We are anonymous, we are legion

Govt wants to scrub the Internet clean

praskrishna — 2011-12-07T04:07:03Z

Web advocacy groups, experts say govt’s move to evolve content guidelines amounts to censorship. This article by Surabhi Agarwal & Leslie D’monte was published in Livemint on 7 December 2011. Sunil Abraham has been quoted in this article.

India, the world’s largest democracy, may force companies such as Google Inc., Microsoft Corp., Yahoo Inc. and Facebook Inc. to take down online content that it deems offensive because they haven’t been able to come up with an effective self-censorship mechanism governing millions of users.

The Congress-led United Progressive Alliance government had no option but to "evolve guidelines" to ensure that "blasphemous content on the Internet or television is not allowed", with Internet and social networking sites such as those above "failing to respond to and cooperate with" the government’s request to keep "objectionable" content out of their websites, Kapil Sibal, minister of communications and information technology (IT), said in New Delhi on Tuesday.

His comments unleashed a firestorm of criticism by Internet advocacy groups and experts, who said the move amounted to censorship and was anti-democratic, impractical and unwarranted since existing laws were comprehensive enough to remove "objectionable" content. The move, they argued, would also stem the growth of user-generated content sites, and thus the Internet itself.

The government has been battling a series of corruption scandals and criticism of its inability to move forward on policy reforms. A campaign against corruption fuelled by online support has also challenged the government’s authority to legislate, forcing its own version of an anti-graft legislation onto the agenda.

The latest move by the government follows the introduction of new rules to the Information Technology Act, 2008, that were published earlier this year, also heavily criticized, that called on Internet service providers (ISPs) along with other entities to police online postings, including blogs.

Sibal referred to what he considered objectionable content as a "matter of grave concern", which affects the "sensibility of our people and is against our cultural ethos".

Once the new policy framework is implemented, companies “will be duty-bound to share information about those who post content, even if it (the content) is posted outside India”. He didn’t say by when the policy would be put in place.

Discussions with executives from the firms mentioned above had begun in September, Sibal said. They had been asked to come up with solutions to address the perceived problem in a month’s time and had failed to do so, he said.

According to local media reports, the move follows posts about some senior Congress leaders, including party president Sonia Gandhi. The minister, who is also one of India’s top lawyers, did not refer to any specific "objectionable" material during his press briefing, but rued that “the content has still not been removed".

Google India defended the right of free speech, while saying that it didn’t condone illegality.

"Even where content is legal but breaks our own terms and conditions, we take that down too, once we’ve been notified about it," Google India said in a release. "But it also means that when content is legal but controversial, we don’t remove it because people’s differing views should be respected, so long as they are legal."

Facebook India also said that it would remove any content that crossed the line.

It "has policies and onsite features in place that enable people to report abusive content", the company said. "We will remove any content that violates our terms, which are designed to keep material that is hateful, threatening, incites violence or contains nudity off the service."

While Yahoo India declined to comment, Microsoft did not respond to an email till press time.

Internet censorship is a rising trend, with approximately 40 countries filtering the Web in varying degrees, including democratic and non-democratic governments. Governments are using increasingly sophisticated censorship and surveillance techniques, including blocking social networks, to restrict a variety of types of content, says the 2010 Global Network Initiative (GNI) report. GNI seeks to protect freedom of speech online.

This August, for instance, the Centre had written to the department of telecommunications, asking it to "ensure effective monitoring of Twitter and Facebook", which minister of state for communications and IT Milind Deora acknowledged a few days later in a written reply to a question in the Rajya Sabha. He mentioned access to “encrypted data” on social networking sites, but did not elaborate on the subject.

Currently, the Indian Telegraph Act and the IT Act, 2008, (amendments were introduced in IT Act, 2000) give the government the power to monitor, intercept and even block online conversations and websites. The Centre for Internet and Society (CIS) has put up a list of 11 such websites blocked by a government order. The data was received from the department of information technology (DIT).

Moreover, under section 79 of the IT Intermediary (Rules and Guidelines), 2011, intermediaries (comprising telcos, ISPs, network services providers, search engines, cyber cafes, Web-hosting companies, online auction portals and online payment sites) are mandated to exercise "due diligence" and advise users not to share/distribute information violative of the law or a person’s privacy and rights. Intermediaries are expected to act on a complaint within 36 hours of receiving it, and remove such content when warranted.

In case the intermediary doesn’t find the content objectionable, the matter will have to be contested in a court of law.

"Currently, you need a court of law to direct a company in case something has to be removed. That takes a lot of time. So there has to be a mechanism that is faster in dealing with such content as (it) can be very damaging," said a DIT official, who did not want to be named.

"The Indian government can, and should, monitor conversations and websites if it believes the content can harm the security, defence, sovereignty and integrity of the country," said Pavan Duggal, a Supreme Court lawyer and cyber law expert. However, he wondered how the government would go about implementing the task of monitoring each and every conversation on an unstructured Internet.

Bangalore-based CIS, an Internet advocacy group, said "this pre-emptive manual screening of content, if implemented, would sound the death knell of freedom of expression in India".

"This screening is worrisome. Companies will err on the side of caution in a bid to please the government, and the courts will not be involved," said Sunil Abraham, executive director of CIS. “This is not only unconstitutional, but technically impossible too. Speech and words have nuances. Can humans decipher these with accuracy?"

The move will undermine key principles on which the Internet was built, said Nikhil Pahwa, editor and publisher of digital industry news and analysis blog MediaNama.

"It is completely impossible to enforce this. There is no way that content can be prescreened before it is placed online," he said. “It also kills the concept of immediate communication, which the Internet stands for."

Cyber law expert NA Vijayashankar, who runs cyber law information portal Naavi, said: "The government has valid reason to control anti-national activities on the Internet. But there are existing laws for it. The current proposition is impractical since pre-scrutiny of content on the Internet is not possible. It will affect the growth of user-generated content, which is helping Internet penetration grow in India."

Internet censorship happens frequently in countries such as Myanmar, Cuba, China (which had blocked keyword searches of the word "Egypt" on the Internet as well as on Weibo, the Chinese equivalent of Twitter), Iran, Egypt and Saudi Arabia. On the very day the Egyptian government set out to block Internet services in the country (in January), US Republican senator Susan Collins floated the COICA Bill, popularly called the "kill switch" Bill, which, if approved, would give the US president similar powers.

Read the original published in Livemint here

For more details visit https://cis-india.org/news/scrub-the-internet-clean

Govt wants to monitor Facebook, Twitter

praskrishna — 2011-08-09T09:21:55Z

The Union home ministry has written to the department of telecom asking it to "ensure effective monitoring of Twitter and Facebook".

Milind Deora, minister of state for communications and information technology, said in written reply to a question on Friday in the Rajya Sabha that DoT has received a letter from MHA to ensure monitoring of social networking websites like Facebook and Twitter in order to "strengthen cyber security paraphernalia".

He said that in cases where the data is encrypted, the department works with all concerned parties to obtain lawful access to it.

Citing security a reason, India in the recent months has sought more surveillance and monitoring from internet service providers as well as companies like Research In Motion, which sells BlackBerry phones capable of encrypted emails and messaging.

In April the government notified a new set of IT rules, virtually making intermediaries like internet service providers and web hosts and websites like Facebook and Twitter responsible for any wrongdoings on their networks. The rules were widely criticized by privacy activists.

Sunil Abraham, executive director of Centre for Internet and Society said these "blanket surveillance practices" are counterproductive.

"People advocating greater surveillance don't understand how the web works. In some cases, if there is evidence, targeted monitoring can be done but if governments wants to go through each tweet and every status update, it's just waste of money and resources. Agencies involved in monitoring can do better work by focusing on core issues. This will also save ordinary law-abiding citizens from unnecessary harassment," said Abraham.

According to their policies, Twitter and Facebook don't share any private information available on their servers without valid court order or subpoena. Twitter had said in the past that even if there was a court order, it would first inform the users in question before sharing information related to them.

This article was published in the Times of India on August 8, 2011. The original can be read here.

For more details visit https://cis-india.org/news/govt-to-monitor-facebook-twitter

Govt vs Tweeple: Has clampdown hit free speech?

praskrishna — 2012-08-24T12:46:27Z

Has the Government crossed the line by ordering the blocking of several Twitter accounts, many belonging to prominent journalists? The debate was featured in NDTV on August 23, 2012.

Sunil Abraham spoke to Sonia Singh of NDTV. Sunil said that "we should focus on designing of the censorship regime in the country and the lack of compliance with the principles of natural justice".

Watch the full video on NDTV here

For more details visit https://cis-india.org/news/www-ndtv-com-aug-23-2012-govt-vs-tweeple-has-clampdown-hit-free-speech

Govt tweaks enforcement of IT Act after spate of arrests

praskrishna — 2012-11-30T08:27:01Z

The government on Thursday tweaked the law to make it tougher for citizens to be arrested for online comments that are deemed offensive after recent arrests came in for heavy criticism by Internet activists, the media and other groups.

Surabhi Agarwal's article was published in LiveMint on November 29, 2012. Pranesh Prakash is quoted.

This took place just before the Supreme Court was to hear a public interest litigation seeking an amendment to the Information Technology (IT) Act.

Complaints under the controversial Section 66A of the IT Act, which criminalizes “causing annoyance or inconvenience” online or electronically, can be registered only with the permission of an officer of or above the rank of deputy commissioner of police, and inspector general in metro cities, said a senior government official.

The government, however, has not amended the terms in the section that are said to be vague and subject to interpretation.

The public interest litigation against Section 66A filed by student Shreya Singhal came up in chief justice Altamas Kabir’s court on Thursday. The matter will be heard on Friday.

Two girls near Mumbai were arrested last week for criticizing on Facebook the shutdown in the city for Shiv Sena chief Bal Thackeray’s funeral. Earlier in November, a businessman in Puducherry was arrested for comments made on Twitter against finance minister P. Chidambaram’s son Karti Chidambaram.

According to people present at the meeting of the cyber regulatory advisory committee on Thursday, the Union government will issue guidelines to states with respect to the compliance of the new enforcement rules soon. The people didn’t want to be named. An official said the move was not related to the case.

Pranesh Prakash, policy director at the Centre for Internet and Society think tank, said that while the change in the law is a step in the right direction and will eliminate a lot of frivolous complaints, more needs to be done to make the legislation specific.

Chief justice Kabir said the apex court was considering taking suo motu cognisance of recent incidents.

Singhal contended in her plea that “the phraseology of section 66A of the IT Act, 2000, is so wide and vague and incapable of being judged on objective standards, that it is susceptible to wanton abuse and, hence, falls foul of Article 14, 19 (1)(a) and Article 21 of the Constitution.”

She submitted that “unless there is judicial sanction as a prerequisite to the setting into motion the criminal law with respect to freedom of speech and expression, the law as it stands is highly susceptible to abuse and for muzzling free speech in the country.”

The PIL was argued by Mukul Rohatgi, who said in his opening remarks that Section 66A was vague. Terms such as “offensive” and “annoyance” should be clearly defined as the section is part of criminal law, he said.

Senior advocate Harish Salve, who was also present during the hearing, said India guaranteed the right to “annoy” and there was no need to have a separate law.

Salve, who is in the process of filing an intervention on behalf of some technology companies, added that the section needed to be narrowed to specifically cater to private messages sent electronically and not social media communications.

He said the existing law of defamation should suffice and could be extended to include electronic communications. According to a lawyer who is part of the team representing Singhal, the petition also demanded that the law be made non-cognisable so that the police can’t make an arrest without an order from a magistrate.

“There has been a lot of misuse and abuse of the law recently and we want it to be struck down absolutely and also the court to issue guidelines,” he said.

Apart from the incident at Palghar in Thane district involving the two girls, Singhal’s PIL referred to an April incident in which a professor of chemistry from Jadavpur University in West Bengal, Ambikesh Mahapatra, was arrested for posting a cartoon concerning chief minister Mamata Banerjee on a social networking site.

She also referred to the Puducherry case as well as the May arrests of two Air India Ltd employees, V. Jaganatharao and Mayank Sharma, by the Mumbai Police under the IT Act for posting content on Facebook and Orkut against a trade union leader and some politicians.

Singhal has sought guidelines from the apex court to “reconcile Section 41 and 156 (1) of the Criminal Procedure Code (CPC) with Article 19 (1)(a) of the Constitution” and that offences under the Indian Penal Code and any other legislation, if they involve the freedom of speech and expression, be treated as a non-cognizable offences for the purposes of Sections 41 and 156 (1).

Section 41 of CPC empowers the police to arrest any person without an order from a magistrate and without a warrant in the event that the offence involved is a cognizable offence. Section 156 (1) empowers the investigation by the police into a cognizable offence without an order from a magistrate.

The government official present at the cyber regulatory advisory committee said the expressions used in Section 66A had been taken from different statutes around the world, including the UK and the US.

“There has been a broad consensus that the parameters of the law concerned might be in order but from a procedural standpoint there might be difficulty,” the official said.

Prakash said that while some of the terms in the section may be taken from legislation overseas, the penalty imposed under the Indian law is far more stringent at three years of imprisonment than, for instance, six months under the UK law. “Criminal offences can’t be put at the same level as something which causes insult.”

The cyber regulatory advisory committee meeting was attended by minister for communications and information technolgy Kapil Sibal, and secretaries of the department of telecommunications and information technology, besides representatives of technology companies such as Google and Facebook, industry associations and civil society.

The official also said that the situation will be reviewed every three to four months based on “ground realities”.

A government official said on condition of anonymity that the decision to revive the cyber regulatory advisory committee had been taken at a meeting in August. Section 66A was put on the agenda since it was the subject of much debate, he said. The meeting, however, was not a pre-emptive measure ahead of the PIL that was taken up in the Supreme Court. The official also said that the government will spell out its position in court in favour of the legislation.

For more details visit https://cis-india.org/news/livemint-politics-november-29-2012-surabhi-agarwal-govt-tweaks-enforcement-of-it-act-after-spate-of-arrests

Govt to keep Aadhaar record for 7 years, activists worried

praskrishna — 2016-10-17T01:53:24Z

The government will keep for seven years a record of all the services and benefits availed using the Aadhaar number, say new rules, prompting fears that the database could be used for surveillance.

The article by Aloke Tikku was published in the Hindustan Times on October 17, 2016. Sunil Abraham was quoted.

The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.

“This is an unprecedented centralised data retention provision,” said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.

UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.

The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.

Users will be able to check the records but only for two years.

This restriction won’t apply to security agencies. Pandey, however, said the records would not be available to them without a district judge’s permission.

But, HT found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.

“Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual,” Abraham said.

This is how the system, which will need millions of fingerprint-reading machines, works.

Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.

The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.

“You can think of it as Natgrid Plus,” Abraham said, a reference to the National Intelligence Grid being built by the government.

A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.

“…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it,” UIDAI’s Pandey said.

But seven years is a long time. Only a select category of government files are kept for longer than five years.

Asked about two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.

The Supreme Court has a ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual’s privacy.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried

Govt releases white paper on data protection framework

Admin — 2017-11-28T14:34:09Z

Public comments are welcome till 31 December on the data protection white paper, which is aimed at securing digital transactions and addressing privacy issues.

The article by Komal Gupta was published in Livemint on November 28, 2017

A nuanced approach towards data protection will have to be followed in India, keeping in mind the fact that individual privacy is a fundamental right limited by reasonable restrictions, according to a white paper issued by the government on a data protection framework.

The government has sought public comments till 31 December on the white paper, which is aimed at securing digital transactions and addressing customer and privacy protection issues.

The white paper, drafted by the committee of experts on data protection framework, was released by the ministry of electronics and information technology on Monday.

On 31 July, the government constituted a 10-member committee of experts headed by former Supreme Court justice B.N. Srikrishna to study various issues relating to data protection and make specific suggestions on the principles to be considered for data protection as well as suggest a draft Data Protection bill.

Other members of the committee include telecom secretary Aruna Sundararajan, Unique Identification Authority of India chief executive Ajay Bhushan Pandey, and additional secretary in the information technology ministry Ajay Kumar.

The committee seeks to put the onus on stakeholders and the public through a questionnaire on issues such as collection of personal data, consent of consumers, penalties and compensation, code of conduct and an enforcement model that should be set up.

“The sensitivity of the data could also develop based on its combination with other types of information. For example, an email address taken in isolation, is not sensitive. However, if it is combined with a password, then it could become sensitive as it opens access to many other websites and systems, which may expose the individual to harm such as cyberattacks and phishing frauds,” the white paper said.

It is also possible that personal or even non-personal data, when processed using big data analytics, could be transformed into sensitive personal data. Therefore, there may be a need to create safeguards which will prevent misuse of personal information in these contexts of use, it added.

The white paper also seeks “to designate certain lawful grounds under which data can be processed, even in the absence of consent.”

In some situations, seeking consent prior to a data processing activity would not be possible, or it may defeat the purpose of the processing. For instance, where law enforcement officials need to apprehend a criminal, seeking the consent of the criminal prior to processing would defeat the purpose of the investigation, it said.

“It seems to be an eminently reasonable white paper which raises the right questions. However, it lacks analysis of data protection vis-a-vis Aadhaar,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

Safeguarding privacy rights needs much more than a data protection law; it needs a larger consultation that includes issues like surveillance as well, added Prakash.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-28-2017-komal-gupta-govt-releases-white-paper-on-data-protection-framework

Govt proposal to muzzle bloggers sparks outcry

praskrishna — 2011-04-01T15:46:23Z

A government proposal seeking to police blogs has come in for severe criticism from legal experts and outraged the online community. The draft rules, drawn up by the government under the Information Technology Amendment Act, 2008, deal with due diligence to be observed by an intermediary. This article was published in the Times of India on March 10, 2011.

Under the Act, an 'intermediary' is defined as any entity which on behalf of another receives, stores or transmits any electronic record. Hence, telecom networks, web-hosting and internet service providers, search engines, online payment and auction sites as well as cyber cafes are identified as intermediaries. The draft has strangely included bloggers in the category of intermediaries, setting off the online outcry.

Blogs are clubbed with network service providers as most of them facilitate comment and online discussion and preserve the traffic as an electronic record, but equating them with other intermediaries is like comparing apples with oranges, says Pavan Duggal, advocate in the Supreme Court and an eminent cyber law expert.

'This will curtail the freedom of expression of individual bloggers because as an intermediary they will become responsible for the readers' comments. It technically means that any comment or a reader-posted link on a blog which according to the government is threatening, abusive, objectionable, defamatory, vulgar, racial, among other omnibus categories, will now be considered as the legal responsibility of the blogger," he explains.

Even Google, the host of Blogger, among India's most popular blogging sites, expressed displeasure at the proposal. "Blogs are platforms that empower people to communicate with one another, and we don't believe that an internet middlemen should be held unreasonably liable for content posted by users," a spokesperson told TOI.

Blogs, which are typically maintained and updated by individuals, have showcased their political importance in recent times and the internet community views these rules as a lopsided attempt to curtail an individual's right to expression.

"If individual blogs are an intermediary, then why can't Facebook and Twitter also be classified as such, as they too receive, store and transmit electronic records and facilitate online discussions," retorts the spokesperson of the Centre for Internet and Society (CIS), a Bangalore-based organization, which works on digital pluralism. "These rules will not only bring bloggers and the ISP provider on the same platform, but the due diligence clause will also result in higher power of censorship to the larger player. Imagine your ISP provider blocking your blog because it finds that certain user-comments fit these omnibus terms," the CIS spokesperson added.

Most experts, including Duggal, see these rules as the outcome of the government's one-size-fits-all approach — at least in regulating online activities — and ask for an amendment to the IT Act.

Read the original article in the Times of India here

For more details visit https://cis-india.org/news/govt-proposal

Govt presses 'undo' button on draft encryption policy

praskrishna — 2015-09-25T01:55:57Z

The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.

The article was published in Business Standard on September 23, 2015. Sunil Abraham gave inputs.

The government on Tuesday scrapped a draft national encryption policy that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.

The decision came a day before Prime MinisterNarendra Modi embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.

At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.

The draft had global ramifications, as Facebook,Twitter and messaging apps such as WhatsApp were named in it.

Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.

“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for, seeking comment. I read the draft. I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”

According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.

This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.

Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and Facebook out of its purview.

In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.

“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director,Centre for Internet and Society (CIS).

Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.

Opposition parties slammed the Draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”

Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”

ABOUT THE NATIONAL ENCRYPTION POLICY

Five things the government draft policy wanted

Information security for individuals, businesses and government agencies
Development of indigenous encryption standards
Use of digital signatures to authenticate transactions
Legal interception and data retention
Service providers to register under appropriate government agency

Things that caused outrage

Regulation of private sector encryption
Storage of all encrypted communications for

90 days

Gaining backdoor into private communications of users

Amendment & withdrawal

Omission of mass encryption products such as those used by social networks
Withdrawal of draft policy following Ravi Shankar Prasad’s statement

For more details visit https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy

Govt plans inter-ministerial panel on Internet policy

praskrishna — 2012-09-25T10:28:08Z

The government may set up an inter-ministerial panel to improve coordination among the various arms of the government on Internet-related issues such as governance, commerce and security, according to a senior government official who didn’t want to be named.

Surabhi Agarwal's article was originally published in LiveMint on September 19, 2012. Sunil Abraham is quoted.

The panel will have representation from government departments including information technology, telecom, home, external affairs and commerce among others. The proposal is being considered because there are multiple stakeholders involved, said the official. The panel will be most likely be headed by the department of electronics and information technology, which is currently the policymaking body on the Internet.

Over the past year, the government has been criticized over several Internet-related issues, all of them to do with censorship. It received flak recently for the way it sought to contain the spread of hate messages over the Internet that had led to communal violence and a panic exodus by people from the north-eastern states in some cities.

Moreover, with the underlying aim of having a bigger say in global policymaking pertaining to the Internet, the government had proposed the establishment of the United Nations Committee on Internet Related Policy (UN-CIRP). The agency’s mandate will include developing and establishing international public policies relating to the Internet; coordinating and overseeing bodies responsible for the technical and operational functioning of the Internet; facilitating negotiation of treaties; undertaking arbitration and dispute resolution; and crisis management, among others.

The government has said that the intent behind proposing such a body was not to control the Internet but to develop a mechanism for globally acceptable and harmonized policy making. The move though has largely been construed as an effort by governments to regulate the Internet.

Currently, the Internet is largely governed by the not-for-profit Internet Corporation for Assigned Names and Numbers (ICANN). However, the government says ICANN is dominated mostly by the US, explaining the need for a body such as UN-CIRP.

Another government official confirmed that an inter-ministerial panel is currently being “mulled” over. This official, who also did not want to be identified, said the Internet governance policy is increasing in importance and there was a need to discuss whether the current global policymaking structure would be relevant in the next five years.

“We need to firm up the country’s stand at international forums of the Internet and an inter-ministerial committee will aid in bringing some kind of clarity,” he said.

Any proposal for better coordination between different wings of the government would be welcome, said Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society.

“The thumb rule with governance, be it international or national, is that coordination policy formulation bodies is a good idea, but we can’t damn or praise them over the process,” he said. “We have to see what coordination results out of the body.”

Rajya Sabha member of Parliament Rajeev Chandrasekhar, who wrote to Prime Minister Manmohan Singh opposing UN-CIRP, had said that India’s proposal was made without much discussion and stakeholder consultation.

There wasn’t enough clarity about what the government trying to regulate through the body, Abraham said.

“Is it to regulate citizens or industry or government activity or for regulation around IP (intellectual property), competition, data protection, crime or tax, we don’t know,” he said.

The problem with UN-CIRP is that India would be supported by countries that are against free access to the Internet such as Cuba, China and Russia to name a few, Naresh Ajwani, a member of the Asia Pacific Network Information Center (APNIC) said on Wednesday on the sidelines of a meet in Delhi on the issue.

However, the government feels that not only will UN-CIRP lead to India having a bigger role in global policymaking for the Internet, it will also help in dealing with crises better as it will lead to enhanced cooperation between nations.

Photo: Aniruddha Chowdhury/Mint

For more details visit https://cis-india.org/news/www-livemint-com-sep-19-2012-surabhi-agarwal-govt-plans-inter-ministerial-panel-on-internet-policy

Govt panel wants curbs on phone taps

praskrishna — 2012-10-22T09:57:05Z

A government-appointed panel on Thursday recommended several measures, including guidelines on interception of telephonic conversations, video and audio recordings, use and storage of data as well as setting up of dispute resolution entities at Centre and state-level to protect the privacy of individuals.

Read the original published in the Times of India on October 19, 2012.

The group led by former Delhi High Court chief justice A P Shah was set up by the Planning Commission to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.

The group was set after concerns were raised about the impact on privacy of individuals with the emergence of several national programmes such as Unique Identification number, NATGRID, DNA profiling, Reproductive Rights of Women, privileged communications and brain mapping, most of which will be implemented through information and communication technology (ICT) platforms.

The panel recommended that reasons for interception must be specified and be recorded in writing and the provisions establish conditions for authorization by the competent authority. It said that all interceptions can be in force for 60 days and renewed for not more than 180 days. The panel said records of interception be destroyed by the security agencies after six months or nine months and service providers must destroy records after two months or six months. It also said that intermediaries must provide an internal check to ensure the security, confidentiality and privacy of intercepted material, and intermediaries would be held legally responsible for any unauthorized access or disclosure of intercepted materials.

The panel said the proposed Act should extend the right of privacy to individuals and bring under its regulation data controllers, which includes all corporates, public/ governmental bodies and organizations. Minister of State for Planning Ashwani Kumar said, "The group has evaluated what is happening in the other country and what is the constitutional position in India... how imperatives of national security and right to privacy of individual can be harmonized."

It said the Act should clarify that publication of personal data for artistic and journalistic purposes in public interest, use of personal information for household purposes and disclosure of information as required by the RTI Act should not constitute an "infringement of privacy".

The proposed Privacy Act should also articulate national privacy principles. The principles will extend and be binding to all private/ public data controllers. It said the principles must establish safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction of sensitive personal information, personal identifiable information and identifiable information.

The Act should establish the Central office of the privacy commissioner, regional level privacy commissioner, self regulating organizations at the industry level and data controllers and privacy officers if required at the organization level, the report recommended.

The panel also recommended that the infringement of any provision under the Act should constitute as an "offence" and individuals may seek "compensation" from organizations/ bodies held accountable.

The group agreed that any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards. "Specifically, the Privacy Act should not make any reference to specific technologies and must be generic enough such that principle and enforcement mechanisms adaptable to changes in society, the market place, technology and government," the report said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/times-of-india-october-19-2012-govt-panel-wants-curbs-on-phone-taps

Govt orders blocking of 300 specific URLs including 16 Twitter accounts

praskrishna — 2012-08-24T13:29:40Z

The government stepped up its efforts to stop what it feels is an online campaign of misinformation and rumour mongering in the wake of lower Assam riots and ordered blocking of 16 Twitter accounts, including two belonging to journalists, considered sympathetic to the right in India.

Published in the Times of India on August 24, 2012. Pranesh Prakash is quoted.

The department of telecommunications (DoT) ordered blocking of the accounts on August 20. The blocked accounts include those maintained by a columnist and a journalist working for a TV channel. Twitter accounts @sanghparivar, @drpraveentogadia and @i_panchajanya are also mentioned.

The 16 Twitter accounts are part of a list containing over 300 specific URLs that internet service providers (ISPs) in India have been told to block. The list is dominated by URLs belonging to Facebook and Youtube. Indian government allegedly found 102 URLs on Facebook and 85 URLs on YouTube where communally sensitive content was posted. According to a blogpost at Centre for Internet and Society (CIS), a non-profit organization that got hold of the list on Wednesday, almost "all of the blocked items have content that are related to communal issues and rioting".

At the same time, Pranesh Paraksh, a CIS official, noted on the blog that it was unclear if the government exercised its powers responsibly in this case. "The blocking of many of the items on the list are legally questionable and morally indefensible, even while a large number of the items ought to be removed," he wrote.

According to the leaked list, Indian government also blocked 30 Twitter URLs, 3 Wikipedia URLs, 11 Blogger URLs and 8 Wordpress URLs. Some URLs belong to Pakistani websites. The list also contained URLs belonging to several mainstream media websites, including The Telegraph and Al Jazeera.

The blocking of Twitter accounts was partial due to technical challenges. The accounts have been blocked with the help of ISPs and not Twitter. Accessing them from India shows web users a message, saying "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications". Also, the block works only if the accounts are accessed using HTTP and not HTTPS protocol. Twitter allows users to force HTTPS, which is a secure protocol and doesn't let ISPs see the content that a user is accessing.

Due to the partial block, accounts remained active. When Nirupama Rao, India's ambassador to the US, talked on Twitter about a discussion on a news channel on the subject of social media and government's current policy, one of the "blocked" accounts tweeted back to her saying, "@NMenonRao Is that why UPA Govt has blocked my Twitter handle? Is that the reason? A reply would help." Following the Twitter profile ban, which was reported around midnight on Wednesday, several Twitter users in India started hashtag #Emergency2012. A few hours later, #Emergency2012 and #GOIBlocks were among the top trending topics on Twitter for India.

For more details visit https://cis-india.org/news/times-of-india-aug-24-2012-govt-orders-blocking-of-300-specific-urls-including-16-twitter-accounts

Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham

praskrishna — 2016-03-16T16:37:19Z

The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.

Shreeja Sen interviewed Sunil Abraham. The article was published in Livemint on March 8, 2016.

The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.

Sunil Abraham, 42

Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.

The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.

Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:

Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?

Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.

Nothing has changed.

What kind of concerns?

The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.

Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.

UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.

This software is proprietary and nobody knows how they work and nobody can independently audit them.

The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.

Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.

The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.

You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.

So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.

They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.

Does Aadhaar bill help assuage your doubts about the project?

The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.

If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.

Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.

Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.

One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest EPW (Economic and Political Weekly), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.

Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.

Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?

Two responses: is it good anti- corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.

What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.

The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.

The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).

So, the ease of registration has not served the purpose.

For more details visit https://cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham

Govt mulls advisory on privacy issues related to Google, Facebook

praskrishna — 2013-07-02T14:31:48Z

The Government is set to harden its stand against foreign Internet firms in asking them to comply with Indian laws.

The article by Thomas K Thomas was published in the Hindu Business Line on June 10, 2013. Sunil Abraham is quoted.

According to a top Government source, an advisory may be issued in the interest of general public to make them aware of the privacy issued while using services offered by foreign Internet companies such as Google and Facebook.

This follows an international media expose on how US agencies were getting access to user data from Internet companies such as Google and Facebook.

Final Strategy Soon

Top official in the Ministry of Telecom and IT told Business Line that the National Security Advisor, under the Prime Minister’s Officer, is discussing the issue and will outline the final strategy on Wednesday.

The key concern is that the US security agencies may have collected data from key Indian accounts using services from any of the Internet companies. A number of Government officials also use email service from Google and MS Outlook, which may have been accessed by the US agencies.

The other major concern is that Indian security agencies have also been seeking access to data from these foreign companies but so far they have not obliged on grounds that they do not come under the purview of Indian laws.

“If the US Government can get access to data from these companies, why can’t the Indian Government be given access,” posed a top functionary of the telecom ministry.

While Google and other companies have denied knowledge to how the US agencies got access to their networks, industry experts said that it’s time India starts taking concrete steps to address the issue.

B.K. Syngal, Former Chairman, Videsh Sanchar Nigam Ltd, said, “If we believed that our privacy is sacred then we would have taken effective domestic measures, years ago, to ensure that the information of our citizens remains private. To now say that multiple US companies have betrayed our trust is meaningless.”

Double Standards

Syngal said that there are double standards in the way organisations and Government is handling the issue. “As a start, lets stop giving too much time and space to the so called “Foreign Funded NGOs” teaching us on privacy. Our problem is that we are not China. We are so ill equipped that the third party interests aided and abetted by these NGOs would prevail,” said Syngal.

According to Sunil Abraham, Executive Director, Centre for Internet and Society, companies such as Google and Facebook are foes when it comes to privacy issues and friends when it comes to freedom of speech. “An Indian consumer using any of these foreign websites has no privacy rights whatsoever. The Indian Government also cannot force these companies to follow Indian laws,” said Abraham.

For more details visit https://cis-india.org/news/hindu-businessline-thomas-k-thomas-june-10-2013-govt-mulls-advisory-on-privacy-issues-related-to-google-facebook

Govt may turn to supercomputing for better use of Aadhaar database

praskrishna — 2015-03-08T05:53:03Z

Technology experts working with the Aadhaar project have spotted other potential uses for it, all to be powered by a string of supercomputers.

The article by Moulishree Srivastava was published in Livemint on February 10, 2015. Sunil Abraham is quoted.

When India launched a scheme in 2009 to give every one of its residents a unique identity number called Aadhaar, there were two main objectives: an efficient delivery of welfare services, and a tool for monitoring government schemes.

Six years on, as the government moves a step closer to covering all 1.25 billion citizens with Aadhaar, technology experts working with the project have spotted other potential uses, all to be powered by a string of supercomputers. With Aadhaar having crossed the 700 million milestone in 2014, the government is preparing to launch supercomputing applications to make more sense of the scheme’s massive database. These will help link the database to public services by running data analytics, which in turn will throw up trends that can help promote better-informed policy-making.

“We are talking about the Aadhaar database and the huge population data associated with it. Right now it is only a collection of data, but once we start rolling out applications, the amount of information that will be generated and the amount of usage that will happen will be enormous,” said Rajat Moona, director general of the Pune-based Centre for Development of Advanced Computing (CDAC), the research and development arm of the department of electronics and information technology responsible for the National Supercomputing Mission.

“Big data analysis and big data visualization, these are supercomputing problems. It (handling Aadhaar database) is actually visualization of huge data that can help in the planning,” he added. “When you have that much amount of information, you can do a lot of data analysis and figure out trends. We can thus see what are the policies needed to be defined. Therefore proactive policymaking based on previous trends is possible provided we have data,” he said.

Aadhaar is being used by the government for transferring cash subsidies directly into the bank accounts of beneficiaries in order to plug leakages. It is used to identify beneficiaries for transferring funds under scholarship schemes, pension money, cooking gas subsidy as well as seeding of bank accounts to weed out multiple beneficiaries under the government’s financial inclusion programme.

There are also plans to use Aadhaar to curb black money in real estate transactions. Developing these applications further, says Moona, needs supercomputers, which will give far better results. “In order to develop these applications we need to understand supercomputing and use of supercomputing,” he said. “We don’t have such applications developed…we usually take larger applications developed elsewhere and customize it according to our needs. So applications that are developed for solving India-centric problems will actually give a better output,” he said.

“We are talking about creating related applications that can run on supercomputing cloud of million cores (cloud supported by million-core supercomputers),” he added. “It will be a platform, where we can solve a large number of problems using shared model.” “It (supercomputing cloud) will not be a public cloud. There will be research institutes, research organizations, security agencies, government departments and each of them will have its own data and access pattern.

This is going to be a part of our application-centric usage of (the proposed) supercomputing (grid).” The million-core supercomputing cloud is a part of the government’s Rs.4,500 crore project aimed at setting up a grid of more than 70 supercomputers to be hooked up across these institutions and organizations over the next five to seven years. This will enable Indian researchers to build applications on the network, as well as to harness the power of supercomputers for research and development. India has 12 of the world’s 500 most powerful supercomputers, the largest currently deployed being a 500 teraflops (equivalent to half a petaflop) computer, administered by the CDAC. To work on supercomputing applications in areas such as the Aadhaar database, terrorism, advanced weather monitoring— including cyclone and flood prediction—and geo exploration, the government plans to train 22,000 high-quality professionals over 5-7 years.

Some experts point out that a centralized Aadhaar database faces cybersecurity risks that can threaten people’s privacy. Centralization is a terrible idea from the perspective of cybersecurity, said Sunil Abraham, executive director of the Bengaluru-based research organization Centre for Internet and Society. “This is a honeypot (a computer system that is set up to attract and trap people who attempt to penetrate other people’s computer systems) and variety of bad actors, i.e. criminals, terrorists, as well as states and corporations, will target this database hoping to compromise it.”

A petition filed by former Justice K.S. Puttaswamy in 2012 said that Aadhaar scheme infringes citizens’ privacy as applicants need to provide personal information on biometrics, iris and fingerprints, which infringes their right to privacy that is a part of the fundamental right to life under Article 21 of the Constitution. Security experts have been raising concerns about lack of secure and foolproof system to ensure that all the data will be safe and will not be misused. “How do we address the security and innovation imperative without compromising on the right to privacy? We must build individual transaction databases for each government department/ministry and (have) decentralised authentication. Only anonymized dataset should be made available to the supercomputing applications that are being built,” Abraham said. “For innovation and improved e-governance, anonymized data is sufficient.”

For more details visit https://cis-india.org/internet-governance/news/livemint-february-10-2015-moulishree-srivastava-govt-may-turn-to-supercomputing-for-better-use-of-aadhaar-database

Govt may have made 135 million Aadhaar numbers public: CIS report

praskrishna — 2017-05-03T15:43:37Z

CIS report says Aadhaar numbers leaked through government databases could be 100-135 million and bank accounts numbers leaked about 100 million.

The article by Komal Gupta was published in Livemint on May 2, 2017.

A central government ministry and a state government may have made public up to 135 million Aadhaar numbers, according to a research report issued by Bengaluru-based think tank Centre for Internet and Society (CIS) late on Monday.

The report titled Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information studied four government databases.

The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.

The other two databases deal with Andhra Pradesh—the state’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” said Amber Sinha and Srinivas Kodali, the authors of the research report.

The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.

“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” said the report.

The report said the NSAP portal lists 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar.

“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data,” said the report.

UIDAI did not respond to an email from Mint seeking comments.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report