We are anonymous, we are legion

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves

Admin — 2019-01-12T02:13:25Z

Several social media users have no idea of how much of their information is stored on the Internet and what kind of information they are allowing the applications to access.

The blog post by Sanyukta Dharmadhikari was published by the New Minute on January 10, 2019. Pranesh Prakash was quoted.

Imagine someone knowing exactly where you are, where you live, what your routine is, where you will be and then waiting there for a ‘chance encounter’ to happen. This near-horror phenomenon is something Netflix’s new show You delves into. It follows a seemingly charming bookstore manager and his ‘love story’ with an aspiring writer – except he stalks her, breaks into her home, steals her phone and keeps tabs on her location in an attempt to be ‘at the right place at the right time’ and weasel into her life.

The nightmarish experience of the woman he pursues in the series led many users to check their own privacy settings on social media. But several users still have no idea of how much of their information is stored on the cloud and what kind of information they are allowing the applications to access.

How social media uses your data

“There might be much more information about you out there on the Internet than you sign up for. People do not really realise how much of their data is out there. Things are made out to be very opaque, so it is difficult to know who stores how much of your data,” says Anja Kovacs, director at Delhi-based Internet Democracy Project.

Pranesh Prakash, a fellow at the Centre for Internet and Society, explains that most websites put the onus of privacy onto the user but recently, there have been some features that social media giants have introduced after privacy concerns were voiced.

“On Twitter, I think you don’t need to use your real name and you do not have to use your location. On Facebook, apart from your name, you can restrict other information to friends only or use the option ‘Only Me’. With these kinds of possibilities existing, one just needs to know how to navigate through these tools,” Pranesh says.

The problem with this, he adds, is that the onus of privacy is put onto the user. “It is a difficult situation for social networks. One of Facebook’s most used feature is the ‘people you may know’ feature. Sometimes, that can go really bad, sometimes it may throw up your ex as a suggestion or let your stalker see your profile or it may allow people who visit a common psychologist to see each other as suggestions without knowing why,” he says.

While it is difficult for social media giants to calibrate such settings, the users have recently been given options to help control what kind of audience sees what information.

After Google Plus was launched, Facebook introduced a feature that allows users to choose who can see their status updates. Pranesh adds that users should make use of such features.

Understanding your data online

Not many users realise that basic information about them can be used against them. Seemingly harmless information like your date of birth, your birthplace or the pages that you follow on social media may contain leads for identity thefts.

“All the information that you put up publicly can be used by police, future employees or even your stalkers as well. For example, your date of birth, which most users add to their social media profiles, is usually used to verify bank accounts. If that is public, anyone can pretend to be you,” says Pranesh.

A way out is to relay this information only to people you trust. Another thing is to remember that on the internet, information received from one website can be used to access information on another website.

“You might upload a picture with your pet and name your pet in that post. However, that name could be the answer to one of the security questions asked on another website. If you use the same email address and username across social media profiles, it is easier to find information about you. Users should be aware that websites can be connected,” Pranesh explains.

Apps and permissions

Another crucial thing to remember is that users must always look into privacy settings of social networks that they use.

When you install new applications on your mobile phones, they often ask for certain permissions – like seeking access to your location – and users usually mechanically click on allow.

Most of these permissions apps request are often based on the type of application – for example, it is natural for Google Maps to ask permission to access your location – and users need to be vigilant if apps ask for absurd permissions.

“I once saw a torchlight app that sought access to my address book. Why would my flashlight need access to my contacts? There are a lot of apps who don't read these permissions. It is quite easy to figure out what kind of permissions an app needs and users need to apply their mind when installing the apps,” Anja adds.

She states that there are a lot of people who do not read through the terms and conditions of a particular website or app or the permissions they seek. And once access is granted, there is no way of taking your data back.

Last year, it was revealed that a Facebook breach had exposed data of 50 million people. Last month, Facebook reported another security breach where nearly 6.8 million users risked their private photos being exposed to third-party apps.

Facebook also found itself refuting serious claims of wrongdoings in giving access to user information to certain device makers, including China-based Huawei, and certain large technology companies and popular apps like Netflix or Spotify.

Anja says users should be more critical of such companies and organisations that store data or sell users' data.

“People feel that things can’t change, but that is because they don't make enough noise. You must ask whether companies can store your data and not just who has what data – ask who can access it,” Anja said. “Think more critically about which companies you trust and why you trust them.”

For more details visit https://cis-india.org/internet-governance/news/news-minute-sanyukta-dharmadhikari-january-10-2019-creeped-out-by-netflixs-you

CPRsouth 2016 – Young Scholars Programme

praskrishna — 2016-05-30T02:01:21Z

Rohini Lakshané, Amber Sinha and Vidushi Marda have been selected to attend the two-day Young Scholars' Programme to be held in Zanzibar, Tanzania in early September this year. The programme is a part of the CPRSouth conference.

Read the original announcement published by CPRSouth here.

Following highly successful joint Afro-Asian CPR conferences in Mauritius in 2012, and India in 2013, CPRafrica and CPRsouth formally merged under the banner of CPRsouth in 2014. Since then, CPRsouth has hosted conferences in the Cradle of Humankind in South Africa (2014), and at the Innovation Center for Big Data and Digital Convergence at Yuan Ze University, Taiwan (2015).

This year’s conference is co-hosted by COSTECH and TCRA in Zanzibar, and will include sessions on cutting-edge developments on ICT policy and regulation in the South and discussion of the research-policy interface.

30 Young Scholars from Africa and the Asia-Pacific region will be selected to participate in a tutorial programme taught by recognised scholars and practitioners from Africa and Asia, and they will attend the main conference thereafter.

Tutorials are scheduled to be held on the 6^th and 7^th of September 2016, prior to the main CPRsouth conference.

Who will qualify?

Masters/PhD students in Economics, Public policy, Communications and Journalism
Officers of government/regulatory agencies undertaking ICT policy research, developing/gathering indicators (monitoring and evaluation)
Staff of private companies in the communication industries working in regulatory affairs
Officers in NGOs/INGOs working in policy and regulation
Researchers from think tanks, university research centres
Journalists covering communication public policy and regulation

Seminar

The seminar will cover a number of topics of the two days, such as:

policy analysis using supply-side or demand-side data;
ICT impact analysis;
convergence, net neutrality;
funding broadband network extension, open access networks, spectrum;
sector and competition regulation;
research to policy interventions;
Internet governance – privacy, surveillance, human rights online; and
introduction to big data, open data.

(2016 tutorial programme still to be confirmed)

Previous tutorial presentations can be accessed at http://www.cprsouth.org/

Application deadline: 22 April 2016

Application guidelines

Applications should be submitted via this link by 22 April 2016, and must contain the following:

one-page curriculum vitae; and
one-page write-up outlining why you wish to become an African or Asia-Pacific based expert capable of contributing to ICT related policy and regulatory reform in the region

Applicants’ write-ups and biographies should be in a single word document, and named: CPRsouth2016_YoungScholar_ApplicantLastName.

Kindly note: Late applications and applications that do not conform to the prescribed format above will automatically be disqualified.

Review Criteria

Applications will be reviewed according to the following criteria:

content of application;
evidence of interest in, and commitment to, policy-relevant research for Africa or the Asia-Pacific region;
quality of writing; and
gender and country representation

The selection committee may contact your supervisor or mentor before making the final selections.

Candidates selected to participate in the tutorial programme must:

provide a one-page research proposal upon acceptance onto the tutorial programme
participate in all tutorial sessions
participate in the entire CPRsouth 2016 conference

Funding

Selected young scholars who are passport holders of, and travelling from, low and middle income countries within the Asia Pacific and Africa (as classified by the World Bank http://data.worldbank.org/about/country-classifications/country-and-lending-groups#Low_income) will be provided with:

lowest-cost economy airfare to conference destination (less USD 150 registration fee);
ground transfers between the conference venue and airport; and
twin sharing accommodation on bed and breakfast basis, 5 lunches and 1 dinner for the duration of the conference and tutorials (6 – 10 September 2016). Not all meals are covered.

The registration fee for young scholars to attend the conference and tutorials is USD150, and airfares will be reimbursed less this registration fee. Participants will be required to cover:

transport to and from airports in their home countries;
visa fees (if any);
meals not provided; and
any other incidental costs

As the registration fee is so low and should be met personally even if there is no institutional support for attendance of the course and conference, please note that only under exceptional circumstances of extreme financial hardship may the organisers consider a waiver of the conference registration fee. Such waivers will be considered on a case-by-case basis and only where a scholar would otherwise be prevented from attending the YS programme and conference.

Visas

Letters of invitation will be provided for purposes of visa applications after participant selections have been made. Participants are responsible for securing their own visas to enter Tanzania, and are strongly advised to initiate visa approval procedures immediately on receipt of confirmation of their participation.

Kindly direct all enquiries to Ondine Bello: admin@researchictafrica.net orinfo@CPRsouth.org

For more details visit https://cis-india.org/internet-governance/news/cprsouth-2016-2013-young-scholars-programme

CPDP 2015

praskrishna — 2014-09-30T09:52:52Z

The eighth international conference on computers, privacy and data protection will be held in Brussels from January 21 to 23, 2015. The Centre for Internet and Society is a moral supporter of CPDP.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University and has grown into a platform carried by 20 academic centers of excellence from the EU, the US and beyond. As a world-leading multidisciplinary conference CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. Within an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world in Brussels offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world. CPDP2014 welcomed 854 guests including 343 speakers from 43 different countries dispersed over more than 60 panels which took place during three full days. It attracted another 500 people in several public evening events including debates, a pecha kucha evening and an art exhibition. CPDP2015 aims to repeat the success of last year and will stage panels within the following main topical themes: Data Protection Reform: European and Global Developments, Mobility (mobile technologies, wearable technologies, border surveillance), EU-US developments concerning the regulation of government surveillance, Health, privacy and data protection, Love and lust in the digital age, Internet governance and privacy.

In 2015 CPDP will take place from January 21 to 23, 2015 in the Halles de Schaerbeek, Brussels, Belgium. Registrations are already open: http://www.cpdpconferences.org/Registration.html. For more details see here.

For more details visit https://cis-india.org/internet-governance/news/cpdp-2015

CPDP 2014 Reforming Data Protection: The Global Perspective

praskrishna — 2013-12-11T03:39:50Z

Already in its 7th edition, the annual Computer Privacy and Data Protection conference (organised by CPDP) is being held in Brussels from January 22 to 24, 2014. Malavika Jayaram will be speaking at this event.

The Centre for Internet and Society is one of the sponsors for this event. Click here to read the full programme.

CPDP is a non-profit platform originally founded in 2007 by research groups from the Vrije Universiteit Brussel, the Université de Namur and Tilburg University, which has now grown significantly and incorporates a consortium of 21 conference partners.

CPDP offers the cutting edge in legal, regulatory, academic and technological development in privacy and data protection. In an atmosphere of independence and mutual respect, CPDP gathers academics, lawyers, practitioners, policy-makers, computer scientists and civil society from all over the world to exchange ideas and discuss the latest emerging issues and trends. This unique multidisciplinary formula has served to make CPDP one of the leading data protection and privacy conferences in Europe and around the world.

CPDP2014 has become truly global: it is co-organized by conference partners from Europe and the United States, and devotes panels to Latin-America and India. Moreover, CPDP is reaching out to the Asia-Pacific with speakers coming from all over the region.

The progressive growth of CPDP will culminate in an unprecedented 7^th edition. A terrific programme will include more than 60 panels held over three consecutive days. The panels will focus on key issues that cover all current debates: The data protection reform in the European Union, PRISM, big data, cybercrime, data retention, cloud computing, enforcement by Data Protection Authorities, biometrics, e-health, privacy by design, and much, much more. In addition, there will be a day event on the ethical issues of data collection on minorities, and the use of technology to advance the status of Roma.

CPDP will offer valuable contributions from the leading names in the field, including key representatives from all the major European institutions - the European Commission, the European Parliament, the European Data Protection Supervisor, and the Council of Europe.

In addition to the well-known classic Pecha Kucha side event, there will be several public debates held in the evenings – both in Dutch and English.

CDP2014 will continue to pay particular attention to high-level and innovative research from PhD Students and outstanding junior researchers by organizing sessions completely devoted to their work. CPDP2014 will also remain home to several award ceremonies, such as the award for the best Multidisciplinary Privacy Paper and the EPIC International Champion of Freedom Award.

Whether you are involved in the Conference as a sponsor, supporter, partner or participant or not, CPDP2014 welcomes you to join the event and contribute to the debate on emerging privacy and data protection issues.

For up to date information, registration and the programme, please visit http://www.cpdpconferences.org/ and follow CPDP on Facebook (cpdpconferences) and Twitter (@cpdpconferences).

If you have any questions please contact: info@cpdpconferences.org

For more details visit https://cis-india.org/events/cpdp-2014-reforming-data-protection-global-perspective

CPDP (Computers, Privacy and Data Protection) 2017

praskrishna — 2017-02-03T02:02:05Z

Amber Sinha participated as a panelist in a panel on 'EU Adequacy Status for International Data Transfers' in Brussels, Belgium on January 26, 2017. The event was organized by Privacy International.

EU Adequacy Status for International Data Transfers

According to EU data protection laws, countries only have blanket freedoms to receive and process personal data from the EU if they have been awarded an adequacy status by the Commission. Given the vital importance of data transfers between countries in the global economy, having such a status is a valuable asset, as other available legal means of transfer are more limited. India, for e.g. is said to be losing in excess of Euro 30 billion per year through lost trade with the EU, as it lacks such adequacy status. In the 20+ years since the data protection Directive was passed, only 11 states have been decided to be ‘adequate’ by the Commission – which include the US with its recently awarded Privacy Shield. The Commission methodology and procedures for granting adequacy to countries is increasingly under scrutiny – for e.g. a recent study found that the way it makes adequacy decisions for its trade partners could be accused of being obscure, inconsistent and without clear criteria or rules or timeframes. This also makes EU data protection laws vulnerable to challenge under world trade rules. This panel will address the following questions:

Questions to be considered:

On what basis does the EU and the Commission make decisions on whom to grant adequacy status?

In the light of the Schrems judgement defining adequacy as ‘essentially equivalent’, should all past decision be revised?

Given that more than 100 countries now have general data protection laws, how should countries be chosen for adequacy judgements?
What criteria and methodologies should be used to ensure all countries are treated equally, to ensure fundamental rights are equally upheld, and to avoid possible challenge under WTO rules?
(New) What are your views on the EC proposal to facilitate international transfers of personal data, recently published?

Panel:

Chair: Jan Albrecht MEP

Panel:

Kristina Irion, Institute of Information Law (IVIR), University of Amsterdam:

Kristina is expert academic in both data protection and related trade issues, author of recent study ‘Trade and Privacy: complicated bedfellows’

Amber Sinha, Centre for Internet and Society (CIS), India

Amber is policy researcher specialising in privacy and big data ; CIS is an India NGO and partner organisation of Privacy International.

Daniel Cooper, Covington and Burling ;

Dan is partner at this global law firm, which advises both business and government clients round the world ; he leads the data protection practice in London

Bruno Gencarelli, European Commission DG Justice ;

Bruno is the head of the new DG Justice unit on data flows and data protection, and as such the Commission boss of adequacy

Veronica Perez-Asinari, European Data Protection Supervisor (EDPS).

Veronica is the EDPS head of unit for supervision and enforcement; she has also recently spent some months working with the Argentina DPA (Argentina has EU adequacy).

Moderator: Anna Fielder, Privacy International

For more details visit https://cis-india.org/internet-governance/news/cpdp-computers-privacy-and-data-protection-2017

CoWIN Breach: What Makes India's Health Data an Easy Target for Bad Actors?

Shweta Mohandas and Pallavi Bedi — 2023-07-04T09:39:03Z

Recent health data policies have failed to even mention the CoWIN platform.

The article was originally published in the Quint on 19 June 2023.

Last week, it was reported that due to an alleged breach of the CoWIN platform, details such as Aadhaar and passport numbers of Indians were made public via a Telegram bot.

While Minister of State for Information Technology Rajeev Chandrashekar put out information acknowledging that there was some form of a data breach, there is no information on how the breach took place or when a past breach may have taken place.

This data leak is yet another example of our health records being exposed in the recent past – during the pandemic, there were reports of COVID-19 test results being leaked online. The leaked information included patients’ full names, dates of birth, testing dates, and names of centres in which the tests were held.

In December last year, five servers of the All India Institute of Medical Science (AIIMS) in Delhi were under a cyberattack, leaving sensitive personal data of around 3-4 crore patients compromised.

In such cases, the Indian Computer Emergency Response Team (CERT-In) is the agency responsible for looking into the vulnerabilities that may have led to them. However, till date, CERT-In has not made its technical findings into such attacks publicly available.

The COVID-19 Pandemic Created Opportunity

The pandemic saw a number of digitisation policies being rolled out in the health sector; the most notable one being the National Digital Health Mission (or NDHM, later re-branded as the Ayushman Bharat Digital Mission).

Mobile phone apps and web portals launched by the central and state governments during the pandemic are also examples of this health digitisation push. The rollout of the COVID-19 vaccinations also saw the deployment of the CoWIN platform.

Initially, it was mandatory for individuals to register on CoWIN to get an appointment for vaccination, and there was no option for walk-in-registration or to book an appointment. But, the Centre subsequently modified this rule and walk-in appointments and registrations on CoWIN became permissible from June 2021.

However, a study conducted by the Centre for Internet and Society (CIS) found that states such as Jharkhand and Chhattisgarh, which have low internet penetration, permitted on-site registration for vaccinations from the beginning.

The rollout of the NDHM also saw Health IDs being generated for citizens.

In several reported cases across states, this rollout happened during the COVID-19 vaccination process – without the informed consent of the concerned person.

The beneficiaries who have had their Health IDs created through the vaccination process had not been informed about the creation of such an ID or their right to opt out of the digital health ecosystem.

A Web of Health Data Policies

Even before the pandemic, India was working towards a Health ID and a health data management system.

The components of the umbrella National Digital Health Ecosystem (NDHE) are the National Digital Health Blueprint published in 2019 (NDHB) and the NDHM.

The Blueprint was created to implement the National Health Stack (published in 2018) which facilitated the creation of Health IDs. Whereas the NDHM was drafted to drive the implementation of the Blueprint, and promote and facilitate the evolution of NDHE.

The National Health Authority (NHA), established in 2018, has been given the responsibility of implementing the National Digital Health Mission.

2018 also saw the Digital Information Security in Healthcare Act (DISHA), which was to regulate the generation, collection, access, storage, transmission, and use of Digital Health Data ("DHD") and associated personal data.

However, since its call for public consultation, no progress has been made on this front.

In addition to documents that chalk out the functioning and the ecosystem of a digitised healthcare system, the NHA has released policy documents such as:

the Health Data Management Policy (which was revised three times; the latest version released in April 2022)
the Health Data Retention Policy (released in April 2021)
Consultation paper on the Unified Health Interface (UHI) (released in December 2022)

Along with these policies, in 2022, the NHA released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) – India’s state health insurance policy.

However these draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; the PM-JAY’s Data Sharing Guidelines, published in August 2022, did not even refer to the draft National Digital Health Data Management Policy (published in April 2022).

Interestingly, the recent health data policies do not mention CoWIN. Failing to cross-reference or mention preceding policies creates a lack of clarity on which documents are being used as guidelines by healthcare providers.

Can a Data Protection Bill Be the Solution?

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.”

However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

Omitting these definitions from the Bill removes a set of data which, if collected, warrants increased responsibility and increased liability. Handling of health data, financial data, government identifiers, etc, need to come with a higher level of responsibility as they are a list of sensitive details of a person.

The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused.

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal.

The Bill also prescribes penalties of upto Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of upto Rs 200 crore if the fiduciary fails to notify the data protection board and the data principal of such breach.

While these steps, if implemented through legislation, would make organisations processing data take their data security more seriously, the removal of sensitive personal data from the definition of the Bill, would mean that data fiduciaries processing health data will not have to take additional steps other than reasonable security safeguards.

The absence of a clear indication of security standards will affect data principals and fiduciaries.

Looking to bring more efficiency to governance systems, the Centre launched the Digital India Mission in 2015. The press release by the central government reporting the approval of the programme by the Cabinet of Ministers speaks of ‘cradle to grave’ digital identity as one of its vision areas.

The ambitious Universal Health ID and health data management policies are an example of this digitisation mission.

However breaches like this are reminders that without proper data security measures, and a system for having a person responsible for data security, the data is always vulnerable to an attack.

While the UK and Australia have also seen massive data breaches in the past, India is at the start of its health data digitisation journey and has the ability to set up strong security measures, employ experienced professionals, and establish legal resources to ensure that data breaches are minimised and swift action can be taken in case of a breach.

The first step to understand the vulnerabilities would be to present the CERT-In reports of this breach, and guide other institutions to check for the same so that they are better prepared for future breaches and attacks.

For more details visit https://cis-india.org/internet-governance/blog/quint-shweta-mohandas-and-pallavi-bedi-june-19-2023-cowin-data-breach-health-sensitive-details-policies-solution

Court’s approval needed to tap phones: Panel

praskrishna — 2012-10-22T07:02:34Z

Investigators can monitor a person for 15-20 days on executive orders in case of emergencies, suggests panel.

Surabhi Agarwal's article was published in LiveMint on October 18, 2012. Sunil Abraham is quoted.

Government agencies need judicial permission before intercepting any communication or starting surveillance of any individual, a panel on the proposed privacy law suggested on Thursday.

If there is any urgency, investigators can tap phones or monitor a person’s movements for 15-20 days on executive orders but will then have to approach the courts to continue, the committee led by retired Delhi high court judge Ajit P. Shah recommended.

“Phone tapping under the present regime is done under executive permission whereas in other countries it is done only with the permission of the courts,” Shah said.

Security agencies currently require permission from home secretaries, either at the Centre or the states, to set up wiretaps or monitor emails. An oversight group of the cabinet, law and telecom secretaries at the Centre reviews all such authorizations.

	The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies. Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles. The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The government established the Shah committee in Feburary under the Planning Commission to study international best practices on privacy and surveillance after concerns arose on misuse of information collected by official agencies.

Shah said on Thursday that the committee was “not interested” in preparing a privacy law but has only laid down the principles.

The department of personnel and training will deliberate on the panel’s recommendations and then draft a legislation, said Ashwani Kumar, junior minister in the Planning Commission.

The Shah panel has recommended appointing privacy commissioners and a system under which organizations will have to develop privacy standards that will be approved by a commissioner as a means of self-regulation.

Sectoral industry associations would form a code of conduct for companies that will comply with law as they will be approved by the privacy commissioner, according to Kamlesh Bajaj, chief executive officer of Data Security Council of India, one of the members of the committee. “These associations could also act as alternative dispute-resolution mechanisms,” Bajaj said.

The committee’s other recommendations include giving individuals a choice to provide personal information, collection of only critical personal information, use of data only for the purpose for which it has been collected, and a penalty for violations.

“Without a comprehensive horizontal regulatory framework and the office of the regulator both private and public entities in India have been trampling on the rights of citizens without complying to any of the international best practices when it comes to protecting the right to privacy,” said Sunil Abraham, executive director of Centre for Internet and Society, a Bangalore-based advocacy group. After the privacy law is enacted and the office of a privacy commissioner is created, people will be able to seek redressal against these erring pubic and private entities if their rights are violated, he added.

The government has been looking to enact a privacy law to ensure data collected by various programmes such as the National Population Register, Unique Identification Authority of India and National Intelligence Grid was not misused. It was expected to scotch criticism of these programmes by privacy and Internet activists. It later expanded the scope of the proposed legislation after catching flak for a leak of tapped conversations between corporate lobbyist Niira Radia, industrialists and journalists.

The government now aims to uphold the right of all Indians against any misuse of personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication. That means it effectively covers everything from the misuse of data collected by the government to spam.

However, there could be opposition from law enforcement agencies if the privacy law mandates that prior permission of the courts will be required before intercepting communication.

If judges begin taking a call on interception requests, there could be chances of leakage, “since there are so many judges at so many levels”, said Rumel Dahiya, deputy director general at Institute of Defence Studies and Analyses, a New delhi-based think tank. “The government carries out surveillance to gain fool-proof intelligence. That purpose will be defeated.”

Last week, Prime Minister Manmohan Singh said a fine balance needs to be maintained between the right to information and the right to privacy.

The Shah committee included representatives from the private sector, the department of information technology, ministry of home affairs, department of telecommunication, the law ministry and the department of personnel and training.

Kirthi V. Rao contributed to this story.

For more details visit https://cis-india.org/news/livemint-october-18-2012-surabhi-agarwal-courts-approval-needed-to-tap-phones

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:48:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.pdf

Counter-proposal by the Centre for Internet and Society: Draft Information Technology (Intermediary Due Diligence and Information Removal) Rules, 2012

pranesh — 2016-04-24T11:56:49Z

Any restriction on freedom of speech should embody and be guided by the following principles, as identified by the UN Special Rapporteur on Freedom of Opinion and Expression.

For more details visit https://cis-india.org/internet-governance/counter-proposal-by-cis-draft-it-intermediary-due-diligence-and-information-removal-rules-2012.odt

Counter Surveillance Panel: DiscoTech & Hackathon

praskrishna — 2014-02-28T05:36:15Z

We invite you to a Counter Surveillance DiscoTech and Hackathon at the Centre for Internet and Society in Bangalore on Saturday, March 1, 2014 (9.00 a.m. to 5.00 p.m.). The event is being co-organized by the Centre for Internet and Society in tandem with the MIT Centre for Civic Media Co-Design Lab, with support from members of Tactical Technology Collective, Hackteria.org and Srishti School of Art Design and Technology. Registrations begin at 9.00 a.m. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy, titled "Privacy for Humanity" at 5.00 p.m.

Overview

Mirroring the call by MIT Civic Media Lab Co-Design Studio, this event brings together students, technologists, designers and citizens to explore counter-surveillance strategies. The event will be held simultaneously across various locations including Boston, Palestine, Lisbon and Buenos Aires. Click here for the definition of DiscoTech.(Discovering Technology)

Agenda

We shall begin with brief contextualized introductions catalyzed by researchers in the field of privacy & surveillance, followed by workshops and hackathons led by expert practitioners. Participants are welcome from diverse backgrounds looking to be involved in designing engaging and creative ways to counter surveillance. The event shall close with a featured talk by renown information activist and maker lab innovator Smari McCarthy , titled "Privacy for Humanity" at 5.00 p.m.

Introductory Catalyst Sessions

Malavika Jayaram: Fellow at Berkman Center for Internet and Society at Harvard University and the Centre for Internet and Society, Bangalore
Laird Brown: DesiSec Project at the Centre for Internet and Society, Bangalore and University of Toronto
Kaustubh Srikant: Head of Technology, Tactical Technology Collective and Maya Indira Ganesh (Program Director)
Abhay Raj Naik: Assistant Professor, Azim Premji University

Design and Hackathon Lead Catalysts

Yashas Shetty:Faculty@ www.srishti.ac.in and Co-Founder Hackteria.org (DNA Spoofing, Surveillance Camera: Avoidance, Microscopic Re-Appropriation & Bacterial Discotheque)

Hari Dilip Kumar: Co, Founder, FluxGen: (Introducing data transmission protocols, Software Defined Radio (SDR) design and surveillance detection )

Sharath Chandra Ram: Researcher @ CIS Open Lab and Faculty@Srishti (Civic Media solutions using open citizen networks and the web, spectrum scanning, visual communication design strategies, finger print mash-up publishing)

Featured Talk and Interactive Closing Session by Smari McCarthy

(Executive Director, International Modern Media Institute and Founder, Icelandic Pirate Party & Icelandic Digital Freedom Society)

Title of Talk: PRIVACY for HUMANITY - 5.00 p.m.

Click to download the flyer invite
Date: Saturday, March 1, 2014
Time: 9.00 a.m. to 5.00 p.m. (Registration 9.00 a.m. sharp)
Venue: Centre for Internet and Society, Bangalore
Map : http://bit.ly /1fcDDLG

Please RSVP due to limited space and logistics for lunch and refreshments

For more details visit https://cis-india.org/events/counter-surveillance-panel-disco-tech-hackathon

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Could better DNA testing facilities in India have saved the Talwars?

praskrishna — 2012-10-11T09:44:30Z

Over the last decade, the use of DNA tests to solve crimes has seen a significant rise in crime investigation in India. But forensic experts warn that the absence of standard practices, quality checks and regulation has resulted in irresponsible and inaccurate application of the technology.

This article by Pallavi Polanki was originally published in FirstPost on October 11, 2012. CIS press statement is mentioned.

The use of outdated technology and lack of expertise to competently collect and analyse DNA samples from the crime scene has compromised investigation and led to instances where courts have rejected DNA evidence as being unreliable or inconclusive.

Says GV Rao, DNA analyst and formerly chief staff scientist at the Hyderabad-based Centre For DNA Fingerprinting and Diagnostics (CDFD), “Today we are very much behind the rest of the World in upgradation of technology as required…Further, the backlog of cases is quite large in each of the DNA labs in India and not much is being done about it. Still we have not obtained or adopted the DNA techniques to identify difficult samples. The recent example of Bhanwari Devi case, where the CBI had to send the victim’s bones to FBI, USA for identification to get it identified. This is a sad reflection of the present status of DNA technology in India.”

Most recently, the demand for more advanced DNA tests to be conducted was unsuccessfully made by dentist couple Rajesh and Nupur Talwar, who have been charged with the murder of their teenage daughter Aarushi and domestic help Hemraj.

Perhaps, no other case has so fully exposed the pathetic state of the crime-scene investigation in India. With most of the crucial evidence either destroyed or contaminated due to shoddy police work, the prosecution’s case has come to depend entirely on circumstantial evidence, without a shred of material evidence to support it.

The police force’s lack of expertise to collect DNA evidence was flagged recently by senior scientist at the All India Institute of Medical Sciences (AIIMS) Anupama Raina at a public meeting by the Bangalore-based Centre for Internet and Society on the DNA profiling Bill, in the Capital.

Raina, speaking at the meeting, emphasized the usefulness of the technology but cautioned that the police were still perfecting the use of DNA samples for forensic purposes.

Elaborating on the inadequate training to cops on collecting DNA evidence, Rao said, “In India, there are no special crime case investigators. We have a law and order police station for each area and from bandobast duty to control crowds. It is a tall order expecting them to collect samples. In some states there are special teams which collect samples for DNA testing and then hand it over to the police….Till date none of the DNA labs have made any sample collection kits made available to police stations or other agencies.”

And what after the samples reach the DNA labs?

Painting a rather bleak picture of existing conditions under which many of the DNA labs are operating, Rao says “There is lack of standards, guidelines, accreditation, proficiency testing of the DNA labs and its experts. Each DNA lab is issuing DNA reports in its own style. Each DNA lab is again following different procedures for conducting the test. ”

“No proper records of the tests conducted are being maintained for production in a court of law for its inspection. DNA experts are not being tested for their proficiency in their expertise by a third party and presently they are getting away with such minimal expertise,” he said.

Will the new draft DNA Profiling Bill fix the problems that beset the use of DNA evidence for forensic purposes in India? And what is the context to the draft DNA profiling bill?

“India currently does not have a legislation specifically regulating the collection, use, and storage of DNA samples for forensics purposes. To address this gap, in 2007 a draft DNA Profiling Bill was created by the Centre for DNA Fingerprinting and Diagnostics. In February 2012 a new draft of the bill from the department of biotechnology was been leaked. The draft Bill envisions creating state level DNA databases that will feed into a national level DNA database for the purposes of solving crime.” (Read the full press statement by CIS here)

Raina endorsed the passing of the bill but with necessary safe-guards. The Bill has raised a degree of alarm for its sweeping proposals to collect DNA profiles and create DNA databases – a move experts believe violates the privacy of citizens.

Helen Wallace, director of GeneWatch UK (a not-for-profit group that monitors developments in genetic technologies from a public interest perspective), who participated in the public meeting on the DNA profiling bill, underlined the absence of a clear purpose for the DNA profiling system as proposed by the bill and its lack of clarity on the collection policy that wishes to profile not just those involved in criminal cases but also civil cases.

Jeremy Gruber, president and executive director of the US-based Council for Responsible Genetics, also warned against the bill’s blind faith in DNA results as the gospel truth and ignoring very real possibilities of false matches, cross-contamination and laboratory errors.

Expressing his disappointment with the draft bill, Rao said, “Unfortunately this bill does not provide for standardization, quality control and regulation except for collection of DNA samples of everybody involved in all civil and criminal cases, including suspects… We need standards, protocols, guidelines, amendments to IPC and CrPC for effective implementation of DNA testing.”

For more details visit https://cis-india.org/news/first-post-pallavi-polanki-oct-11-2012-could-better-dna-testing-facilities-in-india-have-saved-the-talwars

Cos spying on competitors, staff: Study

praskrishna — 2012-06-20T08:46:38Z

Most companies are spying on their competitors and their own employees, according to a recent survey conducted by the Associated Chambers of Commerce and Industry of India (Assocham).

The Statesman published this article on June 19, 2012. Sunil Abraham is quoted in it.

The survey's results raise questions about whether employees have enough privacy in the workplace. Rubbishing the survey's findings, head of the Indian Council of Corporate Investigators, Mr Kunwar Vikram Singh, said businesses are not spying but verifying facts.

The Assocham survey said almost 1,200 of 1,500 executives surveyed admitted to hiring people to spy on their employees and monitor their lifestyles. They said they watch former employees, too, especially those who had been laid off or kicked out for fraud.

In the survey, which was done between January and May this year in Ahmedabad, Bangalore, Chennai, the Delhi-National Capital Region and Mumbai, about 900 top industry officials said they carry out corporate espionage, bug the offices of their rivals and plant moles in other companies. About a quarter of respondents said they have hired computer experts to hack networks and track e-mails of their rivals.

Many more respondents — 1,110 of those questioned — said they use social media sites to track their rival companies and employees. “Most of the companies have mentioned their sensitive details including their data, plans, clients’ details, products and other confidential and trade-related secrets on their page and unknowingly share the same in the social media circuit,” said Mr DS Rawat, national secretary-general of Assocham, “which is why it is the most favoured spying activity being carried out by the companies.”

The practice of companies pilfering trade secrets and ideas may be bad for the country's business environment, said Mr Rawat. It “might dampen the spirit of innovation in the long-run,” he said.

The Indian Council of Corporate Investigators’ Mr Singh, however, disputed Assocham's picture of rampant corporate espionage. “I totally deny that corporates are spying on their employees,” he said. “It is not spying. It is verification of facts.”

Mr Singh said that when companies look into their employees or other companies, for example, before they enter into joint ventures, they are just carrying out “due diligence”. He said they legally gather information needed for companies to survive. He also denied there were any privacy issues.

Mr Sunil Abraham, executive director of the Centre for Internet and Society, though, said there are growing concerns about privacy in the workplace, including about intense video surveillance. “Managers started to object to this,” he said. “What they started saying was it really undermines the morale of these locations ... friends and relatives would ask, 'In spite of you being so educated, it's funny your companies don't trust you at all.'”

Companies need to develop more nuanced ways to deal with these problems — perhaps something more similar to the military's multiple levels of clearance — and different ways for people to acquire and lose trust, Mr Abraham said.

Whether or not surveillance is legal, depends on the type, Mr Abraham said. There is some private information a person will expect to remain private, and some information that is expected to be public — like Twitter feeds.

There is no law against monitoring this second type, known as “clear view surveillance”, he said, and blanket legislation could clash with freedom of expression. He said an ideal law for this should include a “proportional relation to power” clause, which would limit the legal ability of the powerful to monitor, but allow individual citizens more leeway.

For more details visit https://cis-india.org/news/co-spying-on-competitors-staff

Corporate push to Modi’s Rs.4.5-billion digital dream

praskrishna — 2015-07-16T02:26:24Z

Prime Minister Narendra Modi’s Rs. 4.5-billion digital dream seems to find favour with the corporate world, which calls it a “very progressive step” and “massive tech push”.

The article by Rakesh Kumar was published in the Statesman on July 13, 2015. Sumandro Chattapadhyay was quoted.

Modi shared his dreams at the recent Digital India Week in the capital and the event saw big names from the business world—Reliance Industries Ltd chairman Mukesh Ambani, Tata group chairman Cyrus Mistry, Wipro Ltd chairman Azim Premji, among others—supporting the initiative.

Showing its faith in Modi’s dream, Reliance Industries is all set to invest over Rs.2.5 lakh crore in the initiative that would focus on cloud computing and mobile applications, empowering every citizen with access to digital services, knowledge and information.

The initiative could boost the IT sector, which according to NASSCOM witnesses a robust growth in 2015, with the calculated revenue for FY 2015 at $147 billion, and a growth of 13 per cent from the corresponding period 2014.

“From an IT perspective, this is a sincere approach to problem solving with growth, realism and long-term transformation at the core,” said Manish Sharma, president, Consumer Electronics and Appliances Manufacturers Association (CEAMA) and managing director, Panasonic India, in an exclusive interview to thestatesman.com.

“Empowering citizens with the use of IT, we believe Digital India is a massive tech push to provide electronic governance and universal phone connectivity across the country,” he added.

CEAMA and Panasonic are willing to contribute to Digital India through technological expertise and commitment.

The Indian information Technology (IT) industry is reportedly pegged at $118-billion and DS Rawat, secretary general, ASSOCHAM, feels the Digital India initiative could be a “game-changer”.

Commenting on PM’s pledge to bring Internet connectivity to all Indians, Rawat told thestatesman.com: “The initiative is possible, provided the implementation of the schemes is done in a mission mode.”

“The business and industry will be the major beneficiary in terms of quality of governance, which is possible through digital initiative. Besides, the industry itself has to prepare to deal with new emerging business models such as e-commerce,” he added.

Modi, at the Digital India launch, said that “e-governance will be quickly changed into m-governance, and ‘M’ does not mean Modi governance, it means mobile governance.”

Both, big corporate houses and small players hailed the PM’s remark.

“It is good initiative for the railway sector in terms of passenger amenities, online procurement and technological up gradation,” said Amit Goel of Aggarwal Engineers in an interview to thestatesman.com.

The company is active in the railway sector.

When asked how Digital India initiative would help small companies, Goel said: “It will help us in many ways. By adopting e-governance, small companies can check and bid for the online procurement and will be able to interact with the concerned department through digital technology.”

Anil Valluri of NetApp India said: “Digital India is one of the most significant transformations the country will witness by eventually connecting over a billion people of India, with technology as its focal point.”

When it comes to IT transformation, cyber security emerges as a vital issue.

Sumandro Chattapadhyay, Research Director, The Centre for Internet and Society (CIS), described the issue of digital security as the key to the “operationalisation and sustainability of the Digital India initiative”. “We expect the government not only to build administrative structures for ensuring cyber-security of the information systems, but also enable legal frameworks for protecting citizens from unlawful and unforeseen abuses of their digital identities as well as their digital assets.” Having said that, he praised the PM’s move, saying it will bring together various existing and new initiatives for building “network infrastructures for expanded public access, electronic governance systems for effective delivery of services, under the national policy umbrella of 'Digital India’”.

Rajiv Kapur, managing director, Broadcom India, pointed out another benefit of the ubiquitous broadband sector, which according to a report, faces certain challenges such as low rural penetration, stagnant data usage over the years and limited broadband services.

“It will help bring parity between the rural and urban India,” he said and added: “Today, we need solutions that allow the majority of rural Indian population to continue to stay at their homes, and not migrate to cities.”

In a knowledge economy, the biggest difference that will make an impact is education.

"Healthcare is another area where having connectivity can make big difference in quality of life," he said.

“E-delivery of governance and services is important for the efficient use of government resources, and allows for collaborative, transparent and more efficient governance," the Broadcom managing director added.

For more details visit https://cis-india.org/internet-governance/news/the-statesman-rakesh-kumar-july-13-2015-corporate-push-modis-billion-digital-dream

Core Concepts and Processes

Shruti Trikanand and Amber Sinha — 2019-10-17T16:06:54Z

When we embarked on this research project, we began with the primary questions of what constitutes a digital identity system. In the last few years, with the rise in national digital identity projects, there has been significant academic and media attention to the idea, benefits and risks of a digital identity system.

However, there have been relatively few attempts to critically look at what makes an identity system digital, and what are its defining elements and characteristics. Through a preliminary study of existing identity systems, we have arrived at these core set of concepts and processes that mark a digital identity system. In arriving at this list, we have relied upon and referred to the works by Dave Birch et al, World Bank’s ID4D initiative, Mawaki Chango, Kaliya Young and Kayode Ezike.

By publishing this, we hope to arrive at a shared vocabulary to discuss and critically analyse digital identity systems, both within our team and in engagements with other stakeholders. This illustrated and interactive glossary can serve as an easy reference for anyone seeking an introduction to the core aspects of digital identity. Even though this is essentially a list of definitions with examples, it does not follow an alphabetical order like most glossaries, but the logical flow of concepts as they build upon each other in a working identity system. We have paid special emphasis to the core processes of Identification and Authentication, elucidating them through diagrams.

Click to read more

Credentials:

Research by Shruti Trikanad and Amber Sinha
Conceptualization by Pooja Saxena and Amber Sinha
Illustrations by Akash Sheshadri and Pooja Saxena

For more details visit https://cis-india.org/internet-governance/digital-identity/shruti-trikanand-and-amber-sinha-september-13-2019-core-concepts-processes