We are anonymous, we are legion

The Phishing Society: Why 'Facebook' is more Dangerous than the Government Spying on You - A Talk by Maria Xynou

maria — 2013-09-27T09:16:19Z

Next Wednesday, you are all invited to listen to Maria Xynou's crazy - or not-so-crazy theory of the "Phishing Society", in which surveillance, control and oppression is not imposed in a traditional top-down manner, but rather a personal and collective "choice"...come and engage in a heated debate!

We have read and heard a lot of theories on the contemporary "Surveillance Society"...but how much of that is about surveillance per se? Are we being spied on a top-down manner...or are we enabling our own surveillance? Have the masses ever directly or indirectly "pursued" their own surveillance in the past...or are we witnessing a new phenomenon in history?

Most geeks would probably agree that the term "phishing" is used to describe the act of attempting to acquire sensitive information, such as usernames, passwords, private encryption keys and credit card details, by masquerading as a trustworthy entity. In other words, "phishing" is commonly used to describe the acquisition of sensitive, personal data through the use of bait.

The aim of the talk on Wednesday is to discuss the possible existence of a "Phishing Society", through which the act of providing bait — whether it being security, commodities, services or relationships — is a common, contemporary practice on a social, political and economic level in the pursuit of the "Gold of the Digital Age": personal data. Through this discussion, the "Government spying vs. Corporate spying" debate will be looked at, in an attempt to understand why the dynamics of surveillance have changed over the last year.

Everyone with an open mind is welcome to attend this talk and to share all opinions, ideas and concerns!

Video

For more details visit https://cis-india.org/internet-governance/events/the-phishing-society-a-talk-by-maria-xynou

The Phantom Public: The Role of Social Media in Democracy

Admin — 2019-05-01T05:09:19Z

Amber Sinha delivered an open lecture at Ambedkar University, New Delhi on 3 April 2019.

India has over 500 million internet users — over a third of its total population — making it the country with the second largest number of Internet users after China. For the world’s largest democracy, the Internet should be a boon. After all, Sir Tim Berners-Lee, the inventor of the world wide web, had envisioned the Internet to as an “open platform that allows anyone to share information, access opportunities and collaborate across geographical boundaries.” The democratization of information it facilitated should have led to a more informed citizenry, but instead what we have is the complete opposite. The average digital citizen in India maintains a near perpetual information illiteracy about where they receive news and information from, whether or not it is true and how it is intended to manipulate them. This is, in large part, because social media has become the primary source of information.

The problems of the public, how it may get access to meaningful information, how it organises itself, and how public opinion is shaped are now deeply impacted by the rise of social media and messaging platforms as political tools of targeting, gathering and organising. How this new media thwarts and enables the goals of the public in India at present is the primary subject matter of this talk. We will cover a range of issues such as fake news and hate speech on social media, the use Facebook by Cambridge Analytica in elections, and how online platforms are governed, particularly with a view towards elections.

For more details visit https://cis-india.org/internet-governance/news/the-phantom-public-the-role-of-social-media-in-democracy

The Personal Data (Protection) Bill, 2013

prachi — 2013-08-30T14:53:11Z

Below is the text of the Personal Data (Protection) Bill, 2013 as discussed at the 6th Privacy Roundtable, New Delhi held on 24 August 2013. Note: This version of the Bill caters only to the Personal Data regime. The surveillance and privacy of communications regime was not discussed at the 6th Privacy Roundtable.

For more details visit https://cis-india.org/internet-governance/blog/the-personal-data-protection-bill-2013

The Perils of 'Hactivism'

Chinmayi Arun — 2012-08-20T09:58:55Z

Civil disobedience includes accepting the penalty for breaking the law. Untraceable hackers are far removed from this ethic.

Chinmayi Arun's article was published in LiveMint on August 20, 2012.

Earlier this year, India had an encounter with “Anonymous”, a diffuse alliance of what are commonly (and incorrectly) called hackers. In its much-publicized “Operation India”, Anonymous blocked public access to, hacked and defaced various websites in protest against the rising censorship of the Internet. This is a legitimate political cause. However, a movement cannot be judged purely by the legitimacy of its goals, and it is important to consider the legitimacy of the means used to achieve these goals.

Anonymous used distributed denial of service (DDoS) attacks to submerge, albeit temporarily, many websites. The DDoS attack bombards the target website with more user requests than it can bear, until it becomes unavailable to all others. Many compare this to picketing, and use the term “virtual sit-in” for it. The DDoS attack does not breach a website’s security, and is therefore not hacking (more correctly called “cracking”). In contrast, defacement of websites, deletion of data or leaking restricted data, entails hacking, which involves breaching a website’s security and is more analogous to breaking and entering physical premises. Anonymous has done this too in India—defacing some websites and leaking confidential data from others.

There are a few crucial differences between picketing as civil disobedience, and the DDoS attack. One is that picketing requires many people to come together and sit in protest. One or two peace protesters cannot successfully block a road. Although there was a time when DDoS attacks also required a large number of people to bombard the target, they can now be achieved by one person with the technological skills to “fire” a large number of computers at the target website.Therefore, a DDoS attack no longer implies that a sizeable section of the public cares enough to be part of a virtual sit-in.

The second difference between DDoS attacks and civil disobedience lies in the “hacktivists” unwillingness to be accountable. Martin Luther King and Gandhi made it clear that civil disobedience includes accepting the penalty for breaking the law. Faceless untraceable hackers are far removed from this ethic. While it is true that they risk harsh reprisal if identified, the legitimacy and heroic aura of civil disobedience comes from the willingness to risk that reprisal.

It may therefore be difficult to argue that even the DDoS attacks by Anonymous qualify as civil disobedience, which arguably is the most legitimate of the spectrum of options available to a political dissident. If political activists use varied and escalating tactics in the physical world, “hacktivists” use strategies ranging from DDoS to more intrusive defacement, disabling and leaking of data to draw attention to political causes. The legitimacy of these methods—the proportionality and justification of harm caused—can only be determined with reference to particular contexts. One has to evaluate the threat necessitating activism, innocent casualties of the activists’ actions and whether less harmful strategies have already been explored. This is difficult. For instance, the indirect repercussions of a DDoS attack or leaking data may not be apparent at first glance.

Anonymous tried setting boundaries to avoid harming innocent citizens during Operation India. It declared that infrastructure websites such as the railway booking portal were not to be attacked, and it prevented disclosure of sensitive financial information when a cinema tickets database was hacked. These precautions, though laudable, are however not quite enough. The influential members of Anonymous cannot successfully identify every action that may cause public harm. For instance, when Anonymous attacked the Supreme Court of India and the Reserve Bank of India websites, it seemed ignorant of the potential impact on litigants and the economy. When it leaked confidential police records, it seemed unaware of the significant hazards of leaking people’s names, addresses and other private data. The precautions taken by Anonymous may vanish next time, since the loosely knit, ever-changing nature of Anonymous community means that power and influence can shift; splinter groups with fewer scruples can emerge. Anonymous cannot achieve the control and accountability possible in a more tangible organized group.

This collective operates under disturbingly low levels of transparency and accountability, greatly exacerbated by its ability to veil itself in the shadows of the Internet. New recruits are sometimes endangered by misleading information about the legality and consequences of joining in DDoS attacks. Guerilla warfare is often used without properly exploring more peaceable means, thanks to the power and revenge mob-ethic by which Anonymous is driven. The use of technological arsenal to launch cyber-attacks ignores the likelihood of escalation— “hacktivists” tend to forget that technology is a neutral tool that governments can also use. The government may counter-attack, using its considerable resources to acquire the necessary technological capacity. Citizens may end up being the casualties of the exchange.

Phase one of Operation India was riddled with moral ambiguity. If OpIndia participants wish to show the world that they are more than bored nerds playing at a social movement like it is a video game, with all the accompanying air-punching, adrenaline boosting, self-aggrandising thrills, they will ensure that phase two’s constructive and legitimate Right to Information campaign is a roaring success.

Chinmayi Arun is an assistant professor of law at National Law University, Delhi and a Fellow at the Centre for Internet and Society, Bangalore

For more details visit https://cis-india.org/internet-governance/www-livemint-com-chinmayi-arun-aug-20-2012-perils-of-hactivism

The Perils and Prospects of Bringing the Next Billion Online

praskrishna — 2015-08-23T08:04:01Z

Sunil Abraham is the executive director of the Centre for Internet & Society, Bangalore. In his PDF talk, he explains the fight for net neutrality in India and how many solutions fall under the category of walled garden.

Video

For more see Personal Democracy Media

For more details visit https://cis-india.org/internet-governance/news/perils-and-prospects-of-bringing-next-billion-online

The PDP Bill 2019 Through the Lens of Privacy by Design

2020-11-13T07:51:03Z

This paper evaluates the PDP Bill based on the Privacy by Design approach. It examines the implications of Bill in terms of the data ecosystem it may lead to, and the visual interface design in digital platforms. This paper focuses on the notice and consent communication suggested by the Bill, and the role and accountability of design in its interpretation.

Background

The Personal Data Protection (PDP) Bill, 2019 was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology. The Bill aims to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same [1]. The PDP Bill, 2019 contains several clauses that have implications on the visual design of digital products. These include the specific requirements for communication of notice and consent at various stages of the product. The Bill also introduces the Privacy by Design policy. Privacy by Design (PbD), as a concept, was proposed by Ann Cavoukian in the 1990s, with the purpose of approaching privacy from a design-thinking perspective [2]. She describes this perspective to be holistic, interdisciplinary, integrative, and innovative. The approach suggests that privacy must be incorporated into networked data systems and technologies, by default [3]. It challenges the practice of enhancing privacy as an afterthought. It expects privacy to be a default setting, and a proactive (not reactive) measure that would be embedded into a design in its initial stage and throughout the life cycle of the product [4]. While PbD is a conceptual framework, it’s application can change the way digital platforms are created and the way in which people interact with them. From devising a business model, to making technological decisions, PbD principles can make privacy integral to the processes and standards of a digital platform.

The PDP Bill states that data fiduciaries are required to prepare a Privacy by Design policy and have it certified by the Data Protection Authority. According to the Bill, the policy would contain the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal [5]. It would mention if the technology used in the processing of personal data is in accordance with the certified standards. It would also comprise of the ways in which privacy is being protected throughout the stages of processing of personal data, and that the interest of the individual is accounted for in each of these stages. Once certified by the Data Protection Authority, the data fiduciaries are also required to publish this policy on their website [6]. This forces the data fiduciaries to envision privacy as a fundamental requirement and not an afterthought. Such a policy would have a huge impact in the way digital platforms are conceptualised, both from the technological and the design point of view. The adoption of this policy by digital platforms would enable people to know if their privacy is protected by the companies, and what are the various steps being taken for this purpose. Besides the explicit Privacy by Design policy, the PDP Bill, 2019, also recommends the regulations for data minimisation, establishment of the Data Protection Authority (DPA), and the development of a consent framework. These steps are also part of the Privacy by Design approach.

This paper evaluates the PDP Bill based on the Privacy by Design approach. The Bill’s scope includes both the conceptual and technological aspects of a digital platform, as well as the interface aspect that the individual using the platform faces. The paper will hence analyse how PbD approach is reflected in both these aspects. At the conceptual level, it will look at the data ecosystem that the Bill unwittingly creates, and at the interface level, it will critically analyse the Bill’s implication on the notice and consent communication in the digital products. This includes the several points of communication or touchpoints between a company and an individual using their service, as dictated by the Bill, and how they would translate into visual design. Visual design forms an integral part of digital platforms. It is the way in which the platforms interact with the individuals. The choices made by individuals are largely driven by the visual structuring and presentation of information on these platforms. Presently, the interface design in several platforms is being used to perpetuate unethical data practices in the form of dark patterns. Dark Patterns are deceptive user interface interactions, designed to mislead or trick users to make them do something they don’t want to do [7]. The design of the notice and consent touchpoints can significantly influence the enforcement of this Bill, and how it benefits individuals. Moreover, digital platforms may technically follow the regulations but can still be manipulative through their interface design. Thus, the role and accountability of design becomes crucial in the interpretation of the data protection regulations.

The full paper can be read here.

[1] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[2] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[3] https://iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf

[4] https://www.smashingmagazine.com/2019/04/privacy-ux-aware-design-framework/

[5] http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf

[6] https://sflc.in/key-changes-personal-data-protection-bill-2019-srikrishna-committee-draft

[7] https://uxdesign.cc/dark-patterns-in-ux-design-7009a83b233c

For more details visit https://cis-india.org/internet-governance/blog/the-pdp-bill-2019-through-the-lens-of-privacy-by-design

The Panama Papers and the question of privacy

praskrishna — 2016-04-24T14:03:35Z

This statement was originally published on privacyinternational.org on 4 April 2016.

Read the entry by Claire Lauterbach published in Big News Network on April 6, 2016. Sunil Abraham was quoted.

We do agree with Ramon Fonseca about one thing: that "Each person has a right to privacy, whether they are a king or a beggar."

But that's where our commonality with co-founder of disgraced Panama law firm Mossack Fonseca ends.

Last year, a whistleblower leaked 11.5 million documents about the firm's business brokering offshore companies, details of which were published yesterday. Reportedly the largest leak in journalistic history, the cache reveals hidden assets by a dozen current and former world leaders, and scores of celebrities and tycoons, some of which are linked to high level corruption scandals.

This scandal isn't about privacy, though. If anything, it's about the need for transparency about how the powerful wield their power. We need transparency - and good solid investigation - to understand where and how our right to privacy is eroded.

Privacy and transparency are not opposites. They are two sides of the same coin. As privacy advocates, we use transparency capabilities to investigate surveillance. Meanwhile, privacy as a right requires transparency from the institutions that gather and use our data.

Privacy International, like other human rights groups, conducts investigations in the public interest. That allows us to understand, for example, how Colombia built a shadow surveillance system despite evidence of illegal interceptions, or how UK police appear to be collecting private communications data at protests, according to a Vice News investigation.

Many of the Panama Papers' revelations are in the public interest insofar as they concern the transformation of public assets - like taxpayers' money and state funds - into private gains, and allow the powerful to avoid scrutiny. Privacy and transparency are not opposites. They are two sides of the same coin.

Fonseca called journalism around the leaked files an "international campaign against privacy".

But what Fonseca is really doing is advocating a status quo of 'privacy for the kings, and transparency for the beggars'. Or rather, privacy for the business moguls, politicians, corporations and government agencies, and transparency for the citizens, consumers, activists and journalists.

For the public, our financial systems are now surveiled by design. Our transactions are labelled as suspicious and sent for mining by intelligence agencies. We need IDs to open accounts, and our records are profiled by credit agencies who facilitate key decisions about us and our families. Secretive institutions collate this information to decide whether or not we are terrorists. While a certain degree of this is necessary for public order, what's clear is that we are watched while the 'kings' are able to circumvent many of these measures and escape scrutiny. We should never make the mistake of conflating the right to privacy for the individual with the desire to hide shadowy, ethically dubious, borderline-or-actual illegal activity for the immensely wealthy and powerful.

The real issues around privacy include: the spreading of draconian laws, from the UK, to Pakistan, to Kenya, that sanction warrantless surveillance and online monitoring, with insufficient protection for the public. It's the intrusive biometric registration of some of the most desperate people, like refugees from Dadaab to Calais, desperate for food and medical care. It's the instrumentalisation of consumer data to draw conclusions about us, with or without our consent. It's also the parallel trend of rolling back Freedom of Information laws (see: UK and United States). And, as the Panama Papers show, it is allowing transfers of public funds for private gain to be obscured.

That is the real "campaign against privacy" - not public interest journalism.

As our friend and partner Sunil Abraham, Executive Director of the Centre for Internet and Society in India states succinctly, the right to privacy should "be inversely proportionate to power and almost conversely the requirement of transparency to be directly proportionate to power."

For more details visit https://cis-india.org/internet-governance/news/big-news-network-april-6-2016-claire-lauterbach-panama-papers-and-question-of-privacy

The Omnishambles of UID, shrouded in its RTI opacity

elonnai — 2013-02-19T11:04:30Z

The Centre for Internet & Society sponsored Colonel Mathew Thomas to hold a workshop at the fourth National Right to Information (RTI) organized by the National Campaign for People's Right to Information, held in Hyderabad from February 15 to 18, 2013.

Click below to see Colonel Mathew Thomas's presentation

Omnishambles of UID Shrouded in its Opacity

For more details visit https://cis-india.org/internet-governance/blog/omnishambles-of-uid-shrouded-in-its-rti-opacity

The noose tightens on freedom of speech on the Internet

praskrishna — 2015-03-27T01:06:52Z

A WORRYING trend has emerged in the last few years, where intermediaries around the world are being used as chokepoints to restrict freedom of expression online, and to hold users accountable for content.

The blog post by Gabey Goh was published by Digital News Asia on March 26, 2015. Jyoti Panday gave her inputs.

“All communication across the Internet is facilitated by intermediaries: Service providers, social networks, search engines, and more,” said Electronic Frontier Foundation (EFF) senior global policy analyst Jeremy Malcolm.

“These services are all routinely asked to take down content, and their policies for responding are often muddled, heavy-handed, or inconsistent.

“That results in censorship and the limiting of people’s rights,” he told Digital News Asia (DNA) on the sidelines of RightsCon, an Internet and human rights conference hosted in Manila from March 24-25.

This year, the government of France is moving to implement regulation that makes Internet operators ‘accomplices’ of hate-speech offences if they host extremist messages.

In February, the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) urged ICANN (the Internet Corporation for Assigned Names and Numbers) to ensure that domain name registries and registrars “investigate copyright abuse complaints and respond appropriately.”

Closer to home, the Malaysian Government passed a controversial amendment to the Evidence Act 1950 – Section 114A – back in 2012.

Under Section 114A, an Internet user is deemed the publisher of any online content unless proven otherwise. The new legislation also makes individuals and those who administer, operate or provide spaces for online community forums, blogging and hosting services, liable for content published through their services.

Due to the potential negative impact on freedom of expression, a roadmap called the Manila Principles on Internet Liability was launched during RightsCon.

The EFF, Centre for Internet Society India, Article 19, and other global partners unveiled the principles, whose framework outlines clear, fair requirements for content removal requests and details how to minimise the damage a takedown can do.

For example, if content is restricted because it’s unlawful in one country or region, then the scope of the restriction should be geographically limited as well.

The principles also urge adoption of laws shielding intermediaries from liability for third-party content, which encourages the creation of platforms that allow for online discussion and debate about controversial issues.

“Our goal is to protect everyone’s freedom of expression with a framework of safeguards and best practices for responding to requests for content removal,” said Malcolm.

Jyoti Panday from the Centre for Internet and Society India noted that people ask for expression to be removed from the Internet for various reasons, good and bad, claiming the authority of myriad local and national laws.

“It’s easy for important, lawful content to get caught in the crossfire. We hope these principles empower everyone – from governments and intermediaries, to the public – to fight back when online expression is censored,” she said.

The Manila Principles can be summarised in six key points:

Intermediaries should be shielded by law from liability for third-party content.

Content must not be required to be restricted without an order by a judicial authority.

Requests for restrictions of content must be clear, be unambiguous, and follow due process.

Laws and content restriction orders and practices must comply with the tests of necessity and proportionality.

Laws and content restriction policies and practices must respect due process.

Transparency and accountability must be built in to laws and content restriction policies and practices.

“Right now, different countries have differing levels of protection when it comes to intermediary liability, and we’re saying that there should be expansive protection across all content,” said Malcolm (pic).

“In addition, there is no logic in distinguishing between intellectual property (IP) and other forms of content as in the case in the United States for example, where under Section 230 of the Communications Decency Act, intermediaries are not liable for third party content but that doesn’t apply to IP,” he added.

The Manila Principles have two main targets: Governments and intermediaries themselves. The coalition, led by EFF, will be approaching governments to present the document and discuss the recommendations on how best to establish an intermediary liability regime.

This includes immunising intermediaries from liability and requiring a court order before any content can be taken down.

With intermediaries, the list includes companies such as Facebook, Twitter and Google, to discuss establishing transparency, responsibility and accountability in any actions taken.

“We recognise that a lot of the time, intermediaries are not waiting for a court order before taking down content, and we’re telling them to avoid removing content unless there is a sufficiently good reason and users have been notified and presented that reason,” said Malcolm.

The overall aim with the Manila Principles is to influence policy changes for the better.

Malcolm pointed out that by coincidence, some encouraging developments have taken place in India. On the same day the principles were released, the Indian Supreme Court struck down the notorious Section 66A of the country’s Information Technology Act.

Since 2009, the law had allowed both criminal charges against users and the removal of content by intermediaries based on vague allegations that the content was “grossly offensive or has menacing character,” or that false information was posted “for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.”

Calling it a “landmark decision”, Malcolm noted that the case shows why the establishment and promotion of the Manila Principles are important.

“Not only is the potential overreach of this provision obvious on its face, but it was, in practice, misused to quell legitimate discussion online, including in the case of the plaintiffs in that case – two young women, one of whom made an innocuous Facebook post mildly critical of government officials, and the other who ‘liked’ it,” he said.

The court however, upheld section 69A of the Act, which allows the Government to block online content; and Section 79(3), which makes intermediaries such as YouTube or Facebook liable for not complying with government orders for censorship of content.

Gabey Goh reports from RightsCon in Manila at the kind invitation of the South-East Asian Press Alliance or Seapa.

For more details visit https://cis-india.org/internet-governance/news/digital-news-asia-gabey-goh-march-26-2015-noose-tightens-on-freedom-of-speech-on-internet

The Niira Radia Tapes: Scrutinizing the Snoopers

praskrishna — 2011-04-02T07:29:21Z

There’s been plenty of outrage in India over taped phone calls between corporate lobbyist Niira Radia and local journalists, revealing what some people believe is evidence that star reporters at the country’s newspapers and TV channels are too cozy with the subjects they’re supposed to be reporting on.

Amid that firestorm, though, there’s been much less scrutiny of why and how the wiretaps happened in the first place, whether they were justified or a governmental overreach, and how these infamous tapes got from the government into the hands of media companies.

Here are just a few questions that merit more consideration: Who orders telephone surveillance in India and on what grounds? How often is it done? What protections are in place to ensure government officials don’t abuse their surveillance authority to settle scores with journalists, corporate officials or ordinary citizens they have a beef with?

The quick answer to all of these: India trusts its bureaucrats to do the right thing. The central government’s Home Secretary, along with some intelligence agencies and state officials, has the authority to approve wiretaps. Unlike in the U.S. and other countries, where investigators must generally obtain court warrants for surveillance to pursue matters ranging from drug-trafficking to insider trading, in India there is no such legal tradition or rule.

“There is no oversight infrastructure, either in parliament or in the judiciary,” said Sunil Abraham, executive director of the Bangalore-based Center for Internet and Society. There is only “post facto” protection in the sense that you can sue the government later if you feel you were wrongly wiretapped, he said.

According to local media reports, industrial giant Ratan Tata on Monday petitioned the Supreme Court over the leaking of the tapes, on which he is heard bantering with Ms. Radia (his lobbyist) about a range of topics related to the $70 billion Tata Group. The reports say he feels the episode violated his privacy and wants the leakers to be punished. (While there’s no explicit constitutional protection of privacy in India, the Supreme Court in some cases has held it is covered by Article 21 of the Constitution, which says, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”)

A report in the Economic Times Monday said government is going to investigate the leak. A Home Ministry spokesman declined to comment on whether an inquiry has been launched but said India’s system of allowing a handful of security and intelligence officials to approve or deny wiretaps sufficiently guards Indian citizens’ privacy. “It isn’t an unchecked kind of thing, that anyone can just do it,” the spokesman said.

India draws its wiretap authority from a few laws, including the 1885 Telegraph Act and a separate information technology law enacted in 2000 and amended in 2008. The government can tap phones or intercept emails for reasons such as “any public emergency” or “in the interest of the public safety” – pretty broad language that gives a lot of leeway to bureaucrats, critics say.

A report in the Hindu last week claimed that more than 5,000 Indian phones are being bugged daily, citing anonymous sources. Mr. Abraham, of the Center for Internet and Society, says that breadth of surveillance in a country of 1.2 billion people wouldn’t be unreasonable. But his organization is planning a Right to Information request to find out more about the scope of government wiretapping.

The government may have had good reasons to conduct the wiretaps of Ms. Radia, which local media reports say were done by the income tax department for two four-month stints in 2008 and 2009, during which time they reportedly logged 5,851 calls.

The income tax agency hasn’t stated publicly what the rationale was and its officials declined to comment Monday.

Media reports suggest that the material was supposed to help probe the irregular allocation of mobile phone spectrum in 2008 to several Indian telecom firms. (The official in charge of that allocation, A. Raja, resigned as telecom minister Nov. 14 amid charges that he rigged the process to favor some companies over others.)

But much of the content in the several hours of so-called “2G tapes” that have leaked to Indian news organizations has little or nothing to do with taxes or 2G spectrum. There’s talk of the billionaire Ambani brothers’ natural gas pricing dispute, mining policy, a dog who is named Google because he is good at finding things, which corporate honchos are easy to get on the phone, and plenty of titillating exchanges between New Delhi’s power brokers on the politics of cabinet appointments. Some pretty top-notch gossip, in other words.

To be sure, the content on the tapes does raise disturbing and serious questions about whether some elements of the Indian media carry water for particular government ministers or corporations. And it pulls the veil back on how the titans of Indian business and politics shape policy away from the public spotlight, as Siddharth Varadarajan explained in Monday’s edition of the Hindu when he made a clever analogy to the movie The Matrix. (We’ve separately parsed the contents of some of the tapes for their potential significance.)

But it’s still worth asking tough questions about the legal and ethical foundations of wiretapping citizens, because, as Indian civil liberties expert Lawrence Liang said in an email, “if this can happen to a Nira Radia, then it can easily be used for a Nida Nobody.”

Update, 5:09 p.m.: “A Home Ministry spokesman confirmed the ministry has asked the Intelligence Bureau and Central Board of Direct Taxes to conduct a probe into the leak.”

Read the original in Wall Street Journal

For more details visit https://cis-india.org/news/niira-radia-tapes

The new tattler in town

praskrishna — 2015-09-26T16:31:00Z

WhatsApp messages, and in particular ‘admins’ of WhatsApp groups come under pressure as rumour-mongering catches the attention of the police.

The article by P. Anima was published in the Hindu Businessline on August 28, 2015. Sunil Abraham was quoted.

In early August, Solapur in southeast Maharashtra was gripped by a strange fear. Like most small towns, Solapur rarely makes the headlines except when drought deepens. That changed as alarmed villagers in almost all of the district’s 11 tehsils camped outdoors day and night, on the look out for an unseen enemy. “In the bastis (villages), residents kept night vigils, sitting around a fire,” Deepak Homkar, a local journalist, recalls. Rumours were flying thick — of theft, widespread looting and possible kidnapping of children. And all of it over WhatsApp, the instant messaging app. Similar scenes were reported from Ahmedabad a month earlier. Rumours of dacoity and terrorist attacks spread panic in areas around Ahmedabad. Arrests were made of those who had allegedly sent fear-mongering texts, but the damage had already been done.

With over 800 million, and growing, active users worldwide, WhatsApp is popular among the 160 million smartphone users in India too. Neatly slotting lives into groups of friends, work and family, it allows users to flit in and out of interactions. But a fair amount of trouble-making is also springing up from the app.

In Solapur, the police tasked with putting the rumours to an end had visited bastis, narrowed down the suspected smartphone users and randomly checked their WhatsApp messages. “We found these rumours on some, not other [phones],” says a police official. After 36 hours of search, 16 young men were held under IPC 505 1(B) for spreading alarm and fear in Pandharpur tehsil alone. It included those who allegedly sent the message and several ‘admins’ (those who open and manage the group accounts). After being questioned and warned against repeating such texts, the men were let off.

The complicity of the WhatsApp admin, whether as a passive onlooker or whether they forwarded the messages themselves, remains hazy. “It is possible that some admins may have forwarded the text, but I spoke to at least one who was held only because he managed the group,” says Homkar.

Are the admins culpable in such situations? “Not at all,” say internet experts, if the admin has had nothing to do with the fear-mongering texts. But if the admin has forwarded a potentially harmful message, he/she is accountable like anyone else. “It is then an act done knowingly,” says Prasanth Sugathan, counsel at the Delhi-based Software Freedom Law Centre. “The act of forwarding makes you accountable. The burden of truth is on you,” he adds. Chinmayi Arun, research director at Centre for Communication Governance, National Law University, Delhi, pitches in, “Just being an inactive administrator of a large group, who may not be able to vet all of its content, is very different from forwarding rumours. People who forward rumours should be responsible enough to at least highlight their doubtful veracity.”

However, if the admin is unconnected to the group activities, he cannot be held for merely starting the group, they say. “Unless, of course, you have started it for an illegal activity or to cause an offence,” says Sunil Abraham, executive director of the Bengaluru-based The Centre for Internet and Society. The WhatsApp admin, they point out, is a mere intermediary. One who isn’t vested with any power, except to add or remove members from the group.

Twenty-three-year-old Hrishikesh, from Dhanbad, is currently admin in six groups. In three, he is one among multiple admins. He hardly keeps tab on the goings-on in this space and is not acquainted with all members, he says. “A WhatsApp admin has no control, no facility to moderate or tweak a message,” says Sugathan. Abraham trots out Section 79 of the IT Act. “It gives the admin immunity from liability that emerges from content posted by the members,” he says. The best way to track the original senders in such cases, he says, is to rope in the help of the telecom department, the other intermediary (in the case of WhatsApp, the owner Facebook) and blend it with some ‘old-fashioned’ detective work.

“Counter bad speech with good speech,” says Abraham, and that is often the best way to deal with rumour-mongering. Instances like those at Solapur and Ahmedabad have been rare, he reasons. “Such stuff can be dealt better with education rather than regulation. All types of nuisance shouldn’t be regulated. The cost of implementing new laws and training police personnel for it is not cheap. In these cases, SMSes from the police could go to every single mobile user in the district, telling them the rumours are false.”

Sugathan concurs with this. Facebook, radio and other mass media should be used by the police to quell rumours, he says. He points out that in the aftermath of the 2011 London riots, although social media was blamed for aggravating the situation, there were ample warnings against shutting it down during such times. “Blocking the medium is blocking an avenue for information. One cannot arrest each and every person. So educating people works better,” says Sugathan. Some like Abraham consider these hiccups inevitable in our evolving use of social media. A new technology is often considered sacrosanct and reliable. “From repeated exposure emerges critical understanding. It will take us another five years to know that Wikipedia is not the source of truth.”

For more details visit https://cis-india.org/internet-governance/news/the-hindu-businessline-august-28-p-anima-the-new-tattler-in-town

The New Right to Privacy Bill 2011 — A Blind Man's View of the Elephunt

Prashant Iyengar — 2012-02-29T05:45:41Z

Over the past few days various newspapers have reported the imminent introduction in Parliament, during the upcoming Monsoon session, of a Right to Privacy Bill. Since the text of this bill has not yet been made accessible to the public, this post attempts to grope its way – through guesswork – towards a picture of what the Bill might look like from a combined reading of all the newspaper accounts, writes Prashant Iyengar in this blog post which was posted on the Privacy India website on June 8, 2011.

I am relying entirely on the following three newspaper accounts in the Times of India, the Hindu and the Deccan Chronicle.

A Constitutional/Fundamental Right?

The Times of India piece which broke the story seems to have misunderstood/misquoted Law Minister Veerappa Moily. The article is titled “Right to privacy may become fundamental right” which connotes a constitutional amendment. However this is inconsistent with the later portions of the same article as well as subsequent newspaper accounts in DC and the Hindu. So its safe to assume that this will not be a fundamental right to privacy, but a statutory right to privacy – like what the Right to Information Act grants us.

Preamble

I’m extrapolating here from the Hindu article:

"To provide for such a right [of privacy] to citizens of India AND to regulate collection, maintenance, use and dissemination of their personal information."

So it’s an omnibus Privacy and Data Protection Law that’s being passed. How nice. This addresses some of the misgivings that we had last year against the "Approach Paper on Privacy" released by the Department of Personnel and Training.

Definition of ‘Right to Privacy’

The Hindu article appears to quote directly from the Bill.

Every individual shall have a right to his privacy — confidentiality of communication made to, or, by him — including his personal correspondence, telephone conversations, telegraph messages, postal, electronic mail and other modes of communication; confidentiality of his private or his family life; protection of his honour and good name; protection from search, detention or exposure of lawful communication between and among individuals; privacy from surveillance; confidentiality of his banking and financial transactions, medical and legal information and protection of data relating to individual.

This is a wonderfully expansive definition of the right to privacy which spans diverse areas including privacy of communications, reputational privacy, bodily/physical privacy, confidentiality, privacy of records and data protection. I’m especially pleased that this section does not limit this right to privacy only to claims against the state (as in the Right to Information Act).

The Deccan Chronicle article contains a slightly different definition of 'right to privacy' under the Bill. Here the right to privacy includes "confidentiality of communication, family life, bank and health records, protection of honour and good name and protection from use of photographs, fingerprints, DNA samples and other samples taken at police stations and other places."

This wording is slightly more granular, but less broad. I’m wondering if it is a part of the same section, or a different one entirely.

Interception

What is most interesting is the attempt made in this Bill at harmonization of interception rules across all modes of "communication". (Currently there are different rules/procedures that followed depending on the mode of communication used – Indian Post Act, Telegraph Act, IT Act.)

Here are some of the sweeping changes sought to be introduced:

The bill prohibits interception of communications except in certain cases with approval of Secretary-level officer – not below the rank of home secretary at the Central level and home secretaries in state governments
Mandatory destruction of intercepted material by the service provider within two months of discontinuance of interception.
Constitution of a Central Communication Interception Review Committee (CCIRC) to examine and review all interception orders passed (under all Acts?).
CCIRC empowered to order destruction of material intercepted under the Telgraph Act.
"unauthorised interception" (by whom?) punishable with a maximum of five years’ imprisonment, or a fine of Rs 1 lakh, or both, for each such interception. This makes it a cognizable, non-bailable offense.
Disclosure of legally intercepted communication by “government officials, employees of service providers and other persons” will be punishable with imprisonment up to three years. (It is unclear whether this will be a cognizable offence or not)

Data Protection

The Bill adds muscle to the newly introduced Data Protection Rules under the IT Act, by creating an overarching statutory regime for Data Protection.

Thus, the bill forbids "any person having a place of business in India but has data using equipment located in India" from collecting or processing, using or disclosing "any data relating to individual to any person without consent of such individual". I assume that there will be exceptions to this section. The wording of this section seems to preclude its application to the government (unless you can interpret the ‘government’ to mean ‘a person having a place of business in India’. I have no views on the likelihood of that argument.

The bill evidently authorizes the establishment of an oversight body called “Data Protection Authority of India” that will investigate complaints about alleged violations of data protection. The following appear to be the functions of this body

to monitor development in data processing and computer technology;
to examine law and to evaluate its effect on data protection
to give recommendations and to receive representations from members of the public on any matter generally affecting data protection.
to investigate any data security breach and issue orders to safeguard the security interests of affected individuals whose personal data has or is likely to have been compromised by such breach.

Video Surveillance

The bill includes a very interesting prohibition on "closed circuit television or other electronic or by any other mode", except in certain cases as per the specified procedure.

No further details are provided about the exceptions or the procedure and one expects the devil to be in the details.

Bodily Privacy

The bill prohibits "surveillance by following a person".

This innocuously worded provision has the potential to effect sweeping changes in the criminal administration of this country (if it is even applicable to the state police machinery) . Currently, Police Acts in the various states contain no provisions that enable a person to challenge the surveillance imposed on them. This new section could provide a powerful new shield to the victims of police harassment.

Impersonation and Financial Fraud

In a section apparently dealing with identity theft, the Bill criminalises inter alia "posing as another person when apprehended for a crime" and "using another’s identity to obtain credit, goods and services".

I think the first (at least) is unnecessary since it is already covered by the crime of Impersonation under the IPC.

Residual

A curious provision appears to be a fine imposed on “any persons who obtain any record of information concerning an individual from any officer of the government or agency under false pretext”. Such a person shall be punishable with a fine of up to Rs. 5 lakh.(unclear whether there is a term of imprisonment in addition).

It will be interesting to see how this section conflicts with the Right to Information under which no 'pretext' need be given to the public authority.

I also think it is ill-conceived to penalise the person obtaining the record of information – the government body in custody of the information should be made more responsible in scrutinizing the 'pretext' before handing over such information.

Tailpiece

That’s all I can make out from the three articles referenced. Looks like it’s going to be a really interesting bill. I’m optimistic about it for the sincere attempt it appears to make to grapple with the protean nature of Privacy concerns we encounter. Veerappa Moily has claimed that this bill will be introduced in the monsoon session in July but has also cautioned that "it’s difficult to commit the timeframe". I think we should make haste slowly with this Bill and hope that the Law Ministry will have the wisdom to solicit public comment before introducing it in Parliament.

I’d greatly appreciate someone sending me a copy of the bill if you have access to it.

Read the article published on the Privacy India website here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/new-right-to-privacy-bill

The new Internet watchdogs

praskrishna — 2012-06-17T08:18:15Z

The Government has taken a series of measures to control the Internet, but should it be doing so? This article by Ronendra Singh was published in the Hindu Business Line on June 12, 2012. Sunil Abraham is quoted in this.

In March 2011, the Indian Government banned several Web sites like Typepad, Mobango and Clickatell without warning. The ban had created a hue and cry amongst netizens, some even comparing Indian authorities to the Chinese iron wall.

But despite these protests, on December 5, 2011 the Government had several social media sites and internet companies, including Google, Facebook and Yahoo “prescreen user content from India and remove disparaging, inflammatory or defamatory content before it goes online”.

The next day, the Communication and Information Technology minister Kapil Sibal held a press conference to explain his action. “We have to take care of the sensibilities of our people,” Mr Sibal told reporters during the press conference on the lawn at his bungalow in New Delhi. “Cultural ethos is very important to us,” he said.

Since then top officials from the Indian units of Google, Microsoft, Yahoo and Facebook have had several meetings with Sibal. In one of the meetings, the Telecom Minister asked these companies to use humans to screen content, not technology.

Proposed rules

Amidst all this, the Government quietly moved a proposal in October 2011 that, if implemented, will have major ramifications on use of the Internet not just in India but across the world. India has moved a UN resolution seeking the creation of a 50-nation super body to regulate the Internet. India has argued for a radical shift from the present model of multi-stakeholder led decision-making, to a purely Government-run multilateral body.

In addition to this, the Communications Ministry headed by Sibal has notified new Information Technology (Intermediaries Guidelines) Rules, 2011 giving various guidelines to be observed by all internet related companies. The rules give sweeping powers to the Government to blank out “messages or communication of any information which is grossly offensive or menacing in nature.” The new rules do not, however, define what is offensive or menacing. Bloggers and netizens are worried that this may be used by the Government to pull down websites and articles critical of the Government. The fact that all this has come about around the time when the Anna Hazare campaigners have used the Internet to drum up support only raises more doubts over the Government's real intention.

Worrying moves

According to Sunil Abraham, Executive Director at the internet advocacy firm Centre for Internet and Society (CIS), all Governments across the world have reserved to themselves the right to block or take-down Internet services completely or specific content on specific services such as a page on a website.

But at the moment, the Indian Government is not following the letter of the law and bypassing judicial safeguards in its crackdown on political speech.

“This aggressive enforcement is also having a chilling effect on access to knowledge and freedom of expression,” Abraham told The Hindu Business Line.

Therefore the Government's sudden move to push the UN resolution without consulting stakeholders has taken many by surprise. There was some limited consultation but it definitely did not meet the current standards of multi-stakeholders being developed at the Internet Governance Forum (IGF), Internet Corporation for Assigned Names and Numbers (ICANN) and existing institutions focused on Internet governance.

Member of Parliament Rajeev Chandrasekhar has also written a letter to the Prime Minister recently saying India's refusal to withdraw its UN statement was disappointing. The worry is that countries with dubious records on human rights and democracy have publicly aligned their positions to that of India.

“Contrary to India's statement in the UN (October 2011) and at World Summit on the Information Society (May 2012), India's proposal for Inter-Governmental oversight of Internet is against the letter and spirit of the Tunis Agenda, 2005,” Chandrasekhar wrote in the letter.

The Tunis Agenda in 2005 – far from supporting a 50-member, Inter-Governmental body manned by bureaucrats/ politicians, neither envisages a separate entity nor a superior role for Governments in the governance of the Internet.

“In sharp contrast to the ‘mandate enshrined' in the Tunis Agenda, if India's proposal is accepted, civil society, academia, engineers, private sector and international organisations by design will be regulated to the fingers of an advisory role,” the Member of Parliament said.

Government officials are tight-lipped and did not reply to questions sent by The Hindu Business Line via email.

Read the original here

For more details visit https://cis-india.org/news/the-new-internet-watchdogs

The New Aadhaar Bill in Plain English

Amber Sinha, Vanya Rakesh and Vipul Kharbanda — 2016-03-11T04:41:38Z

We have put together a plain English version of the The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016

Chapter I. PRELIMINARY

Section 1

This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
It will be applicable in whole of India (except the state of Jammu and Kashmir).
It will become applicable on a date to be notified by the Central Government.

Section 2

“Aadhaar number” is the identification number issued to an individual under the Act;
“Aadhaar number holder” is the person who has been given an Aadhaar number;
“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);
“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;
“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;
“benefit” means any relief or payment which may be notified by the Central Government;
“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;
“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;
“Chairperson” means the Chairperson of the UIDAI;
“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;
“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;
“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;
“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;
“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;
“Member” includes the Chairperson and Member of the Authority appointed under section 12;
“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;
“prescribed” means prescribed by rules made by the Central Government under this Act;
“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;
“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;
“regulations” means the regulations made by the UIDAI under this Act;
“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;
“resident” means a person who has resided in India for atleast 182 days in the last twelve months before the date of application for enrolment;
“service” means any facility or assistance provided by the Central Government in any form;
“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.

Chapter II. ENROLMENT

Section 3

Every resident is entitled to get an Aadhaar number.
At the time of enrollment, the enrolling agency will inform the individual of the following details—

how their information will be used;
what type of entities the information will be shared with; and
that they have a right to see their information and also tell them how they can see their information.

After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.

Section 4

Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.
An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.
if adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.

Section 5

The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.

Section 6

The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.

Chapter III. AUTHENTICATION

Section 7

As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.

Section 8

The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fees for doing so.
Any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR;
The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.
The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.

Section 9

The Aadhaar number or its authentication will not be a proof of citizenship or domicile.

Section 10

The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.

Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA

Section 11

The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.
The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.
The head office of the UIDAI will be in New Delhi.
The UIDAI may establish its offices at other places in India.

Section 12

The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who to be appointed by the Central Government.

Section 13

The Chairperson and Members will be competent people with at least 10 years experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.

Section 14

The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.
The Chairperson and Members will take an oath of office and of secrecy.
The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.
The salaries and allowances of the Members and Chairperson will be prescribed under the government.

Section 15

The Central Government may remove a Chairperson or Member, who—
(a) has gone bankrupt;
(b) is physically or mentally unable to do his/her job;
(c) has been convicted of an offence involving moral turpitude;
(d) has a financial conflict of interest in performing his/her functions; or
(e) has abused his/her position so that the government needs to remove him/her in public interest.
The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction.

Section 16

An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—

to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;
to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;
to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or
to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.

Section 17

The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.

Section 18

The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.
The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.
The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.
The CEO will have administrative control over the officers and other employees of the Authority.

Section 19

The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.
The meetings will be presided by the Chairperson, and if they are absent, then the senior most Member of the UIDAI.
All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding the meeting will have the casting vote.
All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.
If any Member, who is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that member should disclose the financial interest and not take any further part in the discussions and decision on that matter.

Section 20

No actions or proceeding of the UIDAI will become invalid merely because of—

any vacancy in, or any defect in the constitution of, the UIDAI;
any defect in the appointment of a person as Chairperson or Member of the Authority; or
any irregularity in the procedure of the Authority not affecting the merits of the case.

Section 21

The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.
The salaries and allowances of the employees, officer and chief executive officer will be prescribed under the government.

Section 22.

Once the UIDAI is establishment—

all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.
all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;
all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and
all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.

Section 23

The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—

specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;
collecting demographic information and biometric information from people seeking Aadhaar numbers;
appointing of one or more entities to operate the CIDR;
generating and assigning Aadhaar numbers to individuals;
performing authentication of Aadhaar numbers;
maintaining and updating the information of individuals in the CIDR;
omitting and deactivating an Aadhaar number;
specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;
specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;
establishing, operating and maintaining of the CIDR;
sharing the information of Aadhaar number holders;
calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;
specifying processes relating to data management, security protocols and other technology safeguards under this Act;
specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;
levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;
appointing committees necessary to assist the Authority in discharge of its functions;
promoting research and development for advancement in biometrics and related areas;
making and specifying policies and practices for Registrars, enrolling agencies and other service providers;
setting up facilitation centres and grievance redressal mechanisms;
other powers and functions as prescribed.

The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.

Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT

Section 24

The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.

Section 25

Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India

Section 26

The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government
The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.
The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.
The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.

Section 27

The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.
The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.
The copy of the annual report will be laid before both houses of Parliament by the Central Government.

Chapter VI. PROTECTION OF INFORMATION

Section 28

The UIDAI will ensure the security and confidentiality of identity information and authentication records.
The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.
The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.
Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.
An Aadhaar number holders may request UIDAI to provide access his information (excluding the core biometric information) as per the regulations specified.

Section 29

The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication.
Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.
Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.
Aadhaar numbers or core biometric information will not be made public except as specified by regulations.

Section 30

All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.

Section 31

If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.
The identity information in the CIDR will not be altered, except as provided in this Act.

Section 32

The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.
Every Aadhaar number holder may obtain his authentication record as specified by regulations.
The UIDAI will not collect, keep or maintain any information about the purpose of authentication.

Section 33

The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.
The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.
An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.
Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.

Chapter VII. OFFENCES AND PENALTIES

Section 34

Impersonating or attempting to impersonate another person by providing false demographic or biometric information will punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.

Section 35

Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.

Section 36

Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 37

Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 38

The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:

accessing or securing access to the CIDR;
downloading, copying or extracting any data from the CIDR;
introducing or causing any virus or other contaminant into the CIDR;
damaging or causing damage to the data in the CIDR;
disrupting or causing disruption to access to CIDR;
causing denial of access to an authorised to the CIDR;
revealing information in breach of (D) in Section 28, or Section 29;
destruction, deletion or alteration of any files in the CIDR;
stealing, destruction, concealment or alteration of any source code used by the UIDAI.

Section 39

Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.

Section 40

Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 41

Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 42

Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Section 43

In case of an offence under Act committed by a Company, all person in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offense or that they had exercised all due diligence to prevent it.
In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.

Section 44

This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.

Section 45

Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.

Section 46

Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.

Section 47

Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.
No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.

Chapter VIII. MISCELLANEOUS

Section 48

Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency
Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office
Powers, functions and duties will be performed by person(s) authorised by the President.
Properties controlled and owned by UIDAI will vest in the Central Government.
Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.

Section 49

Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.

Section 50

Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.
The UIDAI will be given an opportunity to express views before direction is given.

Section 51

The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.

Section 52

No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.

Section 53

The Central Government has the power to makes Rules for matters prescribed under this provision.

Section 54

UIDAI has the power to make regulations for matters prescribed under this provision.

Section 55

Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.

Section 56

Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.

Section 57

This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

Section 58

The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.

Section 59

Action take by Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.

STATEMENT OF OBJECTS AND REASONS

Correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government
This has proved to be a major hindrance for successful implementation of these programmes.
In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries.
The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number.
Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.
With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.
It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

For more details visit https://cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english

The net is taking over

praskrishna — 2014-02-04T05:57:16Z

For many days to come, people will speculate what caused Sunanda Pushkar's death last week in a New Delhi hotel. Did Union minister Shashi Tharoor's wife die of poisoning or a drug overdose? Wasn't she unwell? Was it suicide? Or was it murder? No less a matter of speculation has been the social media's role in the whole affair.

The article by Veenu Sandhu and Surabhi Agarwal published in the Business Standard on January 24, 2014 quotes Sunil Abraham.

Writer Suketu Mehta has called it "murder by Twitter". Pushkar's very public spat with Mehr Tarar, a Pakistani journalist, on the micro-blogging site, many psychologists feel, may have multiplied her anguish. Apart from other things, Tarar had tweeted: "The blonde's aqal is weaker thn (sic) her grammar & spellings." Still others believe Pushkar had the premonition that end was near, and it was there for all to see on social media. "Hasta hua jayega," (will go laughing), she had tweeted a few days before her death.

Social media is no longer time-pass in the country, certainly not with over 90 million users. The line that divides online and offline lives has blurred. Networking sites have begun to impact human behaviour. Lives are being lived in the open: open to comment, analysis and abuse. Mahesh Murthy, the founder of digital brand management firm Pinstorm, calls it the "demise of the culture of secrecy". This is the age, he says, "of diversity, of coming out in the open with sexual preferences et cetera. Social media will help slaughter sacred cows. It is a good thing to happen, except for the sacred cows." According to Murthy, the pitfalls of uncensored speech are for those "who think they can control their lives or are insecure".

But pitfalls are showing up. Some time ago, a high-profile couple from Delhi approached marriage and family counsellor Nisha Khanna. Their problem was aggravated by the wife's obsession with Facebook, to the extent that she would put out everything, including the ups and downs of her relationship with her husband, as status messages for the consumption of her social media friends and acquaintances. The husband was livid - he felt exposed. It took six months of rigorous counselling before the wife started controlling, though marginally, her social media behaviour. "We are seeing obsession, irrationality and an inability to spot the very thick line that divides the private from the public," says Varkha Chulani, clinical psychologist, psychotherapist and consultant with Lilavati Hospital in Mumbai. People, she adds, are looking for Facebook 'like' buttons even in real life.

Feelings of extreme happiness, depression, loneliness and even suicidal thoughts are being shared not with family and friends but with Facebook 'connections' and Twitter 'followers'. Tweets or status updates that point to suicidal tendencies, in particular, can be telling. Some of these key expressions are "depressed", "feeling abused", "it's over" or "empty inside". A study - Tracking Suicide Risk Factors through Twitter - conducted in the US last year found a strong correlation between the number of tweets that indicated suicidal intentions and the number of suicides committed.

Having realised that the platform is also being used as a medium to vent and express personal trauma, Facebook has, for about a year, been sending reports on profiles of people with suicide risk to Mumbai-based suicide helpline Aasra. "In the last one year, we have received 350 such email intimations concerning Indians," says Aasra Director Johnson Thomas. Aasra then mails that person to subtly and sensitively convey that there is help at hand, in case it is needed. Facebook and Twitter did not offer any comment for this article.

Decoding Social Media Slang

I am an aggregator who has left a cookie crumb trail (while writing this) for a machine algorithm to follow. So, can it point out to my boss the scoops and their origin? In all probability, yes. For an all-devouring algorithm, no crumb, no target, is too small. Algorithms (at their core, a step-by-step method for doing a job) can sound scary, but social media analysts depend on these little-understood, obscure mathematical creatures.

So, information posted publicly on blogs, Facebook, Twitter, and other sites are fair game for these data predators. Suppose you click ‘like’ on Facebook, you’re giving away a lot more than you might think. Your ‘likes’ can be pieced together to form an eerily true portrait of yourself. A study of 58,000 volunteers by Michal Kosinski and David Stillwell (University of Cambridge) and Thore Graepel (Microsoft Research, Cambridge) charts the chances of an accurate prediction: 67 per cent for single versus in a relationship, 73 per cent for cigarette smoking, 70 per cent for alcohol drinking, 65 per cent for drug use, 88 per cent for male homosexuality, 75 per cent for female homosexuality, and 93 per cent for gender.

Another point is not all data out there are cold facts. Far from that, most are sentiments and slang: sweet, bitter and often intimate. “Wazup homie!! howz it going!!” is a profound example. “‘Yo, homie, I'll be at my house in case you want to come kick it later” is another. How is a number cruncher such as an algorithm expected to crunch slang and emotions? But experts insist there’s a bull market in sentiments and foul language. And an emerging field known as sentiment analysis is taking shape. The simplest algorithms here work by scanning keywords to categorise a statement as positive or negative, based on a simple binary analysis (‘love’ is good, ‘hate’ is bad). But a more reliable analysis requires decoding many linguistic shades of gray. For example, to get at the true intent of a statement like ‘dude, i'm like......duuuude,’ the software will have to activate several different filters, including polarity (is the statement positive or negative?), intensity (what is the degree of emotion being expressed?) and subjectivity (how partial or impartial is the source?)

“People first thought that emotions expressed on social media were just cute and stupid,” says Sreeju Thankan who has done computer science and engineering from the Indian Institute of Technology Roorkee and is now working at Mango Solutions. “Now, they are recognising it as a rich vein.” But translating slang into binary code can be much tougher. “Sentiments are different from conventional facts,” says Thankan. “There is a long way for slang patrol to go.” For casual web surfers, a simpler sentiment-analysis tool, Tweetfeel, is available. It tells you the numbers of positive and negative tweets on a given topic. It also gives you their percentages. Its analysis is based not just on emoticons, but also words and phrases.

Ashish Sharma

Last October in Mumbai, a 17-year-old college student, Aishwarya Dahiwal, killed herself after her parents barred her from using Facebook. "Is Facebook so bad? I cannot stay in a home with such restrictions as I can't live without Facebook," her suicide note reportedly read. The parents were in utter shock. "Girls are more prone to putting personal and emotional messages on social networking sites," says Manju Chhabra, child counsellor who runs an organisation called Cactus Lily in Delhi. And they tend to get more affected by what people say and how they react. "And comments on this very impersonal medium which we are giving a very personal space can be very cruel."

Seema Hingorrany, a Mumbai-based psychologist, says one of her recent patients is a girl studying in Class 9. Her friend from school had uploaded a photo of herself, which got 200 'likes'. That upset the patient terribly because it reinforced her belief that she was unattractive and she became extremely upset, to the extent that her parents felt she needed counselling. Constant use of Facebook can affect one's self-esteem, if it's already low. Another of Hingorrany's patient was a 30-year-old who took to social media after he lost his job. But seeing other people's photos and updates made him increasingly jealous, and he began posting nasty comments. The recipients of his ire began "unfriending" him, which only made him more withdrawn.

Irrational behaviour can also be seen in the world of random video chat. Sites like Omegle and Chatroulette aim to bring together surfers together with the help of webcams. The promise is irresistible: an endless stream of visitors in your room. When Ashish Sharma (the author of the accompanying article) logged on, he met a gaggle of girls who giggled endlessly, a German painter who was looking for his muse and wanted him to pose in a state of undress, a Swede who danced around and asked him to sing in praise of his bottom, and a man with an iron mask. It was crude and shocking. The excessively sexual behaviour can be unsettling for an unsuspecting (and young) visitor.

There is another side to it. "Twitter posts," says an article posted on rediff.com, "have saved lives. A man lost on a ski slope in Switzerland got help when he tweeted his predicament. Another got bail from arrest as his friends discovered from a tweet that he was jailed in a foreign country." Human resource managers check out the profiles of job applicants on social media. "People might mask many judgmental things in an interview; there is a possibility that they might express it on social media," says Debdas Sen, leader of technology consulting, PricewaterhouseCoopers. "Inclusion and diversity are important for us." But job seekers have become wise to it. That's why many airbrush their social media profiles. All politically incorrect posts are removed. Friends are treated lavishly offline so that they write nice posts on Facebook pages. Some even hire professional photographers for as much as Rs 20,000 to paste good profile pictures.

But those who hire have started to see through it. Says Murthy of Pinstrip, "One can easily figure out the truthfulness of your statements by seeing what your friends are saying." One human resource manager says he pays more attention to what people post after 10 pm because "it tends to be more truthful". A senior functionary of a Gurgaon-headquartered firm says that he had hired somebody after he had found nothing suspicious on his LinkedIn profile; it was only later he found out that this person had been involved in some financial misdemeanour in his earlier job. "His LinkedIn profile had no clues, he was not on Facebook. That should have struck me," he says. Of course, the person was asked to leave.

Sunil Abraham, the executive director of Bangalore-based Centre for Internet and Society, says social media has made people forget the distinction between private, semi-private and public statements. "Speech used to be ephemeral, but Internet has given it the power it never had," he says. "Internet never forgets." The fact that traces of a communication may remain in cyberspace even after they have been deleted has prompted a legislation called the Right to Erasure by the European Union. Under the law, earlier called Right to be Forgotten, an individual can request all his data to be erased, including by third parties. India is also mulling a similar legislation under its Privacy Bill.

Those at the bottom of the social pyramid, who have little to lose, express themselves most freely on social media, while those with reputations to protect are cautious. The consequences can be serious, as the Mumbai girl who questioned the city's shutdown after Bal Thackeray's death in November 2012 on Facebook and her friend who "liked" realised: both were called in by the police. It's not surprising why even standup comedians, who can't resist taking potshots at one and all, turn extremely careful before they tweet.

So, is social media good or bad? "Social media can help," Amartya Sen said at the recent Jaipur Literature Festival, "But you must read more books".

For more details visit https://cis-india.org/news/business-standard-january-24-2014-veenu-sandhu-surabhi-agarwal-the-net-is-taking-over