We are anonymous, we are legion

TRAI and the Disclosure of Personal Information

Nehaa Chaudhari and Vidushi Marda — 2015-05-10T09:16:28Z

The Telecom Regulatory Authority of India (TRAI), in March 2015 invited comments on its Consultation Paper for the regulation of over-the-top (OTT) services. In an unprecedented wave of public participation, TRAI received over a million e-mails in support of net neutrality.

This note sets out the law in relation to the unauthorized disclosure of personal information. Many thanks to Bhairav Acharya for his inputs on this.

Subsequently, on April 27, 2015, TRAI made all responses received by it public, including personal information like email addresses along with any information contained in email signatures, which invariably include a phone number or address. While disclosure of names was needed to ensure transparency in the consultation process, disclosure of personal information gave rise to criticism and questions around the legality of such disclosure.

This note sets out the law in relation to the unauthorized disclosure of personal information:
Section 43A of the IT Act provides for subordinate legislation to govern the manner in which sensitive personal data is collected and processed. The governance of personal information is dealt with under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“2011 Rules”). The 2011 Rules are made to give effect to Section 43A of the IT Act.

TRAI is a body corporate as per Section 3(2) of the TRAI Act. Hence, TRAI’s collection, storage, and disclosure of personal information is governed by the 2011 Rules. Rule 5(8) requires personal information collected to be held securely. TRAIs publishing of email addresses is a violation of Rule 5(8).

Rule 4 of the 2011 rules requires a body corporate to have a privacy policy. On its website, TRAI publishes a Privacy Policy. However, the Policy speaks of information gathered from the TRAI- Website. Even the wording on the Home Page of the TRAI website (that links to these policies) says “Website Policies”. It is unclear therefore, whether the Privacy Policy applies ONLY to the collection of information over the TRAI- Website or whether the Privacy Policy applies to TRAI overall.

Either way there is an argument to be made. TRAI has failed to draft and publicize a privacy policy for the personal information it collects directly. Without prejudice to the above, if the privacy policy on the TRAI website governs this collection of email addresses, then its unauthorized disclosure is a contravention of its own Privacy Policy, specifically paragraph 2.

Since the IT Act does not enact a specific penalty for contravention of section 43A in respect of personal information, TRAI’s unauthorized disclosure will be penalized through the residuary penalty contained in section 45 of the IT Act.

Hence TRAI is liable under Section 45 of the IT Act read with Rules 4 and 5(8) of the 2011 Rules. Section 45 provides a “residuary penalty”; for those provisions under the IT Act or Rules for whose contravention no other penalty has been prescribed. For this contravention, TRAI would have to pay a compensation of 25,000/- to the affected persons or a penalty of 25,000/- rupees.

TRAI may argue that it disclosed that personal information would be disclosed/published. However, the Call for Comments Press Release says that Comments will be published. Email addresses are not comments, and therefore TRAI did not issue a prior disclaimer for the publication of this personal information – hence the disclosure of e-mail addresses is still a violation.

The remedy for violation of Section 43A of the IT Act is the Adjudicating Authority appointed under Section 46(1), which requires a person not below the rank of Director in the appropriate government to receive complaints. Since TRAI is a body corporate as per the Act, it is unclear as to who the adjudicating officer in the present case should be; and is the matter of a separate research question.

The Appellate authority is the Cyber Appellate Tribunal constituted under Section 48 of the IT Act . It is not known if the tribunal has been constituted, and if it has; it is unknown whether it is staffed.

In the absence of clarity with regard to statutory authorities, a citizen whose personal information has been disclosed by TRAI without authorization may file a writ petition in the Delhi High Court under Article 226, or in the Supreme Court under Article 32 for issue of a writ of mandamus or prohibition, for appointment of the first adjudicating officer and also for issuance of directions in lieu of such an officer.

For more details visit https://cis-india.org/telecom/blog/trai-and-the-disclosure-of-personal-information

Towards an Equitable and Just Internet

praskrishna — 2014-02-17T11:20:19Z

IT for Change is organizing an international meeting to formulate a progressive response to issues of global governance of the Internet. Bhairav Acharya will be participating in this event to be held in New Delhi on February 14 and 15.

The Internet is emerging as a central feature of contemporary human life. We use it to access and disseminate information, to communicate and build community, to transact business and to practise democracy. Ever increasing dimensions of our social, economic, cultural and political life are tied to the Internet.

However, the benefits of the Internet - knowledge and power, wealth and influence, are distributed unevenly. A technology built on the egalitarian peer-to-peer principle, ironically, is emerging as a key axis of inequality, an instrument perpetuating and reinforcing longstanding social, economic, cultural and political injustices. Snowden's dramatic exposé of a deep nexus between the US government and a few global corporations to enable global surveillance, confirmed just one aspect of the problem. The truth about the Internet and how its socio-technical architecture is being shaped is considerably more complex and insidious. The rapid colonisation of the Internet by a few monopolizing global corporations, and its governance being subject, in a highly disproportionate manner, to the laws and policy priorities of one country, impacts not just privacy, but a huge range of very important social, economic, cultural and political issues. (To a lesser extent, policy frameworks developed by clubs of rich countries like the the OCED also impact the emerging shape of the Internet.)

Questions of democracy, social justice and equity need to become central to how the Internet, and how an Internet-mediated society, are evolving. The smokescreen of technical-neutrality has prevented for too long a critical, political examination of the social underpinnings of the Internet, its normative boundaries and legalinstitutional frames. In addition, self-serving formulations like 'Multistakeholderism' and 'Internet Freedom', are employed by the status quo to maintain a facade of legitimacy. Beyond the rhetoric, it is clear that the Internet – in its dominance by the powerful, is neither genuinely multi-stakeholder nor genuinely free.

There are foundational questions to be pursued, in this regard : How is the Internet redistributing power and resources? How does this impact those at the margins, those on the peripheries of an increasingly globalised world? How is such redistribution connected to the socio-technical architecture of the Internet? What kind of Internet would promote social justice and equity? What needs to be done to make it more just, more egalitarian? Who governs the Internet, and how can its governance be democratized? From the standpoint of global justice, two urgent priorities lie ahead of us.

A progressive conception and vision of the Internet, and
A common global ownership of the Internet that protects and promotes its public-ness, and its evolution as a 'global commons'. The Internet was envisaged as a decentralized network, with control from the peripheries. This characteristic of the network is rapidly eroding, What is urgently needed is a recasting of this technical principle into a socio-political framework for a truly people-owned and people-controlled Internet, and one that works for all. The global governance of the Internet requires a proper institutionalization and legal framework incorporating the true spirit of participatory democracy. It should inter alia serve to insulate the Internet both from corporatist and from statist dominations.

An international meeting, entitled 'Towards a Just and Equitable Internet', is envisaged to address the key issues identified above. It will be held in New Delhi, India, on February 14th and 15th, 2013. The meeting will bring together actors engaged in social justice movements and ICT, communication and media rights advocacy to dialogue with some of those already engaged with Internet governance issues, with a view to chart a progressive response to issues related to global governance of the Internet.

Potential outcomes from the meeting include:

A 'charter for Internet justice and equity';
Specific proposals for democratizing the global governance of the Internet as contributions to the 'Global Multistakeholder Meeting on the Future of Internet Governance' being hosted by Brazilian government in April, 2013, the UN Working Group on Enhanced Cooperation and the WSIS + 10 process.

For more details visit https://cis-india.org/news/towards-an-equitable-and-just-internet

Towards Algorithmic Transparency

Radhika Radhakrishnan, and Amber Sinha — 2020-07-15T13:16:44Z

This policy brief examines the issue of transparency as a key ethical component in the development, deployment, and use of Artificial Intelligence.

This brief proposes a framework that seeks to overcome the challenges in preserving transparency when dealing with machine learning algorithms, and suggests solutions such as the incorporation of audits, and ex ante approaches to building interpretable models right from the design stage. Read the full report here.

The Regulatory Practices Lab at CIS aims to produce regulatory policy suggestions focused on India, but with global application, in an agile and targeted manner and to promote transparency around practices affecting digital rights.
The Regulatory Practices Lab is supported by Google and Facebook.

For more details visit https://cis-india.org/internet-governance/blog/towards-algorithmic-transparency

Towards a Multi-Stakeholder Consultation on ‘Internet Rights, Accessibility, Regulation & Ethics’

praskrishna — 2012-05-31T07:14:42Z

This event was organised by Digital Empowerment Foundation, National Internet Exchange of India and Association for Progressive Communications at Mirza Ghalib Hall, SCOPE Complex, New Delhi from 9.00 a.m. to 2.30 p.m. on May 3, 2012. Pranesh Prakash participated as a speaker in the session on Access to Internet: Right to Information.

9.00 a.m. to 9.30 a.m. (Registration)

9.30 a.m. to 11.00 a.m.

Inauguration & Plenary: Internet Rights, Accessibility, Regulation & Ethics

Introduction: Osama Manzar, Founder & Director, Digital Empowerment Foundation
Chair: Aruna Roy, Head, Mazdoor Kisan Shakti Sangathan (MKSS) & Member, National Advisory Council (NAC), Govt. of India
Co-Chair: Ajay Kumar, Joint Secretary, DIT, Govt. of India
Plenary Speakers:

Honey Tan, Human Rights Lawyer, Malaysia, APC
Venkatesh Nayak, Co-convener, Secretary, National Campaign for Peoples’ Right to Information
Jitendra Kohli, Executive Member, Transparency International India Summary of the Session by the Chair

11.00 to 11.15 a.m. (Tea break)

11.15 a.m. to 12.30 p.m.

Working Session I - Access to Internet: Right to Information

Chairperson: Basheerhamad Shadrach, Development Consultant
Plenary Speakers:

Pranesh Prakash, Programme Manager, Centre for Internet & Society
NA Vijayashankar, E-Business Consultant, Founder Secretary of Cyber Society of India, Founder Trustee of International Institute of Information Technology Law
Pavan Duggal, Advocate, Supreme Court of India
Varsha Iyenger, Member, Centre for Law and Policy Research
Amitabh Singhal, Former CEO, National Internet Exchange of India (NIXI)
Prof Jagdeep Chhokar, Founding Member, Association for Democratic Reforms

12.30 p.m. to 1.30 p.m.
Working Session II - Internet Right as Human Right: Need for a Holistic Framework towards Universal Access in India

Chairperson: Dr. Govind, CEO, National Internet Exchange of India (NIXI), Govt. of India
Co-chair & Moderator: R. Sukumar , Managing Editor, Live Mint Newspaper
Panel Members:

Subho Ray, President, Internet & Mobile Association of India (IMAI)
Deepak Maheshwari, Vice President - Public Policy, South Asia, MasterCard
Ravina Agarwal, Program Officer, Ford Foundation
Honey Tan, Human Rights Lawyer, Malaysia, APC
Suhas Chakma, Director, Asian Centre for Human Rights
Anoop Saha, Co-Founder, CGNet Swara
Shivam Vij, Writer, Kafila.org

Click to see the original

For more details visit https://cis-india.org/news/towards-a-multi-stakeholder-consultation

Towards a Global Network of Internet and Society Centres

praskrishna — 2013-06-05T07:29:43Z

This event was held in Istanbul by Bilgi University as part of the collaboration on Global Network of Interdisciplinary Internet and Society Research Centres.

Chinmayi Arun spoke on the Internet Governance panel at the conference on 'ICT, Law and Innovation: Recent Developments, Challenges, and Lessons Learned'.

Tough neighbourhood tests India's e-tolerance

praskrishna — 2011-06-15T10:51:48Z

The combination of having restrictive neighbours as well as security threats could make freedom on the web in India a casualty, writes Anahita Mukherji in this article published by the Times of India on June 12, 2011.

While Indians have enjoyed relatively free cyberspace, growing security threats have resulted in new laws that may tighten the screws on India's freedom on the web. This is one of the findings of a global report titled Freedom on the Net 2011.

There is a widespread fear that the lack of internet freedom in neighbouring countries, like China and Pakistan, may adversely impact India. "If restrictions are placed in certain countries, information links get weakened. Also, governments tend to copy moves of other countries when it comes to a restriction of freedom on the net," said Ketan Tanna, the India researcher for the report.

However, Sarah Cook, Asian research analyst and assistant editor for Freedom on the Net, said that while India may be in a tough neighborhood, it is also possible to seek out the "best practices from countries further afield, or even design its own, and not follow the 'worst practices' from the countries next door".

"It is ultimately up to the Indian government and people to decide how adversely they let being in a tough neighborhood impact internet freedom. It is true that there are objective threats that India faces. All of these can be used as justifications for why the government should be given wide authority to block certain content or monitor internet traffic. But in a democratic society, such needs must be balanced against citizens' rights to free expression and privacy. Ensuring transparency, accountability and legal specificity in any measures taken to restrict the free flow of information is an important way of balancing those factors," said Cook in an email interview with TOI.

Recent regulations have given the government more freedom to censor content. In 2008, Parliament passed amendments to the IT Act, which came into effect in 2009 and have expanded the government's monitoring capabilities. Two months ago, the government enforced another set of guidelines on internet usage. They make it mandatory for intermediaries (ISPs, websites, blogs etc) to notify users not to publish or use information that could be harmful, defamatory or cause annoyance in any way. If an intermediary is informed of such information by the government, it has to block it within 36 hours.

According to the new rules, content that "threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states or public order" is entitled to a ban.

An RTI activist from The Centre for Internet and Society managed to get a list of 11 officially banned websites in India in April 2011.

Nikhil Pahwa, the founder editor of Medianama, a digital media portal, feels the new guidelines could result in a further slide in India's rank.

Read the original published in the Times of India here

For more details visit https://cis-india.org/news/india-e-tolerance

Too Clever By Half: Strengthening India’s Smart Cities Plan with Human Rights Protection

vanya — 2016-03-22T13:49:32Z

The data involved in planning for urbanized and networked cities are currently flawed and politically-inflected. Therefore, we must ensure that basic human rights are not violated in the race to make cities “smart”.

The article was published in the Wire on March 21, 2016

As Indian cities reposition themselves to play a significant role in development due to urban transformation, the government has envisioned building 100 smart cities across the country. Due to the lack of a precise definition as to what exactly constitutes a smart city, the mutual consensus that has evolved is that modern technology will be harnessed, which will lead to smart outcomes.

Here, Big Data and analytics will play a predominant role by the way of cloud, mobile technology and other social technologies that gather data for the purpose of ascertaining and accordingly addressing concerns of people.

Role of Big Data

Leveraging city data and using geographical information systems (GIS) to collect valuable information about stakeholders are some techniques that are commonly used in smart cities to execute emergency systems, creating dynamic parking areas, naming streets, and develop monitoring. Other sources which would harness such data would be from fire alarms, in disaster management situations and energy saving mechanisms, which would sense, communicate, analyze and combine information across platforms to generate data to facilitate decision making and manage services.

According to the Department of Electronics and Information Technology, the government’s plan to develop smart cities in the country could lead to a massive expansion of an IoT (Internet of Things) ecosystem within the country. The revised draft IoT policy aims at developing IoT products in this domain by using Big Data for government decision-making processes. For example, in India a key opportunity that has been identified is with regard to traffic management and congestion. Here, collecting data during peak hours, processing information in real time and using GPS history from mobile phones can give insight into the routes taken and modes of transportation preferred by commuters to deal with traffic woes. The Bengaluru Transport Information System (BTIS) was an early adopter of big data technology which resorted to aggregating data streams from multiple sources to enable planning of travel routes by avoiding traffic congestions, car-pooling, etc.

Challenges

The idea of a data-driven urban city has drawn criticism as the initiative tends to homogenize Indian culture and change the fabric of cities by treating them alike in terms of their political economy, culture, and governance.

Despite basing the idea of a smart city on the assumption that technology-based solutions and techniques would be a viable solution for city problems in India, it is pertinent to note that the collection of personal real-time data may blur the line between personal data with the large data collected from multiple sources, leaving questions around privacy considerations, use and reuse of such data, especially by companies and businesses involved in providing services in legally and morally grey areas.

Privacy concerns cloud the dependence on big data for functioning of smart cities as it may lead to erosion of privacy in different forms, for example if it is used to carry out surveillance, identification and disclosures without consent, discriminatory inferences, etc.

Apart from right to privacy, a number of rights of an individual like the right to access and security rights would be at risk as it may enable practices of algorithmic social sorting (whether people get a loan, a tenancy, a job, etc.), and anticipatory governance using predictive profiling (wherein data precedes how a person is policed and governed). Dataveillance raises concerns around access and use of data due to increase in digital footprints (data they themselves leave behind) and data shadows (information about them generated by others). Also, the challenges and the realities of getting access to correct and standardized data, and proper communication seem to be a hurdle which still needs to be overcome.

The huge, yet untapped, amount of data available in India requires proper categorization and this makes a robust and reliable data management system prerequisite for realization of the country’s smart city vision. Cooperation between agencies in Indian cities and a holistic technology-based approach like ICT and GT (geospatial technologies) to resolve issues pertaining to wide use of technology is the need of the hour. The skills to manage, analyze and develop insights for effective policy decisions are still being developed, particularly in the public sector. Recognizing this, Nasscom in India has announced setting up a Centre of Excellence (CoE) to create quality workforce.

Though it is apparent that data will play a considerable role in smart city mission, the peril is lack of planning in terms of policies to govern the big data mechanics and use of data. This calls for development of suitable standards and policies to guide technology providers & administrators to manage and interpret data in a secured environment.

Legal hurdles

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 deals with accountability regarding data security and protection as it applies to ‘body corporates’ and digital data. It defines a ‘body corporate’ as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” under the IT Act. Therefore, it can be ascertained that government bodies or individuals collecting and using Big Data for the smart cities in India would be excluded from the scope of these Rules. This highlights the lack of a suitable regulatory framework to take into account potential privacy challenges, which currently seem to be underestimated by our planners and administrators.

Regarding access to open data, though the National Data Sharing and Accessibility Policy 2012 recognizes sensitive data, the term has not been clearly defined under it. However, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 clearly define sensitive personal data or information. Therefore, the open data framework must refer to or adopt a clear definition drawing from section 43A Rules to bring clarity in this regard.

Way forward

As India moves toward a digital transformation, highlighted by flagship programmes like Smart Cities Mission, Digital India and the UID project, data regulation and recognition of use of data will change the nature of the relationship between the state and the individual. However, this seems to have been overlooked. Policies that regulate the digital environment of the country will intertwine with urban policies due to the smart cities mission. Use of ICTs in the form of IoT and Big Data entails access to open data, bringing another policy area in its ambit which needs consideration. Identification/development of open standards for IoT particularly for interoperability between cross sector data must be looked at.

To address privacy concerns due to the use of big data techniques, nuanced data legislation is required. For a conducive big data and technologically equipped environment, the governments must increase efforts to create awareness about the risks involved and provide assurance about the responsible use of data.

Additionally, a lack of skilled and educated manpower to deal with such data effectively must also be duly considered.

The concept note produced by the government reflects how it visualizes smart cities to be a product of marrying the physical form of cities and its infrastructure to a wider discourse on the use of technology and big data in city governance. This makes the role of big data quite indispensable, making it synonymous with the very notion of a smart city. However, the important issue is to understand that data analytics is only a part of the idea. What is additionally required is effective governance mechanism and political will. Collaboration and co-operation is the glue that will make this idea work. It is important to merge urban development policies with principles of democracy. The data involved in planning for urbanized and networked cities are currently flawed and politically-inflected. Therefore, collective efforts must go into minimizing pernicious effects of the same to ensure the basic human rights are not violated in the race to make cities “smart”.

Vanya Rakesh is Programme Officer, The Centre for Internet & Society (CIS), Bangalore. Elonnai Hickok, Policy Director of CIS, also provided inputs for this story.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-march-21-2016-vanya-rakesh-too-clever-by-half-strengthening-indias-smart-cities-plan-with-human-rights-protection

Tomorrow, Today

nishant — 2013-01-02T05:00:41Z

Our present is the future that our past had imagined. Around the same time last year, I remember taking stock of the technologies that we live with and wondering what 2012 would bring in.

Nishant Shah's end of the year column was published in the Indian Express on December 29, 2012.

And I find myself in a similar frame of mind, celebrating with joy the promises that were kept, reflecting sombrely on the opportunities we missed, and speculating about what the new year is going to bring in for the future of digital and internet technologies, and how they are going to change the ways in which we understand what it means to be human, to be social, and to be the political architects of our lives.

We all know that dramatic change is rare. Nothing transforms overnight, and a lot of what we can look forward to in the next year, is going to be contingent on how we have lived in this one. And yet, the rapid pace at which digital technologies change and morph, and the ways in which they produce new networked conditions of living, make it worthwhile to speculate on what are the top five things to look out for in 2013, when it comes to the internet and how it is going to affect our techno-social lives.

Head in the Cloud

If the last year was the year of the mobile, as more and more smartphones started penetrating societies, providing new conditions of portable and easy computing, making ‘app’ the word of the year, then the next year definitely promises to be the year of the cloud. As internet broadband and mobile data access become affordable, increasingly we are going to see services that no longer require personal computing power. All you will need is a screen and a Wi-Fi connection and everything else will happen in the cloud. No more hard drives, no more storage, no more disconnectivity, and data in the cloud.

More Talk

One of the biggest problems with the internet has been that it has been extremely text heavy. We often forget that the text is still a matter of privilege as questions of illiteracy and translation still hound a large section of the global population. However, with the new protocols of access, availability of 4G spectrum and the release of IPV6 as the new standard, we can expect faster voice and video-based communication at almost zero costs. It might be soon time to say goodbye to the SMS.

Big Data

You think you are suffering from information overload now? Wait for the next year as mobile and internet penetration are estimated to rise by 30 per cent around the world! This is going to be the year of Big Data — data so big that it can no longer be fathomed or understood by human beings. We will be dependent on machines to read it, process it, and show us patterns and trends because we are now at a point in our information societies where we are producing data faster than we can process it. Our governments, markets and societies are going to have to produce new ways of governing these data landscapes, leading to dramatic changes in notions of privacy, property and safety.

No Next Big Thing

If you haven’t noticed it, the pace of dramatic innovation has slowed down in the last few years and it will slow down even more. We have been riding the wave of the next big thing, in the last few years, constantly in search of new gadgets, platforms and ways of networking. However, the coming year is going to make innovation granular. It will be a year where things become better, and innovation happens behind the scene. So if you thought this was the year that Facebook will finally become obsolete and something else will take over, you might want to reconsider deleting your account, and start looking at the changes that shall happen behind the scenes, for better or for worse.

The Return of the Human

The rise of the social network has distracted us from looking at the human conditions. We have been so engaged in understanding friendship in the time of Facebook, analysing relationships, networked existences and our own performance as actors of information, that we haven’t given much thought to what it means to be human in our rapidly digitising worlds. And yet, the revolutions and the uprisings we have witnessed have been about people using these social networks to reinforce the ideas of equity, justice, inclusion, peace and rights across the world. As these processes strengthen and find new public spaces of collaboration, we will hopefully see social and political movements which reinforce, that at the end of the day, what really counts, is being human.

The future, specially in our superconnected times, is always unpredictable. But the rise of digital technologies has helped us revisit some of the problems that have been central to a lot of emerging societies — problems of inequity, injustice, violence and violation of rights. And here is hoping that the tech trends in the coming year, will be trends that help create a better version of today, tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-december-29-2012-tomorrow-today

Token security or tokenized security?

Admin — 2018-01-17T00:17:41Z

Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.

The article by Manasa Venkataraman and Ajay Patri was published in Livemint on January 9, 2018.

Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in The Tribune on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.

These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.

There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.

Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.

One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.

Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.

Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.

The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.

Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.

The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.

Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in The Tribune. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.

These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.

Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.

For more details visit https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security

Token disclosures?

praskrishna — 2013-08-07T09:30:39Z

Snowden’s Xkeyscore expose makes a mockery of Twitter’s transparency revelations.

The article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

This week, roughly around the same time, two ‘revelations’ made headlines in the world of technology. The first, the U.S. National Security Agency’s top secret web surveillance programme, codenamed Xkeyscore, another expose from the house of Edward Snowden & Co.; and second, microblogging site Twitter’s third biannual Transparency Report for the first half of 2013.

The former exposed a global surveillance net, cast far and wide to freely (no formal authorisation required) access and mine emails, chats and browsing histories of millions. The content of the latter report not only pales in comparison but also raises fundamental questions on just how much goes on beyond the arguably modest claims made on Twitter’s transparency charts.

Documents published by The Guardian have the NSA claiming that the “widest-reaching” system mining intelligence from the web had, over a month in 2012, retrieved and stored no less than 41 billion records on its Xkeyscore servers. These mind-boggling numbers make a mockery of Twitter’s few hundred access request disclosures, advocates of online privacy and freedom point out. Then, it is hardly surprising that a large chunk of global requests came from the U.S. government: no less than 902 of the total 1,157 requests, accounting for 78 per cent. A far second is Japan at 8 per cent followed by the U.K.

India References

Interestingly, both Twitter’s report and the NSA’s Xkeyscore document have India references. While a map titled 'Where is Xkeyscore' in the training manual released showing India as one of 150 sites (hosting a total of 700 servers) indicates that India's very much on the global surveillance radar of the United States government; the fact that the India is a new entrant on Twitter's ‘Country Withheld Content Tool’ means that the government here is also making active interventions in microblogging content. This is very much in line with stances the Indian government has taken over the last year, swinging indecisively between asking internet firms to pre-screen content and asking service providers to take down what it finds offensive.

India, A Bit-Player

The Twitter report states that over the last six months it has seen an increase in the number of requests received (and eventual withholding of content) in five new countries: India, Brazil, Japan, Netherlands and Russia. In terms of numbers, India is still very much a bit player in the game given it falls under the ‘less than 10 category, a list where the number of requests for user information made by the government during this period is fewer than 10. It appears from the report that Twitter did not honour any of these requests, indicating that either the requests were too broad or failed to identify individual accounts.

In the same period, Twitter received two requests from India to remove content, one from the “government/law enforcement agency” and the other through a court order. In all, three tweets were removed by Twitter. No details on the nature of content removed were available.

Transparency Trends

A late entrant to transparency initiatives, Twitter's bi-annual reports have been applauded by privacy activists as an initiative that at least attempted to offer a glimpse into the otherwise opaque medium/industry. According to 'Who Has Your Back' an initiative by the Electronic Frontier Foundation, which tracks which corporate helps protect your data from the government, only a third of the 18 internet majors publish Transparency Reports – in fact, Facebook, WordPress and Tumblr all don't publish.

This article by Deepa Kurup was published in the Hindu on August 4, 2013. Sunil Abraham is quoted.

While it's definitely good that Twitter's providing data for India, post-Edward Snowden and his revealing PRISM leaks, netizens would question to what extent this data is representative of the magnitude or extent of user data tracking. Do governments like the U.S. need to approach Twitter (or other internet service providers) at all to access detailed user activity logs, content and metadata?

Secret Orders Excluded

Twitter makes it clear that its current report does not include "secret orders" or FISA disclosures. In another blog related to the Transparency Report, Jeremy Kessel, Manager, Legal Policy at Twitter Inc, writes that since 2012, Twitter's seen an uptick in requests to withhold content from two to seven countries. He writes that while Twitter wants to publish “numbers of national security requests – including FISA (Foreign Intelligence Surveillance Act) disclosures – separately from non-secret requests.” It claims it has “insisted” that the United States government allow for increased transparency into “secret orders”. “We believe it’s important to be able to publish numbers of national security requests – including FISA disclosures – separately from non-secret requests." Unfortunately, we are still not able to include such metrics, Twitter states.

'Not the Whole Truth'

In the absence of these metrics, Sunil Abraham, director of Centre for Internet and Society, feels transparency reports “may not tell us the whole truth”. The Xkeyscore revelations then may explain why the U.S. government has made only 902 information requests. “A rogramme like XKeyScore potentially allows them to capture the very same data without having to approach Twitter. This is the very same imperative behind the CMS project in India. Governments across the world want to automate private sector involvement in blanket surveillance measures so that it wont serve as a check on their unbridled appetite for data”

He warns that there's a likely “race to the bottom”, given that an unintended consequence of transparency may be that governments, rather than being shamed into respect for free speech and privacy, would be emboldened by the scale of surveillance and censorship in the so-called democracies such as the US and EU members that are on top of the global blanket surveillance game.

For more details visit https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures

TOI literary festival kicks off today

praskrishna — 2015-02-05T15:37:21Z

The Times Litfest 2015, Bengaluru, kicks off on Saturday at the Jayamahal Palace Hotel. The two-day festival is among the biggest such literary enclaves in Bengaluru. It'll see some of India's foremost creative minds talk, argue, debate, discuss and engage with vital topics which touch our lives.

Over two busy days, achievers from every field will talk about reading, writing, culture, journalism, food, comedy, sport, films and much, much more. Speakers on Day 1 include historian Ramachandra Guha, NR Narayana Murthy and Snapdeal CEO Kunal Bahl, star chef Manu Chandra, and comedians Radhika Vaz and Rubi Chakravarti.

It's not all fun and games. Our serious sessions include Raghavendra Joshi talking about his father Bhimsen Joshi's legacy; Rohan Murty (founder of the Murty Classical Library), author and historian Vikram Sampath and translator Arunava Sinha on preserving our cultural heritage; and Pranesh Prakash of Centre for Internet and Society, Lawrence Liang of Alternative Law Forum, and author and journalist Vivek Kaul on internet censorship and net neutrality.

Read the full coverage on the Times of India newspaper here

For more details visit https://cis-india.org/internet-governance/news/times-of-india-january-31-2015-toi-literary-kicks-off-today

To regulate Net intermediaries or not is the question

sunil — 2012-08-26T06:12:48Z

Given the disruption to public order caused by the mass exodus of North-Eastern Indians from several cities, the government has had for the first time in many years, a legitimate case to crackdown on Internet intermediaries and their users.

Sunil's column was published in the Deccan Herald on August 26, 2012.

There was, of course, much room for improvement in the manner in which the government conducted the censorship. But the policy question that becomes most pertinent now is: do we need to regulate Internet intermediaries further? The answer is yes and no.

There are areas where these intermediaries need to be regulated in order to protect citizen and consumer interest. But to deal with rumour-mongering and hate speech, there is sufficient provisions in Indian law to deal with the current disruption in public order and any similar disruptions in the future.

It is a common misunderstanding to assume that all civil society organisations that advocate civil liberties on networked technologies are regulatory doves that wish to dismantle regulation of the private sector and allow them complete free hand for innovation and, perhaps, causing harm to public interest.

The opposite is also not necessarily true. We are not hawks, those that believe in maximal regulation of the private sector. The state should regulate the private sector in areas where the citizens are unable to protect their own interest and self-regulation is inadequate. But there are many other areas where regulation needs to be dismantled in the interests of citizen and public interest.

Dr Rohan Samarajiva, founder of a Colombo-based regional policy think tank LIRNEasia, explains this best using the ‘law of soft toys’. When his daughter was young he told her that in Sri Lanka there was a law which mandated that every time she got a new soft toy, she would have to necessarily give away another one.

The regulatory lesson here is: the mandate for regulation cannot keep endlessly expanding. As the government moves into new areas of regulation, it should also exit other older areas where regulatory rupee is providing limited returns. These decisions should be based on evidence of harm caused to citizens and consumers. The following are a list of areas where regulation is required for Internet intermediaries:

Privacy: India needs the office of the privacy commissioner established and an articulation of national privacy principles through the enactment of the long awaited Privacy Act. This privacy commissioner should be able to investigate complaints against intermediaries, proactively investigate companies, order remedial action and fine companies that violate the principles and other policies in force. Remedial action could require change in policies, features, data retention policies and services etc.

Competition: Many of these intermediaries have been taken to court on anti-trust complaints, fined and subjected to remedial action by regulators in America and Europe.

Earlier this year, BharatMatrimony.com has filed a complaint against Google at the Competition Commission of India (CCI) alleging anti-competitive practices in its Adwords program. In addition, based on a report submitted by Consumer Unity & Trust Society (CUTS), a civil society organisation, CCI has initiated an investigation into Google's search engine for anti-competitive practices. If they are found guilty of breaking competition law they could be fined up to 10 per cent of their turnover.

Speech: Article 19(2) of the Constitution permits Parliament to enact laws that place eight categories of reasonable restrictions on speech. Unfortunately, the Information Technology Act and its associated rules attempts to expand these restrictions and in addition does not comply with the principles of natural justice. Ideally, all those impacted by the censorship should be informed and should be able to seek redress and reinstatement for the censured speech.

The policy sting operation conducted by the Centre for Internet and Society (CIS) last year demonstrated that intermediaries are risk-averse and tend to over-comply with takedown notices. There is a clear chilling effect on speech online and it is important that the Act and rules be amended at the earliest.

Intellectual Property: Policies that fall under this inappropriate umbrella term for many differently configured laws make the yet unproven fundamental assumption that granting limited monopolies to rights holders, usually corporations, will result in greater innovation. However, citizen and consumer interest is protected through provisions for exceptions and limitations in laws such as copyright, patent, trademarks etc. Some examples of these safeguards that guarantee access to knowledge in Indian law include compulsory licences, patent opposition, fair-dealing etc.

There are many other areas where special treatment may be required for intermediaries. For example tax law needs to handle evasion techniques like the Double Irish and the Dutch Sandwich. Given my lengthy wish-list of regulation of Internet intermediaries, why then has CIS become an NGO member of the Global Network Initiative?

This is because I believe that technological development happen too quickly for us to purely depend on government regulation. Self-regulation has an important role to play in keeping up with these rapid changes. As self-regulatory norms mature they could be formalised into policy by the government.

Therefore, I consider it a privilege that CIS has been accepted as a member of this self-regulatory initiative and we influence GNI norms using our Indian perspective. However, when self-regulation fails to protect public interest, then the government must step in to regulate Internet intermediaries.

For more details visit https://cis-india.org/internet-governance/www-deccan-herald-aug-26-2012-to-regulate-net-intermediaries-or-not-is-the-question

To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI

Admin — 2018-02-07T01:00:00Z

Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.

The article by Komal Gupta was published by Livemint on February 7, 2017

To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.

Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.

Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.

According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.

“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.

Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.

It added that in case a person loses his Aadhaar card, he can download the card free from https://eaadhaar.uidai.gov.in.

Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.

The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.

“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar

To preserve freedoms online, amend the IT Act

gurshabad — 2019-04-16T10:09:41Z

Look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

The article by Gurshabad Grover was published in the Hindustan Times on April 16, 2019.

The issue of blocking of websites and online services in India has gained much deserved traction after internet users reported that popular services like Reddit and Telegram were inaccessible on certain Internet Service Providers (ISPs). The befuddlement of users calls for a look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.

Among other things, Section 69A of the Information Technology (IT) Act, which regulates takedown and blocking of online content, allows both government departments and courts to issue directions to ISPs to block websites. Since court orders are in the public domain, it is possible to know this set of blocked websites and URLs. However, the process is much more opaque when it comes to government orders.

The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, issued under the Act, detail a process entirely driven through decisions made by executive-appointed officers. Although some scrutiny of such orders is required normally, it can be waived in cases of emergencies. The process does not require judicial sanction, and does not present an opportunity of a fair hearing to the website owner. Notably, the rules also mandate ISPs to maintain all such government requests as confidential, thus making the process and complete list of blocked websites unavailable to the general public.

In the absence of transparency, we have to rely on a mix of user reports and media reports that carry leaked government documents to get a glimpse into what websites the government is blocking. Civil society efforts to get the entire list of blocked websites have repeatedly failed. In response to the Right to Information (RTI) request filed by the Software Freedom Law Centre India in August 2017, the Ministry of Electronics and IT refused to provide the entire of list of blocked websites citing national security and public order, but only revealed the number of blocked websites: 11,422.

Unsurprisingly, ISPs do not share this information because of the confidentiality provision in the rules. A 2017 study by the Centre for Internet and Society (CIS) found all five ISPs surveyed refused to share information about website blocking requests. In July 2018, the Bharat Sanchar Nagam Limited rejected the RTI request by CIS which asked for the list of blocked websites.

The lack of transparency, clear guidelines, and a monitoring mechanism means that there are various forms of arbitrary behaviour by ISPs. First and most importantly, there is no way to ascertain whether a website block has legal backing through a government order because of the aforementioned confidentiality clause. Second, the rules define no technical method for the ISPs to follow to block the website. This results in some ISPs suppressing Domain Name System queries (which translate human-parseable addresses like ‘example.com’ to their network address, ‘93.184.216.34’), or using the Hypertext Transfer Protocol (HTTP) headers to block requests. Third, as has been made clear with recent user reports, users in different regions and telecom circles, but serviced by the same ISP, may be facing a different list of blocked websites. Fourth, when blocking orders are rescinded, there is no way to make sure that ISPs have unblocked the websites. These factors mean that two Indians can have wildly different experiences with online censorship.

Organisations like the Internet Freedom Foundation have also been pointing out how, if ISPs block websites in a non-transparent way (for example, when there is no information page mentioning a government order presented to users when they attempt to access a blocked website), it constitutes a violation of the net neutrality rules that ISPs are bound to since July 2018.

While the Supreme Court upheld the legality of the rules in 2015 in Shreya Singhal vs. Union of India, recent events highlight how the opaque processes can have arbitrary and unfair outcomes for users and website owners. The right to access to information and freedom of expression are essential to a liberal democratic order. To preserve these freedoms online, there is a need to amend the rules under the IT Act to replace the current regime with a transparent and fair process that makes the government accountable for its decisions that aim to censor speech on the internet.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act

Time to bury e-mail?

praskrishna — 2011-04-02T07:30:10Z

Earlier this week, Mark Zuckerberg, founder of Facebook, had a simple message to the world: email is outdated since it can no longer handle the sort of digital communication that we’ve got used to. Facebook Messages, which integrates email, SMS, instant messaging and social networking, is the way forward, he claimed.

Zuckerberg isn’t the first one to point out the limitations of email. Last year Google too said that email, a technology invented in the ’60s, was not equipped to serve our current needs. “Wave is what email would look like if it were invented today,” Google proclaimed during the launch of Google Wave.

As it turned out, Wave was a great product but served an entirely different purpose — collaboration. While this made sense at the enterprise level, it didn’t offer much added value to email users engaging in one-to-one conversations. Google Wave today is defunct since users didn’t buy into Google’s argument. Will Facebook Messages suffer the same fate?

The answer depends a lot on whether users face the problem that Zuckerberg claims they do. “A lot of people are trying to solve the problem of email. But I don’t know what that problem is,” says Mahesh Murthy, CEO, Pinstorm, a digital marketing agency. According to Murthy, there are three main issues with email: storage space, spam filtering and prioritising messages. And modern email services such as Gmail have evolved to address these concerns.

Facebook obviously thinks otherwise. According to the company we need one inbox for all our digital communication, which includes emails, chats and SMS. Second, messages from your Facebook contacts will be considered more important and will go into Social Inbox. All other messages will go into a separate folder. Third, messages will be threaded according to people and not subject lines as is the case with Gmail and other email services.

According to Gaurav Mishra, head, social media practise, MS&L Group, these are compelling reasons to start using Facebook Messages. But enough to ditch your email account? Not quite, say experts.

“Integration is a marketing myth,” says Nishant Shah, director, Centre for Internet and Society, a Bangalore-based research organisation, “Many of us like to keep our information in different silos. We have heard of young people getting fired from their jobs because they were not able to keep personal information compartmentalised.”

Secondly, giving greater priority to messages from people in your contact list may be misplaced. “The nature of conversation on Facebook is casual and the criticality of a message and hence the need for an immediate response may not be that high,” points out Murthy. An email from, say, a client or a prospective recruiter who may not be on your friends list, may be more critical.

There’s no doubting that Facebook Messages could change the way we conduct our casual conversations. But email serves basic and universal needs. For example, while introducing the new service, Zuckerberg pointed out how school kids felt email was too slow. According to Shah, however, it is important to understand what the kids found email slow for. A movie plan can be made quicker through SMS, but the same kids might submit their assignments via email.

Of course, Zuckerberg has not claimed that Facebook Messages will be an email — or more specifically Gmail — killer. But Facebook’s PR machinery would have known how the media would react. By undermining the very concept of email — one of Google’s strongest products — Facebook has managed to make Google look like the hero of yesteryears.

Analysts agree that Facebook Messages is really about retaining users on its website — if Facebook can give its users a reason to spend more time on its website rather than that of an email service, it can serve more ads. “It is about economics. But Facebook is trying to turn it into a cultural argument,” says Shah.

Still, one thing is certain; Facebook Messages will not suffer the same fate as Google Wave, partly because it is simply an update (and a rather good one) to an existing feature within Facebook. But it is far from a replacement to email. As Mishra puts it, “I will not close down my existing email ids. But I will start using Facebook to message my relatives and friends. It is going to be the future of messaging, not the future of email.”

Read the original in DNA

For more details visit https://cis-india.org/news/bury-email