We are anonymous, we are legion

Blockchain: A primer for India

Anusha Madhusudhan — 2020-03-30T13:32:58Z

This report is presently being updated.

For more details visit https://cis-india.org/internet-governance/blog/blockchain-a-primer-for-india

BJP outspends Congress, others in social media advertising

Vidhi Choudhary — 2019-05-14T15:21:35Z

The data shows that so far the BJP has spent Rs 25 crore in advertisements across Facebook, Instagram, Google and YouTube.

The article by Vidhi Choudhary was published in Hindustan Times on May 3, 2019. Sunil Abraham was quoted.

The ruling Bharatiya Janata Party (BJP) is way ahead of the Congress in advertising expenditure on social media at the end of the fourth phase of the ongoing Lok Sabha elections, according to data from advertising transparency reports by Google and Facebook - but the spending across parties is being described as much lower than expected by media experts.

The data shows that so far the BJP has spent ₹25 crore in advertisements across Facebook, Instagram, Google and YouTube.

It has spent ₹11.6 crore andRs 13.43 crore on Google and Facebook respectively. The Congress, the main opposition party has spent a total of ₹1.42 crore for ads on Facebook (Rs 74 lakh) and Google (₹62 lakh).

The total spend on political ads across Facebook, Google and their affiliates stood atRs 42.3 crore between February 2019 to the end of April 2019 across 108,968 ads.

The balance political ad spend ofRs 15.9 crore have been incurred by regional parties such as the Telugu Desam Party (TDP) and individual leaders such as Odisha chief minister Naveen Patnaik of the Biju Janata Dal (BJD).

These spends are part of the Facebook and Google political ad transparency reports - a measure most social media companies took as part of a voluntary code of ethics developed to ensure free, fair and ethical usage of social media platforms to maintain the integrity of the electoral process for the general elections 2019.

According to Sunil Abraham, founder and executive director for think tank, Centre for Internet and Society, the poll expenditure on social media appears to be abysmally low.

“Over all these number look low to me. It is possible that political parties are using astroturfing strategies to avoid public scrutiny through the transparency reports published by Facebook and Google. For those unfamiliar with the term, astroturfing is the creation of fake grassroots support - named after the fake grass that is used in sports fields,” he said.

But other experts suggested these figures don’t reflect the full picture.

“These are only the media spends by major political parties. Media spends don’t reflect the total spend on social media because a lot of money is spent on both content creation and manpower to oversee online campaigns.

Major parties collectively are likely to spend a total ofRs 350- 400 crore on social media this time, especially to tap into the first time voter who are regular users of Internet in the country,” said Ashish Bhasin, chairman and chief executive (CEO) at Dentsu Aegis Network - India and Greater South, a media buying agency.

In 2014, political parties would have spent overRs 175 crore on social media, Bhasin added.

The 2019 Lok Sabha elections have being widely touted as India’s first social media election with close to 600 million Internet users in the country, more than double of 2014.

Some other digital media experts contended that the social media spends by the BJP are more conservative compared to the 2014 general elections.

“The focus is back to booth level marketing as opposed to online spends perhaps because the Election Commission has put stringent audit checks and are closely monitoring all the invoices and ads put up on social media,” said Jyothirmayee JT, founder and chief executive of HiveMinds, a Bangalore based digital marketing agency.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-vidhi-choudhary-may-3-2019-bjp-outspends-congress-others-in-social-media-advertising

Biz moving to IPv6 but lower costs, support needed

praskrishna — 2012-06-14T05:01:34Z

Organisations such as Cisco Systems, Equinix and Singapore Internet Exchange are all gearing up for migration to IPv6 in time for the World IPv6 Launch day slated on Jun. 6,which involved everything from redesigning their backend infrastructure to assessing their systems’ readiness.

Published in intellasia.net on June 8, 2012

However, one industry player noted that the costs and effort in doing so is one key reason why more companies are not making the transition.

Cisco, for one, told ZDNet Asia that is had been preparing for the migration on Wednesday since the test run was conducted last year. Joshua Soh, managing director for Cisco Singapore and Brunei, pointed out that switching IPv6 on permanently demanded a certain level of production quality and this required a lengthy preparation time.

The first step was to work on its backend IT architecture and design, Soh revealed, adding that their primary goals were to leverage network infrastructure already in place to avoid spending on parallel networks, as well as to ensure production quality and ability to maintain overall service levels.

To meet these goals, the networking giant redesigned their data centre based on the reverse proxy model, in which the proxy server retrieves resources from the server to deliver to a client before returning these resources to the original server.

It also used its Application Control Engine (ACE) load-balancing platform to configure incoming IPv6 sessions to be proxied to the IPv4 tier so that the network will be dual-stacked to include existing ISP (Internet service provider) connections, the managing director explained.

The Singapore Internet Exchange did likewise. According to Yeo See Kiat, its sales and marketing director, the organisation enabled dual-stack networks on their servers for public-facing services, which would enable it to obtain IPv6 streams and turn on the service permanently.

“Meet in the middle” saves cost

Another company making a similar transition to the new Web protocol is Equinix. Its director of network engineering & operations for the Asia-Pacific office, Raphael Ho, told ZDNet Asia that the migration would require existing networks to be upgraded and expanded to support the additional bandwidth and power.

This is especially so for facilities such as the company’s International Business Exchange (IBX) data centers where the volume of interconnection is consistently high, he added.

In order to facilitate the switch, the company used its IPv6 Exchange to simplify the process for its networks to enhance traffic within an IPv6 environment, Ho stated. The central switching capability also helped create a “unicast” peering virtual local area network (LAN).

This “meet in the middle” approach helped reduce costs as it enabled its servers to more efficiently establish IPv6 peering, he explained.

Assess systems’ readiness

Cisco’s Soh noted that after the redesigning of the data centre is complete, the company performed an assessment to determine if existing devices in its demilitarised zone (DMZ) and datacenter networks were capable of supporting the new protocol. It also enhanced its network management systems to support network, devices and application monitoring over IPv6, he added.

At this late stage, the company is conducting system-level testing and quality assurance engineers are going about the functional and performance checks, the executive pointed out. Its last test will be a practice run in which it will switch on the IPv6 service for a few hours to make sure everything works fine, including the content delivery network and ISP services, he said.

Beyond the technical preparations, it also put together a training programme to ensure employees, from the frontline to the network engineers, were equipped with knowledge of the new protocol and skills appropriate for their roles, the executive stated.

No impetus for change

The amount of time and costs reflected in these companies’ migration efforts were cited as one of the main reasons why there are not more companies considering making the switch.

According to a statement issued by Tata Communications and India-based centre for Internet and Society on Wednesday, costs and infrastructure as well as having a minimum number of service providers and users utilising the network were identified as the two main impediments for IPv6 adoption.

One the first obstacle, they said: “IPv6 platforms do not communicate easily with IPv4 networks. This idea of abandoning IPv4 and moving to a new protocol is not only redundant, it is also futile because IPv4 is already running the largest network in human history quite efficiently.”

To make the transition more palatable, they believed “translators”, or technologies able to “speak” in both protocols, are needed. However, these translators are still expensive and there is a need to divert more resources to make these technologies more affordable, the statement noted.

As for the second reason, both Tata and the centre for Internet and Society stated that as long as the deployment of IPv6 remains nascent, there will be no concentrated energy to bridge both protocol versions.

“We are going to need a systemic change among all stakeholders to make IPv6 a reality, toward a faster, safer and more robust Internet,” they said.

For more details visit https://cis-india.org/news/biz-moving-to-ip-v-6

Bitcoin & Open Source with Aaron Koenig

praskrishna — 2014-02-06T01:40:24Z

Aaron Koenig, director of bitfilm.org and a global Bitcoin entrepreneur will give a talk at the Centre for Internet and Society, Bangalore on February 7 at 6.00 p.m.

Learn more about Bitcoin and its global path as we explore concepts and ideaologies behind the technology behemoth.


Above is an image of a Bitcoin Expert giving a presentation. Image source: http://bit.ly/1keLpwi

For more details visit https://cis-india.org/events/bitcoin-and-open-source-aaron-koenig

Bit by byte protecting her privacy

Admin — 2018-07-29T01:46:38Z

The Srikrishna committee draft law on data protection is days away. Here’s a bucket list of issues that will matter

The article by Mihir Dalal and Anirban Sen was published in Livemint on July 26, 2018. Amber Sinha was quoted.

In an era dominated by “free” platforms such as Google, Facebook and Amazon, among others, data privacy had largely been considered an academic matter. However, in the past one year that notion has changed forever, bringing data privacy to the fore, as one of the defining issues of the internet, both in India and abroad.

Last August, the Supreme Court ruled that privacy was a fundamental right under the Constitution of India. Concomitantly, the debate over Aadhaar and its potential misuse picked up steam on the back of reports about data breaches in the biometric ID system though these reports were denied by the Unique Identification Authority of India, which built Aadhaar. (The apex Court will deliver its verdict on petitions that have challenged the constitutional validity of Aadhaar and its legal framework)

Globally, Facebook came under severe criticism after it was revealed that the social media giant had compromised user data in the run up to the US elections. Finally, in May, Europe introduced its landmark data privacy law, General Data Protection Regulation (GDPR), which has put users in control of their data through various measures.

The stage is now set for the much-delayed draft law on data protection, which is expected to be submitted soon by the 10-member panel headed by former Supreme Court justice B.N. Srikrishna.

The committee, which had been set up last July, has attracted criticism from some quarters. Earlier this month, more than 150 lawyers, activists and journalists, among others, wrote to the Srikrishna committee, complaining about the lack of transparency in its process, the lack of diversity in the views held by members of the committee, besides other issues. In an earlier letter in November last, activists, lawyers and others had alleged that too many members of the committee held pro-Aadhaar views. Some experts believe that the mandate of the committee was flawed to begin with. “Given that personal information is omnipresent in so many different sectors, it is better to have a light touch legislation that deals mostly with key principles of data privacy and empowers a data commissioner to frame more detailed regulations,” said Stephen Mathias, partner, Kochhar and Co.

Last week, the Telecom Regulatory Authority of India (Trai) released a set of recommendations on data privacy that favour giving users control of their data and personal information, while severely restricting the ways in which telecom and internet companies can use customer data. Here are the major issues to watch out for in the draft data protection law.

Users vs. collectors

This broad umbrella includes mandatory consent of users for data collection, data portability, the right to be forgotten and the right to erasure. Last week, Trai gave its recommendations on some of these issues in what were considered pro-privacy and progressive suggestions. Those recommendations tracked GDPR measures. The Srikrishna committee is also expected to suggest pro-privacy measures, though the details will be all-important. The committee is also expected to define what is ‘sensitive’ or ‘critical’ data. “In India, government agencies, private entities and others collect various forms of data on individuals,” said Chetan Nagendra, partner, AZB Partners. “The committee will have to clarify what category of data is allowed to be collected and whether this should this be standardized across different entities. It will also have to standardize rules on how long is it okay to store such user-collected data.”

The flip side of user rights is the role of data repositories that collect and process user data. The committee will be required to clarify what data firms and government agencies can gather on users and what will be their responsibilities toward the usage of that data. This includes the principle of privacy by design, that is, companies must ensure by default that their platforms are designed to protect rather than exploit user data and privacy.

IndusLaw partner Namita Viswanath said that in terms of data repositories, there was a need to distinguish between a data controller and a data processor. A data controller is the user-facing platform that gathers data, whereas a data processor is often a third-party firm that provides infrastructure for the platform. “Responsibilities of user personal data should be shared between a data controller and processor. The nature and extent of liability should depend on the nature of data, the party responsible for handling data and the measures adopted, but ultimately, the data controller should most responsibility,” Viswanath said.

Regulation vs. Self-control

Given that data is such a broad-ranging topic, the Srikrishna committee will be expected to recommend who should have oversight of data-related matters. Will there be a new data protection authority? If so, what will be its scope, given that regulators, such as the RBI, Sebi and Trai, will all be affected by a privacy framework in their respective areas? And what will be the punitive measures and fines for offenders on data matters?

Some experts said the government should appoint a data protection authority. As the recent travails at Facebook show, relying solely on self-regulation of internet platforms, is a disastrous policy. But it’s unlikely that the entire burden of regulation will fall on one authority.

“Logistical problems are likely, especially in the early days, with having a top-down regulatory approach,” said Kriti Trehan, partner, Panag and Babu. “The process of training, requirement of funding and access to skilled human resources will necessitate organisational and administrative inputs. With this in mind, I believe that a co-regulatory framework for data protection will be efficient. With this approach, established parameters may guide escalation in specific instances.”

Data localisation

In April, the RBI had issued norms on the storage of payments system data, which requires digital payment providers to store data in India. That has sparked another debate over the possible stance of the Srikrishna committee. Many start-ups and firms use data servers located in overseas locations because of several reasons, including economies of scale and tax planning. “Data protection should not be confused with data access,” said Kartik Maheshwari, leader, Nishith Desai Associates. “For instance, if a firm is storing user data abroad, that should be fine as long as it is secure and access in India is provided, whenever required. Storing data locally is not necessarily the best solution from the perspective of data security as better infrastructure may be available abroad. However, the government may, in exceptional cases of sensitivity, legitimately require local storage of very narrowly defined streams of data.”

Surveillance is key

The law will also need to clearly define the contours of the contentious issue of surveillance and how to ensure that India does not end up replicating the policies in place in countries such as China, which are notorious for mass surveillance practices. Surveillance that has been legally sanctioned is part of the exceptions to regular privacy practices. The committee will have to define the parameters of these exceptions. In the case of surveillance, some experts, including Amber Sinha of Centre for Internet and Society, said that while it needs to be allowed in specific instances such as issues related to national security, a judicial system needs to be in place to protect the rights of the parties that are being put under surveillance. This, in many ways, is the heart of a very important matter.

The Aadhaar factor

The most hot-button of all issues for the committee is, of course, Aadhaar. Former UIDAI chairman Nandan Nilekani told Mint this week that “if something needs to be modified in the Aadhaar law, it will be done” by the Srikrishna committee. The changes that the committee will suggest to the Aadhaar law will go a long way in determining whether its draft law is truly pro-privacy.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-26-2018-mihir-dalal-and-anirban-sen-byte-by-byte-protecting-her-privacy

BIS LITD 17 Privacy Panel meeting

praskrishna — 2017-07-07T01:31:35Z

Udbhav Tiwari represented CIS at this meeting organized by National Law School of India University in Bangalore on June 21, 2017.

The bare-bones structure for what as discussed at the meeting can be found in the trailing email below. The standard itself is still in the drafting stage, which makes it confidential. I will share it on this thread once it hits the public draft stage, which should happen by September 2017. (approx)

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-privacy-panel-meeting

BIS LITD 17 meeting

Admin — 2019-07-21T13:58:29Z

On July 3, 2019, Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17) at the Bureau of Indian Standards (BIS) in New Delhi.

In a previous meeting, a panel was formed to review two biometric standards: ISO/ IEC 24745 'Security Techniques - Biometric Information Protection' (2011), and ISO/IEC 19792 'Security techniques - Security evaluation of biometrics' (2009). Elonnai Hickok, Karan Saini and Gurshabad Grover had reviewed the documents and sent comments to BIS in December 2018 and January 2019 respectively. The Centre for Internet & Society (CIS) had also shared a document that compared the security guidelines in the standards to the provisions of the draft data protection bill.

The committee discussed whether the aforementioned standards should be adopted as Indian standards by BIS. A decision will be taken on the matter after future discussions that CIS will participate in.

Members updated the committee on their participation at the ISO/IEC. Iupdated the committee on the progress of the study period on the impact of machine learning on privacy, which I am a co-rapporteur for in the identity management and privacy group working group at ISO/IEC IT Security Techniques committee. We also planned our participation at the next ISO/IEC SC 27 meeting, which is in October.

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-meeting

BIS International Seminar on Internet of Things

Admin — 2017-11-25T16:35:42Z

To create awareness among Indian community and to provide a platform to all stakeholders to discuss the technology, challenges and the way forward with an emphasis on the role of standards, BIS organized a half day International seminar on Internet of Things on 15 November 2017 at India Habitat Centre in New Delhi. Amber Sinha attended the event.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/bis-international-seminar-on-internet-of-things

Biometry Is Watching

praskrishna — 2011-04-02T12:08:26Z

In its first steps, the UID drive encounters practical problems, raises ethical questions, reports Sugata Srinivasaraju in Outlook.

Three women are fighting to take one chair in a classroom of a government school in Chelur village, in Gubbi taluka of Tumkur district. One sits on the lap of another and the third tries to push them both off the chair. What all three want is to be the first to be profiled under the Centre’s ambitious Aadhaar or unique identity number (UID) project. Their squabbling holds up the documentation by nearly 20 minutes, and the crowd outside, standing in line in the afternoon sun, grows restless. To calm them, the village revenue secretary orders the distribution of another round of buttermilk.

Chelur is one of four villages in the district picked for field trials before the 12-digit UIDs are assigned to people later in the year. Besides Tumkur, the pilot project is simultaneously running in seven villages of Mysore district. Each village has been given a target of 2,400-2,500 profiles to be completed in 20 days. This involves photographing the face, imaging the iris and scanning all ten digits of each person profiled and assigned a UID.

Villagers are enthusiastic about this rigorous profiling process even though there’s little awareness about the true purpose of the exercise. This is because of some falsehoods that have somehow spread in these areas. Nagamma, an elderly woman coming out after being profiled, thinks her eyes had been tested and found to be in perfect condition. Another middle-aged woman thought the exercise would bring her a new ration card—one that would entitle her family to an extra four kilos of rice. Some others were in a tizzy that if they didn’t undergo this “photography” their BPL cards would be taken away. Most, however, had queued up because they didn’t want to be left out of a sarkari exercise their neighbours were submitting to. Of the dozen people Outlook spoke to, only Muniswamy could tell us that this process would ensure that no one had more than one voter ID card or ration card—the way it should be, unlike some in his village who had illegally acquired two of each.

The village authorities have been doing little to counter the misinformation because their attention is focused on other compelling matters, like meeting the assigned target. This is an important issue because gram panchayat elections have been declared in Karnataka and lots of youngsters set off for campaigning early in the morning and would be difficult to locate for profiling.

According to official figures, Chelur has a population of 5,000, with 3,640 people above the age of 18. A random selection of 2,400 has been made from this to meet the UID target. The number seems small, but handling it at the village level can be demanding for the local authorities—there’s no police for crowd control, refreshments have to be distributed and the computerised work has to be done despite the power outages. Using generators has become inevitable, for the villages get hardly four or five hours’ power supply.

Another problem lies in obtaining the fingerprints of rural folk: most of them are engaged in manual labour or farm work and arrive with dirty palms that defeat the biometric reading machines. Pails of water, detergent and towels are provided for cleaning up. Much time is lost in such rescanning and it goes against the official estimate of five minutes for the young, nine for the elderly.

Prasanna Kumar, the village secretary, admits to the problems. “We did not make an open announcement for the UID pilot because we didn’t want to attract large crowds. We quietly prepared a random list of 2,400 people from the ration card database and went door-to-door to invite them,” he says. “We have left out people above the age of 80 and under 18. We told people this identity number will help them access various government schemes. Fingerprinting is the toughest problem. Initially people were reluctant, but suddenly they have become curious.”

H. Gnanesh, the tehsildar, says the ongoing step is only “concept testing”; the next will be rechecking, in which those already profiled will verify their identity details against what has been stored. Only after that will the UID be issued. In Chelur village, the concept testing ended on May 4; rechecking began the very next day.

Some NGOs observing the process have noted the lack of awareness in villagers. “They are clueless about what they are taking part in,” say Mahadev Prasad and Murthy, of the Basava Seva Trust. Murthy says fingerprinting is a big problem. He speaks of Hommaragalli, in Mysore district, where some foreign experts had to be called in to take a look at the scanning machines.

Then there are larger issues. Away from the surging crowds in Chelur, civil society organisations like the Centre for Internet & Society, the Alternative Law Forum and PUCL have been demanding greater dialogue. In fact, they have even suggested a review of the scheme. They argue there is no clarity on how the government proposes to store and secure personal and biometric data, given the fact that various agencies such as banks, telecom companies and government departments would potentially access it. Security is a huge concern also because the software, hardware and expertise of foreign companies is being used. These NGOs say the UID data, the National Population Registry and the NATGRID, when connected, could prove a grave threat to civil liberties.

“First, a centralised database, like the UID will create, has never been safe,” says Sunil Abraham of CIS. “It needs to be decentralised like our various mail servers. Second, we feel the collection of biometric data is happening at the wrong end of the pyramid. Instead of putting the poor through the process first, why not start with those with financial dealings of Rs 1 crore and above. Third, one study says 48 per cent of our people cannot remember a 12-digit ID. Fourth, we need privacy laws in place before the UID regime sets in.”

Those problems apart, even raising the level of the current exercise—from small samples of a few thousand each to profiling the billion-plus population of India—could place severe demands on our shaky administration. There’s a mountain to be moved.

Read the original article in the Outlook

For more details visit https://cis-india.org/news/biometry-is-watching

Biometrics: An ‘Angootha Chaap’ nation?

Mukta Batra — 2014-09-19T06:12:17Z

This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes.

Introduction

Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,[1] and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.[2] Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.[3]

The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.

Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.

There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. [4]

Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.

This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.

Unreliability of Biometric Data

Biometric data has been qualified as being unreliable.[5] It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint[6] and nutritional deficiencies mar the iris. Even experts working with the UIDAI[7] admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.

Biometric Data Collection under the UID Scheme

In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.[8]

The below chart delineates the process followed for the collection of biometrics under the UID Scheme:

Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.

In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:

1. Lack of clear legal authority and procedure for collection of biometrics: The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an ad-hoc manner when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law[9] and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.

2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules: The National Identification Authority of India (NIAI) Bill[10] confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.[11] This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.

3. Collection of biometric data only with implied consent: Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.[12]

4. Collection of biometric data outsourced to third party: Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.[13] The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.[14] Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.[15] This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.[16]

5. Biometric data is admittedly vulnerable to sale and leakage: In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.[17] To quote from the counter-affidavit ‘..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’[18] Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.

Data collection under the NPR Scheme

The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme[19] are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:

DATA FLOW PROCESS

Flaws in the collection of biometric data under the NPR scheme

Compulsion: Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. [20] A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.
Duplicity: Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.
Biometric data collectors under the NPR scheme empanelled by the UIDAI: The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.[21] Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies[22], making the fear of targeted marketing even more likely.
Public display and verification: Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.[23] However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.
Smart Card: The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.

‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete

The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.

Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.

Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.

Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.

The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.

Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, inter-alia, disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.[24]

Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.[25] A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.

Conclusion

The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.

We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.

[1] https://portal.uidai.gov.in/uidwebportal/dashboard.do accesed: 21 August, 2014

[2] As of January 2013, only 25 RTI requests were made to the UIDAI http://uidai.gov.in/rti/rti-requests.html accessed: 21 August, 2014

[3] DIT-NPR Management Information System accessed: 22 August, 2014 http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx

[4] Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html

[5] Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc

[6] Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1

[7]M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf

[8] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[9] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[10] National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf

[11] Clause 23 of the NIAI Bill, 2010

[12]The UID Enrollment form, accessed: 26 August, 2014 http://uidai.gov.in/images/uid_download/enrolment_form.pdf

[13] Documents filed and relied on in Puttuswamy v Union of India

[14] Request for empanelment, accessed: 28 August, 2014. http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf

[15] This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India

[16] An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.

[17] Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India

It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.

[18] Para. 48 in the Counter Affidavit filed by NCR Delhi.

[19] Affidavit in K. Puttuswamy v Union of India.

See also: FAQs: Enrollment Agencies, accessed 22 August, 2014 http://uidai.gov.in/faq.html?catid=37

[20] Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3

[21] RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf

[22] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[23] http://censusindia.gov.in/2011-Common/IntroductionToNpr.html, accessed: 26 August, 2014

[24] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[25] R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation

Biometrics or bust? India's Identity Crisis

praskrishna — 2013-07-01T09:49:48Z

Malavika Jayaram is speaking at an event organized by the Oxford Internet Institute on July 2, 2013. The talk will be held at Oxford Internet Institute, University of Oxford, 1 St Giles Oxford OX1 3JS.

This info was published on the Oxford Internet Institute website.

India's mammoth biometric ID project, which has registered around 270 million people and is yet to be fully realized, is already the worldís largest such endeavor. It is marketed as a potential game-changer both domestically (where it is touted as a silver bullet to solve most problems) and internationally (where countries wait and watch this experiment before importing it into their own jurisdictions). Alongside all the hype about the scale of the scheme, its potential for transforming the delivery of services and the scope for private participation in traditionally state-controlled functions, there are fears of function creep, of subversion to create new types of fraud and corruption, of increased profiling and targeting, and of a citizenry becoming transparent to its government in an unprecedented way, all in the name of ambiguous benefits and the rhetoric of inclusion.

The government praises the ease and efficiency of centralized databases, the promise of technology (including the myth of biometrics uniquely and unambiguously identifying people in a foolproof way) and the construction of the identified self. However, there is growing awareness of the dangers of joined-up databases resulting in exclusion rather than inclusion, and persecution rather than democratization.

The scheme is technically voluntary, but with the provision of benefits, goods and services being increasingly linked to the scheme, it will soon become impossible to function in India without a biometric ID. If every facet of everyday life is linked to this single number, it renders all claims of voluntariness meaningless. The lack of information self-determination in a biometrically mediated universe has important ramifications for anonymity, free speech and the maintenance of an essential private sphere.

In this talk, Malavika will provide an overview of the scheme as well as the debate around privacy and autonomy that it has triggered, framed against the backdrop of a larger civil liberties crisis. She will also describe Indiaís efforts to craft new privacy and data protection legislation.

For more details visit https://cis-india.org/news/biometrics-or-bust-indias-identity-crisis

Biometrics or Bust? Implications of the UID for Participation and Inclusion

praskrishna — 2014-01-06T08:56:51Z

Malavika Jayaram will give a talk on biometrics and the implications of UID for participation and inclusion at the office of the Centre for Internet and Society in Bangalore on January 10, 2014 at 6.00 p.m.

Abstract

Privacy is often portrayed as a luxury, as the intellectual preoccupation of nerdy privileged liberals, and an issue of salience only to the elite. This ignores the reality of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The collusion of public and private agendas towards implementing large welfare projects is generally seen as progressive and neutral, yet the consequences of even well-intentioned efforts that trade privacy for convenience, welfare, security or a host of other compelling goals is troubling. The use of biometric technologies further complicates matters: the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, is not without its catalogue of failures. This talk will examine the notion of biometric representations as a kind of capital, the possibility that failures are endemic to their functioning, and the implications of systemic errors on equality, participation and democracy.

Malavika Jayaram

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series.  Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers and one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, she was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania. She is working on completing her PhD at the National Law School.

For more details visit https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion

Biometric Identification: Specified Error, Accuracy and Efficiency, Considered for the Operations of the UIDAI — A Talk by Hans Varghese Mathews

praskrishna — 2012-09-10T08:07:28Z

Hans Varghese Mathews gave a public lecture on biometric identification at the Centre for Internet & Society office in Bangalore on August 17, 2012 at 5.00 p.m.

Click to read UID Summary by Hans Varghese Mathews

For more details visit https://cis-india.org/internet-governance/biometric-identification

Bill to create bank for DNA profiling of accused coming

praskrishna — 2012-10-22T09:15:43Z

Access to data only for victim’s or suspect’s relatives.

This article by Aarthi Dhar was published in the Hindu on October 21, 2012.

A Bill to create a DNA data centre to profile people accused of serious crimes and unknown deceased is in the works. The proposal was originally mooted in 2007 but was dropped to factor in ethical, moral and legal issues on the sensitive matter.

Crafted by the Department of Biotechnology, it allows Deoxyribose Nucleic Acid (DNA) profiling for cases of culpable homicide, murder, death by negligence, miscarriage, dowry deaths, causing death of new born child, sexual assault, unnatural offences, outraging the modesty of a woman, co-habitation with a woman by deceit, adultery, enticing a married woman with criminal intent, among others.

Protecting privacy

Addressing issues related to protecting privacy of individuals, the draft Bill envisages that access to the information in the National DNA Data Bank will be restricted to those related to the victim or suspect; any individual undergoing a sentence of imprisonment or death sentence can apply to the court which convicted him, for an order of DNA testing of specific evidence under specific conditions.

The Human DNA Profiling Bill seeks to establish a DNA Profiling Board that will lay down the standards for laboratories, collection of human body substances and custody trail from collection to reporting. It also has a provision for setting up a National DNA Data Bank.

The DNA analysis of body substances that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and to establish the biological relationship, if any, between two individuals.

The “forensic material” from which the DNA sample can be lifted is biological material from the body and represents intimate body samples. They include blood, semen, or any other tissue fluid.

DNA Profiling Board

As envisaged in the Bill, the DNA Profiling Board at the national level, with similar structures at the State level, will be headed by a renowned molecular biologist with the other members being from police, legal, biological and related fields.

It will deliberate and advise on all ethical and human rights issues emanating out of DNA profiling in consonance with the United Nations vis-à-vis the rights and privacy of citizens, civil liberties and issues having ethical and other social implications.

The Board will make recommendations on the use and dissemination of DNA information, ensure the accuracy, security and confidentiality of DNA and guidelines destruction of obsolete, expunged or inaccurate information.

Jail, fine for data misuse

It will also will lay down standards and procedures for establishment and functioning of DNA laboratories and Data Banks and prepare guidelines for storage of biological substances and their destruction. Any misuse of DNA data will attract imprisonment up to three years and monetary fine.

The working draft of the Bill has been sent to the Centre for Internet and Society for analysis and comments. The Citizens Forum for Civil Liberties has already opposed the proposed legislation and sought pre-emptive intervention to stop “dangerous” erosion of privacy by DNA profiling of citizens.

In a representation submitted to the National Human Rights Commission, the Forum has said DNA profiling is “undesirable, particularly as forensic DNA developments are intertwined with significant changes in legislation and contentious issues of privacy, civil liberty and social justice.”

The Forum has sought “immediate intervention to safeguard citizens’ privacy and their civil liberties, which face an unprecedented onslaught from the provisions of the DNA Profiling Bill and other related surveillance measures being bulldozed by unregulated and ungovernable technology.”

For more details visit https://cis-india.org/news/the-hindu-aarti-dhar-october-21-2012-bill-to-create-bank-for-dna-profiling-of-accused-coming

Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people

praskrishna — 2017-05-03T14:35:23Z

In yet another shocking report of personal data breach in India, it has emerged that Aadhaar data of 13 crore people was put out on websites of four major government projects in the country. The leaked data include bank account details of over one crore people linked to Aadhar numbers under the direct benefit scheme. Over eight crore people lost their private data on the national job guarantee scheme website alone.

The article by Jikku Varghese Jacob was published by Manorama on May 2, 2017.

The shocking details have surfaced in a report released by the Center for Internet Society (CIS) which deals with the publication of Aadhaar data and their security. It appears to be the biggest blast on Aadhaar data leak yet. The report says these pieces of information were available on Internet since last November. Once detected, the CIS officials had initiated steps to remove them.

The CIS report cites two central government portals and websites from Andhra Pradesh as violators. Following are the websites that published the data:

National Social Assistance Programme (under the Ministry of Rural Development).
The national portal of the job guarantee scheme.
Daily online payment reports (Government of Andhra Pradesh)
Chandranna Bheema project (Government of Andhra Pradesh)

Private data of 1,59,42,083 people were leaked on the social assistance scheme site. The two Andhra Pradesh sites breached the privacy of three crore people.

Information leaked on most of the sites could be downloaded as Excel sheet. It is estimated that data on 23 crore people is linked to Aadhaar under the direct benefit scheme.

The CIS fears that if other government sites have also handled such data without care there could have occurred a massive data base breach. The CIS put in months of effort before finalizing this report.

It was recently found that Aadhaar data on 35 lakh people in Kerala was found disclosed on the state's Sevana Pension website. In Jharkhand, 14 lakh people had their privacy violated when their Aadhaar information was put out on a government website.

Such leaks of Aadhaar data is a crime that can fetch up to three years of imprisonment. Complaints have arisen that government departments did not bother to comply with an IT ministry directive last month to remove the Aadhaar data from websites.

Experts point out that criminals can misuse personal data on Aadhaar and bank account. The data could be used to obtain SIM cards and carry out transactions online.

Aadhaar, the world's largest bio-metric enrolment in India, will enrol 1.2 billion people in a 12-digit unique number for each person to be issued to each resident in the country. The number with its biometric information – photograph, fingerprints and iris scan – of each individual is easily verifiable in an online.

For more details visit https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people