We are anonymous, we are legion

How Facebook is Blatantly Abusing our Trust

nishant — 2012-06-28T12:42:32Z

‘Don’t fix it, if it ain’t broken’ is not an adage Facebook seems to subscribe to. Nishant Shah's column on privacy and Facebook was published in First Post on June 27, 2012.

Facebook is just re-emerging from the controversies around how it conducted the voting on its new privacy policies, when it goes and digs itself deeper by trying to push down its email services down the throats of its users. If you have recently logged-in to Facebook, you will have received a notification that says that you have been ‘gifted’ with a free Facebook email account.

However, that is a later phenomenon. A couple of days ago, the whole community of Facebook users went about their usual way, without knowing that something substantial had changed.

Facebook, who launched their email service as a part of their social networking empire, with or without your consent, has given us a ‘yourname@facebook.com’ email account. I know free things are considered good, but not an email account that I did not sign up for!

And to make things worse, this email account was, without our consent, added to our time-line and displayed as the primary email address.

In itself, it is a small move – with the redesign of the Timeline, Facebook had already introduced many such forced disclosures and changes that most of just had to accept, even if it might have had us fuming. However, with this change, Facebook has now started showing exactly what it can do in building your public profile and creating information about you, without your consent.

In their lame PR spiel, the company tried to pass it off as a freebie that they were gifting their users. But anybody who was not born yesterday realises that this is a desperate attempt to make a floundering service work.

Facebook messaging may work despite the clunky user interface, but its email services remain terribly underused. One of the paradoxes for this lies in the fact that you cannot open a Facebook account without a primary email account with another service, which is used as your authentication as well as the system through which Facebook notifications work.

Thus, many times, when introducing Facebook to first-time users of the web, we have to first train them in creating and using an email account before they can get on to the social network.

Hence, when Facebook did offer users the option of using a Facebook email service, most of them politely declined because nobody in their right mind is going to migrate to new a email services unless there was a substantial range of benefits being offered.

So how did Facebook respond? It just forced the email service upon its millions of users. While this is no different from the other kind of restrictions that are imposed upon us within the Facebook universe – the advertisements we see, the design and layout, the insipid white-and-blue background, the kind of information we can and cannot share and display – etc. this is the first time that Facebook actually added to our information profile and displayed it to the public.

Which means, that the next time somebody looks you up on Facebook – and let’s face it, one of the things we all use Facebook for, is to find people we know and get connected with them – they will see your Facebook email id listed as your contact address. And while you might get a notification in your primary email about any mails that you receive in your Facebook account, the fact is that, all those emails will become a part of Facebook’s huge data farms.

In a move that is almost a pale imitation of Google’s growing monopoly over our private information, Facebook seems to be now looking to expand its data empires. However, while Google did it through strategic design and marketing, offering innovations and incentives for its users to use their services, Facebook seems to have decided to build a Trojan horse and sneak these services in through the back door.

While this might not seem a big deal right now, it has deeper repercussions for what this corporate behemoth can do, not only with our data, but also to our data that we think is actually our own.

If your alarm bells aren’t already ringing, they should be, as Facebook demonstrates a blatant abuse of the trust that we have put in its system, to keep our private data safe.

The million dollar question – or maybe a slightly reduced price, given its public listing status on the stock-exchange right now – is that while Facebook might keep us safe from other people using our data, will it also be able to keep us safe from itself?

Read the original here

For more details visit https://cis-india.org/internet-governance/how-facebook-is-blatantly-abusing-our-trust

How does the government track all its legal cases?

praskrishna — 2016-09-14T10:17:07Z

The Legal Information Management and Briefing System , an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government.

The article by Shreeja Sen published by Livemint on September 13, 2016 has quoted Sunil Abraham.

More than one lakh cases currently exist on a law ministry platform curated in the last 13 months.The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.

Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.

“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.

According to the government, the project will help reduce delays in filing responses in cases , contempt notices because of such delays and consequent monetary penalties.

The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.

“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.

The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.

As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.

As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4452), environment (3,189) and defence (2,565).

Every day, nearly 400-500 cases are added to the portal. In all 58 ministries and their 202 departments have been brought under the LIMBS project.

For more details visit https://cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases

How data privacy and governance issues have battered Facebook ahead of 2019 polls

Admin — 2018-12-25T01:43:59Z

Rohit S, an airline pilot, had enough of Facebook. With over 1,000 friends and part of at least a dozen groups on subjects ranging from planes to politics, the 34-year-old found himself constantly checking his phone for updates and plunging headlong into increasingly noisy debates, where he had little personal connect.

The article by Rahul Sachitanand was published in Economic Times on December 9, 2018. Elonnai Hickok was quoted.

While he had originally signed up with Facebook a decade ago to reconnect with school classmates, he found himself more and more disconnected from the sprawl the social network had become. “It was a mess of impersonal shares, unverified half-truths and barely any personal updates,” he says, a week after permanently logging out. “I’d rather reconnect the old-fashioned way.”

This kind of user disenchantment has become increasingly common among Facebook users. Many like Rohit, who signed up with more altruistic aims, find themselves distanced by how the social networking platform has evolved.

All through 2018, Facebook and its embattled cofounder, Mark Zuckerberg, have found themselves battling one fire after another. Starting with the mess involving Cambridge Analytica and ending with the document dump unearthed by UK’s Parliament this week (that showed the firm as a cut-throat corporation at best), this has been a year to forget. “Unfortunately, Facebook cannot be trusted with the privacy of its users’ data,” says Alessandro Acquisti, professor, Carnegie Mellon University. “Time and again, Facebook has shown a cavalier attitude towards the handling of users’ data as well as towards informing users clearly and without deception about the actual extent of Facebook’s data collection and handling policies.”

This perception has caused problems with Facebook, both around the world and at home, with privacy advocates pushing for stronger monitoring to counter the seeming free reign enjoyed by the platform.

Mishi Choudhary, legal director of Software Freedom Law Center in the US and Mishi Choudhary and Associates, a New Delhi-law firm, says the pay-for-data model necessitates a stronger data protection regime that doesn’t leave users at the mercy of self-governing corporate entities.

“The contrast between Facebook’s public statements and private strategies to monetise user data reveals the truth of surveillance capitalism carried out stealthily and steadily,” she says.

In an election year in India, this could cause problems for Facebook.

The company has already tried to clean up its act, implementing more transparent political advertising norms and looking to clean up fake news claims (on itself and WhatsApp, the messaging platform it owns) to try to win back user trust. Facebook has also launched video monetisation capabilities and Lasso, a short video offering similar to Tik Tok, the Chinese startup that has been massively popular here. The company, that has over 250 million users in India, plans to train five million people on digital technologies in three years, to try to increase awareness.

Facebook didn’t respond to an email seeking more specific comments for this piece.

In a country where privacy legislation is yet in the works, experts are worried about the overt and covert interest in users’ private data. Hundreds of millions of users here, many unwittingly, accepting user terms and giving apps too many permissions could easily give away confidential information, the experts argue. This is especially so in the case of Android users in the country, who access the web on cheap handsets and don’t have a full understanding of what they sign up for. “Very few people know about the origin or provenance of apps that they download or what data they track or phone features that they access,” says Shiv Putcha, founder and principal analyst, Mandala Insights, a telecom consultancy. “These are all potential security breaches of a massive order.”

Alessandro Acquisti, professor, Carnegie Mellon University. This situation has privacy advocates closely watching Facebook and pushing for more stringent rules to monitor the company. "The criticality of human rights impact assessment for all products and services by companies like Facebook is underscored," says Elonnai Hickok, from the Centre for Internet and Society, a think tank in Bengaluru. "To build user trust, these assessments should be made public."

As India finalises its privacy legislation, it is important to ensure that such assessments are undertaken according to law, citizens and their rights are upheld and companies are held accountable. "This also demonstrates that India needs a privacy legislation that allows the government to address a situation if data of Indian citizens is impacted."

For more details visit https://cis-india.org/internet-governance/news/economic-times-rahul-sachitanand-december-9-2018-how-data-privacy-and-governance-issues-have-battered-facebook

How Chinese apps are making inroads in Indian small towns

Admin — 2018-08-13T15:44:51Z

After selling a company he cofounded to Alibaba in 2013, Sichuan-born Forrest Chen wanted to look beyond China for his next venture. India was one of the countries on his list of potential markets, which included the US, the UK, Indonesia and Thailand.

The article by Mugdha Variyar was published in the Economic Times on August 10, 2018.

“We launched NewsDog in the US in 2015 and got 10,000 users but realised soon that retention was bad because of so much competition,” said Chen, CEO of NewsDog. “That is when we decided to come to India, since the number of (digital) media houses here were fewer and people were still using traditional media.”
After launching here in 2016, first in English, NewsDog has expanded to 10 Indian languages and has 18 million monthly active users, making it one of the top news apps in the country.

A slew of Chinese companies and entrepreneurs has quickly moved to launch mobile applications directly in India to capture the rapidly swelling next generation of internet users—a demographic global and Indian internet companies too are chasing. Several of these Chinese apps have catapulted to the top in India across categories such as entertainment (Tik Tok, Vigo Video), news (UC News, NewsDog), shopping (Club Factory, Shein), as well as browsers and data sharing (UC Browser, Shareit).

“China has seen maturity of content apps that are consumed widely there. With (many) Indians just waking up to digital content on their mobile phones, the Chinese have a head start to port their apps to India,” said Sreedhar Prasad, partner and head for internet business and ecommerce at KPMG India. “Especially in tier 2 cities and beyond, the use of apps that let consumers make short videos or edit images simply and share them is catching on fast. Many of the Chinese apps have been able to cater to this,” he added.

Of course, this would not have been possible without high-speed data connectivity and smartphones becoming more accessible to millions of Indians than ever before. The number of internet users in India is expected to increase to about 500 million this year from about 481 million in December, according to a report in March by the Internet and Mobile Association of India and consultancy firm Kantar IMRB.

Chinese app company ByteDance has launched Tik Tok (over 1 million Android installations) and Vigo Video (over 5 million Android installations) in India to let users upload short videos. Other Chinese apps in the same space such as Kwai are also raking up millions of users in India.

For these Chinese companies, the attraction of a large market, several untapped use-cases for non-metro consumers, and a growing internet base are good enough to place big bets in India.

Chen said it was the growing internet phenomenon and a lack of disruption by traditional media that attracted him to the Indian market. “When I went to rural places around Gurgaon with my COO Yi Ma, we found that a lot of people have smartphones and they use it very regularly.

However, they are still reading newspapers. That’s when we realised there is a gap, which we are trying to fill,” Chen said. Some of these Chinese apps, though, host content some would consider objectionable, and experts say these platforms cannot sustain solely on such material. TikTok was temporarily banned in Indonesia last month due to inappropriate content shared on the app. A highprofile Chinese investor, who did not want to be identified, said these apps may have only a short shelf life in India.

“We have faced some criticism over the content, and we understand that such content harms us,” Chen said. “We are trying to cut it out using artificial intelligence.” Chinese ecommerce apps such as Club Factory and Shein are also seeing thousands of orders daily from India.

For Club Factory, 35 million of its 70 million global customers are from India. “Our focus is towards a value-based customer, which by default includes tier 2 and 3 cities,” Ashwin Rastogi, country head for the ecommerce app, told ET in an interaction last month.

Club Factory is the eighth most used shopping app on Android phones in India in terms of monthly active users, according to App Annie. The company has roped in Bollywood actor Ranveer Singh and Miss World Manushi Chillar for its TV commercials, its first globally. “These Chinese ecommerce apps have invested on ads through social media to target customers, and since many of their products are cheap, under Rs 1,000, a customer is likely to place an order without the risk of losing too much money,” Prasad said.

Alibaba’s UC Browser has crossed 130 million monthly active users in India, catering mainly to non-metro consumers. Its users in India constitute 30% of its 430 million monthly active users globally.

Damon Xi, general manager for India and Indonesia, UCWeb, said UC Browser focuses on non-metro users and UC News on users in metro cities. “We provided data compression technology to make browsing and downloading faster for the users. For instance, there were regions in India where internet connectivity was still improving. In such regions, UC Browser’s data compression technology becomes a great help,” he said.

For several lending startups from China, India seemed a green pasture after business dried up at home following a crackdown by Chinese authorities on pay-day lending. ET reported earlier this year how several lending startups such as WeCash and FinUp were setting up operations in India.

WeCash’s Asia-Pacific head, James Chan, told ET in a previous interaction that the company— with its deep understanding of the lending business based on the “missing middle, new-to-credit, subprime borrowers in China”— saw significant market opportunity in India.

“India and China are similar, and with data and mobile penetration in the country, it is natural to attract Chinese entrepreneurs,” said K Ganesh, partner at entrepreneurship platform GrowthStory.

However, challenges abound for these Chinese companies in India, especially in traversing the gamut of languages while also dealing with a regulatory shadow over data security concerns. NewsDog’s Chen said many Chinese entrepreneurs realise the difficulties in entering the India market.

“There is no wave,” the Chinese investor quoted earlier said. “Only those Chinese companies who have a lot of money can come to India for business.” The proposals of the draft ecommerce policy and the draft data protection bill, if implemented, could also prove troublesome for these Chinese entrepreneurs chasing markets in India.

“(Data) localisation will have a definite impact on Chinese firms,” said Sunil Abraham, head of the Centre for Internet and Society thinktank. The data localization rule requires internet companies, fintech companies in particular, to store all their data only within India.

Sandy Shen, research director at technology researcher Gartner, said India’s data localisation rule could increase the cost of doing business, as services providers would “need to have multiple hosting relations and take additional steps to consolidate data.”

Chinese app makers have had to face tougher hurdles in India. Last year, the Indian Ministry of Defence ordered the Armed Forces to uninstall 42 Chinese apps that it had classified as spyware. Among these apps were UC Browser, UC News, NewsDog, Shareit, Weibo, WeChat, and NewsDog. Smartphone Xiaomi, with which NewsDog has partnered for sharing content, asked the company to prove that its data was not being shared outside India. “Xiaomi were worried about our name on the list. We proved to them that all our data (from India) is (stored) only in Mumbai,” Chen told ET.

Also, late last year, Google temporarily removed UC Browser from its app store after the app came under the Indian government’s radar for reportedly sending data to its servers in China.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2018-mugdha-variyar

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

Holding ID Issuers Accountable, What Works?

Shruti Trikanad and Amber Sinha — 2019-08-08T10:23:58Z

Together with the Institute of Technology & Society (ITS), Brazil, and the Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya, CIS participated at a side event in RightsCon 2019 held in Tunisia, titled Holding ID Issuers Accountable, What Works?, organised by the Omidyar Network. The event was attended by researchers and advocates from nearly 20 countries. Read the event report here.

For more details visit https://cis-india.org/internet-governance/blog/holding-id-issuers-accountable-what-works

Hits and Misses With the Draft Encryption Policy

sunil — 2015-09-26T16:46:53Z

Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.

The article was published in the Wire on September 26, 2015.

This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.

However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.

Plain-text storage requirement

First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions are based on dynamically generated keys and users are not even aware that their interaction with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.

Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.

Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.

Regulatory design

Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.

This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.

Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. “Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”

The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.

And the good news is…

On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.

Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.

The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.

Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. The basis of all encryptions standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy

Historic day for freedom of speech and expression in India

vidushi — 2015-03-26T02:19:17Z

In a petition that finds its origin in a simple status message on Facebook, Shreya Singhal vs Union of India marks a historic reinforcement of the freedom of speech and expression in India.

The article by Vidushi Marda was published in Bangalore Mirror on March 25, 2015.

Hearing a batch of writ petitions, the bench comprising Justices Rohinton F Nariman and J Chelameswar considered the constitutionality of three provisions of the Information Technology Act, 2000. The provisions under consideration were Section 66A, dealing with punishment of sending offensive messages through communication services, Section 69A which discusses website blocking and Section 79, dealing with intermediary liability.

The intent behind Section 66A was originally to regulate spam and cyber stalking, but in the last seven years not a single spammer has been imprisoned.

Instead, innocent academics have been arrested for circulating caricatures. The Court struck down the section in its entirety, declaring it unconstitutional.

It held that the language of the section was "nebulous" and "imprecise" and did not satisfy reasonable restrictions under A. 19(2) of the Constitution of India.

Section 79 was meant to result in the blossoming of free speech since it stated that intermediaries will not be held liable for content created by their users unless they refused to act on take-down notices. Unfortunately, intermediaries were unable to decide whether content was legal or illegal, and when the Centre for Internet and Society in 2011 sent flawed take-down notices to seven prominent national and international intermediaries, they erred on the side of caution and over-complied, often deleting legitimate content. By insisting on a court order, the Supreme Court has eliminated the chilling effect of this Section.

Block orders issued by the Indian government to telecom operators and ISPs were shrouded in opacity.

The process through which such orders were developed and implemented was not within public scrutiny. When a film is banned, it becomes part of public discourse, but website blocking does not enjoy the same level of transparency. The person whose speech has been censored is not notified or given an opportunity to be heard as part of the executive process. Unfortunately, in dealing with Section 69A, the Court chose to leave it intact, stating that it is a "narrowly drawn provision with several safeguards."

On balance, this is a truly a landmark judgment as it is the first time since the 1960s that the Supreme Court has struck down any law in its entirety for a violation of free speech.

For more details visit https://cis-india.org/internet-governance/blog/bangalore-mirror-vidushi-marda-march-25-2015-historic-day-for-freedom-of-speech-and-expression-in-india

HillHacks 2019

Admin — 2019-06-05T14:41:44Z

Karan Saini was a speaker at HillHacks 2019 organized by HillHacks in Bir, Himachal Pradesh from May 24 to May 26, 2019.

Karan's talk was on using web applications for intelligence gathering purposes. For more info on the event, click here

For more details visit https://cis-india.org/internet-governance/news/hillhacks-2019

High Level Comparison and Analysis of the Use and Regulation of DNA Based Technology Bill 2017

elonnai — 2017-08-11T02:16:52Z

This blog post seeks to provide a high level comparison of the 2017 and 2015 DNA Profiling Bill - calling out positive changes, remaining issues, and missing provisions.

In July 2017 the Law Commission published a report on DNA profiling and the “Draft Use and Regulation of DNA Based Technology Bill 2017”. India has been contemplating a draft DNA Profiling Bill since 2007. There have been two publicly available versions of the bill, 2012, and 2015, and one version in 2016. In 2013, the Department of Biotechnology formulated an Expert Committee to discuss different aspects and issues raised regarding the Bill towards finalizing the text. The Centre for Internet and Society was a member of the Expert Committee, and in its conclusion, issued a note of dissent to the Expert Committee for DNA Profiling.

This post provides a high level overview of the Use and Regulation of DNA Based Technology Bill 2017 and calls out positive changes from the 2015 Bill, remaining issues, and missing provisions. The post also calls out if, and where, CIS's recommendations to the Expert Committee have been incorporated.

If enacted, the 2017 Bill will establish national and regional DNA data banks that will maintain five different types of indices: a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. The data banks will be led by a Director, responsible for communicating information with requesting entities, foreign states, and international organizations. Information relating to DNA profiles, DNA samples, and records maintained in a DNA laboratory can be made available in six instances: to law enforcement and investigating agencies, in judicial proceedings, for facilitating prosecution and adjudication of criminal cases, for taking defence of an accused, for investigation of civil disputes, and other cases which might be specified by regulations. Offences related to unauthorized disclosure of information in the DNA data bank, obtaining information from DNA data banks without authorization, unlawful access to information in the DNA Data Bank, using DNA sample or result without authorization, and destroying, altering, contaminating, or tampering with biological evidence.

Below are some key positive changes from the 2015 Bill, remaining issues, and missing safeguards from the 2017 Bill:

Positive Changes: The Bill contains a number of positive changes from the 2015 draft. Key ones include:

Consent: Section 21 prohibits the taking of samples from arrested persons without consent, except in the case of a specified offence - a specified offence being any offence punishable with death or imprisonment for a term exceeding seven years. If consent is refused, a magistrate can order the taking of the sample. This can be in the case of any matter listed in the Schedule of the Act. Section 22 provides for consent from volunteers. It is important to note that despite being an improvement from the 2015 Bill, which did not address instances of collection with our without consent, this provision is still broad as the list of offences under the Schedule is expansive and can be further expanded by the Central Government. Furthermore, the Magistrate can overrule a refusal of consent of the parent or guardian of a voluneet who is a minor, which does not provide adequate protection to childrens' rights.
Deletion: Section 31 defines instances for deletion of suspect profiles, under trial profiles, and all other profiles. Though a step in the right direction, as the 2015 Bill only addressed retention and deletion of the offenders index, this provision does not address the automatic removal of innocents.
Purpose limitation: Section 33 limits the purpose of profiles in the DNA Data Bank to that of facilitating identification. This is a positive step from the 2015 Bill - which enabled use of DNA profiles for the creation and maintenance of a population statistics data bank. Section 34 also limits the purposes for which information relating to DNA profiles, samples, and records can be made available.
Destruction of samples: Section 20 defines instances for destruction of DNA samples. Destruction of samples was not address in the 2015 Bill, and is an important protection as it prevents samples from being re-analyzed.
Comparison of profiles: Section 29 clarifies that if the individual is not an offender or a suspect, their information will not be compared with DNA profiles in the offenders’ or suspects index. This creates an important distinction between types of indices held in the data bank and the purpose for the same i.e missing persons are not treated as potential offenders. In the 2015 Bill, profiles entered in the offenders or crime scene index could be compared by the DNA Data Bank Manger against all profiles contained in the DNA Data Bank.
Re-testing: Section 24 allows for an accused person to request for a re-examination of fresh bodily substances if it is believed the sample has been contaminated. The closest provision to this in the 2015 was the creation a post - conviction right for DNA profiling - which is now deleted. It is important to note that fresh samples can easily be obtained from individuals, but if contamination happens at a crime scene, it is much more difficult to obtain a fresh sample.
Limiting Indices and including a crime scene index: The 2017 Bill limits the number of indices to five - a crime scene index, missing persons, offenders, suspects, and unknown deceased persons. This is an improvement from the 2015 Bill which provides for the maintenance of indices in the DNA Bank and includes a missing person’s index, an unknown deceased person’s index, a volunteers’ index, and such other DNA indices as may be specified by regulation.

Remaining Issues: There are some remaining issues in the 2017 Bill. Some of these include:

Delegating and Expanding through Regulation: The Bill delegates a number of procedures to regulation - many which should be in the text of the Bill. For example: the format for receiving and storing DNA profiles, and additional criteria for entry, retention, and deletion of DNA profiles. Furthermore, a number of provisions allow for expansion through regulation. For example, the sources from which DNA can be collected from to be expanded as specified by regulations. Further purposes for making DNA profiles available can be defined by regulation. Important procedures such as privacy and security safeguards are also left to regulation.
Broad Powers and Composition of the Board: The Bill designates twenty one responsibilities to the Board. As pointed out in 1, many of these should be detailed in the text of the legislation.

While serving on the Expert Committee,CIS recommended that the functions of the DNA Profiling Board should be limited to licensing, developing standards and norms, safeguarding privacy and other rights, ensuring public transparency, promoting information and debate and a few other limited functions necessary for a regulatory authority. This recommendation has not been incorporated.

Ideally, the Board should also include privacy experts, an expert in ethics, as well as civil society. Towards this, the Board should be comprised of separate Committees to address these different functions. There should be a Committee addressing regulatory issues pertaining to the functioning of Data Banks and Laboratories and an Ethics Committee to provide independent scrutiny of ethical issues.

As a positive note, the reduction of the size of the Board was agreed upon by the Expert Committee from 16 members (2012 Bill) to 11 members. This reccomendation has been incorporated.

CIS also provided language regarding how the Board could consult with the public:The Board, in carrying out its functions and activities, shall be required to consult with all persons and groups of persons whose rights and related interests may be affected or impacted by any DNA collection, storage, or profiling activity. The Board shall, while considering any matter under its purview, co-opt or include any person, group of persons, or organisation, in its meetings and activities if it is satisfied that that person, group of persons, or organisation, has a substantial interest in the matter and that it is necessary in the public interest to allow such participation. The Board shall, while consulting or co-opting persons, ensure that meetings, workshops, and events are conducted at different places in India to ensure equal regional participation and activities. This language has not been fully incorporated

Lack of Authorization Procedure: Though the Bill defines instances of when DNA information can be made available, it fails to establish or refer to an authorization process for making information available and the decision currently seems to rest with the DNA Bank Director.
Expansive Schedule: The Bill creates a schedule containing a list of matters for DNA testing which includes whole acts and a range of civil disputes and matters that are broad and do not relate to criminal cases - most notably “issues relating to immigration or emigration and issues relating to establishment of individual identity.”
Unclear Data Stored: Though the Bill clarifies the circumstance that the identity of the individual will be associated with a profile, it allows for ‘information of data based on DNA testing and records relating thereto” to be stored, yet it is unclear what information this would entail.
Lack of procedures for chain of custody: Presently, the Bill defines quality assurance procedures for a sample that is already at the lab. There are no provisions defining a process for the examination of a crime scene and laying down standards for the chain of custody of a sample from the crime scene to a DNA laboratory.

Missing Safeguards:

There are some safeguards that, if added, would strengthen the Bill and ensure rights to the individual:

Notification to the individual: There are no provisions that ensure that notification is given to an individual if his/her information is accessed or made available.
Right to challenge: There are no provisions that give the individual the right to challenge the storage of their DNA.
Established profiling standard: Though the Law Commission report refers to the 13 CODIS standard, the Bill does not mandate the use of the 13 CODIS profiling standard.
Reporting standard: There are no standards for how matches or other information should be communicated from the DNA director to the authority or receiving entity including instances of partial matches.
Right to access and review: There are no provisions that allow an individual to review his/her information contained in the regional or the national database.
Lack of costing: There is no cost estimate in the report or a requirement for one to be carried out.
Study for the potential for false matches: This must consider the size of the population and large family size, i.e. relatively large numbers of closely related people and is particularly necessary given the the size over population as large as India's.

Importantly, in the DNA Expert Committee, CIS requested the Expert Committee that the Bill be brought in line with the nine national principles defined in the Report of Experts on Privacy led by Justice AP Shah. These include the principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness, and accountability. These principles have not been fully incorporated.

For more details visit https://cis-india.org/internet-governance/blog/high-level-comparison-and-analysis-of-the-use-and-regulation-of-dna-based-technology-bill-2017

Hiding behind rules on naming sites it banned, govt reveals fears

praskrishna — 2015-09-27T10:59:56Z

With the union government's ban on 857 porn sites in July creating brouhaha across the country, there had been a concern over the voice of the youth being stifled and censorship making a comeback.

The article by Harjeet Inder Singh Sahi was published in the Hindustan Times on September 3, 2015.

Even though there was a partial rollback of the ban, the government still seems intent on being obtrusive with information and deny access to it, especially about the internet and the way it intends to govern it.

This has been illustrated by the union government's department of telecommunications refusing to provide information on websites it has banned to a petition under the Right to Information (RTI) Act.

The reply

"The group coordinator, cyber law division, department of electronics and information technology, has been authorised as designated officer and issues instructions for blocking/unblocking of websites/URLs. The clause 16 of Information Technology Procedure and Safeguards for blocking access of information by Public, Rules 2009, says strict confidentiality shall be maintained regarding all requests and complaints received and actions taken thereof," says the reply to the RTI application filed by this correspondent on August 3.

The reply to the petition - filed at www.rtionline.gov.in with registration number DOTEL/R/2015/61348 - was received on August 27.

Background to the case

In July this year, the department of electronics and information technology had banned 857 pornographic websites listed in the petition of Indore-based advocate Kamlesh Vaswani in the supreme court. The websites were banned by citing 'morality' and 'decency' enshrined in Article 19 (2) of the Constitution of India and under provisions of the Information Technology Act, 2000. A few days later, the government did a flip-flop and revoked the ban partially.

The Centre for Internet and Society (CIS) had subsequently released the list online. Now, the government has refused to provide information on websites banned in the country.

Department tangle

The department of electronics and IT decided on the ban, but it was the department of telecom which served the order to the internet companies because it is the supervising authority for them. The RTI can be filed with the department of telecom as it issues guidelines for and notices to internet service providers. The same application could also have been filed with the department of electronics and information technology. This department might have replied to the application or forwarded it to the telecom department.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-september-3-2015-harjeet-inder-singh-sahi-hiding-behind-rules-on-naming-sites-it-banned-govt-reveals-fears

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill

Here is why government twitter handles have been posting offensive and partisan messages

praskrishna — 2016-10-16T03:24:45Z

You have failed us big time Mr Kejriwal, for your petty political gains you can become headlines for Pakistani press,” read a tweet on October 5 from @IndiaPostOffice, the official twitter handle of the Indian postal service.

The article by Danish Raza was published in the Hindustan Times on October 15, 2016. Nishant Shah was quoted.

It was a reference to Delhi Chief Minister Arvind Kejriwal urging the Prime Minister to counter Pakistan’s propaganda over surgical strikes.

Within hours, India Post tweeted an apology saying that the account was hacked.

This is the latest in a series of opinions and statements posted from official twitter handles of government departments and bodies. Of late, the Twitter handles meant to broadcast information related to government programmes have appeared like personal accounts tweeting slander and criticism.

Last month, the Twitter handle of Digital India tweeted a poem in Hindi calling on the Indian Army to persistently fire at protesters in Kashmir.

In August, the Twitter handle of Startup India retweeted a post suggesting that the Indian Army should ‘take care’ of #Presstitutes, a reference to sections of Indian media critical of the government.

The tweets expose loopholes in the government’s social media policy and raise questions about the norms followed in the recruitment of social media professionals for ministries and government institutions.

Work in Progress

The process of adopting new tools is work in progress. While the government agencies are trying to leverage social media to enhance citizen engagement, for the vast majority of government bodies, it is unexplored territory. Babus who have traditionally been dealing in paperwork and file notings are overwhelmed to see hash tags and trends. With a tech- savvy Prime Minister at the helm, every government department is trying to increase its digital footprint. At the same time, they face the challenge of reinterpreting existing work ethics and codes of conduct and applying them to the use of social media. Ministries such as the Ministry of External Affairs, Information & Broadcasting and the Prime Minister’s Office which have cohesive programmes and big mandate, have separate social media wings of their own with well- defined protocols. But these are exceptions.

Overall, the government bodies lack social media guidelines for their own efforts or which others can learn from. According to Chinmayi Arun, executive director, Centre for Communication Governance, National Law University, Delhi, mistakes are bound to happen given that everyone is new to social media. But it should be non-negotiable that when anything is said using an official governmental handle, the government should take more responsibility than just saying ‘oops’. “One of course is a clear and unequivocal statement apologising and taking back whatever was said. However, it should take pro-active measures to train and test people who handle its public-facing accounts and publish a clear monitoring and accountability mechanism by which they can be called to account. It should not be open to anyone to misuse the government’s official handles in this manner,” said Arun.

One of the areas where the lack of sensitisation is apparent is the usage of the same mobile device for multiple twitter handles – the most common reason for such goof-ups cited by social media consultants attached to various government departments. “I believe these were inadvertently posted by people handling these accounts. It may neither have been their mandate nor their intention. It happens when the person has configured multiple twitter handles from the same device and ends up posting from the wrong account,” said Amit Malviya, BJP’s National Convener, IT.

The majority of ministries and government departments do not give phones to members of the social media teams. It is up to the individual to use his personal device or get an additional one to manage the professional handle (s). A mistake will happen if a comment which was to be posted from the personal handle is posted from the official handle.

Twitter Goof-ups from GoI Accounts

“Because of the personalised and individual nature of social media, it is easy to forget that they are representing an institution and not themselves when using these handles. This also suggests the lack of public usage training in these organisations, and the need to educate our public actors in using social media with more responsibility as office bearers of an institution rather than a personal expression or an opinion,” said Nishant Shah, co-founder of the Centre for Internet and Society, Bangalore.

Another issue is that access to the account is given to multiple people. “Each one of them brings their individual personality and politics to their operation of the handle,” said Shah.

Hiring Issues

Part of the problem lies in the fact that there is no standard protocol on who can access the twitter handle of Indian government bodies and how this person or team is hired.

A few ministries (example: the ministry of railways) have a team comprising of government employees and staff of private agencies handling their account. Others have outsourced the job to agencies.

During the campaigning for the 2009 election, political parties got outside expertise to mark their presence online. The selection parameters of social media consultants – established public relations firms in some cases and individuals in others – was not uniform.

Unlike the traditional public relations officers who are from the Indian Information Services cadre, the social media consultants were selected based on their expertise in the field, political affiliation, and proximity to a party or leader.

Those who started handling social media accounts of political parties and leaders included trolls and social media influencers. “Parties got youngsters who were politically motivated and willing to work for political parties. They became cheaper alternatives for social media experts,” said Ishan Russel, political communication consultant.

After the NDA came to power, almost every ministry outsourced its digital expertise to agencies. Many individuals who were earlier directly working with leaders and parties got back with them via agencies. “If an agency is looking for people to handle the twitter account or Facebook page of a certain ministry in the BJP government, then those who are politically inclined towards the BJP will apply for the vacancies and their chances of getting hired are also much higher than someone who is neutral or known to be an AAP sympathiser,” said Vikas Pandey, 32-year-old software engineer, who headed the “I Support Namo” campaign on Facebook and Twitter, as a volunteer for the BJP.

Last year, the Prime Minister felicitated more than a dozen social media enthusiasts, including Vikas. The move raised eyebrows because many felt that the government was encouraging trolls. “It illuminates the fact that trolls have found gainful employment in the Government of India. Also that the entire edifice of the centre is being taken over by woefully undereducated bigots,” said Swati Chaturvedi, senior journalist and author.

Agency, the Soft Target

Till the time the government staff is well versed with social media tools, attributing the mistakes to an ‘outside agency’ appears to be the norm.

In the case of the twitter goof-up involving Startup India, Commerce and Industry minister Nirmala Sitharaman blamed a private agency that was managing the account of Startup India. “The retweets were done by an employee of the agency hired by the department of industrial policy and promotion. The person assigned by the agency for this particular job is not decided by the department and is the sole prerogative of the agency,” she said.

S Radha Chauhan, CEO of National e-Governance Division, attributed the controversial post from Digital India’s twitter handle to an agency called Trivone. “The person responsible had mistakenly tweeted from the official handle what he wanted to tweet from his personal account,” said Chauhan.

Those familiar with the functioning of the government’s social media verticals say that agencies are mentioned to cover up for mistakes often committed by someone from the government staff. “When in crisis, blame the agency, is the thumbrule the government follows. The fact is that each twitter post is approved by the client before it is posted,” said a senior executive with a digital marketing firm attached to a ministry which has recently earned lot of praise for its social media initiatives.

Nishtha Arora, social media and digital consultant in a reputed ad agency, was handling a political account till very recently. She said that the client required her to just randomly tweet or RT to be heard by the followers of a tech-savvy minister and be his digital mouthpiece. “I often had to draft tweets which looked like press releases,” she said.

“Digital faux pas is blamed on to someone who might be an expert in the field but yet has to bow down to the client pressure so that their agenda for the day is met and the said government body or ministry remains in the news,” she added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-danish-raza-october-15-2016-here-is-why-government-twitter-handles-have-been-posting-offensive-and-partisan-messages

Here is the entire list of 'escorts service' websites that the government has banned

praskrishna — 2016-07-02T04:51:30Z

Another day and another opaque order asking Indian service providers to block websites that allegedly offer or advertise escort services in India. In total, the government has ordered ban on 237 websites. But as it happens whenever the Indian government bans website, there has been no public communication about the same.

The article was published in India Today on June 16, 2016

Also, it has not been explained what, if any, process was followed before these websites were banned and what norms were applied for the order that the internet service providers have received.

However, now Centre for Internet and Society has caught hold of the list of the websites that have been banned. Here is what the organisation says, "Unfortunately, the government does not make available publicly the list of websites they have ordered ISPs to block. Given that knowledge of what is censored by the government is crucial in a democracy, we are publishing the entire list of blocked websites."

As for the websites and URLs here they are:

www.sterlingbioscience.com
rawpoint.biz
www.onemillionbabes.com
www.mumbaihotcollection.in
simranoberoi.in
rubinakapoor.biz
talita.biz
www.mumbaiescortsagency.net
www.mumbaifunclubs.com
www.alishajain.co.in
www.ankitatalwar.co.in
https://www.jennyarora.ind.in
www.riya-kapoor.com
shneha.in
missinimi.in
www.mumbaiglamour.in
kalyn.in
www.saumyagiri.co.in/city/mumbai/
bookerotic.com
www.divyamalik.in
www.suhanisharma.co.in
www.ruhi.biz
umbaiqueens.in
www.aliyaghosh.com
priyasen.in
www.highprofilemumbaiescorts.co.in
charmingmumbai.com
www.poojamehata.in
kiiran.in/
mansikher.in
www.newmumbaiescorts.in
www.mumbaifunclubs.com
www.punarbas.in
www.discreetbabes.in
www.alisharoy.in
www.arpitarai.in
www.nidhipatel.in
navimumbailescort.com
www.zoyaescorts.com
www.juhioberoi.in
shoniya.in
panchibora.in
rehu.in
www.nehaanand.com
www.aditiray.co.in
www.rakhibajaj.in
www.alianoidaescorts.in
www.sobiya.in
www.alishaparul.in
mumbai-escorts.leathercurrency.com
ankita-ahuja.in
www.yamika.in
mumbailescort.co
www.ranjika.in
www.aditiray.com
www.alinamumbailescort.in
www.sonikaa.com/services/
riyamodel.in
soonam.in
www.sejalthakkar.com
www.yomika-tandon.in
www.asika.in
www.siyasharma.org/
www.rubikamathur.in
www.mumbaiescortslady.com
www.sexyshe.in
www.indepandentescorts.com
www.saanvichopra.co.in
www.goswamipatel.in
ojaloberoi.in
www.naincy.in
www.sonyamehra.com
www.pinkgrapes.in
anjalitomar.in/
www.nishakohli.com/
sagentia.co.in
mumbai.vivastreet.co.in/escort+mumbai
www.deseescortgirls.in
guides.wonobo.com/mumbai/mumbai-escorts-service/.4299
jasmineescorts.com
www.shalinisethi.com
www.highclassmumbailescort.com
www.vipescortsinmumbai.com
www.mumbaiescorts69.co.in
monikabas.co.in
www.riyasehgal.com
onlycelebrity.in
www.greatmumbaiescorts.com/escort-service-mumbai.html
www.aishamumbailescort.com
www.jennydsouzaescort.com
www.desifun.in
www.siyaescort.co.in
masti-escort.in
www.sofya.in
www.mumbaiwali.in/navi-mumbai-escort-service.php
www.mumbaiwali.in
www.calldaina.com
www.mumbaiescortsservice.co.in
www.escortsgirlsinmumbai.com
www.passionmumbai.escorts.com
www.nehakapoor.in
meerakapoor.com
www.dianamumbaiescorts.net .in
www.allmumbailescort.in
www.rakhiarora.in
www.ritikasingh.com
www.rekhapatil.com
www.mumbaidolls.com
www.piapandey.com
www.mumbaicuteescorts.in
www.mumbaiescortssevice.com
www.onlycelebrity.com
www.meetescortservice.com
onlyoneescorts.com
simirai.org
www.riyamumbaiescorts.in
www.neharana.in
www.mumbaihiprofilegirls.in
www.sexyescortsmumbai.in
www.sexymumbai.escorts.com
www.four-seasons-escort.in
www.mumbaiescortsgirl.com
www.vdreamescorts.com
www.passionatemumbaiescorts.in
www.payalmalhotra.in
www.shrutisinha.com
www.juliemumbaiescorts.com
www.indiasexservices.com/mumbai.html
www.mumbai-escorts.co.in
www.aliyamumbaiescorts.net.in
shivaniarora.co.in/escort-service-mumbai.html
www.pinkisingh.com
soyam.in
www.arpitaray.com
www.localescorts.in
www.jennifermumbaiescorts.com
www.yanaroy.com
escorts18.in/mumbai-escorts.html
www.tinamumbaiescorts.com
www.mumbaijannatescorts.com
www.deepikaroy.com
www.nancy.co.in
www.pearlpatel.in
30minsmumbaiescorts.in
www.datinghopes.com
https://www.riyaroy.com/services.html
www.sonalikajain.com
www.zainakapoor.co.in
kavyajain.in
www.kinnu.co.in
exmumbai.in/
www.mansimathur.in/pinkyagarwal
exmumbai.in
www.mansimathur.in/pinkyagarwal
www.devikabatra.in
katlin.in
riyaverma.in
escortsinindia.co/
www.snehamumbaiescorts.in
shimi.in
www.mumbaiescortsforu.com/about
www.chetnagaur.co.in/chetna-gaur.html
www.escortspoint.in
www.rupalikakkar.in
www.hemangisinha.co.in
1escorts.in/location/mumbai.html
www.salini.in/navi-mumbai-independent-escort-service.php
www.salini.in/navi-mumbai-independent-escort-service.php
www.mumbaibella.in
mohitescortservicesmumbai.com
www.anchu.in
www.aliyaroy.co.in
jaanu.co.in/mumbai-escorts-service-call-girls.html
www.andyverma.com
dreams-come-true.biz
feel-better.biz
jellyroll.biz
dreamgirlmumbai.com
role-play.biz
mansi-mathur.com
www.zarinmumbaiescorts.com
mymumbai.escortss.com
www.goldentouchescorts.com
www.mumbaipassion.biz
ishitamalhotra.com
happy-ending.biz
juicylips.biz
www.escortsmumbai.name
www.kirstygbasai.net
www.hiremumbaiescorts.com
www.meeraescorts.com/mumbai-escorts.php
3-5-7star.biz
www.pranjaltiwari.com
www.richagupta.biz
way2heaven.biz
piya.co/
pinkflowers.info
www.beautifulmumbaiescorts.com
www.bestescortsinmumbai.com/charges-html
www.mumbaiescorts.me
www.tanikatondon.com
www.escortsinmumbai.biz
www.escortgirlmumbai.com
www.mumbaicallgrils.com
www.quickescort4u.com
www.mayamalhotra.com
www.legal-escort.com
escortsbaba.com/mumbai-escorts.html
rupa.biz
www.mumbaiescorts.agency/erotic-service-mumbai.html
www.escortscelebrity.com
www.independentescortservicemumbai.com/mumbai%20escort%20servi..
garimachopra.com
kajalgupta.biz
lipkiss.site
aanu.in
bombayescort.in
hotkiran.co.in
khushikapoor.in
joyapatel.in
rici.in
aaditi.in
andheriescorts.org.in
www.jiyapatel.in
spicymumbai.in
rimpyarora.in
lovemaking.co.in
riyadubey.co.in
escortservicesmumbai.in
mumbaiescorts.co.in
midnightprincess.in/
vashiescorts.co.in/
angee.in/
www.rozakhan.in/
www.mumbaiescortsvilla.in/
kylie.co.in/
escortservicemumbai.co.in

For more details visit https://cis-india.org/internet-governance/news/india-today-june-16-2016-here-is-the-entire-list-of-escorts-service-websites-that-govt-has-banned

Health Data Management Policies - Differences Between the EU and India

shweta — 2023-07-10T16:36:25Z

Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

This issue brief was reviewed and edited by Pallavi Bedi

Introduction

Health data has seen an increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid 19 pandemic also brought about an increased focus on health data, and brought players that earlier did not collect health data to be required to collect such data, including offices and public spaces. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are in varying processes to get health data regulated over and above the existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health Id system, and a data protection legislation (GDPR) is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

Background

EU Health Data Space

The EU Health Data Space (EUHDS) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure, around health data under a common governance framework. The EUHDS is set to rely on two pillars; namelyMyHealth@EU and HealthData@EU, where MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, the HealthData@EU,faciliates secondary use of data which allows policy makers,researchers access to health data to foster research and innovation.^{^[1]} The EUHDS aims to provide a trustworthy system to access and process health data and builds up from the General Data Protection Regulation (GDPR), proposed Data Governance Act.^{^[2]}

India’s health data policies:

The last few years has seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The BluePrint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs.^{^[3]} Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.^{^[4]}

The National Health Authority (NHA) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (DISHA) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.^{^[5]} However since its call for public consultation no progress has been made on this front.

Along with these three strategy documents the NHA has also released policy documents more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers.

In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data.

Comparison of the Health Data Management Approaches
Interoperability with Data Protection Legislations

At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.

The Indian Health data policies however currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version called the Digital Personal Data Protection Bill 2022 seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries^{^[6]} that deal with health data (something that was present in all the earlier versions of the Bill) and in other data protection legislation across different jurisdictions and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to be created by rules, based on the sensitivity of data decided by the government at a later date.^{^[7]} In addition to this the Bill does not define “health data”, the reason why this is a cause for worry is that the existing health data policies also do not define health data often relying on the definition mentioned in the versions of Data Protection Bill.

Definitions and Scope

The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679^{^[8]}, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices.

In India the Health Data Management Policy 2022, defines “Personal Health Records” (PHR) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 version of the Data Protection Legislation had definitions of the term health data, however the 2022 version of the Bill does away with the definition.

Health data and wearable devices

One of the forward looking provisions in the EUHDS is the inclusion of devices that records health data into this legislation. This also includes the requirement of them to be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just for the regulation point of view but also in the case of data portability, in order for people to control the data they share. In addition to this in the case where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS.

In India the health data management policy 2022 while stating the applicable entities and individuals who are part of the ABDM ecosystem^{^[9]} mention medical device manufacturers, does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However in 2020 possibly due to the pandemic the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications the first one expanded the scope of medical devices which earlier was limited to only 37 categories excluding medical apps, and second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.^{^[10]} However, this regulatory uncertainty has not brought about any change in how this data is being used and insurance companies at times encourage people to sync their fitness tracker data.^{^[11]}

Multiple use of health data

The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data. the EU encourages the data holders to contribute to this effort in making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications.However, the regulation cautions against using this data for measures and making decisions that are detrimental to the individual, in ways such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data care should be taken by the data access bodies, to ensure that while data is being shared it is necessary to ensure that the data will be processed in a privacy preserving manner. This could include through pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.

While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request.

In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently the PMJay documents states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee^{^[12]} for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However the document does not mention what clean rooms are in this context.

The Health Data Management Policy 2022 states that Data fiduciaries (data controllers/ processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based in technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated.

However the issue arises as both the documents published by the NHA do not have a similar process for getting the data, for example the NDHMP requires the data fiduciary to share the data directly, while the PMJay guidelines requires the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared.

Recommendations for India
Need for a data protection legislation:

While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to the privacy and data protection based on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data creates a more streamlined process for all stakeholders. More importantly the GDPR and other regulations provide a way of recourse for people. In India the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this India, unlike the EU has just begun looking at a universal health ID and digitisation of the healthcare system, ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. In addition to this, multiple policies, without a strong data protection legislation providing parameters and definitions could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management which creates data duplication and issues with data quality.

Secondary use of data

While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers, however the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PMJAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the polices do not put limits or checks on who the researchers are and what is the end goal of the data sought by them, the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, could be used by companies working with the researchers to get large amounts of data to train their systems,

train data that could lead to greater surveillance, increase insurance scrutiny etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data.

Conclusion

While the EU Health data space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way give some way to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation, similarly it could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act which much like the EUHDS could act as a legislation which provides an anchor to the multiple health data policies, including standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition a legislation dedicated to the health data would also remove the existing burden on the to be formed data protection authority.

^{^[1]} “European Health Data Space”, European Commission, 03 May 2022,https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en

^{^[2]}“European Health Data Space”

^{^[3]} “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf

^{^[4]} “National Digital Health Blueprint”

^{^[5]} “Mondaq” “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data” accessed 13 June 2023,https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data

^{^[6]}“The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023 , https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf

^{^[7]}The Digital Personal Data Protection Bill 2022

^{^[8]} Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

^{^[9]} For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.

^{^[10]} For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.

^{^[11]}“Healthcare Executive” “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance, accessed 13 June 2023
https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch

^{^[12]} The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control. And does not go into details of defining the Committee.

For more details visit https://cis-india.org/internet-governance/blog/health-data-management-policies