We are anonymous, we are legion

১৩ কোটি আধার তথ্য ফাঁস চার সরকারি পোর্টাল থেকে! বিস্ফোরক দাবি রিপোর্টে

praskrishna — 2017-05-20T11:45:42Z

খোদ সরকারি পোর্টাল থেকে কয়েক কোটি আধার নম্বর ও যাবতীয় তথ্য ‘ফাঁস’!

This was published by Amar Bazar Patrika on May 2, 2017.

অভিযোগ, গত কয়েক মাসে প্রায় ১৩ কোটি আধার নম্বরের যাবতীয় ব্যক্তিগত ও সংবেদনশীল তথ্য ফাঁস হওয়ার ঘটনা ঘটেছে। আর এসবই হয়েছে চারটি সরকারি পোর্টাল থেকে তথ্যপ্রযুক্তি সুরক্ষার ঘাটতির জেরে! যা ঘিরে এখন তোলপাড় দেশ।

সম্প্রতি, এমনই বিস্ফোরক রিপোর্ট প্রকাশ করেছে অলাভদায়ক সংগঠন সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটি (সিআইএস)। তাদের আশঙ্কা, চারটি সরকারি পোর্টালের মাধ্যমে ১০ কোটি মানুষের ব্যাঙ্ক অ্যাকাউন্ট নম্বরও ফাঁস হয়ে থাকতে পারে।

সংস্থার দাবি, যে চারটি পোর্টাল থেকে এই সব তথ্য ফাঁসের অভিযোগ, তার মধ্যে দু’টি অন্ধ্রপ্রদেশ সরকারের ওয়েবসাইট। বাকি দুটি পোর্টাল হল ন্যাশনাল সোশ্যাল অ্যাসিস্ট্যান্স প্রোগ্রাম এবং ন্যাশনাল রুরাল এমপ্লয়মেন্ট গ্যারান্টি স্কিম-এর।

এই গোটা ঘটনার জন্য ইউনিক আইডেন্টিফিকেশন অথরিটি অফ ইন্ডিয়া বা ইউআইডিএআই–কেই দায়ী করেছে সিআইএস। তাদের দাবি, আধার নিয়ন্ত্রক সংস্থার ‘দায়িত্বজ্ঞানহীনতার’ জন্যই এই উদ্ভুত পরিস্থিত সৃষ্টি হয়েছে।

সিএনআই-এর আরও দাবি, বিভিন্ন সরকারি ও বেসরকারি পোর্টাল—যারা আধার তথ্য ব্যবহার করে থাকে, তাদের নিজস্ব সুরক্ষা-ব্যবস্থা খতিয়ে দেখেনি ইউআইডিএআই। ফলত, এই বিপত্তির সম্মুখীন কয়েক কোটি মানুষ।

যদিও, ইউআইডিএআই -এর দাবি, তাদের ডেটাবেস থেকে কোনও তথ্য ফাঁস হয়নি।

For more details visit https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites

ভারতে পাঁচশোরও বেশি স্টেশনে ফ্রি ওয়াই-ফাই চালু হবে

praskrishna — 2015-10-02T14:19:34Z

"তবে ভারতে সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটির গবেষণা-প্রধান সুমন্দ্র চট্টোপাধ্যায় মনে করেন এই পদক্ষেপগুলো মসৃণভাবে রূপায়ণ করাটাই হবে প্রধান চ্যালেঞ্জ।

তাঁর কথায়, ‘সিলিকন ভ্যালির এই নৈশভোজটা দারুণ ব্যাপার সন্দেহ নেই। কিন্তু যেটা তত দারুণ নয় তা হল এই যে নতুন পার্টনারশিপ হতে চলেছে তার গভর্ন্যান্স কীভাবে হবে, কোন আইনি নথি মেনে হবে তা একেবারেই পরিষ্কার নয়।’ মি চট্টোপাধ্যায় বলছেন সম্প্রতি ভারতে এনক্রিপশন পলিসি নিয়ে যে বিতর্ক হল তাতে এটা পরিষ্কার হয়ে গেছে যে এ দেশে যাবতীয় যা কমিউনিকেশন হবে সরকার কোনও না কোনওভাবে তা তাদের নাগালে রাখতে ইচ্ছুক! ফলে এই সব কর্মসূচী বাস্তবায়নের পর্যায়ে আসতে গেলেই মব কোম্পানি জানতে চাইবে এনক্রিপশন বা ট্রান্সপারেন্সির প্রশ্নে ভারতের অবস্থান কী। তখন সরকার কী করে সেটাই দেখার!’ বলছেন সুমন্দ্র চট্টোপাধ্যায়।"

This was published in BBC on September 28, 2015. Sumandro Chattapadhyay is quoted.

For more details visit https://cis-india.org/internet-governance/news/9ad9be9b09a49c7-9aa9be98199a9b69b0993-9ac9c79b69bf-9b89cd99f9c79b69a89c7-9ab9cd9b09bf-9939af9bc9be987-9ab9be987-99a9be9b29c1-9b99ac9c7

7th India Digital Summit 2013

praskrishna — 2013-02-13T06:32:31Z

This summitt organised by Internet and Mobile Association of India is being held in New Delhi from January 16 to 17, 2013 at the Lalit Hotel

Sunil Abraham is the moderator for Plenary Session 3: Discussion on Social Media – Freedom, Moderation or Regulation.

Click to download the agenda

Theme of the Summit

951 million mobile users with 448 million mobile data subscribers; 137 million Internet users and rural Internet growing 7x in the last two years make India one of the top three digital markets in the world. One of only top two at this scale with free market economy democratic polity; and the only one where there is still headroom for growth. The time to invest in Digital India is now.

By 2020 riding on a government investment of 4 billion USD [roughly 10 billion USD on PPP terms] Internet users is expected to be 600 million; and mobile would possibly penetrate 100% of rural India creating the largest free economy digital market in the world.

The Digital Opportunity now and in the next 5 years in India is explosive. And the need to create a Digital Economy on scale is a developmental necessity. The opportunity, however, lies in addressing the current challenges of the ability to provide: low cost connectivity, universal access, usable content, secure networks, affordable devices and enabling policy.

Building on the theme of “Creating the World’s Largest Free Market Digital Economy” the 7th India Digital Summit will focus on five tracks: Infrastructure, Regulatory Frameworks, Services & Content, Entrepreneurship / Innovation and Business 3.0.

Webcast of the Event

Day 1, January 16, 2013

Inaugural
Welcome Address Mr. Hitesh Oberoi, Chairman, IAMAI & Co-Founder and Chief Executive Officer, Info Edge India Limited Address by Chief Guest Mr. Montek Singh Ahluwalia, Deputy Chairman, Planning Commission, Government of IndiaKeynote Address by Mr. R Chandrashekhar, Chairman (TC) & Secretary , Department of Telecommunications, Ministry of Communications and IT
Plenary Session 1: 1000 digital startups a year: How to make it happen?
Session Chair and presenter: Mr. Satyan Gajwani, CEO, Times Internet Presenter ‐ Mr. Mahesh Murthy, Founder, Pinstorm and Co-founder, Seedfund Mr. Manish Vij, Founder, VUN Network Mr. Pranay Gupta, Joint CEO, Centre for Innovation Mr. Rajesh Sawhney, Founder, GSF Accelerator & Superangels Mr. Mukund Mohan, CEO in Residence, Microsoft Startup Accelerator
Business track Topic: Importance of Creativity to Digital Advertising
Session Chair and presenter Neville Taraporewalla, Sr. Director - Emerging Markets\| India, Malaysia,Thailand & Korea, Advertising and Online, Microsoft Discussion: M Mohit Hira, Senior Vice President & Regional Business Leader-Airtel, JWT Vineet Gupta, Managing Partner, 22feet Communications Arun Sharma, VP Marketing - Head Media & Rural, Bharti Airtel Vikas Tandon, Managing Director, Indigo Consulting Aditya Save, Head-Media & Digital Marketing, Marico Audience Interaction
“Lowering the barrier for mobile web - for both operators and users”
Keynote Address by Mr. Peter Panait Løjmand, Senior Vice President, Opera Software Interaction with Mr. Sanjay Goyal, Chief Executive Officer, ACL Wireless
Plenary Session 2: Cloud – Leveraging the Cloud for Business Efficiency
Session Chair and presenter Mr. Manoj Chugh, Regional President, Global Accounts-APJ, EMC Presenters: Mr. Manav Khanna, Sr. Consultant –Enterprise Security, SafeNet Inc. Mr. Jasminder Singh Gulati, Co-founder and Chief Executive Officer, Nowfloats Mr. Ravi Shankar, Chief Executive Officer, Nevales Networks Mr. Mandar Kulkarni, Vice President, Solution Engg & Pvt. Cloud Practice, Netmagic Mr. Balaka Baruah Aggarwal, Business Evangelist, Amazon Web Services Mr. Jaydeep Nargund, Head Services-India, AKAMAI Mr. Vivek Ravindran, Director-Core & App Platform, Microsoft
Email Marketing Roundtable with juvlon
Email Marketing in the Year of the Snake - 2013 Presented by Mr. Naresh Bhagtani, CEO, Juvlon, Niche Software
“Unique Identity and Its Positive Externalities for Inclusiveness"
Keynote Address by Mr. Nandan Nilekani , Chairman, UAIDI Interaction with Mr. Shubhashis Gangopadhyay, IDF research
“Bharat Broadband [NOFN]: Going extra mile with public investment”
Keynote Address by Mr. Sam Pitroda Interaction with Mr. Lalitesh Katragadda, Country Head-India Products, Google
Plenary Session 3: Discussion on Social media – Freedom, moderation or regulation
Session Chair & Moderator: Sunil Abraham, Executive Director, The Centre for Internet and Society
Discussion with: Rajesh Kalra, Chief Editor, Times Internet R Sukumar, Managing Editor, Mint Shivam Vij, Kafila.org
Track 3: The last mile of customer connect: m-Engagement from OPENHOUSE
Presenter: Mr. Ankit Singh, Senior Manager, Enterprise mobility, IMI Mobile Mr. Ramesh Raman , Senior manager, Marketing, IMI Mobile

Day 2, January 17, 2013

“Future of Apps and their Monetization”
Keynote Address by Mr. Ilja Laurs, Founder and Chairman, GetJar Moderated by : Mr. Kiruba Shankar
“Communications challenges in the age of Social media”
Keynote address by Dr Shashi Tharoor, Minister of State for Human Resource Development, Government of India Interaction with audience Moderated by Mr. R Jagannanthan
Track 4: CXOs Closed door discussion on Local Language – The Game Changer
Session moderated by Gyan Gupta, Chief Operating Officer, Dainik Bhaskar; Address by speakers Mr. Arvind Pani, Co-founder, Reverie language Technologies Mr. Ajay Gallwale, Founder, Maayboli Mr. C Mathew, DGM (Marketing), Malayala Manorama Mr. Manoj Gupta, Head, VAS & Applications, Micromax Audience Interaction Summarising by Moderator
Start-Up Unconference
A peer to peer, informal sharing of views between new entrepreneurs and start-ups of our industry
Chaired by: Mr. Sanjiv Bikhchandani, Founder and Executive Vice Chairman, Infoedge Moderator by: Kiruba Shankar
Plenary Session 5: Discussion on e-Commerce 2.0– Emerging trend
Session Chair & Moderator: Mr. Avnish Bajaj, Managing Director, Matrix Partners In Discussion with: Mr. Alok Mittal, Managing Director, Canaan Patners India Mr. Sachin Bansal, Co-founder & CEO, Flipkart Mr. Sundeep Malhotra, Chief Executive Officer, HomeShop18 Mr. Muralikrishnan B, Country Manager, eBay Mr. Mukesh Bansal, Founder, Myntra.com Mr. Ankur Warikoo, Chief Executive Officer, Groupon India
Plenary Session 6: Marketers Viewpoint – Online and Mobile Marketing
Session Chair: Mr. Upen Rai, Chief Operating Officer and Executive Director, AntFarm Presenters: Mr. Sanjay Tripathy, EVP - Head Marketing, Products and Direct Channels - HDFC Life Mr. Manish Kalra, Chief Marketing Officer, Makemytrip Mr. Vinay Bhatia, Customer Care Associate and VP - Marketing and Loyalty, Shoppers Stop Mr. Samil Malhotra, Vice President Sales and Marketing. The Lalit Suri Hospitality Group Mr. Manu Kumar Jain, Co-founder & Managing Director, Jabong
Plenary Session 7: Interaction: Attracting and retaining talent for Digital Industry
Thought sharing by Industry Leaders Interaction between Industry leaders and Students Industry Leaders: Mr. Sanjiv Bikhchandani, Founder and Executive Vice Chairman, Infoedge Mr. Deep Kalra, Founder and Chief Executive Officer, Makemytrip Mr. Anupam Mittal, Founder and Chief Executive Officer, People Group Mr. Dinesh Agarwal, Founder and Chief Executive Officer, IndiaMART Mr. Neville Taraporewalla, Sr. Director , Emerging Markets-India, Malaysia, Thailand & Korea, Advertising and Online, Microsoft Student Entrepreneurs: FMS IMT Ghaziabad IITD Moderated by Kiruba Shankar
India Digital Award Ceremony

For more details visit https://cis-india.org/news/7th-india-digital-summit-2013

7th Best Practices Meet 2015

praskrishna — 2015-07-17T13:11:20Z

Data Security Council of India (DSCI) organized the 7th edition of its Best Practices Meet (BPM) from July 9 - 10, 2015 at Hotel ITC Gardenia in Bengaluru. BPM2015 had “Architecting Security for Digital Transformation” as its theme. Sunil Abraham and Elonnai Hickok were speakers at this event.

The two-day deliberations, reflected on policy, endeavours at national and industry levels, proposed industry steps, market response, best practices, industry standards and technology designs and see how they play their roles in architecting of information systems and enterprise security within organizations. Sunil Abraham was a panelist in the session "Architecting Security for transformation to Digital India". Elonnai Hickok was a panelist in the session "Steering privacy in the age of extreme innovation technology & business models."

See the Agenda

For more details visit https://cis-india.org/internet-governance/news/best-practices-meet-2015

6th Biannual Surveillance and Society Conference

praskrishna — 2014-05-05T04:57:59Z

Malavika Jayaram is a speaker at the conference organized by Eticas Research and Consulting at the University of Barcelona and CCCB from April 24 to 26, 2014.

Malavika will present on the UID and biometrics at the session on “Surveillance: Ambiguities and Uncertainties". Malavika's talk title is "Biometrics in beta: experimenting on a nation (while normalising surveillance for 1.2 billion people)" and is being held on April 26. See the full event details on this page.

In the developing world, privacy is often portrayed as a luxury, as something alien to local culture and of interest only to the elite. This ignores the probability of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The hype about ‘big data’, ‘open data’, ‘data for development’, ‘ICT4D’ and other buzzwords often ignores the fact that the global south is particularly vulnerable to data collection and processing. Literacy issues (lingual and technical), a massive digital divide, desperate socioeconomic conditions and the lack of a robust data protection law render ideas of consent or tradeoffs all but meaningless.

Techno-utopian welfare schemes present technology as progressive, neutral and frictionless – a seductive and compelling narrative in a region wracked by inequalities, corruption, lack of transparency and structural violence. This vision underpins the world’s largest biometric ID project, which has already registered the irises and fingerprints of 540 million people without even being completed. Yet the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, ignores embedded biases and normative baselines within such technologies. Welfare projects are further complicated when they are architected as public-private partnerships: the collusion of governmental and corporate agendas in creating massive databases and profiles, in a manner that transforms the citizen-state relationship in profound ways, has sweeping implications for choice, autonomy, anonymity and ultimately, democracy. This is true even when the systems function as intended, without mechanical failure, data breaches, or other consequences of trading privacy for convenience, welfare and security.

I would like to discuss the risks of using technologies such as biometrics to solve socioeconomic problems, and their potential for excluding the very demographics that they seek to include. I intend to locate my presentation in the context of India’s growing surveillance state, which deliberately intends to use the unique identification number to link disparate databases. I propose to describe the new Centralised Monitoring System, the relative legal vacuum in which data is mined and harvested, and the shaky constitutional foundations on which many of these new regimes stand. In so doing, I will effectively have provided a tour of India’s Rogue’s Gallery of recent incursions into the zone of privacy, free speech, informational self-determination and dignity. I hope also to redress in some small measure the largely western focus of academic and policy debates in this field, despite the risks of developing countries seeking to commoditize and export identity schemes, normalize censorship or opportunistically benefit from the west no longer having the moral ground to resist third country surveillance practices.

For more details visit https://cis-india.org/news/ssn-2014-sixth-biannual-surveillance-and-society-conference

4th National Standards Conclave Evolving a Comprehensive National Strategy for Standards Sectoral and Regional Inclusiveness

praskrishna — 2017-05-20T08:06:15Z

Udbhav Tiwari represented CIS in the 4th National Standards Conclave held on the May 1 and 2, 2017 at The Lalit, New Delhi. The event was organized by the Ministry of Commerce and Industry and the Confederation of Indian Industry.

The event looked at creating a National Standards Strategy to focus on India's standardisation efforts in the global stage. The event also focused on the release on the National Standards Portal, a website that creats a one stop access of standards, technical regulations and TBT information. There were a few sessions that were useful in particular - the IT Standardisation, the Standards Portal and the theme paper for National Standards Strategy.

Download the Agenda

For more details visit https://cis-india.org/internet-governance/news/4th-national-standards-conclave-evolving-a-comprehensive-national-strategy-for-standards-sectoral-and-regional-inclusiveness

4 Popular Myths about UID

Prashant Iyengar — 2012-06-20T04:37:08Z

By now, there is already a lot of material in the public domain that is critical about the UID/Aadhar project, writes Prashant Iyengar in this blog entry published in Privacy India on January 22, 2011.

(See aadhararticles.blogspot.com for an exhaustive catalogue). Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme. Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme.

I do not intend to rehearse these arguments in this post. Instead, I pick four somewhat obscure, but troublesome assertions made about the UID and test their veracity against documents available on the UIDIA site itself. The purpose is to cut through all the equivocation behind the claims that UID officials have been making, and arrive at some minimal clarity on what the UID is (and isn’t).

Registration is voluntary!

How does one make sense of Nandan Nilenkani’s cryptic remark, “I wouldn’t call it compulsory. I would rather say that it will become ubiquitous”?

In a sense, this is true enough. Nowhere in the entire bulk of UID documentation will you encounter the express words “mandatory” or “compulsory”. Hence, proved! But that isn’t to say, however, that there is any way you will be able to avoid getting registered.

Very rapidly, accessing basic services and your very status as a citizen will be conditional on your possessing an Aadhar number. This is owing to the complex operational structure that the UID Scheme adopts which leaves the task of enrollment entirely in the hands of third party ‘Registrars’ who include a host of Central and State social security and welfare departments (including the Ministry of Rural Development which administers the Rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on one’s consent to UID registration. In practice, many of them have and will continue to make UID registration a preliminary formality before access is granted to their services. So your ‘freedom’ to resist UID registration will depend on your ability to forego your minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.

And if miraculously you are able to subsist without these services, there is still one minor detail that is seldom mentioned in conversations about UID: without a UID number, you will not be counted as a citizen of India. This is owing to the fact that the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, also happens to be a ‘Registrar’ for the purposes of the UID. Which means that one’s registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 makes it mandatory for everyone to be enrolled in the National Population Register. So, paradoxically, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.

In other words, the UID scheme avoids the charge of being compulsory, by outsourcing its compulsion entirely.

The UID Scheme will only collect a minimal set of information

A frequently made assertion about the UID scheme is that the data collected will be limited to a standard set of information like one’s name, residence, date of birth, photo, all 10 finger prints and iris image. Once again, this is only a half truth. As mentioned previously, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the MOUs which the UIDAI has signed with Registrars enabling them to collect additional data that “is required for their business or service”. Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts[i]

To employ a telling epithet found in one of the UID documents, the ‘Registrars own the process of enrollment’.

Privacy is guaranteed

Although the UIDAI makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear.

To begin with, the entire responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI’s own responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars – by which time the information has already passed through many hands including the Enrolling Agency, and the Intermediary who passes on information from the Registrar to the UIDAI.
Rather than setting out an explicit redressal mechanism and a liability regime for privacy violations, the UID’s documents stop at loosely describing the responsibility of the Registrars as a ‘fiduciary duty’ towards the resident/citizen’s information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified and Registrars are free to make what use of the data they see fit.
In addition, the Registrars are mandated to keep copies of all documents collected from the Resident either in physical or scanned copies “till the UIDAI finalizes its document storage agency.”[ii]
The ‘Data Protection and Security Guidelines’ which the UIDAI requires all Registrars to observe merely contains pious injunctions calling on them to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.
Although the Draft National Identification Authority of India Bill penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate the service providers to positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.
In other words, the individual’s right to privacy is only as strong as the weakest link in the elaborate chain of information collection, processing and storage.

The UIDAI will not disclose any information and will only authenticate information with Yes/No answers

This is another of the frequently misleading claims made by the UID Authority. Thus, for instance, in April, 2010, in response to a question in the course of an interview, Nandan Nilekani said “UID itself has very limited fields, it has only four or five fields — name, address, date of birth, sex and all that. But it also does not supply this data to anybody. .. the only authentication you can get from our system is a yes or no. So, you can’t query and say what’s this guys name or what’s his date of birth, you can’t get all that.”[iii]

This statement is, however belied by many of the UIDAI’s own documents.

The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of “the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct”. In practice, prior “written consent” for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.[iv] In practice, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her “consent”.
The draft NIA Bill permits the authority to “make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge”. There is nothing in the Act that requires that this information be made available on an individual basis – in other words, it is possible for the data to be shared en-masse with any agency “in the interests of national security”.
There is nothing preventing “Registrars” who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register will can be shared in whichever manner the Registrar General of India chooses – irrespective of what the UIDAI does with that information.

So, while ordinarily, the UIDAI would not authenticate information other than giving Yes/No responses, there are mechanisms already in place that presume that all this information will be made available, on demand, to whichever agency that happens to be interested.

[i] 2011. UID project picks up pace. Indian Express. Available at: http://www.indianexpress.com/story-print/735790 [Accessed January 22, 2011].
[ii] UIDAI – Document Storage Guidelines for Registrars Ver. 1.2, August 2010.
[iii] 2010. To issue first set of UIDs by Feb 2011: Nilekani – CNBC-TV18 -. Money Control. Available at: http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html [Accessed January 22, 2011].
[iv] For instance, a flowchart of the Resident Enrollment Process issued by the UID stipulates “Record Resident’s consent for Information Sharing” as the tenth step in the enrollment process. Unless this step is followed, the enrollment process cannot proceed!

Click to read the original here

For more details visit https://cis-india.org/internet-governance/popular-myths-about-uid

2nd India Think Tank Forum

praskrishna — 2017-07-07T01:16:00Z

Udbhav Tiwari participated in a panel titled "The New Cold War: Information and Cyber Wars" at the Second India Think Tank Forum organized by ORF, the Think Tank Programme at UPenn and the McKinsey Institute between 19 to 21 June 2017 at Claridges in New Delhi.

Agenda

June 19, 2017
18.00 – 18.30 – Registration
18.30 – 18.40 – Welcome Remarks
18.45 – 20.00 – Big Politics: OBOR, India, and the Liberal International Order

This panel will explore the emerging trends in geo-politics and the implications thereof on the liberal international order. It will explore the rise of China, in particular the ambitious Belt & Road Initiative and in its strategic and economic impact on Asia. It will discuss the role of the U.S. and Europe in what is now referred to as the Asian century. Lastly, it will discuss India’s role as a liberal actor in a rapidly changing global order.

Chair: Sanjaya Baru, Distinguished Fellow, USI
Speakers:
Indrani Bagchi, Diplomatic Editor, Times of India
Lt. Gen. Aditya Singh, Senior Fellow, Delhi Policy Group
Nitin Pai, co-Founder, Takshashila Institute
Seshdari Vasan, Chennai Centre for China Studies, Chennai

20.00 – 20.30 – Three Years of the Modi Government: Looking Back, Looking Ahead

In Conversation: Smt. Smriti Irani, Union Cabinet Minister for Textiles, Govt. of India.

20.30 - Dinner

For more details visit https://cis-india.org/internet-governance/news/2nd-india-think-tank-forum

10 tactics for turning information into action

radha — 2011-04-05T04:19:46Z

Tactical Technology Collective (TTC) with The Centre for Internet and Society (CIS) and the Alternative Law Forum, is happy to announce the Bangalore launch of TTC's newest toolkit - '10 tactics for turning information into action'.

‘10 tactics’ explores the use of technology and social media platforms such as Google Earth, Twitter and Facebook on human rights advocacy in the developing world. The film presents ten strategies for turning information into action and is aimed at global human rights advocates, as well as campaigners of all kinds.

The launch will be in the form of a screening organised by Tactical Technology Collective- India, CIS and ALF. After the screening, there will be an open discussion on the use of social media for advocacy.

This documentary is very important and timely viewing for all and most relevant to advocates working in the grassroots, campaigners, information actvists...

This event is open to all. Admission is free. Attendees will receive a copy of the toolkit in its offline form.

For more information about the film and the event log in to: http://www.informationactivism.org/, or call 080 4153 1129.

For more details visit https://cis-india.org/events/10-tactics-for-turning-information-into-action

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

(re) conference

Admin — 2019-05-02T02:01:48Z

From 10 to 12 April 2019, Aayush Rathi participated in a "reconference" a global conference designed to provoke conversations around the new possibilities and opportunities for feminist movements. It was held in Kathmandu, and was organised by CREA, a feminist human rights organisation based in New Delhi.

At the (re)conference, Aayush Rathi spoke on a panel as a part of the technology track curated by Point of View. The research Ambika Tandon and Aayush have undertaken on reproductive health and its datafication in India, as a part of the BD4D project, was selected to be presented on the panel. The presentation can be found here. The agenda and theme of the (re) conference can be found here.

For more details visit https://cis-india.org/internet-governance/news/crea-reconference

'Why should we talk to Dunzo?' State regulators fume at liquor delivery

Admin — 2018-09-19T14:04:35Z

In 2016, the Chandigarh police ordered thirty bottles of liquor on getTalli, an online liquor ordering platform.

The blog post by Aroon Deep was published in Medianama on September 7, 2018

“We do not sell liquor. On your request, we procure liquor from a government authorized vendor on your behalf and deliver it to you,” getTalli explained on its website, according to a Hindustan Times report. The police weren’t exactly interested in consuming that liquor. The order was a trap. They arrested both Pratham Gupta and Anurag Awasthi, who founded the site. The two were charged with criminal conspiracy, fraud, and a state law prohibiting “unlawful import, export, transport, manufacture, possession, etc”. The site was shut down.

Excise is a state subject, so each state has varying levels of strictness in regulating services like Dunzo, which allow users to buy alcohol (among several other things) through them. Karnataka is among the stricter jurisdictions. Dunzo stopped delivering alcohol in the state when regulators made noise about online alcohol delivery not being a recognized mode of sale. “Why should we talk to [Dunzo]?” Rajendra Prasad, an excise official in Bangalore told MediaNama. Dunzo doesn’t seem to have government relations managers, so the company has chosen simply to shut down alcohol delivery rather than engage with regulators. Alcohol deliveries previously accounted for around one in thirty orders for Dunzo in Bangalore, an employee told The News Minute.

Alcohol delivery and the law

On the face of it, alcohol delivery — at least the kind used by Dunzo — doesn’t seem to be cause for regulatory concern. Third party delivery services can’t have their own inventory, so they must simply buy liquor from authorized retailers and deliver them to customers. This doesn’t seem to have any downsides, since the delivery is separately charged and taxed; and the tax on the alcohol is also paid. But regulators have continued to cry foul.

Aayush Rathi, a policy officer at the Centre for Internet and Society, pointed out that the Karnataka Excise Act — and possibly other states’ excise regimes — gives states a lot of control on regulating the movement of alcohol. “A ‘sale’ in the Karnataka Excise Act is defined as ‘any transfer otherwise than by way of gift’,” Rathi told MediaNama. This definition essentially makes online ordering and delivery of liquor illegal — even if the service doing it doesn’t maintain inventory. Since there is no license for online delivery of alcohol, there is little by way of legal standing services like Dunzo have when faced with regulatory scrutiny.

But that is assuming that the regulatory scrutiny comes in the first place. While Punjab and Karnataka have chosen to use the vast regulatory powers the law grants them, other states haven’t done the same. In Gurgaon and Pune, though, alcohol deliveries continue unabated. HipBar, which delivers alcohol across India, told The News Minute, “HipBar is engaging with multiple states and their respective regulators to move the needle on last mile deliveries of alcoholic beverages with reasonable restrictions and safeguards in place, such that the letter and spirit of the excise policy is not vitiated.” That brings the question of whether the current model of last-mile delivery by services like Dunzo and HipBar violate the spirit of excise law in the first place.

For more details visit https://cis-india.org/internet-governance/news/medianama-september-7-2018-aroon-deep-why-should-we-talk-to-dunzo-state-regulators-fume-at-liquor-delivery

'What Security Breach?' The Unchanging Tone of UIDAI's Denials

Admin — 2018-09-19T14:14:53Z

This week brought with it another instance of Aadhaar déjà vu. The narrative is now eerily familiar to people with even a passing acquaintance with the matter.

The article by Karan Saini was published in the Wire on September 12, 2018

A security vulnerability in the Aadhaar ecosystem comes to light, usually through civil society stakeholders or the media. The Unique Identification Authority of India (UIDAI) issues a standard denial, refuses to publicly acknowledge that it has to course-correct and fix the problem, and the public waits for the process to repeat.

Following a three-month-long investigation by Huffington Post into the known and documented problem of cracked Aadhaar enrolment software, several security experts from within the country and elsewhere were able to conclude that the authenticity of entries within the Aadhaar database was likely compromised to an unknown extent. This was a direct result of a patched version of the enrolment software with stripped security features being circulated and used by potential hostile actors – among others.

The patched software bypasses several crucial security features of the enrolment client and could have also been used to get around the biometric authentication which legitimate enrolment operators would have to undertake before attempting to add new entries to the database.

The UIDAI responded to this report with a statement which is nearly identical to many of the authority’s previous press releases on alleged security incidents.

In its statement, the UIDAI said that “the claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless”.

The statement which was issued by the authority seems straightforward but is actually cryptic in its very nature. The story published by Huffington Post did not categorically assert that the software bypass was being used ‘to generate multiple Aadhaar cards’, while the authority’s statement specifically refuted this claim.

This is, sadly, not new. The Aadhaar authority has always purposely misinterpreted what is actually being alleged in critical stories, and then presented their interpretations in their statements of rebuttal, which essentially amount to irresponsible dissemination of misleading information.

For instance, the UIDAI ignores that even without the issue of cracked enrolment software, there are already many proven cases of ghost entries in the database, including that of a Pakistani ISI spy as well as an Uzbek national involved in illegal sex-trade in the country. Both of these persons held real, valid Aadhaar cards which were issued to them under false identities.

The UIDAI also states that enrolments are verified at their backend system in order to prevent any such false entries from finding their way into the database. Given this, the question arises – how did these highlighted cases of false entries make it through the supposed checks and balances in place to the point where Aadhaar numbers for these persons were issued (and delivered)?

Similar events took place when in March 2018, ZDNet broke the story of an application programming interface (API) hosted on the website of utility provider Indane Gas, which could have been abused by hackers to steal information such as full names, Aadhaar numbers, names of linked banking institutions as well as details of the specific utility provider which a person uses for a major chunk of the population.

The UIDAI statement at the time baldly claimed that there was no breach of its central database (what is called the ‘CIDR’) and that biometric data were safe. The only problem? Neither of these issues were asserted or even hinted at in the original story.

Reporters from the publication had attempted to reach out to UIDAI repeatedly – and that too through several mediums of communication, such as phone, email and even direct messages to the official UIDAI Twitter account – all to no avail.

“We tried to contact UIDAI by phone and email after we learned of the Aadhaar data leak. We eventually sent all the details in a Twitter DM message — but only because UIDAI wouldn’t offer […] an email address to send this data leak issue to,” posted Zack Whittaker, the reporter who had broken the story for ZDNet, as a tweet on his public Twitter account.

This was not the first time the authority had done such a thing (and neither was it the last, as we see with the Huffington Post story), as witnessed in the January 2018 incident with the Tribune; where the UIDAI did not respond to the paper’s attempts at communication at all before publication and later used it to state that no security incident had taken place altogether.

Reporters from the Huffington Post had also attempted to reach out to UIDAI prior to publication of the story; attempts at communication which the UIDAI willingly left unanswered. After UIDAI’s rebuttal, the Huffington Post published a statement of their own in which they asserted that they stood by the claims made in their story, while also making it known that the UIDAI had never responded directly to any of their communication.

The UIDAI’s most recent statement deploys a bizarre array of security jargon including buzzwords such as “full encryption”, “access control” and “tamper resistance” – without providing any elaboration on what any of these things would help prevent with regard to the issues raised in the media report.

This obfuscation is very troubling, and particularly so for those people who do not actively follow news regarding the troubles of the programme or other media organisations that are not equipped to understand the nuances of security reporting. For both groups of people, the statements issued by the UIDAI would be enough of an assertion to lead them to believe that all is well with the project and that anyone saying otherwise is an “unscrupulous element” with “vested interests”.

After the first few incidents, the authority’s cookie-cutter response seems to be part of the playbook through which they seek to protect their image: by retaining the ability to publicly deny an incident, even if it has already taken place; which is done by never confirming (or even acknowledging) an issue before publication. This is presumably done out of fear of the reputational damage which would inevitably be caused by admittance of a compromise or fault on their part.

Consider what happened with the Tribune breach report. The UIDAI officially denied it (even though some of their lower-level officials were quoted in the story), filed an FIR against the journalist. When the dust settled down, a prominent business newspaper ran a story which strangely enough quoted anonymous officials who highlighted the steps that were taken to fix the problem.

The UIDAI understands that ‘the first step in solving a problem is to recognise that it does exist’. Acknowledging problems within the Aadhaar project would be catastrophically damaging for the authority as well as the public’s perception of them. This is why we are always presented with almost indistinguishable statements of rebuttal and denial from the UIDAI, which too are never backed with any evidence.

Seeing as how the UIDAI’s statements almost always end up backfiring, their decision to employ a social media agency to monitor the internet for chatter on Aadhaar starts to make a little sense. For a while now, the authority has wished to undertake mass digital surveillance through social media and other online forums in order to track “top detractors” of the Aadhaar scheme and counter them to effectively “neutralise negative sentiments” surrounding the project.

This move, however, was challenged by petitioner Mahua Moitra who saw it as “an attempt by the State to overreach the jurisdiction of the Hon’ble Supreme Court in matters where the legality of social media surveillance and Aadhaar itself is under challenge”.

For now, the next time we are hit with a sense of déjà vu when it comes to an Aadhaar-related security incident, we should see through the UIDAI’s statements for what they truly are: hopeless attempts at damage control for a system that is crumbling at its very foundation.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-september-12-2018-what-security-breach-the-unchanging-tone-of-uidai-denials

'Website not found' pop-ups leave net activists fuming

Tushar Kaushik — 2019-04-03T15:53:04Z

Internet activists are concerned over what they term as rising instances of websites being blocked by internet service providers (ISPs) and the government without citing any reason for doing so.

The article by Tushar Kaushik was published in the Economic Times on March 6, 2019. Gurshabad Grover was quoted.

Last year, the Ministry of Electronics and Information Technology (MeitY) blocked 2,799 URLs for allegedly hosting malicious content, marking a sharp increase from 2017, when 1,385 URLs were blocked.

These numbers were disclosed by minister of state for electronics and IT SS Ahluwalia in a written reply to a question in the Lok Sabha in February.

In 2016, the number of URLs that were blocked stood at 633.

The government has also withheld information on the list of blocked websites despite several queries under the right to information (RTI) Act, internet activists told ET.

The Centre for Internet and Society (CIS), a Bengaluru-based advocacy group, is compiling a list of URLs and websites that are being blocked, and has identified over 3,200 so far. Senior policy officer at CIS Gurshabad Grover said that among the blocked URLs are proxy servers and websites of NGOs that are deemed to have criticised government policy.

As per Grover, some of the websites and URLs reported to have been blocked at some point include the sites of human rights groups such as arabhra-.org, www.protectioninternational.org and www.drugsense.org.Also blocked were a site on feminism (feminist.org), the website of an environmental organisation (wedo.org) and a blog by activist Irom Sharmila (iromsharmilachanu.wordpress.com).

“Many blockades, when brought to the notice of courts, were revoked, but the URLs still remain inaccessible. The bigger problem is that of getting the list of blocked URLs,” Grover told ET.

'Restricting the Right to Receive Information'

A MeitY official, however, said no website is blocked arbitrarily. “No government machinery can order (blocking of a URL) without valid reason and without following valid procedure. And the only procedure available to us is (Section) 69A and 79 (of the IT Act). Rest is a court order,” the senior MeitY official, who did not want to be identified, told ET.

“Valid procedure is (Section) 69A, where we can order. But in addition there is (Section) 79, where notice is issued for any illegal activity happening on any platform. This notice can be issued by the appropriate government department. And the intermediary platform is free to agree to it or disagree,” the official said, adding that every complaint received against a website is considered individually.

Section 69A of the IT Act empowers the Centre to block websites in the interest of national security. Section 79 empowers the government to issue a notice to an intermediary to remove any content that it finds illegal.

A MeitY spokesperson could not respond immediately to ET’s emailed queries on the issue.

Grover of CIS said there was no way to determine if a website was blocked by the government or an ISP, unless a government order for the blocking was available.
For instance, last month, several users of the messenger service Telegram and music sharing website SoundCloud had reported that these websites had been blocked by Reliance Jio, according to the Internet Freedom Foundation.

Reliance Jio did not respond to queries from ET.

Internet Freedom Foundation’s executive director Apar Gupta expressed concern over the lack of information regarding reasons for blocking URLs.

“This is very worrying because it’s a secretive process that prevents the public from accessing a website, which restricts the right to receive information — a part of the fundamental right to freedom of speech and information,” he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-6-2019-tushar-kaushik-website-not-found-pop-ups-leave-net-activists-fuming

'Pakistan' hackers target India's top police agency

praskrishna — 2011-04-02T01:26:57Z

Cyber-attackers who identified themselves as the "Pakistan Cyber Army" have hacked the website of India's top police agency, officials said on Saturday. The website of the Central Bureau of Investigation (CBI) was hacked by programmers who left a message saying that the attack was in revenge for similar Indian assaults on Pakistani sites, Press Trust of India said. The hackers signed their message on the Indian police website: "Long Live Pakistan."

CBI authorities said they were working to restore the site, which offered information to the public.

The spokeswoman said she could not comment on Indian media reports that more than 200 other Indian sites had also been attacked by Pakistani hackers.

"We came to know the CBI site had been compromised Friday night," the spokeswoman told AFP, asking not to be named. "It will take us a couple of days to restore the site."

She said she could not immediately say who was responsible for the attack.

The CBI has "registered a case" and is investigating the attack, she said.

The message posted on the CBI site said the attack was "in response to the Pakistani websites hacked by 'Indian Cyber Army'," the Press Trust of India (PTI) reported.

"Hacked hahaa funny," the message said. "Let us see what you investigating agency so called CBI can do" (sic).

Hackers had also infiltrated the server of the National Informatics Centre (NIC), which maintains most of the government's websites, PTI reported.

In August, a group also calling itself the "Pakistan Cyber Army" hacked into the website of independent Indian MP Vijay Mallya, a flamboyant liquor baron, who is also head of Kingfisher Airlines.

The group claims to have hacked a number of Indian websites in recent years, including India's state-run Oil and Natural Gas Corporation, in retaliation for Indian hackers accessing Pakistan sites.

Indian IT specialists have long lamented what they say is a lack of awareness about Internet security across the country, including in the corridors of power.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said it would have been easy for attackers to get into the CBI public site as it was "not a particularly sensitive" one.

The Indian government "has a very low level of cyber awareness and cyber security. We don't take cyber security as seriously as the rest of the world," he said.

He added that the government needed to "make at least 10 times the current level of investment to get their standards to match the rest of the world."

According to the Indian Computer Emergency Response Team, a government agency that tracks IT security issues, more than 3,600 Indian websites were hacked in the first six months of this year.

Read the original news here

For more details visit https://cis-india.org/news/police-agency-targetted