We are anonymous, we are legion

Activists welcome privacy Bill, but point out concerns

praskrishna — 2011-04-02T11:42:47Z

Experts have welcomed the government's move to bring in a law for protecting individual privacy, amid concerns about the potential misuse of personal data it is collecting to execute social welfare and security schemes.

But they warn that overlaps with existing laws, a limited consultation process and failure to keep up with technological advances could undercut the utility of the planned legislation.

The Union government has set up a panel of secretary-level officials to prepare a blueprint for a law to protect individual privacy and personal data from misuse, even by the government, Mint reported on Monday.

The government is collecting personal data to operate schemes such as Aadhaar--a project to provide numeric identity cards to all residents, and the National Intelligence Grid (Natgrid), which will track information obtained by 11 law enforcement and intelligence agencies.

These agencies can access details of phone calls, credit card transactions, visa, immigration and property records, and driving licences of all citizens, as well as their iris and thumb-prints.

Lawrence Liang, a lawyer who works with Bangalore-based Alternative Law Forum, said the planned law will check the manner in which private companies use the personal data of citizens.

"Currently, there are only private contracts between individuals and companies on how personal data is used. With this legislation, the individual is more empowered. The state can back him better in case of a dispute," he said.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, which has protested Aadhaar's project structure, also welcomed the move.

"The privacy Bill guidelines are fairly broad. It is early days yet. Their will be a large overlap between the privacy and Aadhaar Bills," he said.

Faking biometric data, for instance, isn't a violation of privacy in the proposed law but could be criminally cognizable under the Aadhaar Bill, Abraham said. "It will be interesting to see how these issues are tackled as there are several nuances and grey areas."

A scientist at the Institute for Genomics and Integrative Biology in New Delhi said new kinds of privacy issues will emerge because of the imminent rise of bioinformatics applications.

There are no products or applications today that rely solely on biometric information to breach individual privacy, he said, requesting anonymity.

"But within five years, it will be easier to collect biometric information and link it to other details such as credit card information and driving licence numbers on a large scale. There could then be issues of privacy that will emerge," he added.

Leo Saldanah, coordinator at the Bangalore-based Environment Support Group and another critic of Aadhaar, said the planned privacy Bill is a sham.

"Privacy is anyway enumerated in our constitutional rights under Article 21. But governments have anyway accessed information via phone taps unencumbered," he said. "I don't think the existence of legislation per se will change matters on the ground."

Link to the article on DailyMe

For the article in Livemint

For more details visit https://cis-india.org/news/privacy-bill

Activists demand judicial probe into WhatsApp snooping

KV Kurmanath — 2019-11-15T00:53:02Z

Calls for Parliamentary supervision over Government interception, legal hacking.

The article by K.V. Kurmanath was published in the Hindu Businessline on November 1, 2019. Sunil Abraham was quoted.

With reports of Israeli spyware being used to snoop on scores of WhatsApp subscribers, cyber security activists have appealed to the Supreme Court to take up the issue suo moto and order an inquiry. Kiran Chandra, a leader of the Free Software Movement of India, has said that the Government should rein in WhatsApp and mandate it to submit the source code, stating that the privacy of individuals is at stake.

Though reports of a breach of the WhatsApp network hit the headlines in the US six months ago, it is only in the last few days that the impact in India has become a burning issue.

“We, for long, have been arguing that the privacy of individuals on the Internet is at risk. The Government should have enough safeguards to ensure their safety,” said Chandra.

Sunil Abraham, Executive Director of the Centre for Internet and Society, has called for a dedicated law to ensure Parliamentary supervision for all Government interception and legal hacking programmes. "The data protection law which is being contemplated by the current administration will not address the surveillance policy question in totality," he pointed out.

"It is a truly worrying development that members of civil society are being targeted using sophisticated surveillance technologies without proper legal basis and without any oversight," he said.

Cyber security and privacy experts took to social media to express concern about the vulnerabilities that expose people to potential risks.

Srinivas Kodali, a privacy activist, said the use of Israeli firm NSO Group’s Pegasus spyware to monitor human rights defenders and academics is a clear violation of their fundamental rights. “The Supreme Court judgement on right to privacy has been very loud and clear that Indians’ fundamental rights can’t be exempted under national security without defining it,” he said, responding to a query on the breach of WhatsApp subscribers’ privacy.

“The operations of national security agencies are completely hidden and are not subjected to any legislative or judicial oversight. This cannot continue as they misuse the powers bestowed on themselves without any law on surveillance from Parliament,” he said.

The Internet Freedom Foundation has expressed concerns about the breaches. It wanted the Government to explain on how this spyware was used in India to hack citizens.

“The Government must issue an official public statement providing complete information. It must also clarify which law empowers it to install such spyware,” it said in a statement.

The US-based social media platform has started sending messages to subscribers whose accounts may have been compromised. It contains information about the breach and a link with a to-do list to stay safe.

The victims of the attack, which purportedly took place in April-May 2019, included human rights activists, journalists and Dalit activists.

At least two victims of the spyware attack confirmed receipt of alert messages from WhatsApp. “I received a call (from abroad) in the first week of October. But I ignored it as it was from an unknown number. I received a message from WhatsApp, alerting me about a probable intrusion,” a civil rights lawyer said.

How it happened

“In May, we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure,” the message received by the victim said.

WhatsApp, a Facebook arm, sent these special messages to about 1,400 users who may have been impacted by the spyware attack. It is working with The Citizen Lab, a research group with the University of Toronto’s Munk School, to assess the impact of the attack on civil society.

In a statement, WhatsApp said: “We provide end-to-end encryption for all messages and calls by default. (But) This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones.”

WhatsApp moved a US court against the Israeli company NSO Group, and its parent company Q Cyber Technologies, alleging that they violated both US and California laws and WhatsApp’s Terms of Service, which prohibited such intrusions.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-november-1-2019-kv-kurmanath-activists-demand-judicial-probe-into-whatsapp-snooping

Activists cry foul against Aadhaar

praskrishna — 2012-01-31T04:24:39Z

Biometric experts, jurists and social activists today urged the state government to immediately snap ties with the Unique Identification Authority of India (UIDAI) and stop offering Aadhaar numbers to residents.

Arguing that the creation of Aadhaar numbers had no legislative base as the National Identification Authority of India Bill, 2010, was pending with Parliament, civil society members said UIDAI’s project was unconstitutional.

They pointed out that the parliamentary standing committee had termed the biometric project “directionless”.

“The biometric database of citizens, management of which will remain in the hands of some private companies, severely infringes on the right of citizens to privacy. A rule relating to security of biometric data is yet to come up, but UIDAI is going on generating them,” said Usha Ramanathan, a jurist from Delhi at a meeting on the UID project here.

The meet on Aadhaar was convened in the state capital by the Indian Social Action Forum. The participants included social activist Dayamani Barla, director of Bangalore-based Centre for Internet and Society Sunil Abraham, biometric expert from Mumbai J.T. D’ Souza and member of Citizens’ Forum for Civil Liberties Gopal Krishna, among others.

The unique numbers are expected to be utilised extensively, from opening bank accounts to applying for LPG connections. UIDAI has already generated roughly 10 crore unique numbers.

Neither the Citizenship Act, 1955, nor Citizenship Rules of 2003 permit collection of biometrics, the experts added. “Both the UID and National Population Registrar projects adopt technology that risks national and individual security,” observed D’ Souza.

The news was published in the Telegraph on Thursday, 12 January 2012. Read the original story here

For more details visit https://cis-india.org/news/activists-cry-foul-against-aadhaar

Act now to protect yourself against future ransomware attacks

praskrishna — 2017-07-10T14:46:14Z

There was Wannacry, then Petya, and several other lesser-known ones: With ransomware attacks coming thick and fast, get proactive about protecting yourself.

The article by Sanjay Kumar Singh was published by Business Standard on July 5, 2017.

The Wannacry ransomware attack in May was followed by the Petya attack last week. This attack affected the Ukrainian government and large corporates like Maersk and Merck. In India it affected the operations of terminals at Jawaharlal Nehru Port Trust (JNPT), operated by Maersk. According to Kaspersky Lab, the rate of ransomware attacks on businesses grew from one every 120 seconds in January 2016 to one every 40 seconds by October that year. The rate of attack on individuals' computers rose from one every 20 seconds to one every 10 seconds over this period. Today, it has become imperative for everyone, including entrepreneurs and small business owners, to learn how to defend themselves against such attacks.

A trend witnessed in 2016 was the growth of ransomware-as-a-service business model. "Code creators offer their malicious product on demand, selling uniquely modified versions to criminals who then distribute it through spam and websites, paying a commission to the creator," says Altaf Halde, managing director, Kaspersky Lab (South Asia). He adds that the growth of cashless payments in India will undoubtedly attract the attention of cyber criminals and lead to more attacks in future.

Next, let us turn to how ransomware works. An operating system (OS) is a large and complicated piece of software with millions of lines of software code. A malware exploits vulnerabilities within the OS to infiltrate it. An infiltration can happen in multiple ways: if you download a malicious email attachment, visit a code-carrying web site, via an infected pen drive, and so on.

Ransomware is a form of malware that encrypts the files in a critical part of the computer, such as My Documents or Desktop, where people usually store their files. It could also encrypt specific file types, say, such .doc files. The user is then informed that his files have been encrypted along with the warning that unless he pays up within the next few hours his files will be deleted. Says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru: "You first have to first pay the attackers using anonymous money like bitcoins and then they give you the key for decrypting your files."

A ransomware attack can be dealt with in two ways: either pay the money and get the files unlocked, or find a way to circumvent the encryption. The latter option can, however, take a fair bit of time.

Safeguard measure you should adopt
Back up important files regularly. Check periodically that these files have not got damaged Enable ‘Show file extensions’ option in Windows settings. Stay away from extensions like “exe”, “vbs” and “scr”. Many familiar file types can be dangerous as scammers use multiple extensions (like hot-chics.avi.exe or doc.scr) If you discover an unknown process on your machine, cut off the Internet connection immediately If you have been infected, find the name of the ransomware. If it's an older version, your files can be restored. For restoration tools visit https://www.nomoreransom.org/

Among the safeguard measures you should adopt, first and foremost, never open a suspicious file. By being vigilant you can avoid a lot of ransomware attacks.

Most malware exploit vulnerabilities within the OS. "These vulnerabilities are frequently patched by the creators of the OS. But if people use pirated OS, or don't upgrade it regularly, they could land in trouble," says Tiwari. Soon after the Wannacry attack, Microsoft had issued a patch. People who updated their computers immediately didn't get affected by it. Also, use the latest version of an OS.

Use a quality antivirus (AV) solution, which is usually one you have to pay for. A high-quality AV can even protect you against vulnerabilities not patched by the OS manufacturer. AVs scan files. If they detect patterns indicating the presence of malware, they lock them apart from the rest of the computer, thereby preventing them from spreading.

One option is to use an OS that is less vulnerable, like Mac and Linux. Fewer malware are designed for these OS as fewer people use them.

Finally, if your files do get encrypted, don’t pay the ransom, unless instant access to those files is critical. "Each payment only fuels this unlawful business," says Halde.

For more details visit https://cis-india.org/internet-governance/news/business-standard-july-5-2017-sanjay-kumar-singh-act-now-to-protect-yourself-against-future-ransomware-attacks

Accountability of ICANN

smarika — 2014-05-28T10:50:22Z

The issue of how to ensure the legitimacy and accountability of ICANN is a concern which finds voice in many of the proposals. Four broad stands can be gleaned from the submissions to NETmundial '14 on this issue.

The issue of how to ensure the legitimacy and accountability of ICANN is a concern which finds voice in many of the proposals. Generally speaking, the issue of representation, and legitimacy of ICANN members is a point which all proposals regarding ICANN accountability consider. The issue of funding also came up in several of the submissions. The Brazilian Internet Steering Committee, Joint Contribution of Civil Society from Latin America, submissions from University of Gezira in Sudan and NIC Mexico, called for increased funding for participation of stakeholders from developing countries in ICANN and other multistakeholder meetings. The Government of Austria expressed concern over dwindling funding of IGF and called for improvement of the same. In this scenario of crunched funds, submissions by Article 19 and BestBits as well as Net Coalition proposed the use of a percentage of ICANN’s gTLD revenues to fund inclusive participation in the multistakeholder process.

Apart from these concerns, submissions to NetMundial '14 also raised a myriad of different issues around the functioning of ICANN. Nevertheless, four broad stands can be gleaned from the issue of accountability of ICANN. These are as follows:

I. Submissions which suggest that oversight over ICANN should end, and ICANN accountability should be internalised.

8 submissions to the NetMundial 2014 were of the opinion that ICANN should become an independent body with no oversight exercised by any other body on it. In other words, these proposals opposed the replacement of current US government oversight on ICANN, by oversight through any other body. In such a case, accountability of ICANN was sought to be ensured through strengthening multistakeholderism and reform within the ICANN structure.

Most of these submissions came from the civil society (4) or the technical community (2); 1 from Panel on Global Internet Cooperation and Governance Mechanisms, which identifies as “other”, and 1 from the Government of France. 3 of these proposals represent a global community, 2 come from North America or USA, 1 from France, 1 from New Zealand and 1 from the Democratic Republic of Congo.

The ICANN model proposed in the submission from Internet Governance Project (IGP), from the North American civil society, found support among other contributors in this category. The proposal was based on the principle that oversight of ICANN must not be internationalised but ended. The rationale behind such proposal was that giving additional stakeholders besides the NTIA a say in IANA function and ICANN oversight will only politicise ICANN and make it a subject of possible geopolitical power struggles by governments, ultimately ignoring the interests of internet users all over the world. While calling for an end to ICANN oversight through any or all government agencies, the proposal also called for the strengthening of multistakeholderism within ICANN. This proposal was explicitly supported by InternetNZ, from the New Zealand technical community, in its proposal, as well as to quite an extent by Article 19 and BestBits, from the global civil society, in their proposal.

IGP’s submission also suggested whittling down of ICANN’s powers in order to separate management of IANA functions from ICANN’s present mandate. This is a point where the submissions in this category diverge. Submissions from IGP with Article 19 and BestBits, Association for Progressive Communications (APC) from the civil society and InternetNZ and Avri Doria, from the technical community, recommended the separation of IANA functions from the ICANN. The French Government submission, on the other hand, did not envisage separation of management IANA function from ICANN, but rather the internalisation of the former within the latter, even as proposing an independent and multistakeholder structure for ICANN with suitable accountability mechanisms for all stakeholders.

The submission from Article 19 and BestBits, in fact, suggested further narrowing of ICANN’s mandate by explicitly including a clause in its bylaws to prevent it from engaging in content regulation or conduct that could violate freedom of expression or privacy on the internet, including technical policy making involving trademarks and intellectual property. Such suggestions were made based on the fear that, if unregulated, ICANN might increasingly make its foray into public policy issues like content regulation, as happened in the .xxx controversy. Consequently, the submission from Article 19 and BestBits also suggested that ICANN’s bylaws include a provision whereby private parties can legally challenge ICANN’s actions on grounds of human rights violations before local courts or arbitration tribunals.

This approval for local dispute resolution when the submission agrees with the suitability of Californian law for ICANN incorporation is, however, likely to cause consternation amongst non-American stakeholders. While the submission is not averse to the idea of ICANN expanding its reach globally through creation of subsidiaries (preferably in western Europe), it also takes a firm stand on ICANN not moving its headquarters out of the US. The advantages of such status quo are seen in stability of current agreements with registrars etc., but the idea of ICANN being ultimately subject to Californian law and its courts is unlikely to go down well with other global stakeholders.

One concern found across board, but more explicitly in submissions of Article 19 and BestBits and Avri Doria was the strengthening of ICANN board by making it more representative and accountable through mechanisms of internal accountability like the ATRT2 Transparency and Accountability Review process. Avri Doria of USA, in her submission suggested, the improvement of accountability mechanisms in ICANN by supplementing the ATRT process with a strong appeals mechanism, as found in IETF, for accountability process and results with powers to remove officers from their roles if they do not fulfil their responsibilities. Strengthening of GAC within ICANN by making it more participatory and representative is another concern which is highlighted.

II. Submissions which suggest that oversight of ICANN should be transferred to a multilateral or intergovernmental body

A second, small category of 4 submissions argued that the oversight function of the ICANN should be transferred from the present unilateral U.S. government (NTIA) oversight, to oversight by all countries. This was suggested to counter the power imbalance exercised by one country over critical internet infrastructure, over others, by sharing oversight of ICANN with all others.

In their details, submissions in this category can be vague. While some of them envisioned transfer of ICANN control by the US Government to an intergovernmental body like the ITU, others do not specify the details of the transfer, but merely mention that ICANN oversight should be multilateral in nature. Submissions from CIPIT, part of the Kenyan academia and The Society for Knowledge Commons, civil society stakeholder covering India and Brazil, mentioned that the oversight of technical policy functions should be “multilateral” in nature, while the submission by the Government of Iran called for restructuring ICANN as an “international” organisation.

The submission by Swiss civil society organisation, Association for Proper Internet Governance, referred to the response by the Syrian representative in ITU to RFC sought by the US Department of Commerce, to bring ICANN in the aegis of ITU by signing of a MoU between the two entities, as far as technical policy decisions (eg. development of policies relating to operation of root servers and those relating to operation and administration of gTLDs and ccTLDs) are concerned. Such a proposal was found necessary in light of the non-binding advisory nature of GAC in ICANN, especially when technical policy decisions by ICANN have public policy implications. In such a scenario, the submission dubs it “strange” to relegate government to a subsidiary role within ICANN and “unusual (to say the least)” for governments to constitute a sub-committee of the board of a private company like ICANN. Consequently, the MoU between ITU and ICANN is sought to make GAC a group within ITU so as to strengthen its legitimacy and accountability.

III. Submissions which suggest that oversight of ICANN should be transferred to another body not intergovernmental in nature.

10 submissions suggested the transfer of ICANN oversight to a non-intergovernmental or multilateral body. 2 of these proposals came from governments and 1 from the Brazilian Internet Steering Committee, which identifies as “other”, 3 from the private sector, 2 from civil society and 1 from technical community and academia each. Most of these proposals come from European stakeholders (5), 1 each from Brazil and Argentina, 1 from India, 1 from Nigeria, and 1 from the global civil society group, Just Net Coalition.

Like the last category, these submissions also expressed their dissatisfaction with the unilateral US Government oversight of ICANN, but suggested replacing it with a non-multilateral body. Details of the composition of such bodies vary. Some called for replacement by a technical body, other envision a wholly newly created multistakeholder body, yet others called for signing of the present ICANN AoC with US Government, by a number of stakeholders, which would not include just governments.

One such submission came from Portuguese academic, Luis Magalhaes, which called for the signature of ICANN AoCs with all the stakeholders in internet governance, thus effectively replacing oversight by NTIA to oversight by all stakeholders. This submission also expressed concern over the incorporation of ICANN under Californian law, and suggests that ICANN should be regulated in an international law framework, though without relinquishing its control to merely governments. Submission by the private sector stakeholder Orange Group also looked to expand the AoC of ICANN to include within it, the “ICANN community and stakeholders including Governments represented through the GAC.”

Private sector stakeholder from the UK, Nominet, similarly, called for wider engagement in the ICANN AoC and ensuring wider engagement for transparency and accountability in the AoC process. It also called to end ambiguity about the legal jurisdiction for ICANN, while including and strengthening ITU and IGF in the internet governance ecosystem. Submission by private player, Data Security Council of India, while endorsing “a multistakeholder model with defined roles of relevant stakeholders” was vaguer about the model it sought for ICANN. But it called for nomination of stakeholders by Governments rather than ICANN selecting them without transparency.

The Austrian Government submission, on the other hand, was more ambiguous. It envisaged the extension of AoCs regarding ICANN and IANA while ensuring “the full participation of all stakeholders, from both developed and developing countries, within their respective roles and responsibilities.” In its submission, the Government of Argentina sought to “promote the internationalisation of ICANN through a deep revision of the current structure,” and ensure “active representation from all regions and all actors in the ICANN structure, including representatives of governments on an equal footing,” especially in the structures of ICANN Board, SSAC and GNSO.

The submission by Brazilian Internet Steering Committee similarly, looked to export oversight to entities outside of ICANN in its submission, as long as such entities are recognised as representative of the international public interest. This was suggested with the rationale to avoid a situation where the same organisation is responsible is responsible for policy making as well as its implementation. The Committee also suggested strengthening of ATRT2 process, as well as reform of GNSO and of ALAC so that the latter can have transparent processes for nomination of members, as well as participate in policy development processes in GNSO, along with increased government participation in GNSO. It was also suggested that the number of ICANN Board seats allocated by NomCom should be reduced in order to increase slots for Board members directly elected by the SOs.

Other submissions offered a more detailed view into the composition of the oversight entity recommended to replace NTIA. The submission by global civil society organisation, Just Net Coalition, for example, proposed the formation of a “Internet Technical and Advisory Board” to discharge ICANN oversight function by replacing the present NTIA oversight role. In addition, this board was recommended to advice on public policy perspectives to various technical standards bodies, and thus act as the link between public policy bodies and these standards bodies. The composition of such a board was recommended to consist of people with specialised technical expertise but also with appropriate political legitimacy, ensured via a democratic process. 10-15 members were envisaged in such a board which could include 1 member from each of the Regional Internet Registries (RIRs). 2-3 members from each of the 5 geographic regions as understood in the UN system to be selected through an appropriate process by the relevant technical standards bodies and/or country domain name bodies of all the countries of the respective region were suggested to be part of the board. It was preferred that these members would come from the top recognised technical academic bodies of each country/region, but the entire constitution of the board was left open to other suggestions in Just Net Coalition’s submission.

The technical community stakeholder, Nigeria Internet Registration Association, on the other hand, offered a rather confused proposal for the formation of a “World Internet Governance Organisation (WIGO),”envisaged as “a global organisation with equal participation of the Government, Private sector, Civil Society, Technical Community in a multi-stakeholder consensus building NET-NATIONS.” But while in the beginning the submission suggests a multistakeholder composition of WIGO, seemingly for oversight of ICANN, later the submission sparks the idea that ICANN itself should be changed to WIGO.

Global Geneva’s submission proposed to transfer ICANN oversight to a body called World Internet Forum, which, while part of the UN system, is envisioned as a multistakeholder venue for citizens globally, where constituencies are not governments. ICANN is allowed to pursue technical policy functions like gTLD management under the supervision of WIF, while not encroaching on public policy matters. IANA function is envisaged to be managed separately from the ICANN.

In many of these submissions, like those of Argentinian Government and Brazilian Internet Steering Committee emphasis was also paid on the strengthening of GAC, while taking into consideration stakeholders other than governments.

IV. Submissions which endorse globalisation and multistakeholder governance of ICANN but are vague about the specifics of such governance model

Lastly, there are submissions which call for the globalisation of ICANN and express their dissatisfaction with the U.S. Government oversight of it, while endorsing multistakeholder governance. However, these submissions are also vague about the details of such ICANN globalisation, and the structures in which it will be held accountable. 4 such submissions emerge from governments (Spain, Norway, Mexico and the European Commission), 6 from the private sector, 2 from the technical community, and 2 from the civil society. Europe leads in this category of proposals with 6 of these proposals emerging from there, 2 from Latin America and Mexico each (4 altogether), 1 from Kuwait, 1 from Japan, 1 from the NRO (identifying itself from Mauritius) and 1 from the global GSM Association of mobile operators.

A list of these submissions is provided below.

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10.	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
10.	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
11.	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany/Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
12.	135	Joint Contributions of Civil Society Organisations from Latin America to NetMundial	Group of individuals and Civil Society Organizations from Latin America	Civil Society	Latin America	http://content.netmundial.br/contribution/joint-contributions-of-civil-society-organizations-from-latin-america-to-netmundial/251
13.	143	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
14.	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

***

A previous version of this post performed preliminary analysis of the NETmundial submissions. It may be found here.

For more details visit https://cis-india.org/internet-governance/blog/accountability-of-icann

Accessing pirated content might lead to prison term & Rs 3-lakh fine

praskrishna — 2016-08-23T02:47:52Z

India puts onus of downloading and viewing pirated content on individuals.

The article by Alnoor Peermohammed was published in the Business Standard on August 22, 2016. Sunil Abraham was quoted.

The central government is putting the onus of downloading and viewing of copyrighted content from sites it has blocked (with the help of internet service providers) on users.

Visiting torrent (a particular type of files) websites while on Tata Communications’ network recently had users being shown a message that viewing or downloading content on those sites could land them in prison for up to three years and a fine of up to Rs 3 lakh.

“There is not enough room in our prisons to keep these infringers and enough time in our courts to try them. It might sound very exciting as a message to put out but, essentially, they’re trying to scare people into good behaviour,” said Sunil Abraham, executive director at research firm Centre for Internet and Society.

There has been no change to the Copyright Act of 1957 or the Information Technology Act of 2000 for the updated notice being shown to users upon visiting blocked sites. Under these provisions, visiting a site, which is blocked is not illegal, unless it is child pornography.

“Copyright infringement happens all the time and even in developed countries, the rates are very high. Crackdowns on individuals and consumers are never going to solve the problem,” added Abraham.

Experts say the most the government could do is prosecute a couple of people and make examples of them, to dissuade others. This practice is followed globally. There are no examples, though, in India of prosecution for copyright infringement of online content.

The recent alteration of the statement seen by users on Tata networks was done on the directives of the Bombay High Court, after the company appealed that showing individual messages for why each website was blocked was not feasible. The resulting message sparked media frenzy that visitors of blocked websites could now be imprisoned.

Other media reports revealed that the recent blocking of websites by internet service providers was prompted by court orders to prevent piracy of Dishoom, the Bollywood movie.

Globally, there’s been a move to clamp on torrent websites which host pirated content, aided by large information technology entities such as Apple or Facebook. Last month, the US authorities arrested Kickass Torrents’ founder, Arten Vaulin, and blocked all the domains of the website, only to have it resurface a day later.

For more details visit https://cis-india.org/internet-governance/news/business-standard-august-22-2016-accessing-pirated-content-might-lead-to-prison-term-and-rs-3-lakh-fine

Access at the cost of Net neutrality?

praskrishna — 2015-10-09T01:18:31Z

In the Net neutrality debate, there is a conflict between two core values: ease of access and neutrality. The ease of access promised by applications like Free Basics compromises neutrality and may later morph into a method of predatory pricingIf programs that bring access to a part of the Internet in the immediate future were to entrench themselves, it could eventually lead to telecom companies abusing their dominant positionsIn the absence of a specific law mandating a neutral Internet, telecom companies enjoy a virtual carte blanche to discriminate between different applications. Though they have not yet exploited this autonomy fully, they are certainly moving towards that.

The article by Suhrith Parthasarathy was published in the Hindu on October 8, 2015. Pranesh Prakash gave inputs.

Earlier this year, the social media giant, Facebook, formalised a partnership with Reliance Communications that enabled the Indian company to provide access to over 30 different websites, without any charge on mobile data accruing to the ultimate user. The platform, originally known as “Internet.org,” has now been rebranded as “Free Basics,” Facebook announced last month. Its fundamental ethos, though, remains unchanged. It allows Reliance’s subscribers to surf completely free of cost a bouquet of websites covered within the scheme, which includes, quite naturally, facebook.com. Mark Zuckerberg, Facebook’s founder, views this supposed initiative as a philanthropic gesture, as part of a purported, larger aim to bring access to the Internet to those people who find the costs of using generally available mobile data prohibitive.

Neutrality, an interpretive concept
On the face of it, this supposed act of altruism appears to be commendable. But, there are many critics — some of whom have come together to launch a website “savetheinternet.in” with a view to defending Internet freedom — who argue that Free Basics violates what has come to be known as the principle of network (or Net) neutrality.

While it is clear to all of us that a notion of Net neutrality involves some regulation of the Internet, it is less clear what the term actually means. Like any phrase that involves either a moral or a legal obligation, Net neutrality is also an interpretive concept. People who employ the term to denote some sort of binding commitment, or at the least an aspirational norm, often tend to disagree over precisely how the idea ought to be accomplished. Tim Wu — an American lawyer and presently a professor at the Columbia University — who coined the term, views the notion of Net neutrality as signifying an Internet that does not favour any one application over another. In other words, the idea is to ensure that Internet service providers do not discriminate content by either charging a fee for acting as its carrier or by incorporating any technical qualifications.

In India, there is no law that expressly mandates the maintenance of a neutral Internet. This March, the Telecom Regulatory Authority of India (TRAI) released a draft consultation paper seeking the public’s views on whether the Internet needed regulation. Unfortunately, much of its attention was focussed on the supposedly pernicious impact of applications such as WhatsApp and Viber. “In a multi-ethnic society there is a vital need,” wrote TRAI, “to ensure that the social equilibrium is not impacted adversely by communications that inflame passions, disturb law and order and lead to sectarian disputes.” The questions, therefore, in its view were these: should at least some Internet applications be amenable to a greater regulation, and should they compensate the telecom service providers in addition to the data charges that the consumers pay directly for the use of mobile Internet?

If the government eventually answers these questions in the affirmative, the consequences could be drastic. It could lead to a classification of Internet applications based on arbitrary grounds, by bringing some of them, whom the government views as harmful to society in some manner or another, within its regulatory net. Through such a move, the state, contrary to helping establish principles of Net neutrality as a rule of law, would be actively promoting an unequal Internet.

In any event, as things stand, in the absence of a specific law mandating a neutral Internet, telecom companies enjoy a virtual carte blanche to discriminate between different applications. Though these companies have not yet completely exploited this autonomy, they are certainly proceeding towards such an exercise. In April this year, Airtel announced Airtel Zero, an initiative that would allow applications to purchase data from Airtel in exchange for the telecom company offering them to consumers free of cost.

On the face of it, this programme appears opposed to Net neutrality. But what is even more alarming is that mobile Internet service providers could, in the future, plausibly also control the speeds at which different applications are delivered to consumers. For example, if WhatsApp were to subscribe to Airtel Zero by paying the fee demanded by the company, Airtel might accede to offering WhatsApp to consumers at a pace superior to that at which other applications are run. This kind of discrimination, as Nikhil Pahwa, one of the pioneers of the Save The Internet campaign, has argued, is prototypically opposed to Net neutrality. It tends to breed an unequal playing field, and, if allowed to subsist, it could create a deep division in the online world. Ultimately, we must view Net neutrality as a concept that stands for the values that we want to build as a society; it pertains to concerns about ensuring freedom of expression and about creating an open space for ideas where democracy can thrive. There is a tendency, though, to view those who support Net neutrality as representing a supercilious position. Such criticism is unquestionably blinkered, but it also highlights certain telling concerns.

Telecom companies that wish to discriminate between applications argue that in the absence of an Internet that has completely permeated all strata of society, an obligation to maintain neutrality is not only unreasonable on the companies, but also unfair on the consumer. After all, if nothing else, Airtel Zero and Free Basics bring, at the least, some portions of the Internet to people who otherwise have no means to access the web. What we have, therefore, at some level, is a clash of values: between access to the Internet (in a limited form) and the maintenance of neutrality in an atmosphere that is inherently unequal. This makes tailoring a solution to the problem a particularly arduous process.

The Internet, in its purest form, is a veritable fountain of information. At its core lies a commitment to both openness and a level playing field, where an ability to innovate is perennially maintained. It is difficult to argue against Facebook when it says that some access is better than no access at all. But one of the problems with Free Basics, and indeed with Airtel Zero too, is that the consumer has no choice in which websites he or she might want to access free of cost. If this decision is made only by Facebook, which might argue that it gives every developer an equal chance to be a part of its project as long as it meets a certain criteria, what we have is almost a paternalistic web. In such a situation, information, far from being free, is shackled by constraints imposed by the service provider.

Laudable end, unethical means
This is precisely one of the concerns raised by those arguing in favour of Net neutrality, who, it is worth bearing in mind, aren’t resistant to the idea of a greater penetration of the Internet. Their apprehensions lie in companies resorting to what they believe is an unethical means to achieving, at least in theory, a laudable end. According to them, negating Net neutrality, in a bid to purportedly achieve greater access to the Internet in the immediate future, could prove profoundly injurious in the long run. Yes, Airtel Zero and Free Basics would bring to the less-privileged amongst us some access to the Internet, but the question is this: at what cost?

The worry is that if the programs that bring access to a part of the Internet in the immediate future were to entrench themselves, it could eventually lead to these telecom companies abusing their dominant positions. No doubt, as Pranesh Prakash, policy director at the Centre for Internet and Society, has argued, it might require a deeper analysis to argue convincingly that packages such as Free Basics and Airtel Zero require immediate invalidation in their present forms; significantly, the former does not demand payments from the applications while the latter is premised on such consideration. But, viewed holistically, the companies’ actions could potentially be characterised as a form of predatory pricing, where consumers might benefit in the short run, only for serious damage to ensue to competition in the long run.

It is, therefore, necessary that any debate on the issue must address the tension between the two apparently conflicting goals — the importance of maintaining a neutral Internet and the need to ensure a greater access to the web across the country. Mr. Zuckerberg argues that these two values are not fundamentally opposed to each other, but can — and must — coexist. He is possibly correct at a theoretical level.

But the history of markets tells us that we have to be very careful in allowing predatory practices, devised to achieve short-term goals, to go unbridled. As citizens, each of us has a fundamental right to freedom of speech and expression. If we were to get the balance between these two values wrong, if we were to allow the domination, by a few parties, of appliances that facilitate a free exchange of ideas, in a manner that impinges on the Internet’s neutrality, our most cherished civil liberties could well be put to grave danger.

(Suhrith Parthasarathy is an advocate in the Madras High Court.)

For more details visit https://cis-india.org/internet-governance/news/the-hindu-october-8-2015-suhrith-parthasarathy-access-at-the-cost-of-net-neutrality

Abuse linked to Net fixation

Nina C. George — 2019-08-15T16:26:27Z

Addiction to surfing for explicit content and loss of privacy are big concerns when it comes to children, say counsellors.

The article by Nina C. George was published by Deccan Herald on August 13, 2019. Aayush Rathi was quoted.

About 15 children are rescued every day in Bengaluru by an organisation working in tandem with the police. Some children in distress are rescued after they call Makkala Sahayavani, a child helpline attached to the police commissioner’s office. Counsellors attribute the high numbers to many causes. Addiction to the Internet may be adding to the problem, they say.

Fr Mathew Thomas, executive director of BOSCO, categorises distress calls received at the helpline under three heads: child marriage, sexual and physical abuse, and child labour.

“When we deal with cases of child abuse, we need to be extremely sensitive and not blamethem,” he says.Rescued children show physical injuries, low self-esteem, and suffer from learning disorders.“In a day, we rescue at least 15 children who are victims of various abuses,” he says. Thomas isassociated with the helpline in a supervisory capacity.Studies show how social media and the Internet can alter the behaviour of children and makethem vulnerable to all kinds of abuse.Dr Manoj Kumar Sharma, professor of clinical psychology at Service for Healthy Use ofTechnology (SHUT Clinic) at Nimhans, says the loss of privacy is one of the biggest concerns.

“On the Internet, users can easily make contact with unsuspecting children through anonymous and unprotected social media pro􀁺les. Game forums can put children at risk for bullying or abuse,” he says. Dr Sharma calls for more measures to protect children, “Disadvantaged children may not understand online risks, including those of loss of privacy,” he says. It is common for children to seek the opinion of their peer group when they experience risks and harm online.

“This makes it difficult for parents to intervene. There is a need to enhance communication between the child and parent so they can identify signs of distress among the children andhelp them,” advises Sharma.Easy access to sexually explicit videos may be one of the reasons for increased sexual abuse of children, say counsellors at Makkala Sahayavani, the child helpline attached to the police commissioner’s office. Preethi Baliga, a senior counsellor, says early exposure to the Internet is leading to addiction, and physical, emotional, and sexual abuse of children. “How do we saveour children from this?” she wonders.The helpline receives 15 calls a day, five of them calling for immediate intervention.

Recent cases at helpline

A 16-year-old girl was sexually abused by her father for years. Her mother was aware but did nothing. Finally, unable to bear the torture, the girl gathered courage to report it to the police.An FIR was filed and the father was arrested. She was sent to a shelter for rescued children.

A 15-year-old girl was orphaned after her parents went their individual ways. Neither parent wanted to take her in. She was sent to a hostel where she became a victim of drug abuse and multiple sexual encounters. She slipped into depression. She received treatment after her case came to the notice of the child helpline.

A 16-year-old girl befriends a boy of the same age on social media and they begin chatting.They get close and soon chatting makes way for exchange of intimate pictures and physical intimacy. After a while, the boy begins to avoid the girl. Repeated attempts to contact him goes in vain. The girl realises that she has been sexually abused and exploited.

Counsellor's Concerns

Things that ought to be educative are glamorised, according to a counsellor. “Even a condom ad is glamorous. The message that it must be used against contracting sexually transmitteddiseases and preventing pregnancy is not highlighted,” says Preethi Baliga, who works at Makkala Sahayavani. She adds, “Teenagers gain access to pubs by showing fake identity cards. “Children with such tendencies have zero emotions and don’t come around to counselling.”

The Internet can be seen as an abettor

Aayush Rathi, Policy Officer with the Center for Internet and Society in Bengaluru, warns thatone should be wary of claims that the Internet causes child maltreatment such as emotional and sexual abuse. “Rather, the Internet can be seen as an abettor - a new medium through which child maltreatment may be pursued. An increase in the number of cases of such maltreatment needn’t necessarily only be because of wider Internet usage, but may also be because awareness initiatives may be working,” he tells Metrolife.

How to help abused children?

Communicate in a non-judgemental way.
Engage in of􀁻ine activities with them.
Recognise, appreciate positive behaviour.
Become a role model: don’t overuse tech.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-nina-c-george-august-13-2019-abuse-linked-to-net-fixation

ABLI Privacy Workshop

Admin — 2019-06-05T07:29:18Z

On May 21 and 22, 2019, Elonnai Hickok, participated in the ABLI privacy workshop along with side events in Singapore.

Click to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/abli-privacy-workshop

Aadhar: Privacy is not a unidimensional concept

amber — 2017-08-23T01:50:19Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all Indian citizens to defend their individual autonomy in the face of invasive state actions purportedly for the public good.

The article was published in the Economic Times on July 23, 2017.

The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all. In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order was passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-23-2017-amber-sinha-aadhar-privacy-is-not-a-unidimensional-concept

Aadhaar’s moment of truth

praskrishna — 2011-07-05T07:16:58Z

It’s time for the unique identity project to answer tough questions it has dodged so far, writes MA Arun in the Deccan Herald.

On June 25, 2009, Prime Minister Manmohan Singh generated one of the biggest feel-good headlines of UPA2. He appointed former Infosys CEO Nandan Nilekani as Chairperson of Unique Identification Authority of India (UIDAI), which had been set up to assign a unique number to every resident of the country.

UIDAI – billed as the world’s largest e-governance project – presented a numbing technical challenge. Fingerprint and iris samples of one billion plus Indian residents had to be collected along with details of name, gender, birth date and address. A unique identity had to be assigned to each resident in return and then authenticate it online whenever called for.

Nilekani using his stature in the IT industry assembled a smart team of engineers, who could take the challenge head on. He also started tirelessly crisscrossing the country promoting the project and tying up with different government agencies and PSUs.

He addressed countless gatherings conveying a simple message: Indian growth has bypassed the poor and giving them legal identity was the first step in acknowledging their existence and making government services accessible.

In the last two years, there has been a little change in his script and in the response of the audience, which has by and large remained breathless and adulatory. There have been a few jarring notes. Once in a while he is accosted by individuals and organisations, who say the project takes away their privacy.

Most memorably, on January 7, 2011, Nilekani faced an uncharacteristically unruly audience at IISc, Bangalore, which demanded strong protection to privacy. People who attended the meeting found Nilekani evasive as protesting students waved placards outside the venue, urging him to go back.

But for the media, this reporter included, the dissenting opinion from possibly fringe protesters, sounded exaggerated, making too much of a small issue, debating an academic issue of little practical value.

Perhaps reflecting the larger prevailing sentiments on Aadhaar, Sujeet Pillai of Feecounter, says with the rise of social networking, privacy has already eroded. "We put more information on Facebook and Twitter than we share with Aadhaar. The benefits of the project outweigh the cost," he adds.

Many say it is only the middleclass which worries about privacy, while the poor would be more concerned about the benefits. Trying to address privacy concerns, Aadhaar officials have maintained they collect just basic details, enrollment is voluntary and information is encrypted. Your approval is required to authenticate your identity and while revealing who you are, the system just gives a yes or no response, they say.

Over the last year Aadhaar has picked up steam and observers, who expected the bureaucracy to resist, given its anti-corruption overtone, are mildly surprised. Various government departments are embracing it in competition. Several central ministries, state governments, PSUs have begun to tie their programmes to the Aadhaar number.

Aadhaar officials say they are on course to enroll 600 million by 2014 and by October this year they expect to start enrolling one million numbers a day. The pilot projects at Mysore, Tumkur and Hyderabad have already enrolled 85 per cent of the population and the project is ramping up to other districts and states.

Early last month the Cabinet Committee on Security in a seemingly unrelated move gave partial approval for a Home ministry project, National Intelligence Grid (Natgrid). The development alarmed the privacy advocates to again raise a cry over Aadhaar. Among other things, Natgrid, being run by an ex-army man, Capt Raghu Raman, reportedly seeks to integrate 21 databases - railways, airlines, stock exchanges, income tax, bank account details, credit card transactions, visa and immigration records, telecom service providers and chemical vendors.

Most of us reading this article appear in many these databases, which today are islands of information controlled by different government agencies. They cover different segments of the population and may overlap to some extent. Stitching together these disparate databases together would require a mammoth exercise to uniquely identify all Indian residents. That is precisely what Aadhaar, the missing link, is doing, say critics.

"If Aadhaar ever succeeds in assigning a unique number to all residents, it will take a maximum of two years to create a common Natgrid database. Using a terminal in his office, a cop would be able to watch whatever you do - travelling, talking, buying - in real time. The surveillance technology is pretty straightforward," says noted security expert and IIT Mumbai alumni, Dr Samir Kelekar of Teknotrends.

The system is being designed to catch terrorists and criminals, say Natgrid supporters. "But why subject the entire population to potentially the same level of surveillance," asks Sunil Abraham of Centre for Internet and Society.

Noted jurist Usha Ramanathan says since 2008 several measures such as the Collection of Statistics Act, The Information Technology Act, Aadhaar, National Grid have come about to collect information about people. “After 9/11 in the guise of homeland security USA expanded police powers. Something similar is happening in India after 26/11,” she says.

The claims of Aadhaar benefiting the poor is untested as there has been no feasibility study, she adds. "This is a security project masquerading as an anti-poverty project," says Abraham.

Aadhaar has eluded a debate so far on these issues, say critics. Ramanathan says she made three attempts in November 2009, July 2010 and February 2011 to engage Nilekani, Aadhaar Director General R S Sharma and few other project officials on the issue.

Dubious demands

A New Delhi-based Aadhaar government official, speaking on the condition of anonymity, said there was no discussion within the project on the potential risks it posed. "The main focus is in making a paradigm shift in governance and reaching out to the poor to ensure that the Rs 3,26,000 crore being spent on subsidy is not pilfered," he said.

But he went on to acknowledge that Aadhaar was like 'nuclear energy', which could be used to either make bombs or generate electricity. “It is for the media and civil society to apply pressure for the right safeguards," he said.

While the engineers and bureaucrats are steamrolling the project, the laws of the land and the promised safeguards are yet to catch up with it.

Indian judiciary has also given a free hand to the law enforcement authorities to conduct surveillance. According to the latest Google Transparency Report, Indian government officials made 67 requests to remove contentious items from various Google services between July to December 2010. Only 6 requests were backed by court orders and rest were demands made by police and other executive agencies.

Why is Nilekani who has emerged as the face of Aadhaar silent about the security dimension of the project, ask critics. After all, the Infosys credo is to ‘disclose when in doubt’, they point out. "Nilekani and team are good people without any evil intention. They have never lived in villages and believe that technology can solve any problem," says Abraham.

Ramanathan differs. "In 2009, I would have said he was unaware of the possible risks of Aadhaar. I will not attribute that innocence to him anymore. People in power tend to be blinded by it," she says.

"Their response has varied from ‘nobody else is asking these questions’, ‘have not come prepared to address these issues today’ and ‘we will get back to you’," she says.

Critics also accuse Aadhaar officials of presenting a misleading picture. Enrollment started as a voluntary exercise, but is now being made mandatory to get LPG cylinders. "They were supposed to collect only basic details, but Aadhaar enrollment forms now ask for email ids and phone numbers," Ramanathan said.

This news appeared in the Deccan Herald on 5 July 2011. The original post can be read here.

For more details visit https://cis-india.org/news/aadhaar-truth

Aadhaar: Ushering in a Commercialized Era of Surveillance in India

praskrishna — 2017-06-07T12:45:30Z

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing persons through an app that integrates biometric information with the Crime and Criminal Tracking Network Systems (CCTNS).

The article by Jyoti Panday was published by the Electronic Frontier Foundation on June 1, 2017.

These instances demonstrate how intrusive India’s controversial national biometric identity scheme, better known as Aadhaar has grown. Aadhaar is a 12-digit unique identity number (UID) issued by the government after verifying a person’s biometric and demographic information. As of April 2017, the Unique Identification Authority of India (UIDAI) has issued 1.14 billion UIDs covering nearly 87% of the population making Aadhaar, the largest biometric database in the world. The government asserts that enrollment reduces fraud in welfare schemes and brings greater social inclusion. Welfare schemes that provide access to basic services for marginalized and vulnerable groups are essential. However, unlike countries where similar schemes have been implemented, invasive biometric collection is being imposed as a condition for basic entitlements in India. The privacy and surveillance risks associated with the scheme have caused much dissension in India.

Identity and Privacy in India

Initiated as an identity authentication tool, the critical problem with Aadhaar is that it is being pushed as a unique identifier to access a range of services. The government continues to maintain that the scheme is voluntary, and yet it has galvanized enrollment by linking Aadhaar to over 50 schemes. Aadhaar has become the de-facto identity document accepted at private, banks, schools, and hospitals. Since Aadhaar is linked to the delivery of essential services, authentication errors or deactivation has serious consequences including exclusion and denial of statutory rights. But more importantly, using a unique identifier across a range of schemes and services enables seamless combination and comparison of databases. By using Aadhaar, the government can match existing records such as driving license, ration card, financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it's a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.

This is worrying, particularly in context of the ambiguity regarding privacy in India. The right to privacy for Indian citizens is not enshrined in the Constitution. Although, the Supreme Court has located the right to privacy as implicit in the concept of “ordered liberty” and held that it is necessary in order for citizens to effectively enjoy all other fundamental rights. There is also no comprehensive national framework that regulates the collection and use of personal information. In 2012, Justice K.S. Puttaswamy challenged Aadhaar in the Supreme Court of India on the grounds that it violates the right to privacy. The Court passed an interim order restricting compulsory linking of Aadhaar for benefits delivery, and referred the clarification on privacy as a right to a larger bench. More than a year later, the constitutional bench is yet to be constituted.

The delay in sorting out the nature and scope of privacy as right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back. In 2016, the government enacted the 'Aadhaar Act' passing the legislation without any debate, discussion or even approval of both houses of Parliament. In April this year, Aadhaar was made compulsory for filing income tax or PAN number application and the decision is being challenges in Supreme Court. Defending the State , the Attorney-General of India claimed that the arguments on so-called privacy and bodily intrusion is bogus, and citizens cannot have an absolute right over their body! The State’s articulation is chilling, especially in light of the Human DNA Profiling Bill seeking the right to collect biological samples and DNA indices of citizens. Such anti-rights arguments are worth note because biometric tracking of citizens isn't just government policy - it is also becoming big business.

Role of Private Companies

Private companies supply hardware, software, programs, and the biometric registration services for rolling out Aadhaar to India’s large population. UIDAI’s Committee on Biometrics acknowledges that biometrics data are national assets though American biometric technology provider L-1 Identity Solutions, and consulting firms Accenture and Ernst and Young can access and retain citizens' data. The Aadhaar Act introduces electronic Know-Your-Customer (eKYC) that allows government agencies and private companies to download data such as name, gender and date of birth from the Aadhaar database at the time of authentication. Banks and telecom companies using authentication process to download data and auto-fill KYC forms and to profile users. Over the last few years, the number of companies or applications built around profiling of citizens’ personally sensitive data has grown exponentially.

A number of people linked with creating the UIDAI infrastructure have founded iSPIRT, an organisation that is pushing for commercial uses of Aadhaar. Private companies are using Aadhaar for authentication purposes and background checks. Microsoft has announced SkypeLite integration with Aadhaar to verify users. Others, such as TrustId and Eko are integrating rating systems into their authentication services and tracking users through platforms they create. In essence such companies are creating their own private database to track authenticated Aadhaar users and they may sell this data to other companies. The growth of companies that share and combine databases to profile users is an indication of the value of personal data and its centrality for both large and small companies in India.

Integrating and linking large biometrics collections to each other, which are then linked with traditional data points that private companies hold such as geolocation or phone number enables constant surveillance to take over. So far, there has been no parliamentary discussion on the role of private companies. UIDAI remains the ultimate authority in deciding the nature, level and cost of access granted to private companies. For example, there is nothing in Aadhaar Act that prevents Facebook from entering into an agreement with the Indian government to make Aadhaar mandatory to access WhatsApp or any of its other services. Facebook could also pay data brokers and aggregators to create customer profiles to add to its ever growing data points for tracking and profiling its users.

Security Risks and Liability

A series of data leakages have raised concerns about which private entities are involved, and how they handle personal and sensitive data. In February, UIDAI registered a complaint against three companies for storing and using biometric data for multiple transactions. Aadhaar numbers of over 130 million people and bank account details of about 100 million people have been publicly displayed through government portals owing to poor security practices. A recent report from Centre for Internet and Society (CIS) showed that a simple tweaking of URL query parameters of the National Social Assistance Programme (NSAP) website could unmask and display private information of a fifth of India's population.

Such data leaks pose a huge risk as compromised biometrics can never be recovered. The Aadhaar Act establishes UIDAI as the primary custodian of identity information, but is silent on the liability in case of data breaches. The Act is also unclear about notice and remedies for victims of identity theft and financial frauds and citizens whose data has been compromised. UIDAI has continued to fix breaches upon being notified, but maintains that storage in federated databases ensures that no agency can track or profile individuals.

After almost a decade of pushing a framework for mass collection of data, the Indian government has issued guidelines to secure identity and sensitive personal data in India. The guidelines could have come earlier, and given large data leaks in the past may also be redundant. Nevertheless, it is reassuring to see practices for keeping information safe and the idea of positive informed consent being reinforced for government departments. To be clear, the guidelines are meant for government departments and private companies using Aadhaar for authentication, profiling and building databases fall outside its scope. With political attitudes to corporations exploiting personal information changing the world over, the stakes for establishing a framework that limits private companies commercializing personal data and tracking Indian citizens are as high as they have ever been.

For more details visit https://cis-india.org/internet-governance/news/electronic-frontier-foundation-jyoti-panday-june-1-2017-aadhaar-ushering-in-a-commercialized-era-of-surveillance-in-india

Aadhaar: Still Too Many Problems

pranesh — 2016-04-06T15:31:32Z

While one wishes to welcome govt’s attempt to bring Aadhaar within a legislative framework, the fact is there are too many problems that still remain unaddressed for one to be optimistic.

The article was published by Livemint on March 7, 2016.

The Aadhaar Bill has been introduced as a money bill, even though it doesn’t qualify as such under Article 110 of the Constitution. If the Speaker agrees to this, it will render the Rajya Sabha toothless in this matter, and will weaken our democracy. The government should reintroduce it as an ordinary legislative bill, which is what it is.

While the government has in the past argued before the Supreme Court that Aadhaar is voluntary, Section 7 of the bill allows the government to mandate an Aadhaar number (or application for an Aadhaar number) as a prerequisite for obtaining some subsidies, benefits, services, etc. This undermines its arguments before the Supreme Court, which led the court to pass orders holding that Aadhaar should not be made mandatory. This move to make it mandatory will now need the government to argue that rather than contravene the apex court order, it has instead removed the rationale for it.

Interestingly, the Bharatiya Janata Party (BJP)-led National Democratic Alliance (NDA) government seems to have done a U-turn on the issue of the unique identification number not being proof of citizenship or domicile. The previous Congress-led United Progressive Alliance (UPA) government never meant the Aadhaar number to be proof of citizenship or domicile. This was attacked by the Yashwant Sinha-chaired standing committee on finance, which feared that illegal immigrants would get Aadhaar numbers. Now, the BJP and the NDA seem to be in agreement with the original UPA vision of Aadhaar.

Importantly, there is very strong language when it comes to the issue of privacy and confidentiality of the information that is held by the Unique Identification Authority of India (UIDAI). Section 29 (1), for instance, says that no biometric information will be shared for any reason whatsoever, or used for any purpose other than Aadhaar number generation and authentication. However, that provision is undermined wholly by Section 33, which says that “in the interest of national security”, the biometric info may be accessed if authorized by a joint secretary. This will only fan the fears of those who have argued that the real rationale for Aadhaar was not, in fact, delivery of services, but to create a national database of biometric data available to government snoops.

Also Read

Pros and cons of Aadhaar bill

Further, there are no remedies available for governmental abuse of this provision.

Lastly, in terms of privacy, the concern of those people who have been opposing Aadhaar is not just that the biometric and other identity information may be leaked to private parties, but also that having a unique Aadhaar number helps private parties to combine and use other databases that are linked with Aadhaar numbers in a manner that is not within the subject’s control. This is not at all addressed in this bill, and we need a robust data protection law in order to do that.

There are some other crucial details that the law doesn’t address: Is user consent, to be taken by third parties that use the UID database for authentication, needed for each instance of authentication, or would a general consent hold forever? How can consent be revoked?

There were many other objections that were raised against the Aadhaar scheme that have not been addressed by the government. For instance, in a recent article in the Economic and Political Weekly, Hans Varghese Mathews points out that going by the test data UIDAI made available in 2012, for a population of 1.3 billion people, the incidence of false positives—the probability of the identities of two people matching—is 1/112.

This is far too high a ratio to be acceptable.

Actual data from the field in Andhra Pradesh—of people who were unable to claim rations under the public distribution system (PDS)—paints a worse picture. A survey commissioned by the Andhra Pradesh government said 48% of respondents pointed to Aadhaar-related failures as the cause of their inability to claim rations.

So, even if the Aadhaar numbers were no longer issued to Lord Hanuman (Rajasthan), to dogs (e.g., Tommy Singh, a mutt in Madhya Pradesh), and with photos of a tree (New Delhi), it might not prove to be usable in a country of India’s size, given the capabilities of the fingerprint machines. As my colleague Sunil Abraham notes, the law cannot fix technological flaws.

So, while one wishes one could welcome the government’s attempt to bring Aadhaar within a legislative framework, the fact is there are too many problems that still remain unaddressed for one to be optimistic.

Pranesh Prakash is policy director at the Centre for Internet and Society, a think tank.

For more details visit https://cis-india.org/internet-governance/blog/livemint-march-7-2016-pranesh-prakash-aadhaar-still-too-many-problems

Aadhaar: Govt will not compromise on national security

praskrishna — 2016-03-22T15:51:13Z

The government is confident that the Aadhaar Bill will be passed.

The article by Shreeja Sen was published by Livemint on March 9, 2016. Pranesh Prakash gave inputs.

In what could raise concerns of privacy activists questioning India’s unique identification project Aadhaar, the government on Tuesday said national security will not be compromised at all.

“We will not compromise on national security; certainly we will not compromise. The Supreme Court has already highlighted certain areas for consideration. We are going ahead taking into consideration all the suggestions of the Supreme Court,” law minister D.V. Sadananda Gowda said at a press conference, when asked how the Aadhaar bill tabled in Parliament last week will balance the protection of core biometrics and national security concerns.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, there are measures to protect core biometric information like fingerprints and iris scans of the unique identification number holders.

However, Section 33 says for the purposes of national security, officials at the joint secretary level and above can access this information. The section has caused some worry to experts. In this analysis , policy director of the Centre for Internet and Society Pranesh Prakash says that the national security clause is worrisome. Adding to their concerns, the bill does not define what national security means.

The government is, however, confident that the bill will be passed. “Certainly it will be passed. The benefits that go from the exchequer to the beneficiaries will be taken care of by this bill,” Gowda said.

For more details visit https://cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security

Aadhaar: Are a billion identities at risk on India's biometric database

praskrishna — 2017-05-20T06:38:26Z

"My fingerprints and iris are mine and my own. The state cannot take away my body," a lawyer told India's Supreme Court last week.

The article by Soutik Biswas was published by BBC News on May 4, 2017. Also see the blog post by Rawlson King published by Biometric Update.com on May 5, 2017.

Shyam Divan was arguing a crucial petition challenging a new law that makes it compulsory for people to submit a controversial biometric-based personal identification number while filing income tax returns.

Defending this law, the government's top law officer told the court on Tuesday that an individual's "right to body is not an absolute right".

"You can have right over your body but the state can restrict trading in body organs, so the state can exercise control over the body," Attorney General Mukul Rohatgi said.

At the heart of the latest challenge are rising concerns over the security of this mega biometric database and privacy of the number holders. (The government says it needs to link the identity number to income tax returns to improve compliance and prevent fraud.)

India's biometric database is the world's largest. Over the past eight years, the government has collected fingerprints and iris scans from more than a billion residents - or nearly 90% of the population - and stored them in a high security data centre. In return, each person has been provided with a randomly generated, unique 12-digit identity number.

For a country of 1.2 billion people with only 65 million passport-holders and 200 million with driving licenses, the portable identity number is a boon to the millions who have long suffered for a lack of one.

States have been using the number, also called Aadhaar (Foundation), to transfer government pensions, scholarships, wages for a landmark rural jobs-for-work scheme and benefits for cooking fuel to targeted recipients, and distribute cheap food to the poor.

Over the years, the number has taken a life of its own and begun exerting, what many say, is an overweening and stifling control over people's lives. For many like political scientist Pratap Bhanu Mehta, Aadhaar has transmuted from a "tool of citizen empowerment to a tool of state surveillance and citizen vulnerability".

People will soon need the number to receive benefits from more than 500 of India's 1,200-odd welfare schemes. Even banks and private firms have begun using it to authenticate consumers: a new telecom company snapped up 100 million subscribers in quick time recently by verifying the customer's identity through the number.

'Forcibly linked'

People are using the number to even get their marriages registered. The number, says Nikhil Pahwa, editor and publisher of Indian news site MediaNama, is "being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more, which thus puts more personal information at risk".

Some of the fears are not without basis.

The government has assured that the biometric data is "safe and secure in encrypted form", and anybody found guilty of leaking data can be jailed and fined.

But there have already been a number of leaks of details of students, pensioners and recipients of welfare benefits involving a dozen government websites. Even former Indian cricket captain MS Dhoni's personal information was mistakenly tweeted by an overzealous enrolment service provider.

Now a disturbing report by The Centre for Internet and Society claims that details of around 130-135 million Aadhaar numbers, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries have been leaked online by four key government schemes.

More than 230 million people nationwide are accessing welfare benefits using their numbers, and potentially, according to the report, "we could be looking at a data leak closer to that number". And linking the number to different databases - as the government is doing - is increasing the risk of data theft and surveillance.

The chief law officer believes that the outrage over the leaks is "much ado about nothing".

"Biometrics were not leaked, only Aadhaar numbers were leaked. It is nothing substantial. The idea is biometrics should not be leaked," Mukul Rohtagi told the Supreme Court on Tuesday.

The government itself has admitted that it has blacklisted or suspended some 34,000 service providers for helping create "fake" identification numbers or not following proper processes. Two years ago, a man was arrested for getting an identification number for his pet dog. The government itself has deactivated 8.5 million numbers for incorrect data, dodgy biometrics and duplication. Last month, crop loss compensation for more than 40,000 farmers was delayed because their Aadhaar numbers were "entered incorrectly by banks".

'Mass surveillance'

There are also concerns that the number can be used for profiling. Recently, authorities asked participants at a function in a restive university campus in southern India to provide their Aadhaar identity numbers. "This is not only a matter of privacy. The all pervasiveness of the Aadhaar number is a threat to freedom of expression, which is a constitutional right," Srinivas Kodali, who investigated the latest report on data leaks, told me.

Critics say the government is steaming ahead with making the number compulsory for a range of services, violating a Supreme Court order which said enrolment would be voluntary. "The main danger of the number," says economist Jean Dreze, "is that it opens the door to mass surveillance."

Nandan Nilekani, the technology tycoon who set up the programme popularly known by its acronym UIDAI, believes concerns about the safety of the biometric database are exaggerated.

He says the identity number has cut wastage, removed fakes, curbed corruption and made substantial savings for the government. He insists that the programme is completely encrypted and secure. "It's like you are creating a rule-based society," he told Financial Times recently, "it's the transition that is going on right now."

Abused

More than 60 countries around the world take biometric data from its people, says Mr Nilekani. But then there are nagging concerns worldwide about these databases being abused by hackers and state intelligence.

In 2016, personal details of some 50 million people in Turkey were reportedly leaked. (Turkey's population is estimated at 78 million.) In 2015, hackers stole more than five million fingerprints after breaching US government networks. In 2011, French experts discovered a hack involving the theft of millions of people's data in Israel.

Pratap Bhanu Mehta has written that the lack of a "clear transparent consent architecture, no transparent information architecture, no privacy architecture worth the name [India doesn't have a privacy law], and increasingly, no assurance about what exactly you do if the state decides to mess with your identity" could easily make Aadhaar a "tool of state suppression".

So a lot of lingering doubts remain. How pervasive should an identity number be? What about the individual freedom of citizens? How do you ensure the world's biggest biometric database is secure in a country with no privacy laws and a deficient criminal justice system?

In many ways, the debate about Aadhaar is also a debate about the future of India. As lawyer Shyam Divan argued forcefully in the top court, "people are reduced to vassals" when the state controls your body to this extent.

For more details visit https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database