We are anonymous, we are legion

Aadhaar: ‘Safety is regularly evolving‘

Admin — 2018-02-07T16:44:50Z

Experts say the new security features will significantly ensure there is no ‘large-scale theft of people‘s identity‘. Alnoor Peermohamed reports.

The blog post was published in Kaplan Herald on February 5, 2018.

While the introduction of new features such as face authentication, virtual ID, and limited know-your-customer (KYC) by the Unique Identification Authority of India are being seen as reactions to mounting public pressure over the security of Aadhaar, experts, who have helped build the citizen identity system, say these have been in the pipeline for a long time.

Pegged to be fully functional by July 1, the new features will make Aadhaar more secure, but that hasn‘t stopped the UIDAI from drawing flak over the recent issue of rogue agents selling demographic data of individuals.

Moreover, the agency‘s handling of the issue has not inspired confidence among the public and security researchers.

Experts say for a system of Aadhaar‘s size, security is continually evolving.

Lalitesh Katragadda, former head of Google‘s product centre in India and who also helped build Aadhaar, says as a country we need to understand there‘s ‘no such thing as a 100 per cent secure system‘.

While security gaps will always exist, he says it‘s the UIDAI‘s duty to ensure there‘s no ‘large-scale theft of people‘s identity‘.

According to him, the new security features will help significantly in this regard.

Face authentication will be another biometric Aadhaar will begin offering to combat the reportedly high failure rates of fingerprint authentication.

The system will use common Webcams to capture photos of individuals and match them with the existing photo on the UIDAI‘s database.

The system will not use any high-end hardware backed facial recognition like the recently launched iPhone X, which the company claims is more accurate than its previous fingerprint authentication technology.

The UIDAI will work around this issue by clubbing face authentication with other forms of authentication — fingerprint, iris scan or a one-time password sent to a user‘s mobile phone.

While it isn‘t known how exactly the feature will be built into apps relying on Aadhaar authentication, Srikanth Nadhamuni, the former chief technology officer of Aadhaar, envisions a scenario where a photo of an individual could be captured and matched when fingerprint authentication fails, in order to improve the probability of a match.

But even this isn‘t a foolproof plan, some believe.

“Your face is again a biometric, and that comes with the same host of issues that is plaguing the other biometrics that have so far been used,” says Sunil Abraham, executive director at the Bengaluru-based think-tank, Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/news/kaplan-herald-february-5-2018-aadhaar-safety-is-regularly-evolving

To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI

Admin — 2018-02-07T01:00:00Z

Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.

The article by Komal Gupta was published by Livemint on February 7, 2017

To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.

Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.

Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.

According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.

“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.

Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.

It added that in case a person loses his Aadhaar card, he can download the card free from https://eaadhaar.uidai.gov.in.

Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.

The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.

“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.

Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar

CIS Submission to the Committee of Experts on a Data Protection Framework for India

amber — 2018-04-18T16:39:11Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ (“White Paper”) released by the Ministry of Electronics and Information Technology. The White paper was drafted by a Committee of Expert (“Committee”) constituted by the Ministry. CIS has conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. The submission was made on January 31, 2018.

The submission is divided into four parts — I. Preliminary, II. Scope and Exemption, III. Grounds of Processing, Obligations of Entities and Individual Rights and IV. Regulation and Enforcement. The submission follows the same the order as adopted by the White Paper.

Please access the full submission here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india

Submission to the Committee of Experts on a Data Protection Framework for India

amber — 2018-02-05T13:39:00Z

For more details visit https://cis-india.org/internet-governance/submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india

January 2018 Newsletter

praskrishna — 2018-03-01T01:35:56Z

January 2018 Newsletter

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
The paper titled "Patent Working Requirements and Complex Products" has been published in the latest issue of the NYU Journal of Intellectual Property and Entertainment Law. It is one of the outputs of the Pervasive Technology project and has been authored by Prof. Jorge L. Contreras, Paxton M. Lewis, and Rohini Lakshané. CIS made a submission to the Department of Industrial Planning and Promotion on mobile patents. CIS offered its assistance on matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India The use of Artificial Intelligence (AI) in healthcare in India is increasing with new startups and large ICT companies offering AI solutions for healthcare challenges in the country. The report by by Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari seeks to map the present state of AI in the healthcare sector in India. About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent. The article by Sunil Abraham was published in Deccan Herald on January 20, 2018. CIS made a submission to TRAI Consultation on inputs to the National Telecom Policy. CIS in its submission also recommended what all should be the main objectives of TRAI while drafting the next edition of National Telecom Policy. Under a research grant from the Azim Premji University CIS has initiated a study of the ongoing updation process of the National Register of Citizens (NRC) in Assam and the resultant reform of citizen identification infrastructure in India. The 2G judgment of December 2017 provides a critique of how no proper evidence was presented on existence of an FCFS policy and its improper implementation, wrote Shyam Ponappa in his article in the Business Standard which was published on January 3, 2018.

Highlights

The paper titled "Patent Working Requirements and Complex Products" has been published in the latest issue of the NYU Journal of Intellectual Property and Entertainment Law. It is one of the outputs of the Pervasive Technology project and has been authored by Prof. Jorge L. Contreras, Paxton M. Lewis, and Rohini Lakshané.
CIS made a submission to the Department of Industrial Planning and Promotion on mobile patents. CIS offered its assistance on matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India
The use of Artificial Intelligence (AI) in healthcare in India is increasing with new startups and large ICT companies offering AI solutions for healthcare challenges in the country. The report by by Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari seeks to map the present state of AI in the healthcare sector in India.
About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent. The article by Sunil Abraham was published in Deccan Herald on January 20, 2018.
CIS made a submission to TRAI Consultation on inputs to the National Telecom Policy. CIS in its submission also recommended what all should be the main objectives of TRAI while drafting the next edition of National Telecom Policy.
Under a research grant from the Azim Premji University CIS has initiated a study of the ongoing updation process of the National Register of Citizens (NRC) in Assam and the resultant reform of citizen identification infrastructure in India.
The 2G judgment of December 2017 provides a critique of how no proper evidence was presented on existence of an FCFS policy and its improper implementation, wrote Shyam Ponappa in his article in the Business Standard which was published on January 3, 2018.

The following articles were written by CIS members:

Digital native: Memory card is full (Nishant Shah; Indian Express; January 3, 2018).
The 2G Judgment of December 2017: What Was It About? (Shyam Ponappa; Business Standard; January 3, 2018).
Fixing Aadhaar: Security developers' task is to trim chances of data breach (Sunil Abraham; Business Standard; January 10, 2018).
Another Step towards Privacy Law (Elonnai Hickok; Governance Now; January 15, 2018).

Data Protection: We can innovate, leapfrog (Sunil Abraham; Deccan Herald; January 20, 2018).

CIS in the News:

From net neutrality to IBC & Aadhaar, how Vidhi is framing key government legislation (Surabhi Agarwal and Samanwaya Rautray; Economic Times; January 4, 2018).
UIDAI denies any breach of Aadhaar database (Komal Gupta; Livemint; January 7, 2018).
Token security or tokenized security? (Manasa Venkataraman and Ajay Patri; Livemint; January 9, 2018).
UIDAI introduces new two-layer security system to improve Aadhaar privacy (Economic Times; January 11, 2018).
Hammered government offers Virtual ID firewall to protect your Aadhaar (New Indian Express; January 11, 2018).
Virtual Aadhaar ID: too little, too late? (Yuthika Bhargava; Hindu; January 11, 2018).
India To Introduce Virtual ID For Aadhaar To Strengthen Privacy (Bloomberg Quint; January 11, 2018).
UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics (Business Today; January 12, 2018).
Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief (Sukriti Dwivedi; NDTV; January 13, 2018).
Bengaluru gives data safety tips to panel (Deccan Herald; January 14, 2018).
Is your personal information under lock and key? (Sravanthi Challapalli; Hindu Businessline; January 16, 2018).
Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool (First Post; January 18, 2018).
Paytm Payments Bank woos corporates with digital incentives (Komal Gupta and Remya Nair; Livemint; January 24, 2018).
Aadhaar's new security measures are good, it is still work in progress (Alnoor Peermohamed; Business Standard; January 25, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Government of Odisha adopting Creative Commons License to Promote Transparency and Access to Knowledge (Sailesh Patnaik; January 17, 2018).
Experience and Learning outcome from Wikipedia Education Program (Lakshmi Karlekar; January 30, 2018).

Events Organized

Marathi Wikipedia Workshop at Dept. of Mass Communication, Solapur University (Organized by CIS-A2K and Dept of Mass Communication, Solapur University; Solapur; January 2, 2018).
Marathi Wikipedia Workshop at Dayanand College, Solapur (Organized by CIS-A2K and Dayanand College, Solapur; Solapur; January 3, 2018).
Marathi Wikipedia Workshop at Willingdon College, Sangli (Organized by CIS-A2K and Willingdon College; Sangli; January 5, 2018).
Marathi Wikipedia Workshop at Govt.Science & Arts College, Aurangabad (Organized by CIS-A2K and Govt.Science & Arts College; Aurangabad; January 9, 2018).
Marathi Wikipedia Workshop at Dr.Babasaheb Ambedkar Marathwada Vidyapeeth (Organized by CIS-A2K and Dr. Babasaheb Ambedkar Marathwada University; Aurangabad; January 10, 2018).
Marathi Wikipedia Workshop at Shivaji University, Kolhapur (Organized by CIS-A2K and Shivaji University; Kolhapur; January 15, 2018).
Wikidata Workshop (Organized by CIS-A2K and Andhra Loyola College; Vijaywada; January 20 - 21, 2018).
Train the Trainer 2018 (Organized by CIS-A2K; Mysore; January 26 - 28, 2018).

►Pervasive Technologies

Research Paper

Patent Working Requirements and Complex Products (Jorge L. Contreras, Rohini Lakshané and Paxton M. Lewis; JIPEL NYU Journal of Intellectual Property & Entertainment Law, Vol. 7 - No.1 on January 16, 2018).

Submission

Submission to DIPP at Meeting with IP Stakeholders (Anubha Sinha; January 1, 2018). The submission was made in December 2017 but it was published on the website in January 2018.

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Blog Entry

Artificial Intelligence and the Healthcare Industry in India (Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari (Ecosystem mapping by Shweta Mohandas, Sidharth Ray and Elonnai Hickok. Designed by Saumyaa Naidu under Creative Commons Attribution 4.0 International License; January 26, 2018).

Events Organized

Roundtable on A.I. and Manufacturing and Services (TERI, Bengaluru; January 19, 2018).

null Bangalore Meet: Special Session on Digital Identity and Privacy (CIS, Bengaluru; January 19, 2018). Sunil Abraham gave a talk.

►Free Speech and Expression

Blog Entries

Internet Governance Forum Report 2017 (Shweta Mohandas; January 11, 2018).

Mobile net ban during peaceful protest leaves farmers confused (Shruti Jain; January 19, 2018).

‘Hurt sentiments’ cost Udaipur internet access for four days (Shruti Jain; January 19, 2018).

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

Submission to TRAI Consultation on "Inputs for Formulation of National Telecom Policy - 2018" (Pranesh Prakash; January 25, 2018).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entry

Life of a Tuple: National Register of Citizens (NRC) and the Reform of Citizen Identification Infrastructure in Assam (Sumandro Chattapadhyay; January 22, 2018). All posts related to the study can be found here.

-----------------------------------
About CIS
-----------------------------------

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/Qjanuary-2018-newsletter

Aadhaar's new security measures are good, it is still work in progress

Admin — 2018-01-26T01:52:51Z

Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure.

The article by Alnoor Peermohamed was published in Business Standard on January 25, 2018.

While public pressure over the security of Aadhaar might have forced the Unique Identification Authority of India (UIDAI) to introduce new features such as face authentication, virtual ID and limited KYC, experts who have worked on the system say such updates are incremental and need to keep happening.

Be it Google, Facebook or Aadhaar, a digital system serving billions of people needs to remain secure for which it continually has to evolve, sometimes adapting to issues that are found. The three new features will certainly help improve security, but many questions still remain over how the UIDAI will tackle the recently highlighted issue of rogue Aadhaar agents.

An article in the Tribune newspaper which claimed that Aadhaar information of individuals was on sale for as little as Rs 500, sparked off the biggest security scare against the digital identity keeper in a while. Even though the UIDAI asserted that its systems had not been breached, proof that Aadhaar details of an individual could be bought had been delivered. The agency has also not inspired confidence among public and security researchers with the way it has responded to Aadhaar data that has been put in public domain in violation of privacy of individuals.

"As an economy and an ecosystem, we have to understand that there is no such thing as a 100 percent secure system. When it was on paper it was not secure and now that it is digital, it is not a 100 percent secure. Security gaps may exist, but those should not cause large-scale theft of people's identity or cause significant damage. It's an arms race and this means that Aadhaar has to improve constantly," says Lalitesh Katragadda, former head of Google's product centre in India who has helped build Aadhaar.

Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure:

Face Auth

Face Authentication or 'Face Auth' is an additional biometric that the UIDAI will roll out in order to cut down on the number of failed attempts which is increasingly being highlighted as an issue. By matching a user's face, captured through a camera at the time of authentication to the image of their face which was taken at the time of Aadhaar enrolment, the identity of an individual can be more accurately verified.

Facial recognition in the consumer landscape has once again been popularised by Apple's latest iPhone X device that uses an array of sensors and infrared light to map a person's face in three dimensions. The company claims this is more accurate than its previous fingerprint-based TouchID technology, but this isn't the case with UIDAI's facial recognition technology.

The UIDAI will utilise webcams and low-end hardware to enable Face Auth and therefore the conscious decision to use a person's face in conjunction to another layer of authentication - fingerprint, iris scan or a one-time password sent to the user's registered mobile device was taken.

How exactly applications built on Aadhaar will utilise this new Face Auth feature is not known yet, and neither are the technical specifications. Srikanth Nadhamuni, the former Chief Technology Officer of Aadhaar, envisions a scenario where a farmer using Aadhaar to get his PDS witnesses a failure to authenticate using his fingerprint, prompting the application to capture his photo and check whether it matches with the existing photo on the UIDAI's database.

Activists, however, point out that it's far easier to fake facial recognition software, which in some cases get fooled into giving out positives by simply holding photos of the user in front of a camera. "At the end of the day your face is again biometric, and that comes with the same host of issues that are plaguing the other biometrics that has so far been used," says Sunil Abraham, Executive at Bengaluru-based think tank Centre for Internet and Society (CIS).

Virtual ID

As its name suggests, Virtual ID gives users a stand-in for their 12-digit Aadhaar number if they're worried that it will be stolen, leaked online or misused in any way. Any Aadhaar user will be able to log into an online portal, visit an Aadhaar enrollment centre or use the mAadhaar app to generate a 16-digit Virtual ID.

By virtue, the UIDAI has built the Virtual ID to be temporary and a user can ask for any number of Virtual IDs - when a new one is generated, the old one is destroyed and can even be assigned to another user. The key here is that only the UIDAI will be able to make the link to a Virtual ID and Aadhaar number and no-one else.

After years of arguing that leaking of the Aadhaar number itself wasn't an issue, the UIDAI is finally giving users a tool that allows them to keep their Aadhaar number private. While Abraham agrees that the feature will make Aadhaar safer, he says its effectiveness will only be valid if a user opts in as it has not been made a feature by design.

Nadhamuni argues on the contrary, that making Virtual ID a mandatory process would hurt more people than it helps. "A lot of people in rural India are using their Aadhaar for authentication of PDS and MNREGA and so on and it's working for them.

You don't want to confuse all of them and ask them to create yet another number. You'd have to make a farmer understand the concept of Virtual ID when he's completely happy with the way things are today," he says.

Limited KYC

The process of KYC (Know Your Customer) through Aadhaar has all along given public bodies and private companies access to a user's details such as name, age, sex, address and photograph. With limited KYC, the UIDAI will categorise a body seeking aadhaar details into two buckets, ones that get the full information and ones with whom only partial information is shared.

Realising that not all bodies or companies need all the Aadhaar details, is the biggest change that Limited KYC will bring in. The idea is that the fewer places a person's Aadhaar details are stored, the fewer chances of it leaking. Moreover, by giving only critical services full Aadhaar details the UIDAI is hoping it will eliminate its problem of having to share details with less secure systems.

Limited KYC will also bring in a tokenized system for agencies to ensure uniqueness while not storing a user's Aadhaar number on their databases. A 72 digit alphanumeric UID Token will be generated at the time of authentication which only UIDAI will be able to map back to a particular Aadhaar number. However, there isn't clarity on who will be exempt from this as there is word that banks and tax authorities will be allowed to store user Aadhaar numbers.

The UID Tokens will also be backdated, meaning all previous KYC attempts a user had made with a particular body or company will also be migrated to the new system, ensuring that if two databases leak, the perpetrators are not able to easily use Aadhaar numbers to match users and improve the quality of the data they've stolen. Some details on this are still missing though.

Security: Work in Progress

Experts who worked on building Aadhaar say that such features were discussed during the very inception of the national biometric database, but were not rolled out until now to avoid complexity. Katragadda, who has worked on building many large APIs at Google agrees that all large systems avoid complexity during the kickoff and add them based on needs of users later.

Like him, both Nadhamuni and even Abraham agree that the new features will make Aadhaar more secure, while the latter had his reservations on how secure it would be which only the fine print would reveal. The experts also agree that the public discourse which Aadhaar security has taken is a good thing, since the digital security of over a billion people is now public discussion.

"Security breaches are like earthquakes. It's better to have many tiny tremors than be oblivious to gaps in our system and lose everything with that one massive earthquake. So it's better to have our ears close to the ground, have ethical hacking competitions where we ask people to hack the Aadhaar system, find gaps in security. The best APIs in the world do this," says Katragadda.

He adds that India should not be scared to build large digital systems for public good in the fear that there will be security breaches. Even the paper based system before Aadhaar had several security lapses, but were not visible. "Otherwise we need to have this holy grail of a system which is perfectly automated and we're at least 20 years away from full robotics," he adds.

For more details visit https://cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress

Artificial Intelligence in India: A Compendium

Centre for Internet & Society — 2023-05-09T06:56:25Z

Artificial Intelligence (AI) is fast emerging as a key technological paradigm in different sectors across the globe including India.

Towards understanding the state of AI in India, challenges to the development and adoption of the same, and ethical concerns that arise out of the use of AI - CIS is undertaking research to understand and document national developments, discourse, and impact (actual and potential) to ethical and regulatory solutions and compare the same against global developments in the space. As part of this, CIS is creating a compendium of reports that dive into the use of AI across sectors including healthcare, manufacturing, governance, and finance.

Each report seeks to map the present state of AI in the respective sector. In doing so, it explores: Use: What is the present use of AI in the sector? What is the narrative and discourse around AI in the sector? Actors: Who are the key stakeholders involved in the development, implementation and regulation of AI in the sector? Impact: What is the potential and existing impact of AI in the sector? Regulation: What are the challenges faced in policy making around AI in the sector?

The reports are as follows:

AI and the Healthcare Industry in India
AI and the Manufacturing and Services Sector in India
AI and the Banking and Finance Industry in India: (19th June 2018 Update: This case study has been modified to remove interview quotes, which are in the process of being confirmed. The link above is the latest draft of the report.)
AI in the Governance Sector in India

The research is funded by Google India. Comments and feedback are welcome. The reports are drafts.

For more details visit https://cis-india.org/internet-governance/blog/artificial-intelligence-in-india-a-compendium

Roundtable on AI and Finance in India

saman — 2018-03-11T14:58:55Z

Centre for Internet & Society (CIS) will hold a roundtable on artificial intelligence and finance in India on Wednesday, February 7, 2018 in association with HasGeek and the 50p Conference. The roundtable will take place from 2 p.m. to 5 p.m at TERI (The Energy Resources Institute) in Domlur, Bengaluru.

We invite you all to participate in this roundtable to share and build knowledge about trajectories of AI deployment across sub-sectors of banking in India and the emergent regulatory and public policy concerns.

The objective of the roundtable is to bring together various actors active across the fields of artificial intelligence, machine learning, cognitive computing, financial technologies,and big data credit scoring and online lending, to discuss pressing public policy issues in regards to the utilisation and implementation of AI in the banking and finance sectors of India.

These sectors currently find themselves at the early stages of AI adoption. Such technologies are being implemented to facilitate both front-end and back-end processes by a variety of players with the aim of improving the accessibility, customised user engagement, and quality of current financial services. Leading commercial banks in India have all been working to develop and deploy AI technologies either in house or in partnership with small and large-scale tech companies. Such initiatives have seen the deployment of numerous chatbots and humanoid robots for the purposes of customer service. More significant, however, is the use of such technology by banks and fintech actors to facilitate decision making behind the scenes, on a variety of financial issues including but not limited to credit-worthiness, fraud detection, and investments.

While these sectors are no strangers to the use of big data analytics and similar technologies in aiding with financial decision making and daily operations, the deployment of technologies such as machine learning and natural language processing is still very new. Due to the nascent nature of this phenomenon, little is known about the details of their implications for both producers and consumers. Furthermore, concerns regarding data ownership, liability, and consumer rights have all been raised in light of AI adoption. This roundtable will present us with an opportunity to discuss such issues and begin to fill this knowledge gap.

For agenda and event brochure click here. For RSVP click here. Read the event report here

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-ai-and-finance-in-india

Paytm Payments Bank woos corporates with digital incentives

Admin — 2018-01-24T23:52:36Z

Offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank, says Paytm Payments Bank CEO Renu Satti.

The article was published by Komal Gupta and Remya Nair was published in Livemint on January 24, 2018

Looking to tap the ready customer base of salary accounts, Paytm Payments Bank is trying to attract corporate entities with digital offerings such as food and gift wallets for their employees.

The bank has set a target of reaching a customer base of 500 million over the next 2-3 years, managing director and chief executive Renu Satti said in an interview. The bank claims to have 170 million customers, including those using the Paytm e-wallet.

Satti said the offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank. Around 500 corporate entities are using e-wallet services.

“These corporate offerings will ensure better accountability and convenience for both the employers and employees,” she said, giving the example of food wallets which are automatically debited when a customer buys food, due to the tagging of merchants done at the back-end by Paytm.

“We even offer customisation to the extent of restricting usage of food wallet to specific merchants like office cafeterias, basis requirement,” Satti said.

Food vouchers and gift coupons have been typically issued in a physical form by corporate entities, earlier as paper coupons and now as prepaid cards.

Paytm Payments Bank offers customers the convenience of using their food and gift wallets through the app across the merchant base of Paytm, Satti said. “It doesn’t require any card, which also does away with issues such as loss of card and expiry of coupons, plus avail the benefits of cashback running on any Paytm merchant,” she added.

Last week, Paytm Payments Bank launched physical debit cards for its customers to facilitate account holders to withdraw cash from ATMs and make offline payments. Hitherto, the bank had been issuing virtual debit cards which could only be used for online payments.

The bank also plans to set up around 100,000 banking outlets across the country in the next one year to cater largely to under-banked rural areas.

The list of these outlets will be available on the bank’s website where the customer will be able to access a range of services including net banking, National Electronic Funds Transfer (NEFT), Immediate Payment Service (IMPS) and Unified Payments Interface (UPI). There will be monetary incentives for these correspondents for every transaction they perform for the customer. These outlets could be a local kirana store or a chemist shop, Satti said.

“We will follow a stringent process to shortlist merchants. There will be screening, quality check, physical check to ensure whether the place is actually authorized to run a business,” she said.

The bank plans to onboard some from the existing merchant networks using Paytm wallets while others will be from areas where there is no Paytm presence as of now.

More than 6 million merchants are already a part of the Paytm ecosystem, primarily using wallet services.

Paytm Payments Bank was launched in November after receiving a payments bank license from RBI in January last year. Vijay Shekhar Sharma, founder of One97 Communications, holds the majority share in Paytm Payments Bank, with the rest being held by One97 Communications.

The bank currently has no minimum balance requirements and offers 4% interest on savings deposits. India has three other operational payment banks—Airtel Payments Bank, India Post Payments Bank and Fino Payments Bank. “The traditional banks that offer customized corporate services to its customers having a high amount of deposits would face competition from payments banks. They will have no other option but to offer those services to customers with deposits at the Payments bank limits, to stay relevant in the market,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank.

“Also, as a payment company, Paytm has data pertaining to the spending patterns of customers which help it be more competitive in the market,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-remya-nair-january-24-2018-paytm-payments-bank-woos-corporates-with-digital-incentives

Data Protection: We can innovate, leapfrog

sunil — 2018-01-22T01:45:46Z

About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent.

The article was published in the Deccan Herald on January 20, 2018.

Even if we can read them, we may not have the necessary legal training to understand them. According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that details the third-party advertising companies that they share data with. These third-parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; 14 Mobile Analytics companies. The linked privacy policies for Tetris run to 407,000 words, compared to 450,000 words for the entire 'Lord of the Rings trilogy'." The child aged four and above that plays the game and her parents need an intermediary to deal with the corporations hiding behind Tetris.

Unlike the European Union, which has more than 37 years of history when it comes to data protection law, India is starting with a near blank slate after the Supreme Court confirmed that privacy is a constitutionally-guaranteed fundamental right in the Puttaswamy case judgement. While we would want to maintain adequacy and compatibility with the EU General Data Protection Regulation (GDPR) because it has become the global standard, we must realise that there is an opportunity for leapfrogging. This article attempts to introduce the reader to three different visions for intermediaries that have emerged within the Indian data protection debate around the accountability principle. I will also provide a brief sketch of an idea that we are developing at the Centre for Internet and Society. This is an incomplete list as there must be more proposals for regulatory innovation around the accountability principle that I am currently unaware of.

n Account Aggregators: The 'India Stack' ecosystem that has been built around the Aadhaar programme first proposed intermediaries called Account Aggregators. Account Aggregators manage consent artifacts. India Stack has traditionally been described as having four layers -- presenceless, paperless, cashless and consent. The consent layer is supposed to feature Account Aggregators. If, for example, a data subject wanting an insurance policy visits an insurance portal, the portal would collect personal information and a consent artifact from her and pass it on to multiple insurance companies. These insurance companies would send personalised bids to the portal, which would be displayed on a comparative grid to enable empowered selection.

The data structure consent artifact has been provided in the Master Direction from RBI titled "Non-Banking Financial Company Account Aggregator Directions," published in September 2016. How does this work? The fields includes (i) identity and optional contact information; (ii) nature of the financial information requested; (iii) purpose; (iv) the identity of the recipients, if any; (v) URL/address for notifications when the consent artifact is used; (vi) consent artifact creation date, expiry date, identity and signature/digital signature of the Account Aggregator; and (vii) any other attribute as may be prescribed by the RBI. While Account Aggregators make it frictionless for the grant of consent and also for the harvesting of consent by data controllers, it does not make it easy for you to manage and revoke your consent.

n Data Trusts: Most recently, Na.Vijayashankar, a Bengaluru-based cybersecurity and cyberlaw expert, has proposed intermediaries called 'Data Trusts' registered with the regulator and who (i) will work as escrow agents for the personal data (which would be classified by type for different degrees of protection); (ii) will make privacy notices accessible by translating them into accessible language and formats; (iii) disclose data minimally to different data controllers based on the purpose limitation; (iv) issue tokens or pseudonymous identifiers and monetise the data for the benefit of the data subject. To ensure that Data Trusts truly protect the interests of the data subject, Vijayashankar proposes three requirements: (a) public performance reviews (b) audits by the regulator and (c) "an arms-length relationship with the data collectors." In his proposal, Data Trusts are firms with "the ability to process a real-time request from the data subject to supply appropriate data to the data collector."

n Learned Intermediaries: The Takshashila Institution published a paper titled Beyond Consent: A New Paradigm for Data Protection, authored by Rahul Matthan, partner at the law firm Trilegal. Learned Intermediaries would perform mandatory audits on all data controllers above a particular threshold. Like Vijayashankar, Matthan also requires these intermediaries to be certified by an appropriate authority. The main harm that he focuses on is, bias or discrimination. He proposes three stages of audit which are designed for the age of Big Data and Artificial Intelligence: "(i) Database Query Review; (ii) Black Box Audits; and (iii) Algorithm Review". Matthan also tentatively considers a rating system. Learned Intermediaries are a means to address information asymmetry in the market by making data subjects more aware. The impact of churn on their bottom-lines, it is hoped, will force data controllers to behave in an accountable manner, protecting rights and mitigating harms.

n Consent Brokers: Finally, I have proposed the model of a 'Consent Broker' by modifying the concept of the Account Aggregator. Like the Account Aggregator proposal, we would want a competitive set of consent brokers who will manage consent artifacts for data subjects. However, I believe there should be a 1:1 relationship between data subjects and consent brokers so that the latter compete for the business of data subjects. Like Vijayashankar, I believe that the consent broker must have an "arms-length distance" from data controllers and must be prohibited from making any money from them. Consent brokers could also be trusted to take proactive actions for the data subjects, such as access and correction.

The need of the hour is the production of regulatory innovations and robust discussions around them for all the nine privacy principles in the Justice AP Shah committee report -- notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, openness and accountability.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-january-20-2018-sunil-abraham-data-protection-we-can-innovate-leapfrog

Mobile net ban during peaceful protest leaves farmers confused

Shruti Jain — 2018-01-19T15:20:14Z

Strap: Administration says it was done to prevent rumours from spreading, protesters insist they needed internet to fight it.

In Sikar district, about 15,000 farmers had staged a protest at Krishi Upaj Mandi on 1 September 2017 under the banner of All India Kisan Sabha. Their major demands were farm loan waiver, pension for farmers and implementation of the recommendations of the Swaminathan Commission. The protest had the support of students, traders' associations, anganwadi workers, transport unions and a few other organisations. About 100,000 people joined farmers in a solidarity march during the next 13 days.

The demonstrations continued and when talks with the government failed, thousands of farmers set out to lay siege to the district collector's office and block highways on September 11.

Accordingly, the district administration clamped prohibitory orders under Section 144 of Criminal Procedure Code, restricting assembly of five or more people, and blocked mobile internet in the district.

Kishan Pareek, district secretary of Communist Party of India (Marxist) which took part in the protest, contended that though the government says the ban was enforced to check the spread of violence, the actual motive was something else. He says the administration was vying to stifle their movement but couldn’t use force as the protesters were peaceful.

"So, they resorted to spreading rumours to provoke us to commit any violent activity. If internet was working that time, we could have easily denied those [rumours],” he says.

According to Pareek, the rumours that circulated that day included: the protest has turned violent at some location, police have fired bullets/charged baton at the protesters, additional force has been called in from Jaipur etc. As broadband was operational, the organisers managed to counter falsehood with facts and the misinformation didn't spread outside Sikar. Pareek says whichever protest-spot the rumours portrayed as violence-ridden, their social media team shared videos from there on Facebook to counter them.

Pictures above: Thousands of farmers held a protest at Krishi Upaj Mandi, Sikar in September 2017.

Nevertheless, in the absence of mobile internet, farmers’ teams that had gathered at various highways to block roads had difficulty processing the false information that was trickling in. Though it created much confusion among them, it failed to instigate them.

Rajpal Singh, a Sikar-based member of CPI(M)'s social media wing, informed that the mainstream media didn't give much attention to the protest. He says it were local websites and newspapers that covered the event, which is why the administration banned internet, hoping restriction on the flow of information would throw a spanner in the works. Apart from local news websites, local Facebook pages -- Sikar Aapno, Sikar Sandesh, We love CPIM- Dhod and CPIM Sikar, etc. -- were giving minute-by-minute updates of the farmers' protest.

The internet services were resumed in Sikar a day later as the protest did not get violent and the protesters were not found circulating any provocative content.

A former CPI(M) MLA, president of All India Kisan Sabha and leader of the farmers' agitation, Amara Ram, told 101Reporters that one of the very reasons their movement enjoyed humongous public support was its peaceful nature. He says as their movement unfolded, people from Sikar and outside realised this protest would not turn violent and it’s a cause that needed support.

As cautious as the government might have been about the September 11 protest, police presence indicated that the law-enforcement agency did not perceive it as a threat. One of the protesters, Nemichand, says only 50-odd policemen had been deputed for the protest march of 15,000+ farmers to the district collectorate. He claimed that the number of men in khaki dwindled to 20 by the afternoon.

He alleged that the real reason for internet shutdown was stopping the dissemination of news about their protest as it exposes the Modi government's inconsiderate approach towards farmers.

“Everybody in Sikar was talking about the internet ban. Since there was no legitimate reason for the ban, the government couldn’t continue with it, fearing how they will justify,” he says.

	The administration confirmed that the ban was imposed fearing threat to law and order in the district due to the gathering of thousands. “Though they were protesting peacefully the initial ten days at the mahapadav, they had planned to block the district collectorate on September 11 in thousands. To restrict their movement, internet was suspended in Sikar. During such situations, no one writes positive about the administration. We didn’t want to provide them a platform for spreading rumours that could have made the protestors violent. If there had been no internet ban that day, something big would have happened,” Jai Prakash Narayan, additional district collector and additional district magistrate, told 101reporters. “Broadband was made working during the internet ban so that the private and government offices were not affected. While giving order for internet ban, it is made sure that normal call and broadband facilities are not debarred. General masses are affected but internet shutdown is the only option we have,” he added. “While their blockade continued for three days, we restricted internet services only for first 24 hours as the protest had gained stability till then.” Even three months after the high-powered ministerial committee was formed to look into the farmers’ demand, nothing has been done. Now, they plan to stage a protest in February 2018 when the state assembly will be in function. Former CPI(M) MLA Pema Ram says, “Preparation for February protest has already begun. Kisan Sansads are being organised in Sikar, where active farmers from each village participate to raise demands regarding implementation of the recommendations of the Swaminathan Commission report, a solution to the menace of stray cattle, complete farm loan waiver and pension for farmers. They then discuss it with other farmers in their villages.”

The administration confirmed that the ban was imposed fearing threat to law and order in the district due to the gathering of thousands. “Though they were protesting peacefully the initial ten days at the mahapadav, they had planned to block the district collectorate on September 11 in thousands. To restrict their movement, internet was suspended in Sikar. During such situations, no one writes positive about the administration. We didn’t want to provide them a platform for spreading rumours that could have made the protestors violent. If there had been no internet ban that day, something big would have happened,” Jai Prakash Narayan, additional district collector and additional district magistrate, told 101reporters.

“Broadband was made working during the internet ban so that the private and government offices were not affected. While giving order for internet ban, it is made sure that normal call and broadband facilities are not debarred. General masses are affected but internet shutdown is the only option we have,” he added. “While their blockade continued for three days, we restricted internet services only for first 24 hours as the protest had gained stability till then.”

Even three months after the high-powered ministerial committee was formed to look into the farmers’ demand, nothing has been done. Now, they plan to stage a protest in February 2018 when the state assembly will be in function.

Former CPI(M) MLA Pema Ram says, “Preparation for February protest has already begun. Kisan Sansads are being organised in Sikar, where active farmers from each village participate to raise demands regarding implementation of the recommendations of the Swaminathan Commission report, a solution to the menace of stray cattle, complete farm loan waiver and pension for farmers. They then discuss it with other farmers in their villages.”

Pictures above: Apart from local news websites, local Facebook pages - Sikar Aapno, Sikar Sandesh, We love CPIM- Dhod and CPIM Sikar, etc. - were giving minute-by-minute updates of the farmers' protest. Pictures courtesy: Shruti Jain

(Shruti Jain is a Jaipur-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters.)

For more details visit https://cis-india.org/internet-governance/blog/mobile-net-ban-during-peaceful-protest-leaves-farmers-confused

‘Hurt sentiments’ cost Udaipur internet access for four days

Shruti Jain — 2018-01-19T13:51:51Z

Strap: Authorities suggest it was more than a Facebook post that led to shutdown.

Udaipur: In April 2017, a Facebook post led to 21-year-old Ibrahim* getting arrested and Rajasthan’s Udaipur city losing its mobile internet for four days (broadband banned only for first day). The authorities say the hateful content proliferating after Ibrahim’s social media post in praise of neighbouring nation Pakistan could be tackled only by curtailing internet service. Ibrahim’s family has since left the Fatehnagar locality where they were residing.

“On April 19, an FIR was filed by Fatehnagar resident Rahul Chawda” stating that Ibrahim “is a Muslim and has commented on Facebook ‘Pakistan zindabad tha, Pakistan zindabad hai aur Pakistan zindabad rahega’, which had hurt their religious sentiments. People from Vishwa Hindu Parishad and Shiv Sena had also come along with Rahul to press that a case of sedition be filed,” Subhash Chand, head constable of Fatehnagar police station, told 101reporters.

A case under section 153A (promoting enmity on grounds of religion, race, place of birth, etc.) of the Indian Penal Code (IPC) and section 67 of the Information Technology Act (punishment for publishing or transmitting obscene material in electronic form) was registered. “However, sedition charges were not registered as their report did not have sufficient basis for it,” Chand says.

Ibrahim, an undergraduate, lived in a slum in Fatehnagar and did odd jobs to earn money. His father works as a taxi driver to support a family of four children. “Ibrahim had no past criminal record. His family left the locality after the incident. Their house is locked since past few months. He was arrested the same day when FIR was registered, but is presently out on bail,” says Gopal Lal Sharma, station house officer, Fatehnagar police station.

In his locality though, Ibrahim’s reputation was that of a “notorious” boy. “His family was fed up with him. He used to post useless content on Facebook. The atmosphere in the city was tensed between the communities at that time. So, his post triggered the religious sentiments,” says Nadir Khan, 40, a neighbour.

Udaipur police say the content posted by Ibrahim on social media was hateful and could’ve lead to clashes between communities. “Isn’t it enough to say the post was inflammatory?” replied Anand Shrivastava, inspector general of police (IG), Udaipur, when questioned about the content of Ibrahim’s post. “Such messages get easily viral on social media. Some people use Facebook and WhatsApp to spread hatred, but there is no particular site, or content that is blocked during internet shutdown. Accessibility to the internet is completely restricted,” he added.

“Messages that could outrage the religious sentiments of the Hindu community were circulated, and we had to shut down internet in the district for four days,” Shrivastava says. When asked what happens if such inflammatory content finds its way back on internet once it is restored, the IG says, “We review the situation. If it is still in circulation, we can continue with the shutdown.”

‘More than an FB post’

Then Udaipur district magistrate Rohit Gupta, however, doesn’t attribute the shutdown to the post by Ibrahim. “It was not because of a particular kid. There were other reasons. Some incidents had happened in the city which led to a lot of improper posts being circulated on social media,” says Rohit Gupta, who is now the district magistrate for Kota.

Explaining the administrative procedure behind an internet shutdown, Gupta says, “Based on a report from the police, many agencies, including intelligence and the affected party, are consulted about the decision to implement internet shutdown. Curtailing internet doesn’t allow the situation to aggravate further. Its fallout affects the general masses, too, but that happens even in the case of a curfew when we restrict people’s movement.”

Gupta says internet shutdown is a preventive action to keep the situation from escalating into a full blown law and order problem. “People will then question why the administration didn’t act in time to prevent it.”

While the administration ensured that banking and lease-line providers were not affected during the internet ban, several other businesses dependent on internet were affected.

“Why all of us?”

“If four people post hateful content on social media, why should 20 lakh others be punished? When police are unable to control a situation, the easiest way they have is to curtail the internet. I couldn’t work for four days. Many others, who depend on internet for work like me, were affected. They should ban only the social media,” says Chhatrapati Sarupria, an online graphic designer who petitioned the sessions and district court against the arbitrary suspension of internet services in Udaipur.

Cyber experts feel there can be other ways to keep social and business activities out of the purview of ban during such law and order situation, but the competent authorities fail to make any attempts in this direction.

“Internet shutdown is not the only solution. Since, there is no procedure to stop only the hateful content on social media, the only option left is to turn off the internet completely. Facebook has a ‘report abuse’ mechanism, which allows review and removal of any post that goes against the Facebook community standards. We need to work on better alternatives to control inflammatory content on social media. Only if such alternative ways are initiated now, they can be regulated as we progress,” says Mukesh Choudhary, a cyber expert.

*Name changed to protect identity.

(Shruti Jain is a Jaipur-based journalist and a member of 101Reporters.com, a pan-India network of grassroots reporters.)

For more details visit https://cis-india.org/internet-governance/blog/2018hurt-sentiments2019-cost-udaipur-internet-access-for-four-days

null Bangalore Meet: Special Session on Digital Identity and Privacy

Admin — 2018-01-18T15:09:35Z

Sunil Abraham is giving a talk to the Bengaluru null community on January 19, 2018 at the Centre for Internet & Society office in Bengaluru. The event will be held from 6 p.m. to 8.10 p.m.

null meets are free for anyone to attend. There are absolutely no fees. Just come with an open mind and willingness to share and learn.

Proposed sessions for this event:

Note: The session details including schedule are available below.

Sunil Abraham will be hosting us for a special session on Digital Identity and Privacy issues around it. He will touch upon how the null community can start getting involved in security aspects of things happening around us on privacy and related topics.

Tentative Talking Points

Cover something about digital identities and privacy issues - We do a lot of security discussions but mostly don't cover privacy as much
Maybe touch upon how null folks should start getting involved with what is happening around us in terms of security etc
Talk about the IETF security standards and related topics

https://cis-india.org/

For more details visit https://cis-india.org/internet-governance/events/null-bangalore-meet-january-19

Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool

Admin — 2018-01-18T15:01:48Z

Depending on who you ask, the Aadhaar is either a convenience or a curse.

The article was published by First Post on January 18, 2018.

The ongoing hearing in the Supreme Court is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.

By the government's own estimates, the Aadhaar initiative has covered 98 percent of the adult population in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.

The Aadhaar database is one of the largest government databases on the planet, where a 12 digit unique-identity number has been assigned to the majority of the Indian citizens. This database contains both the demographic as well as biometric data of the citizens.

What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.

The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.

But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.

The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.

However, worst fears about Aadhaar have come true after the developments that have happened over the past few weeks. A recent investigation by The Tribune revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.

Since then, the UIDAI and every other government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State and that it does not make the State transparent to citizens.

"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by The Hindu Business Line as saying.

According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."

Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.

But, according to a Scroll report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. Whereas, at the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.

So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security, privacy concerns a small price to pay for better delivery of welfare schemes or is it an instrument of surveillance and a potential goldmine for hackers?

The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.

Origins of Aadhaar

According to the Scroll report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.

With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).

The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.

Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.

Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," Scroll quoted a former UIDAI official as saying, on conditions of anonymity.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.

And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.

The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals."

Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.

"The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."

So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?

According to a report in The Hindu Business Line, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.

Through the course of these meetings, the potential savings from plugging subsidy leakageswas put across to Modi, a figure of "up to ₹50,000 crore a year".

Modi in his keenness to showcase the arrival of "acche din", the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.

Thus, the current Aadhaar project was born.

Inclusion of biometric data

Although an extension of UPA's idea, the new Aadhaar act had some crucial differences:

- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.

- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.

- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.

Data security debate

Over the last one year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about 210 government websites made the Aadhaar details of people with Aadhaar, public on the internet.

Centre for Internet and Society (CIS) also pointed out that about 130 million Aadhar numbers along with other sensitive data were available on the internet.

The recent Tribune report has only highlighted the deeper, infrastructural fallibility of singular mega-database of sensitive data.

As per this Firstpost piece, the UIDAI's response to such an obvious data breach and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.

The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.

Concerns over privacy

Apart from the security concerns, Aadhaar has brought up a question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a close scrutiny of a person's financial, personal information.

The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collectively biometric data of citizens can be construed as a violation of said right.

The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into State's Constitution.

The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.

The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people have been rejected, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.

"These are not dishonest people or ghosts," he said. Even the Standing Committee report on Aadhaar points out: "..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"

In December 2017, the court had extended the deadline for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.

Right to Privacy and its effect on Aadhaar

In August 2017, the Supreme Court in a unanimous 9:0 judgment had declared the Right to Privacy to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench judgment should the right ever be questioned.

However, the judgment only established the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined into in separate judgments.

As far Aadhaar is concerned, the judgment did not invalidate it in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no longer say that there is no Right to Privacy.

With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of the Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to retailer the project to meet its original goal, the timely and secure delivery of welfare to those who need it.

With inputs from agencies

For more details visit https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool

Another Step towards Privacy Law

elonnai — 2018-01-18T01:50:59Z

A comparison between the 2012 experts’ report and the 2017 white paper on data protection.

The column was published in Governance Now in January 15, 2018 issue.


(Illustration: Ashish Asthana)

On July 31 the ministry of electronics and information technology (MeitY) constituted a committee of experts, headed by justice (retired) BN Srikrishna, to deliberate on a data protection framework for India. The committee is another step in India’s journey in formulating a national-level privacy legislation.

The formulation of a privacy law started as early as 2010 with an approach paper for a legislation on privacy towards envisioning a privacy framework for India. In 2011, a bill on right to privacy was drafted. In 2012 the planning commission constituted a group of experts, with justice (retired) AP Shah as its chief, which prepared a report recommending a privacy framework.

A month after the formation of the committee, in August, the sectoral regulator, Telecom Regulatory Authority of India (TRAI), released the consultation paper, ‘Privacy, Security and Ownership of the Data in the Telecom Sector’. In the same month, the supreme court in a landmark decision recognised privacy as a fundamental right.

In November 2017, the expert group released a ‘White Paper of the Committee of Experts on a Data Protection Framework for India’ to solicit public comments on the contours of a data protection law for India.

To understand the evolution of the thinking around a privacy framework for India, this article outlines and analyses common themes and differences between (a) the 2012 group of experts’ report, and the 2017 expert committee’s white paper.

The white paper seeks to gather inputs from the public on key issues towards the development of a data protection law for India. The paper places itself in the context of the NDA government’s Digital India initiative, the justice Shah committee report, and the judicial developments on the right to privacy in India. It is divided into three substantive parts: (1) scope and exemptions, (2) grounds of processing, obligation and entities, individual rights, and (3) regulation and enforcement. Each part is comprised of deep dives into key issues, international practices, preliminary views of the committee, and questions for public consultation.

Broadly, the 2012 report defined nine national-level privacy principles and recommended a co-regulatory framework that consisted of privacy commissioners, courts, self-regulating organisations, data controllers, and privacy officers at the organisational level. At the outset, the 2017 white paper is different from that report simply by the fact that it is a consultation paper soliciting views as compared to a report that recommends a broad privacy framework for India. In doing so, the white paper explores a broader set of issues than those discussed in the justice Shah report – ranging from the implications of emerging technologies on the relevance of traditional privacy principles, data localisation, child’s consent, individual participation rights, the right to be forgotten, cross-border flow of data, breach notification etc. Given that the white paper is a consultation paper, this article examines the provisional views shared in it with the recommendations of the 2012 report.

Key areas that the both the documents touch upon (though not necessarily agree on) include:

Applicability

The 2012 report of experts recommended a privacy legislation that extends the right to privacy to all persons in India, all data that is processed by a company or equipment located in India, and to data that originate in India.

Provisional views in the white paper reflect this position, but also offer that applicability could be in part determined by the legitimate interest of the state, carrying on a business or offering services or goods in India, and if, despite location, the entity is processing the personal data of Indian citizens. The provisional views also touch upon retrospective application of a data protection law and agree with the 2012 report by recommending that a law apply to privacy and public bodies. They also go a step further by recommending specific exemptions in application for well defined categories of public or private entities.

Exceptions

The experts’ report defined the following exceptions to the right to privacy: artistic and journalistic purposes, household purposes, historic and scientific research, and the Right to Information. Exceptions that must be weighed against the principles of proportionality, legality, and necessary in a democratic state included: national security, public order, disclosure in public interest, prevention, detection, investigation, and prosecution of criminal offences, and protection of the individual or of the rights and freedoms of others.

Provisional views in the 2017 white paper broadly mirror the exemptions defined in the experts’ report, but do not weigh exceptions related to national security and public interest etc. against the principles of proportionality, legality, and necessary in a democratic state and instead explored a review mechanism for these exceptions.

Consent

Provisional views in the white paper on consent note that aspects of consent should include that it is freely given, informed and specific and that standards for implied consent need to be evolved.

Though the 2012 experts’ report defined a principle for choice and consent, this principle did not define aspects of what would constitute valid consent, yet it did incorporate an opt-out mechanism.

Notice

Provisional views in the white paper hold that notice is important in enabling consent and explore a number of mechanisms that can be implemented to effect meaningful notice such as codes of practice for designing notice, multilayered notices, assessing notices in privacy impact assessments, assigning ‘data trust scores’ based on their data use policy, and having a ‘consent dashboard’ to help individuals manage their consent across entities.

These views build upon and complement the principle of notice defined in the 2012 report which defined components of a privacy policy as well as other forms of notice including data breach (also addressed in the white paper) and legal access to personal information.

Purpose limitation/minimisation

Provisional views in the white paper recognise the challenges that evolving technology is posing to the principle of purpose limitation and recommend that layered privacy policies and the standard of reasonableness can be used to contextualise this principle to actual purposes and uses.

Though the 2012 report defined a purpose limitation principle, the principle does not incorporate a standard of reasonableness or explore methods of implementation.

Data Retention and Quality

Provisional views in the white paper suggest that the principles of data retention and data quality can be guided by the terms “reasonably and necessary” to ensure that they are not overly burdensome on industry.

The 2012 report of experts briefly touched on data retention in the principle of purpose limitation –holding that practices should be in compliance with the national privacy principles.

Right to Access

Provisional views in the white paper recognise the importance of the right confirmation, access, and rectify personal information of the individual, but note that this is increasingly becoming harder to enforce with respect to data that is observed behavioral data and derived from habits. A suggested solution is to impose a fee on individuals for using these rights to deter frivolous requests.

Though the 2012 report defined a principle of access and correction it did not propose a fee for using this right and it included the caveat that if the access would affect the privacy rights of others, access may not be given by the data controller.

Enforcement Mechanisms

Provisional views in the 2017 white paper broadly agree with the appropriateness of the model of co-regulation and development of codes of practice as suggested in the 2012 report. Within the system envisioned in the 2012 report of experts, self-regulating organisations at the industry level will have the ability to develop industry specific norms and standards in compliance with the national privacy principles to be approved by the privacy commissioner.

Accountability

The provisional views of the white paper go beyond the principle of accountability defined in the 2012 report by suggesting that data controllers should not only be held accountable for implementation of defined data protection standards, but in defined circumstances, also for harm that is caused to an individual.

Additional Obligations and Data Controllers

Provisional views in the white paper suggest the following mechanisms as methods towards ensuring accountability of specific categories of data controllers: registration, data protection impact assessment, data audits, and data protection officers that are centres of accountability.

The 2012 experts’ report also envisioned impact assessments and investigations carried out by the privacy commissioner and the role of a data controller, but did not explore registration of these entities.

Authorities and Adjudication

The both documents are in agreement on the need for a privacy commissioner/data protection authority and envision similar functions such as conducting privacy impact assessments, audits, investigation, and levying of fines. The white paper differs from the 2012 experts’ report in its view that the appellate tribunals under the IT Act and bodies like the National Commission Disputes Redressal Commission could potentially be appropriate venues for adjudicating and resolving disputes.

Though the 2012 experts’ report recommended that complaints can be issued through an alternative dispute resolution mechanism, to central and regional level commissioners, or to the courts – for remedies– enforcement of penalties should involve district and high-level courts and the supreme court. The 2012 report specified that a distinct tribunal should not be created nor should existing tribunals be relied upon as there is the possibility that the institution will not have the capacity to rule on a broad right of privacy. Individuals that can be held liable by individuals include data controllers, organisation directors, agency directors, and heads of governmental departments.

Penalty and Remedy

The white paper goes much further in its thinking on penalties, remedies and compensation than the 2012 report of experts – discussing potential models for calculation of civil penalties including nature and extent of violation of the data protection obligation, nature of personal information involved, number of individuals affected, whether infringement was intentional or negligent, measures taken by the data controller to mitigate the damage, and previous track record of the data controller.

The white paper is a progressive and positive step towards formulating a data protection law for India that is effective and relevant nationally and internationally. It will be interesting to see the public response to it and the response of the committee to the inputs received from the consultation as well as how the final recommendations differ, build upon, and incorporate previous policy steps towards a comprehensive privacy framework for India.

For more details visit https://cis-india.org/internet-governance/blog/governance-now-elonnai-hickok-another-step-towards-privacy-law-data-protection