We are anonymous, we are legion

Aadhaar seeding: benefits and concerns

Admin — 2017-11-23T02:02:45Z

Products and services such as bank accounts, life insurance policies and phone connections have to be linked with Aadhaar. But is this of any real help?

The article by Shaikh Zoaib Saleem was published by Livemint on November 14, 2017.

The government has made it mandatory for consumers to link many important services with Aadhaar. You too may be getting frequent reminders to link your banks account, mutual fund and mobile number with Aadhaar. Recently, the Reserve Bank of India also clarified that it is mandatory to link bank accounts with Aadhaar.

The latest addition to this list are insurance policies. In a circular, the Insurance Regulatory and Development Authority of India (Irdai) has stated that linking of Aadhaar number to insurance policies is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017.

The issue is being discussed intensively, with the Supreme Court taking a decision in favour of linking Aadhaar biometrics and the number with a host of services. Several petitions have been filed challenging not just the linking of these services with Aadhaar but also the validity of Aadhaar itself. We spoke to people who support and those who oppose this linking, to understand how either case impacts consumers.

The benefits

According to the Unique Identification Authority of India (UIDAI), government schemes are asking for Aadhaar as it helps to clean out duplications and fakes, and provides accurate data to enable implementation of direct benefit programmes. “Use of Aadhaar reduces the cost of identifying persons and provides increased transparency to the government in implementation of its schemes,” the Authority states under frequently asked questions on its website (read more at: https://uidai.gov.in/your-aadhaar/help/faqs.html) So, when you link your bank account with your Aadhaar, government benefits such as subsidy on LPG cylinders is credited directly to that account. The FAQs, however, do not elaborate how such linking helps an individual who does not get, or does not wish to get, such subsidies. In a tweet, UIDAI had said that verifying a bank account using Aadhaar adds an additional layer of security.

Nakul Saxena, a former banker who now works on policy advocacy at the software think tank iSpirt Foundation, said that linking of Aadhaar with these services will help eradicate fake accounts, fake insurance policies and unauthorised mobile connections. “It is possible that there are many accounts in the system that have been opened using such documents and copied signatures and even the banks may not be aware of it. Some people may not even be aware that an account exists in their name. These accounts need to be verified using Aadhaar now,” he said.

The government claims to have removed millions of fake beneficiaries for government benefits by Aadhaar linking. As reported by Mint in May 2017, over 23 million fake ration cards have been scrapped, potentially saving the government Rs14,000 crore in food subsidy every year. Another Mint report in August says, three states discovered that about 2,72,000 fake students were availing the mid-day meal (MDM) scheme.

However, those who are against linking Aadhaar disagree with these arguments. “Initially, Aadhaar was about delivery of services. But linking everybody’s phone number and bank account is not about that anymore. The real question is, what purpose this linking serves. If the intention is to update the databases, then there can be other means to update those,” said Rahul Narayan, a Supreme Court advocate who is among the lawyers representing petitioners who have challenged Aadhaar linking in court.

The concerns

The fundamental objection to this linking of services is that all information on an individual will be available at a single place, which could make surveillance easier and also increase the risks if this information is hacked. “As of now, your bank knows something about you, your insurance company knows something and your mobile phone company knows something about you. Each of these are different silos of information. When these converge, which is then accessible to a single person, that person knows almost everything about you,” said Narayan.

Moreover, a user’s Aadhaar number and fingerprint are permanent identifiers, and at least the Aadhaar number has been compromised for over 130 million citizens, as per a study by Centre for Internet & Society, said Nikhil Pahwa, co-founder of the SaveTheInternet.in (https://internetfreedom.in) campaign for net neutrality in India. “This leaves the users vulnerable to social hacks, some of which we have already been reading about in the news. To forcefully and mandatorily link Aadhaar to bank accounts means that their finances are at risk,” he said.

Saxena said the data leaks that have been highlighted have been typically about demographic details such as name, date of birth and address “which have been commonly available so far.” However, given the heightened sensitivities in this digital age, customers must ask their service providers to not publish such details, nor provide this information freely, he added.

Grievance redressal and data privacy

Another major concern is the absence of a clear redressal mechanisms for consumers in case of a data leak, misuse or hack. “When things go wrong, consumers need to have access to a proper complaints mechanism. In the case of Aadhaar, such access is to be provided through the establishment of ‘contact centres’ under the Regulation 32 of the UIDAI Enrolment and Update Regulations. To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI,” said Renuka Sane, associate professor at the National Institute of Public Finance and Policy, who has worked on data privacy and security issues.

Apart from this, Section 47 of the Aadhaar Act stipulates that only UIDAI or its authorised officers can file a criminal complaint for violations of the Act, she added.

“The UIDAI has been given complete discretion in determining if and when to file a criminal complaint for violations of the Act, and an individual aggrieved by actions of a third person is left to rely upon the bonafide actions of the UIDAI,” Sane added. The government is also working towards a data privacy legislation, that is needed to give citizens protection against misuse of their data, and them having some control over who gets their data, how it is used, and where it can be shared. “However, a data privacy legislation and mechanism will not ensure that data remains secure and protected, and that processes are followed. The Act disallowing people from sharing Aadhaar numbers did not prevent government departments from publishing details online,” said Pahwa. He also said that systems can get hacked, which could include the Aadhaar database, the parallel Aadhaar databases with state governments, or eKYC databases held with banks and telecom operators.

Saxena said the UIDAI has clarified that biometric information is not stored with user agencies, and stored biometrics can't be used for Aadhaar authentication or eKYC. “Hence, customers can be assured when using Aadhaar and biometrics with authorized entities,” he said. “The data privacy law will address data privacy and protection in all digital systems, not just Aadhaar. It will equally apply to social media and mobile apps. It should also go into the aspect of ‘right to be forgotten’,” said Saxena.

Pahwa, however, insists that the least that should be done is to give citizens the right to not link their Aadhaar and use other IDs for authentication, plus the ability to change their ID number if the system gets compromised.

What you should do

For now, the deadlines for linking bank accounts with Aadhaar is 31 December 2017, and for mobile phones it is 7 February 2018. In its latest hearing on the matter, the Supreme Court has directed service providers to mention these deadlines in their reminders. “Right now, regardless of what they say, nobody is going to shut down your bank account or disconnect your mobile connection, at least till the deadline. There are several petitions being heard in the Supreme Court. The matter is supposed to be taken up by the Supreme Court in the last week of November. The final word from the court is yet to come and it is quite possible that at least the deadlines gets extended,” said Narayan.

If you have already linked these services with Aadhaar, you are in no trouble. But if you are having second thoughts, the linking cannot be undone. If you are concerned about safety or other aspects, you can wait to get more clarity from the Supreme Court.

For more details visit https://cis-india.org/internet-governance/news/shaikh-zoaib-saleem-livemint-november-14-2017-aadhaar-seeding-benefits-and-concerns

UIDAI admits 210 government websites made Aadhaar details public

Admin — 2017-11-21T16:03:29Z

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.

The article was published in the Financial Express on November 20, 2017.

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which was removed when the breach was identified.

However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.

UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and addresses anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the Narendra Modi government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhar.

Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that Aadhaar numbers of as many as 135 millions could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.

UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” press release by PIB said.

It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.

For more details visit https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public

National Privacy Workshop

Admin — 2017-12-05T14:24:16Z

Centre for Internet & Society is organizing a round-table to discuss the potential impact of numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The round-table will be held on December 9, 2017 at India International Centre in New Delhi, 10.30 a.m. to 5.00 p.m.

Background

The recent past in India has seen numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The emphatic and unanimous avowal of the right to privacy by the Supreme Court, the government’s stated commitment to a data protection law and the formation of the Sri Krishna Committee are developments which will continue to inform policymaking around privacy in India for a long time to come. The Supreme Court’s conception of a robust right to privacy encompassing different element - spatial, decisional and informational, and its guidance on strict limiting tests may have a wide impact on a range of issues. The impact of this judgment and a data protection law on informational privacy in India will be immense and it is important to delve in challenges and issues that it may throw up. In last year, we have also seen instances of purported conflict between the transparency instruments such as the right to information and the right to informational privacy. How these conflicts are resolved in law and practice will be key to these two essential human rights in the modern information society. Further, while these general consensus on privacy principles, the appropriate ways to govern and enforce privacy remains an open issue, and the success of any data protection framework will depend as much on what kind of privacy governance models are adopted.This roundtable will look to discuss the potential impact of these policy decisions, what theories should guide the data protection law in India, what models of privacy governance are workable and how privacy can co-exist with transparency principle and robust RTI regime.

Agenda

10.30 - 11.00	Tea
11.00 - 11.30	Welcome and setting the scene
11.30 - 12.30	Session 1: Policy Developments around Informational Privacy in India What do different policy developments indicate about privacy in India? What are the (potential) impacts of these developments? What questions are being asked and are these the right questions to ask? How do we expect the ‘state of privacy’ to change in India in response to these policy developments?
12.30 - 13.30	Session 2: Approaches to Privacy and Data Protection for India What are different approaches to privacy and government the Indian government can take? What cultural/political etc. aspects should be taken into consideration when thinking through this question? What are the pros and cons to different approaches? What are the pros and cons to the below approaches: - Privacy as control - Data as property - Utilitarian approaches - Technological Solutions
13.30 - 14.30	Lunch
14.30 - 15.30	Session 3: Transparency and Privacy How can transparency from the private sector enable the right to privacy? What are key principles that can guide this relationship? Where is transparency from the private sector most needed with respect to privacy? What are incentives that governments can adopt to encourage privacy?
15.30 - 16.30	Governance Models for Data Protection What kind of institutional framework is required for governance of privacy in India? How do we address questions of liability, penalties and enforcement? What role do sectoral players have in a data governance framework? What is best way for other stakeholders like industry, civil society and academia in collaborative governance of privacy?
16.30 - 17.00	Tea and snacks

Speakers

Usha Ramanathan
Rahul Sharma
Apar Gupta
Malavika Raghavan
Shankar Narayanan
Ujwala Uppaluri
Rebecca MacKinnon
Nikhil Pahwa
Kamlesh Bajaj
Manasa Venkatraman
Smitha K Prasad

Download the Agenda

For more details visit https://cis-india.org/internet-governance/events/national-privacy-workshop-at-india-international-centre

Breach Notifications: A Step towards Cyber Security for Consumers and Citizens

Amelia Andersdotter — 2017-11-14T15:38:15Z

Through the Digital India project the Indian government is seeking to establish India as a digital nation at the forefront. Increasingly, this means having good cyber-security policies in place and enabling a prosperous business environment for companies that implement sound cyber-security policies. This paper will look at one such policy, which enables investments in cyber-security for IT products and services through giving consumers a way to hold business owners and public authorities to account when their security fails.

Electronic data processing has awarded societies with lots of opportunities for improvements that would not have been possible without them. Low market entrance barriers for new innovators have caused a flood of applications and automations that have the potential to improve citizens’ and consumers’ lives, as well as government operations. But while the increasing prevalence of electronic hardware and programmable software in many different parts of society and industry, combined with the intricate value chains of international communications networks, devices and equipment markets and software markets, have created a large number of opportunities for economic, social and public activity, they have also brought with them a number of specific problems pertaining to consumer rights.

Read full report here

For more details visit https://cis-india.org/internet-governance/blog/breach-notifications-a-step-towards-cyber-security-for-consumers-and-citizens

Cross Border Sharing of Data: Challenges and Solutions

Admin — 2017-11-20T15:20:18Z

Centre for Internet & Society (CIS) has been following the debates around MLAT process taking place globally and researching potential areas of tension in the tools that India uses to access data across borders. As part of this research, CIS is hosting a workshop on cross border sharing of data on December 8, 2017 at India Islamic Centre from 10.30 a.m. to 5.00 p.m.

For more details visit https://cis-india.org/internet-governance/events/cross-border-sharing-of-data-challenges-and-solutions

Open House on Security Practices in FinTech

Admin — 2017-11-12T10:18:09Z

CIS in collaboration with Has Geek is organizing an Open House on security practices in FinTech.

The prevalence of fintech companies operating in India is growing with new actors entering the sector and traditional actors such as banks beginning to offer digital financial services. The push to digital payments has been particularly strong after the demonetization policy, the development and implementation of Aadhaar and India Stack. Services offered by Fintech firms can range from offering a loan or credit to a digital wallet and digital banking and payment services.

Presently, there is a regulatory gap for many of the fintech services and business models. The Reserve Bank of India has published consultation papers on Peer-to-Peer lending platforms as well as Account Aggregators, but comprehensive regulations, especially those surrounding minimum security practices, have yet to emerge – presenting a critical policy and research window. Furthermore, under Section 43A of the IT Act and its associated Rules, ‘body corporates’ are required to implement reasonably security procedures compliant with ISO27001 or a sectoral standard approved by the Central Government. However, currently such a sectoral standard is absent for the FinTech and Digital Payments space.

The growing prevalence of these fintech technologies and the criticality of security of the same to engender citizen trust, protect rights, and comprehensive national security posture demands debate and discussion.

On November 17th, the HasGeek in collaboration with the Centre for Internet and Society will be holding an Open House from 6pm - 8pm to discuss security practices in the fintech industry.

Pressing questions for discussion include: How secure are these services? What security standards are they adhering to? Who is holding them accountable for adherence to security standards? What can individuals do if there financial data is compromised?

Please join us for a robust discussion on these issues @HasGeek House, 2699, 19th Main Rd, HAL 2nd Stage, Indiranagar, 19th Main Rd, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560008 from 6PM - 8 PM on November 17th.

For more details visit https://cis-india.org/internet-governance/events/open-house-on-security-practices-in-fintech

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

#NAMAprivacy: Data standards for IoT and home automation systems

Admin — 2017-11-08T02:15:52Z

On 5th October, MediaNama held a #NAMAprivacy conference in Bangalore focused on Privacy in the context of Artificial Intelligence, Internet of Things (IoT) and the issue of consent, supported by Google, Amazon, Mozilla, ISOC, E2E Networks and Info Edge, with community partners HasGeek and Takshashila Institution. Part 1 of the notes from the discussion on IoT:

Link to the original published by Medianama on October 18 here

The second session of the #NAMAprivacy in Bangalore dealt with the data privacy in the Internet of Things (IoT) framework. All three panelists for the session – Kiran Jonnalagadda from HasGeek, Vinayak Hegde, a big data consultant working with ZoomCar and Rohini Lakshane a policy researcher from CIS – said that they were scared about the spread of IoT at the moment. This led to a discussion on the standards which will apply to IoT, still nascent at this stage, and how it could include privacy as well.

Hedge, a volunteer with the Internet Engineering Task Force (IETF) which was instrumental in developing internet protocols and standards such as DNS, TCP/IP and HTTP, said that IETF took a political stand recently when it came to privacy. “One of the discussions in the IETF was whether security is really important? For a long time, the pendulum swung the other way and said that it’s important and that it’s not big enough a trade-off until the bomb dropped with the Snowden revelations. The IETF has always avoided taking any political stance. But for the first time, they did take a political position and they published a request for comments which said: “Pervasive monitoring is an attack on the Internet” and that has become a guiding standard for developing the standards,” he explained.

He added that this led the development of new standards which took privacy into consideration by default.

“The repercussions has been pervasive across all the layers of the stack whether it is DNS and the development of DNS Sec. The next version of HTTP, does not actually mandate encryption but if you look at all the implementation on the browser side, all of them without exception have incorporated encryption,” he added.

Rohini added that discussion around the upcoming 5G standard, where large-scale IoT will be deployed, also included increased emphasis on privacy. “It is essentially a lot of devices connected to the Internet and talking to each other and the user. The standards for security and privacy for 5G are being built and some of them are in the process of discussion. Different standard-setting bodies have been working on them and there is a race of sorts for setting them up by stakeholders, technology companies, etc to get their tech into the standard,” she said.

“The good thing about those is that they will have time to get security and privacy. Here, I would like to mention RERUM which is formed from a mix of letters which stands for Reliable, Resilient, and Secure IoT for smart cities being piloted in the EU. It essentially believes that security should include reliability and privacy by design. This pilot project was thought to allow IoT applications to consider security and privacy mechanisms early in the design, so that they could balance reliability. Because once a standard is out or a mechanism is out, and you implement something as large as a smart city, it is very difficult to retrofit these considerations,” she explained.

Privacy issues in home automation and IoT

Rohini pointed out a report which illustrates the staggering amount of data collection which will be generated by home automation. “I was looking for figures, and I found an FTC report published in 2015 where one IoT company revealed in a workshop that it provides home automation to less than 10,000 households but all of them put together account for 150 million data points per day. So that’s one data point for every six seconds per household. So this is IoT for home automation and there is IoT for health and fitness, medical devices, IoT for personal safety, public transport, environment, connected cars, etc.”

In this sort of situation, the data collected could be used for harms that users did not account for.

“I received some data a couple of years back and the data was from a water flowmeter. It was fitted to a villa in Hoskote and the idea was simple where you could measure the water consumption in the villa and track the consumption. So when I received the data, I figured out by just looking at the water consumption, you can see how many people are in the house, when they get up at night, when they go out, when they are out of station. All of this data can be misused. Data is collected specifically for water consumption and find if there are any leakages in the house. But it could be used for other purposes,” Arvind P from Devopedia said.

Pranesh Prakash, policy director at Centre for Internet and Society (CIS), also provided an example of a Twitter handle called “should I be robbed now” where it correlates a user’s vacation pictures says that they could be robbed. “What we need to remember is that a lot of correlation analysis is not just about the analysis but it is also about the use and misuse of it. A lot of that use and misuse is non-transparent. Not a single company tells you how they use your data, but do take rights on taking your data,” he added.

Vinayak Hedge also added that the governments are using similar methods of data tracking to catch bitcoin miners in China and Venezuela from smart meters.

“In China, there are all these bitcoin miners. I was reading this story in Venezuela, where bitcoin mining is outlawed. The way they’re catching these bitcoin miners is by looking at their electricity consumption. Bitcoin mining uses a huge amount of power and computing capacity. And people have come out with ingenious ways of getting around it. They will draw power from their neighbours or maybe from an industrial setting. This could be a good example for a privacy-infringing activity.”

Pseudonymization

Srinivas P, head of security at Infosys, pointed out that a possible solution to provide privacy in home automation systems could be the concept of pseudonymity. Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.

“There are a number of home automation systems which are similar to NEST, which is extensively used in Silicon Valley homes, that connect to various systems. For example, when you are approaching home, it will know when to switch on your heating system or AC based on the weather. And it also has information on who stays in the house and what room and what time they sleep. And in a the car, it gives a full real-time profile about the situation at home. It can be a threat if it is hacked. This is a very common threat that is being talked about and how to introduce pseudo-anonymity. When we use these identifiers, and when the connectivity happens, how do we do so that the name and user are not there? Pseudonymity can be introduced so that it becomes difficult for the hacker to decipher who this guy is,” Srinivas added.

Ambient data collection

With IoT, it has never been able to capture ambient data. Ambient data is information that lies in areas not generally accessible to the user. An example for this is how users get traffic data from Internet companies. Kiran Jonnalagadda explained how this works:

“When you look at traffic data on a street map, where is that data coming from? It’s not coming from the fact that there is an app on the phone constantly transmitting data from the phone. It’s coming from the fact that cell phone towers record who is coming to them and you know if the cell phone tower is facing the road, and it has so many connections on it, you know that traffic is at a certain level in that area. Now as a user of the map, you are talking to a company which produces this map and it is not a telecom company. Someone who is using a phone is only dealing with a telecom company and how does this data transfer happen and how much user data is being passed on to the last mile user who is actually holding the phone.”

Jonnalagadda stressed on the need for people to ask who is aggregating this ambient data.

“Now obviously, when you look at the map, you don’t get to see, who is around you. And that would be a clear privacy violation and you only get to see the fact that traffic is at a certain level of density around the street around you. But at what point is the aggregation of data happening from an individually identifiable phone to just a red line or a green line indicating the traffic in an area. We also need to ask who is doing this aggregation. Is it happening on the telecom level? Is it happening on the map person level and what kind of algorithms are required that a particular phone on a cell phone network represents a moving vehicle or a pedestrian? Can a cell phone company do that or does a map company do that? If you start digging and see at what point is your data being anonymized and who is responsible for anonmyzing it and you think that this is the entity that is supposed to be doing it, we start realizing that it is a lot more complicated and a lot more pervasive than we thought it would be,” he said.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-data-standards-for-iot

#NAMAprivacy: The economics and business models of IoT and other issues

Admin — 2017-11-08T02:09:51Z

Link to the original published by Medianama on October 18, 2017 here

Part 1 of the notes from the discussion on IoT are here. Part 2:

The session on IoT shifted gears and the participants spoke more about the economics and business IoT. Participants expressed concern that data could be linked to very private aspects of their lives and build business models around them. For example, data from fitness trackers can be linked to a user’s insurance premiums. Or sensors on a car that monitors a user’s driving behavior and link motor insurance.

“I work for Zoomcar, and these are devices which our lives depend and are collecting and reporting data. And that data can be used against you. So it is very hard to know what is fair and what is unfair. Someone mentioned insurance, I feel it is useful to collect a lot of data and decide on insurance based on your driving behaviour and we have had markers for that. But is it fair to the user? The same kind of questions crops up elsewhere like in the US when it comes to healthcare,” Vinayak Hegde said.

An audience member pointed out to that in such a scenario, privacy can help businesses rather than inhibit them and cited a research study in UC Berkely. “If I use a health tracking device, some of those devices can be valuable for health insurance companies and using that data, they might increase the premiums. But I don’t know actually who might sell my data to someone,” he explained.

“Because I don’t know which tracking devices sell my data, I would like not to own the devices itself. So that itself harms the entire health tracker industry itself. He (the researcher) defines privacy as contextual integrity. So a health tracking device is supposed to help me track my health and not supposed to be used by insurance people to determine my premium. If the regulation mandates the contextual integrity of that, it helps that particular industry to avoid those feedback loops,” he explained.

Are fitness trackers in the hardware or services business?

Kiran Jonnalagadda of HasGeek added to the point on fitness trackers. He said that all of IoT is not in the business of hardware and that they are in the services business. “I had an unusual experience for the past one week, I was out in an area with no Internet connection. But I have two fitness trackers. I bought them mostly because I’m curious about how these companies operate and what they’re doing. And the differences between them are the way they think about things. Now both of these are capable of counting steps without an Internet connection…. But they cannot do anything to show the step count on my phone which it connects to until the data is sent to the Internet and brought back. So my phone would keep telling me that I am not moving and tell me the move but the watch is saying that I am doing 20,000 steps a day and that I am trekking a lot,” he explained.

“For whatever reason, these companies have decided to operate in this manner where validation of data happens on the cloud and not on the device. You only get the most rudimentary data from your device and your phone is just a conduit and not a processing centre at all,” Jonnalagadda said.

He explained both the devices were in the device sales business and has not asked money from them for enabling this sort of Internet-based processing of data. “It calls into question, what is the model here. One could bring the conspiracy theory that they’re selling my data and therefore they don’t worry about collecting data from me. The second is to say: be a little bit more charitable and they recognize that if they piss me off, I won’t buy their device again. And then just assume that a device has a lifetime of just 2-3 years and if you keep a person happy for 2-3 years, they will buy the device from you again. What’s interesting is ultimately not about devices and that it is about services. And this is what I want to say about IoT that it is not about hardware at all it is entirely about services. Without services, the entire business model of IoT breaks down. You do not get software updates, you get vulnerabilities, you get broken design, things have stopped working and no one supports you.”

The economics of processing data locally on a device

Thejesh GN, co-founder of DataMeet, questioned the need for data to be processed on the Internet and asked whether the data will be better protected and have better privacy if it were processed locally. “Considering the fact that we have such powerful phones which are affordable, and can do a lot of things without the Internet. I mean the biggest concept we had in IoT was that we didn’t have CPU or memory and processing power. Given that and the availability of EDGE devices, how long will we have economic cases where privacy can be sold as part of IoT. The processing happens 99% of the times locally without Internet and requires the Internet only when there is messaging. This could be true for your fitness trackers that can be connected to your phone. Your phone has all the capabilities to do all the analysis and doesn’t need to go to the server,” he said.

Pranesh Prakash of the CIS countered him and said that the economics for processing data works out cheaper for the companies.

“One on local processing, this I think is a perennial problem and it really is a question of economics versus principles. Free software is losing out the battle against using other people’s computers for computing—cloud computing—because of economics. So, you no longer own the software that you purchase and even the hardware, very often, with IOT might not actually be yours. It might come with a license, it might come with data that is tied to the company that is actually providing you the device. So the economics of this are for me clear: it’s much cheaper to do it on other computers than to do it locally,” Prakash explained.

He made a case for asserting for individual user’s rights to privacy in this kind of scenario. “It is a question of principles. Should we allow for that or should we assert for consumer protection laws and assert other manners of laws to say that ‘no, people who are purchasing devices’ ought to have greater control of the devices and the data that they produce,” he added.

Group privacy

The audience also suggested that privacy laws should not just look at protecting the rights of individuals but should look at protecting the rights of groups as well. They raised concerns that even in a group and if the data has been anonymized, it still can be weaponized and cause harms.

“For example, if there are 10-15 of us in this room and given our detailed medical histories, I can find a correlation between some of that. And then I can use that data in some other form when I run a test to see if I am vulnerable to something or use it as a way to discriminate further down the line. As a group, privacy matters a lot because when we talk about devices, we are talking about individuals. Maybe you can target via ethnicity or by age or by class and that can also be weaponized,” an audience member suggested.

Vinayak Hegde gave an example of how weather data captured by IoT can cause harms to a society at large. “If I’m using the weather sensor data and because of global warming, some places like Florida and south of India are going to be extremely hot, I can use surge pricing for a person’s electricity. Again I am not getting targeted as an individual, but as a group, I am being targeted. And sensors are closing that loop really fast.” he explained.

Srinivas P, head of security at Infosys, gave another example where gyroscopes in a phone could target a family. “Some companies in the US use gyroscope in a phone to surreptitiously monitor TV viewing habits. The mobile phone gets activated and over a period of time, they can tweak the advertisements. It is an interesting example, because in TV, when you watch at home, you cannot pinpoint TV a user, because it is shared by a family. This is because the guy who is watching the maximum amount of TV, their data gets circulated and the ads will be tailored to them. The person who does not watch that much amount of TV gets baffled to see advertisements that are not relevant to them. So when you want to process data, you want to assume that, this TV belongs to a user. The TV belongs to a group. And what if the viewing habits are so different, that once your privacy is violated, you don’t want your other family member to know what you are watching,” he added.

Perception of permissions for sensors

Rohini Lakshane of CIS raised an important point during the discussion. The users have different perceptions about the sensors that are embedded in smartphones. She pointed out that users are generally unaware that accelerometers are sensors and capture data and most apps do not ask permissions for the same. An accelerometer is a device used to measure acceleration forces. It is usually used in devices to measure movement and vibrations in devices such as fitness trackers.

“A researcher surveyed a control group and asked them if their GPS data was taken and their camera was made accessible, whether they would be comfortable with it? They were hugely uncomfortable. The question came to the accelerometer on the phone and the respondents said that ‘we are not all that afraid’. The accelerometer only counts the acceleration. So in that app which counts how many steps we have taken in a day, it uses the accelerometer and there is no permission required for it. The accelerometer is still on the phone and is still generating the data and you don’t see it because you don’t have an interface directly with it,” she commented.

#NAMAprivacy Bangalore:

Will artificial Intelligence and Machine Learning kill privacy? [read]
Regulating Artificial Intelligence algorithms [read]
Data standards for IoT and home automation systems [read]
The economics and business models of IoT and other issues [read]

#NAMAprivacy Delhi:

Blockchains and the role of differential privacy [read]
Setting up purpose limitation for data collected by companies [read]
The role of app ecosystems and nature of permissions in data collection [read]
Rights-based approach vs rules-based approach to data collection [read]
Data colonisation and regulating cross border data flows [read]
Challenges with consent; the Right to Privacy judgment [read]
Consent and the need for a data protection regulator [read]
Making consent work in India [read]

For more details visit https://cis-india.org/internet-governance/news/medianama-october-18-2017-namaprivacy-economics-and-business-models-of-iot

Big Data for governance

Admin — 2017-11-08T01:42:18Z

Recent times have witnessed an explosion of data as users started leaving a huge data footprint everywhere they go. Interestingly, this period has seen a phenomenal increase in computing power couple by a drop in costs of storage.

The article by Alekhya Hanumanthu was published in Telangana Today on November 4, 2017.

India is now sitting on the data so generated and subjecting it to data analytics for uses in various sectors like insurance, education, healthcare, governance, so on and so forth.

According to Centre for Internet and Society (CIS), in 2015, the Government of Narendra Modi launched Digital India Programme to ensure availability of government services to citizens electronically by improving online infrastructure and Internet connectivity.

Amongst other things, e-Governance and e-Kranti intend to reform governance through technology and enable electronic delivery of services. Needless to say, it will involve large scale digitisation, electronic collection of data from residents and processing. The Big data so created will help policy making evolve into a data backed, action oriented initiative with accountability asserted where it is due.

Let’s take a look at some Big Data based initiatives underway according to analyticsindiamag:

Project insight: Undertaken up by Indian tax agencies, Project Insight is an advanced analytical tool that is a comprehensive platform that encourages compliance of tax while at the same time it prevents non-compliance. Significantly, it will be used to detect fraud, support investigations and provide insights for policy making. For instance, it will detect the social media activity of a person to glean their spending and check if it is commensurate with the tax they have paid during that year. Needless to say, this will also unearth sources of black money.

Economic Development Board in Andhra: CORE-CM Office Realtime Executive Dashboard is an integrated dashboard established to monitor category-wise key performance indicators of various departments/schemes in real time. Users can check key performance indicators of various departments, schemes, initiatives, programmes, etc. With a panoply of services information ranging from Women and Child Welfare to Street lights monitoring, it has become an exemplary role model of governance.

Geo-tagging of assets under Mahatma Gandhi National Rural Employment Guarantee Act (MGNREGA): Under the guidance of Narendra Modi, online monitoring of assets to check leakages Ministry of Rural development was started. To achieve this, they were tied up with ISRO and National Informatics Centre to geo tag MGNREGA assets. According to India Today, the assets created range from plantations, rural infrastructure, water harvesting structures, flood control measures such as check dams etc. To do this, a junior engineer takes a photo of an asset and uploads it on the Bhuvan web portal run by ISRO’s National Remote Sensing Centre via a mobile app. Once a photo is uploaded, time and location gets encrypted automatically. Thus, the Government hopes to hold an ironclad control of the resources thus disseminated.

CAG’s centre for Data Management and Analytics: According to Comptroller and Auditor General of India, The CAG’s Centre for Data Management and Analytics (CDMA) is going to play a catalytic role to synthesise and integrate relevant data into auditing process. According to an announcement on National Informatics Centre (NIC), it aims to build up capacity in the Indian Audit and Accounts Department in Big Data Analytics to explore the data rich environment at the Union and State levels. What’s more, this initiative of CAG of India, puts it amongst the pioneers in institutionalising data analytics in government audit in the international community.

Task Force to spruce up Employment Data: The data provided by Labour Bureau is limited and not timely enough for policymakers to assess the need for job creation. To address this gap, the Government has set up a committee tasked to fill the employment data gap and ensure the timely availability of reliable information regarding job creation. Thus the top line of Government has a direct view of where the employment gaps are so that it can facilitate creation of appropriate jobs.

What’s the big picture?

Policy making and governance by Indian government have traditionally been rife with red tape, bureaucracy and corruption. Lack of accountability on part of Government workforce not only impacted the quantity and quality of work delivered but also invited corrupt practices and leakages. So, Big data is a welcome change in direction.

For more details visit https://cis-india.org/internet-governance/news/telangana-today-november-8-2017-alekhya-hanumanthu-big-data-for-governance

October 2017 Newsletter

praskrishna — 2018-01-10T00:53:03Z

October 2017 Newsletter

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
CIS submitted its comments on mobile accessibility guidelines to the Ministry of Electronics & IT, Govt. of India. Between 1 to 16 September, an online discussion took place on the creation of social media guidelines and strategy for Telugu Wikimedia handles online. Manasa Rao captured the developments in a blog post. Padma Venkataraman in a blog entry chronologically mapped CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done. Shyam Ponappa's article on NPAs and structural issues was published in the Business Standard on October 5, 2017.

Highlights

CIS submitted its comments on mobile accessibility guidelines to the Ministry of Electronics & IT, Govt. of India.
Between 1 to 16 September, an online discussion took place on the creation of social media guidelines and strategy for Telugu Wikimedia handles online. Manasa Rao captured the developments in a blog post.
Padma Venkataraman in a blog entry chronologically mapped CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done.
Shyam Ponappa's article on NPAs and structural issues was published in the Business Standard on October 5, 2017.

CIS in the News:

Attempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome (DailyO, October 4, 2017).
Sex, drugs and the dark web (Hindu; October 7, 2017).
Ahead of data protection law roll out, experts caution that it shouldn't limit collection and use of data (First Post; October 12, 2017).
#NAMAprivacy: The economics and business models of IoT and other issues (Medianama; October 18, 2017).
#NAMAprivacy: Data standards for IoT and home automation systems (Medianama; October 18, 2017).
Majority of top politicians' Twitter followers fake: audit (Furquan Moharkan; Deccan Herald; October 24, 2017).
Awards for those working on employment opportunities for disabled (Eastern Mirror; October 24, 2017).
Nibbling away into your bank account, salami attackers cart away a fortune (New Indian Express; October 25, 2017).
Nirmita Narasimhan wins the 18th NCPEDP-Mindtree Helen Keller Award 2017! (National Centre for Promotion of Employment for Disabled People; October 31, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Odia Wikisource Turns 3 (Manasa Rao; October 22, 2017).
Wikimedia Workshop at Ismailsaheb Mulla Law College, Satara (Subodh Kulkarni; October 24, 2017).
Marathi Wikipedia Edit-a-thon at Dalit Mahila Vikas Mandal, Satara (Subodh Kulkarni; October 24, 2017).
Marathi Wikipedia Workshop at MGM Trust's College of Journalism and Mass Communication, Aurangabad (Subodh Kulkarni; October 24, 2017).
Orientation Program at Kannada University, Hampi (A. Gopalakrishna; October 24, 2017).
Marathi Wikipedia Workshop at Solapur University (Subodh Kulkarni; October 24, 2017).
Discussion on Creation of Social Media Guidelines & Strategy for Telugu Wikimedia (Manasa Rao; October 24, 2017).

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Freedom of Expression

ICANN’s Problems with Accountability and the .WEB Controversy (Padma Venkataraman; October 24, 2017).
Why Presumption of Renewal is Unsuitable for the Current Registry Market Structure (Padma Venkataraman; October 29, 2017).
CIS’ Efforts Towards Greater Financial Disclosure by ICANN (Padma Venkataraman; October 29, 2017).

►Cyber Security

Participation in Event

CyFy 2017 (Organized by Observer Research Foundation; New Delhi; October 2 - 4, 2017). Sunil Abraham was a speaker.

►Privacy

Blog Entry

GDPR and India: A Comparative Analysis (Aditi Chaturvedi; October 17, 2017).

Participation in Event

Securing The Digital Payments Ecosystem (Organized by NITI Aayog; October 9, 2017).

►Big Data

Blog Entry

Revisiting Per Se vs Rule of Reason in Light of the Intel Conditional Rebate Case (Shruthi Anand; October 4, 2017).

Event Organized

Emerging Issues in the Internet of Things (CIS, Bengaluru; October 23, 2017). Andrew Rens gave a talk.

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

NPAs & Structural Issues (Shyam Ponappa; Business Standard; October 4, 2017).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Articles

Digital Native: There is no spoon, There is no privacy (Nishant Shah; October 9, 2017).
Digital Native: Finger on the buzzer (Nishant Shah; October 22, 2017).

-----------------------------------
About CIS
-----------------------------------

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/october-2017-newsletter

Why Presumption of Renewal is Unsuitable for the Current Registry Market Structure

Padma Venkataraman — 2017-10-31T02:53:26Z

With the recent and much protested renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal has again come to the forefront. While this seems relatively uncontroversial to most, Padma Venkataraman, a law student and intern at CIS looks at presumptive renewal through a critical lens.

With the recent renewal of the .net legacy Top-Level-Domain (TLD), the question of the appropriate method of renewal is worth reconsidering. When we talk about presumption of renewal for registry agreements, it means that the agreement has a reasonable renewal expectancy at the end of its contractual term. According to the current base registry agreement, it shall be renewed for 10-year periods, upon expiry of the initial (and successive) term, unless the operator commits a fundamental and material breach of the operator’s covenants or breach of its payment obligations to ICANN.

Download the entire blog post here

For more details visit https://cis-india.org/internet-governance/blog/why-presumption-of-renewal-is-unsuitable-for-the-current-registry-market-structure

CIS’ Efforts Towards Greater Financial Disclosure by ICANN

Padma Venkataraman — 2017-10-31T02:10:11Z

CIS has been working towards enhancing transparency and accountability at ICANN since 2014. While initial efforts have resulted in ICANN revealing its sources of income in a granular fashion in 2015, we are yet to see this level of transparency become a default approach within ICANN. Here, Padma Venkataraman chronologically maps CIS’ efforts at enhancing financial transparency and accountability at ICANN, while providing an outline of what remains to be done.

With the $135 million sale of .web,^[1] the much protested renewal of the .net agreement^[2] and the continued annual increase in domain name registrations,^[3] among other things, it is no surprise that there are still transparency and accountability concerns within the ICANN Community. CIS, as part of its efforts to examine the functioning of ICANN’s accountability mechanisms, has filed many DIDP requests till date, in a bid for greater transparency of the organisation’s sources of revenues.

1.Efforts towards disclosure of revenue break-up by ICANN

- 2014

- 2015

- 2017

2.The need for granularity regarding historical revenues

-----

1.Efforts towards disclosure of revenue break-up by ICANN

- 2014

In 2014, CIS’ Sunil Abraham demanded greater financial transparency of ICANN at both the Asia Pacific IGF and the ICANN Open Forum at the IGF. Later that year, CIS was provided with a list of ICANN’s sources of revenue for the financial year 2014, including payments from registries, registrars, sponsors, among others, by ICANN India Head Mr. Samiran Gupta.^[4] This was a big step for CIS and the Internet community, as before this, no details on granular income had ever been publicly divulged by ICANN on request.

However, as no details of historical revenue had been provided, CIS filed a DIDP request in December 2014, seeking financial disclosure of revenues for the years 1999 to 2014, in a detailed manner - similar to the 2014 report that had been provided.^[5] It sought a list of individuals and entities who had contributed to ICANN’s revenues over the mentioned time period.

In its response, ICANN stated that it possessed no documents in the format that CIS had requested, that is, it had no reports that broke down domain name income and revenue received by each legal entity and individual.^[6] It stated that as the data for years preceding 2012 were on a different system, compiling reports of the raw data for these years would be time-consuming and overly burdensome. ICANN denied the request citing this specific provision for non-disclosure of information under the DIDP.^[7]

- 2015

In July 2015, CIS filed a request for disclosure of raw data regarding granular income for the years 1999 to 2014.^[8] ICANN again said that it would be a huge burden ‘to access and review all the raw data for the years 1999 to 2014 in order to identify the raw data applicable to the request’.^[9] However, it mentioned its commitment to preparing detailed reports on a go-forward basis - all of which would be uploaded on its Financials page.^[10]

- 2017

To follow up on ICANN’s commitment to granularity, CIS sought a detailed report on historical data for income and revenue contributions from domain names for FY 2015 and FY 2016 in June 2017.^[11] In its reply, ICANN stated that the Revenue Detail by Source reports for the last two years would be out by end July and that the report for FY 2012 would be out by end September.^[12]

2.The need for granularity regarding historical revenues

In 2014, CIS asked for disclosure of a list of ICANN’s sources of revenue and detailed granular income for the years 1999 to 2014. ICANN published the first but cited difficulty in preparing reports of the second. In 2015, CIS again sought detailed reports of historical granular revenue for the same period, and ICANN again denied disclosure claiming that it was burdensome to handle the raw data for those years. However, as ICANN agreed to publish detailed reports for future years, CIS recently asked for publication of reports for the FYs 2012, 2015 and 2016. Reports for these three years were uploaded according to the timeline provided by ICANN.

CIS appreciates ICANN’s cooperation with its requests and is grateful for their efforts to make the reports for FYs 2012 to 2016 available (and on a continued basis). However, it is important that detailed information of historical revenue and income from domain names for the years 1999 to 2014 be made publicly available. It is also crucial that consistent accounting and disclosure practices are adopted and made known to the Community, in order to avoid omissions of statements such as Detail Revenue by Source and Lobbying Disclosures, among many others, in the annual reports - as has evidently happened for the years preceding 2012. This is necessary to maintain financial transparency and accountability, as an organisation’s sources of revenues can inform the dependant Community about why it functions the way it does.

It will also allow more informed discussions about problems that the Community has faced in the past and continues to struggle with. For example, while examining problems such as ineffective market competition or biased screening processes for TLD applicants, among others, this data can be useful in assessing the long-term interests, motives and influences of different parties involved.

^[1] https://www.icann.org/news/announcement-2-2016-07-28-en

^[2] Report of Public Comment Proceeding on the .net Renewal. https://www.icann.org/en/system/files/files/report-comments-net-renewal-13jun17-en.pdf

^[3] https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en

^[4] https://cis-india.org/internet-governance/blog/cis-receives-information-on-icanns-revenues-from-domain-names-fy-2014

^[5] DIDP Request no - 20141222-1, 22 December 2014. https://cis-india.org/internet-governance/blog/didp-request-2

^[6] https://www.icann.org/en/system/files/files/cis-response-21jan15-en.pdf

^[7] Defined Conditions for Non-Disclosure - Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual.

https://www.icann.org/resources/pages/didp-2012-02-25-en

^[8] DIDP Request no - 20150722-2, 22 July 2015. https://cis-india.org/internet-governance/blog/didp-request-12-revenues

^[9] https://www.icann.org/en/system/files/files/didp-response-20150722-2-21aug15-en.pdf

^[10] https://www.icann.org/en/system/files/files/didp-response-20150722-2-21aug15-en.pdf; https://www.icann.org/resources/pages/governance/financials-en

^[11] DIDP Request No. 20170613-1, 14 June 2017.

^[12] https://www.icann.org/en/system/files/files/didp-20170613-1-marda-obo-cis-response-13jul17-en.pdf

For more details visit https://cis-india.org/internet-governance/blog/cis2019-efforts-towards-greater-financial-disclosure-by-icann

Roundtable on Enhancing Indian Cyber Security through Multi-Stakeholder Cooperation

Admin — 2018-02-01T14:04:36Z

A closed door round-table on enhancing Indian cyber security is being organized on 4 November 2017 at Indian Islamic Centre, Lodhi Road in New Delhi.

With the proliferation of digital technologies and the central role they play in national infrastructure and governance, security of systems and services is fundamental to the economic, political, and social development and success of a nation. Digital India, the National Payments Corporation of India, IndiaStack, and the Aadhaar ecosystem are just a few examples of such digital infrastructure. Yet the digital realm is increasingly becoming more complex and difficult to secure and monitor for vulnerabilities, threats, breaches, and attacks. The responsibility of identifying and monitoring such vulnerabilities can be spearheaded by designated governmental bodies like CERT-IN and NCIIPC, but for effective identification of threats and vulnerabilities, collaboration is needed across stakeholder groups including security researchers, industry, and government bodies. Transparency about breaches and attacks is also key in enabling consumer awareness and building trust with the public. Examples of such mechanisms include bug bounty programs and breach notification frameworks.

This closed door roundtable will seek to bring together government, industry, civil society, academia, and security researchers to identify different areas and tools of collaboration between stakeholders towards enhancing Indian cyber security. It will broadly focus on vulnerability identification and reporting and vulnerability/breach notification. This will include a reflection on:

Existing frameworks, forms of collaborations, policies and practices in India.
Practices, standards, certifications, and programmes adopted in other jurisdictions.
The way forward for India addressing issues like establishing trust, harmonization and communication across stakeholders and sectors, and ensuring quality and response.

RSVP: pranav@cis-india.org

Download the Invite

See the Report

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation

Nibbling away into your bank account, salami attackers cart away a fortune

Admin — 2017-11-27T15:35:33Z

A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.

The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.

This is among the various strategies allegedly used by some bank employees, working in cahoots with persons working in telecom companies to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.

What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in to your account. If someone steals say `3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.

Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.

Bad practices
Prakash cited bad practices by different banks — such as preventing right click in password boxes (which curb positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor” — were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine at the bank/financial institutions side customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.

Insider frauds
While bank fraud cases — both online and offline — are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled `12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.

Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.

WHODUNNIT?

Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created resulting in a loss of `38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet

Case 2: May 2016

An US-couple living in Bengaluru was cheated of `6 lakh in just 2 hours.Cyber criminals, using their bank data credentials, had shopped online.The police, almost a year-and-half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.Status: No arrests yet

Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-october-25-2017-nibbling-away-into-your-bank-account-salami-attackers-cart-away-a-fortune