We are anonymous, we are legion

The law tries to catch up with tech

Admin — 2018-09-06T02:11:08Z

At his testimony before the U.S. Congress, Facebook CEO Mark Zuckerberg spoke about the upcoming elections in India.

The article by Arnika Thakur was published in Fortune India on May 22, 2018

“2018 is an incredibly important year for elections not just with the U.S. midterms, but around the world. There are important elections in India, in Brazil, in Mexico, in Pakistan, and in Hungary,” he said. “We want to make sure we do everything we can to protect the integrity of those elections.”

But is Zuckerberg’s assurance enough? Can Facebook truly ensure that there is no meddling in India’s general elections; political consulting firm Cambridge Analytica is accused of harvesting Facebook data of millions of people, and targeting them with ads designed to influence the Brexit referendum and the U.S. presidential election?

Instead, shouldn’t India proactively strengthen its data privacy laws?

India’s existing regulation on data protection—the Information Technology (IT) Act, 2000 in its original form, experts say, did not explicitly protect data. And even subsequent amendments were “retrofitting of the law”, says Sunil Abraham, executive director of the Centre for Internet & Society, a Bengaluru-based research and advocacy firm.

One amendment, Section 43-A, makes a “body corporate” possessing, dealing or handling any sensitive personal data or information liable to pay damages if it has been negligent in implementing and maintaining reasonable security practices, and thereby causing “wrongful loss or wrongful gain” to any person. The other amendment, Section 72-A, provides criminal remedy imprisonment of up to three years or a fine of up to Rs 5 lakh or both for disclosure of personal information in breach of lawful contract.

But Abraham says by specifying sensitive personal data, the law excludes breach or misuse of data that aren’t biometrics or the like. “Whenever you produce regulations in this manner those regulations are rarely comprehensive, and, therefore, we are in this situation,” he says. In other words, seemingly innocuous information such as a person’s pop culture interests, political ideology, literary preference, shopping history is not protected.

Under the current law, companies are also not responsible for notifying users if their data are breached. “The entire framework around notification, or how does a user know that their data has actually been affected by a breach; none of these provisions actually exist under Indian law,” says Amlan Mohanty, senior associate, technology and policy, PLR Chambers, a law firm.

Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity firm, says since Indians are not culturally attuned to the idea of privacy, a comprehensive law is important.

India understands that the existing data protection law is behind the times. Last year, the government constituted a committee of experts chaired by former Supreme Court Justice B.N. Srikrishna to study the matter, make specific suggestions, and suggest a draft Data Protection Bill. In February, speaking on the sidelines of an international conference, India’s electronics and information technology minister Ravi Shankar Prasad said the committee will soon submit its report.

The lawmakers can perhaps take a cue from the European Union’s General Data Protection Regulation (GDPR), which will come into effect this May. Among other things, GDPR gives individuals greater rights to access data on them, correct inaccuracies, erase personal data in certain cases, and to even transfer their data from one firm to another.

GDPR also clearly defines consent. “The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language,” it says. The law gives the users the right to withdraw their consent at any time. Currently, most Internet companies seek consent to multiple matters at once, usually when a new user registers for or downloads its service and it is often difficult, if at all, to review it. GDPR will change that in the EU.

Supratim Chakraborty, associate partner at law firm Khaitan & Co, says a clear regulation on consent is requisite in India, where many are first-time Internet users or do not understand English or are even illiterate. “When you obtain consent, it has to be understood in a proper manner by the people, and secondly, the people who are receiving the data are also obligated to protect it in a particular manner. That is something that we should gun for in the new law,” says Chakraborty.

Mohanty of PLR Chambers says GDPR also spells out the principles of applicability with clarity by stating the law will be applicable even on a foreign entity if the breach impacts an EU citizen. “The problem in India is ensuring that foreign companies operating in India are held accountable,” he says. “One of the key issues that India has to deal with is ensuring that the law that India passes is going to be applicable to entities that function outside India.”

Sivarama Krishnan, partner and leader, cybersecurity, at consultancy PwC India, says India also needs to address the issue of who or which body will implement the data protection law. “In the Western world, there is usually a privacy commission or authority, and resources to enforce the regulation. In India, there is lack of enforcement capability in the government to implement the existing regulation,” he says.

There is also the matter of the government’s priority. The union government’s biometric identification programme, Aadhaar, does not have a spotless record on data protection users’ data have on multiple times been breached, or even published online, by third party service providers, hackers, and even by government websites.

But India has seen serious consequences of weak data protection: A judge’s report on the 1993 Bombay riots found that voters’ lists and business registers were used by perpetrators to identify victims and their businesses.

Today, there is a lot more data a criminal can get access to, from a government identification programme to your Facebook profile to your smartphone’s GPS signal. No data breach is innocuous.

For more details visit https://cis-india.org/internet-governance/news/fortune-india-arnika-thakur-may-22-2018-law-tries-to-catch-up-with-tech

Privacy in the Digital Age: Addressing Common Challenges, Seizing Opportunities

Admin — 2018-05-24T10:45:56Z

DG Justice and Consumers and European Union is organizing a conference on privacy in the digital age on May 25, 2018 in New Delhi.

Agenda

Friday 25 May 2018, Reception to follow, The Lalit Hotel, Barakhamba Avenue, Connaught Place, New Delhi, India

9:00 a.m. Registration and welcome coffee
9:20 a.m. Welcome: Vera Jourova, EU Commissioner for Justice and Consumers (by video)
9:30 a.m. Opening remarks: Justice B.N. Srikrishna, chair of the Committee of Experts on a Data Protection Framework for India
Tomasz Kozlowski, Ambassador of the European Union to India

10:00 a.m. Panel 1 - Setting the scene: India at the crossroads

Moderator: Sunil Abraham, Executive Director, Centre for Internet and Society, India
Vinayak Godse, Senior Director, Data Protection, Data Security Council of India
Raman Jit Singh Chima, Policy Director, Access Now, India
Amba Kak, Public Policy Advisor, Mozilla, India
11:00 a.m.: Coffee break

11:15 a.m. Panel 2 - Modern data protection laws: towards global convergence

Moderator: Clarisse Girot, Data Privacy Project Lead, Asian Business Law Institute, Singapore
Ralf Sauer, Deputy Head of Unit, International data flows and protection, European Commission, Brussels
Malavika Jayaram, Executive Director, Digital Asia Hub, Hong Kong
Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales, Australia (by video)

12:15 p.m. Panel 3 - Privacy and data security: a business opportunity

Moderator: Ralf Sauer, Deputy Head of Unit, International data flows and protection, European Commission, Brussels
Srinivas Poorsarla, Vice President and Head (Global), Privacy and Data Protection, Infosys, India
Ravi Sogi, Head - Product Security and Privacy, Philips
Riccardo Masucci, Global Director of Privacy Policy, Intel, Washington DC

1:15 p.m.: Reception

For more details visit https://cis-india.org/internet-governance/news/privacy-in-the-digital-age-addressing-common-challenges-seizing-opportunities

Indian Intermediary Liability Regime: Compliance with the Manila Principles on Intermediary Liability

divij — 2018-05-20T15:14:21Z

This report assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles.

The report was edited by Elonnai Hickok and Swaraj Barooah

The report is an examination of Indian laws based upon the background paper to the Manila Principles as the explanatory text on which these recommendations have been based, and not an assessment of the principles themselves. To do this, the report considers the Indian regime in the context of each of the principles defined in the Manila Principles. As such, the explanatory text to the Manila Principles recognizes that diverse national and political scenario may require different intermediary liability legal regimes, however, this paper relies only on the best practices prescribed under the Manila Principles.

The report is divided into the following sections

Principle I: Intermediaries should be shielded by law from liability for third-party content
Principle II: Content must not be required to be restricted without an order by a judicial authority
Principle III: Requests for restrictions of content must be clear, be unambiguous, and follow due process
Principle IV: Laws and content restriction orders and practices must comply with the tests of necessity and proportionality
Principle V: Laws and content restriction policies and practices must respect due process
Principle VI: Transparency and accountability must be built into laws and content restriction policies and practices
Conclusion

Download the Full report here

For more details visit https://cis-india.org/internet-governance/blog/indian-intermediary-liability-regime

Fairness, Transparency and Accountable AI

Admin — 2018-05-20T14:26:59Z

Amber Sinha participated remotely in the inaugural meeting of Fairness, Transparency and Accountable AI working group of the Partnership on Artificial Intelligence on May 10, 2018. The meeting was held at DeepMind's office in London.

Agenda of the meeting here

For more details visit https://cis-india.org/internet-governance/news/fairness-transparency-and-accountable-ai

More errors in Aadhaar data in Andhra Pradesh than in voter database

Admin — 2018-05-20T14:04:00Z

As much as eight per cent of Aadhaar data collected in Andhra Pradesh has errors, mostly related to name, address and date of birth, which is more than the errors in the voter ID database. But still, 87% of rural residents approve mandatory linking of the unique ID with various schemes and services.

The article by U Sudhakar Reddy was published in the Times of India on May 18, 2018.

This was revealed in the State of Aadhaar report 2017-18 based on a survey carried out in three states — Andhra Pradesh, Rajasthan and West Bengal. The survey revealed that a majority of people in AP and Rajasthan preferred Aadhaar-based PDS delivery as they believed biometric authentication prevents identity fraud. On the flip side, at least 3 lakh people, which is 0.8% of PDS beneficiaries, were denied ration benefits due to Aadhaar issues, it found.

The survey found that among the three states, it was easiest to enrol for Aadhaar in AP. As many was 67% of people used Aadhaar as proof for opening bank accounts and 17% used it for Know Your Customer (KYC) verification. The survey also found that 96% of respondents valued privacy and wanted to know what the government will do with their data.

“The survey covered 2,947 rural households in 21 districts across the three states from Nov 2017 and Feb 2018,” the report by IDinsight, a development analytics firm, said. “Compared to voter IDs, the error-rate in Aadhaar was 1.5 times higher. While exclusion from PDS due to Aadhaar-related factors is significant, it is lower than exclusion explained by factors unrelated to Aadhaar,” said Ronald Abraham of IDinsight.

Reacting to the findings, Dr Ajay Bhushan Pandey, CEO of UIDAI, said: “The report highlights that Aadhaar has wide-scale support from people. Exclusion from PDS is due to failure of the local administration and should be taken very seriously.”

But critics found fault with the survey methodology. “If IDinsight asked respondents whether they preferred the UK system where you can get a SIM card without KYC or the Indian system with mandatory biometric authentication, then 100% of respondents would have opted for the UK approach. They have got an endorsement for use of biometrics due to their disingenuous survey design,” said Sunil Abraham, executive director, Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/news/times-of-india-may-18-2018-u-sudhakar-reddy-more-errors-in-aadhaar-data-in-andhra-pradesh-than-in-voter-database

Rootconf 2018

Admin — 2018-05-18T06:40:31Z

Rootconf is an annual conference on DevOps and IT Infrastructure and is organised by HasGeek. On May 11 and 12, 2018, Gurshabad Grover, Natallia Khaniejo and Aayush Rathi attended Rootconf 2018.

Rootconf 2018 had two major themes - an infrastructure and systems security track and an infrastructure architecture track. All talks at the event were streamed live and videos of the same can be found at HasGeek's YouTube channel here.

Of special interest were the talks entitled 'Death of enterprise security: introduction to abstraction and machine-to-machine orchestration' by Pukhraj Singh and 'On ground realities of Aadhaar' by Rachna Khaira. Of special interest were the talks entitled 'Death of enterprise security: introduction to abstraction and machine-to-machine orchestration' byPukhraj Singh and 'On ground realities of Aadhaar' by Rachna Khaira.

Additionally, the community table was helpful for the purposes of outreach within the tech community about CIS' work and potential ways in which interested parties may engage with CIS.

For more details visit https://cis-india.org/internet-governance/news/rootconf-2018

India's Data Protection Framework Will Need to Treat Privacy as a Social and Not Just an Individual Good

amber — 2018-05-18T06:22:57Z

The idea that technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way.

Published in Economic & Political Weekly, Volume 53, Issue No. 18, 05 May, 2018. Article can be accessed online here.

In July 2017, the Ministry of Electronics and Information Technology (MeITy) in India set up a committee headed by a former judge, B N Srikrishna, to address the growing clamour for privacy protections at a time when both private collection of data and public projects like Aadhaar are reported to pose major privacy risks (Maheshwari 2017). The Srikrishna Committee is in the process of providing its input, which will go on to inform India’s data-protection law.

While the committee released a white paper with provisional views, seeking feedback a few months ago, it may be discussing a data protection framework without due consideration to how data practices have evolved.

In early 2018, a series of stories based on investigative journalism by Guardianand Observer revealed that the data of 87 million Facebook users was used for the Trump campaign by a political consulting firm, Cambridge Analytica, without their permissions. Aleksandr Kogan, a psychology researcher at the University of Cambridge, created an application called “thisisyourdigitallife” and collected data from 270,000 participants through a personality test using Facebook’s application programming interface (API), which allows developers to integrate with various parts of the Facebook platform (Fruchter et al 2018). This data was collected purportedly for academic research purposes only. Kogan’s application also collected profile data from each of the participants’ friends, roughly 87 million people.

The kinds of practices concerning the sharing and processing of data exhibited in this case are not unique. These are, in fact, common to the data economy in India as well. It can be argued that the Facebook–Cambridge Analytica incident is representative of data practices in the data-driven digital economy. These new practices pose important questions for data protection laws globally, and how these may need to evolve to address data protection, particularly for India, which is in the process of drafting its own data protection law.

Privacy as Control

Most modern data protection laws focus on individual control. In this context, the definition by the late Alan Westin (2015) characterises privacy as:

The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.

The idea of “privacy as control” is what finds articulation in data protection policies across jurisdictions, beginning with the Fair Information Practice Principles (FIPP) from the United States (US) (Dixon 2006). These FIPPs are the building blocks of modern information privacy law (Schwartz 1999) and not only play a significant role in the development of privacy laws in the US, but also inform data protection laws in most privacy regimes internationally (Rotenberg 2001), including the nine “National Privacy Principles” articulated by the Justice A P Shah Committee in India. Much of this approach is also reflected in the white paper released by the committee, led by Justice Srikrishna, towards the creation of data protection laws in India (Srikrishna 2017)

This approach essentially involves the following steps (Cate 2006):

(i) Data controllers are required to tell individuals what data they wish to collect and use and give them a choice to share the data.
(ii) Upon sharing, the individuals have rights such as being granted access, and data controllers have obligations such as securing the data with appropriate technologies and procedures, and only using it for the purposes identified.

The objective in this approach is to make the individual empowered and allow them to weigh their own interests in exercising their consent. The allure of this paradigm is that, in one elegant stroke, it seeks to “ensure that consent is informed and free and thereby also (seeks) to implement an acceptable tradeoff between privacy and competing concerns.” (Sloan and Warner 2014). This approach is also easy to enforce for both regulators and businesses. Data collectors and processors only need to ensure that they comply with their privacy policies, and can thus reduce their liability while, theoretically, consumers have the information required to exercise choice. In recent years, however, the emergence of big data, the “Internet of Things,” and algorithmic decision-making has significantly compromised the notice and consent model (Solove 2013).

Limitations of Consent

Some cognitive problems, such as long and difficult to understand privacy notices, have always existed with regard to the issue of informed consent, but lately these problems have become aggravated. Privacy notices often come in the form of long legal documents, much to the detriment of the readers’ ability to understand them. These policies are “long, complicated, full of jargon and change frequently” (Cranor 2012).

Kent Walker (2001) lists five problems that privacy notices typically suffer from:

(i) Overkill: Long and repetitive text in small print.
(ii) Irrelevance: Describing situations of little concern to most consumers.
(iii) Opacity: Broad terms that reflect limited truth, and are unhelpful to track and control the information collected and stored.
(iv) Non-comparability: Simplification required to achieve comparability will lead to compromising of accuracy.
(v) Inflexibility: Failure to keep pace with new business models.

Today, data is collected continuously with every use of online services, making it humanly impossible to exercise meaningful consent.
The quantity of data being generated is expanding at an exponential rate. With connected devices, smartphones, appliances transmitting data about our usage, and even the smart cities themselves, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information” (Bollier 2010).

The infinitely complex nature of the data ecosystem renders consent of little value in cases where individuals may be able to read and comprehend privacy notices. As the uses of data are so diverse, and often not limited by a purpose identified at the beginning, individuals cannot conceptualise how their data will be aggregated and possibly used or reused.

Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. While the regulatory framework is designed such that individuals are expected to engage in cost–benefit analysis of trading their data to avail services, this ecosystem makes such individual analysis impossible.

Conflicts Between Big Data and Individual Control

The thrust of big data technologies is that the value of data resides not in its primary purposes, but in its numerous secondary purposes, where data is reused many times over (Schoenberger and Cukier 2013).

On the other hand, the idea of privacy as control draws from the “data minimisation” principle, which requires organisations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required. Control is excercised and privacy is enhanced by ensuring data minimisation. These two concepts are in direct conflict. Modern data-driven businesses want to retain as much data as possible for secondary uses. Since these secondary uses are, by their nature, unanticipated, their practices run counter to the very principle of purpose limitation (Tene and Polonetsky 2012).

It is evident from such data-sharing practices, as demonstrated by the Cambridge Analytica–Facebook story, that platform architectures are designed with a clear view to collect as much data as possible. This is amply demonstrated by the provision of a “friends permission” feature by Facebook on its platform to allow individuals to share information not just about themselves, but also about their friends. For the principle of informed consent to be meaningfully implemented, it is necessary for users to have access to information about intended data practices, purposes and usage, so they consciously share data about themselves.

In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. A case in point is Mark Zuckerberg’s facile claim that there was no “data-breach" in the Cambridge Analytica–Facebook incident. Instead of asking each of the 87 million users whether they wanted their data to be collected and shared further, Facebook designed a platform that required consent in any form only from 270,000 users. Not only were users denied the opportunity to give consent, their consent was assumed through a feature which was on by default. This is representative of how privacy trade-offs are conceived by current data-driven business models. Participation in a digital ecosystem is by itself deemed as users’ consent to relinquish control over how their data is collected, who may have access to it, and what purposes it may be used for.

Yet, Zuckerberg would have us believe that the primary privacy issue of concern is not about how his platform enabled the collection of users’ data without their explicit consent, but in the subsequent unauthorised sharing of the data by Kogan. Zuckerberg’s insistence that collection of data of people without their consent is not a data breach is reminiscent of the UIDAI’s recent claims in India that publication of Aadhaar numbers and related information by several government websites is not a data breach, so long as its central biometric database in secure (Sharma 2018). In such cases also, the intended architecture ensured the seeding of other databases with Aadhaar numbers, thus creating multiple potential points of failure through disclosure. Similarly, the design flaws in direct benefit transfers enabled Airtel to create payments bank accounts with the customers’ knowledge (Hindu Business Line 2017). Such claims clearly suggest the very limited responsibility data controllers (both public and private) are willing to take for personal data that they collect, while wilfully facilitating and encouraging data practices which may lead to greater risk to data.

On this note, it is also relevant to point out that the Srikrishna committee white paper begins with identifying informational privacy and data innovation as its two key objectives. It states that “a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India.”

Conversations around privacy and data have become inevitably linked to the idea of technological innovation as a competing interest. Before engaging in such conversations, it is important to acknowledge that the value of innovation as a competing interest itself is questionable. It is not a competing right, nor a legitimate public interest endeavour, nor a proven social good.

The idea that in policymaking, technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. The social argument is premised on the promises of mathematical models and computational capacity being capable of identifying key insights from data. In turn, these insights may be useful in public and private decision-making. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way. Sufficient research suggests that indiscriminate data collection is greatly increasing the ratio of noise to signal, and can lead to erroneous insights. Further, the greater the amount of data you collect, the greater is the attack surface that leads to cybersecurity risks. Further, incidents such as Facebook–Cambridge Analytica demonstrate that toxicity of data in various ways and underscores the need for data regulation at every stage of the data lifecycle (Scheiner 2016). These are important tempering factors that need to be kept in mind while evaluating data innovation as a key mover of policy or regulation.

Privacy as Social Good

As long as privacy is framed as arising primarily from individual control, data controllers will continue to engage in practices that compromise the ability to exercise choice. There is a need to view privacy as a social good, and policymaking should ensure its preservation and enhancement. Contractual protections and legal sanctions can themselves do little if platform architectures are designed to do the exact opposite.

More importantly, policymaking needs to recognise privacy not merely as an individual right, available for individuals to forego when engaging with data-driven business models, but also as a social good. The recognition of something as a social good deems it desirable by definition, and a legitimate goal of law and policy, rather than rely completely on market forces for its achievement.

The Puttaswamy judgment (K Puttaswamy v Union of India 2017) lends sufficient weight to privacy’s social value by identifying it as fundamental to any individual development through its dependence on solitude, anonymity, and temporary releases from social duties.

Sociological scholarship demonstrates that different types of social relationships, be it Gesellschaft (interest groups and acquaintances) or Gemeinschaft (friendship, love, and marriage), and the nature of these relationships depend on the ability to conceal certain things (Simmel 1906). Demonstrating this in the context of friendships, it has been stated that such relationships “present a very peculiar synthesis in regard to the question of discretion, of reciprocal revelation and concealment.” Friendships, much like most other social relationships, are very much dependent on our ability to selectively present ourselves to others. Contrast this with Zuckerberg’s stated aim of making the world more “open” where information about people flows freely and effectively without any individual control. Contrast this also with government projects such as the Aadhaar which intends to act as one universal identity which can provide a 360-degree view of citizens.

Other scholars such as Julie Cohen (2012) and Anita Allen (2011) have demonstrated that data that a person produces or has control over concerns both herself and others. Individuals can be exposed not only because of their own actions and choices, but also made vulnerable merely because others have been careless with their data. This point is amply demonstrated in the Facebook–Cambridge Analytica incident. What this means is that protection of privacy requires not just individual action, but in a sense, requires group co-ordination. It is my argument that this group interest of privacy as a social good must be the basis of policymaking and regulation of data in the future, in addition to the idea of privacy as an individual right. In the absence of attention to the social good aspect of privacy, individual consumers are left to their own devices to negotiate their privacy trade-offs with large companies and governments and are significantly compromised.

What this translates into is a regulatory framework and data protection frameworks should not be value-neutral in their conception of privacy as a facet of individual control. The complete reliance of data regulation on the data subject to make an informed choice is, in my opinion, an idea that has run its course. If privacy is viewed as a social good, then the data protection framework, including the laws and the architecture must be designed with a view to protect it, rather than leave it entirely to the market forces.

The Way Forward

Data protection laws need to be re-evaluated, and policymakers must recognise Lawrence Lessig’s dictum that “code is law.” Like laws, architecture and norms can play a fundamental role in regulation. Regulatory intervention for technology need not mean regulation of technology only, but also how technology itself may be leveraged for regulation (Lessig 2006; Reidenberg 1998). It is key that the latter is not left only in the hands of private players.
Zuckerberg, in his testimony (Washington Post 2018) before the United States Senate's Commerce and Judiciary committees, asserted that "AI tools" are central to any strategy for addressing hate speech, fake news, and manipulations that use data ecosystems for targeting.

What is most concerning in his testimony is the complete lack of mention of standards, public scrutiny and peer-review processes, which “AI tools” and regulatory technologies need to be subject to. Further, it cannot be expected that data-driven businesses will view privacy as a social good or be publicly accountable.

As policymakers in India gear up for writing the country’s data protection law, they must acknowledge that their responsibility extends to creating norms and principles that will inform future data-driven platforms and regulatory technologies.

Since issues of privacy and data protection will have to be increasingly addressed at the level of how architectures enable data collection, and more importantly how data is used after collection, policymakers must recognise that being neutral about these practices is no longer enough. They must take normative positions on data collection, processing and sharing practices. These positions cannot be implemented through laws only, but need to be translated into technological solutions and norms. Unless a multipronged approach comprising laws, architecture and norms is adopted, India’s new data protection regime may end up with limited efficacy.

For more details visit https://cis-india.org/internet-governance/blog/epw-amber-sinha-may-18-2018-for-indias-data-protection-regime-to-be-efficient-policymakers-should-treat-privacy-as-a-social-good

Indian Cricket Board Exposes Personal Data of Thousands of Players

Admin — 2018-05-18T05:01:50Z

The IT security researchers at Kromtech Security Center discovered a trove of personal and sensitive data belonging to around 15,000 to 20,000 Indian applicants participating in cricket seasons 2015-2018.

The blog post was published on Hack Read on May 15, 2018.

The authority responsible for protecting this data was The Board of Control for Cricket in India (BCCI) but it was left exposed to the public in two misconfigured AWS (Amazon Web Service) S3 cloud storage buckets.

According to the analysis from Kromtech researchers, the data was divided into different categories of players including those under 19 years old. The data was accessible to anyone with an Internet connection and basic knowledge of using AWS cloud storage.

The data was discovered earlier this month and included names, date of birth, place of birth, permanent addresses, email IDs, proficiency details, medical records, birth certificate number, passport number, SSC certificate number, PAN card number, mobile number, landline and phone number of the person who can be contacted in case of emergency.

Screenshot of one of the files that were exposed (Image credit: Kromtech)

At the time of publishing this article, the BCCI was informed by Kromtech researchers and both misconfigured buckets were secured. However, this is not the first time when such sensitive information was leaked online. In 2017, Bangalore-based Centre for Internet and Society (CIS) found that names, addresses, date of birth, PAN card details, Aadhaar card numbers and other relevant details of millions of Indian citizen could be found with just a simple Google search.

On the other hand, lately, AWS buckets have been making headlines for the wrong reasons. Until now, there have been tons of cases in which misconfigured AWS buckets have been found carrying highly sensitive and confidential data such as classified NSA documents or details about US Military’s social media spying campaign.

In two such cases, malicious hackers were able to compromise AWS buckets belonging to Tesla Motors and LA Times to secretly mine cryptocurrency. Therefore, if you are an AWS user make sure your cloud server is properly secured.

For more details visit https://cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players

Internet Shutdown Stories

ambika — 2019-09-03T09:57:40Z

The Centre for Internet & Society (CIS) has published a collection of stories of the impact of internet shutdowns on people's lives in the country. This book seeks to give a glimpse into the lives of those directly affected by these internet shutdown experiments. When seen in a larger context, we hope that the stories in this book also demonstrate that access to the internet and freedom of speech is not just about an individual’s rights, but are also required for the collective good. This is a project funded by Facebook and MacArthur Foundation, and the stories were provided by 101 Reporters. Case studies from the states of Jammu & Kashmir, Haryana, Rajasthan, Gujarat, Telangana, West Bengal, Tripura, Manipur, Nagaland, and Uttar Pradesh have been highlighted in this compilation.

Read the report here: Download (PDF)

The report is shared under Creative Commons Attribution-NoDerivatives 4.0 International license.

Edited by Debasmita Haldar, Ambika Tandon, and Swaraj Barooah

Print Design by Saumyaa Naidu

Advisor: Nikhil Pahwa, Founder and Editor at MediaNama

Foreword

Aside from the waves of innovation that the digital revolution brought with it, the ever increasing pervasiveness of the internet has had a tremendous impact on empowerment and freedoms in society. We are seeing unprecedented levels of access to information, along with a democratization of the means of creation, production and dissemination of information to anyone with an internet connection. This in turn has greatly amplified, and in many cases even created the ability, particularly for those traditionally left in the margins, to more meaningfully participate in their global as well as local societies. Recognising the significance of the internet to the freedom of expression as well as for the development and exercising of human rights more broadly, the United Nations Human Rights Council unanimously passed a resolution confirming internet access being a fundamental human right.

Simultaneously however, we are seeing Indian states discover and experiment with their power to clamp down on these new modes of communication for a variety of reasons, ranging from the ill-intentioned to the ill-informed. An internet shutdown tracker maintained by the Software Freedom Law Centre, shows that the number of shutdowns in India is increasing every year, with 70 shutdowns reported in 2017,and 45 shutdowns already reported from 1st Jan, 2018 to 4th May, 2018. These shutdowns also come at a significant economic cost. A 2016 Brookings report estimates that India faced a loss of about $968 million due to internet shutdowns. However, the democratic harms we have been accruing are more difficult to quantify and demonstrate.

This book seeks to give a glimpse into the lives of those directly affected by these internet shutdown experiments. From Jammu and Kashmir to Telangana, from Gujarat to Nagaland, we have collected 30 stories from across the country for an up-close look at how the everyday lives of common citizens have been impacted by internet shutdowns and website blocks. From CRPF members posted in Srinagar who use the internet to connect with their family, to students who have been cut off from education resources for competitive exams; from the disruptions in day to day life brought about by non-functional bank services in Darjeeling, to stock brokers in Ahmedabad who faced costly slowdowns; the idea of a Digital India is facing severe setbacks with these continuously increasing internet shutdowns.

When seen in a larger context, we hope that the stories in this book also demonstrate that access to the internet and freedom of speech is not just about an individual’s rights, but are also required for the collective good. The diversity of perspectives and activities that a healthy democracy demands is not met by the versioning of dominant narratives, but by allowing for, if not directly encouraging, the voices and activities of the unheard, oppressed and marginalised. We hope that in the telling of these personal stories of the day-to-day of people affected by such internet shutdowns, this book joins in the effort to position the dehumanized internet kill switches more aptly as dangers to democracy.

Sunil Abraham
Executive Director
The Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/internet-shutdown-stories

AI in the Banking and Finance Industry in India

Saman Goudarzi, Elonnai Hickok and Amber Sinha — 2018-06-19T11:48:39Z

This is a draft report that seeks to map the present state of use of AI in the banking and financial sector in India.

This draft report was prepared by Saman Goudarzi, Elonnai Hickok and Amber Sinha. It was edited by Shyam Ponappa. Mapping was done by Shweta Mohandas. Pranav M Bidare, Sidharth Ray, and Aayush Rathi provided research assistance in preparing this report.

Executive Summary

In the last couple of years, the finance and banking sectors in India have increasingly deployed and implemented AI technologies. Such technologies are being implemented for front-end and back end processes – offering solutions for both financial and business management operations. At the moment, the AI landscape appears to be overwhelmingly populated by natural language processing and natural language generation technologies culminating in numerous chatbot initiatives by various banking and financial actors. Arguably more significant – but less documented – is the usage of said technologies for financial decision making on a variety of issues including, credit-scoring, transactions, wealth and risk management, and fraud detection. These trends are largely facilitated by technology service companies – both large-scale firms and startups – that either work with established banking and financial institutions to deploy AI technologies or develop and offer their own financial services directly to consumers.

This draft report seeks to map the present state of use of AI in the banking and financial sector in India. In doing so, it explores:

Uses: What is the present use of AI in banking and finance? What is the narrative and discourse around AI and banking/finance in India?
Actors: Who are the key stakeholders involved in the development, implementation and regulation of AI in the banking/finance sector?
Impact: What is the potential and existing impact of AI in the banking and finance sectors?
Regulation: What are the challenges faced in policy making around AI in the banking and finance sectors?

The draft report first offers an overview of the ways in which AI is being used in the sector. This is followed by an examination of existing challenges to the adoption of AI and the significant legal and ethical concerns that need to be considered in light of these trends. Lastly, the draft report draws attention to a number of key government actions and initiatives surrounding AI related to the banking and finance industry, discusses challenges to the adoption and implementation of AI and articulates recommendations towards addressing the same.

Download the draft report here

19th June Update: This case study has been modified to remove interview quotes, which are in the process of being confirmed. The link above is the latest draft of the report.

For more details visit https://cis-india.org/internet-governance/blog/ai-in-banking-and-finance

Aadhaar Remains an Unending Security Nightmare for a Billion Indians

Admin — 2018-05-13T16:28:40Z

Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.

The article by Karan Saini was published in the Wire on May 11, 2018.

Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.

As India waits for the apex court’s judgement, this is as good time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.

Poor security standards

Let’s start with the lackadaisical attitude towards information security. As has become evident in the past, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.

There are several government websites which implement Aadhaar authentication while at the same time lack in basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the Director General of Foreign Trade, the website for the National Food Security Mission and the Medleapr website.

With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.

It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.

The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.

In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.

What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured API and sensitive portals without proper access controls.

Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.

It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.

A detailed analysis of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.

Threat level infinity

Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.

For instance, demographic information – as is stated in the draft for the Aadhaar Act (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.

However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.

If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected and it would have far-reaching consequences for everyone affected which might be very hard to offset.

On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs have been known to integrate data acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and then linking the same to residents’ corresponding Aadhaar data.

Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.

Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.

Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I discovered that it was possible to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.

This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker, NFSM.gov.in and seems to be standard practice which seems to be enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.

This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced neverthelessby third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.

The bank mapper rabbit hole

As of February 24, 2017, it was possible to retrieve bank linking status information directly from UIDAI’s website without any prior verification.

However, after this information was reported, the ‘uidai.gov.in’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.

A year later – when business technology news site ZDNet published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.

This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.

More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).

This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, which “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.

Who is on the hook?

There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?

Most of the times, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.

Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.

The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.

In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.

Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI sent a legal notice to the organisation, stating that the people involved with the report had to be “brought to justice”.

In January 2018, an investigative story was published by Rachna Khaira of The Tribune newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.

Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.

In March 2018, ZDNet published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence issue and its scope. It was preempted by more than a month of attempted communication through several channels of communication – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).

But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.

Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.

Hide and seek

In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen latest in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.

Following this – the EPFO quickly switched to PR mode and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”

Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports which they’re meant to be arguing (in some cases) contain verifiable evidence which is the result of arduous investigative work.

Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.

In response to a recent story by Asia Times regarding Aadhaar enrolment software being cracked and sold, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.

The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.

Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.

The way forward

In April 2018, the head of the Indian Computer Emergency Response Team (CERT-IN), rather defensively noted that “not a single person had reported any incident” to the organisation.

CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.

In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.

Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.

It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.

I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.

The US Department of Defense (DoD) employs a similar approach where they invite hackers from the world over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

RightsCon Toronto 2018

Admin — 2018-06-07T14:31:20Z

RightsCon is organizing the 2018 edition of the event at Beanfield Centre at Exhibition Place, Toronto in Canada. A session on Pervasive Technologies project titled "Cheap and chipper: IP in India’s affordable smartphones" is scheduled on May 17, 5.15 p.m. to 6.15 p.m. in the International Trade and the Commons track. (Room #203B, Beanfield Centre).

We present the findings of the Centre for Internet and Society’s "Pervasive Technologies" research project that concluded last year. The project was an endeavour to study how Internet-enabled mobile phones sold for USD 100 or less interact with India's intellectual property laws. These low-cost technologies that lie in a grey zone of IP laws have been instrumental in bringing access to the Internet and, in turn, access to knowledge and information to people. The project undertook a study of the mobile device landscape in India while developing legal strategies to ensure that consumers continue to have access to inexpensive devices; that manufacturers, software developers and content creators operating in the budget device segment are not snuffed out by litigation; and that the rights of IP holders are not infringed upon.

Each researcher will elucidate on her findings in the areas of patents and copyright pertaining to the hardware, software and media content and the interaction of these findings with public policy.

Maggie Huang, Amba Kak, Rohini Lakshané, Vidushi Marda and Anubha Sinha are among the speakers at the event. For more info click here

Amber Sinha remotely participated in a private meeting on 'Strategizing Civil Society Roles in the Artificial Intelligence Debate'.
Anubha Sinha, Maggie Huang, Rohini Lakshané and Vidushi Marda presented their findings from the Pervasive Technologies project in a panel titled "Cheap and Chipper: IP in India's Affordable Smartphones". Prof Michael Geist moderated the session. Anubha Sinha and Vidushi Marda participated remotely.
Elonnai Hickok participated in these sessions: IDRC cyber policy meeting; GNI board meeting; GNI learning session on MLATs; FOC-AN meeting; GNI session on Intermediary Liability.

For more details visit https://cis-india.org/a2k/news/rightscon-toronto-2018

Meeting of Coalition for an Inclusive Approach on the Trafficking Bill

Admin — 2018-08-18T09:21:36Z

Gurshabad Grover attended a meeting of the Coalition for an Inclusive Approach on the Trafficking Bill at the Alternative Law Forum, Bangalore on May 3, 2018.

The coalition is working on a report highlighting the various concerns in the recently Cabinet-approved Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018.

Swaraj Barooah had written a blogpost about some provisions in the Bill that could potentially impact freedom of expression. These inputs have been incorporated into the report the Coalition is preparing.

Clarification (18th August, 2018): A letter sent to the Ministry of Women and Child Development mentioned the Centre for Internet & Society as instituionally endorsing a critique of the The Trafficking of Persons (Prevention, Protection and Rehabilitation) Bill, 2018. We seek to clarify that the Centre for Internet & Society did not endorse the letter to the Ministry.

For more details visit https://cis-india.org/internet-governance/news/meeting-of-coalition-for-an-inclusive-approach-on-the-trafficking-bill

Digital India' in Dire Need of Safety Policy Reboot - Cybersecurity Experts

Admin — 2018-05-05T12:00:43Z

Some experts say the need of the hour is for India to update its cybersecurity policy to respond to growing threats in cyberspace. Information warfare specialists hint at the local storage of digital information as the key to the cybersecurity of the country.

The blog post was published by Sputnik on April 17, 2018. Sunil Abraham was quoted.

The afternoon of the first Friday of April was a telling statement on India's biggest nightmare — a digital meltdown. It was so glaring that the National Media Centre in the capital Delhi was abuzz with media persons seeking to ascertain the news of around 10 government websites, including those of the Ministry of Defense and the Ministry of Home Affairs, was hacked and the government seemed clueless. No government official was ready to speak, prompting the day's headlines to thrive on speculations with television channels running news flashes attributing the mischief to a "Chinese" hacker.

The Defense Ministry website was showing Mandarin characters in an error message which further gave strength to the conspiracy theory. In panic, the Ministry of Home Affairs shut down its portal, creating further speculations.

In the absence of an official statement, the press based their news reports on a tweet by Defense Minister Nirmala Sitaraman which confirmed the alleged hack. A sense of a massive cyberattack engulfed the air.

The general sense was that it was a digital offensive targeted against India and perpetrated by none other than its neighbor China. There was a sudden outrage among social media users who accused the government of failing to protect the nation's digital assets and letting India be vulnerable to cyber threats.

After Ministry of Defence, suspected Chinese hackers hack Ministry of Home Affairs’ website too. Welcome to Modi’s Digital India Jumla. #IndiaDoesNotTrustBJP #IndiaHatesBJP

However, late in the evening, National cybersecurity head Gulshan Rai conveyed that all 10 websites hosted by the National Informatics Centre (NIC) went down due to "a hardware failure" while declining to comment on the possibility of a cyberattack by any neighboring country.

"There is no hacking or coordinated cyberattack on the website of central ministries. There was a hardware failure in the storage network system at the NIC which resulted in a number of government websites being serviced by that system going down. We are working to replace the hardware and these websites will be up soon," Rai said in a statement putting to rest all speculations.

The National cybersecurity head, who directly works under thExperts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.e supervision of Indian Prime Minister Narendra Modi, also confirmed that a total of ten websites, including that of the Central Bureau of Investigation, the Central Vigilance Commission, the e-gazette of India, and the websites of the Ministries of Law, Civil Aviation, Defense, Home Affairs, Labor, Water Resources and Science & Technology suffered due to the hardware failure.

Nevertheless, experts say that India needs a robust framework not only to protect the cyber assets, but also quickly assess threats in view of the experience.

"Technical glitches happen, especially when you have so many hardware and software products connected online. The immediate reaction of the hack (on Friday, 6th April 2018) was in haste and caused all the confusion but no such hack took place. We need to have a more robust framework for response, reporting, and reaction," cyber expert Rakshit Tandon told Sputnik.

The brief period of inaccessibility of the government websites and the ensuing panic was symptomatic of a situation which India is facing. Even if it was not a hack, the hardware failure is worrying for the billion plus nation, say experts.

The cyber emergency in India was not the first. Last year, the Home Ministry websites had to be temporarily shut down following a cyberattack. This was in close heels to a hack of the website of the elite Indian special force National Security Guard (NSG) by a suspected Pakistan based group. In 2016, data from Indian missions in Africa and Europe were hacked and posted online by unknown hackers.

The Indian Computer Emergency Response Team (CERT-In), the premier cyber security agency of India had stated in a reply in Parliament that until June 2017 India had more than 27,000 cyberattacks of all levels and cost the economy around $4 billion.

The Hindustan Times in a report predicts that with India embarking on an ambitious digitalization mode, the total losses from cybersecurity threats for the country could touch $20 billion over the next ten years.

Experts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.

"We have a national cybersecurity policy but we don't have a clear commitment from the government when it comes to financial allocations. The government must fund small and medium-sized enterprises to produce innovative cybersecurity products and services. Separately, the government must fund research by corporations, civil society organizations, educational organizations, and individuals which should be published in peer-reviewed open access journals and also presented at national and international cybersecurity academic conference," Sunil Abraham, executive director, Centre for Internet and Society told Sputnik.

"India has the best minds when it comes to hacking. In fact, a majority of the top hackers in the world are Indians but they are not part of India's security apparatus and not in the country's service," Rizwan Shaikh, ethical hacker and one of the youngest information security consultants in South Asia told Sputnik.

Rizwan was in the news recently when he drew the attention of the government about the severe lacuna in the Indian Railway system which is called the backbone of Indian economy employing around 1.3 million people and running 13,000 passenger trains daily.

The ethical hackers cannot sustain in the government ecosystem, they need patronage and incentives in terms of recognition, but the government of India lacks any such program. There was a program launched recently by the Ministry of Information Technology but it has failed to attract good minds due to its lack-luster management. In India, even if I find a loophole, there is no reporting system to intimate and no proper heads to initiate action, Rizwan added.

The Indian government has multiple stakeholders to monitor and report on digital emergency situations. The plethora of agencies begin with the nodal agency of the Ministry of Electronics and Information Technology, there is a hub called the National Critical Infrastructure Information Protection Center, then there is the interior security ministry of Home Affairs which is the oversight authority over all investigative agencies in the country and there is a new institution by the name national Cyber Coordination Centre created recently.

Rakshit Tandon says that "a sudden spurt in online transactions especially after demonization (in October 2016), coming of 4G mobile networks, cheaper smartphones, and the prestigious vision of 'Digital India' have made the country and its population more prone to cyber threats."

Moreover, with the controversy of the British political consulting firm Cambridge Analytica allegedly using personal details of Indian social media users has created a sense of insecurity among the online population of the country.

In view of the threat to personal and national digital security, Sunil Abraham calls for an approach to a complete upheaval the country's cyber laws to combat the threat. He says simply user behavior change is not sufficient for keeping Indians safe from digital harm.

"First, India needs a comprehensive omnibus data protection law, in the lines of the GDPR which exists for the EU. Second, India needs amendments to our existing competition law. Once the law has been updated to give the regulator powers to go after Internet monopolies —we need a comprehensive investigation of the anti-competitive activities, especially in the digital advertising sector. Change in user behavior is not sufficient to mitigate harms resulting from Internet monopolies. These harms can only be addressed via appropriate, comprehensive and proactive action by lawmakers and regulators," Sunil Abraham said.

Information warfare specialists hint at the local storage of digital information as the key to cybersecurity of the country.

"A nation the size of India can never be a comfortable partner for other great powers who will always be uneasy of the latent power of this sleeping giant. Consequently unlike Japan, South Korea or Singapore, we cannot rely on a security umbrella from another great power to reach our full economic potential," Pavithran Rajan, information warfare specialist based out of Bangalore, told Sputnik.

Pavithran Rajan is a former Indian Army officer-turned writer and trainer on cyber issues.

The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. The solution lies in localizing the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market, he added.

Rajan feels that data protection for India is vital as it is on the cusp of a major technological advancement and has opined that the country needs to put in place legal stipulations on data transfers.

"The advent of the IoT (Internet of Things technology) would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on the transfer of data to controllers who have no presence in India," Pavithran Rajan told Sputnik.

The earliest technology-based law in India was the Indian Telegraph Act of 1885 which is still operational and encompasses the telephone services as well. With the advent of the digital age, India brought in the Information Technology Act in the year 2000 and lastly, a National Cybersecurity Policy was drafted and presented for action 2013, but its actual implementation has not yet taken place. With the fast changing digital ecosystem, India, the largest democracy in the world, struggles to keep pace with the threats it faces and the dangers seem imminent.

For more details visit https://cis-india.org/internet-governance/news/sputnik-april-17-2018-digital-india-in-dire-need-of-safety-policy-reboot-cybersecurity-experts