We are anonymous, we are legion

BIS LITD 17 Privacy Panel meeting

praskrishna — 2017-07-07T01:31:35Z

Udbhav Tiwari represented CIS at this meeting organized by National Law School of India University in Bangalore on June 21, 2017.

The bare-bones structure for what as discussed at the meeting can be found in the trailing email below. The standard itself is still in the drafting stage, which makes it confidential. I will share it on this thread once it hits the public draft stage, which should happen by September 2017. (approx)

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-privacy-panel-meeting

BIS LITD 17 meeting

Admin — 2019-07-21T13:58:29Z

On July 3, 2019, Gurshabad Grover attended the sixteenth meeting of the Information Systems Security and Biometrics Section Committee (LITD17) at the Bureau of Indian Standards (BIS) in New Delhi.

In a previous meeting, a panel was formed to review two biometric standards: ISO/ IEC 24745 'Security Techniques - Biometric Information Protection' (2011), and ISO/IEC 19792 'Security techniques - Security evaluation of biometrics' (2009). Elonnai Hickok, Karan Saini and Gurshabad Grover had reviewed the documents and sent comments to BIS in December 2018 and January 2019 respectively. The Centre for Internet & Society (CIS) had also shared a document that compared the security guidelines in the standards to the provisions of the draft data protection bill.

The committee discussed whether the aforementioned standards should be adopted as Indian standards by BIS. A decision will be taken on the matter after future discussions that CIS will participate in.

Members updated the committee on their participation at the ISO/IEC. Iupdated the committee on the progress of the study period on the impact of machine learning on privacy, which I am a co-rapporteur for in the identity management and privacy group working group at ISO/IEC IT Security Techniques committee. We also planned our participation at the next ISO/IEC SC 27 meeting, which is in October.

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-meeting

BIS International Seminar on Internet of Things

Admin — 2017-11-25T16:35:42Z

To create awareness among Indian community and to provide a platform to all stakeholders to discuss the technology, challenges and the way forward with an emphasis on the role of standards, BIS organized a half day International seminar on Internet of Things on 15 November 2017 at India Habitat Centre in New Delhi. Amber Sinha attended the event.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/bis-international-seminar-on-internet-of-things

Biometry Is Watching

praskrishna — 2011-04-02T12:08:26Z

In its first steps, the UID drive encounters practical problems, raises ethical questions, reports Sugata Srinivasaraju in Outlook.

Three women are fighting to take one chair in a classroom of a government school in Chelur village, in Gubbi taluka of Tumkur district. One sits on the lap of another and the third tries to push them both off the chair. What all three want is to be the first to be profiled under the Centre’s ambitious Aadhaar or unique identity number (UID) project. Their squabbling holds up the documentation by nearly 20 minutes, and the crowd outside, standing in line in the afternoon sun, grows restless. To calm them, the village revenue secretary orders the distribution of another round of buttermilk.

Chelur is one of four villages in the district picked for field trials before the 12-digit UIDs are assigned to people later in the year. Besides Tumkur, the pilot project is simultaneously running in seven villages of Mysore district. Each village has been given a target of 2,400-2,500 profiles to be completed in 20 days. This involves photographing the face, imaging the iris and scanning all ten digits of each person profiled and assigned a UID.

Villagers are enthusiastic about this rigorous profiling process even though there’s little awareness about the true purpose of the exercise. This is because of some falsehoods that have somehow spread in these areas. Nagamma, an elderly woman coming out after being profiled, thinks her eyes had been tested and found to be in perfect condition. Another middle-aged woman thought the exercise would bring her a new ration card—one that would entitle her family to an extra four kilos of rice. Some others were in a tizzy that if they didn’t undergo this “photography” their BPL cards would be taken away. Most, however, had queued up because they didn’t want to be left out of a sarkari exercise their neighbours were submitting to. Of the dozen people Outlook spoke to, only Muniswamy could tell us that this process would ensure that no one had more than one voter ID card or ration card—the way it should be, unlike some in his village who had illegally acquired two of each.

The village authorities have been doing little to counter the misinformation because their attention is focused on other compelling matters, like meeting the assigned target. This is an important issue because gram panchayat elections have been declared in Karnataka and lots of youngsters set off for campaigning early in the morning and would be difficult to locate for profiling.

According to official figures, Chelur has a population of 5,000, with 3,640 people above the age of 18. A random selection of 2,400 has been made from this to meet the UID target. The number seems small, but handling it at the village level can be demanding for the local authorities—there’s no police for crowd control, refreshments have to be distributed and the computerised work has to be done despite the power outages. Using generators has become inevitable, for the villages get hardly four or five hours’ power supply.

Another problem lies in obtaining the fingerprints of rural folk: most of them are engaged in manual labour or farm work and arrive with dirty palms that defeat the biometric reading machines. Pails of water, detergent and towels are provided for cleaning up. Much time is lost in such rescanning and it goes against the official estimate of five minutes for the young, nine for the elderly.

Prasanna Kumar, the village secretary, admits to the problems. “We did not make an open announcement for the UID pilot because we didn’t want to attract large crowds. We quietly prepared a random list of 2,400 people from the ration card database and went door-to-door to invite them,” he says. “We have left out people above the age of 80 and under 18. We told people this identity number will help them access various government schemes. Fingerprinting is the toughest problem. Initially people were reluctant, but suddenly they have become curious.”

H. Gnanesh, the tehsildar, says the ongoing step is only “concept testing”; the next will be rechecking, in which those already profiled will verify their identity details against what has been stored. Only after that will the UID be issued. In Chelur village, the concept testing ended on May 4; rechecking began the very next day.

Some NGOs observing the process have noted the lack of awareness in villagers. “They are clueless about what they are taking part in,” say Mahadev Prasad and Murthy, of the Basava Seva Trust. Murthy says fingerprinting is a big problem. He speaks of Hommaragalli, in Mysore district, where some foreign experts had to be called in to take a look at the scanning machines.

Then there are larger issues. Away from the surging crowds in Chelur, civil society organisations like the Centre for Internet & Society, the Alternative Law Forum and PUCL have been demanding greater dialogue. In fact, they have even suggested a review of the scheme. They argue there is no clarity on how the government proposes to store and secure personal and biometric data, given the fact that various agencies such as banks, telecom companies and government departments would potentially access it. Security is a huge concern also because the software, hardware and expertise of foreign companies is being used. These NGOs say the UID data, the National Population Registry and the NATGRID, when connected, could prove a grave threat to civil liberties.

“First, a centralised database, like the UID will create, has never been safe,” says Sunil Abraham of CIS. “It needs to be decentralised like our various mail servers. Second, we feel the collection of biometric data is happening at the wrong end of the pyramid. Instead of putting the poor through the process first, why not start with those with financial dealings of Rs 1 crore and above. Third, one study says 48 per cent of our people cannot remember a 12-digit ID. Fourth, we need privacy laws in place before the UID regime sets in.”

Those problems apart, even raising the level of the current exercise—from small samples of a few thousand each to profiling the billion-plus population of India—could place severe demands on our shaky administration. There’s a mountain to be moved.

Read the original article in the Outlook

For more details visit https://cis-india.org/news/biometry-is-watching

Biometrics: An ‘Angootha Chaap’ nation?

Mukta Batra — 2014-09-19T06:12:17Z

This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes.

Introduction

Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,[1] and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.[2] Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.[3]

The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.

Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.

There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. [4]

Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.

This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.

Unreliability of Biometric Data

Biometric data has been qualified as being unreliable.[5] It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint[6] and nutritional deficiencies mar the iris. Even experts working with the UIDAI[7] admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.

Biometric Data Collection under the UID Scheme

In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.[8]

The below chart delineates the process followed for the collection of biometrics under the UID Scheme:

Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.

In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:

1. Lack of clear legal authority and procedure for collection of biometrics: The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an ad-hoc manner when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law[9] and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.

2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules: The National Identification Authority of India (NIAI) Bill[10] confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.[11] This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.

3. Collection of biometric data only with implied consent: Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.[12]

4. Collection of biometric data outsourced to third party: Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.[13] The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.[14] Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.[15] This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.[16]

5. Biometric data is admittedly vulnerable to sale and leakage: In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.[17] To quote from the counter-affidavit ‘..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’[18] Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.

Data collection under the NPR Scheme

The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme[19] are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:

DATA FLOW PROCESS

Flaws in the collection of biometric data under the NPR scheme

Compulsion: Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. [20] A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.
Duplicity: Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.
Biometric data collectors under the NPR scheme empanelled by the UIDAI: The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.[21] Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies[22], making the fear of targeted marketing even more likely.
Public display and verification: Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.[23] However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.
Smart Card: The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.

‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete

The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.

Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.

Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.

Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.

The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.

Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, inter-alia, disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.[24]

Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.[25] A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.

Conclusion

The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.

We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.

[1] https://portal.uidai.gov.in/uidwebportal/dashboard.do accesed: 21 August, 2014

[2] As of January 2013, only 25 RTI requests were made to the UIDAI http://uidai.gov.in/rti/rti-requests.html accessed: 21 August, 2014

[3] DIT-NPR Management Information System accessed: 22 August, 2014 http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx

[4] Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html

[5] Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc

[6] Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1

[7]M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf

[8] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[9] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[10] National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf

[11] Clause 23 of the NIAI Bill, 2010

[12]The UID Enrollment form, accessed: 26 August, 2014 http://uidai.gov.in/images/uid_download/enrolment_form.pdf

[13] Documents filed and relied on in Puttuswamy v Union of India

[14] Request for empanelment, accessed: 28 August, 2014. http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf

[15] This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India

[16] An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.

[17] Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India

It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.

[18] Para. 48 in the Counter Affidavit filed by NCR Delhi.

[19] Affidavit in K. Puttuswamy v Union of India.

See also: FAQs: Enrollment Agencies, accessed 22 August, 2014 http://uidai.gov.in/faq.html?catid=37

[20] Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3

[21] RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf

[22] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[23] http://censusindia.gov.in/2011-Common/IntroductionToNpr.html, accessed: 26 August, 2014

[24] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[25] R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation

Biometrics or bust? India's Identity Crisis

praskrishna — 2013-07-01T09:49:48Z

Malavika Jayaram is speaking at an event organized by the Oxford Internet Institute on July 2, 2013. The talk will be held at Oxford Internet Institute, University of Oxford, 1 St Giles Oxford OX1 3JS.

This info was published on the Oxford Internet Institute website.

India's mammoth biometric ID project, which has registered around 270 million people and is yet to be fully realized, is already the worldís largest such endeavor. It is marketed as a potential game-changer both domestically (where it is touted as a silver bullet to solve most problems) and internationally (where countries wait and watch this experiment before importing it into their own jurisdictions). Alongside all the hype about the scale of the scheme, its potential for transforming the delivery of services and the scope for private participation in traditionally state-controlled functions, there are fears of function creep, of subversion to create new types of fraud and corruption, of increased profiling and targeting, and of a citizenry becoming transparent to its government in an unprecedented way, all in the name of ambiguous benefits and the rhetoric of inclusion.

The government praises the ease and efficiency of centralized databases, the promise of technology (including the myth of biometrics uniquely and unambiguously identifying people in a foolproof way) and the construction of the identified self. However, there is growing awareness of the dangers of joined-up databases resulting in exclusion rather than inclusion, and persecution rather than democratization.

The scheme is technically voluntary, but with the provision of benefits, goods and services being increasingly linked to the scheme, it will soon become impossible to function in India without a biometric ID. If every facet of everyday life is linked to this single number, it renders all claims of voluntariness meaningless. The lack of information self-determination in a biometrically mediated universe has important ramifications for anonymity, free speech and the maintenance of an essential private sphere.

In this talk, Malavika will provide an overview of the scheme as well as the debate around privacy and autonomy that it has triggered, framed against the backdrop of a larger civil liberties crisis. She will also describe Indiaís efforts to craft new privacy and data protection legislation.

For more details visit https://cis-india.org/news/biometrics-or-bust-indias-identity-crisis

Biometrics or Bust? Implications of the UID for Participation and Inclusion

praskrishna — 2014-01-06T08:56:51Z

Malavika Jayaram will give a talk on biometrics and the implications of UID for participation and inclusion at the office of the Centre for Internet and Society in Bangalore on January 10, 2014 at 6.00 p.m.

Abstract

Privacy is often portrayed as a luxury, as the intellectual preoccupation of nerdy privileged liberals, and an issue of salience only to the elite. This ignores the reality of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The collusion of public and private agendas towards implementing large welfare projects is generally seen as progressive and neutral, yet the consequences of even well-intentioned efforts that trade privacy for convenience, welfare, security or a host of other compelling goals is troubling. The use of biometric technologies further complicates matters: the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, is not without its catalogue of failures. This talk will examine the notion of biometric representations as a kind of capital, the possibility that failures are endemic to their functioning, and the implications of systemic errors on equality, participation and democracy.

Malavika Jayaram

Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series.  Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers and one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, she was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania. She is working on completing her PhD at the National Law School.

For more details visit https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion

Biometric Identification: Specified Error, Accuracy and Efficiency, Considered for the Operations of the UIDAI — A Talk by Hans Varghese Mathews

praskrishna — 2012-09-10T08:07:28Z

Hans Varghese Mathews gave a public lecture on biometric identification at the Centre for Internet & Society office in Bangalore on August 17, 2012 at 5.00 p.m.

Click to read UID Summary by Hans Varghese Mathews

For more details visit https://cis-india.org/internet-governance/biometric-identification

Bill to create bank for DNA profiling of accused coming

praskrishna — 2012-10-22T09:15:43Z

Access to data only for victim’s or suspect’s relatives.

This article by Aarthi Dhar was published in the Hindu on October 21, 2012.

A Bill to create a DNA data centre to profile people accused of serious crimes and unknown deceased is in the works. The proposal was originally mooted in 2007 but was dropped to factor in ethical, moral and legal issues on the sensitive matter.

Crafted by the Department of Biotechnology, it allows Deoxyribose Nucleic Acid (DNA) profiling for cases of culpable homicide, murder, death by negligence, miscarriage, dowry deaths, causing death of new born child, sexual assault, unnatural offences, outraging the modesty of a woman, co-habitation with a woman by deceit, adultery, enticing a married woman with criminal intent, among others.

Protecting privacy

Addressing issues related to protecting privacy of individuals, the draft Bill envisages that access to the information in the National DNA Data Bank will be restricted to those related to the victim or suspect; any individual undergoing a sentence of imprisonment or death sentence can apply to the court which convicted him, for an order of DNA testing of specific evidence under specific conditions.

The Human DNA Profiling Bill seeks to establish a DNA Profiling Board that will lay down the standards for laboratories, collection of human body substances and custody trail from collection to reporting. It also has a provision for setting up a National DNA Data Bank.

The DNA analysis of body substances that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and to establish the biological relationship, if any, between two individuals.

The “forensic material” from which the DNA sample can be lifted is biological material from the body and represents intimate body samples. They include blood, semen, or any other tissue fluid.

DNA Profiling Board

As envisaged in the Bill, the DNA Profiling Board at the national level, with similar structures at the State level, will be headed by a renowned molecular biologist with the other members being from police, legal, biological and related fields.

It will deliberate and advise on all ethical and human rights issues emanating out of DNA profiling in consonance with the United Nations vis-à-vis the rights and privacy of citizens, civil liberties and issues having ethical and other social implications.

The Board will make recommendations on the use and dissemination of DNA information, ensure the accuracy, security and confidentiality of DNA and guidelines destruction of obsolete, expunged or inaccurate information.

Jail, fine for data misuse

It will also will lay down standards and procedures for establishment and functioning of DNA laboratories and Data Banks and prepare guidelines for storage of biological substances and their destruction. Any misuse of DNA data will attract imprisonment up to three years and monetary fine.

The working draft of the Bill has been sent to the Centre for Internet and Society for analysis and comments. The Citizens Forum for Civil Liberties has already opposed the proposed legislation and sought pre-emptive intervention to stop “dangerous” erosion of privacy by DNA profiling of citizens.

In a representation submitted to the National Human Rights Commission, the Forum has said DNA profiling is “undesirable, particularly as forensic DNA developments are intertwined with significant changes in legislation and contentious issues of privacy, civil liberty and social justice.”

The Forum has sought “immediate intervention to safeguard citizens’ privacy and their civil liberties, which face an unprecedented onslaught from the provisions of the DNA Profiling Bill and other related surveillance measures being bulldozed by unregulated and ungovernable technology.”

For more details visit https://cis-india.org/news/the-hindu-aarti-dhar-october-21-2012-bill-to-create-bank-for-dna-profiling-of-accused-coming

Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people

praskrishna — 2017-05-03T14:35:23Z

In yet another shocking report of personal data breach in India, it has emerged that Aadhaar data of 13 crore people was put out on websites of four major government projects in the country. The leaked data include bank account details of over one crore people linked to Aadhar numbers under the direct benefit scheme. Over eight crore people lost their private data on the national job guarantee scheme website alone.

The article by Jikku Varghese Jacob was published by Manorama on May 2, 2017.

The shocking details have surfaced in a report released by the Center for Internet Society (CIS) which deals with the publication of Aadhaar data and their security. It appears to be the biggest blast on Aadhaar data leak yet. The report says these pieces of information were available on Internet since last November. Once detected, the CIS officials had initiated steps to remove them.

The CIS report cites two central government portals and websites from Andhra Pradesh as violators. Following are the websites that published the data:

National Social Assistance Programme (under the Ministry of Rural Development).
The national portal of the job guarantee scheme.
Daily online payment reports (Government of Andhra Pradesh)
Chandranna Bheema project (Government of Andhra Pradesh)

Private data of 1,59,42,083 people were leaked on the social assistance scheme site. The two Andhra Pradesh sites breached the privacy of three crore people.

Information leaked on most of the sites could be downloaded as Excel sheet. It is estimated that data on 23 crore people is linked to Aadhaar under the direct benefit scheme.

The CIS fears that if other government sites have also handled such data without care there could have occurred a massive data base breach. The CIS put in months of effort before finalizing this report.

It was recently found that Aadhaar data on 35 lakh people in Kerala was found disclosed on the state's Sevana Pension website. In Jharkhand, 14 lakh people had their privacy violated when their Aadhaar information was put out on a government website.

Such leaks of Aadhaar data is a crime that can fetch up to three years of imprisonment. Complaints have arisen that government departments did not bother to comply with an IT ministry directive last month to remove the Aadhaar data from websites.

Experts point out that criminals can misuse personal data on Aadhaar and bank account. The data could be used to obtain SIM cards and carry out transactions online.

Aadhaar, the world's largest bio-metric enrolment in India, will enrol 1.2 billion people in a 12-digit unique number for each person to be issued to each resident in the country. The number with its biometric information – photograph, fingerprints and iris scan – of each individual is easily verifiable in an online.

For more details visit https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people

BigDog is Watching You! The Sci-fi Future of Animal and Insect Drones

maria — 2013-07-12T15:38:33Z

Do you think robotic aeroplanes monitoring us are scary enough? Wait until you read about DARPA´s new innovative and subtle way to keep us all under the microscope! This blog post presents a new reality of drones which is depicted in none other than animal and insect-like robots, equipped with cameras and other surveillance technologies.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Just when we thought we had seen it all, the US Defence Advanced Research Projects Agency (DARPA) funded another controversial surveillance project which makes even the most bizarre sci-fi movie seem like a pleasant fairy-tale in comparison to what we are facing: animal and insect drones.

Up until recently, unmanned aerial vehicles (UAVs), otherwise called drones, depicted the scary reality of surveillance, as robotic pilot-less planes have been swarming the skies, while monitoring large amounts of data without people´s knowledge or consent. Today, DARPA has come up with more subtle forms of surveillance: animal and insect drones. Clearly animal and insect-like drones have a much better camouflage than aeroplanes, especially since they are able to go to places and obtain data that mainstream UAVs can not.

India´s ´DARPA´, the Defence Research and Development Organisation (DRDO), has been creating UAVs over the last ten years, while the Indian Army first acquired UAVs from Israel in the late 1990s. Yet the use of all UAVs in India is still poorly regulated! Drones in the U.S. are regulated by the Federal Aviation Administration (FAA), whilst the European Aviation Safety Agency (EASA) regulates drones in the European Union. In India, the Ministry of Civil Aviation regulates drones, whilst the government is moving ahead with plans to replace the Directorate General of Civil Aviation (DGCA) with a Civil Aviation Authority. However, current Indian aviation laws are vague in regards to data acquired, shared and retained, thus not only posing a threat to individual´s right to privacy and other human rights, but also enabling the creation of a secret surveillance state.

The DRDO appears to be following DARPA´s footsteps in terms of surveillance technologies and the questions which arise are: will animal and insect drones be employed in India in the future? If so, how will they be regulated?

BigDog/LS3

Apparently having UAVs flying above us and monitoring territories and populations without our knowledge or consent was not enough. DARPA is currently funding the BigDog project, which is none other than a drone dog, a four-legged robot equipped with a camera and capable of surveillance in disguise. DARPA and Boston Dynamics are working on the latest version of BigDog, called the Legged Squad Support System (LS3), which can carry 400 pounds of gear for more than 20 miles without refuelling. Not only can the LS3 walk and run on all types of surfaces, including ice and snow, but it also has ´vision sensors´ which enable it to autonomously maneuver around obstacles and follow soldiers in the battle field. The LS3 is expected to respond to soldiers' voice commands, such as 'come', 'stop' and 'sit', as well as serve as a battery charger for electronic devices.

BigDog/LS3 is undoubtedly an impressive technological advancement in terms of aiding squads with surveillance, strategic management and a mobile auxiliary power source, as well as by carrying gear. Over the last century most technological developments have manifested through the military and have later been integrated in societies. Many questions arise around the BigDog/LS3 and its potential future use by governments for non-military purposes. Although UAVs were initially used for strictly military purposes, they are currently also being used by governments on an international level for civil purposes, such as to monitor climate change and extinct animals, as well as to surveille populations. Is it a matter of time before BigDog is used by governments for ´civil purposes´ too? Will robotic dogs swarm cities in the future to provide ´security´?

Like any other surveillance technology, the LS3 should be legally regulated and current lack of regulation could create a potential for abuse. Is authorisation required to use a LS3? If so, who has the legal right to authorise its use? Under what conditions can authorisation be granted and for how long? What kind of data can legally be obtained and under what conditions? Who has the legal authority to access such data? Can data be retained and if so, for how long and under what conditions? Do individuals have the right to be informed about the data withheld about them? Just because it´s a ´dog´ should not imply its non-regulation. This four-legged robot has extremely intrusive surveillance capabilities which may breach the right to privacy and other human rights when left unregulated.

Humming Bird Drone


Source: HighTech Edge

TIME magazine recognised DARPA for its Hummingbird nano air vehicle (NAV) and named the drone bird one of the 50 best inventions of 2011. True, it is rather impressive to create a robot which looks like a bird, behaves like a bird, but serves as a secret spy.

During the presentation of the humming bird drone, Regina Dugan, former Director of DARPA, stated:

"Since we took to the sky, we have wanted to fly faster and farther. And to do so, we've had to believe in impossible things and we've had to refuse to fear failure."

Although believing in 'impossible things' is usually a prerequisite to innovation, the potential implications on human rights of every innovation and their probability of occurring should be examined. Given the fact that drones already exist and that they are used for both military and non-military purposes, the probability is that the hummingbird drone will be used for civil purposes in the future. The value of data in contemporary information societies, as well as government's obsession with surveillance for ´national security´ purposes back up the probability that drone birds will not be restricted to battlefields.

So should innovation be encouraged for innovation’s sake, regardless of potential infringement of human rights? This question could open up a never-ending debate with supporters arguing that it´s not technology itself which is harmful, but its use or misuse. However the current reality of drones is this: UAVs and NAVs are poorly regulated (if regulated at all in many countries) and their potential for abuse is enormous, given that ´what happens to our data happens to ourselves....who controls our data controls our lives.´ If UAVs are used to surveille populations, why would drone birds not be used for the same purpose? In fact, they have an awesome camouflage and are potentially capable of acquiring much more data than any UAV! Given the surveillance benefits, governments would appear irrational not to use them.

MeshWorms and Remote-Controlled Insects


Source: NY Daily News

Think insects are creepy? Now we can have a real reason to be afraid of them. Clearly robotic planes, dogs and birds are not enough.

DARPA´s MeshWorm project entails the creation of earthworm-like robots that crawl along surfaces by contracting segments of their bodies. The MeshWorm can squeeze through tight spaces and mold its shape to rough terrain, as well as absorb heavy blows. This robotic worm will be used for military purposes, while future use for ´civil purposes´ remains a probability.

Robots, however, are not only the case. Actual insects are being wirelessly controlled, such as beetles with implanted electrodes and a radio receiver on their back. The giant flower beetle´s size enables it to carry a small camera and a heat sensor, which constitutes it as a reliable mean for surveillance.

Other drone insects look and fly like ladybugs and dragonflies. Researchers at the Wright State University in Dayton, Ohio, have been working on a butterfly drone since 2008. Former software engineer Alan Lovejoy has argued that the US is developing mosquito drones. Such a device could potentially be equipped with a camera and a microphone, it could use its needle to abstract a DNA sample with the pain of a mosquito bite and it could also inject a micro RFID tracking device under peoples´ skin. All such micro-drones could potentially be used for both military and civil purposes and could violate individuals´ right to privacy and other civil liberties.

Security vs. Privacy: The wrong debate

09/11 was not only a pioneering date for the U.S., but also for India and most countries in the world. The War on Terror unleashed a global wave of surveillance to supposedly enable the detection and prevention of crime and terrorism. Governments on an international level have been arguing over the last decade that the use of surveillance technologies is a prerequisite to safety. However, security expert, Bruce Schneier, argues that the trade-off of privacy for security is a false dichotomy.

Everyone can potentially be a suspect within a surveillance state. Analyses of Big Data can not only profile individuals and populations, but also identify ‘branches of communication’ around every individual. In short, if you know someone who may be considered a suspect by intelligence agencies, you may also be a suspect. The mainstream argument “I have nothing to hide, I am not a terrorist’ is none other than a psychological coping mechanism when dealing with surveillance. The reality of security indicates that when an individual’s data is being intercepted, the probability is that those who control that data can also control that individual’s life. Schneier has argued that privacy and security are not on the opposite side of a seesaw, but on the contrary, the one is a prerequisite of the other. Governments should not expect us to give up our privacy in exchange for security, as loss of privacy indicates loss of individuality and essentially, loss of freedom. We can not be safe when we trade-off our personal data, because privacy is what protects us from abuse from those in power. Thus the entire War on Terror appears to waged through a type of phishing, as the promise of ´security´ may be bait to acquire our personal data.

Since the 2008 Mumbai terrorist attacks, India has had more reasons to produce, buy and use surveillance technologies, including drones. Last New Year´s Eve, the Mumbai police used UAVs to monitor hotspots, supposedly to help track down revellers who sexually harass women. The Chennai police recently procured three UAVs from Anna University to assist them in keeping an eye on the city´s vehicle flow. Raj Thackeray´s rally marked the biggest surveillance exercise ever launched for a single event, which included UAVs. The Chandigarh police are the first Indian police force to use the ´Golden Hawk´ - a UAV which will keep a ´bird´s eye on criminal activities´. This new type of drone was manufactured by the Aeronautical Development Establishment (one of DRDO's premier laboratories based in Bangalore) and as of 2011 is being used by Indian law enforcement agencies.

Although there is no evidence that India currently has any animal or insect drones, it could be a probability in the forthcoming years. Since India is currently using many UAVs either way, why would animal and/or insect drones be excluded? What would prevent India from potentially using such drones in the future for ´civil purposes´? More importantly, how are ´civil purposes´ defined? Who defines ´civil purposes´and under what criteria? Would the term change and if so, under what circumstances? The term ´civil purposes´ varies from country to country and is defined by many political, social, economic and cultural factors, thus potentially enabling extensive surveillance and abuse of human rights.

Drones can potentially be as intrusive as other communications surveillance technologies, depending on the type of technology they´re equipped with, their location and the purpose of their use. As they can potentially violate individuals´ right to privacy, freedom of expression, freedom of movement and many other human rights, they should be strictly regulated. In Europe UAVs are regulated based upon their weight, as unmanned aircraft with an operating mass of less than 150kg are exempt by the EASA Regulation and its Implementation Rules. This should not be the case in India, as drones lighter than 150kg can potentially be more intrusive than other heavier drones, especially in the case of bird and insect drones.

Laws which explicitly regulate the use of all types of drones (UAVs, NAVs and micro-drones) and which legally define the term ´civil purposes´ in regards to human rights should be enacted in India. Some thoughts on the authorisation of drones include the following: A Special Committee on the Use of All Drones (SCUAD) could be established, which would be comprised of members of the jury, as well as by other legal and security experts of India. Such a committee would be the sole legal entity responsible for issuing authorisation for the use of drones, and every authorisation would have to comply with the constitutional and statutory provisions of human rights. Another committee, the Supervisory Committee on the Authorisation of the Use of Drones (lets call this ´SCAUD´), could also be established, which would also be comprised by (other) members of the jury, as well as by (other) legal and security experts of India. This second committee would supervise the first and it would ensure that SCUAD provides authorisations in compliance with the laws, once the necessity and utility of the use of drones has been adequately proven.

It´s not about ´privacy vs. security´. Nor is it about ´privacy or security´. In every democratic state, it should be about ´privacy and security´, since the one cannot exist without the other. Although the creation of animal and insect drones is undoubtedly technologically impressive, do we really want to live in a world where even animal-like robots can be used to spy on us? Should we be spied on at all? How much privacy do we give up and how much security do we gain in return through drones? If drones provided the ´promised security´, then India and all other countries equipped with these technologies should be extremely safe and crime-free; however, that is not the case.

In order to ensure that the use of drones does not infringe upon the right to privacy and other human rights, strict regulations are a minimal prerequisite. As long as people do not require that the use of these spying technologies are strictly regulated, very little can be done to prevent a scary sci-fi future. That´s why this blog has been written.

For more details visit https://cis-india.org/internet-governance/blog/big-dog-is-watching-you

Big Tech’s privacy promise to consumers could be good news — and also bad news

Rajat Kathuria and Isha Suri — 2023-01-18T23:25:28Z

Rajat Kathuria, Isha Suri write: Its use as a tool for market development must balance consumer protection, innovation, and competition.

In February, Facebook, rebranded as Meta, stated that its revenue in 2022 is anticipated to reduce by $10 billion due to steps undertaken by Apple to enhance user privacy on its mobile operating system. More specifically, Meta attributed this loss to a new AppTrackingTransparency feature that requires apps to request permission from users before tracking them across other apps and websites or sharing their information with and from third parties. Through this change, Apple effectively shut the door on “permissionless” internet tracking and has given consumers more control over how their data is used. Meta alleged that this would hurt small businesses benefiting from access to targeted advertising services and charged Apple with abusing its market power by using its app store to disadvantage competitors under the garb of enhancing user privacy.

Access the full article published in the Indian Express on April 13, 2022

For more details visit https://cis-india.org/internet-governance/blog/indian-express-rajat-kathuria-isha-suri-big-tech-consumers-privacy-policy

Big Democracy: Big Surveillance - A talk by Maria Xynou

maria — 2013-12-12T10:23:21Z

Next Tuesday, Maria Xynou will be presenting her latest research on surveillance in India. Come and engage in a discussion on India's controversial surveillance schemes, surveillance industry and much much more!

And so we've heard a lot about the Edward Snowden leaks and about the NSA's controversial mass surveillance projects. But what's happening in India?

It turns out that the world's largest democracy has some of the most controversial surveillance schemes in the world! Some of India's laws, schemes, projects and technologies are unbeatable when it comes to mass surveillance, censorship and control. While India may be a developing country with issues ranging from poverty to corruption, it nonetheless appears to be at the forefront of surveillance on an international level.

Join us at the Centre for Internet and Society (CIS) on 3rd December 2013 to hear about India's surveillance laws, schemes and technologies and to engage in a discussion on the potential implications. All that is required is an open mind, critical thought and a will to challenge that which has not been challenged!

We look forward to seeing you all and to hearing your thoughts, ideas and opinions!

VIDEO

For more details visit https://cis-india.org/internet-governance/events/big-democracy-big-surveillance-a-talk-by-maria-xynou

Big Democracy, Big Surveillance: India's Surveillance State

maria — 2014-02-28T10:35:09Z

In India, surveillance is on the rise by the state to tackle crime and terrorism, and private companies are eager to meet the demand.

This article by Maria Xynou was published by OpenDemocracy on 10 February 2014.

Worried about the secret, mass surveillance schemes being carried out by the NSA? While we should be, some of the surveillance schemes in the world's largest democracy, India, are arguably in the same league.

Surveillance is being globalised to the extent that even India, a country with huge poverty issues, is investing millions of dollars in creating an expansive surveillance regime. However, why would communications monitoring interest Indian authorities, when the majority of the population lives below the line of poverty and only 17% of the population has access to the Internet?

The official political motivation behind surveillance in India appears to be the government's determination to tackle terrorism in the country. The 2008 Mumbai terrorist attacks were arguably a similar landmark to the 9/11 terrorist attacks in the US, and both governments officially announced their intention to carry out surveillance as a counter-terrorism measure. However, unlike in the west, terrorist attacks in India are much more common, and the National Security Adviser reported in 2008 that 800 terrorist cells were operational in the country. With India’s history of major terror attacks in India over the last 25 years, it's easy for one to be persuaded that terrorism is actually a major threat to national security.

India's surveillance schemes

India’s surveillance programs mostly started following the 2008 Mumbai terror attacks. That was when the Ministry of Home Affairs first proposed the creation of a National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative agencies real-time access to 21 citizen data sources to track terror activities. These citizen data sources will be provided by various ministries and departments, otherwise called “provider agencies”, and will include bank account details, telephone records, passport data and vehicle registration details, among other types of data.

The Ministry of Home Affairs has sought over Rs. 3,400 crore (around USD 540 million!) for the implementation of NATGRID, which aims to create comprehensive patterns of intelligence by collecting sensitive information from databases of departments like the police, banks, tax and telecoms to supposedly track any terror suspect and incident.

But NATGRID is far from India's only data sharing scheme. In 2009 the Cabinet Committee on Economic Affairs approved the creation and implementation of the Crime and Criminal Tracking Network & Systems (CCTNS), which would facilitate the sharing of databases among 14,000 police stations across all 35 states and Union Territories of India, excluding 6,000 police offices which are high in the police hierarchy. Rs. 2,000 crore (around USD 320 million) have been allocated for the CCTNS, which is being implemented by the National Crime Records Bureau under the national e-governance scheme. The CCTNS not only increases transparency by automating the function of police stations, but also provides the civil police with tools, technology and information to facilitate the investigation of crime and detection of criminals.

But apparently, sharing data and linking databases is not enough to track criminals and terrorists. As such, in the aftermath of the 2008 Mumbai terror attacks, the Indian government also implemented various interception systems. In September 2013 it was reported that the Indian government has been operating Lawful Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in India have deployed their own LIM systems allowing for the so-called “lawful interception” of calls by the government. And possibly to enable this, mobile operators are required to provide subscriber verification to the Telecom Enforcement, Resource and Monitoring (TERM) cells of the Department of Telecommunications.

In the case of Internet traffic, the LIM systems are deployed at the international gateways of large Internet Service Providers (ISPs) and expand to a broad search across all Internet traffic using “keywords” and “key-phrases”. In other words, security agencies using LIM systems are capable of launching a search for suspicious words, resulting in the indiscriminate monitoring of all Internet traffic, possibly without court oversight and without the knowledge of ISPs.

India has also automated and centralized the interception of communications through the Central Monitoring System (CMS). This project was initially envisioned in 2009, following the 2008 Mumbai terror attacks and was approved in 2011. The CMS intercepts all telecommunications in India and centrally stores the data in national and regional databases. The CMS will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Intelligence Bureau (IB), the Central Bureau of Investigation (CBI), the Directorate of Revenue Intelligence (DRI), the Research and Analysis Wing (RAW) and the National Investigation Agency (NIA).

Unlike mainstream interception, where service providers are required to intercept communications and provision interception requests to law enforcement agencies, the Central Monitoring System will automate the entire process of interception. This means that the CMS authority will have centralized access to all intercepted data and that the authority can also bypass service providers in gaining such access. Once security agencies have access to this data, they are equipped with Direct Electronic Provisioning, filters and alerts on the target numbers, as well as with Call Details Records (CDR) analysis and data mining tools to identify the personal information of target numbers.

Given that roughly 73% of India's population uses mobile phones, this means that the Central Monitoring System can potentially affect about 893 million people, more than double the population of the United States! However, how is it even possible for Indian authorities to mine the data of literally millions of people? Who supplies Indian authorities with the technology to do this and what type of technology is actually being used?

India's surveillance industry

India has the world's second largest population, consisting of more than a billion people and an expanding middle class. Undoubtedly, India is a big market and many international companies aspire in investing in the country. Unfortunately though, along with everything else being imported into India, surveillance technologies are no exception.

Some of the biggest and most notorious surveillance technology companies in the world, such as ZTE, Utimaco and Verint, have offices in India. Even FinFisher command and control servers have been found in India. However, in addition to allowing foreign surveillance technology companies to create offices and to sell their products and solutions in the country, local companies selling controversial spyware appear to be on the rise too.

Kommlabs Dezign is an Indian company which loves to show off its Internet monitoring solutions at various ISS trade shows, otherwise known as “the Wiretapper's Ball”. In particular, Kommlabs Dezign sells VerbaNET, an Internet Interception Solution, as well as VerbaCENTRE, which is a Unified Monitoring Centre that can even detect cognitive and emotional stress in voice calls and flag them! In other words, Kommlabs Dezign makes a point that not only should we worry about what we text and say over our phones, but that we should also worry about what we sound like when on the phone.

Vehere is another Indian company which sells various surveillance solutions and notably sells vCRIMES, which is a Call Details Records (CDR) analysis system. VCRIMES is used to analyse and gather intelligence and to unveil hidden interconnections and relations through communications. This system also includes a tool for detecting sleeper cells through advanced statistical analysis and can analyse more than 40 billion records in less than 3 seconds.

Paladion Networks is headquartered in Bangalore, India and sells various Internet Monitoring Systems, Telecom Operator Interception Systems, SSL Interception and Decryption Systems and Cyber Cafe Monitoring Systems to law enforcement agencies in India and abroad. In fact, Paladion Networks even states in its website that its customers include India's Ministry of Information Technology and the U.S Department of Justice.

ClearTrail Technologies is yet another Indian company which not only sponsors global surveillance trade shows but also sells a wide range of monitoring solutions to law enforcement agencies in India and abroad. ComTrail is a solution for the centralised mass interception and monitoring of voice and data networks, including Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls. Furthermore, ComTrail is equipped to handle millions of communications per day, correlating identities across multiple networks, and can instantly analyse data across thousands of terabytes.

ClearTrail also sells xTrail, which is a solution for the targeted interception, decoding and analysis of data traffic over IP networks and which enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. Interestingly, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID.

Apparently, some the biggest challenges that law enforcement agencies face when monitoring communications include cases when targets operate from public Internet networks and/or use encryption. However, it turns out that ClearTrail's QuickTrail solution is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. This device can remotely deploy spyware into a target's computer and supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS.

Additionally, QuickTrail can identify a target machine on the basis of metadata, such as an IP address, and can monitor Ethernet LANs in real time, as well as monitor Gmail, Yahoo and all other HTTPS-based communications. ClearTrail's mTrail is designed for the passive 'off-the-air' interception of GSM communications, including the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information. MTrail also identifies a target's location by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation of so-called “lawfully intercepted” calls in near real-time.

In short, it looks like India is reaching the top league when it comes to surveillance technologies, especially since many of its companies and their products appear to be just as scary as some of the most sophisticated spying gear sold by the West. India may be the world's largest (by population) democracy, but that means that it has a huge population with way too many opinions...and apparently, the private and public sectors in India appear to be joining forces to do something about it.

So do Indians have nothing to hide?

A very popular rhetoric in both India and the west is that citizens should not be concerned about surveillance because, after all, if they are not terrorists, they should have nothing to hide. However, privacy advocate Caspar Bowden has rightfully stated that this rhetoric is fundamentally flawed and that we should all indeed “have something to hide”. But is privacy just about “having something to hide”? Jacob Appelbaum has stated that this rhetoric is merely a psychological copying mechanism when dealing with security.

It's probably rather comforting and reassuring to think that we are not special or important enough for surveillance to affect us personally. But is that really up to us to decide? Unfortunately not. The very point of data mining is to match patterns, create profiles of individuals and to unveil hidden interconnections and relations. A data analyst can uncover more information about us than what we are even aware of and it is they who decide if our data is “incriminating” or not. Or even worse: in many cases it's up to data mining software to decide how “special” or “important” we are. And unfortunately, technology is not infallible.

The world's largest democracy, which is also one of the most corrupt countries in the world, is implementing many controversial surveillance schemes which lack transparency, accountability and adequate legal backing, and which are largely being carried out in secret. And to make matters worse, India lacks privacy legislation. Over a billion people in a democratic regime are exposed to inadequately regulated surveillance schemes, while a local surveillance industry is thriving without any checks or balances whatsoever. What will this mean for the global future of democracy?

For more details visit https://cis-india.org/internet-governance/blog/big-democracy-big-surveillance-indias-surveillance-state

Big Data in the Global South International Workshop

praskrishna — 2015-11-06T02:04:49Z

Institute for Technology and Society of Rio de Janeiro welcomes you to an international workshop on Big Data at Hotel Windsor Florida, Rua Ferreira Viana, Flamengo, Rio de Janeiro, Brazil on November 16 and 17, 2015. Open Society Foundations and British Embassy Brasilia are sponsors for the event. The Centre for Internet & Society (CIS) is a research partner. Sunil Abraham, Pranesh Prakash and Vipul Kharbanda will be speaking at this event.

The event will bring together key representatives from government, civil society, the business sector and academia from Brazil, India, United Kingdom and several other countries. This is a closed multistakeholder round-table to discuss and map international examples of Big Data uses and regulation, both by private and public sectors, in order to develop practical strategies to promote adoption of harmonized rules by different actors. The event will also map existing initiatives involving the use of Big Data and present the results of a joint research initiative conducted by ITS and CIS in this field.

Resources

For more details visit https://cis-india.org/internet-governance/events/big-data-in-the-global-south-international-workshop