We are anonymous, we are legion

Hiding behind rules on naming sites it banned, govt reveals fears

praskrishna — 2015-09-27T10:59:56Z

With the union government's ban on 857 porn sites in July creating brouhaha across the country, there had been a concern over the voice of the youth being stifled and censorship making a comeback.

The article by Harjeet Inder Singh Sahi was published in the Hindustan Times on September 3, 2015.

Even though there was a partial rollback of the ban, the government still seems intent on being obtrusive with information and deny access to it, especially about the internet and the way it intends to govern it.

This has been illustrated by the union government's department of telecommunications refusing to provide information on websites it has banned to a petition under the Right to Information (RTI) Act.

The reply

"The group coordinator, cyber law division, department of electronics and information technology, has been authorised as designated officer and issues instructions for blocking/unblocking of websites/URLs. The clause 16 of Information Technology Procedure and Safeguards for blocking access of information by Public, Rules 2009, says strict confidentiality shall be maintained regarding all requests and complaints received and actions taken thereof," says the reply to the RTI application filed by this correspondent on August 3.

The reply to the petition - filed at www.rtionline.gov.in with registration number DOTEL/R/2015/61348 - was received on August 27.

Background to the case

In July this year, the department of electronics and information technology had banned 857 pornographic websites listed in the petition of Indore-based advocate Kamlesh Vaswani in the supreme court. The websites were banned by citing 'morality' and 'decency' enshrined in Article 19 (2) of the Constitution of India and under provisions of the Information Technology Act, 2000. A few days later, the government did a flip-flop and revoked the ban partially.

The Centre for Internet and Society (CIS) had subsequently released the list online. Now, the government has refused to provide information on websites banned in the country.

Department tangle

The department of electronics and IT decided on the ban, but it was the department of telecom which served the order to the internet companies because it is the supervising authority for them. The RTI can be filed with the department of telecom as it issues guidelines for and notices to internet service providers. The same application could also have been filed with the department of electronics and information technology. This department might have replied to the application or forwarded it to the telecom department.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-september-3-2015-harjeet-inder-singh-sahi-hiding-behind-rules-on-naming-sites-it-banned-govt-reveals-fears

Here’s why we need a lot more discussion on India’s new DNA Profiling Bill

elonnai — 2017-08-21T23:48:03Z

The DNA Profiling Bill 2017 is still missing a number of safeguards that would enable individual rights. The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated.

The article was published in the Hindustan Times on August 7, 2017.

The first step towards a DNA Profiling Bill was taken in 2007 with the ‘Draft DNA Profiling Bill” by the Centre for DNA Fingerprinting and Diagnostics. Since then, there has been a 2012, 2015, and a 2016 version of the Bill - the last not available to the public. In 2013, the Department of Biotechnology formulated an Expert Committee to deliberate on concerns raised about the Bill and finalise the text. The “Use and Regulation of DNA Based Technology Bill 2017” and the report by the Law Commission is a further evolution of the legislation and dialogue. The 2017 Bill contains a number of improvements from previous versions - yet there are still outstanding concerns that remain.

Positive changes in the Bill include provisions for consent, defined instances for deletion of profiles, limitation on purpose of the use of data in the DNA Data Bank, defined instances fo r destruction of biological samples, and the ability for an individual to request a re-test of bodily substances if they believe contamination has occurred.

Despite these changes the Bill still has an overly broad schedule defining instances of when DNA profiling can be used and is missing a number of safeguards that would enable individual rights. These include a right to notification of storage and access to information on the DNA databank, the right to appeal and challenge storage of DNA samples, and right to access and review personal information stored on the DNA Data Bank.

It is concerning that the 2017 Bill has left the defining of privacy and security safeguards to regulation — including implementation and sufficiency of protection, appropriate use and dissemination of DNA information, accuracy, security and confidentiality of DNA information, timely removal and deletion of obsolete or inaccurate DNA information, and other steps as necessary. Furthermore, though the Law Commission cites the use of the 13 CODIS (Combined DNA Index System) profiling standard as a means to protecting privacy in its report — this standard has yet to find its way in the text of the Bill.

The implications of creating regional and national level DNA databanks need to be fully understood and publicly debated. DNA is not foolproof - false matches can take place for multiple reasons. Importantly, the usefulness of DNA based technology to a legal system and the impact on individual rights is dependent and reflective of the social, legal, and political environment the technology is used in. DNA based technology can be a powerful tool for law enforcement, and it is important that a robust process and structure is given to the collection of DNA samples from a crime scene to the laboratory for analysis, to the DNA Bank for storage and comparison, but this structure needs to also be fully cognizant of the rights of individuals and the potential for misuse of the technology.

As society continues to rapidly become more and more data centric, and that data increasingly is a direct extension of the person, it is critical that legislation that is developed has clear protections of rights. In addition to amendments to the text of the draft 2017 Bill, this includes enacting a comprehensive privacy legislation in India. It is worrying that in the conclusion of its report, the Law Commission has referred to whether privacy is an integral part of Article 21 of the Constitution as merely “a matter of academic debate.” Privacy is recognised as a fundamental right in many democratic contexts – including many of those reviewed by the Law Commission as examples of contexts with DNA Profiling laws.

Policy needs to evolve past protections that are limited to process oriented legal privacy provisions, but instead to protections that are comprehensive — accounting for process and enabling the individual to control and know how her/his data is being used and by whom. Other countries have recognised this and are taking important steps to empower the individual. India needs to do the same for its citizens.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-elonnai-hickok-august-7-2017-here-is-why-we-need-a-lot-more-discussion-on-indias-new-dna-profiling-bill

Here is why government twitter handles have been posting offensive and partisan messages

praskrishna — 2016-10-16T03:24:45Z

You have failed us big time Mr Kejriwal, for your petty political gains you can become headlines for Pakistani press,” read a tweet on October 5 from @IndiaPostOffice, the official twitter handle of the Indian postal service.

The article by Danish Raza was published in the Hindustan Times on October 15, 2016. Nishant Shah was quoted.

It was a reference to Delhi Chief Minister Arvind Kejriwal urging the Prime Minister to counter Pakistan’s propaganda over surgical strikes.

Within hours, India Post tweeted an apology saying that the account was hacked.

This is the latest in a series of opinions and statements posted from official twitter handles of government departments and bodies. Of late, the Twitter handles meant to broadcast information related to government programmes have appeared like personal accounts tweeting slander and criticism.

Last month, the Twitter handle of Digital India tweeted a poem in Hindi calling on the Indian Army to persistently fire at protesters in Kashmir.

In August, the Twitter handle of Startup India retweeted a post suggesting that the Indian Army should ‘take care’ of #Presstitutes, a reference to sections of Indian media critical of the government.

The tweets expose loopholes in the government’s social media policy and raise questions about the norms followed in the recruitment of social media professionals for ministries and government institutions.

Work in Progress

The process of adopting new tools is work in progress. While the government agencies are trying to leverage social media to enhance citizen engagement, for the vast majority of government bodies, it is unexplored territory. Babus who have traditionally been dealing in paperwork and file notings are overwhelmed to see hash tags and trends. With a tech- savvy Prime Minister at the helm, every government department is trying to increase its digital footprint. At the same time, they face the challenge of reinterpreting existing work ethics and codes of conduct and applying them to the use of social media. Ministries such as the Ministry of External Affairs, Information & Broadcasting and the Prime Minister’s Office which have cohesive programmes and big mandate, have separate social media wings of their own with well- defined protocols. But these are exceptions.

Overall, the government bodies lack social media guidelines for their own efforts or which others can learn from. According to Chinmayi Arun, executive director, Centre for Communication Governance, National Law University, Delhi, mistakes are bound to happen given that everyone is new to social media. But it should be non-negotiable that when anything is said using an official governmental handle, the government should take more responsibility than just saying ‘oops’. “One of course is a clear and unequivocal statement apologising and taking back whatever was said. However, it should take pro-active measures to train and test people who handle its public-facing accounts and publish a clear monitoring and accountability mechanism by which they can be called to account. It should not be open to anyone to misuse the government’s official handles in this manner,” said Arun.

One of the areas where the lack of sensitisation is apparent is the usage of the same mobile device for multiple twitter handles – the most common reason for such goof-ups cited by social media consultants attached to various government departments. “I believe these were inadvertently posted by people handling these accounts. It may neither have been their mandate nor their intention. It happens when the person has configured multiple twitter handles from the same device and ends up posting from the wrong account,” said Amit Malviya, BJP’s National Convener, IT.

The majority of ministries and government departments do not give phones to members of the social media teams. It is up to the individual to use his personal device or get an additional one to manage the professional handle (s). A mistake will happen if a comment which was to be posted from the personal handle is posted from the official handle.

Twitter Goof-ups from GoI Accounts

“Because of the personalised and individual nature of social media, it is easy to forget that they are representing an institution and not themselves when using these handles. This also suggests the lack of public usage training in these organisations, and the need to educate our public actors in using social media with more responsibility as office bearers of an institution rather than a personal expression or an opinion,” said Nishant Shah, co-founder of the Centre for Internet and Society, Bangalore.

Another issue is that access to the account is given to multiple people. “Each one of them brings their individual personality and politics to their operation of the handle,” said Shah.

Hiring Issues

Part of the problem lies in the fact that there is no standard protocol on who can access the twitter handle of Indian government bodies and how this person or team is hired.

A few ministries (example: the ministry of railways) have a team comprising of government employees and staff of private agencies handling their account. Others have outsourced the job to agencies.

During the campaigning for the 2009 election, political parties got outside expertise to mark their presence online. The selection parameters of social media consultants – established public relations firms in some cases and individuals in others – was not uniform.

Unlike the traditional public relations officers who are from the Indian Information Services cadre, the social media consultants were selected based on their expertise in the field, political affiliation, and proximity to a party or leader.

Those who started handling social media accounts of political parties and leaders included trolls and social media influencers. “Parties got youngsters who were politically motivated and willing to work for political parties. They became cheaper alternatives for social media experts,” said Ishan Russel, political communication consultant.

After the NDA came to power, almost every ministry outsourced its digital expertise to agencies. Many individuals who were earlier directly working with leaders and parties got back with them via agencies. “If an agency is looking for people to handle the twitter account or Facebook page of a certain ministry in the BJP government, then those who are politically inclined towards the BJP will apply for the vacancies and their chances of getting hired are also much higher than someone who is neutral or known to be an AAP sympathiser,” said Vikas Pandey, 32-year-old software engineer, who headed the “I Support Namo” campaign on Facebook and Twitter, as a volunteer for the BJP.

Last year, the Prime Minister felicitated more than a dozen social media enthusiasts, including Vikas. The move raised eyebrows because many felt that the government was encouraging trolls. “It illuminates the fact that trolls have found gainful employment in the Government of India. Also that the entire edifice of the centre is being taken over by woefully undereducated bigots,” said Swati Chaturvedi, senior journalist and author.

Agency, the Soft Target

Till the time the government staff is well versed with social media tools, attributing the mistakes to an ‘outside agency’ appears to be the norm.

In the case of the twitter goof-up involving Startup India, Commerce and Industry minister Nirmala Sitharaman blamed a private agency that was managing the account of Startup India. “The retweets were done by an employee of the agency hired by the department of industrial policy and promotion. The person assigned by the agency for this particular job is not decided by the department and is the sole prerogative of the agency,” she said.

S Radha Chauhan, CEO of National e-Governance Division, attributed the controversial post from Digital India’s twitter handle to an agency called Trivone. “The person responsible had mistakenly tweeted from the official handle what he wanted to tweet from his personal account,” said Chauhan.

Those familiar with the functioning of the government’s social media verticals say that agencies are mentioned to cover up for mistakes often committed by someone from the government staff. “When in crisis, blame the agency, is the thumbrule the government follows. The fact is that each twitter post is approved by the client before it is posted,” said a senior executive with a digital marketing firm attached to a ministry which has recently earned lot of praise for its social media initiatives.

Nishtha Arora, social media and digital consultant in a reputed ad agency, was handling a political account till very recently. She said that the client required her to just randomly tweet or RT to be heard by the followers of a tech-savvy minister and be his digital mouthpiece. “I often had to draft tweets which looked like press releases,” she said.

“Digital faux pas is blamed on to someone who might be an expert in the field but yet has to bow down to the client pressure so that their agenda for the day is met and the said government body or ministry remains in the news,” she added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-danish-raza-october-15-2016-here-is-why-government-twitter-handles-have-been-posting-offensive-and-partisan-messages

Here is the entire list of 'escorts service' websites that the government has banned

praskrishna — 2016-07-02T04:51:30Z

Another day and another opaque order asking Indian service providers to block websites that allegedly offer or advertise escort services in India. In total, the government has ordered ban on 237 websites. But as it happens whenever the Indian government bans website, there has been no public communication about the same.

The article was published in India Today on June 16, 2016

Also, it has not been explained what, if any, process was followed before these websites were banned and what norms were applied for the order that the internet service providers have received.

However, now Centre for Internet and Society has caught hold of the list of the websites that have been banned. Here is what the organisation says, "Unfortunately, the government does not make available publicly the list of websites they have ordered ISPs to block. Given that knowledge of what is censored by the government is crucial in a democracy, we are publishing the entire list of blocked websites."

As for the websites and URLs here they are:

www.sterlingbioscience.com
rawpoint.biz
www.onemillionbabes.com
www.mumbaihotcollection.in
simranoberoi.in
rubinakapoor.biz
talita.biz
www.mumbaiescortsagency.net
www.mumbaifunclubs.com
www.alishajain.co.in
www.ankitatalwar.co.in
https://www.jennyarora.ind.in
www.riya-kapoor.com
shneha.in
missinimi.in
www.mumbaiglamour.in
kalyn.in
www.saumyagiri.co.in/city/mumbai/
bookerotic.com
www.divyamalik.in
www.suhanisharma.co.in
www.ruhi.biz
umbaiqueens.in
www.aliyaghosh.com
priyasen.in
www.highprofilemumbaiescorts.co.in
charmingmumbai.com
www.poojamehata.in
kiiran.in/
mansikher.in
www.newmumbaiescorts.in
www.mumbaifunclubs.com
www.punarbas.in
www.discreetbabes.in
www.alisharoy.in
www.arpitarai.in
www.nidhipatel.in
navimumbailescort.com
www.zoyaescorts.com
www.juhioberoi.in
shoniya.in
panchibora.in
rehu.in
www.nehaanand.com
www.aditiray.co.in
www.rakhibajaj.in
www.alianoidaescorts.in
www.sobiya.in
www.alishaparul.in
mumbai-escorts.leathercurrency.com
ankita-ahuja.in
www.yamika.in
mumbailescort.co
www.ranjika.in
www.aditiray.com
www.alinamumbailescort.in
www.sonikaa.com/services/
riyamodel.in
soonam.in
www.sejalthakkar.com
www.yomika-tandon.in
www.asika.in
www.siyasharma.org/
www.rubikamathur.in
www.mumbaiescortslady.com
www.sexyshe.in
www.indepandentescorts.com
www.saanvichopra.co.in
www.goswamipatel.in
ojaloberoi.in
www.naincy.in
www.sonyamehra.com
www.pinkgrapes.in
anjalitomar.in/
www.nishakohli.com/
sagentia.co.in
mumbai.vivastreet.co.in/escort+mumbai
www.deseescortgirls.in
guides.wonobo.com/mumbai/mumbai-escorts-service/.4299
jasmineescorts.com
www.shalinisethi.com
www.highclassmumbailescort.com
www.vipescortsinmumbai.com
www.mumbaiescorts69.co.in
monikabas.co.in
www.riyasehgal.com
onlycelebrity.in
www.greatmumbaiescorts.com/escort-service-mumbai.html
www.aishamumbailescort.com
www.jennydsouzaescort.com
www.desifun.in
www.siyaescort.co.in
masti-escort.in
www.sofya.in
www.mumbaiwali.in/navi-mumbai-escort-service.php
www.mumbaiwali.in
www.calldaina.com
www.mumbaiescortsservice.co.in
www.escortsgirlsinmumbai.com
www.passionmumbai.escorts.com
www.nehakapoor.in
meerakapoor.com
www.dianamumbaiescorts.net .in
www.allmumbailescort.in
www.rakhiarora.in
www.ritikasingh.com
www.rekhapatil.com
www.mumbaidolls.com
www.piapandey.com
www.mumbaicuteescorts.in
www.mumbaiescortssevice.com
www.onlycelebrity.com
www.meetescortservice.com
onlyoneescorts.com
simirai.org
www.riyamumbaiescorts.in
www.neharana.in
www.mumbaihiprofilegirls.in
www.sexyescortsmumbai.in
www.sexymumbai.escorts.com
www.four-seasons-escort.in
www.mumbaiescortsgirl.com
www.vdreamescorts.com
www.passionatemumbaiescorts.in
www.payalmalhotra.in
www.shrutisinha.com
www.juliemumbaiescorts.com
www.indiasexservices.com/mumbai.html
www.mumbai-escorts.co.in
www.aliyamumbaiescorts.net.in
shivaniarora.co.in/escort-service-mumbai.html
www.pinkisingh.com
soyam.in
www.arpitaray.com
www.localescorts.in
www.jennifermumbaiescorts.com
www.yanaroy.com
escorts18.in/mumbai-escorts.html
www.tinamumbaiescorts.com
www.mumbaijannatescorts.com
www.deepikaroy.com
www.nancy.co.in
www.pearlpatel.in
30minsmumbaiescorts.in
www.datinghopes.com
https://www.riyaroy.com/services.html
www.sonalikajain.com
www.zainakapoor.co.in
kavyajain.in
www.kinnu.co.in
exmumbai.in/
www.mansimathur.in/pinkyagarwal
exmumbai.in
www.mansimathur.in/pinkyagarwal
www.devikabatra.in
katlin.in
riyaverma.in
escortsinindia.co/
www.snehamumbaiescorts.in
shimi.in
www.mumbaiescortsforu.com/about
www.chetnagaur.co.in/chetna-gaur.html
www.escortspoint.in
www.rupalikakkar.in
www.hemangisinha.co.in
1escorts.in/location/mumbai.html
www.salini.in/navi-mumbai-independent-escort-service.php
www.salini.in/navi-mumbai-independent-escort-service.php
www.mumbaibella.in
mohitescortservicesmumbai.com
www.anchu.in
www.aliyaroy.co.in
jaanu.co.in/mumbai-escorts-service-call-girls.html
www.andyverma.com
dreams-come-true.biz
feel-better.biz
jellyroll.biz
dreamgirlmumbai.com
role-play.biz
mansi-mathur.com
www.zarinmumbaiescorts.com
mymumbai.escortss.com
www.goldentouchescorts.com
www.mumbaipassion.biz
ishitamalhotra.com
happy-ending.biz
juicylips.biz
www.escortsmumbai.name
www.kirstygbasai.net
www.hiremumbaiescorts.com
www.meeraescorts.com/mumbai-escorts.php
3-5-7star.biz
www.pranjaltiwari.com
www.richagupta.biz
way2heaven.biz
piya.co/
pinkflowers.info
www.beautifulmumbaiescorts.com
www.bestescortsinmumbai.com/charges-html
www.mumbaiescorts.me
www.tanikatondon.com
www.escortsinmumbai.biz
www.escortgirlmumbai.com
www.mumbaicallgrils.com
www.quickescort4u.com
www.mayamalhotra.com
www.legal-escort.com
escortsbaba.com/mumbai-escorts.html
rupa.biz
www.mumbaiescorts.agency/erotic-service-mumbai.html
www.escortscelebrity.com
www.independentescortservicemumbai.com/mumbai%20escort%20servi..
garimachopra.com
kajalgupta.biz
lipkiss.site
aanu.in
bombayescort.in
hotkiran.co.in
khushikapoor.in
joyapatel.in
rici.in
aaditi.in
andheriescorts.org.in
www.jiyapatel.in
spicymumbai.in
rimpyarora.in
lovemaking.co.in
riyadubey.co.in
escortservicesmumbai.in
mumbaiescorts.co.in
midnightprincess.in/
vashiescorts.co.in/
angee.in/
www.rozakhan.in/
www.mumbaiescortsvilla.in/
kylie.co.in/
escortservicemumbai.co.in

For more details visit https://cis-india.org/internet-governance/news/india-today-june-16-2016-here-is-the-entire-list-of-escorts-service-websites-that-govt-has-banned

Health Data Management Policies - Differences Between the EU and India

shweta — 2023-07-10T16:36:25Z

Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

This issue brief was reviewed and edited by Pallavi Bedi

Introduction

Health data has seen an increased interest the world over, on account of the amount of information and inferences that can be drawn not just about a person but also about the population in general. The Covid 19 pandemic also brought about an increased focus on health data, and brought players that earlier did not collect health data to be required to collect such data, including offices and public spaces. This increased interest has led to further thought on how health data is regulated and a greater understanding of the sensitivity of such data, because of which countries are in varying processes to get health data regulated over and above the existing data protection regulations. The regulations not only look at ensuring the privacy of the individual but also look at ways in which this data can be shared with companies, researchers and public bodies to foster innovation and to monetise this valuable data. However for a number of countries the effort is still on the digitisation of health data. India has been in the process of implementing a nationwide health ID that can be used by a person to get all their medical records in one place. The National Health Authority (NHA) has also since 2017 been publishing policies that look at the framework and ecosystem of health data, as well as the management and sharing of health data. However these policies and a scattered implementation of the health ID are being carried out without a data protection legislation in place. In comparison, Europe, which already has an established health Id system, and a data protection legislation (GDPR) is looking at the next stage of health data management through the EU Health Data Space (EUHDS). Through this issue brief we would like to highlight the differences in approaches to health data management taken by the EU and India, and look at possible recommendations for India, in creating a privacy preserving health data management policy.

Background

EU Health Data Space

The EU Health Data Space (EUHDS) was proposed by the EU Council as a way to create an ecosystem which combines rules, standards, practices and infrastructure, around health data under a common governance framework. The EUHDS is set to rely on two pillars; namelyMyHealth@EU and HealthData@EU, where MyHealth@EU facilitates easy flow of health data between patients and healthcare professionals within member states, the HealthData@EU,faciliates secondary use of data which allows policy makers,researchers access to health data to foster research and innovation.^{^[1]} The EUHDS aims to provide a trustworthy system to access and process health data and builds up from the General Data Protection Regulation (GDPR), proposed Data Governance Act.^{^[2]}

India’s health data policies:

The last few years has seen a flurry of health policies and documents being published and the creation of a framework for the evolution of a National Digital Health Ecosystem (NDHE). The components for this ecosystem were the National Digital Health Blueprint published in 2019 (NDHB) and the National Digital Health Mission (NDHM). The BluePrint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs.^{^[3]} Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.^{^[4]}

The National Health Authority (NHA) established in 2018 has been given the responsibility of implementing the National Digital Health Mission. 2018 also saw the Digital Information Security in Healthcare Act (DISHA) which was to be a legislation that laid down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data ("DHD") and associated personal data.^{^[5]} However since its call for public consultation no progress has been made on this front.

Along with these three strategy documents the NHA has also released policy documents more particularly the Health Data Management Policy (which was revised three times; the latest version released in April 2022), the Health Data Retention Policy (released April 2021), and the Consultation Paper on Unified Health Interface (UHI) (released March 2021). Along with this in 2022 the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines published in August 2022 did not even refer to the draft National Digital Health Data Management Policy (published in April 2022). As stated through the examples above these documents do not cross-refer or mention preceding health data documents, creating a lack of clarity of which documents are being used as guidelines by health care providers.

In addition to this the Personal Data Protection Bill has been revised three times since its release in 2018. The latest version was published for public comments on November 18, 2022; the Bill has removed the distinction between sensitive personal data and personal data and clubbed all personal data under one umbrella heading of personal data. Health and health data definition has also been deleted; creating further uncertainty with respect to health data as the different policies mentioned above rely on the data protection legislation to define health data.

Comparison of the Health Data Management Approaches
Interoperability with Data Protection Legislations

At the outset the key difference between the EU and India’s health data management policies has been the legal backing of GDPR which the EUHDS has. EUHDS has a strong base in terms of rules for privacy and data protection as it follows, draws inference and works in tandem with the General Data Protection Regulation (GDPR). The provisions also build upon legislation such as Medical Devices Regulation and the In Vitro Diagnostics Regulation. With particular respect to GDPR the EUHDS draws from the rights set out for protection of personal data including that of electronic health data.

The Indian Health data policies however currently exist in the vacuum created by the multiple versions of the Data Protection Bill that are published and repealed or replaced. The current version called the Digital Personal Data Protection Bill 2022 seems to take a step backward in terms of health data. The current version does away with sensitive personal data (which health data was a part of) and keeps only one category of data - personal data. It can be construed that the Bill currently considers all personal data as needing the same level of protection but it is not so in practice. The Bill does not at the moment mandate more responsibilities on data fiduciaries^{^[6]} that deal with health data (something that was present in all the earlier versions of the Bill) and in other data protection legislation across different jurisdictions and leaves the creation of Significant Data Fiduciaries (who have more responsibilities) to be created by rules, based on the sensitivity of data decided by the government at a later date.^{^[7]} In addition to this the Bill does not define “health data”, the reason why this is a cause for worry is that the existing health data policies also do not define health data often relying on the definition mentioned in the versions of Data Protection Bill.

Definitions and Scope

The EUHDS defines ‘personal electronic health data’ as data concerning health and genetic data as defined in Regulation (EU) 2016/679^{^[8]}, as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form. Health data by these parameters would then include not just data about the status of health of a person which includes reports and diagnosis, but also data from medical devices.

In India the Health Data Management Policy 2022, defines “Personal Health Records” (PHR) as a health record that is initiated and maintained by an individual. The policy also states that a PHR would be able to reveal a complete and accurate summary of the health and medical history of an individual by gathering data from multiple sources and making this accessible online. However there is no definition of health data which can be used by companies or users to know what comes under health data. The 2018, 2019 and 2021 version of the Data Protection Legislation had definitions of the term health data, however the 2022 version of the Bill does away with the definition.

Health data and wearable devices

One of the forward looking provisions in the EUHDS is the inclusion of devices that records health data into this legislation. This also includes the requirement of them to be added to registries to provide easy access and scrutiny. The document also requires voluntary labeling of wellness applications and registration of EHR systems and wellness applications. This is not just for the regulation point of view but also in the case of data portability, in order for people to control the data they share. In addition to this in the case where manufacturers of medical devices and high-risk AI systems declare interoperability with the EHR systems, they will need to comply with the essential requirements on interoperability under the EHDS.

In India the health data management policy 2022 while stating the applicable entities and individuals who are part of the ABDM ecosystem^{^[9]} mention medical device manufacturers, does not mention device sellers or use terms such as wellness applications or wearable devices. Currently the regulation of medical devices falls under the purview of the Drugs and Cosmetics Act, 1940 (DCA) read along with the Medical Device Rules, 2017 (MDR). However in 2020 possibly due to the pandemic the Indian Government along with the Drugs Technical Advisory Board (DTAB) issued two notifications the first one expanded the scope of medical devices which earlier was limited to only 37 categories excluding medical apps, and second one notified the Medical Device (Amendment) Rules, 2020. These two changes together brought all medical devices under the DCA as well as expanded the categories of medical devices. However it is still unclear whether fitness tracker apps that come with devices are regulated, as the rules and the DCA still rely on the manufacturer to self-identify as a medical device.^{^[10]} However, this regulatory uncertainty has not brought about any change in how this data is being used and insurance companies at times encourage people to sync their fitness tracker data.^{^[11]}

Multiple use of health data

The EUHDS states two types of uses of data: primary and secondary use of data. In the document the EU states that while there are a number of organisations collecting data, this data is not made available for purposes other than for which it was collected. In order to ensure that researchers, innovators and policy makers can use this data. the EU encourages the data holders to contribute to this effort in making different categories of electronic health data they are holding available for secondary use. The data that can be used for secondary use would also include user generated data such as from devices, applications or other wearables and digital health applications.However, the regulation cautions against using this data for measures and making decisions that are detrimental to the individual, in ways such as increasing insurance premiums. The EUHDS also states that as the data is sensitive personal data care should be taken by the data access bodies, to ensure that while data is being shared it is necessary to ensure that the data will be processed in a privacy preserving manner. This could include through pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data.

While the document states how important it is to have secondary use of the data for public health, research and innovation it also requires that the data is not provided without adequate checks. The EUHDS requires the organisation seeking access to provide several pieces of information and be evaluated by the data access body. The information should include legitimate interest, the necessity and the process the data will go through. In the case where the organisation is seeking pseudonymised data, there is a need to explain why anonymous data would not be sufficient. In order to ensure a comprehensive approach between health data access bodies, the EUHDS states that the European Commission should support the harmonisation of data application, as well as data request.

In India, while multiple health data documents state the need to share data for public interest, research and innovation, not much thought has been given to ensuring that the data is not misused and that there is harmonisation between bodies that provide the data. Most recently the PMJay documents states that the NHA shall make aggregated and anonymised data available through a public dashboard for the purpose of facilitating health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NHA. Such data can be accessed through a request to the Data Sharing Committee^{^[12]} for the sharing of such information through secure modes, including clean rooms and other such secure modes specified by NHA. However the document does not mention what clean rooms are in this context.

The Health Data Management Policy 2022 states that Data fiduciaries (data controllers/ processors according to the data protection legislation) can themselves make anonymised or de-identified data in an aggregated form available based in technical processes and anonymisation protocols which may be specified by the NDHM in consultation with the MeitY. The purposes mentioned in this policy included health and clinical research, academic research, archiving, statistical analysis, policy formulation, the development and promotion of diagnostic solutions and such other purposes as may be specified by the NDHMP. The policy states that in order to access the anonymised or de-identified data the entity requesting the data would have to provide relevant information such as name, purpose of use and nodal person of contact details. While the policy does not go into details about the scrutiny of the organisations seeking this data, it does state that the data will be provided based on the term as may be stipulated.

However the issue arises as both the documents published by the NHA do not have a similar process for getting the data, for example the NDHMP requires the data fiduciary to share the data directly, while the PMJay guidelines requires the data to be shared by the Data Sharing Committee, creating duplicate datasets as well as affecting the quality of the data being shared.

Recommendations for India
Need for a data protection legislation:

While the EUHDS is still a draft document and the end result could be different based on the consultations and deliberations, the document has a strong base with respect to the privacy and data protection based on the earlier regulations and the GDPR. The definitions of what counts as health data, and the parameters for managing the data creates a more streamlined process for all stakeholders. More importantly the GDPR and other regulations provide a way of recourse for people. In India the health data related policies and strategy documents have been published and enforced before the data protection legislation is passed. In addition to this India, unlike the EU has just begun looking at a universal health ID and digitisation of the healthcare system, ideally it would be better to take each step at a time, and at first look at the issues that may arise due to the universal health ID. In addition to this, multiple policies, without a strong data protection legislation providing parameters and definitions could mean that the health data management policies only benefit certain people. This also creates uncertainty in terms of where an individual will go in case of harms caused by the processing of their data, and who would be the authority to govern questions around health data. The division of health data management between different documents also creates multiple silos of data management which creates data duplication and issues with data quality.

Secondary use of data

While both the EUHDS and India's Health Data Management Policy look at the sharing of health data with researchers and private organisations in order to foster innovation, the division of sharing of data based on who uses the data is a good way to ensure that only interested parties have access to the data. With respect to the health data policies in India, a number of policies talk about the sharing of anonymised data with researchers, however the documents being scattered could cause the same data to be shared by multiple health data entities, making it possible to identify people. For example, the health data management policy could share anonymised data of health services used by a person, whereas the PMJAY policy could share data about insurance covers, and the researcher could probably match the data and be closer to identifying people. It has also been revealed in multiple studies that anonymisation of data is not permanent and that the anonymisation can be broken. This is more concerning since the polices do not put limits or checks on who the researchers are and what is the end goal of the data sought by them, the policies seem to rely on the anonymisation of the data as the only check for privacy. This data could be used to de-anonymise people, could be used by companies working with the researchers to get large amounts of data to train their systems,

train data that could lead to greater surveillance, increase insurance scrutiny etc. The NHA and Indian health policy makers could look at the restrictions and checks that the EUHDS creates for the secondary use of data and create systems of checks and categories of researchers and organisations seeking data to ensure minimal risks to an individual’s data.

Conclusion

While the EU Health data space has been criticised for facilitating vast amounts of data with private companies and the collecting of data by governments, the codification of the legislation does in some way give some way to regulate the flow of health data. While India does not have to emulate the EU and have a similar document, it could look at the best practices and issues that are being highlighted with the EUHDS. Indian lawmakers have looked at the GDPR for guidance for the draft data protection legislation, similarly it could do so with regard to health data and health data management. One possible way to ensure both the free flow of health data and the safeguards of a regulation could be to re-introduce the DISHA Act which much like the EUHDS could act as a legislation which provides an anchor to the multiple health data policies, including standard definition of health data, grievance redressal bodies, and adjudicating authorities and their functions. In addition a legislation dedicated to the health data would also remove the existing burden on the to be formed data protection authority.

^{^[1]} “European Health Data Space”, European Commission, 03 May 2022,https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space_en

^{^[2]}“European Health Data Space”

^{^[3]} “National Digital Health Blueprint”, Ministry of Health and Family Welfare Government of India, https://abdm.gov.in:8081/uploads/ndhb_1_56ec695bc8.pdf

^{^[4]} “National Digital Health Blueprint”

^{^[5]} “Mondaq” “DISHA – India's Probable Response To The Law On Protection Of Digital Health Data” accessed 13 June 2023,https://www.mondaq.com/india/healthcare/1059266/disha-india39s-probable-response-to-the-law-on-protection-of-digital-health-data

^{^[6]}“The Digital Personal Data Protection Bill 2022”, accessed 13 June 2023 , https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf

^{^[7]}The Digital Personal Data Protection Bill 2022

^{^[8]} Regulation (EU) 2016/679 defines health data as “Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

^{^[9]} For creating an integrated, uniform and interoperable ecosystem in a patient or individual centric manner, all the government healthcare facilities and programs, in a gradual/phased manner, should start assigning the same number for providing any benefit to individuals.

^{^[10]} For example a manufacturer of a fitness tracker which is capable of monitoring heart rate could state that the intended purpose of the device was fitness or wellness as opposed to early detection of heart disease thereby not falling under the purview of the regulation.

^{^[11]}“Healthcare Executive” “GOQii Launches GOQii Smart Vital 2.0, an ECG-Enabled Smart Watch with Integrated Outcome based Health Insurance & Life Insurance, accessed 13 June 2023
https://www.healthcareexecutive.in/blog/ecg-enabled-smart-watch

^{^[12]} The guidelines only state that the Committee will be responsible for ensuring the compliance of the guidelines in relation to the personal data under its control. And does not go into details of defining the Committee.

For more details visit https://cis-india.org/internet-governance/blog/health-data-management-policies

Hate speech: ban or ignore?

praskrishna — 2013-02-13T09:40:37Z

The Social Network discusses the hate speeches: whether they should be banned or ignored. Why does the state take action against some and not against some others. This on a day when Togadia and Owaisi were simultaneously trending on the social media.

This discussion was aired on NDTV on February 5, 2013

Pranesh Prakash, Policy Director, Centre for Internet and Society, and Shivam Vij of Kafila.com joined NDTV in the studio while actor and standup comic Sanjay Rajoura joined via webcam.

Pranesh said that the talk of banning these videos is foolish. He added, I don't think that is a solution. But the issue is one of criminal prosecution – whether that should happen or not, and with regard to the interesting dichotomy that Shivam pointed out some people are calling for somethings to be banned but not others. I think that kind of hypocrisy should be pointed out. I am happy that these small incidents of hate mongering are actually being blown out of proportion on social media because it actually gets people to react...to say wait a second...that is not right I might have a certain leanings towards Hindutva but that kind of speech is not what I support, or I might have a certain leanings towards what is called "pseudo-secularism" but that kind of speech is not what I support. So getting out that discussion out is important.

If we were on one hand a society where we had communal peace and then social media were focusing on these small kinds of incidents and blowing it out of proportion then that would be a problem.

Watch the full discussion aired on NDTV

For more details visit https://cis-india.org/news/ndtv-video-the-social-network-feb-5-2013-hate-speech-ban-or-ignore

HasGeek presents The Fifth Elephant

praskrishna — 2012-06-19T06:38:13Z

HasGeek and the Centre for Internet & Society invite you the Fifth Elephant at the NIMHANS Convention Centre, Bangalore on July 27 and 28, 2012.

Why The Fifth Elephant?

Modern technology with ubiquitous connectivity and cloud-hosted computing power is increasingly becoming important for making sense of data. The infrastructure, tools, processes and algorithms for storage, analytics and visualization shape the meanings and value that can be derived from the data. At the same time, these technologies are strongly intertwined i.e., the database infrastructure shapes how data is accessed for processing, as well as the tools you can (or cannot) use to represent the data in certain ways on the frontend. Similarly, the paradigms used for simplifying and storing data — MapReduce, NoSQL, RDBMS — variously enable the morphing of complex data into meaningful formats. Working with each one of them involves limitations and possibilities.

The Fifth Elephant is the first of its kind of events where you will meet different people working with different kinds of data. It is an opportunity for learning about new tools, technologies, platforms, processes and best practices, and engaging with business leaders, IT decision-makers, journalists, analysts and developers. It is also an opportunity to showcase data products, APIs, services and platforms.

A Conference? An Event?

The Fifth Elephant is not simply a series of lectures. It is a space for interactions with a diverse audience to serendipitously explore insights and solutions for your data problems, to understand how hidden meanings in data can be made manifest, and to learn how others are working with data. The event is open to data analysts and scientists, statisticians, geeks, enthusiasts, data-driven product managers and designers, enterprise architects, journalists, researchers, developers and database professionals.

The Agenda

The Fifth Elephant will be held on July 27 and 28, 2012 at the NIMHANS Convention Centre, Bangalore. Day 1 covers the technology track — big data infrastructure, analytics and visualization. Day 2 invites talks from business and industry — finance, retail, health, media, telecom — to showcase the nature of data in each of these sectors and how they are working (and not working) with the data.

Apart from demos, lectures and tutorials, there will be opportunities for open house discussions and presentations on Hadoop, NoSQL versus RDBMS paradigms, and legal and licensing frameworks for data sharing, among others. Hacker corners, a dedicated participant lounge and interactive sponsor booths will further the learning, showcasing and engagement at the event.

For submitting talks and speaking proposals, visit funnel.hasgeek.com/5el.
Corporate tickets available for company delegates and employees. For more information write to info@hasgeek.com
For sponsorship queries, write to zainab@hasgeek.com

For more details visit https://cis-india.org/internet-governance/has-geek-presents-the-fifth-elephant

Haryana Cops Say Internet Shutdowns Hurt Police Operations

praskrishna — 2018-09-18T15:57:12Z

India sees a very high number of Internet shutdowns, often to preserve law and order, but Haryana cops are arguing against the practice.

The article by Gopal Sathe was published by Huffington Post on September 19, 2018.

Ahead of a Haryana court verdict in a rape case against Dera Sacha Sauda (DSS) head Gurmeet Ram Rahim Singh, mobile Internet services were shut down in nearby areas such as Panchkula and Mohali. The Hindustan Times reported that SMSes, mobile Internet and all services apart from voice calls were suspended to keep the peace.

But as a result of the shutdown, police in Panchkula faced a challenge in estimating the size of crowds gathered at different locations. "We were until then sharing information and photos on WhatsApp to figure out the number of people pouring in the city from various points as it helped identify problem areas. DSS followers had started gathering August 22 onwards," Panchkula police commissioner Arshinder Singh Chawla has said, according to a report by Manoj Kumar first published by the Centre for Internet and Society.

This was a replay of events during the Jat agitation of 2016 as well—protestors were present in much greater numbers than police personnel, who were not aware of the scenario on the ground. The police also worried about sending messages asking for help over the radio, as this could have been tapped into by the protestors, according to the report.

The lack of mobile Internet during the DSS-related Internet shutdown also affected the use of technology such as drone cameras, Chawla said. And because the police could not communicate with security personnel at the court complex, the police inside had to scale walls to leave safely, as they could not ask their colleagues for backup.

The report points out that this is in stark contrast to what happened in Mumbai, where former police commissioner Rakesh Maria made use of WhatsApp and SMS messages to prevent a scuffle from turning into a riot during Eid celebrations in early 2015.

A study by the Software Freedom Law Centre stated that India has already over 100 Internet shutdowns in 2018, Medianama reported. The five states with the most shutdowns are Jammu and Kashmir, Rajasthan, Uttar Pradesh, Maharashtra and Bihar. This has been criticised by many, including the UN, and as the Haryana police's experience show, the shutdowns are not just harming citizens, but are counter-productive to maintaining order as well.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-gopal-sathe-september-17-2018-haryana-cops-say-internet-shutdowsn-hurt-police-operations

Hard to broad ban!

praskrishna — 2016-03-22T17:00:07Z

The provisions under the Telegraph Act are wispy and can’t be convincingly invoked to exercise a jurisdiction on the internet world.

The article by Taru Bhatia was published by Governance Now on March 9, 2016. Pranesh Prakash was quoted.

The Haryana government on February 19 suspended mobile internet services in the districts affected by the agitation caused by the Jat community over reservation. The ban was imposed under section 144 of criminal procedure code (CrPC) to control the situation from being fanned by rumours or inflammatory messages.Similar ban was imposed in Gujarat last year during violent protests stirred by Hardik Patel over reservation of Patel community. In a similar manner internet connectivity was snapped in Nagaland, Rajasthan and Jammu and Kashmir last year under section 144 in order to contain law and order situation.

The CrPC section allows an official authorised by the state government to “direct any person to abstain from a certain act or to take certain order” which is “likely to prevent, or tends to prevent, obstruction, annoyance or injury to any person lawfully employed or danger to human life, health or safety, or a disturbance of the public tranquility, or a riot, of an affray”. “An order under this section may, in cases of emergency or in cases where the circumstances do not admit of the serving in due time of a notice upon the person against whom the order is directed, be passed ex parte,” the section states.

However, the civil rights lawyers claim that section 144 is a general law. “Section 144 is a means to curb apprehended danger and nuisance in emergencies, but its use to ban internet access for a region is an excessive and arbitrary use of powers granted to the state government under this provision,” says Mishi Choudhary, legal director, software freedom law centre (SFLC).

They, moreover, believe that the above section is not specific and contextual in cases of communication ban. So what is the correct law that comes in disposal of state authorities during emergencies that call for an urgent step? It’s section 5 of the Indian Telegraph Act, 1885. The act specifically deals with blocking web domains or web pages or blanket ban. Section 5(2) says that states or central government can prevent transmission of any message(s) that cause incitement to unlawful situation. Looking carefully, this section focuses only on blocking of inflammatory message(s), not a blanket ban.

In the case of Gujarat, for example, Hardik Patel, leading the agitation, used WhatsApp to spread the word for Bharat bandh, which consequently caused a blanket ban on data services by the state authorities. Under section 5(2), the authorities could have gone ahead only with banning social media websites and messaging application, instead of a blanket ban.

Section 5(2) of the telegraph Act also allows the authorities to lawfully intercept messages during public emergency. The central government has laid out clear guidelines in 2014, defining circumstances that demands phone tapping and in what manner. Similar guidelines are not there for suspending internet services under same law, however.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services. It will also make authorities answerable, limiting the misuse of power under the section 144 of the CrPC.

The civil rights lawyers cite example of section 69 A of the IT Act, 2000, which grants power to the central government to direct notice to intermediaries (for example, Facebook and Twitter), to block public access to any information that could stir violence in the country. In this case the government formulated blocking rules in 2009, providing for examination of complaints. The authority to employ this power however lies with the central government, and so, a state not using this law for taking down any message or domain from public view is understandable, during riot-like situation.

For states to legitimately use their power, it is essential to have similar blocking rules for section 5(2) of telegraph act.

Is blanket ban needed, anyway?

“Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” says Pranesh Prakash, policy director, Centre for Internet and Society (CIS).

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he says.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015. A similar approach could have been taken by state authorities in the case of Gujarat or Haryana; countering miscreants, informing public about the truth and emergency help details.

“Instead of doing that, we saw that in Gujarat, the police themselves engaged in acts of violent vandalism (caught on CCTV cameras), and in Manipur the police shot dead nine Manipuri tribals, including a 11-year-old child,” retorts Pranesh.

Blocking internet should be used as a last resort, and taking a balanced approach that considers interest of every stakeholder in a society is essential, argue civil rights lawyers. It is also imperative on the part of the government to formulate guidelines or a rule book to tackle the arbitrariness exercised by the states and security forces.

For more details visit https://cis-india.org/internet-governance/news/governance-now-march-9-2016-taru-bhatia-hard-to-broad-ban

Haphazard censorship? Leaked list of blocked websites in India

praskrishna — 2012-08-23T06:18:45Z

An analysis of a leaked list of the websites blocked by Indian Internet Service Providers (ISPs) on directions from the Department of Telecom bring to light the inconsistencies in India's online censorship efforts.

Published in IBNLive on August 23, 2012. Pranesh Prakash is quoted.

Pranesh Prakash, programme manager at the Centre for Internet and Society (CIS), analysed the 309 specific items that were asked to be censored from August 18, till August 21, 2012 by the Indian government following the recent incidents of communal violence and the mass exodus of North East Indians from Bangalore.

"It is clear that the list was not compiled with sufficient care," Prakash writes in a post on the CIS website that reveals several egregious errors in the censorship process.

While the government put on its censor gear to apparently stop rumours from spreading, Prakash discovered that "people and posts debunking rumours have been blocked." Also there are some items on the list that do not even exist online.

The 309 items that were ordered to be blocked include URLs, Twitter accounts, img tags, blog posts, blogs, and a few websites.

Prakash, a graduate of the National Law School of India University, Bangalore, also raises the questions on the legal standing of the government's actions. "The blocking of many of the items on that list are legally questionable and morally indefensible, even while a some of the items ought, in my estimation, to be removed," he says.

Indian ISPs are also known to go overboard in their efforts to comply with any government order. There have been numerous incidents in the past when ISPs were asked to block a specific URL and they ended up blocking entire domains. The latest round of censorship is also no different. There have been reports of Airtel blocking the entire YouTube short URL youtu.be in some cities.

CIS hasn't published the complete list of the blocked items given "the sensitivity of the issue" but has posted a list of domains from which specific items have been asked to be blocked. The list follows:

ABC.net.au
AlJazeera.com
AllVoices.com
WN.com
AtjehCyber.net
BDCBurma.org
Bhaskar.com
Blogspot.com
Blogspot.in
Catholic.org
CentreRight.in
ColumnPK.com
Defence.pk
EthioMuslimsMedia.com
Facebook.com
Farazahmed.com
Firstpost.com
HaindavaKerelam.com
HiddenHarmonies.org
HinduJagruti.org
Hotklix.com
HumanRights-Iran.ir
Intichat.com
Irrawady.org
IslamabadTimesOnline.com
Issuu.com
JafriaNews.com
JihadWatch.org
KavkazCenter
MwmJawan.com
My.Opera.com
Njuice.com
OnIslam.net
PakAlertPress.com
Plus.Google.com
Reddit.com
Rina.in
SandeepWeb.com
SEAYouthSaySo.com
Sheikyermami.com
StormFront.org
Telegraph.co.uk
TheDailyNewsEgypt.com
TheFaultLines.com
ThePetitionSite.com
TheUnity.org
TimesofIndia.Indiatimes.com
TimesOfUmmah.com
Tribune.com.pk
Twitter.com
TwoCircles.net
Typepad.com
Vidiov.info
Wikipedia.org
Wordpress.com
YouTube.com
YouTu.be

For more details visit https://cis-india.org/news/www-ibnlive-in-com-haphazard-censorship-leaked-list-of-blocked-sites

Hammered government offers Virtual ID firewall to protect your Aadhaar

Admin — 2018-01-16T23:34:12Z

Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.

The article was published in New Indian Express on January 11, 2018.

Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.

The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.

UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.

However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”

For more details visit https://cis-india.org/internet-governance/news/indian-express-january-11-2018-

Hakon 2016

praskrishna — 2016-10-15T10:04:41Z

Udbhav Tiwari attended attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India,on behalf of CIS under the Hewlett Cyber Security Project.

Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 & 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided an unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market & Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at http://www.hakonindia.org/ for further details, including a look at past editions of the conference.

The technical workshops held during the first two days of the conference were well organised and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioners perspective on cutting edge aspects of cyber security. This was particularly true for Chuck Easttom Williams, an accomplished cyber security expert from the USA who regularly trains government agencies and in a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.

For more details visit https://cis-india.org/internet-governance/news/hakon-2016

Hacking without borders: The future of artificial intelligence and surveillance

maria — 2013-07-12T15:30:27Z

In this post, Maria Xynou looks at some of DARPA´s artificial intelligence surveillance technologies in regards to the right to privacy and their potential future use in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Robots or computer systems controlling our thoughts is way beyond anything I have seen in science fiction; yet something of the kind may be a reality in the future. The US Defence Advanced Research Projects Agency (DARPA) is currently funding several artificial intelligence projects which could potentially equip governments with the most powerful weapon possible: mind control.

Combat Zones That See (CTS)

Source: swanksalot on flickr

Ten years ago DARPA started funding the Combat Zones That See (CTS) project, which aims to ´track everything that moves´ within a city through a massive network of surveillance cameras linked to a centralized computer system. Groundbreaking artificial intelligence software is being used in the project to identify and track all movement within cities, which constitutes Big Brother as a reality. The computer software supporting the CTS is capable of automatically identifying vehicles and provides instant alerts after detecting a vehicle with a license plate on a watch list. The software is also able to analyze the video footage and to distinguish ´normal´ from ´abnormal´ behavior, as well as to discover links between ´places, subjects and times of activity´ and to identify patterns. With the use of this software, the CTS constitute the world´s first multi-camera surveillance system which is capable of automatically analyzing video footage.

Although the CTS project was initially intended to be used for solely military purposes, its use for civil purposes, such as combating crime, remains a possibility. In 2003 DARPA stated that 40 million surveillance cameras were already in use around the world by law enforcement agencies to combat crime and terrorism, with 300 million expected by 2005. Police in the U.S. have stated that buying new technology which may potentially aid their work is an integral part of the 9/11 mentality. Considering the fact that literally millions of CCTV cameras are installed by law enforcement agencies around the world and that DARPA has developed the software that has the capability of automatically analyzing data gathered by CCTV cameras, it is very possible that law enforcement agencies are participating in the CTS network.

However if such a project was used for non-military level purposes, it could raise concerns in regards to data protection, privacy and human rights. As a massive network of surveillance cameras, the CTS ultimately could enable the sharing of footage between private parties and law enforcement agencies without individuals´ knowledge or consent. Databases around the world could be potentially linked to each other and it remains unclear what laws would regulate the access, use and retention of such databases by law enforcement agencies of multiple countries. Furthermore, there is no universal definition for ´normal´ and ´abnormal´ behaviour, thus if the software is used for its original purpose, to distinguish between “abnormal” and “normal” behaviour, and used beyond military purposes, then there is a potential for abuse, as the criteria for being monitored, and possibly arrested, would not be clearly set out.

Mind´s Eye

Source: watchingfrogsboil on flickr

A camera today which is only capable of recording visual footage appears futile in comparison to what DARPA´s creating: a thinking camera. The Mind´s Eye project was launched in the U.S. in early 2011 and is currently developing smart cameras endowed with ´visual intelligence´. This ultimately means that artificial intelligence surveillance cameras can not only record visual footage, but also automatically detect ´abnormal´ behavior, alert officials and analyze data in such a way that they are able to predict future human activities and situations.

Mainstream surveillance cameras already have visual-intelligence algorithms, but none of them are able to automatically analyze the data they collect. Data analysts are usually hired for analyzing the footage on a per instance basis, and only if a policeman detects ´something suspicious´ in the footage. Those days are over. General James Cartwright, the vice chairman of the Joint Chiefs of Staff, stated in an intelligence conference that “Star[ing] at Death TV for hours on end trying to find the single target or see something move is just a waste of manpower.” Today, the Mind´s Eye project is developing smart cameras equipped with artificial intelligence software capable of identifying operationally significant activity and predicting outcomes.

Mounting these smart cameras on drones is the initial plan; and while that would enable military operations, many ethical concerns have arisen in regards to whether such technologies should be used for ´civil purposes.´ Will law enforcement agencies in India be equipped with such cameras over the next years? If so, how will their use be regulated?

SyNAPSE

Source: A Health Blog on flickr

The Terminator could be more than just science fiction if current robots had artificial brains with similar form, function and architecture to the mammalian brain. DARPA is attempting this by funding HRL Laboratories, Hewlett-Packard and IBM Research to carry out this task through the Systems of Neuromorphic Adaptive Plastic Scalable Electronics (SyNAPSE) programme. Is DARPA funding the creation of the Terminator? No. Such artificial brains would be used to build robots whose intelligence matches that of mice and cats...for now.

SyNAPSE is a programme which aims to develop electronic neuromorphic machine technology which scales to biological levels. It started in the U.S. in 2008 and is scheduled to run until around 2016, while having received $102.6 million in funding as of January 2013. The ultimate aim is to build an electronic microprocessor system that matches a mammalian brain in power consumption, function and size. As current programmable machines are limited by their computational capacity, which requires human-derived algorithms to describe and process information, SyNAPSE´s objective is to create biological neural systems which can autonomously process information in complex environments. Like the mammalian brain, SyNAPSE´s cognitive computers would be capable of automatically learning relevant and probabilistically stable features and associations, as well as of finding correlations, creating hypotheses and generally remembering and learning through experiences.

Although this original type of computational device could be beneficial to predict natural disasters and other threats to security based on its cognitive abilities, human rights questions arise if it were to be used in general for surveillance purposes. Imagine surveillance technologies with the capacity of a human brain. Imagine surveillance technologies capable of remembering your activity, analyzing it, correlating it to other facts and/or activities, and of predicting outcomes; and now imagine such technology used to spy on us. That might be a possibility in the future.

Such cognitive technology is still in an experimental phase and although it could be used to tackle threats to security, it could also potentially be used to monitor populations more efficiently. No such technology currently exists in India, but it could only be a matter of time before Indian law enforcement agencies start using such artificial intelligence surveillance technology to supposedly enhance our security and protect us.

Brain-Computer Interface (BCI)

Remember Orwell's ´Thought Police´? Was Orwell exaggerating just to get his point across? Well, the future appears to be much scarier than Orwell's vision depicted in 1984. Unlike the ´Thought Police´ which merely arrested individuals who openly expressed ideas or thoughts which contradicted the Party´s dogma, today, technologies are being developed which can literally read our thoughts.

Once again, DARPA appears to be funding one of the world´s most innovative projects: the Brain-Computer Interface (BCI). The human brain is far better at pattern matching than any computer, whilst computers have greater analytical speed than human brains. The BCI is an attempt to merge the two together, and to enable the human brain to control robotic devices and other machines. In particular, the BCI is comprised of a headset (an electroencephalograph - an EEG) with sensors that rest on the human scalp, as well as of software which processes brain activity. This enables the human brain to be linked to a computer and for an individual to control technologies without moving a finger, but by merely thinking of the action.

Ten years ago it was reported that the brains of rats and monkeys could control robot arms through the use of such technologies. A few years later brainstem implants were developed to tackle deafness. Today, brain-computer interface technologies are able to directly link the human brain to computers, thus enabling paralyzed people to conduct computer activity by merely thinking of the actions, as well as to control robotic limbs with their thoughts. BCIs appear to open up a new gateway for disabled persons, as all previously unthinkable actions, such as typing on a computer or browsing through websites, can now be undertaken by literally thinking about them, while using a BCI.

Brain-controlled robotic limbs could change the lives of disabled persons, but ethical concerns have arisen in regards to the BCI´s mind-reading ability. If the brain can be used to control computers and other technologies, does that ultimately mean that computers can also be used to control the human brain? Researchers from the University of Oxford and Geneva, and the University of California, Berkley, have created a custom programme that was specially designed with the sole purpose of finding out sensitive data, such as an individuals´ home location, credit card PIN and date of birth. Volunteers participated in this programme and it had up to 40% success in obtaining useful information. To extract such information, researchers rely on the P300 response, which is a very specific brainwave pattern that occurs when a human brain recognizes something that is meaningful, whether that is personal information, such as credit card details, or an enemy in a battlefield. According to DARPA:

´When a human wearing the EEG cap was introduced, the number of false alarms dropped to only five per hour, out of a total of 2,304 target events per hour, and a 91 percent successful target recognition rate was introduced.´

This constitutes the human brain as a new warfighting domain of the twenty-first century, as experiments have proven that the brain can control and maneuver quadcopter drones and other military technologies. Enhanced threat detection through BCI´s scan for P300 responses and the literal control of military operations through the brain, definitely appear to be changing the future of warfare. Along with this change, the possibility of manipulating a soldier´s BCI during conflict is real and could lead to absolute chaos and destruction.

Security expert, Barnaby Jack, of IOActive demonstrated the vulnerability of biotechnological systems, which raises concerns that BCI technologies may also potentially be vulnerable and expose an individual's´ brain to hacking, manipulation and control by third parties. If the brain can control computer systems and computer systems are able to detect and distinguish brain patterns, then this ultimately means that the human brain can potentially be controlled by computer software.

Will BCI be used in the future to interrogate terrorists and suspects? What would that mean for the future of our human rights? Can we have human rights if authorities can literally hack our brain in the name of national security? How can we be protected from abuse by those in power, if the most precious thing we have - our thoughts - can potentially be hacked? Human rights are essential because they protect us from those in power; but the privacy of our thoughts is even more important, because without it, we can have no human rights, no individuality.

Sure, the BCI is a very impressive technological accomplishment and can potentially improve the lives of millions. But it can also potentially destroy the most unique quality of human beings: their personal thoughts. Mind control is a vicious game to play and may constitute some of the scariest political novels as a comedy of the past. Nuclear weapons, bombs and all other powerful technologies seem childish compared to the BCI which can literally control our mind! Therefore strict regulations should be enacted which would restrict the use of BCI technologies to visually impaired or handicapped individuals. Though these technologies currently are not being used in India, explicit laws on the use of artificial intelligence surveillance technologies should be enacted in India, to help ensure that they do not infringe upon the right to privacy and other human rights.

Apparently, anyone can buy Emotiv or Neurosky BCI online to mind control their computer with only $200-$300. If the use of BCI was imposed in a top-down manner, then maybe there would be some hope that people would oppose its use for surveillance purposes; but if the idea of mind control is being socially integrated...the future of privacy seems bleak.

For more details visit https://cis-india.org/internet-governance/blog/hacking-without-borders-the-future-of-artificial-intelligence-and-surveillance

Hacking of SIM card by spy agencies raises fears of sensitive documents being leaked

praskrishna — 2015-03-09T01:31:39Z

The hacking of SIM-card and digital security services provider Gemalto by American and British spy agencies has raised fears that sensitive communications, by the Indian government and hundreds of domestic companies, may have been at the risk of being spied on.

The article by PK Jayadevan and Neha Alawadhi was published in the Economic Times on February 25, 2015. Pranesh Prakash and Sunil Abraham were quoted.

The Netherlands-based Gemalto was jointly hacked by the US National Security Agency and Britain's Government Communications Headquarters, and encryption keys were stolen to monitor mobile communications, according to a news report published last week.

India's largest telecom vendors including Airtel, Vodafone and Idea Cellular use SIM cards supplied by Gemalto, the world's biggest maker of mobile-phone chips and provider of secure devices such as smart cards and tokens. Online publisher The Intercept in its report named Idea Cellular as one of the networks from which the spy agencies accessed encryption keys.

"Phone calls and text messages by military, government, diplomats, spy corporations and by ordinary citizen of India - all of those get affected by this hack," said Pranesh Prakash, Policy Director at research and advocacy firm Centre for Internet and Society.

The Intercept, which accessed top secret documents provided by NSA whistleblower Edward Snowden, said American and British spies dug into the private communications of Gemalto engineers and other employees to steal encryption keys.

Gemalto provides security services such as two-factor authentication and access management, and has hundreds of clients in India. The company in 2012 said it provided 25 million e-driver's licences and vehicle registration certificates in India that let the government "consolidate driver and vehicle registration information across the population in a central repository".

"We believe that the biggest risk stands for the large number of Vodafone users in the country as the company has deployed Gemalto's Near Field Communication services solutions to provide secure and convenient 'wave and pay' contactless transactions via mobile phone," said Sanchit Vir Gogia, Chief Analyst and Group CEO, Greyhound Research.

"We have no further details of these allegations, which are industry-wide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations," said a Vodafone spokesperson in an email response.

Emails to Idea and Airtel were unanswered till the time of going to Press.

"Indian operators typically go for cheaper Chinese vendors that are anyway low on security. Among the European SIM vendors, Gemalto has the largest share in India," said a senior mobile services executive, requesting anonymity.

The report on the hack comes at a time when Gemalto was looking to tap the Indian market, including e-governance initiatives. The company in a recent email to ET said it had plans to expand its center of excellence in India to develop multiple products, offer tech support and provide security solutions for the domestic market.

"We take this (breach) very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated attacks to obtain SIM card data," a Gemalto spokesperson said. "The target was not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

Initial investigations indicate that SIM products as well as banking cards, passports and other products and platforms are secure, the company said. Gemalto is expected to announce the results of its investigation on Wednesday. British and US spy agencies have been under fire for hacking and spying on citizens after Snowden in mid-2013 began leaking documents that revealed massive surveillance programmes by the two governments. At the time, the Indian government said the NSA was only collecting meta-data and had no access to the actual contents of phone calls or text messages.

Experts suggest a multinational consensus or treaty that strikes a balance between national security concerns and privacy.

"Governments will have to debate this in the United Nations and some kind of rules for surveillance, maybe treaties, are relevant in the future," said Kamlesh Bajaj, Chief Executive at Data Security Council of India. "They shall have to have some kind of a limit to surveillance. They can't be vacuuming all data in the name of finding a needle in the haystack."

Sunil Abraham, Executive Director at Center for Internet and Society, suggested the Indian government should replace proprietary operating systems and Android on phones with pure free software projects, use of virtual private network on phones to carry voice and data traffic, and encrypt voice and data payloads separately.

"When it comes to all the other services provided by Gemalto, the India government should insist that they will do key management on their own. This will also mitigate the compromise of Gemalto's enterprise networks by the NSA," he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-jayadevan-pk-neha-alawadhi-february-25-2015-hacking-of-sim-card-by-spy-agencies-raises-fears-of-sensitive-documents-being-leaked

Hackers Take Protest to Indian Streets and Cyberspace

praskrishna — 2012-06-18T04:02:21Z

First there was self-styled Gandhian activist Anna Hazare who took to the streets to protest corruption. Now a group agitating against censorship on the Internet has arrived in India.

This article by Shreya Shah was published in the Wall Street Journal on June 8, 2012 Pranesh Prakash is quoted in this article.

Only this time, the location is cyberspace and their modus operandi hacking.

In the last few months, Anonymous –a group of hackers, or hacktivists as they like to call themselves –has gone after Web sites of political parties, government sites and Internet service providers, the latest being MTNL, to protest censorship on the Internet.

The group says they are opposing laws including the 2008 Information Technology (Amendment) Act and the Information Technology (Intermediaries Guidelines) Rules of 2011, which they say unfairly restrict Internet freedom.

On Saturday, the hackers will take their protest to the streets, with an Occupy Wall Street-style march called ”Operation Occupy India” planned in 17 cities including Mumbai, Delhi, Indore in Madhya Pradesh, Nagpur in Maharashtra and Kundapur in Karnataka. The group has requested all protestors to wear Guy Fawkes masks, the symbol of Anonymous.

“This time the common man wants to help us,” an “anon,” which is what members of the group call themselves, told India Real Time.

Anonymous, which has a global presence, catapulted to fame with its attacks on Visa, Mastercard and Paypal.

This is how the group attacks Web sites: It overwhelms them with thousands of requests from different computer systems simultaneously. The Web site is unable to handle the load and crashes.

The group intensified its attacks after Internet Service Providers like Reliance, MTNL and Airtel temporarily blocked file sharing sites like Vimeo, Dailymotion, Patebin and Pirate bay, citing a Court order.

But many question the method used by Anonymous.

“I don’t believe in defacing or hacking government Web sites to prove a point,” says Ankit Fadia, a cyber security expert. “You can’t hold the government ransom,” he adds.

In an open letter to the government, Anonymous India defended its actions. It wrote that traditional ways of protesting are losing meaning and this is a new method to pressure the politicians.

Members of the group say that like a regular protest on the street, they too block the infrastructure of their opponents. Except in this case, the infrastructure is located in cyberspace.

This is a “geek method of attacking,” said the anon who spoke to India Real Time. The group does not plan to attacks sites like that of the Indian railways, for instance, which is used by the masses, he explained.

But not everyone is convinced.

The group attacked the Web site of India’s Supreme Court even when it says it does not attack Web sites used by the common man, says Pranesh Prakash, Program Director of the Center for Internet and Society.

The IT Act is another reason Anonymous is protesting. The Act gives the government the power to remove content it finds offensive. The government can also restrict public access to a Web site.

Anonymous is also protesting the Intermediary Guidelines of 2011. According to this Act, a site that hosts offensive content will have to remove it within 36 hours of a complaint against it.

As a result, Web sites like Google and Facebook are facing criminal cases for hosting objectionable content on their site.

“This government does not stand for censorship; this government does not stand for infringement of free speech. Indeed, this government does not stand for regulation of free speech,” Kapil Sibal, the Communications and Information Technology Minister told the Rajya Sabha, or the upper house of the Indian Parliament, last month.

Pranesh Prakash, of the Center for Internet and Society told India Real Time that he does not believe that Anonymous will influence policy makers. He says that the main aim of a protest is to get media attention, and in turn get the attention of the people.

But he agrees that India’s cyber laws are “hopelessly flawed” and create a framework by which not only the government but everyone can censor.

He adds, “The laws are a greater threat than Anonymous.”

Photo Source: Joel Saget/Agence France-Presse/Getty Images

For more details visit https://cis-india.org/news/hackers-take-protest-to-indian-streets-and-cyberspace