering it as a privacy issue. But it was ultimately the revelations by Edward J. Snowden about American surveillance that prompted Indians to ask questions about its own government’s surveillance programs.

In India, we have a strange mix of great amounts of transparency and very little accountability when it comes to surveillance and intelligence agencies. Many senior officials are happy to anonymously brief reporters about the state of surveillance, but there is very little that is officially made public, and still less is debated in the national press and in Parliament.

This lack of accountability is seen both in the way the Big-Brother acronyms (C.M.S., Natgrid, T.C.I.S., C.C.T.N.S., etc.) have been rolled out, as well as the murky status of the intelligence agencies. No intelligence agency in India has been created under an act of Parliament with clearly established roles and limitations on powers, and hence there is no public accountability whatsoever.

The absence of accountability has meant that the government has since 2006 been working on the C.M.S., which will integrate with the Telephone Call Interception System that is also being rolled out. The cost: around 8 billion rupees ($132 million) — more than four times the initial estimate of 1.7 billion — and even more important, our privacy and personal liberty. Under their licensing terms, all Internet service providers and telecom providers are required to provide the government direct access to all communications passing through them. However, this currently happens in a decentralized fashion, and the government in most cases has to ask the telecoms for metadata, like call detail records, visited Web sites, IP address assignments, or to carry out the interception and provide the recordings to the government. Apart from this, the government uses equipment to gain access to vast quantities of raw data traversing the Internet across multiple cities, including the data going through the undersea cables that land in Mumbai.

With the C.M.S., the government will get centralized access to all communications metadata and content traversing through all telecom networks in India. This means that the government can listen to all your calls, track a mobile phone and its user’s location, read all your text messages, personal e-mails and chat conversations. It can also see all your Google searches, Web site visits, usernames and passwords if your communications aren’t encrypted.


A man surfing a Facebook page at an internet cafe in Guwahati, Assam, on Dec. 6, 2011. Image Credit: Anupam Nath/Associated Press

You might ask: Why is this a problem when the government already had the same access, albeit in a decentralized fashion? To answer that question, one has to first examine the law.

There are no laws that allow for mass surveillance in India. The two laws covering interception are the Indian Telegraph Act of 1885 and the Information Technology Act of 2000, as amended in 2008, and they restrict lawful interception to time-limited and targeted interception.The targeted interception both these laws allow ordinarily requires case-by-case authorization by either the home secretary or the secretary of the department of information technology.

Interestingly, the colonial government framed better privacy safeguards into communications interception than did the post-independence democratic Indian state. The Telegraph Act mandates that interception of communications can only be done on account of a public emergency or for public safety. If either of those two preconditions is satisfied, then the government may cite any of the following five reasons: “the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offense.” In 2008, the Information Technology Act copied much of the interception provision of the Telegraph Act but removed the preconditions of public emergency or public safety, and expands the power of the government to order interception for “investigation of any offense.” The IT Act thus very substantially lowers the bar for wiretapping.

Apart from these two provisions, which apply to interception, there are many laws that cover recorded metadata, all of which have far lower standards. Under the Code of Criminal Procedure, no court order is required unless the entity is seen to be a “postal or telegraph authority” — and generally e-mail providers and social networking sites are not seen as such.

Unauthorized access to communications data is not punishable per se, which is why a private detective who gained access to the cellphone records of Arun Jaitley, a Bharatiya Janata Party leader, has been charged under the weak provision on fraud, rather than invasion of privacy. While there is a provision in the Telegraph Act to punish unlawful interception, it carries a far lesser penalty (up to three years of imprisonment) than for a citizen’s failure to assist an agency that wishes to intercept or monitor or decrypt (up to seven years of imprisonment).

To put the ridiculousness of the penalty in Sections 69 and 69 B of the IT Act provision in perspective, an Intelligence Bureau officer who spills national secrets may be imprisoned up to three years. And under the Indian Penal Code, failing to provide a document one is legally bound to provide to a public servant, the punishment can be up to one month’s imprisonment. Further, a citizen who refuses to assist an authority in decryption, as one is required to under Section 69, may simply be exercising her constitutional right against self-incrimination. For these reasons and more, these provisions of the IT Act are arguably unconstitutional.

As bad as the IT Act is, legally the government has done far worse. In the licenses that the Department of Telecommunications grants Internet service providers, cellular providers and telecoms, there are provisions that require them to provide direct access to all communications data and content even without a warrant, which is not permitted by the existing laws on interception. The licenses also force cellular providers to have ‘bulk encryption’ of less than 40 bits. (Since G.S.M. network encryption systems like A5/1, A5/2, and A5/3 have a fixed encryption bit length of 64 bits, providers in India have been known use A5/0, that is, no encryption, thus meaning any person — not just the government — can use off-the-air interception techniques to listen to your calls.)

Cybercafes (but not public phone operators) are required to maintain detailed records of clients’ identity proofs, photographs and the Web sites they have visited, for a minimum period of one year. Under the rules designed as India’s data protection law (oh, the irony!), sensitive personal data has to be shared with government agencies, if required for “purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offenses.”

Along similar lines, in the rules meant to say when an Internet intermediary may be held liable for a user’s actions, there is a provision requiring the Internet company to “provide information or any such assistance to government agencies legally authorized for investigative, protective, cybersecurity activity.” (Incoherent, vague and grammatically incorrect sentences are a consistent feature of laws drafted by the Ministry of Communications and IT; one of the telecom licenses states: “The licensee should make arrangement for monitoring simultaneous calls by government security agencies,” when clearly they meant “for simultaneous monitoring of calls.”)

In a landmark 1996 judgment, the Indian Supreme Court held that telephone tapping is a serious invasion of an individual’s privacy and that the citizens’ right to privacy has to be protected from abuse by the authorities. Given this, undoubtedly governments must have explicit permission from their legislatures to engage in any kind of broadening of electronic surveillance powers. Yet, without introducing any new laws, the government has surreptitiously granted itself powers — powers that Parliament hasn’t authorized it to exercise — by sneaking such powers into provisions in contracts and in subordinate legislation.

For more details visit https://cis-india.org/internet-governance/blog/nytimes-july-10-2013-pranesh-prakash-how-surveillance-works-in-india

How Sai Baba Was Made To Spy On Your Phone For Credit Ratings

Gopal Sathe — 2019-07-08T14:04:35Z

Researchers revealed that Hyderabad-based CreditVidya—a highly successful fintech company that rated people’s creditworthiness—collected data from people using music apps and Sai Baba apps.

The article by Gopal Sathe was published by Huffington Post on July 4, 2019. CIS research was quoted.

An Indian start-up that few outside the fintech industry would have heard of embedded tracking software inside popular apps, including one that streamed Sai Baba stories and another that streamed Ilaiyaraaja songs, to scoop up sensitive user data including GPS locations, and business SMSes from ecommerce sites and banks to monitor spending activity, personal contacts, and much more, HuffPost India has found.

CreditVidya, a Hyderabad-based fin-tech company, ran this snooping code (technically known as a Software Development Kit or SDK) for several months in 2017 until a new version of Google’s Android operating system made it harder to scrape such data. The data, scooped up from users, was used to power CreditVidya’s self-learning algorithms that help lending companies determine the credit-worthiness of loan applicants. (Fin-tech is industry speak for financial technology, a fast growing category of software firms).

SDKs like the one developed by CreditVidya are called “Middleware”. If you assume an app is like a machine, middleware would be a component or a cog in that machine. As apps grow more complex, developers often rely on middleware developed by third parties, increasing the risk that user data is scraped and sold on for a fee.

Upon installing these apps, many of which were developed by a third party app developer call Winjit, users would have been asked for access permissions that are increasingly common and intrusive, but would have had no idea that their personal data was being scraped and sold further in a manner that could affect their credit-worthiness.

“Even though there might not be proper notice / informed consent, at least it’s understandable that lending apps that user uses is downloaded consciously and some night have knowledge on the fact that app,” said Srikanth L., a contributor to Cashless Consumer, a collective studying digital payments and fintech businesses in India. “The Creditvidya SDK was also found in a Sai Baba app, Ilaiyaraaja Hits app and other music apps of popular record labels with its SDK where user is clueless about this background data collection.”

Thus a user could consent to an app collecting data without knowing how such data would be used.

CreditVidya, Srikanth said, “used the data from unsuspecting users as part of the huge database it uses to generate the trust score, but there is opaqueness about where this data comes from and how many data brokers were engaged in trading personal data with companies like CreditVidya.”

Worse, given that many of these algorithms are proprietary and hence un-auditable, it is unclear if these credit-rating apps even work. Users could find themselves denied credit, or charged high interest rates on the basis of purely arbitrary decision making by CreditVidya algorithms trained on data scraped on the sly.

“Given how untransparent the industry is,” said Fredrike Kaltheuner, from the Data Exploitation Programme of Privacy International, a privacy-focused global non-profit organisation that investigates and advocates for user privacy. “It’s hard to say if this information is actually helping anyone get a loan. There are a lot of companies in this space now, but their algorithms are a black box, and the data they use is usually not clear either.”

CreditVidya and Winjit did not reply to HuffPost India’s emailed requests for comment. We will update this story if the companies share a response.

Meet CreditVidya

CreditVidya does not offer loans directly to consumers. Instead, the company offers its services to over 50 lenders, ranging from banks like Axis Bank, DBS, Yes Bank, and financing companies like Tata Capital, TVS Credit, and Hero FinCorp, according CreditVidya’s website.

This means that when consumers approach these companies for loans, CreditVidya’s software helps determine if the loan should be given or not. To do so, the company compares a given loan application with its giant database, to evolve something called “Trust-score” that, the company claims, determines if the applicant is likely to pay back the loan.

The company raised Series A funding from Kalaari Capital, and Matrix Partners joined in its Series B round. It has raised a third round of funding as well, led by the Bharat Innovation Fund. One of the partners at the fund is Sanjay Jain, former Chief Product Officer at the UIDAI, and a volunteer at Bengaluru-based think-tank iSPIRT.

In a blog post, Kailash Nath, a Senior Associate at Bharat Innovation Fund wrote that CreditVidya processes over 500GB of data every day. It uses data related to over 10,000 parameters to assess creditworthiness, and plugs its SDK into the lenders’ apps, to make the decision to approve the loan or not. He added that the platform has processed over 25 million profiles so far. The post does not mention anything about the sources of this vast amount of data.

“It’s not necessary that the data is coming from nefarious means,” said Saravanan K., a Bengaluru-based security consultant. “There could be any number of ways in which the company has acquired this data, and a lot of it is above board — people aren’t always aware of what they are signing up for, where they are giving their data.”

“Your phone number acts as a unifying element, and then the amount of data that becomes available about you simply from offline sources will boggle your mind. But getting data directly from your phone can be very valuable, because it’s happening in real time and gives a very clear picture of what you are doing.”

The companies doing all this data gathering are keeping quiet about the matter. For example, Srikanth found CreditVidya’s SDK in a number of applications made by Winjit, which has developed a number of music apps, including for huge companies like Times Music. However, the nature of the relationship between the two companies is not clear; nor have they made any public statement on why Winjit’s apps on music carried CreditVidya’s lending SDK.

When a user downloaded a Winjit app, it would create a profile linked to their phone number, and then update this, analysis of the SDK by Cashless Consumer showed. APIs in the SDK revealed code for the user being initialised, and the data being updated.

A report by Aayush Rathi and Shweta Mohandas for the Centre for Internet and Society that researched the privacy commitments taken by Indian fin-tech companies also goes over some of this ground.

“The unprecedented growth of this sector with a number of players that have an amorphous nature (not banking entities) has concomitantly come with regulatory challenges around inter alia privacy and security concerns,” Rathi and Mohandas say in their report. “For instance, a survey of 1,300 senior executives in the global financial services, and fintech industries revealed that 54% of respondents identified privacy and data protection as barriers to fintech innovation.”

They also noted that a study stated identified that 79.4 percent of the surveyed participants stated that they did not read the privacy policies and only 11 percent of them stated that they understood them. They also wrote that another study conducted on the most popular apps in India also observed that the privacy policies were drafted to protect the service providers from liability, rather than to help the consumers.

What’s in the SDK?

Analysis of the SDK by Srikanth suggests CreditVidya collected the following info:

Mobile IMEI
All contacts
Measured frequency of SIM changes to see if this is a person who frequently swaps SIMs
GPS location
Business SMS to monitor spending activity
Wifi ON/OFF

Given that CreditVidya talks of over 10,000 data points, it’s safe to say that this is not all the information that the company is collecting about potential borrowers. What’s particularly worrying in this case though is how the information was being collected through applications that have nothing to do with lending.

“They are collecting user specific data, and also location specific data for demographic mapping,” said Srikanth L. of Cashless Consumer.

Getting data directly from your phone can be very valuable, because it’s happening in real time and gives a very clear picture of what you are doing.

Kaltheuner, from Privacy International, said this kind of arrangement with SDKs is not uncommon.

“A lot of researchers have come across such arrangements,” said Kaltheuner, “but it is very hard to find actual evidence.” In that sense, the work done by Cashless Consumer is very important, she added, as it shows how companies are quietly collecting user data.

“But a bigger concern is the use of pre-installed applications for tracking,” she added. “These apps are installed by the phone manufacturers, or by the telecom companies, and that’s how you get very cheap smartphones being subsidised by third party trackers.”

“These pre-installed trackers often don’t need to ask you for permission before getting access to your data, and they can have access to deeper information than the third-party trackers,” she said. This is made worse by how opaque the industry is; information flows in only one direction.”

“Middleware is very hard to track because there are a number of ways in which companies are going around regulations. Even if a developer doesn’t mean to take your data, it’s often very hard to know what all an SDK is going to do. This is a systemic problem in the industry, with a lot of reliance on third party software.”

Standard procedure in India

Although a number of developers who spoke to HuffPost India confirmed that practices like these are common in the Indian ecosystem, they refused to go on the record, explaining that this is normal business practice, and speaking out about it will lead to a loss of opportunities in the future.

“The big change was Google cracking down on this stuff, but otherwise it’s all over the place,” one developer based in Bengaluru said. “Like, there’s a company in Bombay whose business model is to offer its SDK for apps, and it basically gives you solutions like OTP capture — but it also keeps tracking SMS data afterwards, which is used to build a financial profile. And they offer a cut for doing this, so it subsidises the cost of developing the app.”

Another developer said that IBM’s analytics middleware has also created similar problems but refused to give any details fearing reprisals from the company which has offered his startup projects in the past. However, IBM denied the allegation—a representative said that it would require more technical details from the developer to give a detailed response, but the developer refused to share further information.

But the problem is actually not limited to India. In May 2019, mobile app developer QuarkWorks found that one of its apps on the Google Play store was flagged and removed for violating store policies. According to Devun Schmutzler, Native Mobile Developer QuarkWorks, Google said their app was violating Android’s advertising ID policy.

Google had identified that the app collected and transmitted the Android advertising identifier, which could be used to identify and target a user.

Except, according to Schmutzler, the app wasn’t either collecting, or transmitting any data as far as the developers were aware. It was at this point that the team carried out an investigation into the matter, and found their app was using an old version of Fabric Crashlytics—middleware developed by a third party, which was embedded in the Quarkworks app to analyze crashes and other software errors. The Crashlytics component was collecting this information without Quarkworks’s knowledge.

But this was just the only bit of middleware they found tracking sensitive user information.

Firebase, which is a mobile and Web development platform acquired by Google also does this, though it’s very easy to change the settings to stop sending this data, Schmutzler noted.

OneSignal, which is used for high volume mobile and Web push notifications also tracks this user information, and QuarkWorks had to tweak the app to limit the data being shared. These were just the ones found in the case of a small app with limited libraries by one developer, but given the scale of the industry, the number of providers that are collecting user data in an opaque manner is simply staggering.

Google and Apple have evolved policies against the sharing of background data through apps which are available online. Although the companies did not share details about the size of teams in India that audit apps, for both platforms privacy has become a big talking point with Apple highlighting this for multiple years now, and Google also strongly talking about privacy in the last Google IO developer conference.

In India though, companies like this are likely to soon get another tool to use to track and profile users—Aadhaar. The Aadhaar Amendment bill is expected to pass in the Lok Sabha, and once it becomes a law, the use of Aadhaar by the private sector opens up again.

Once that happens, aside from your phone number, there is also a permanent, immutable identity that can be used to track a person, or collate their information.

Is this data even useful?

It is possible that companies are compromising users’ privacy on a broad scale, but coming up with results that are not more accurate than traditional lending was.

HuffPost India reached out to several lending companies who did not wish to comment on this story once we explained that it was about the covert collection of user data, in the past, some of these companies have commented about the use of data.

Speaking to this reporter in the past, Bala Parthasarathy, the Chairman and CEO of lending app MoneyTap said that “the data is not sophisticated enough. We use mostly traditional data. Right now, there are a lot of low hanging fruit whom the banks are too rigid for, and that’s where we can make a difference.”

“Typically, companies look at a number of different factors, so they’ll look at your account data, or they might read your SMS messages to track your spending,” he had said. “This is of course a privacy concern. But they read your transaction SMSes to understand your financial history. They might take a look at the apps on your phone, or your social media logins to see what kind of relationships you have, how strong a local circle you have, so they know you’re not going to disappear.”

MoneyTap, on the other hand, he said was mostly using user data only to make filling the forms simpler since they had to be entered through the company’s app on the phone.

As Privacy International’s Kaltheuner pointed out—such algorithms being a black box means that there is no clarity on whether anyone is actually benefiting from such use of data, yet it’s quickly becoming the norm.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-4-2019-fintech-apps-privacy-snooping-credit-vidya

How private companies are using Aadhaar to try to deliver better services (but there's a catch)

praskrishna — 2016-12-23T02:04:59Z

They are gathering more information on you.

The article by M. Rajshekhar was published in Scroll.in on December 22, 2016. Sunil Abraham was quoted.

In 2006, Ajay Trehan set up AuthBridge, a background verification company in Gurgaon. That was a time when business process outsourcing was booming. Global companies like Citibank were relocating back-office functions to India. Outfits like AuthBridge sprang up in response to help these companies find qualified staffers. They vetted applicants by running identity checks, verifying education and employment records, doing reference checks and more.

Ten years later, AuthBridge’s client profile has changed. With rising insecurity over crimes in India’s cities, like the December 2012 gangrape in Delhi, or the rape of a young woman in an Uber taxi in 2014, local companies – sizeably from e-commerce and businesses with delivery services – have also started vetting employees and partners to check if they have any criminal history. “Now, we have about 700-800 clients,” said Trehan. “Of them, just 20%-30% are foreign companies.”

AuthBridge’s verification process has changed too. Earlier, its employees used to physically verify the credentials of an applicant by travelling to her school or college, meeting her previous employer, vetting her identity papers with the government department that issued them, and so on.

Now they simply run a query on an electronic database.

Aadhaar enters the private sector

Aadhaar, as India’s Unique Identity Project is called, aims to give a 12-digit unique identity number to all residents by collecting their fingerprint and iris scans. As of September, its database, maintained by the Unique Identity Authority of India, held the names, addresses and biometric information of more than 105 crore people.

The project was created by the United Progressive Alliance government in 2009 to reduce leakages in the country’s welfare programmes.

But, quietly, a range of private sector companies have started using it. This includes verification firms like Authbridge, banks like HDFC, telecommunications companies like Reliance Jio, among others.

So far, most discussions on Aadhaar have focused on its utility for welfare delivery and the risk of government surveillance. But as private sector companies incorporate Aadhaar into their systems, fresh questions and concerns are emerging about what this means. A recent tweet by a journalist that went viral encapsulated these concerns.

To understand the rewards and risks of the use of Aadhaar by private companies, here is a detailed look at how they are using it.

Five ways of using Aadhaar

The first way in which companies are using Aadhaar is pure authentication. This is how Authbridge uses Aadhaar. It sends a name and Aadhaar number to the Unique Identity Authority’s server, which responds to say whether they have matched.

Apart from background verification companies, Aadhaar-based authentication can also be used by employers. “A factory hiring women or a security agency hiring guards and wanting to be sure these people are who they claim to be,” said Pramod Varma, the chief architect and technology advisor for the Aadhaar project.

It could also be used by regulated entities with strong Know Your Customer or KYC norms like banks or telecommunications companies. In the old days of branch-based banking, KYC was not a problem, said Varma, since “the bank manager knew all his customers”. But now, KYC is much harder since banks have moved to “core banking with millions of accounts in the server”. Instant Aadhaar-authentication, he said, is useful for verifying customers.

The second is authentication plus. Here, at the time of authentication, a company also downloads the customer’s data from the Aadhaar database. This is what companies like Reliance Jio are doing.

When a customer provides his Aadhaar number to the company, the company not only runs a query on the Aadhaar database to verify the name and number, it also downloads other information about the customer held on the server, like address, date of birth and gender.

This data can be used to electronically fill out the Know Your Customer forms, replacing what is right now a manual process, said Anupam Varghese, the head (products) of Eko India Financial Services, a financial services startup in the phone banking and remittances segment.

It is a disruptive proposition that companies find useful. In India, the cost of enrolling customers is so high, said Abhishek Sinha, the founder of Eko, that it prices a set of financial products beyond the reach of most Indians. “Authenticating a credit card customer and vetting her identity papers will cost anywhere between Rs 150-Rs 200,” he said. A company can recover that investment only if the customer racks up at least Rs 10,000 on the card, assuming a 2% margin on card transactions.

With its instant authentication and automatic form filling, Aadhaar-based electronic Know Your Customer, said Sinha, slashes those costs and makes it easier for companies to offer financial products which become viable even with a smaller volume of transactions. This allows the growth of financial products for less affluent customer segments.

Subsequently, these companies might pad up those databases by adding their own data. This is a third model of using Aadhaar: authentication plus private database.

For instance, TrustID, a mobile app which claims it can verify “your maid, driver, electrician, tutor, tenant and all service professionals” using Aadhaar, wants users to rate the services of the people they eventually employ. In effect, it is creating a private database.

Others, like Eko, are adding financial transaction histories to the Aadhaar data.

While these three uses are built around Aadhaar-based authentication, the remaining three uses – database sharing, data broking, deduplication – pivot around use of just the Aadhaar number. They are based on recent changes in how companies use customer data.

The customer data boom

Customer data has acquired centrality for several Indian companies, particularly startups in e-commerce and financial services.

In some sectors, Varma said, “the cost of switching [between rival companies] is very low,” which heightens the need for customisation. “The better you can serve, they more sticky you get for a customer.” In other sectors, said Varghese, competition chips away at margins. Which is another reason to try and come up with better services and products.

This is where data can help.

In a conversation in October, Nandan Nilekani, software entrepreneur and the first chairperson of the Unique Identity Authority of India, explained why. “Companies like Ola compete with global companies like Uber which have a tremendous advantage in that they have more data – more customers globally – and better algorithms,” he said. If Ola has 5 million customers, Uber has 100 million. Which means Uber’s algorithms – thanks to pattern recognition and machine learning – will be more accurate.

For all these reasons, said Varma, companies in a handful of business verticals are trying to create “a 360 degree view of their customer”.

What has enabled this is a couple of technological trends. The ability to store and process data, said Nilekani, has gone up enormously in the last 15 years. At the same time, data itself has proliferated as electronic devices like mobile phones create records of voice, photos, messages and the locations of customers.

“All this is realtime data. So, on scale, speed and frequency, we have seen a jump,” said Nilekani.

This rising appetite for data is resulting in a couple of novel outcomes.

Enter, the sharing of customer data

Indian companies have begun sharing databases.

A good example is an experimental partnership between Eko, the banking and remittances company, and Capital Float, a financial services startup which gives short term loans.

The two companies worked out an arrangement where Eko shared a part of its database about its distributors with Capital Float. This shared information contained aggregated and anonymised information on distributors and their working capital positions, said Varghese. Capital Float evaluated the database and came back with a list of distributors it could lend to. Eko, then, forwarded these offers to the distributors. After taking their consent, data about the distributors who were interested in the loans was shared with Capital Float.

On the surface, this is a counter-intuitive development: if customer data holds the key to competitive advantage, companies should closely safeguard their data.

But as it turns out, there are strong reasons to share data.

Both Eko and Capital Float, for instance, are small, specialised players in the financial services market which is dominated by banks. Data sharing is one way to compete with banks by offering complementary services to customers.

It is not clear how endemic data-sharing will get. According to Varma, it will be used selectively. “I cannot see organisations sharing databases at will,” he said. “They will be shared only if they can be used to offer an additional service to the client.”

But a programmer who works at iSpirt, a product software evangelising association based in Bangalore, and who did not want to be identified, said the trend will grow. In the financial sector, as new players like mobile wallet companies acquire more customers, banks that refuse to share data will miss out on emergent markets, he said. “Keeping everything behind closed doors – not participating in data exchanges – is now harmful,” he said.

Sunil Abraham, who heads the Centre For Internet and Society, foresees the rise of another kind of data-sharing – by companies that aggregate customer data from multiple sources and market that to clients. These could be data brokers like US-based Acziom, he said. These could also be more specialised firms like medical transcription companies, which simultaneously serve hospitals, insurance and pharmaceutical companies.

The question is: what does all this have to do with Aadhaar?

The utility of Aadhaar

Aadhaar makes it easier to compare and combine diverse databases.

This is what India’s microfinance companies are doing. As Scroll.in reported recently, Microfinance Institutions Network, an association of microlenders, has told its member companies to seed the Aadhaar numbers of their borrowers into their databases. By searching the databases for the Aadhaar number of a prospective borrower, it will be possible to identify if she has already taken too many loans.

This is a scenario Nilekani bristles at. “You do not need Aadhaar for that,” he said. “You can triangulate databases using email or phone number or name.”

But the iSpirt programmer said, “With Aadhaar, the level of certainty is higher than what you would get by using name, phone number or email.” Between databases, the spelling of names might vary. Phone numbers change, especially in a country like India where prepaid mobile connections outnumber postpaid connections. Only a small part of the country’s population uses email. With Aadhaar, said the programmer, it gets easier to correlate databases.

Aadhaar, added Varma, can also be used to clean up databases. Banks, he said, can use the Aadhaar number to create better customer profiles by identifying all accounts owned by a person. This is the fifth use – deduplication.

What it all means

The implications are obvious. A lot of companies already had databases about their customers. Now, as Nilekani said, technology is allowing the collection of ever greater amounts of information about us. The sharing of databases means companies will have ever more detailed customer profiles.

In a sense, we are entering a future where multiple databases – including several that we are not even aware of – will contain information about us. A hospital and an insurance company might share their records. Or intermediary companies, which service both of them, might create their own databases.

This information will materially affect our lives. As already happens online, companies will increasingly base their products on algorithms that parse data about our behaviour and then offer a customised price – which could be geared to serve or exploit us.

These algorithms, as Propublica reported, can be opaque.

In a sense, much of this is a familiar trajectory. The United States too, as the iSpirt programmer said, “saw a lot of irresponsible data sharing without enough control for civilians”.

That is where India is heading as well. As Scroll noted in its article about TrustID, when the company creates scores for the workers who use its app, they might not always be aware of that rating – or be in a position to challenge that rating.

There are large questions here. Who owns the data about you in a company’s database? Take your information in, say, Ola’s database – the address from where you get picked up or dropped, the phone number, the places you visit most often. Is the data owned by you, Ola or the driver? Should you have a say if a company wants to share this data? If you grant permission, how does one ensure it is used correctly?

Right now, as the next story in this series will show, this is a poorly regulated landscape.

This is the third part in a series on the expansion of Aadhaar and the concerns around it. The first two parts can be read here.

We welcome your comments at letters@scroll.in.

For more details visit https://cis-india.org/internet-governance/news/scroll-m-rajshekhar-how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch

How privacy fares in the 2019 election manifestos | Opinion

Aayush Rathi and Ambika Tandon — 2019-05-02T01:49:39Z

We now have a rights-based language around privacy in the mainstream political discourse but that’s where it ends.

The article by Aayush Rathi and Ambika Tandon was published in the Hindustan Times on May 1, 2019.

In August 2017, the Supreme Court, in Puttaswamy vs Union of India, unanimously recognised privacy as a fundamental right guaranteed by the Constitution. Before the historic judgment, the right to privacy had remained contested and was determined on a case-by-case basis. By understanding privacy as the preservation of individual dignity and autonomy, the judgment laid the groundwork to accommodate subsequent landmark legislative moves — varying from decriminalising homosexuality to limiting the use of the Aadhaar by private actors.

Reflecting the importance gained by privacy within public imagination, the 2019 elections are the first time it finds mention across major party manifestos. In 2014, the Communist Party of India (Marxist) was the only political party to have made commitments to safeguarding privacy, albeit in a limited fashion. For the 2019 election, both the Congress and the CPI(M) promise to protect the right to privacy if elected to power. The Congress promises to “pass a law to protect the personal data of all persons and uphold the right to privacy”. However, it primarily focuses on informational privacy and its application to data protection, limited to the right of citizens to control access and use of information about themselves.

The CPI(M) focuses on privacy more broadly while promising to protect against “intrusion into the fundamental right to privacy of every Indian”. In a similar vein, both the Congress and the CPI(M) also commit to bringing about surveillance reform by incorporating layers of oversight. The CPI(M) manifesto further promises to support the curtailment of mass surveillance globally. It promises to enact a data privacy law to protect against “appropriation/misuse of private data for commercial use”, albeit without any reference to misuse by government agencies.

On the other hand, the Samajwadi Party manifesto proposes the reintroduction of the controversial NATGRID, an overarching surveillance tool proposed by the Congress in the aftermath of the 26/11 Mumbai attacks. In this backdrop, digital rights for individuals are conspicuous by their absence from the Bharatiya Janata Party’s manifesto. Data protection is only seen in a limited sense as being required in conjunction with increasing digital financialisation.

The favourable articulation of privacy in some of the manifestos should be read along with other commitments across parties around achieving development goals through the digital economy. Central to the operation of this is aggregating citizen data. Utilising this aggregated data for predictive abilities is key to initiatives being proposed in the manifestos —digitising health records, a focus on sunrise technologies, such as machine learning and big data, and readiness for “Industry 5.0” are some examples.

The right is then operationalised in a manner that leads data subjects to pick between their privacy and accessing services being provided by the data collector. Relinquishing privacy becomes the only option especially when access to welfare services is at stake.

The discourse around privacy in India has historically been used to restrict individual freedoms. In the Puttaswamy case, Justice DY Chandrachud, in his plurality opinion, acknowledges feminist scholarship to broaden the understanding of the right to privacy to one that protects bodily integrity and decisional privacy for marginalised communities. This implies protection against any manner of State interference with decisions regarding the self, and, more broadly, the right to create a private space to allow the personality to develop without interference. This includes protection from undue violations of bodily integrity such as protecting the freedom to use public spaces without fear of harassment, and criminalising marital rape.

While the articulation of privacy in the manifestos is a good start, it should be much more. Governance must implement the right to look beyond the individualised conception of privacy so as to allow it to support a whole range of freedoms, rather than limiting it to data protection. This could take the shape of modifying traditional legal codes. Family law, for instance, could be reshaped to allow for greater exercise of agency by women in marriage, guardianship, succession etc. Criminal law, too, could render inadmissible evidence obtained through unjustified privacy violations. The manifestos do mark the entry of a rights-based language around privacy and bodily integrity into mainstream political discourse. However, there appears to be a lack of imagination of the extent to which these protections can be used to further individual liberty collectively.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-may-1-2019-aayush-rathi-and-ambika-tandon-how-privacy-fares-in-the-2019-election-manifestos

How Next-Gen Smartphone Users are Being Bought and Sold

praskrishna — 2013-09-05T10:48:18Z

After facebook and google, Twitter became the latest to buy millions of Indian smartphone users in July.

This article by Rohin Dharmakumar was published by Forbes India Magazine on August 13, 2013, and later mirrored in IBN Live on August 19, 2013. Sunil Abraham is quoted.

Now, the actual announcement was about how Twitter had partnered with Vodafone India to offer its services ‘free of cost’ to mobile subscribers for three months. It had already inked similar deals with Airtel and Reliance, according to Medianama, a digital media news site. Google and Facebook, too, announced such agreements during the past year, whereby mobile subscribers could use their service ‘free of cost’ through their phones.

Nothing is really ‘free’ on the web, which is why we have the adage: “If you’re not paying for it, you are the product”. So these large web companies are actually buying millions of first-time mobile internet users by paying off their respective mobile operators. Of India’s 137 million internet users, roughly 120 million access mobile internet.

Sunil Abraham, director of the Centre for Internet & Society in Bangalore, thinks India could be going down the Indonesia route. “If you ask the average Indonesian mobile user if he or she has internet access, they might say no. Ask them if they have Facebook or Twitter, and they’ll say yes!” Incidentally, 96 percent of Indonesians use social media, mostly from their phones.

Smaller competitors to Facebook, Google and Twitter who can’t afford to pay mobile operators on similar terms will find their competitiveness shrinking. Meanwhile, a large number of Indians will balk at paying for internet usage on their phones because the social networks are all ‘free’.

For more details visit https://cis-india.org/news/forbesindia-august-13-2013-rohin-dharmakumar-how-nextgen-smartphone-users-are-being-bought-and-sold

How Media beat the Shutdown in Darjeeling

Manish Adhikary — 2017-12-19T15:57:10Z

Strap:Journalists did what the state was expected to do: fight rumours.

Darjeeling, West Bengal: The West Bengal government banned internet in the hills of north Bengal on June 18. The ban was lifted on September 25, one hundred days later. The precautionary “law and order measure”, introduced in the wake of violence following the breakout of a fresh stir for separate Gorkhaland state, was used as a virtual tool by the administration to bargain for peace with protesters in subsequent weeks. Quite naturally, it caused severe hardships to over one million people. Journalists covering the agitation were among the most severely affected.

“It was a first for me — reporting breaking stories from the ground and having to dictate the development on the phone to my office back in Delhi,” says Amrita Madhukalya, a senior reporter with the DNA newspaper. “The first story I broke after reaching Darjeeling was how the agitation had caused losses in excess of Rs 100 crore ($15.6 million) for the tea industry. I sent that story via a string of five SMSes to office before reading it out to one of our subeditors to ensure no discrepancies crept in.”

Sometimes even phone networks were down. “I have a friend who owns a shop in a small market complex near Chowk Bazaar,” says another senior print journalist from New Delhi. “On this one occasion when even SMSes were not going through, this friend helped me access data from a location that only he knew of. There were at least five to ten journalists from national newspapers looking for internet in Darjeeling in mid-July. He clearly didn’t want to attract their or the district magistrate’s attention.”

The clampdown on internet connectivity began a day after three people died of bullet injuries following clashes between pro-Gorkhaland protesters and the police in the heart of Darjeeling town on June 17. One policeman was feared killed. It later came to light that, having braved a near fatal blow from a khukuri, a traditional Gorkha blade, he was severely injured but alive.

By the evening, several videos of an underprepared but infuriated police force thrashing protesters began to circulate on social media. The state intelligence informed Kolkata that the protesters were planning to march around town with the bodies of the three victims the next afternoon and that the social media outcry against the use of force by police was turning increasingly vitriolic. Internet services were clamped early next morning.

As the Gorkhaland movement lingered on and the intensity of violence waned, data services continued to remain a casualty. Chief Minister Mamata Banerjee said the service would be resumed once normality was restored. As the cycle of news shifted to more compelling narratives and senior journalists from big cities returned from Darjeeling, the vacuum was filled by Facebook news pages run by young social media activists, like With You Darjeeling, Chautari24, North Bengal Today, North Bengal Express, etc.

“A blanket ban on internet since June 17th, 2017 was the biggest challenge we faced,” says Rinchu D Dukpa, who edits the very popular Darjeeling Chronicle, a Facebook news page with over 140,000 subscribers. “Imagine over two months of no internet. Getting word out on important news events from the region was such a challenge those days. In addition, countering distorted, biased and unverified news and narratives spewed by mainstream media and even social media platforms paid for by the state was almost impossible due to lack of internet.”

On several occasions, especially after clashes between locals and the police, rumours quoting death toll would surface. During one such clash in Sukna near Siliguri, one news channel claimed three people had died. It later turned out that there was no casualty. One more interesting rumour that did the rounds was the imposition of President's rule in Darjeeling. Much of it was fuelled by a lack of healthy flow of information. That there was an internet ban did not help.

The administration of another popular Facebook page run from Darjeeling, which has over 35,000 likes, was taken over by the administrator’s friends in the US. Requesting that his and his page’s name be kept secret, the administrator says he requested his friends in the US to scour content from website reports and e-paper versions of the relevant newspapers.

The ban was eventually lifted on September 25, just five days after the Mamata Banerjee government succeeded in weaning away rebel leader Binay Tamang from the Gorkha Janmukti Morcha, the party leading the agitation. Binay went on to be appointed as the chairman of a new board of administrators for Darjeeling hills.

“The ban may have been very severe but Darjeeling’s geography did offer respite at certain locations,” says Biswa Yonzon, a freelance journalist. “Those area that face the hills of neighbouring Sikkim, would receive internet signals. The connectivity wasn’t always great but it did the job for most local journalists reporting for papers such as The Statesman, The Telegraph and The Times of India.”

In fact the area just behind Darjeeling’s town square Chowrasta, which faces the towns of Jorethang and Namchi in South Sikkim, is now known as the Jio hill, after the Reliance 4G network. In Kalimpong, the misty Carmichael hill too is called by the same name.

Manish Adhikary is a Siliguri-based freelance writer and a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/how-media-beat-the-shutdown-in-darjeeling

How Long Have Banks Known About The Debit Card Fraud?

tiwari — 2016-10-22T08:06:51Z

The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.

The article was published by Bloomberg on October 22, 2016.

The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has affected actively at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the pro-active measures (including card revocation) being taken by banks to prevent further financial losses.

Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.

The Modus Operandi

According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.

The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it still maybe be active on parts of the network within the bank and would have access to a far wider range & variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due at least another 15 days, as intimated by NPCIL.

Massive Financial Implications


Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News)

The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name & CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.

This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.

Are Banks Concealing Information?


A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)

The absence of data/security breach laws in India is being sharply felt as there as has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation & disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations & banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.

Constant vigilance & comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government & security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive & reactive actions in the future.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud

How ISPs block websites and why it doesn’t help

praskrishna — 2012-08-25T06:56:41Z

Banning websites is ineffective against malicious users as workarounds are easy and well known.

Gopal Sathe's article was published by LiveMint on August 24, 2012. Pranesh Prakash is quoted.

India blocked 245 web pages for provocative content on Monday in an effort to prevent the spread of hate messages and lessen communal tensions in the country, and suggested via an official release on the website of the Press Information Bureau that more could follow.

As was widely reported in the days that followed, most websites blocked were not related to the ethnic clashes in Assam.

Pranesh Prakash, programme manager with the Bangalore-based Centre for Internet and Society, analysed the sites which were listed by the government. In his analysis, 33% of all blocked addresses were on Facebook, 27.8% on YouTube, 9.7% on Twitter and the rest were spread over a number of different websites including Wikipedia, Firspost.com and TimesofIndia.Indiatimes.com.

Prakash says, “I don’t believe that the decision to block sites was politically motivated, but I do believe that in trying to prevent harm, the government has gone overboard.”

He also writes in his analysis, “Even though many of the items on that list do deserve (in my opinion) to be removed [...] the people and companies hosting the material should have been asked to remove it, instead of ordering the ISPs to block them.”

Prakash also pointed out, “There are numerous egregious mistakes. Even people and posts debunking rumours have been blocked, and it is clear that the list was not compiled with sufficient care.”

Of course, India’s overall record on Internet censorship isn’t great, with the current laws encouraging Internet service providers (ISPs) to take down content without investigating individual cases properly. And that is not even taking into consideration official government orders, such as this decision to block websites.

The process of blocking content for an ISP is very simple. After all, any content that is coming from a website to your computer has to travel through the ISP, giving it ample opportunity to observe and censor banned content.

Think of it like this—you’re on an island, with no way to reach the mainland (Internet) where all the websites are. The ISP builds a bridge connecting you to the mainland, and charges you to let cars (data) from the sites come to you, by opening the road. Each web page has a unique ID, like a licence plate. If the government tells the ISP to block a specific page, it’s added to the blacklist, and isn’t allowed on the bridge. The government could also block a full domain, such as Facebook.com, which would be like blocking all cars with DL plates, instead of specific numbers.

New Delhi based cyber security consultant Dominic K. says, “The content is still there and can be accessed from outside India, so these measures are really very ineffective. People can use proxies or a virtual private network (VPN) to circumvent these measures with ease, by appearing to be a different site; so banning sites does nothing to deter malicious users.”

Proxies are websites that load blocked sites for you—if the proxy is not using the ISP doing the block, they can still load the content from the blocked site and present it to the users, since the blocklists simply block websites, and not their content.

VPNs work in a similar fashion, creating a virtual presence for the user outside of their own country. This can be done to circumvent blocks and access region-specific content, but is also a perfectly legitimate tool, and can increase your security greatly.

It’s a pretty crude system but it’s used around the world. In Australia, for example, the government has a page that directly lists their web censorship activities. It wants to block material that includes child sexual abuse imagery, bestiality, sexual violence, detailed instruction in crime, violence or drug use and/or material that advocates the doing of a terrorist act. However, as noted on the same page, these measures can be easily circumvented. Since the content remains on the Internet, and is only blocked, it can be accessed by “any technically competent user”.

China, meanwhile, is frequently criticized for what is called, tongue-in-cheek, “the great firewall of China”. Reporters without Borders, a French organization that works for freedom of the press, has a list of countries that are “enemies of the Internet”. China, Iran, North Korea and Burma are some of the worst offenders, but Australia, India, Egypt, France and South Korea are also on the watchlist as “countries under surveillance”.

Saudi Arabia and the UAE publish detailed information on their filtering practices but other countries such as China return connection errors, and fake “file not found” errors.

There is a long history of Internet censorhip in India, and a perception that the laws have been used for political ends. Net censorship has been around for a while—in 1999, VSNL blocked access to Pakistani newspapers. Later, in 2006 the government wanted to block certain separatist groups of the Yahoo! Groups platform. While the government issued specific pages for the ban, initially, the whole Yahoo! Groups domain was blocked by ISPs. In 2007, Orkut was told to remove “defamatory” pages created by users.

Cartoon pornography website Savitabhabi.com was also blocked in 2009, while several blogging services such as Typepad were blocked last year for a few weeks, and then the block was lifted, with no explanations.

Like Australia, in the UK too, child pornography is filtered by the government, though users there have to opt-in for this filtering. Other countries such as Denmark, Norway and Sweden also see such content being filtered. The Indian IT Act also notes various kinds of illegal content which is not permissible, such as child pornography and hate speech.

Other countries, such as the US, also have aggressive Internet censorship of copyrighted content. Prakash says, “Internet censorship is not restricted to India alone. Every country in the world has been doing this in different ways. The United States, for example, has even seized domains in copyright cases, which were legally hosted in other countries. With regards to political censorship, which some feel is a concern now, I don’t think that the Indian government is doing that. I believe that they are sincerely trying to address a serious issue, but people are going overboard.”

He adds, “The biggest concern is that there is no transparency about what is being blocked, or why, and this leaves things open for active misuse in the future.”

In Google’s 2011 Transparency Report, released in June this year, India did not feature very favourably. According to Google, the number of content removal requests the company received increased by 49% from 2010. There were five court orders from India ordering the Internet giant to remove content and there were 96 other requests by Indian government agencies for 246 individual items.

In comparison, the US made only 77 requests in the same period. They also revealed that 70% of the content removal requests from India were related to defamation. National security and religious offence attracted far fewer removal requests. Google received only one request from Indian agencies from July to December 2011 for removal of pornographic content.

Our government might not be politically motivated in this instance—however, the possibility for abuse is high, and what’s more, the measures that are being taken are limited at best. Instead of ordering ISPs to block content directly, the government should be working with the content owners and platforms offering the content to have it taken down properly. Instead, we get crude measures which do nothing to deter malicious users, and only serve to inconvenience the general users.

For more details visit https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help

How India Regulates Encryption

Pranesh Prakash & Japreet Grewal — 2016-07-23T13:24:58Z

Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and constitutes laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either limit encryption or gain access to the means of decryption or decrypted information.

Limiting encryption

The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.

The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.[1] The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. Several issues arise in relation enforcement of these license conditions.

While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.
Further, a 40 bit symmetric key length is considered to be an extremely weak standard[2] and is inadequate for protection of data stored or communicated online. Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits.

The Reserve Bank of India has issued guidelines for Internet banking^{^[3]} where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes[4] a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform. Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested the use of suitable security software or even encryption software to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use internationally proven encryption techniques to encrypt stored passwords such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard as mentioned under Rule 6 of the CA Rules. These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.
The ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.[5] Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.
It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.

The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers but they continue to remain responsible for maintaining privacy of communication and preventing unauthorized interception.

Gaining access to means of decryption or decrypted information

Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for the service providers including ISPs to provide to the DoT all details of the technology that is employed for operations and furnish all documentary details like concerned literature, drawings, installation materials and tools and testing instruments relating to the system intended to be used for operations as and when required by the DoT.[6] While these license conditions do not expressly lay down that access to means of decryption must be given to the government the language is sufficiently broad to include gaining such access as well. Further, ISPs are required to take prior approval of the DoT for installation of any equipment or execution of any project in areas which are sensitive from security point of view. The ISPs are in fact subject to and further required to facilitate continuous monitoring by the DoT. These obligations ensure that the Government has complete access to and control over the infrastructure for providing internet services which includes any installation or equipment required for the purpose of encryption and decryption.

The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, allow access to or facilitate conversion of encrypted information and must contain reasons for such direction. In fact, Rule 8 of the Decryption Rules makes it mandatory for the authority to consider other alternatives to acquire the necessary information before issuing a decryption order.
The Secretary in the Ministry of Home Affairs or the Secretary in charge of the Home Department in a state or union territory is authorised to issue an order of decryption in the interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed. Post 2009, the Government can issue a decryption order for investigation of any offence. In the absence of any specific process laid down for collection of digital evidence do we follow the procedure under the criminal law or is it necessary that we draw a distinction between the investigation process in the digital and the physical environment and see if adequate safeguards exist to check the abuse of investigatory powers of the police herein.
The orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions under the IT Act. The review committee is required to convene atleast once in two months for this purpose. However, we have been informed in a response by the Department of Electronics and Information Technology to an RTI dated April 21, 2015 filed by our organisation that since the constitution of the review committee has met only once in January 2013.

Conclusion

While studying a regulatory framework for encryption it is necessary that we identify the lens through which encryption is looked at i.e. whether encryption is considered as a means of information security or a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India are contradictory to those under the telecom licenses and the Decryption Rules. Would it help to analyse whether the prevailing scepticism of the Government is well founded against the need to have strong encryption? It would be useful to survey the statistics of cyber incidents where strong encryption was employed as well as look at instances that reflect on whether strong encryption has made it difficult for law enforcement agencies to prevent or resolve crimes. It would also help to record cyber incidents that have resulted from vulnerabilities such as backdoors or key escrows deliberately introduced by law. These statistics would certainly clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.

[1] Clause 2.2 (vii) of the ISP License

[2] Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley & Sons

[3] Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations, 2011

[4] Report on Internet Based Trading by the SEBI Committee on Internet based Trading and Services, 2000; It is useful to note that subsequently SEBI had acknowledged that the level of encryption would be governed by DoT policy in a SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology

[5] Clause 34.25 of the ISP License

[6] Clauses 22 and 23 of Part IV of the ISP License

For more details visit https://cis-india.org/internet-governance/blog/how-india-regulates-encryption

How India Makes E-books Easier to Ban than Books (And How We Can Change That)

pranesh — 2012-02-21T11:50:56Z

Without getting into questions of what should and should not be unlawful speech, Pranesh Prakash chooses to take a look at how Indian law promotes arbitrary removal and blocking of websites, website content, and online services, and how it makes it much easier than getting offline printed speech removed.

E-Books Are Easier To Ban Than Books, And Safer

Contrary to what Mr. Sibal's recent hand-wringing at objectionable online material might suggest, under Indian laws currently in force it is far easier to remove material from the Web, by many degrees of magnitude, than it is to ever get them removed from a bookstore or an art gallery. To get something from a bookstore or an art gallery one needs to collect a mob, organize collective outrage and threats of violence, and finally convince either the government or a magistrate that the material is illegal, thereby allowing the police to seize the books or stop the painting from being displayed. The fact of removal of the material will be noted in various records, whether in government records, court records, police records or in newspapers of record. By contrast, to remove something from the Web, one needs to send an e-mail complaining about it to any of the string of 'intermediaries' that handle the content: the site itself, the web host for the site, the telecom companies that deliver the site to your computer/mobile, the web address (domain name) provider, the service used to share the link, etc. Under the 'Intermediary Guidelines Rules' that have been in operation since 11th April 2011, all such companies are required to 'disable access' to the complained-about content within thirty-six hours of the complaint. It is really that simple.

"That's ridiculous," you think, "surely he must be exaggerating." Think again. A researcher working with us at the Centre for Internet and Society tried it out, several times, with many different intermediaries and always with frivolous and flawed complaints, and was successful six out of seven times . Thus it is easier to prevent Flipkart or Amazon from selling Rushdie's Midnight's Children than it is to prevent a physical bookstore from doing so: today Indira Gandhi wouldn't need to win a lawsuit in London against the publishers to remove a single line as she did then; she would merely have to send a complaint to online booksellers and get the book removed. It is easier to block Vinay Rai's Akbari.in (just as CartoonsAgainstCorruption.com was recently blocked) than it is to prevent its print publication. Best of all for complainants: there is no penalty for frivolous complaints such as those sent by us, nor are any records kept of who's removed what. Such great powers of censorship without any penalties for their abuse are a sure-fire way of ensuring a race towards greater intolerance, with the Internet — that republic of opinions and expressions — being a casualty.

E-Book Bans Cannot Be Challenged

In response to some of the objections raised, the Cyberlaw Division of the Department of Information Technology, ever the dutiful guardian of free speech, noted that if you have a problem with access to your content being 'disabled', you could always approach a court and get that ban reversed. Unfortunately, the Cyberlaw Division of the Department of Information Technology forgot to take into account that you can't contest a ban/block/removal if you don't know about it. While they require all intermediaries to disable access to the content within thirty-six hours, they forgot to mandate the intermediary to tell you that the content is being removed. Whoops. They forgot to require the intermediary to give public notice that content has been removed following a complaint from person ABC or corporation XYZ on such-and-such grounds. Whoops, again.

So while records are kept, along with reasons, of book bans, there are no such records required to be kept of e-book bans.

E-Book Censors Are Faceless

Vinay Rai is a brave man. He is being attacked by fellow journalists who believe he's disgracing the professional upholders of free-speech, and being courted by television channels who believe that he should be encouraged to discuss matters that are sub judice. He is viewed by some as a man who's playing politics in courts on behalf of unnamed politicians and bureaucrats, while others view him as being bereft of common-sense for believing that companies should be legally liable for not having been clairvoyant and removing material he found objectionable, though he has never complained to them about it, and has only provided that material to the court in a sealed envelope. I choose, instead, to view him as a scrupulous and brave man. He has a face, and a name, and is willing to openly fight for what he believes in. However, there are possibly thousands of unscrupulous Vinay Rais out there, who know the law better than he does, and who make use not of the court system but of the Intermediary Guidelines Rules, firmly assured by those Rules that their censorship activities will never be known, will never be challenged by Facebook and Google lawyers, and will never be traced back to them.

Challenging Invisible Censorship

Dear reader, you may have noticed that this is a bit like a trial involving Free Speech in which Free Speech is presumed guilty upon complaint, is not even told what the charges against it are, has not been given a chance to prove its innocence, and has no right to meet its accusers nor to question them. Yet, the Cyberlaw Division of the Department of Information Technology continues to issue press releases defending these Rules as fair and just, instead of being simultaneously Orwellian and Kafkaesque. These Rules are delegated legislation passed by the Department of Information Technology under s.79 of the Information Technology Act. The Rules were laid before Parliament during the 2011 Monsoon session. We at CIS believe that these Rules are *ultra vires* the IT Act as well as the Constitution of India, not only with respect to what is now (newly) proscribed online (which in itself is enough to make it unconstitutional), but how that which is purportedly unlawful is to be removed. We have prepared an alternative that we believe is far more just and in accordance with our constitutional principles, taking on best practices from Canada, the EU, Chile, and Brazil, while still allowing for expeditious removal of unlawful material. We hope that the DIT will consider adopting some of the ideas embodied in our draft proposal.

As Parliament passed the IT Act in the midst of din, without any debate, it is easy to be skeptical and wonder whether Rules made under the IT Act will be debated. However, I remain hopeful that Parliament will not only exercise its power wisely, but will perform its solemn duty — borne out of each MP's oath to uphold our Constitution — by rejecting these Rules.

Photo credit: Lynn Gardner, under CC-BY-NC-SA 2.0 licence*

This was reproduced in Outlook Magazine on 27 January 2012

For more details visit https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books

How Function Of State May Limit Informed Consent: Examining Clause 12 Of The Data Protection Bill

amber — 2022-03-01T14:56:49Z

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.

The blog post was published in Medianama on February 18, 2022. This is the first of a two-part series by Amber Sinha.

In 2018, hours after the Committee of Experts led by Justice Srikrishna Committee released their report and draft bill, I wrote an opinion piece providing my quick take on what was good and bad about the bill. A section of my analysis focused on Clause 12 (then Clause 13) which provides for non-consensual processing of personal data for state functions. I called this provision a ‘carte-blanche’ which effectively allowed the state to process a citizen’s data for practically all interactions between them without having to deal with the inconvenience of seeking consent. My former colleague, Pranesh Prakash pointed out that this was not a correct interpretation of the provision as I had missed the significance of the word ‘necessary’ which was inserted to act as a check on the powers of the state. He also pointed out, correctly, that in its construction, this provision is equivalent to the position in European General Data Protection Regulation (Article 6 (i) (e)), and is perhaps even more restrictive.

While I agree with what Pranesh says above (his claims are largely factual, and there can be no basis for disagreement), my view of Clause 12 has not changed. While Clause 35 has been a focus of considerable discourse and analysis, for good reason, I continue to believe that Clause 12 remains among the most dangerous provisions of this bill, and I will try to unpack here, why.

The Data Protection Bill 2021 has a chapter on the grounds for processing personal data, and one of those grounds is consent by the individual. The rest of the grounds deal with various situations in which personal data can be processed without seeking consent from the individual. Clause 12 lays down one of the grounds. It allows the state to process data without the consent of the individual in the following cases —

a) where it is necessary to respond to a medical emergency
b) where it is necessary for state to provide a service or benefit to the individual
c) where it is necessary for the state to issue any certification, licence or permit
d) where it is necessary under any central or state legislation, or to comply with a judicial order
e) where it is necessary for any measures during an epidemic, outbreak or public health
f) where it is necessary for safety procedures during disaster or breakdown of public order

In order to carry out (b) and (c), there is also the added requirement that the state function must be authorised by law.

Twin restrictions in Clause 12

The use of the words ‘necessary’ and ‘authorised by law’ is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of the state function. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process my data if it needs to do so, to provide me with the service or benefit. The second restriction means that this would apply to only those state functions which are authorised by law, meaning only those functions which are supported by validly enacted legislation.

What we need to keep in mind regarding Clause 12 is that the requirement of ‘authorised by law’ does not mean that legislation must provide for that specific kind of data processing. It simply means that the larger state function must have legal backing. The danger is how these provisions may be used with broad mandates. If the activity in question is non-consensual collection and processing of, say, demographic data of citizens to create state resident hubs which will assist in the provision of services such as healthcare, housing, and other welfare functions; all that may be required is that the welfare functions are authorised by law.

Scope of privacy under Puttaswamy

It would be worthwhile, at this point, to delve into the nature of restrictions that the landmark Puttaswamy judgement discussed that the state can impose on privacy. The judgement clearly identifies the principles of informed consent and purpose limitation as central to informational privacy. As discussed repeatedly during the course of the hearings and in the judgement, privacy, like any other fundamental right, is not absolute. However, restrictions on the right must be reasonable in nature. In the case of Clause 12, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In Puttaswamy, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases.

The Puttaswamy judgement clearly states that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” By locating the right not just in Article 21 but also in the entirety of Part III, the bench clearly requires that “the drill of various Articles to which the right relates must be scrupulously followed.” This means that where transgressions on privacy relate to different provisions in Part III, the different tests under those provisions will apply along with those in Article 21. For instance, where the restrictions relate to personal freedoms, the tests under both Article 19 (right to freedoms) and Article 21 (right to life and liberty) will apply.

In the case of Clause 12, the three tests laid down by Justice Chandrachud are most operative —
a) the existence of a “law”
b) a “legitimate State interest”
c) the requirement of “proportionality”.

The first test is already reflected in the use of the phrase ‘authorised by law’ in Clause 12. The test under Article 21 would imply that the function of the state should not merely be authorised by law, but that the law, in both its substance and procedure, must be ‘fair, just and reasonable.’ The next test is that of ‘legitimate state interest’. In its report, the Joint Parliamentary Committee places emphasis on Justice Chandrachud’s use of “allocation of resources for human development” in an illustrative list of legitimate state interests. The report claims that the ground, functions of the state, thus satisfies the legitimate state interest. We do not dispute this claim.

Proportionality and Clause 12

It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement, which is most operative in this context. Unlike Clauses 42 and 43 which include the twin tests of necessity and proportionality, the committee has chosen to only employ one ground in Clause 12. Proportionality is a commonly employed ground in European jurisprudence and common law countries such as Canada and South Africa, and it is also an integral part of Indian jurisprudence. As commonly understood, the proportionality test consists of three parts —

a) the limiting measures must be carefully designed, or rationally connected, to the objective
b) they must impair the right as little as possible
c) the effects of the limiting measures must not be so severe on individual or group rights that the legitimate state interest, albeit important, is outweighed by the abridgement of rights.

The first test is similar to the test of proximity under Article 19. The test of ‘necessity’ in Clause 12 must be viewed in this context. It must be remembered that the test of necessity is not limited to only situations where it may not be possible to obtain consent while providing benefits. My reservations with the sufficiency of this standard stem from observations made in the report, as well as the relatively small amount of jurisprudence on this term in Indian law.

The Srikrishna Report interestingly mentions three kinds of scenarios where consent should not be required — where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at a conclusion that the response to this problem is to further erode the power available to citizens by removing the need for consent altogether under Clause 12. There is limited jurisprudence on the standard of ‘necessity’ under Indian law. The Supreme Court has articulated this test as ‘having reasonable relation to the object the legislation has in view.’ If we look elsewhere for guidance on how to read ‘necessity’, the ECHR in Handyside v United Kingdom held it to be neither “synonymous with indispensable” nor does it have the “flexibility of such expressions as admissible, ordinary, useful, reasonable or desirable.” In short, there must be a pressing social need to satisfy this ground.

However, the other two tests of proportionality do not find a mention in Clause 12 at all. There is no requirement of ‘narrow tailoring’, that the scope of non-consensual processing must impair the right as little as possible. It is doubly unfortunate that this test does not find a place, as unlike necessity, ‘narrow tailoring’ is a test well understood in Indian law. This means that while there is a requirement to show that processing personal data was necessary to provide a service or benefit, there is no requirement to process data in a way that there is minimal non-consensual processing. The fear is that as long as there is a reasonable relation between processing data and the object of the function of state, state authorities and other bodies authorised by it, do not need to bother with obtaining consent.

Similarly, the third test of proportionality is also not represented in this provision. It provides a test between the abridgement of individual rights and legitimate state interest in question, and it requires that the first must not outweigh the second. The absence of the proportionality test leaves Clause 12 devoid of any such consideration. Therefore, as long as the test of necessity is met under this law, it need not evaluate the denial of consent against the service or benefit that is being provided.

The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state, by setting the threshold to circumvent informed consent extremely low. In the next post, I will demonstrate the ease with which Clause 12 can allow indiscriminate data sharing by focusing on the Indian government’s digital healthcare schemes.

For more details visit https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function