<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/internet-governance/blog/online-anonymity/search_rss">
  <title>We are anonymous, we are legion</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 1796 to 1810.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/how-india-regulates-encryption"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/hillhacks-2019"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud">
    <title>How Long Have Banks Known About The Debit Card Fraud?  </title>
    <link>https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud</link>
    <description>
        &lt;b&gt;The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.&lt;/b&gt;
        &lt;p&gt;The article was &lt;a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud"&gt;published by Bloomberg&lt;/a&gt; on October 22, 2016.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The breach was detected when various customers began to lodge complaints  with their banks about unauthorised transactions on their accounts,  which upon investigation were said to originate from a foreign location  such as China. The security breach has affected actively at least 641  customers to the tune of Rs 1.8 crore, with lakhs more being affected by  the pro-active measures (including card revocation) being taken by  banks to prevent further financial losses.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Modus Operandi&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;img src="https://cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it still maybe be active on parts of the network within the bank and would have access to a far wider range &amp;amp; variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due at least another 15 days, as intimated by NPCIL.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Massive Financial Implications&lt;/h3&gt;
&lt;table class="invisible"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;
&lt;p&gt;&lt;img src="https://cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /&gt;&lt;/p&gt;
&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name &amp;amp; CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Are Banks Concealing Information?&lt;/h3&gt;
&lt;table class="invisible"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;
&lt;p style="text-align: justify; "&gt;&lt;img src="https://cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /&gt;&lt;/p&gt;
&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The absence of data/security breach laws in India is being sharply felt as there as has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation &amp;amp; disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations &amp;amp; banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Constant vigilance &amp;amp; comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government &amp;amp; security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive &amp;amp; reactive actions in the future.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud'&gt;https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>tiwari</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-10-22T08:06:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help">
    <title>How ISPs block websites and why it doesn’t help</title>
    <link>https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help</link>
    <description>
        &lt;b&gt;Banning websites is ineffective against malicious users as workarounds are easy and well known.&lt;/b&gt;
        &lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Gopal Sathe's article was &lt;a class="external-link" href="http://www.livemint.com/2012/08/23210529/How-ISPs-block-websites-and-wh.html?atype=tp"&gt;published&lt;/a&gt; by LiveMint on August 24, 2012. Pranesh Prakash is quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;India blocked 245 web pages for provocative content on Monday in an effort to prevent the spread of hate messages and lessen communal tensions in the country, and suggested via an official release on the website of the Press Information Bureau that more could follow.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As was widely reported in the days that followed, most websites blocked were not related to the ethnic clashes in Assam.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pranesh Prakash, programme manager with the Bangalore-based Centre for Internet and Society, analysed the sites which were listed by the government. In his analysis, 33% of all blocked addresses were on Facebook, 27.8% on YouTube, 9.7% on Twitter and the rest were spread over a number of different websites including Wikipedia, &lt;i&gt;Firspost.com&lt;/i&gt; and &lt;i&gt;TimesofIndia.Indiatimes.com.&lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Prakash says, “I don’t believe that the decision to block sites was politically motivated, but I do believe that in trying to prevent harm, the government has gone overboard.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He also writes in his analysis, “Even though many of the items on that list do deserve (in my opinion) to be removed [...] the people and companies hosting the material should have been asked to remove it, instead of ordering the ISPs to block them.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Prakash also pointed out, “There are numerous egregious mistakes. Even people and posts debunking rumours have been blocked, and it is clear that the list was not compiled with sufficient care.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Of course, India’s overall record on Internet censorship isn’t great, with the current laws encouraging Internet service providers (ISPs) to take down content without investigating individual cases properly. And that is not even taking into consideration official government orders, such as this decision to block websites.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The process of blocking content for an ISP is very simple. After all, any content that is coming from a website to your computer has to travel through the ISP, giving it ample opportunity to observe and censor banned content.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Think of it like this—you’re on an island, with no way to reach the mainland (Internet) where all the websites are. The ISP builds a bridge connecting you to the mainland, and charges you to let cars (data) from the sites come to you, by opening the road. Each web page has a unique ID, like a licence plate. If the government tells the ISP to block a specific page, it’s added to the blacklist, and isn’t allowed on the bridge. The government could also block a full domain, such as &lt;i&gt;Facebook.com&lt;/i&gt;, which would be like blocking all cars with DL plates, instead of specific numbers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;New Delhi based cyber security consultant Dominic K. says, “The content is still there and can be accessed from outside India, so these measures are really very ineffective. People can use proxies or a virtual private network (VPN) to circumvent these measures with ease, by appearing to be a different site; so banning sites does nothing to deter malicious users.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Proxies are websites that load blocked sites for you—if the proxy is not using the ISP doing the block, they can still load the content from the blocked site and present it to the users, since the blocklists simply block websites, and not their content.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;VPNs work in a similar fashion, creating a virtual presence for the user outside of their own country. This can be done to circumvent blocks and access region-specific content, but is also a perfectly legitimate tool, and can increase your security greatly.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It’s a pretty crude system but it’s used around the world. In Australia, for example, the government has a page that directly lists their web censorship activities. It wants to block material that includes child sexual abuse imagery, bestiality, sexual violence, detailed instruction in crime, violence or drug use and/or material that advocates the doing of a terrorist act. However, as noted on the same page, these measures can be easily circumvented. Since the content remains on the Internet, and is only blocked, it can be accessed by “any technically competent user”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;China, meanwhile, is frequently criticized for what is called, tongue-in-cheek, “the great firewall of China”. Reporters without Borders, a French organization that works for freedom of the press, has a list of countries that are “enemies of the Internet”. China, Iran, North Korea and Burma are some of the worst offenders, but Australia, India, Egypt, France and South Korea are also on the watchlist as “countries under surveillance”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Saudi Arabia and the UAE publish detailed information on their filtering practices but other countries such as China return connection errors, and fake “file not found” errors.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There is a long history of Internet censorhip in India, and a perception that the laws have been used for political ends. Net censorship has been around for a while—in 1999, VSNL blocked access to Pakistani newspapers. Later, in 2006 the government wanted to block certain separatist groups of the Yahoo! Groups platform. While the government issued specific pages for the ban, initially, the whole Yahoo! Groups domain was blocked by ISPs. In 2007, Orkut was told to remove “defamatory” pages created by users.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Cartoon pornography website &lt;i&gt;Savitabhabi.com&lt;/i&gt; was also blocked in 2009, while several blogging services such as Typepad were blocked last year for a few weeks, and then the block was lifted, with no explanations.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Like Australia, in the UK too, child pornography is filtered by the government, though users there have to opt-in for this filtering. Other countries such as Denmark, Norway and Sweden also see such content being filtered. The Indian IT Act also notes various kinds of illegal content which is not permissible, such as child pornography and hate speech.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Other countries, such as the US, also have aggressive Internet censorship of copyrighted content. Prakash says, “Internet censorship is not restricted to India alone. Every country in the world has been doing this in different ways. The United States, for example, has even seized domains in copyright cases, which were legally hosted in other countries. With regards to political censorship, which some feel is a concern now, I don’t think that the Indian government is doing that. I believe that they are sincerely trying to address a serious issue, but people are going overboard.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He adds, “The biggest concern is that there is no transparency about what is being blocked, or why, and this leaves things open for active misuse in the future.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In Google’s 2011 &lt;i&gt;Transparency Report&lt;/i&gt;, released in June this year, India did not feature very favourably. According to Google, the number of content removal requests the company received increased by 49% from 2010. There were five court orders from India ordering the Internet giant to remove content and there were 96 other requests by Indian government agencies for 246 individual items.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In comparison, the US made only 77 requests in the same period. They also revealed that 70% of the content removal requests from India were related to defamation. National security and religious offence attracted far fewer removal requests. Google received only one request from Indian agencies from July to December 2011 for removal of pornographic content.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Our government might not be politically motivated in this instance—however, the possibility for abuse is high, and what’s more, the measures that are being taken are limited at best. Instead of ordering ISPs to block content directly, the government should be working with the content owners and platforms offering the content to have it taken down properly. Instead, we get crude measures which do nothing to deter malicious users, and only serve to inconvenience the general users.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help'&gt;https://cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Freedom of Speech and Expression</dc:subject>
    
    
        <dc:subject>Public Accountability</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    

   <dc:date>2012-08-25T06:56:41Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/how-india-regulates-encryption">
    <title>How India Regulates Encryption</title>
    <link>https://cis-india.org/internet-governance/blog/how-india-regulates-encryption</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;&lt;span&gt;Governments across the globe have been arguing for the need to regulate the use of encryption for law enforcement and national security purposes. Various means of regulation such as backdoors, weak encryption standards and key escrows have been widely employed which has left the information of online users vulnerable not only to uncontrolled access by governments but also to cyber-criminals. The Indian regulatory space has not been untouched by this practice and constitutes laws and policies to control encryption. The regulatory requirements in relation to the use of encryption are fragmented across legislations such as the Indian Telegraph Act, 1885 (Telegraph Act) and the Information Technology Act, 2000 (IT Act) and several sector-specific regulations. The regulatory framework is designed to either &lt;/span&gt;&lt;i&gt;limit encryption or gain access to the means of decryption or decrypted information&lt;/i&gt;&lt;span&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span style="text-decoration: underline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span style="text-decoration: underline;"&gt;&lt;strong&gt;Limiting encryption&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The IT Act does not prescribe the level or type of encryption to be used by online users. Under Section 84A, it grants the Government the authority to prescribe modes and methods of encryption. The Government has not issued any rules in exercise of these powers so far but had released a draft encryption policy on September 21, 2015. Under the draft policy, only those encryption algorithms and key sizes were permitted to be used as were to be notified by the Government. The draft policy was withdrawn due to widespread criticism of various requirements under the policy of which retention of unencrypted user information for 90 days and mandatory registration of all encryption products offered in the country were noteworthy.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Internet Service Providers License Agreement (ISP License), entered between the Department of Telecommunication (DoT) and an Internet Service Provider (ISP) to provide internet services (i.e. internet access and internet telephony services), permits the use of encryption up to 40 bit key length in the symmetric algorithms or its equivalent in others.&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn1"&gt;[1]&lt;/a&gt;&lt;span&gt; The restriction applies not only to the ISPs but also to individuals, groups and organisations that use encryption. In the event an individual, group or organisation decides to deploy encryption that is higher than 40 bits, prior permission from the DoT must be obtained and the decryption key must be deposited with the DoT. There are, however no parameters laid down for use of the decryption key by the Government. &lt;/span&gt;&lt;span&gt;Several issues arise in relation enforcement of these license conditions.&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;span&gt;While this requirement is applicable to all individuals, groups and organisations using encryption it is difficult to enforce it as the ISP License only binds DoT and the ISP and cannot be enforced against third parties.&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span&gt;Further, a 40 bit symmetric key length is considered to be an extremely weak standard&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn2"&gt;[2]&lt;/a&gt;&lt;span&gt; and is inadequate for protection of data stored or communicated online. &lt;/span&gt;&lt;span style="text-align: justify; "&gt;Various sector-specific regulations that are already in place in India prescribe encryption of more than 40 bits. &lt;/span&gt;&lt;/li&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;The Reserve Bank of India has issued guidelines for Internet banking&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn3"&gt;&lt;sup&gt;&lt;sup&gt;[3]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt;&lt;span&gt; where it prescribes 128-bit as the minimum level of encryption and acknowledges that constant advances in computer hardware and cryptanalysis may induce use of larger key lengths. The Securities and Exchange Board of India also prescribes&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn4"&gt;[4]&lt;/a&gt;&lt;span&gt; a 64-bit/128-bit encryption for standard network security and use of secured socket layer security preferably with 128-bit encryption, for securities trading over a mobile phone or a wireless application platform.  Further, under Rule 19 (2) of the Information Technology (Certifying Authorities) Rules, 2000 (CA Rules), the Government has prescribed security guidelines for management and implementation of information technology security of the certifying authorities. Under these guidelines, the Government has suggested &lt;/span&gt;&lt;i&gt;the use of suitable security software or even encryption software&lt;/i&gt;&lt;span&gt; to protect sensitive information and devices that are used to transmit or store sensitive information such as routers, switches, network devices and computers (also called information assets). The guidelines acknowledge the need to use&lt;/span&gt;&lt;i&gt; internationally proven encryption techniques&lt;/i&gt;&lt;span&gt; to encrypt stored passwords &lt;/span&gt;&lt;i&gt;such as PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit), PKCS#5 Password Based Encryption Standard or PKCS#7 Cryptographic Message Syntax Standard&lt;/i&gt;&lt;span&gt; as mentioned under Rule 6 of the CA Rules. 
These encryption algorithms are very strong and secure as compared to a 40 bit encryption key standard.&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span style="text-align: justify; "&gt;T&lt;/span&gt;&lt;span style="text-align: justify; "&gt;he ISP License also contains a clause which provides that use of any hardware or software that may render the network security vulnerable would be considered a violation of the license conditions.&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn5" style="text-align: justify; "&gt;[5]&lt;/a&gt;&lt;span style="text-align: justify; "&gt; Network security may be compromised by using a weak security measure such as the 40 bit encryption or its equivalent prescribed by the DoT but the liability will be imputed to the ISP. As a result, an ISP which is merely complying with the license conditions by employing not more than a 40 bit encryption may be liable for what appears to be contradictory license conditions.&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span style="text-align: justify; "&gt;It is noteworthy that the restriction on the key size under the ISP License has not been imported to the Unified Service License Agreement (UL Agreement) that has been formulated by the DoT. The UL Agreement does not prescribe a specific level of encryption to be used for provision of services. Clause 37.5 of the UL Agreement however makes it clear that use of encryption will be governed by the provisions of the IT Act. As noted earlier, the Government has not specified any limit to level and type of encryption under the IT Act however it had released a draft encryption policy that has been suspended due to widespread criticism of its mandate.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The Telecom Licenses (ISP License, UL Agreement, and Unified Access Service License) prohibit the use of bulk encryption by the service providers but they continue to remain responsible for maintaining privacy of communication and preventing unauthorized interception.&lt;/span&gt;&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt; &lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;span style="text-decoration: underline;"&gt; &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span style="text-decoration: underline;"&gt;&lt;strong&gt;Gaining access to means of decryption or decrypted information&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span style="text-decoration: underline;"&gt;&lt;strong&gt; &lt;/strong&gt;&lt;/span&gt;&lt;span&gt;Besides restrictions on the level of encryption, the ISP License and the UL Agreement make it mandatory for the service providers including ISPs to provide to the DoT all details of the technology that is employed for operations and furnish all documentary details like concerned literature, drawings, installation materials and tools and testing instruments relating to the system intended to be used for operations as and when required by the DoT.&lt;/span&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftn6"&gt;[6]&lt;/a&gt;&lt;span&gt; While these license conditions do not expressly lay down that access to means of decryption must be given to the government the language is sufficiently broad to include gaining such access as well. Further, ISPs are required to take prior approval of the DoT for installation of any equipment or execution of any project in areas which are sensitive from security point of view. The ISPs are in fact subject to and further required to facilitate continuous monitoring by the DoT. &lt;/span&gt;&lt;span&gt;These obligations ensure that the Government has complete access to and control over the infrastructure for providing internet services which includes any installation or equipment required for the purpose of encryption and decryption.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="text-align: justify; "&gt;The Government has also been granted the power to gain access to means of decryption or simply, decrypted information under Section 69 of the IT Act and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.&lt;/span&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;A decryption order usually entails a direction to a decryption key holder to disclose a decryption key, allow access to or facilitate conversion of encrypted information and must contain reasons for such direction. In fact, Rule 8 of the Decryption Rules makes it mandatory for the authority to consider other alternatives to acquire the necessary information before issuing a decryption order.&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span style="text-align: justify; "&gt;The Secretary in the Ministry of Home Affairs or the Secretary in charge of the Home Department in a state or union territory is authorised to issue an order of decryption in the &lt;/span&gt;&lt;i style="text-align: justify; "&gt;interest of sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign states or public order or preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence&lt;/i&gt;&lt;span style="text-align: justify; "&gt;. It is useful to note that this provision was amended in 2009 to expand the grounds on which a direction for decryption can be passed. Post 2009, the Government can issue a decryption order for investigation of any offence. In the absence of any specific process laid down for collection of digital evidence, do we follow the procedure under the criminal law, or is it necessary that we draw a distinction between the investigation process in the digital and the physical environment and see if adequate safeguards exist to check the abuse of investigatory powers of the police herein?&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span style="text-align: justify; "&gt;The orders for decryption must be examined by a review committee constituted under Rule 419A of the Indian Telegraph Rules, 1951 to ensure compliance with the provisions under the IT Act. The review committee is required to convene at least once in two months for this purpose. However, we have been informed in a response by the Department of Electronics and Information Technology to an RTI dated April 21, 2015 filed by our organisation that, since its constitution, the review committee has met only once in January 2013.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt; &lt;/strong&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While studying a regulatory framework for encryption, it is necessary that we identify the lens through which encryption is looked at, i.e. whether encryption is considered a means of information security or a threat to national security. As noted earlier, the encryption mandates for banking systems and certifying authorities in India are contradictory to those under the telecom licenses and the Decryption Rules. Would it help to analyse whether the prevailing scepticism of the Government is well founded against the need to have strong encryption? It would be useful to survey the statistics of cyber incidents where strong encryption was employed as well as look at instances that reflect on whether strong encryption has made it difficult for law enforcement agencies to prevent or resolve crimes. It would also help to record cyber incidents that have resulted from vulnerabilities such as backdoors or key escrows deliberately introduced by law. These statistics would certainly clear the air about the role of encryption in securing cyberspace and facilitate appropriate regulation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;br clear="all" /&gt;&lt;/p&gt;
&lt;hr size="1" style="text-align: justify; " width="33%" /&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref1"&gt;[1]&lt;/a&gt; Clause 2.2 (vii) of the ISP License&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref2"&gt;[2]&lt;/a&gt; Schneier, Bruce (1996). Applied Cryptography (Second ed.). John Wiley &amp;amp; Sons&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref3"&gt;[3]&lt;/a&gt; Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds- Implementation of recommendations, 2011&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref4"&gt;[4]&lt;/a&gt; Report on Internet Based Trading by the SEBI Committee on Internet based Trading and Services, 2000; It is useful to note that subsequently SEBI had acknowledged that the level of encryption would be governed by DoT policy in a SEBI circular no CIR/MRD/DP/25/2010 dated August 27, 2010 on Securities Trading using Wireless Technology&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref5"&gt;[5]&lt;/a&gt; Clause 34.25 of the ISP License&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="file:///C:/Users/HP/Desktop/How%20India%20regulates%20encryption.docx#_ftnref6"&gt;[6]&lt;/a&gt; Clauses 22 and 23 of Part IV of the ISP License&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/how-india-regulates-encryption'&gt;https://cis-india.org/internet-governance/blog/how-india-regulates-encryption&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Pranesh Prakash &amp; Japreet Grewal</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Encryption</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2016-07-23T13:24:58Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books">
    <title>How India Makes E-books Easier to Ban than Books (And How We Can Change That)</title>
    <link>https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books</link>
    <description>
        &lt;b&gt;Without getting into questions of what should and should not be unlawful speech, Pranesh Prakash chooses to take a look at how Indian law promotes arbitrary removal and blocking of websites, website content, and online services, and how it makes it much easier than getting offline printed speech removed.&lt;/b&gt;
        &lt;h2&gt;E-Books Are Easier To Ban Than Books, And Safer&lt;/h2&gt;
&lt;p&gt;Contrary to what Mr. Sibal's recent hand-wringing at objectionable online material might suggest, under Indian laws currently in force it is far easier to remove material from the Web, by many degrees of magnitude, than it is to ever get it removed from a bookstore or an art gallery. To get something removed from a bookstore or an art gallery one needs to collect a mob, organize collective outrage and threats of violence, and finally convince either the government or a magistrate that the material is illegal, thereby allowing the police to seize the books or stop the painting from being displayed. The fact of removal of the material will be noted in various records, whether in government records, court records, police records or in newspapers of record. By contrast, to remove something from the Web, one needs to send an e-mail complaining about it to any of the string of 'intermediaries' that handle the content: the site itself, the web host for the site, the telecom companies that deliver the site to your computer/mobile, the web address (domain name) provider, the service used to share the link, etc. Under the &lt;a href="https://cis-india.org/internet-governance/resources/intermediary-guidelines-rules"&gt;'Intermediary Guidelines Rules'&lt;/a&gt; that have been in operation since 11th April 2011, all such companies are required to 'disable access' to the complained-about content within thirty-six hours of the complaint. It is really that simple.&lt;/p&gt;

&lt;p&gt;"That's ridiculous," you think, "surely he must be exaggerating."  Think again.  A researcher working with us at the Centre for Internet and Society tried it out, several times, with many different intermediaries and always with frivolous and flawed complaints, and was successful &lt;a class="external-link" href="http://www.cis-india.org/news/chilling-impact-of-indias-april-internet-rules"&gt; six out of seven times &lt;/a&gt;.  Thus it is easier to prevent Flipkart or Amazon from selling Rushdie's Midnight's Children than it is to prevent a physical bookstore from doing so: today Indira Gandhi wouldn't need to win a lawsuit in London against the publishers to remove a single line as she did then; she would merely have to send a complaint to online booksellers and get the book removed.  It is easier to block Vinay Rai's Akbari.in (just as CartoonsAgainstCorruption.com was recently blocked) than it is to prevent its print publication.  Best of all for complainants: there is no penalty for frivolous complaints such as those sent by us, nor are any records kept of who's removed what.  Such great powers of censorship without any penalties for their abuse are a sure-fire way of ensuring a race towards greater intolerance, with the Internet — that republic of opinions and expressions — being a casualty.&lt;/p&gt;

&lt;h2&gt;E-Book Bans Cannot Be Challenged&lt;/h2&gt;
&lt;p&gt;In response to some of the objections raised, the Cyberlaw Division of the Department of Information Technology, ever the dutiful guardian of free speech, noted that if you have a problem with access to your content being 'disabled', you could always &lt;a href="http://www.pib.nic.in/newsite/erelease.aspx?relid=72066"&gt;approach a court&lt;/a&gt; and get that ban reversed.  Unfortunately, the Cyberlaw Division of the Department of Information Technology forgot to take into account that you can't contest a ban/block/removal if you don't know about it.  While they require all intermediaries to disable access to the content within thirty-six hours, they forgot to mandate the intermediary to tell you that the content is being removed.  Whoops.  They forgot to require the intermediary to give public notice that content has been removed following a complaint from person ABC or corporation XYZ on such-and-such grounds.  Whoops, again.&lt;/p&gt;

&lt;p&gt;So while records are kept, along with reasons, of book bans, there are no such records required to be kept of e-book bans.&lt;/p&gt;


&lt;h2&gt;E-Book Censors Are Faceless&lt;/h2&gt;
&lt;p&gt;Vinay Rai is a brave man.  He is being attacked by fellow journalists who believe he's disgracing the professional upholders of free-speech, and being courted by television channels who believe that he should be encouraged to discuss matters that are sub judice.  He is viewed by some as a man who's playing politics in courts on behalf of unnamed politicians and bureaucrats, while others view him as being bereft of common-sense for believing that companies should be legally liable for not having been clairvoyant and removing material he found objectionable, though he has never complained to them about it, and has only provided that material to the court in a sealed envelope.    I choose, instead, to view him as a scrupulous and brave man.  He has a face, and a name, and is willing to openly fight for what he believes in.  However, there are possibly thousands of unscrupulous Vinay Rais out there, who know the law better than he does, and who make use not of the court system but of the Intermediary Guidelines Rules, firmly assured by those Rules that their censorship activities will never be known, will never be challenged by Facebook and Google lawyers, and will never be traced back to them.&lt;/p&gt;
&lt;h2&gt;Challenging Invisible Censorship&lt;/h2&gt;
&lt;p&gt;Dear reader, you may have noticed that this is a bit like a trial involving Free Speech in which Free Speech is presumed guilty upon complaint, is not even told what the charges against it are, has not been given a chance to prove its innocence, and has no right to meet its accusers nor to question them. Yet, the Cyberlaw Division of the Department of Information Technology continues to issue press releases defending these Rules as fair and just, instead of being simultaneously Orwellian and Kafkaesque. These Rules are delegated legislation passed by the Department of Information Technology under &lt;a href="https://cis-india.org/internet-governance/resources/section-79-information-technology-act"&gt;s.79 of the Information Technology Act&lt;/a&gt;. The Rules were laid before Parliament during the 2011 Monsoon session. We at CIS believe that these Rules are &lt;i&gt;ultra vires&lt;/i&gt; the IT Act as well as the Constitution of India, not only with respect to what is now (newly) proscribed online (which in itself is enough to make it unconstitutional), but how that which is purportedly unlawful is to be removed. We have prepared an alternative that we believe is far more just and in accordance with our constitutional principles, taking on best practices from Canada, the EU, Chile, and Brazil, while still allowing for expeditious removal of unlawful material. We hope that the DIT will consider adopting some of the ideas embodied in our draft proposal.&lt;/p&gt;

&lt;p&gt;As Parliament passed the IT Act in the midst of din, without any debate, it is easy to be skeptical and wonder whether Rules made under the IT Act will be debated.  However, I remain hopeful that Parliament will not only exercise its power wisely, but will perform its solemn duty — borne out of each MP's oath to uphold our Constitution — by rejecting these Rules.&lt;/p&gt;

&lt;p&gt;Photo credit: &lt;a href="https://secure.flickr.com/photos/grandgrrl/5240360344/"&gt;Lynn Gardner&lt;/a&gt;, under CC-BY-NC-SA 2.0 licence&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://www.outlookindia.com/article.aspx?279712"&gt;This was reproduced in Outlook Magazine&lt;/a&gt; on 27 January 2012&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books'&gt;https://cis-india.org/internet-governance/blog/india-ebooks-easier-to-ban-than-books&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Obscenity</dc:subject>
    
    
        <dc:subject>Freedom of Speech and Expression</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Intermediary Liability</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    

   <dc:date>2012-02-21T11:50:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function">
    <title>How Function Of State May Limit Informed Consent: Examining Clause 12 Of The Data Protection Bill</title>
    <link>https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function</link>
    <description>
        &lt;b&gt;The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.&lt;/b&gt;
        &lt;p&gt;The blog post was &lt;a class="external-link" href="https://www.medianama.com/2022/02/223-data-protection-bill-consent-clause-state-function/"&gt;published in Medianama&lt;/a&gt; on February 18, 2022. This is the first of a two-part series by Amber Sinha.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;In 2018, hours after the Committee of Experts led by Justice Srikrishna released their report and draft bill, I wrote &lt;a href="https://www.livemint.com/Opinion/zY8NPWoWWZw8AfI5JQhjmL/Draft-privacy-bill-and-its-loopholes.html"&gt;an opinion piece&lt;/a&gt; providing my quick take on what was good and bad about the bill. A section of my analysis focused on Clause 12 (then Clause 13) which provides for non-consensual processing of personal data for state functions. I called this provision a ‘carte-blanche’ which effectively allowed the state to process a citizen’s data for practically all interactions between them without having to deal with the inconvenience of seeking consent. My former colleague, Pranesh Prakash, &lt;a href="https://twitter.com/pranesh/status/1023116679440621568"&gt;pointed out&lt;/a&gt; that this was not a correct interpretation of the provision as I had missed the significance of the word ‘necessary’ which was inserted to act as a check on the powers of the state. He also pointed out, correctly, that in its construction, this provision is equivalent to the position in the European General Data Protection Regulation (Article 6 (i) (e)), and is perhaps even more restrictive.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While I agree with what Pranesh says above (his claims are largely factual, and there can be no basis for disagreement), my view of Clause 12 has not changed. While Clause 35 has been a focus of considerable discourse and analysis, for good reason, I continue to believe that Clause 12 remains among the most dangerous provisions of this bill, and I will try to unpack here, why.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Data Protection Bill 2021 has a chapter on the grounds for processing personal data, and one of those grounds is consent by the individual. The rest of the grounds deal with various situations in which personal data can be processed without seeking consent from the individual. Clause 12 lays down one of the grounds. It allows the state to process data without the consent of the individual in the following cases —&lt;/p&gt;
&lt;p&gt;a) where it is necessary to respond to a medical emergency&lt;br /&gt;b) where it is necessary for the state to provide a service or benefit to the individual&lt;br /&gt;c) where it is necessary for the state to issue any certification, licence or permit&lt;br /&gt;d) where it is necessary under any central or state legislation, or to comply with a judicial order&lt;br /&gt;e) where it is necessary for any measures during an epidemic, outbreak or public health&lt;br /&gt;f) where it is necessary for safety procedures during disaster or breakdown of public order&lt;/p&gt;
&lt;p&gt;In order to carry out (b) and (c), there is also the added requirement that the state function must be authorised by law.&lt;/p&gt;
&lt;h2&gt;Twin restrictions in Clause 12&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;The use of the words ‘necessary’ and ‘authorised by law’ is intended to pose checks on the powers of the state. The first restriction seeks to limit actions to only those cases where the processing of personal data would be necessary for the exercise of the state function. This should mean that if the state function can be exercised without non-consensual processing of personal data, then it must be done so. Therefore, while acting under this provision, the state should only process my data if it needs to do so, to provide me with the service or benefit. The second restriction means that this would apply to only those state functions which are authorised by law, meaning only those functions which are supported by validly enacted legislation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What we need to keep in mind regarding Clause 12 is that the requirement of ‘authorised by law’ does not mean that legislation must provide for that specific kind of data processing. It simply means that the larger state function must have legal backing. The danger is how these provisions may be used with broad mandates. If the activity in question is non-consensual collection and processing of, say, demographic data of citizens to create state resident hubs which will assist in the provision of services such as healthcare, housing, and other welfare functions; all that may be required is that the welfare functions are authorised by law.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Scope of privacy under Puttaswamy&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;It would be worthwhile, at this point, to delve into the nature of the restrictions that, as the landmark Puttaswamy judgement discussed, the state can impose on privacy. The judgement clearly identifies the principles of informed consent and purpose limitation as central to informational privacy. As discussed repeatedly during the course of the hearings and in the judgement, privacy, like any other fundamental right, is not absolute. However, restrictions on the right must be reasonable in nature. In the case of Clause 12, the restrictions on privacy in the form of denial of informed consent need to be tested against a constitutional standard. In Puttaswamy, the bench was not required to provide a legal test to determine the extent and scope of the right to privacy, but they do provide sufficient guidance for us to contemplate how the limits and scope of the constitutional right to privacy could be determined in future cases.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Puttaswamy judgement clearly states that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” By locating the right not just in Article 21 but also in the entirety of Part III, the bench clearly requires that “the drill of various Articles to which the right relates must be scrupulously followed.” This means that where transgressions on privacy relate to different provisions in Part III, the different tests under those provisions will apply along with those in Article 21. For instance, where the restrictions relate to personal freedoms, the tests under both Article 19 (right to freedoms) and Article 21 (right to life and liberty) will apply.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In the case of Clause 12, the three tests laid down by Justice Chandrachud are most operative —&lt;br /&gt;a) the existence of a “law”&lt;br /&gt;b) a “legitimate State interest”&lt;br /&gt;c) the requirement of “proportionality”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The first test is already reflected in the use of the phrase ‘authorised by law’ in Clause 12. The test under Article 21 would imply that the function of the state should not merely be authorised by law, but that the law, in both its substance and procedure, must be ‘fair, just and reasonable.’ The next test is that of ‘legitimate state interest’. In its report, the Joint Parliamentary Committee places emphasis on Justice Chandrachud’s use of “allocation of resources for human development” in an illustrative list of legitimate state interests. The report claims that the ground, functions of the state, thus satisfies the legitimate state interest. We do not dispute this claim.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Proportionality and Clause 12&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;It is the final test of ‘proportionality’ articulated by the Puttaswamy judgement, which is most operative in this context. Unlike Clauses 42 and 43 which include the twin tests of necessity and proportionality, the committee has chosen to only employ one ground in Clause 12. Proportionality is a commonly employed ground in European jurisprudence and common law countries such as Canada and South Africa, and it is also an integral part of Indian jurisprudence. As commonly understood, the proportionality test consists of three parts —&lt;/p&gt;
&lt;p&gt;a)  the limiting measures must be carefully designed, or rationally connected, to the objective&lt;br /&gt;b)  they must impair the right as little as possible&lt;br /&gt;c)  the effects of the limiting measures must not be so severe on individual or group rights that the legitimate state interest, albeit important, is outweighed by the abridgement of rights.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The first test is similar to the test of proximity under Article 19. The test of ‘necessity’ in Clause 12 must be viewed in this context. It must be remembered that the test of necessity is not limited to only situations where it may not be possible to obtain consent while providing benefits. My reservations with the sufficiency of this standard stem from observations made in the report, as well as the relatively small amount of jurisprudence on this term in Indian law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Srikrishna Report interestingly mentions three kinds of scenarios where consent should not be required — where it is not appropriate, necessary, or relevant for processing. The report goes on to give an example of inappropriateness. In cases where data is being gathered to provide welfare services, there is an imbalance in power between the citizen and the state. Having made that observation, the committee inexplicably arrives at a conclusion that the response to this problem is to further erode the power available to citizens by removing the need for consent altogether under Clause 12. There is limited jurisprudence on the standard of ‘necessity’ under Indian law. The Supreme Court has articulated this test as ‘having reasonable relation to the object the legislation has in view.’ If we look elsewhere for guidance on how to read ‘necessity’, the ECHR in Handyside v United Kingdom held it to be neither “synonymous with indispensable” nor does it have the “flexibility of such expressions as admissible, ordinary, useful, reasonable or desirable.” In short, there must be a pressing social need to satisfy this ground.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, the other two tests of proportionality do not find a mention in Clause 12 at all. There is no requirement of ‘narrow tailoring’, that the scope of non-consensual processing must impair the right as little as possible. It is doubly unfortunate that this test does not find a place, as unlike necessity, ‘narrow tailoring’ is a test well understood in Indian law. This means that while there is a requirement to show that processing personal data was necessary to provide a service or benefit, there is no requirement to process data in a way that there is minimal non-consensual processing. The fear is that as long as there is a reasonable relation between processing data and the object of the function of state, state authorities and other bodies authorised by it, do not need to bother with obtaining consent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Similarly, the third test of proportionality is also not represented in this provision. It provides a test between the abridgement of individual rights and legitimate state interest in question, and it requires that the first must not outweigh the second. The absence of the proportionality test leaves Clause 12 devoid of any such consideration. Therefore, as long as the test of necessity is met under this law, it need not evaluate the denial of consent against the service or benefit that is being provided.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state, by setting the threshold to circumvent informed consent extremely low. In the next post, I will demonstrate the ease with which Clause 12 can allow indiscriminate data sharing by focusing on the Indian government’s digital healthcare schemes.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function'&gt;https://cis-india.org/internet-governance/blog/medianama-february-18-2021-amber-sinha-data-protection-bill-consent-clause-state-function&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>amber</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Data Governance</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Data Protection</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2022-03-01T14:56:49Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust">
    <title>How Facebook is Blatantly Abusing our Trust</title>
    <link>https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust</link>
    <description>
        &lt;b&gt;‘Don’t fix it, if it ain’t broken’ is not an adage Facebook seems to subscribe to. Nishant Shah's column on privacy and Facebook was published in First Post on June 27, 2012.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Facebook is just re-emerging from the controversies around how it conducted the voting on its new privacy policies, when it goes and digs itself deeper by trying to push its email services down the throats of its users. If you have recently logged in to Facebook, you will have received a notification that says that you have been ‘gifted’ with a free Facebook email account.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, that is a later phenomenon. A couple of days ago, the whole community of Facebook users went about their usual way, without knowing that something substantial had changed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Facebook, who launched their email service as a part of their social networking empire, with or without your consent, has given us a ‘yourname@facebook.com’ email account. I know free things are considered good, but not an email account that I did not sign up for!&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;And to make things worse, this email account was, without our consent, added to our time-line and displayed as the primary email address.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In itself, it is a small move – with the redesign of the Timeline, Facebook had already introduced many such forced disclosures and changes that most of just had to accept, even if it might have had us fuming. However, with this change, Facebook has now started showing exactly what it can do in building your public profile and creating information about you, without your consent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In their lame PR spiel, the company tried to pass it off as a freebie that they were gifting their users. But anybody who was not born yesterday realises that this is a desperate attempt to make a floundering service work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Facebook messaging may work despite the clunky user interface, but its email services remain terribly underused. One of the paradoxes for this lies in the fact that you cannot open a Facebook account without a primary email account with another service, which is used as your authentication as well as the system through which Facebook notifications work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Thus, many times, when introducing Facebook to first-time users of the web, we have to first train them in creating and using an email account before they can get on to the social network.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Hence, when Facebook did offer users the option of using a Facebook email service, most of them politely declined because nobody in their right mind is going to migrate to new a email services unless there was a substantial range of benefits being offered.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So how did Facebook respond? It just forced the email service upon its millions of users. While this is no different from the other kind of restrictions that are imposed upon us within the Facebook universe – the advertisements we see, the design and layout, the insipid white-and-blue background, the kind of information we can and cannot share and display – etc. this is the first time that Facebook actually added to our information profile and displayed it to the public.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Which means, that the next time somebody looks you up on Facebook – and let’s face it, one of the things we all use Facebook for, is to find people we know and get connected with them – they will see your Facebook email id listed as your contact address. And while you might get a notification in your primary email about any mails that you receive in your Facebook account, the fact is that, all those emails will become a part of Facebook’s huge data farms.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In a move that is almost a pale imitation of Google’s growing monopoly over our private information, Facebook seems to be now looking to expand its data empires. However, while Google did it through strategic design and marketing, offering innovations and incentives for its users to use their services, Facebook seems to have decided to build a Trojan horse and sneak these services in through the back door.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While this might not seem a big deal right now, it has deeper repercussions for what this corporate behemoth can do, not only with our data, but also to our data that we think is actually our own.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If your alarm bells aren’t already ringing, they should be, as Facebook demonstrates a blatant abuse of the trust that we have put in its system, to keep our private data safe.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The million dollar question – or maybe a slightly reduced price, given its public listing status on the stock-exchange right now – is that while Facebook might keep us safe from other people using our data, will it also be able to keep us safe from itself?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="external-link" href="http://www.firstpost.com/tech/how-facebook-is-blatantly-abusing-our-trust-359263.html"&gt;&lt;span class="visualHighlight"&gt;Read the original here&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust'&gt;https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>nishant</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-06-28T12:42:32Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases">
    <title>How does the government track all its legal cases?</title>
    <link>https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases</link>
    <description>
        &lt;b&gt;The Legal Information Management and Briefing System, an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Shreeja Sen &lt;a href="http://www.livemint.com/Politics/e8NH6lBlIFbBss0cP54hrJ/How-does-the-government-track-all-its-legal-cases.html"&gt;published by Livemint&lt;/a&gt; on September 13, 2016 has quoted Sunil Abraham.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;More than one lakh cases currently exist on a law ministry platform curated in the last 13 months. The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to the government, the project will help reduce delays in filing responses in cases, contempt notices because of such delays and consequent monetary penalties.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4,452), environment (3,189) and defence (2,565).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Every day, nearly 400-500 cases are added to the portal. In all, 58 ministries and their 202 departments have been brought under the LIMBS project.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases'&gt;https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Digital India</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2016-09-14T10:17:07Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook">
    <title>How data privacy and governance issues have battered Facebook ahead of 2019 polls</title>
    <link>https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook</link>
    <description>
        &lt;b&gt;Rohit S, an airline pilot, had enough of Facebook. With over 1,000 friends and part of at least a dozen groups on subjects ranging from planes to politics, the 34-year-old found himself constantly checking his phone for updates and plunging headlong into increasingly noisy debates, where he had little personal connect.&lt;/b&gt;
        &lt;p&gt;The article by Rahul Sachitanand was &lt;a class="external-link" href="https://economictimes.indiatimes.com/tech/internet/how-data-privacy-and-governance-issues-have-battered-facebook-ahead-of-2019-polls/articleshow/67004685.cms"&gt;published in Economic Times&lt;/a&gt; on December 9, 2018. Elonnai Hickok was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;While he had originally signed up with Facebook a decade ago to reconnect with school classmates, he found himself more and more disconnected from the sprawl the social network had become. “It was a mess of impersonal shares, unverified half-truths and barely any personal updates,” he says, a week after permanently logging out. “I’d rather reconnect the old-fashioned way.”&lt;br /&gt;&lt;br /&gt;This kind of user disenchantment has become increasingly common among Facebook users. Many like Rohit, who signed up with more altruistic aims, find themselves distanced by how the social networking platform has evolved.&lt;br /&gt;&lt;br /&gt;All through 2018, Facebook and its embattled cofounder, Mark Zuckerberg, have found themselves battling one fire after another. Starting with the mess involving Cambridge Analytica and ending with the document dump unearthed by UK’s Parliament this week (that showed the firm as a cut-throat corporation at best), this has been a year to forget. “Unfortunately, Facebook cannot be trusted with the privacy of its users’ data,” says Alessandro Acquisti, professor, Carnegie Mellon University. 
“Time and again, Facebook has shown a cavalier attitude towards the handling of users’ data as well as towards informing users clearly and without deception about the actual extent of Facebook’s data collection and handling policies.”&lt;br /&gt;&lt;br /&gt;This perception has caused problems with Facebook, both around the world and at home, with privacy advocates pushing for stronger monitoring to counter the seeming free rein enjoyed by the platform.&lt;br /&gt;&lt;br /&gt;Mishi Choudhary, legal director of Software Freedom Law Center in the US and Mishi Choudhary and Associates, a New Delhi-law firm, says the pay-for-data model necessitates a stronger data protection regime that doesn’t leave users at the mercy of self-governing corporate entities.&lt;br /&gt;&lt;br /&gt;“The contrast between Facebook’s public statements and private strategies to monetise user data reveals the truth of surveillance capitalism carried out stealthily and steadily,” she says.&lt;br /&gt;&lt;br /&gt;In an election year in India, this could cause problems for Facebook.&lt;br /&gt;&lt;br /&gt;The company has already tried to clean up its act, implementing more transparent political advertising norms and looking to clean up fake news claims (on itself and WhatsApp, the messaging platform it owns) to try to win back user trust. Facebook has also launched video monetisation capabilities and Lasso, a short video offering similar to Tik Tok, the Chinese startup that has been massively popular here. The company, which has over 250 million users in India, plans to train five million people on digital technologies in three years, to try to increase awareness.&lt;br /&gt;&lt;br /&gt;Facebook didn’t respond to an email seeking more specific comments for this piece.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In a country where privacy legislation is yet in the works, experts are worried about the overt and covert interest in users’ private data. Hundreds of millions of users here, many unwittingly, accepting user terms and giving apps too many permissions could easily give away confidential information, the experts argue. This is especially so in the case of Android users in the country, who access the web on cheap handsets and don’t have a full understanding of what they sign up for. “Very few people know about the origin or provenance of apps that they download or what data they track or phone features that they access,” says Shiv Putcha, founder and principal analyst, Mandala Insights, a telecom consultancy. “These are all potential security breaches of a massive order.”&lt;br /&gt;&lt;br /&gt;Alessandro Acquisti, professor, Carnegie Mellon University. This situation has privacy advocates closely watching Facebook and pushing for more stringent rules to monitor the company. "The criticality of human rights impact assessment for all products and services by companies like Facebook is underscored," says Elonnai Hickok, from the Centre for Internet and Society, a think tank in Bengaluru. "To build user trust, these assessments should be made public."&lt;br /&gt;&lt;br /&gt;As India finalises its privacy legislation, it is important to ensure that such assessments are undertaken according to law, citizens and their rights are upheld and companies are held accountable. "This also demonstrates that India needs a privacy legislation that allows the government to address a situation if data of Indian citizens is impacted."&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook'&gt;https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-12-25T01:43:59Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar">
    <title>How Chinese apps are making inroads in Indian small towns</title>
    <link>https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar</link>
    <description>
        &lt;b&gt;After selling a company he cofounded to Alibaba in 2013, Sichuan-born Forrest Chen wanted to look beyond China for his next venture. India was one of the countries on his list of potential markets, which included the US, the UK, Indonesia and Thailand.&lt;/b&gt;
        &lt;p&gt;The article by Mugdha Variyar was &lt;a class="external-link" href="https://economictimes.indiatimes.com/tech/software/how-chinese-apps-are-making-inroads-in-indian-small-towns/articleshow/65347070.cms"&gt;published in the Economic Times&lt;/a&gt; on August 10, 2018.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;“We launched NewsDog in the US in 2015 and got 10,000 users but realised soon that retention was bad because of so much competition,” said Chen, CEO of NewsDog. “That is when we decided to come to India, since the number of (digital) media houses here were fewer and people were still using traditional media.”&lt;br /&gt;After launching here in 2016, first in English, NewsDog has expanded to 10 Indian languages and has 18 million monthly active users, making it one of the top news apps in the country.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A slew of Chinese companies and entrepreneurs has quickly moved to launch mobile applications directly in India to capture the rapidly swelling next generation of internet users—a demographic global and Indian internet companies too are chasing. Several of these Chinese apps have catapulted to the top in India across categories such as entertainment (Tik Tok, Vigo Video), news (UC News, NewsDog), shopping (Club Factory, Shein), as well as browsers and data sharing (UC Browser, Shareit).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“China has seen maturity of content apps that are consumed widely there. With (many) Indians just waking up to digital content on their mobile phones, the Chinese have a head start to port their apps to India,” said Sreedhar Prasad, partner and head for internet business and ecommerce at KPMG India. “Especially in tier 2 cities and beyond, the use of apps that let consumers make short videos or edit images simply and share them is catching on fast. Many of the Chinese apps have been able to cater to this,” he added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Of course, this would not have been possible without high-speed data connectivity and smartphones becoming more accessible to millions of Indians than ever before. The number of internet users in India is expected to increase to about 500 million this year from about 481 million in December, according to a report in March by the Internet and Mobile Association of India and consultancy firm Kantar IMRB.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Chinese app company ByteDance has launched Tik Tok (over 1 million Android installations) and Vigo Video (over 5 million Android installations) in India to let users upload short videos. Other Chinese apps in the same space such as Kwai are also raking up millions of users in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For these Chinese companies, the attraction of a large market, several untapped use-cases for non-metro consumers, and a growing internet base are good enough to place big bets in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Chen said it was the growing internet phenomenon and a lack of disruption by traditional media that attracted him to the Indian market. “When I went to rural places around Gurgaon with my COO Yi Ma, we found that a lot of people have smartphones and they use it very regularly.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, they are still reading newspapers. That’s when we realised there is a gap, which we are trying to fill,” Chen said. Some of these Chinese apps, though, host content some would consider objectionable, and experts say these platforms cannot sustain solely on such material. TikTok was temporarily banned in Indonesia last month due to inappropriate content shared on the app. A highprofile Chinese investor, who did not want to be identified, said these apps may have only a short shelf life in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“We have faced some criticism over the content, and we understand that such content harms us,” Chen said. “We are trying to cut it out using artificial intelligence.” Chinese ecommerce apps such as Club Factory and Shein are also seeing thousands of orders daily from India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For Club Factory, 35 million of its 70 million global customers are from India. “Our focus is towards a value-based customer, which by default includes tier 2 and 3 cities,” Ashwin Rastogi, country head for the ecommerce app, told ET in an interaction last month.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Club Factory is the eighth most used shopping app on Android phones in India in terms of monthly active users, according to App Annie. The company has roped in Bollywood actor Ranveer Singh and Miss World Manushi Chillar for its TV commercials, its first globally. “These Chinese ecommerce apps have invested on ads through social media to target customers, and since many of their products are cheap, under Rs 1,000, a customer is likely to place an order without the risk of losing too much money,” Prasad said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Alibaba’s UC Browser has crossed 130 million monthly active users in India, catering mainly to non-metro consumers. Its users in India constitute 30% of its 430 million monthly active users globally.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Damon Xi, general manager for India and Indonesia, UCWeb, said UC Browser focuses on non-metro users and UC News on users in metro cities. “We provided data compression technology to make browsing and downloading faster for the users. For instance, there were regions in India where internet connectivity was still improving. In such regions, UC Browser’s data compression technology becomes a great help,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For several lending startups from China, India seemed a green pasture after business dried up at home following a crackdown by Chinese authorities on pay-day lending. ET reported earlier this year how several lending startups such as WeCash and FinUp were setting up operations in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;WeCash’s Asia-Pacific head, James Chan, told ET in a previous interaction that the company— with its deep understanding of the lending business based on the “missing middle, new-to-credit, subprime borrowers in China”— saw significant market opportunity in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“India and China are similar, and with data and mobile penetration in the country, it is natural to attract Chinese entrepreneurs,” said K Ganesh, partner at entrepreneurship platform GrowthStory.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, challenges abound for these Chinese companies in India, especially in traversing the gamut of languages while also dealing with a regulatory shadow over data security concerns. NewsDog’s Chen said many Chinese entrepreneurs realise the difficulties in entering the India market.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“There is no wave,” the Chinese investor quoted earlier said. “Only those Chinese companies who have a lot of money can come to India for business.” The proposals of the draft ecommerce policy and the draft data protection bill, if implemented, could also prove troublesome for these Chinese entrepreneurs chasing markets in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“(Data) localisation will have a definite impact on Chinese firms,” said Sunil Abraham, head of the Centre for Internet and Society thinktank. The data localization rule requires internet companies, fintech companies in particular, to store all their data only within India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sandy Shen, research director at technology researcher Gartner, said India’s data localisation rule could increase the cost of doing business, as services providers would “need to have multiple hosting relations and take additional steps to consolidate data.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Chinese app makers have had to face tougher hurdles in India. Last year, the Indian Ministry of Defence ordered the Armed Forces to uninstall 42 Chinese apps that it had classified as spyware. Among these apps were UC Browser, UC News, NewsDog, Shareit, Weibo, WeChat, and NewsDog. Smartphone Xiaomi, with which NewsDog has partnered for sharing content, asked the company to prove that its data was not being shared outside India. “Xiaomi were worried about our name on the list. We proved to them that all our data (from India) is (stored) only in Mumbai,” Chen told ET.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Also, late last year, Google temporarily removed UC Browser from its app store after the app came under the Indian government’s radar for reportedly sending data to its servers in China.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar'&gt;https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2018-08-13T15:44:51Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it">
    <title>How Aadhaar compromises privacy? And how to fix it?</title>
    <link>https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it</link>
    <description>
        &lt;b&gt;Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The op-ed was published in the &lt;a class="external-link" href="http://www.thehindu.com/opinion/op-ed/is-aadhaar-a-breach-of-privacy/article17745615.ece"&gt;Hindu&lt;/a&gt; on March 31, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities.  However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Shift from biometrics to smart cards:&lt;/b&gt;&lt;span&gt; In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Destroy the authentication transaction database:&lt;/b&gt;&lt;span&gt; The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication.  That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Prohibit the use of Aadhaar number in other databases:&lt;/b&gt;&lt;span&gt; We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it'&gt;https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-04-01T07:00:06Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works">
    <title>Holding ID Issuers Accountable, What Works?</title>
    <link>https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
&lt;p&gt;Together with the &lt;a class="external-link" href="https://itsrio.org/pt/home/"&gt;Institute of Technology &amp;amp; Society&lt;/a&gt; (ITS), Brazil, and the &lt;a class="external-link" href="https://www.cipit.org/"&gt;Centre for Intellectual Property and Information Technology Law&lt;/a&gt; (CIPIT), Kenya, CIS participated at a side event in &lt;a class="external-link" href="https://www.rightscon.org/"&gt;RightsCon 2019&lt;/a&gt; held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the &lt;a class="external-link" href="https://www.omidyar.com/"&gt;Omidyar Network&lt;/a&gt;. The event was attended by researchers and advocates from nearly 20 countries. Read the event report &lt;a class="external-link" href="https://digitalid.design/rightscon-2019-report.html"&gt;here&lt;/a&gt;.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works'&gt;https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Shruti Trikanad and Amber Sinha</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Digital ID</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Appropriate Use of Digital ID</dc:subject>
    
    
        <dc:subject>Digital Identity</dc:subject>
    

   <dc:date>2019-08-08T10:23:58Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy">
    <title>Hits and Misses With the Draft Encryption Policy</title>
    <link>https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy</link>
    <description>
        &lt;b&gt;Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://thewire.in/2015/09/26/hits-and-misses-with-the-draft-encryption-policy-11708/"&gt;published in the Wire&lt;/a&gt; on September 26, 2015.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.&lt;br /&gt;&lt;br /&gt;However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Plain-text storage requirement&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.&lt;br /&gt;&lt;br /&gt;Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. 
However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.&lt;br /&gt;&lt;br /&gt;Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Regulatory design&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.&lt;br /&gt;&lt;br /&gt;This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.&lt;br /&gt;&lt;br /&gt;Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. 
“Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”&lt;br /&gt;&lt;br /&gt;The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;And the good news is…&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.&lt;br /&gt;&lt;br /&gt;Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.&lt;br /&gt;&lt;br /&gt;The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.&lt;br /&gt;&lt;br /&gt;Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. 
The basis of all encryption standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy'&gt;https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sunil</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Open Standards</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>FOSS</dc:subject>
    
    
        <dc:subject>B2B</dc:subject>
    

   <dc:date>2015-09-26T16:46:53Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india">
    <title>Historic day for freedom of speech and expression in India</title>
    <link>https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india</link>
    <description>
        &lt;b&gt;In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Vidushi Marda was published in &lt;a class="external-link" href="http://www.bangaloremirror.com/columns/views/Historic-day-for-freedom-of-speech-and-expression-in-India/articleshow/46681364.cms"&gt;Bangalore Mirror&lt;/a&gt; on March 25, 2015.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span id="advenueINTEXT"&gt;Hearing a batch of writ  petitions, the bench comprising Justices Rohinton F Nariman and J  Chelameswar considered the constitutionality of three provisions of the  Information Technology Act, 2000. The provisions under consideration  were Section 66A, dealing with punishment of sending offensive messages  through communication services, Section 69A which discusses website  blocking and Section 79, dealing with intermediary liability.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;The intent behind Section  66A was originally to regulate spam and cyber stalking, but in the last  seven years not a single spammer has been imprisoned.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;Instead, innocent  academics have been arrested for circulating caricatures. The Court  struck down the section in its entirety, declaring it unconstitutional.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;It held that the language  of the section was "nebulous" and "imprecise" and did not satisfy  reasonable restrictions under A. 19(2) of the Constitution of India.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;Section 79 was meant to  result in the blossoming of free speech since it stated that  intermediaries will not be held liable for content created by their  users unless they refused to act on take-down notices. Unfortunately,  intermediaries were unable to decide whether content was legal or  illegal, and when the Centre for Internet and Society in 2011 sent  flawed take-down notices to seven prominent national and international  intermediaries, they erred on the side of caution and over-complied,  often deleting legitimate content. By insisting on a court order, the  Supreme Court has eliminated the chilling effect of this Section.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;The process through which  such orders were developed and implemented was not within public  scrutiny. When a film is banned, it becomes part of public discourse,  but website blocking does not enjoy the same level of transparency. The  person whose speech has been censored is not notified or given an  opportunity to be heard as part of the executive process. Unfortunately,  in dealing with Section 69A, the Court chose to leave it intact,  stating that it is a "narrowly drawn provision with several safeguards."&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span id="advenueINTEXT"&gt;On balance, this is a  truly a landmark judgment as it is the first time since the 1960s that  the Supreme Court has struck down any law in its entirety for a  violation of free speech.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india'&gt;https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vidushi</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    
    
        <dc:subject>Freedom of Speech and Expression</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Chilling Effect</dc:subject>
    

   <dc:date>2015-03-26T02:19:17Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/hillhacks-2019">
    <title>HillHacks 2019</title>
    <link>https://cis-india.org/internet-governance/news/hillhacks-2019</link>
    <description>
        &lt;b&gt;Karan Saini was a speaker at HillHacks 2019 organized by HillHacks in Bir, Himachal Pradesh from May 24 to May 26, 2019.&lt;/b&gt;
        &lt;p&gt;Karan's talk was on using web applications for intelligence gathering purposes. For more info on the event, &lt;a class="external-link" href="https://hillhacks.in/"&gt;click here&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/hillhacks-2019'&gt;https://cis-india.org/internet-governance/news/hillhacks-2019&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-06-05T14:41:44Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017">
    <title>High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017</title>
    <link>https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017</link>
    <description>
        &lt;b&gt;This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In July 2017 the Law Commission published a report on DNA profiling and the &lt;a href="http://lawcommissionofindia.nic.in/reports/Report271.pdf"&gt;&lt;i&gt;“Draft Use and Regulation of DNA Based Technology Bill 2017”&lt;/i&gt;&lt;/a&gt;. India has  been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, &lt;a href="https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf"&gt;2012,&lt;/a&gt; and &lt;a href="http://www.prsindia.org/uploads/media/draft/Draft%20Human%20DNA%20Profiling%20Bill%202015.pdf"&gt;2015,&lt;/a&gt; and one version in 2016. In 2013, the Department of Biotechnology formulated an &lt;a href="https://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view"&gt;Expert Committee &lt;/a&gt;to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of &lt;a href="https://cis-india.org/internet-governance/blog/dna-dissent"&gt;dissent to the Expert Committee for DNA Profiling&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene  index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations.  Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. Offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Positive Changes: &lt;/b&gt;The Bill contains a number of positive changes from the 2015 draft. Key ones include: &lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;&lt;b&gt;Consent:&lt;/b&gt; Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with or without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government.&lt;b&gt; &lt;/b&gt;Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a volunteer who is a minor, which does not provide adequate protection to children's rights.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Deletion&lt;/b&gt;: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Purpose limitation&lt;/b&gt;: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank.  Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Destruction of samples:&lt;/b&gt; Section 20 defines instances for destruction of DNA samples. Destruction of samples was not addressed in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Comparison of profiles&lt;/b&gt;: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects’ index. This creates an important distinction between types of indices held in the data bank and the purpose for the same, i.e. missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manager against all profiles contained in the DNA Data Bank.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Re-testing&lt;/b&gt;: Section 24 allows for an accused person to request for a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 Bill was the creation of a post-conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Limiting Indices and including a crime scene index&lt;/b&gt;: The 2017 Bill limits the number of indices to five - a crime scene  index, missing persons, offenders, suspects, and unknown deceased persons.  This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation. &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Remaining Issues: &lt;/b&gt;There are some remaining issues in the 2017 Bill. Some of these include:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;&lt;b&gt;Delegating and Expanding through Regulation:&lt;/b&gt; The Bill delegates a number of procedures to regulation - many of which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected can be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Broad Powers and Composition of the Board:&lt;/b&gt; The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation. &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;While serving on the Expert Committee,&lt;a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view"&gt;CIS recommended&lt;/a&gt; that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;As a positive note, the reduction of the size of the Board was agreed upon by &lt;/b&gt;&lt;a href="http://cis-india.org/internet-governance/blog/expert-committee-meetings.zip/view"&gt;&lt;b&gt;the Expert Committee from 16 members (2012 Bill) to 11 member&lt;/b&gt;&lt;/a&gt;&lt;b&gt;s. This reccomendation has been incorporated. &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;CIS also provided &lt;a href="http://cis-india.org/internet-governance/blog/dna-dissent"&gt;language regarding&lt;/a&gt; how the Board could consult with the public:&lt;i&gt;The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities.&lt;/i&gt; This language has not been fully incorporated&lt;i&gt; &lt;/i&gt;&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;&lt;b&gt;Lack of Authorization Procedure:&lt;/b&gt; Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Expansive Schedule:&lt;/b&gt; The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Unclear Data Stored:&lt;/b&gt; Though the Bill clarifies the circumstance in which the identity of the individual will be associated with a profile, it allows for “information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Lack of procedures for chain of custody:&lt;/b&gt; Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory. &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Missing Safeguards: &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;&lt;b&gt;Notification to the individual:&lt;/b&gt; There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Right to challenge&lt;/b&gt;: There are no provisions that give the individual the right to challenge the storage of their DNA.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Established profiling standard&lt;/b&gt;: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Reporting standard&lt;/b&gt;: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Right to access and review:&lt;/b&gt; There are no provisions that allow an individual to review his/her information contained in the regional or the national database.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Lack of costing:&lt;/b&gt; There is no cost estimate in the report or a requirement for one to be carried out.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Study for the potential for false matches:&lt;/b&gt; This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people, and is particularly necessary given the size of a population as large as India's.&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Importantly&lt;/b&gt;, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017'&gt;https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Homepage</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-08-11T02:16:52Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
