We are anonymous, we are legion

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks

Admin — 2018-03-26T22:37:30Z

The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming.

The article by Nilesh Christopher was published in Economic Times on March 26, 2018. Sunil Abraham was quoted.

While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.

“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication ZDnet citing an Indian security researcher said that it identified Aadhaar data leaks on a system run by a state-owned utility company Indane that allowed anyone to access sensitive information like a name, Aadhar number, bank details. The leak was plugged soon after the report appeared.

UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.

There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.

“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.

In case of Aadhar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet and Society.

UIDAI could take a leaf from Indian Space Research Organisation while handling data breach reports. The state-run space agency put out a note appreciating security researches for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.

“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.

“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still has not fructified.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks

Indian IT firms not ready for European Union's proposed privacy laws, only a few compliant with GDPR

Admin — 2018-04-18T00:56:20Z

Only a third of Indian IT firms are compliant with the European Union's General Data Protection Regulation (GDPR), which will come into force on 25 May, according to a media report.

The article was published in First Post on March 26, 2018.

The GDPR, the EU's new online privacy rules, is designed to protect users' online privacy. The European Parliament has adopted the regulation but European governments have yet to approve the text.

“Only 30-35 percent of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, was quoted as saying by The Economic Times.

The GDPR is applicable to companies globally, and has significant potential financial penalties. Damages of any breach of privacy of user data from Europe could cost companies as much as four percent of their revenue, according to The Economic Times. For the Indian IT sector, Europe ranks number two in terms of the amount of business it drives, with US still taking the lead.

Indian firms, according to Business Standard, are struggling to understand the GDPR policies. A survey by EY had shown that 60 percent of Indian respondents were unfamiliar with the new regulation.

"When asked to describe their company’s current status with respect to complying with the GDPR, only 33 percent of respondents said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all and 17 percent said that they have heard of the GDPR but have not yet taken any action," EY’s Global Forensic Data Analytics Survey 2018 had said.

What the GDPR is all about?

The GDPR attempts to unify data protection laws across the EU. It applies to all companies, regardless of location, that process the personal data of people living in the European Union. It aims to strengthen the protection of EU citizens' personal details. It will apply to all companies, including those outside of the EU.

The GDPR is considered the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information.

Under the new regulation, users will be asked once and for all whether to accept cookies, rather than every time they visit a new website. Users will have the option of going invisible online, while the rules enshrine the so-called "right to be forgotten" legislation. The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

How Indian firms will be affected?

According to a study published by The Centre for Internet and Society, as a result of GDPR, data protection procedures like breach notification; excessive documentation and appointment of data protection officer may have to be incorporated in the Indian laws as well.

"As non – compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations," the study said.

(With inputs from agencies)

For more details visit https://cis-india.org/internet-governance/news/first-post-march-26-2018-indian-it-firms-not-ready-for-european-unions-proposed-privacy-laws-only-a-few-compliant-with-gdpr

Modi Govt compromising privacy of individuals: Cong

Admin — 2018-04-18T01:10:42Z

Charging the Narendra Modi Governemt with compromising the privacy of individuals by leaking user information on the Narendra Modi app, the Congress on Monday said the counter allegations by the BJP that the Opposition party was indulging in 'data theft' were an attempt to divert attention from the issue.

This was published by United News of India on March 26, 2018.

Talking to reporters here, AICC spokesperson Abhishek Manu Singhvi said, 'we have said repeatedly that the biggest assault on individual privacy has occurred under the watch of the Narendra Modi Government. Not only people’s money, but people’s privacy is also in question.

Even as startling revelations that the Narendra Modi app, run by the BJP is sharing data of millions of users with American companies emerge, the Modi Government mocks and flouts the ‘Right to Privacy’ with brazen impunity. While the Prime Minister’s Office, PMO India app, asks users to voluntarily part with their identity on 14 data points, the NaMo app asks for a sweeping access to 22 data points. The NaMo app records audio, video, contacts of your friends and family and even tracks your location via GPS. No wonder, Modi ji is like the ‘Bigg Boss’ who with brazenness likes to spy on Indians. The BJP whose IT (Identity Theft?) Minister does daily press conferences on the issue of data security and democracy, has much to answer to the people of India on the unscrupulous means by which Shri Narendra Modi’s personal app is accessing data and passing on data of more than 50 lakh Indians,' he alleged.

Describing the BJP allegations that the Congress was indulging in 'data theft' through its mobile app, Mr Singhvi said. 'the Modi Government is resorting to deflectionary and diversionary tactics. The Congress application had just 15,000 downloads against the 50 lakh Indians who downloaded the NaMo app. Also, the Congress application was discontinued as most of the users wanted to register offline.'

Accusing Mr Modi of misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by the government, Mr Singhvi said, 'Why does Mr Modi, in his own book ‘Exam Warriors’ urge you to download the NaMo app. Is he now planning to snoop in on minors? Mr Modi is misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by Government. If as PM he wants to use tech to communicate with India, there is no problem in that. But use the official PMO app for it, not the NaMo app. This data belongs to India, not to Mr Modi.

Shockingly, data of atleast 13 lakh NCC cadets which include personal mobile phone numbers and email ID’s are being given to the Prime Minister’s Office for an interaction.'

Citing in this regard the report of a committee of experts appointed by the government on the issue of data protection, Mr Singhvi said, 'importantly, a Government appointed Committee of Experts (CoE) to look into a framework for data protection, headed by Justice (retd) BN Srikrishna has made scathing observations in a paper released in November 2017, against the Government and has shockingly implied (according to the media reports) that the Modi Government is collecting personal data illegally. The committee, which is currently in the process of conducting consultations, has also considered the SC judgment on privacy, says in its paper “The public and private sector are collecting and using personal data on an unprecedented scale. While data can be put to beneficial use, unregulated and arbitrary use of data, especially personal data, raise concerns relating to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.”

Alleging that under the Modi Government, not only the personal data of citizens was under serious threat, but there were multiple reports of data breaches in banks, Mr Singhvi said, 'astonishingly, under the Modi Government, not only the personal data of citizens is under serious threat, but multiple breaches in the banks. In an atmosphere where every single day there has been a bank fraud worth thousands of crores of rupees being reported, have resulted in one single question - how safe is our money in banks?

Banks and PSU’s have reported multiple breaches in recent past. A newspaper report on Monday said two online security experts have claimed that the Aadhaar database of two public-sector enterprises leaked select data and the vulnerability was fixed only a month after attention was drawn to it. This exposes their names, the 12-digit Aadhaar number and information of the services they have linked their Aadhaar card to. These services include bank details, policy details and other private information. This was corroborated by the UIDAI statement released on Sunday.

“It was left up there for more than a month — even though it had been reported to them directly,” claim the security experts. On February 23, 2018 a report had claimed that there was a data breach which had hit the the Punjab National Bank, whereby sensitive credit, debit card details of 10,000 customers were leaked. Quick Heal, a reputed software company in October 2017 had also claimed that there was a massive data breach in 6,000 government offices including banks. Earlier in 2016, as per media reports -- 32 lakh debit/credit cards of various Indian banks were compromised. The worst-hit was the State Bank of India along with certain private banks.'

He also charged the present Government of breach of Aadhaar data of individuals.

'In April 2014, the then Gujarat Chief Minister Narendra Modi had attacked Aadhaar and the UPA Government on its possible ‘security threat’. Life has now come full circle for the BJP. Just like numerous other issues, their blatant hypocrisy on Aadhaar is exposed. In January, this year, when a reputed newspaper in a sting exposed how 1 crore Aadhaar details can be accessed in just 10 minutes, by paying just Rs 500 in Chandigarh, the UIDAI had then filed an FIR against the reporter. Now the editor of the reputed media house has also been replaced.

We have seen it in May 4, 2017, when the Modi Government is on record in Supreme Court, accepting data breach in the Aadhaar scheme. Now the Attorney General in Supreme Court, while arguing that Aadhaar data remains safe and secure, says that the Aadhaar data remains secure behind a complex that has 13-ft high and five-feet thick walls, which is laughable and ludicrous, to say the least. On November 20, 2017, the UIDAI had accepted on record that –“More than 210 central and state government websites publicly displayed details such as names and addresses of Aadhaar beneficiaries”. Earlier too, ‘Centre for Internet and Society’, a Bengaluru-based organisation (CIS) in a study published on May 1, 2017, had found that data of more than 130 million Aadhaar card holders has been leaked from just four government websites. Therefore this is a serious issue. Clearly, neither our money, nor our Aadhaar details or our personal details are secure under the Modi Government.'

For more details visit https://cis-india.org/internet-governance/news/united-news-of-india-march-26-2018-modi-govt-compromising-privacy-of-individuals-congress

Aadhaar safety

Admin — 2018-03-26T17:09:26Z

We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.

The article was published in Asian Age on March 25, 2018.

Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.

‘Safety claims are bogus’
Hrishikesh Bhaskaran, Privacy Activist
Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).

The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.

‘Multi-level security assumes added significance’
Jaideep Mehta, CEO of VCCircle.com
Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.

‘Tightening system, or line of human command more important’
Ershad Kaleebullah, Technology Editor
There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.

‘Your data security is in your hands, always be cautious’
Viraj Kumar Pratapwant, Senior Software Design Engineer
First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.

Sunil Abraham, Executive Director at Centre for Internet and Society
Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data in encrypted in the CIDR - the deduplication software needs to compare the bio metric of the person getting enrolled with the unencrypted bio metric of others already in the database. This means that the engineer who controls the software has access to the whole bio metric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.

For more details visit https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety

Listening Machines - New interfaces for Art-Science and Technology Policy

Admin — 2018-03-25T03:37:00Z

Sharath Chandra presented his work "Listening Machines - New interfaces for Art-Science and Technology Policy" at the National Academy of Sciences, Washington D.C, at the Arthur M Sackler Colloquia on March 12, 2018.

For more info on the program click here

For more details visit https://cis-india.org/internet-governance/news/listening-machines-new-interfaces-for-art-science-and-technology-policy

Cybersecurity: The Intersection of Policy and Technology

Admin — 2018-03-25T03:24:23Z

Sunil Abraham and Aayush Rathi attended a round-table on 'Cybersecurity: The Intersection of Policy and Technology'. The event was organised by Synergia Foundation, Bengaluru.

The speakers for the round-table were Deborah Housen-Couriel, Professor at the Kennedy School of Government, Gaurav Gupta - Principal Secretary for IT, BT, and S&T, Government of Karnataka, and Dana Kursh, Consul General of Israel to South India.

The discussion at the round-table centred around developing approaches aimed at resolving the 'grand challenge' of cyber security. The role of deeper collaborations between various stakeholders such as academia, corporate enterprises, law enforcement and the government in arriving at cogent solutions was emphasised upon. For more on the discussion at the round-table, a press note can be found here.

For more details visit https://cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

Govt warns Facebook of stringent legal action if found misusing data

Admin — 2018-03-25T03:14:28Z

IT minister Ravi Shankar Prasad says that under the IT Act, Facebook’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The article by Komal Gupta was published by Livemint on March 21, 2018.

The government on Wednesday warned Facebook of stringent legal action if it is found misusing data, with law and information technology (IT) minister Ravi Shankar Prasad saying that under the IT Act, the social media giant’s chief executive officer, Mark Zuckerberg, can be summoned to India if required.

The warning came after the ruling Bharatiya Janata Party (BJP) alleged that the Congress party was associated with London-based analytics firm Cambridge Analytica, which is at the centre of a global storm on the alleged misuse of data from 50 million Facebook users.

Prasad said the Congress indulged in “theft of online data” to help with its election campaigns, a charge that the opposition party denied.

“Will the Congress party depend on data manipulation and theft to woo voters? What is Cambridge Analytica’s role in (Congress president) Rahul Gandhi’s social media profile,” Prasad, who is also a senior BJP spokesperson, said in an interaction with reporters.

“Indian National Congress or the Congress president have never used and never hired the services of the company called Cambridge Analytica mentioned by the Union law minister. This is a fake agenda, a white lie being dished out on fake facts by the law minister unfortunately, and this has become a daily order,” Randeep Surjewala, the Congress party’s chief spokesperson, said.

Cambridge Analytica’s chief executive Alexander Nix—who was suspended on Tuesday—was secretly recorded in a Channel 4 sting claiming that the company ran Donald Trump’s campaign during the 2016 US presidential election. The firm is accused of harvesting private data from millions of Facebook profiles to influence and identify voter behaviour.

As of January, there were around 250 million Facebook users in India.

According to security experts, the incident yet again highlights the need for a stronger data protection law in the country.

“It has been almost six years since the report of the Justice AP Shah group of experts on privacy, but India still doesn’t have a data protection law. We urgently need a law that enshrines privacy by design — that would prevent entities like Truecaller from gaining access to third parties’ data without their consent, and entities like Facebook from providing it— as well as a liability regime that would enable an Indian data protection authority to hold accountable those who violate the law,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-march-21-2018-govt-warns-facebook-of-stringent-legal-action-if-found-misusing-data

Without stringent law, threats to Mark Zuckerberg are hollow: Experts

Admin — 2018-03-25T02:24:12Z

IT Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections.

The article by Alnoor Peermohamed and Karan Choudhury was published in the Business Standard on March 23, 2018.

The best way of keeping a check on the manipulation of elections through campaigns on Facebook is by introducing a strong data protection policy, said experts. After the Cambridge Analytica row, all eyes are on the use of such tools during the upcoming general election in India.

Union Law and Information Technology (IT) Minister Ravi Shankar Prasad on Wednesday warned Facebook and other social networks of tough action, if they attempted to influence the Indian elections. However, experts said these threats are hollow because the current law protecting user data lacks teeth.

“Without a strong data protection law, we wouldn't quite be able to take any action as what has happened is not a breach. While Section 43A of the IT Act talks about lack of consent from the users, it does not spell out any consequence for violating the same,” said Pranesh Prakash, policy director at think tank The Centre for Internet and Society (CIS). “Essentially, it's a toothless tiger.”

Having a data protection law might not directly stop firms from buying data from third-party developers and then deploying it for targeted users, but it is a great pre-emptive measure to stop unnecessary data collection. If users are asked to give consent for their data, it would vastly reduce the risk.

“The government's statement would be well supported, if it would be bringing a law, listening to key voices of experts and civil society. Even though the Justice Srikrishna Committee is currently examining and is expected to come out with a draft law, the timeline, transparency and willingness to safeguard user rights need to be better demonstrated,” said Apar Gupta, an independent lawyer.

Other experts have voiced their concerns over allowing tech giants to take sensitive user data out of the country. Once the data is out of India's jurisdiction, there is no way to ensure these companies are following the laws mandated by the government.

“Facebook is not an Indian company. We do not know how far it is complying with India’s IT Act. We should not be compromising on security and allow tech firms to play in the market without complying with the laws,” says Pavan Duggal, cyber law expert and Supreme Court advocate.

While both the Congress and the BJP have accused each other of working with Cambridge Analytica and denied their own affiliation with the company, the UK-based firm was already functioning in India through its partner Ovleno Business Intelligence (OBI). The OBI website, which has now been taken down, had listed the BJP, the Congress and Janata Dal (United) as its clients.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-and-karan-choudhury-without-stringent-law-threats-to-mark-zuckerberg-are-hollow-experts

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’

Admin — 2018-03-25T02:01:18Z

Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law.

The blog post by Amit Bhardwaj was published by Newslaundry on March 24, 2018.

What exactly is the nature of the Facebook data breach? What went wrong?

Technically, this is not a data breach. There is an internet standard called O-auth (open-authorisation). Through it, different applications on the internet that don’t want to build their own authorisation infrastructure can use the authorisation infrastructure provided by internet giants such as Facebook, Google, Twitter, etc. There was a personality quiz application, which used the Facebook O-auth service. In this protocol, the authorisation server can also give some data to the application which is using its services.

Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?

What you are doing is that you are a user of the application (personality application). Once you try to use the service, it will give you a choice - whether you want to authenticate yourself using Facebook, Twitter etc. So basically you are authorising a third-party application to use your data. Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.

How is the data harvesting being done by the third-party application dangerous for users of Facebook?

It is you who has given consent for data harvesting, and not your friends. But the application was abusing the consent given by you to harvest the data of people who have not given consent. Facebook had, however, discontinued this API in 2014 as mentioned by Mark Zuckerberg in his statement.

How can Cambridge Analytica (CA) - the British data consultant which also provides services to political parties - influence the choice of these Facebook users?

The CA has experts that focus on psychological manipulation. Thus, the more personal information they have about you, the more they can do what is called “micro-targeting of advertisements”. Suppose they know you are an undecided Republican (now governing party in the US) voter, so they can target you with information and propaganda - including misinformation - in order to push you over the fence. For example, it could discourage an African-American voter, who is going to vote for the Democrats, from going out to vote that day by showing him depressing content. They can also encourage a Republican voter to go out and vote by scaring them that if they don’t vote, the Democrats will win.

How do you take Zuckerberg’s statement? Can it even be considered a valid apology?

Whether he has apologised or not is irrelevant to our situation. What we Indians need is a regulatory response. For the past eight years, my centre has been working towards getting a data protection law. As the situation stands today, what Cambridge Analytica did in the US can be repeated in India. And that won’t be illegal under the present set of laws in India.

Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?

Section 43 of the Information Technology Act has been commonly misunderstood as the data protection law. In reality, it only has data security provisions, i.e. under Indian law if you lose property or money as the result of a breach of your personal information, you can approach the court. While in case of data harvesting it amounts to infringement of the right to privacy.

Ever since this scandal surfaced, both the BJP and Congress have been distancing themselves from the CA and are also accusing each other of using the CA or its Indian wing’s services. Why are these accusations making these political parties so nervous?

Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.

Hypothetically, even if these parties – the BJP and the Congress - have used the CA’s service, have they been on the wrong side by doing so?

As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.

A commoner’s argument could be - even if my personal data is with these companies, how is it going to affect my voting choice?

What has been clear from the CA episode is that personal data can be used to manipulate you. They can make you depressed, they can make you feel suicidal, they can make you buy products that you don’t want, they can even make you vote for parties you don’t like. The most important aspect of the story is that it is undermining free will.

Since the 2014 general elections, India has been witnessing the rise of troll culture where dissenting voices are crushed. A narrative is being created in favour of one party or against any party standing against this party. Do you think services of such agencies could have been used to do so?

No, trolling is a separate thing, while manipulation is more subtle. Unlike manipulation, where you are unaware of the influences, in trolling you know when you are being targeted. The trolls are trying to silence and intimidate you – that is not done through the use of personal information.

There were media reports which said that 70 per cent of the applications used in India do not explicitly take user consent at the time of installation. Also, many of these apps do not even delete the personal information of users once they have been uninstalled from mobile phones. How dangerous is this situation?

It is not just that these applications don’t take your consent, or that they retain data after you’ve stopped using their services, what is scarier is that many of these applications take extensive permissions on your phone. For example, the torch application sometimes asks for permission to read your messages. What they can do using this is harvest your one-time passwords (OTPs) from your SMS folder in order to conduct fraudulent financial transactions.

They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.

According to media reports, the CA’s Indian subsidiary - Ovleno Business Intelligence, whose Indian operations are headed by the son of JDU leader KC Tyagi - was hired for elections in India - Bihar polls in 2010 and 2015, and in state polls. Could it be possible that data harvested by this company was used to influence voters?

Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.

There is already the conundrum over Aadhaar in India and pressure to link it with our bank accounts and phone numbers. Do you think the Facebook data breach or data harvesting will press the question of privacy here?

It's a very different type of privacy concern. With Aadhaar, the primary concern is of biometrics and the storage of biometrics in a centralised database. Here, it’s a concern of unauthorised third-party applications being able to harvest our personal data. Though different, they are two excellent case studies for us to test the effectiveness of our draft Data Protection Bill, which will come out in April or May.

The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?

You cannot accuse Facebook of doing wrong. Being wrong or right is an ethical question and subjective. For instance, I might think that Facebook is doing something wrong, however, Facebook, which is trying to maximise its shareholding value, might think it is doing right.

Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.

(Transcribed by Newslaundry interns Priyali Dhingra and Maitri Dwivedi.)

For more details visit https://cis-india.org/internet-governance/news/newslaundry-march-24-2018-amit-bhardwaj-facebook-data-breach-cambridge-analytica-privacy-law-sunil-abraham

Is Facebook too powerful without legal safeguards?

Admin — 2018-03-25T01:38:57Z

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, according to some experts.

The article by Vidhi Choudhary was published in Hindustan Times on March 24, 2018

It’s time India moves to put in place legal safeguards to contain the potential harm that Internet giants like Facebook Inc. can cause, experts say, amid a raging scandal over access gained by political marketing firm Cambridge Analytica to user data on the social media network. India is a key market for Facebook with 217 million people using the platform every month.

Concerns centre around protection of user privacy and freedom of speech, harassment by Internet trolls, spread of misinformation and fake news, said Apar Gupta, a Delhi-based lawyer who is part of Save The Internet , a group of individuals and non-government organisations fighting to preserve net neutrality. It’s time to take stock of the concerns and the sufficiency of India’s legal framework to address them, Gupta said.

“Companies like Facebook have grown too big and too powerful without adequate legal safeguards,” he said.

On Thursday, Facebook founder and CEO Mark Zuckerberg pledged to stop the misuse of user data on its site to manipulate voters in India,Brazil and the US. The social media network is under scrutiny after a whistleblower alleged that London-based Cambridge Analytica accessed user data to prepare voter profiles that helped Donald Trump win the US presidential election in 2016.

Information technology and law minister Ravi Shankar Prasad on Wednesday warned social media platforms such as Facebook of “stringent action” in case of any attempt to sway the country’s electoral process. The government is considering a new regulatory framework for online content, including on social media and websites, Union minister for information and broadcasting Smriti Irani said on 17 March at the News18 Rising India Summit , conceding that the law is not clear about online news and broadcast content.

“We remain strongly committed to protecting people’s information. We have announced that we are planning to introduce improvements to our settings and give people more prominent controls ,” an India-based Facebook spokesperson said in response to an emailed query from Hindustan Times .” We have a lot of work to do to regain people’s trust and are working hard to tackle past abuse, prevent future abuse and will continue to engage with the Election Commission of India and relevant stakeholders to answer any questions they may have.”

The absence of a data protection law and a competition watchdog to oversee Internet companies are key shortcomings, said Sunil Abraham, founder of the think tank Centre for Internet and Society.

“Evil is a function of power. As internet giants get bigger and bigger, they’ll become more and more evil. In fact, in jurisdictions like India, where we don’t have a data protection law and a sufficiently agile competition commission to take on these Internet giants, they can do whatever they want to..,” said Abraham.

Internet networks have helped undermine the business model for real news and replace it with a vibrant fake news model, in the process cornering the lion’s share of the digital advertising revenue, said Abraham . Facebook and Google dominate the Rs 9,490 crore digital advertising market in India.

“Since they don’t see themselves as a media company, their primary objective is to maximize the amount of time their users spend on the platform,” he said, adding that social media networks aren’t concerned whether the content they present is the truth or lies

“It would be laziness on our part to just blame Facebook and then feel morally superior. We have to regulate them using competition law and a data protection law so that they behave themselves on our jurisdiction,” Abraham said.

The legal framework for Indian social media users is limited. Section 43 (A) of the IT Act operates merely as a data security law applicable only to someone whose privacy has been infringed and can demonstrate that he/she has suffered a financial loss in the process.

“Whatever is known from the Cambridge Analytica episode is that none of the users have lost money or property but democracy has been undermined. So we cannot use the IT Act in India to save our democracy,” he said.

Facebook operates in an opaque manner in the manner in which it regulates content, said Geeta Seshu, consulting editor for media website The Hoot.

“When complaints are launched, they are upheld if they meet Facebook’s so-called community standards. Often users who are dissenting voices against hate or discrimination or misogyny have found themselves blocked. The process to appeal back to Facebook is very arbitrary. Users spend months and years being blocked on the platform. Facebook manipulates user data, when it decides to use algorithms to push content or boost certain articles for a certain sum of money,” she added.

In December, Alex Hardiman, head of news products at Facebook, said restoring trust and credibility to news on Facebook is one of the biggest priorities for the company.

“There is a lot that we are doing to make sure that we eradicate any false news or misinformation on Facebook. We’ve found that false news is actually a very small percentage of content. But there were a lot of financial motivations for posting false news,” she said in an interview to Mint when he was in Delhi to attend the Hindustan Times Leadership Summit. “So, one of the first things we have done is remove any financial incentives. We have also done a lot to make sure we can quickly identify and remove fake accounts. Also, we have been doing a lot to better understand clickbait content and train classifiers to identify and downlink it.We have also started third-party fact-checking. We have partnered with third-party organizations in the US, France, Germany and a few other countries,” said Hardiman.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-march-24-2018-vidhi-choudhary-is-facebook-too-powerful-without-legal-safeguards

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’

Admin — 2018-04-05T16:24:18Z

Sunil Abraham, Executive Director of Centre for Internet and Society, says Indians are vulnerable in the absence of a data protection law.

The interview was published by Newslaundry on March 24, 2018.

What exactly is the nature of the Facebook data breach? What went wrong?

Does that mean that when we ‘sign up with Facebook’, we also authorise such transfer of data?

Previously, Facebook’s authorisation service allowed the third-party application to harvest data on your profile as well as that on your friends’ list. Facebook is designed to allow this kind of data harvesting.

How is the data harvesting being done by the third-party application dangerous for users of Facebook?

How can Cambridge Analytica (CA) - the British data consultant which also provides services to political parties - influence the choice of these Facebook users?

How do you take Zuckerberg’s statement? Can it even be considered a valid apology?

Union IT minister Ravi Shankar Prasad said Indian laws are stringent and they can also summon Mr Zuckerberg. How strong is the law that Mr Prasad could be referring to?

Unfortunately, I am only a policy researcher and I don’t follow a political party. It is better to ask a political analyst that kind of question.

Hypothetically, even if these parties – the BJP and the Congress - have used the CA’s service, have they been on the wrong side by doing so?

As I said previously, there is no law in our country. Suppose a political party did exactly what Cambridge Analytica did, it will still not be guilty under any law in India.

A commoner’s argument could be - even if my personal data is with these companies, how is it going to affect my voting choice?

They can also collect your personal photographs, and maybe later that can be used to blackmail you. A lot of horrible things can happen because we have, what is called, a regulatory battle.

Again, I don’t know the specifics connected to the behaviour of Cambridge Analytica and its subsidiary in India. I don’t think anybody has done any research on this question.

The Facebook CEO didn’t mention that Facebook will stop collecting our data. Do you feel Facebook too is on the wrong side when speaking of attempts to harvest personal data?

Also, at the end, it’s all about the legal framework. In US jurisdiction, what Facebook did is completely legal. Under the European data protection law, what they did is illegal.

(Transcribed by Newslaundry interns Priyali Dhingra and Maitri Dwivedi.)

For more details visit https://cis-india.org/internet-governance/news/newslaundry-amit-bhardwaj-march-24-2018-facebook-data-breach-cambridge-analytica-privacy-law-sunil-abraham

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit https://cis-india.org/internet-governance/news/india-trilateral-forum

A Methods Workshop for Researching Future of Work in India

Admin — 2020-03-05T18:59:11Z

Centre for Internet & Society and the Department of Management Studies, Indian Institute of Technology (IIT) Delhi is conducting a workshop in New Delhi on March 28, 2018.

Read the event report in pdf format here.

Industry 4.0 is widely understood as the technical integration of cyber physical systems into production and logistics, and the use of IoTs and services in processes, which are designed to bring about significant changes in business models, downstream services and work organisations.

Labour markets are complex and are impacted by wide variety of contextual factors such as policy, informal sectors, and immigration. Technological adoption is increasingly a key factor impacting labour markets. The impact and effect of technological adoption is also complex.Questions such as whether the technology is augmenting the job, automating the job/parts of the job, digitizing the job/part of the job, and if this is resulting in unemployment or a change and re-shuffling in tasks arise. In a similar vein, as pointed out in a 2017 McKinsey Report on labour markets in India, declining labourparticipation also does not necessarily equate to unemployment and could mean instead more people are staying in education etc. International studies have concluded that jobs in developing countries will be more at risk than those in developed countries because of a larger workforce employed in routine jobs, yetit is unclear if these studies have fully accounted for context and local labour market structures.

With the goal of exploring research questions and methodologies and facilitating the exchange of ideas, prior to commencing research, CIS in collaboration withthe Department of Management at IITD, will organise a roundtable on the 28th of March 2018 from 10am - 4pm at Committee room, 4th floor, Vishwakarma Bhawan,Dept of Management Studies, IIT Delhi . The event will bring experts and relevant stakeholders together to discuss research questions, methodologies, and sources of data necessary for researching the impact of automation on labour markets in developing countries.

Questions

What are the kinds of quantitative and qualitative changes in employment in response to technological adoption that need to be studied? What methods are needed to study these? What data is needed to study these?
What are the policy processes that are most critical for the research to speak to? Will it be focussed on education? Re-skilling? Market control?
Who are the key stakeholders needed to engage with to undertake this research with respect to the quantitative, qualitative, and policy oriented research.

Agenda (Tentative)

10:00 a.m. Welcome and Tea
10:30 a.m. to 11:30 a.m.

Session 1: Exploring Research Questions for the Study of Future of Work

11:30 a.m. to 12:30 p.m.

Session 2: Primary Data and the Future of Work: Challenges and Prospects

12:30 p.m. to 1:30 p.m.Lunch
1:30 p.m. to 2:30 p.m.

Session 3: Research Methodologies for the Future of Work

2:30 p.m. to 3:30 p.m.

Session 4: Identifying Stakeholders for the studying Future of Work

3:30 p.m. to 4:00 p.m. Evening High Tea

For more details visit https://cis-india.org/internet-governance/events/a-methods-workshop-for-researching-future-of-work-in-india

Facebook breach: Privacy advocates in India seek stronger data laws

Admin — 2018-03-20T23:37:04Z

Privacy advocates in India underlined the urgent need for stronger data privacy laws in India with the debate coming under focus after reports alleged that British data analysis firm Cambridge Analytica had tapped into the profiles of more than 50 million Facebook users, without their permission, during the last US elections.

The article by Surabhi Agarwal and Devina Sengupta was published in the Economic Times on March 20, 2018. Pranesh Prakash was quoted.

Advocates of data privacy told ET that even in India — where issues around data privacy have been on the boil — voter opinion may be targeted by using their personal information without their approval. “The government has not moved with necessary pace on data protection,” said advocate Apar Gupta.

“Election commission (EC) has not taken up this issue of data protection for regulatory scrutiny. EC has in the past issued guidelines to protect election integrity and restrained exit polls and also required candidates to disclose social media handles. However, much more needs to be done,” he added.

His concerns around India’s voting process being potentially vulnerable to similar influence like in the US come amid a “case study” on the Cambridge Analytica website said the company had worked for Indian political parties as well.

It said that the British firm was “contracted to undertake an indepth electorate analysis for the Bihar Assembly Election in 2010…Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won”.

Media reports quoted sources at Cambridge Analytica, and its Indian partner, Oveleno Business Intelligence, as saying that the local company was in talks with leading Indian political parties for a pact for their 2019 parliamentary poll campaigns.

“This shows integrity of elections and voter trust may be undermined through data analytics and target voters on the basis of their personal data,” said Gupta Pranesh Prakash, policy director at Center for Internet and Society, said India urgently needs a strong data protection regulation, that require companies to have oversight and pin liabilities on them if they fail to have oversight over data they transact with.

“So, in this case for instance, the companies that provided Cambridge Analytica DATA are seriously culpable and Facebook --right now it is unclear if under any current law it is culpable --there are some discussions in the US etc. Regardless of it, they should be required to exercise greater diligence when it comes to personable data that they have taken consent for,” said Prakash.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. If these reports are true, it's a serious abuse of our rules.

All parties involved — including the SCL Group/Cambridge Analytica, Christopher Wylie and Aleksandr Kogan — certified to us that they destroyed the data in question. In light of new reports that the data was not destroyed, we are suspending these three parties from Facebook, pending further information. We will take whatever steps are required to see that the data in question is deleted once and for all —and take action against all offending parties.”

In a statement to ET, Facebook said there was no breach of its data base and that protecting people’s information was core to the company. “Like all app developers, Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” Paul Grewal, VP & Deputy General Counsel, Facebook said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-20-2018-surabhi-agarwal-devina-sengupta-facebook-breach-privacy-advocates-in-india-seek-stronger-data-laws