We are anonymous, we are legion

Aadhar: Privacy is not a unidimensional concept

amber — 2017-08-23T01:50:19Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all Indian citizens to defend their individual autonomy in the face of invasive state actions purportedly for the public good.

The article was published in the Economic Times on July 23, 2017.

The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all. In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order was passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-23-2017-amber-sinha-aadhar-privacy-is-not-a-unidimensional-concept

Calls for law change after Indians left in dark over data leaks

Admin — 2017-07-20T14:38:51Z

Fears Indian telecom upstart Reliance Jio suffered a major data breach, compromising the personal data of over 100 million customers, have prompted calls for India to adopt more robust laws to protect consumers.

The blog post by Rahul Bhatia and Sankalp Phartiyal was published by Reuters on July 14, 2017.

Jio has repeatedly denied any breach took place and said that names, telephone numbers and email addresses of Jio users on a website called "Magicapk" appeared to be "unauthentic." The website was later shut down.

The company, part of conglomerate Reliance Industries Ltd, said on Monday that its subscriber data was safe and protected by the highest levels of security.

However, Jio filed a complaint the same day alleging unlawful access to its systems, police have told Reuters.

Jio did not respond to requests for comment.

In contrast to companies in the European Union, which has stringent data protection standards, companies in India do not have to disclose data breaches to clients, information security professionals said.

"It raises questions of security and accountability," said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organization.

People complained on Twitter about personal information of Jio users being available on the Magicapk site. Several local news outlets said their checks had led them to believe a leak had occurred.

"A rule to report breaches exists, but it is unenforceable," says Prakash. "It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined."

Advocates of stronger laws in India say a data breach in countries with more stringent cyber laws, such as Britain or the United States, would prompt an inquiry by regulators.

After reports of a data leak at Verizon earlier this week, for example, the U.S. telecoms firm quickly responded with an explanation of what had occurred, how it had happened and the extent of the problem.

"India is at a nascent stage. For good norms in Asia, look to Singapore. It's been praised for not having cyber security issues by the UN," Srinivas Kodali, an independent security researcher, said.

Not a Priority

"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."

In May alone, there were two data security incidents in India.

The records of 17 million customers of Zomato, a popular food-delivery app, were put on sale online. Zomato initially advised customers that their passwords were secure, but later advised users to change them.

Separately, a CIS report said the Aadhaar numbers of as many as 135 million Indians had leaked from government databases and could be found online. (bit.ly/2tOseSV)

The number, similar to a U.S. social security number, is unique to each Indian citizen and the Aadhaar database also stores a user's biometric data. The government is pushing for Aadhaar numbers to be used in everything from opening bank accounts to filing tax returns.

For India, data privacy is not a priority, said Amry Junaideen, a risk advisor at audit firm Deloitte.

"From an organizational perspective there's really no incentive other than being a good corporate citizen, to report a breach," he said, noting that in the European Union and United States the regulatory framework is basically for the good of the consumer, but that this is not the case in India.

India, home to the back offices of many large multinationals and outsourcing companies, has also unsuccessfully sought "data-secure" status from the European Union since 2012.

The status is vital for information sharing between entities in the EU and India, because it means the EU is satisfied that data protection rules in a country meet its standards, so data of EU citizens can be sent to that jurisdiction.

Raman Chima, policy director at Access Now, which advocates stronger digital rights, says weak data privacy laws are likely the main stumbling block to "data-secure" status.

In 2010, a European Union study of data protection in India noted there were "no aspects of India's data protection which would unequivocally be regarded as 'adequate' by European Union standards as yet".

Reporting by Rahul Bhatia and Sankalp Phartiyal; Editing by Euan Rocha and Neil Fullick

For more details visit https://cis-india.org/internet-governance/news/reuters-july-14-2017-rahul-bhatia-and-sankalp-phartiyal-calls-for-law-change-after-indians-left-in-dark-over-data-leaks

Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar

Admin — 2017-07-20T14:31:12Z

Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.

The article by Gaurav Vivek Bhatnagar was published in the Wire on July 16, 2017. Pranesh Prakash was quoted.

Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.

The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, which Hashmi recorded and shared with the media; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.

Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.

Petitioners in SC had cautioned against misuse of Aadhaar

Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, in an interview in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.

Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.

Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.

Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.

Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.

In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.

The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the Supreme Court had recently upheld the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.

Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”

Experts have often cautioned against Aadhaar misuse

According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for The Wire, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, had noted that in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.

“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.

Earlier this year, writing for the Hindustan Times, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, had referred to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.

For more details visit https://cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar

Aadhaar privacy: Key issues that all Aadhaar card holders should bear in mind

Admin — 2017-07-20T14:18:28Z

As the Supreme Court hears petitions whether the right to privacy is a fundamental right, there are some key aspects that Aadhar Card holders should bear in mind, especially, because the government has made Aadhaar mandatory for a number of schemes and official purposes, including the filing of income tax returns.

The article was published by Business Today on July 19, 2017.

Linking of PAN with Aadhaar: What it means

The government claims that by linking the Aadhaar with PAN, authorities will be able to crack down on people with multiple PAN cards, and those who are escaping the tax net. The government has also made it clear that all bank accounts will have to be linked to Aadhar by the end of this year. This, essentially, implies that the government will be able track financial transactions.

Amit Maheshwari, Partner, Ashok Maheshwary & Associates LLP, says, "As the bank accounts of the person would already have PAN as his/her KYC requirement, once Aadhaar is linked with PAN, it will certainly lead to automatic link with the bank accounts as well."

"Since Aadhaar is based on biometrics, the chances of duplication are much less as compared to PAN, which is not based on biometrics," Maheshwari adds.

According to the latest data, there are more than 24.37 crore PANs registered in the country, while Aadhaar card has been issued to 113 crore people. Against this, only 2.87 crore individuals filed income tax returns (in the assessment year 2012-2013), out of which 1.62 crore did not pay any tax - leaving the number of taxpayers at just one per cent of the country's total population. Given the abysmally low number of tax payers in the country, the government intends to keep a close watch on tax evaders with this move.

Although the judgment is awaited, here's a low-down on how to link your PAN card with Aadhaar:

Register on the e-Filing portal of the Income Tax Department, www.incometaxindiaefiling.gov.in
Enter log-in ID, password and date of birth
After logging in, go to your profile setting which has the option of linking your Aadhaar Card. Generally, a pop-up window appears, prompting you to link your PAN card with Aadhaar card.
Check if the details such as name, date of birth and gender appearing on screen match with those on your Aadhaar card.
Enter your Aadhaar card number and click on the 'link now' button. If details on both the cards match, your card will be linked instantly.

Aadhaar prone to financial frauds

Many civil rights activists have raised concerns about privacy and security of data under Aadhar. Bangalore-based civil society group, The Centre for Internet and Society (CIS), has expressed concerns over the lack of security features associated with Aadhaar-linked financial transactions.

Authored by Amber Sinha and Srinivas Kodali, the CIS report pointed out that unless sufficient security features are added, the system is prone to financial frauds.

"The availability of large datasets of Aadhaar numbers along with bank account numbers and phone numbers on the Internet increases the risk of financial fraud," the report said.

According to the authors, social engineering is often used to find out bank account details, credit card numbers and passwords to steal money from people's accounts.

"One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions. In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due the proliferation of Aadhaar numbers and other related data available," the report pointed out.

How secure is Aadhar Pay?

In May, when malicious ransomware (in which the attacker locks down your computer and demands money to unlock it) infected hundreds of computers in different countries, questions were raised on how safe are we from cyber attacks, especially when digital transactions are increasing by leaps and bounds?

The government launched Aadhaar Pay, a platform that allows you to make payments using Aadhaar number-linked bank accounts. It is a merchant version of Aadhaar-enabled payment system which lets you make payments without a smartphone. One just requires the fingerprint of the payer for authentication; there is no need for a POS machine to swipe the card.

However, when passwords are fallible, how reliable can biometric authentication from Aadhaar Pay be, particularly when there have been cases of leakage of Aadhaar data? According to some experts, Aadhaar authentication is pretty strong because you cannot connect to the Aadhaar database except through secured APIs.

For more details visit https://cis-india.org/internet-governance/news/business-today-july-19-2017-aadhaar-privacy-key-issues-that-all-aadhaar-card-holders-should-bear-in-mind

Indians Call For More Stringent Data Protection Laws

praskrishna — 2017-07-18T13:36:49Z

The government is India is facing calls to establish better cybersecurity laws to protect consumers’ data after fears have crept up that Reliance Jio, the telecom startup in India, suffered a major data leak.

This report was published by PYMNTS on July 17, 2017. Pranesh Prakash was quoted.

According to a report in Reuters announcing the news, Jio denied the data leak took place, saying the names, telephone numbers and email addresses of Jio users that showed up on Magicpak, a website, were unauthentic. Its parent Reliance Industries said customers’ data was safe and protected.

But at the same time that it was issuing reassurances, Jio filed a complaint claiming unlawful access to its computer systems, reported Reuters. That discrepancy has led Indians to call for better laws for data protection for consumers.

“It raises questions of security and accountability,” said Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), a research organization, in the report. “A rule to report breaches exists, but it is unenforceable. It says you’re not liable if you’re following reasonable security practices. What ‘reasonable’ means is not defined.”

Supporters of stronger data protection laws in India said that countries that have stronger cybersecurity laws on the books would have started an inquiry into what happened with Reliance Jio. They point to the data breach last week at Verizon. Verizon quickly responded with an explanation of what went down, how it occurred and how many customers’ data privacy it impacted.

“India is at a nascent stage. For good norms in Asia, look to Singapore. It’s been praised for not having cybersecurity issues by the UN,” Srinivas Kodali, an independent security researcher, said in the same Reuters report.

The report noted that in May there were two data privacy breaches of Indian companies with the records of 17 million Zomato customers being compromised. In another breach, as many as 135 million of India’s Aadhaar numbers had been stolen from government databases and placed online. Aadhaar numbers are similar to social security numbers.

For more details visit https://cis-india.org/internet-governance/news/pymnts-july-17-2017-indians-call-for-more-stringent-data-protection-laws

Centre to form panel to 'encrypt' MGNREGA-DBT database and prevent leaks

praskrishna — 2017-07-14T10:46:45Z

Around 5 crore bank accounts of active MGNREGA workers yet to be seeded with Aadhaar.

The article by Sanjeeb Mukherjee was published in the Business Standard on July 14, 2017.

Alarmed over reports of ‘public disclosure’ of sensitive Aadhaar data through various portals and payment gateways, the Centre is in the process of appointing a high-powered panel of almost 20 experts to suggest ways and means through which data, particularly one which can be accessed through the MGNREGA-DBT platform can be encrypted.

Encryption, officials believe, would prevent the Aadhaar data and other related information from falling into wrong hands.

The need for proper encryption of Aadhaar data rose after the government made it mandatory for availing almost all benefits - be it school scholarships, payments of MGNREGA wages, identification of beneficiaries under mid-day meal scheme and even public distribution system along with others.

Ensuring cyber security has become all the more necessary as the Central government, in a notification issued last month, has made it mandatory for all bank accounts to be seeded with Aadhaar numbers by December 31, 2017, or else they would cease to be operational until the time the account holder furnishes his Aadhaar number.

This could seriously hamper payment of wages to MGNREGA workers because as per available information almost 5 crore active workers don’t have their bank accounts seeded with Aadhaar.

To complete the process before December 2017, the ministry of rural development has planned special Aadhaar camps to be held in villages from July 20 to September 2017.

Recently, a website published all confidential details of customers of a private telecom company including Aadhaar numbers and other information.

The breach was another instance of secure confidential information falling into public domain.

Officials of the panel, which would be headed by former NASSCOM head Kiran Karnik are expected to submit their report on the same within the next few months.

Other members of the panel include Director General of National Institute of Smart Governance (NISG), officials from Indian Computer Emergency Response Team (ICERT) and others.

However, cyber security experts believe that encrypting Aadhaar-DBT details mainly for those schemes and programmes which have a direct linkage with the public at this later stage has its own challenges as the entire ecosystem around Aadhaar has grown manifold ever since it was made mandatory for a variety of programmes.

Also, in the absence of a national encryption policy, such a move will have its own legal and regulatory challenges.

“Ever since the government made Aadhaar mandatory for many things, the entire ecosystem around it including the Central Identities Data Repository (the agency which stores Aadhaar data is exposed to leaks,” noted cyber law expert Pawan Duggal told Business Standard.

He said that without a proper national encryption law, it would be extremely challenging to provide legal and regulatory backing to encrypt all Aadhaar- DBT data details for MGNREGA. “Also now that the ‘cat is out of the bag,’ encryption of Aadhaar details will be hugely challenging,” Duggal said.

Already, civil society activists said that after some concern, the central government has removed all Aadhaar numbers and bank details from MGNREGA website, which has made tracking payments difficult.

A recent study by Amber Sinha and Srinivas Kodali from the Centre for Internet and Society (CIS) found that granular details about individuals including sensitive personally identifiable information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away through government schemes dashboard and portals.

“While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases,” the report said.

It specifically studied two major schemes of the ministry of rural development; the National National Social Assistance Programme and MGNREGA along with some state schemes.

Pointers

a) Centre to form a panel to encrypt all MGNREGA-DBT database to prevent leaks.

b) The panel might also suggest ways and means in which such ‘encryption’ could be applied in other platforms.

c) The panel is expected to be headed by former NASSCOM head Kiran Karnik.

d) The encryption is essential as from January 2018 all non-Aadhaar seeded bank accounts will cease to be operational unless the holders seed them.

e) A recent study found that vivid details about individuals can be easily accessed from government platforms and databases.

f) The MGNREGA database was one such publicly available platform which formed part of the study.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjeeb-mukherjee-july-14-2017-centre-to-form-panel-to-encrypt-mgnrega-dbt-database-and-prevent-leaks

Supreme Court sets up constitution bench to hear Aadhaar privacy issues

praskrishna — 2017-07-14T10:55:04Z

The Supreme Court ‘s five-judge constitution bench will also decide if the Aadhaar privacy issue should be heard by a larger bench.

The article by Priyanka Mittal was published in Livemint on July 12, 2017. Sunil Abraham was quoted.

A five-judge constitution bench will hear arguments on 18-19 July as to whether Indian citizens have the right to privacy, and whether the Aadhaar unique identity project breaches the right.

Chief Justice of India (CJI) J.S. Khehar on Wednesday set the dates for the hearing by the constitution bench, which will decide whether the issue should be heard by a larger bench.

Should the five-judge bench decide to rule on the case itself and not refer it to a larger bench, it will decide the future of Aadhaar, which has become the backbone of government welfare programmes, the tax administration network and online financial transactions.

This will be based on whether the right to privacy is a fundamental right of Indian citizens.

Privacy rights activists argue that personal data gathered under the Aadhaar programme, aimed at giving a unique 12-digit identity number to every Indian, is vulnerable to abuse. Then attorney general Mukul Rohatgi told the Supreme Court in 2015 that Indian citizens don’t have a fundamental right to privacy under the Indian Constitution—an argument he repeated subsequently.

“In the two-day hearing, the court is not going to decide the full issue of privacy,” said Alok Prasanna Kumar, a lawyer and visiting fellow at think tank Vidhi Centre for Legal Policy, explaining how the Constitution bench is likely to proceed. “They are going to take a call on whether, in light of precedents, there is a need to refer the issue to a larger bench. There are past judgements and the court will have to look at the scope of privacy under each to decide the number of judges.”

He added: “If the five-judge bench agrees with the precedents, then it would continue to address the angle of privacy; if not, then it would be referred back to the CJI to constitute a larger bench of nine judges.”

All cases related to Aadhaar, including the right to privacy, will be heard by the constitution bench; the court decided to set up the constitution bench to hear the privacy case in August 2015.

The CJI’s decision came on a plea by advocate Shyam Divan, who has appeared in several cases opposing Aadhaar, and attorney general K.K. Venugopal seeking the speedy creation of a Constitution bench. It came a week after justice J. Chelameswar said that all matters related to Aadhaar should be addressed by a constitution bench.

“I see it as a step in the right direction. Personally, I hope that the privacy issue is heard by a five-judge bench as against a larger bench as that can bring more disagreement,” said Sunil Abraham, executive director of Bengaluru-based research think tank Centre for Internet and Society.

Last month, the Supreme Court court upheld the government’s decision to link Aadhaar with the permanent account number (PAN) for filing of income-tax returns but ruled that non-compliance with the law will carry no retrospective consequences.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues

Reliance Jio data leaked on website : report

praskrishna — 2017-07-10T14:53:42Z

Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs , said a report.

The article was published by Livemint on July 10, 2017.

Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with 108.9 million subscribers as of 31 March.

The report, published first in a late-night article on Sunday on Fonearena.com, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.

“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been suspended .” The Registrar of the site, according to the whois database, is Godaddy.com, LLC.

When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

Fonearena.com, on its site, has responded with a: “We still stand by our story.”

The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.

In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, Mint reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in violation of the Aadhaar Act .

On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have made public up to 135 million Aadhaar numbers .

Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for immediate formation of a Constitution bench to decide on the case .

News of the alleged data leak also comes at a time when there have been a spate of cyber hacks.

For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the ransomware was also reported to be making inroads in countries like India.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report

Act now to protect yourself against future ransomware attacks

praskrishna — 2017-07-10T14:46:14Z

There was Wannacry, then Petya, and several other lesser-known ones: With ransomware attacks coming thick and fast, get proactive about protecting yourself.

The article by Sanjay Kumar Singh was published by Business Standard on July 5, 2017.

The Wannacry ransomware attack in May was followed by the Petya attack last week. This attack affected the Ukrainian government and large corporates like Maersk and Merck. In India it affected the operations of terminals at Jawaharlal Nehru Port Trust (JNPT), operated by Maersk. According to Kaspersky Lab, the rate of ransomware attacks on businesses grew from one every 120 seconds in January 2016 to one every 40 seconds by October that year. The rate of attack on individuals' computers rose from one every 20 seconds to one every 10 seconds over this period. Today, it has become imperative for everyone, including entrepreneurs and small business owners, to learn how to defend themselves against such attacks.

A trend witnessed in 2016 was the growth of ransomware-as-a-service business model. "Code creators offer their malicious product on demand, selling uniquely modified versions to criminals who then distribute it through spam and websites, paying a commission to the creator," says Altaf Halde, managing director, Kaspersky Lab (South Asia). He adds that the growth of cashless payments in India will undoubtedly attract the attention of cyber criminals and lead to more attacks in future.

Next, let us turn to how ransomware works. An operating system (OS) is a large and complicated piece of software with millions of lines of software code. A malware exploits vulnerabilities within the OS to infiltrate it. An infiltration can happen in multiple ways: if you download a malicious email attachment, visit a code-carrying web site, via an infected pen drive, and so on.

Ransomware is a form of malware that encrypts the files in a critical part of the computer, such as My Documents or Desktop, where people usually store their files. It could also encrypt specific file types, say, such .doc files. The user is then informed that his files have been encrypted along with the warning that unless he pays up within the next few hours his files will be deleted. Says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru: "You first have to first pay the attackers using anonymous money like bitcoins and then they give you the key for decrypting your files."

A ransomware attack can be dealt with in two ways: either pay the money and get the files unlocked, or find a way to circumvent the encryption. The latter option can, however, take a fair bit of time.

Safeguard measure you should adopt
Back up important files regularly. Check periodically that these files have not got damaged Enable ‘Show file extensions’ option in Windows settings. Stay away from extensions like “exe”, “vbs” and “scr”. Many familiar file types can be dangerous as scammers use multiple extensions (like hot-chics.avi.exe or doc.scr) If you discover an unknown process on your machine, cut off the Internet connection immediately If you have been infected, find the name of the ransomware. If it's an older version, your files can be restored. For restoration tools visit https://www.nomoreransom.org/

Among the safeguard measures you should adopt, first and foremost, never open a suspicious file. By being vigilant you can avoid a lot of ransomware attacks.

Most malware exploit vulnerabilities within the OS. "These vulnerabilities are frequently patched by the creators of the OS. But if people use pirated OS, or don't upgrade it regularly, they could land in trouble," says Tiwari. Soon after the Wannacry attack, Microsoft had issued a patch. People who updated their computers immediately didn't get affected by it. Also, use the latest version of an OS.

Use a quality antivirus (AV) solution, which is usually one you have to pay for. A high-quality AV can even protect you against vulnerabilities not patched by the OS manufacturer. AVs scan files. If they detect patterns indicating the presence of malware, they lock them apart from the rest of the computer, thereby preventing them from spreading.

One option is to use an OS that is less vulnerable, like Mac and Linux. Fewer malware are designed for these OS as fewer people use them.

Finally, if your files do get encrypted, don’t pay the ransom, unless instant access to those files is critical. "Each payment only fuels this unlawful business," says Halde.

For more details visit https://cis-india.org/internet-governance/news/business-standard-july-5-2017-sanjay-kumar-singh-act-now-to-protect-yourself-against-future-ransomware-attacks

IViR Summer Course on Privacy Law and Policy

Admin — 2017-08-23T02:00:50Z

attended the 2016 IViR Summer Course on International Privacy Law as a beneficiary of the OSF Civil Society Scholarship in Amsterdam from July 3 to 7, 2017.

The University of Amsterdam’s Institute for Information Law (IViR) announces the 6th IVIR Summer Course on Privacy Law and Policy. The course will focus on privacy law and policy related to the Internet, electronic communications and online and social media. It will explore the broader trends and recent developments in this rapidly changing field and explain how businesses, governments and other stakeholders can achieve their goals within it. The course will feature a distinguished faculty of European and US academics, regulators and practitioners who will investigate the EU and US legal frameworks and how they operate together. Participants will acquire the essential knowledge necessary to navigate privacy law and policy for online services that operate in the EU and the US. The seminar format promotes interaction among participants and faculty, and incorporates a range of practical exercises to apply the knowledge.

For more information see the website

For more details visit https://cis-india.org/internet-governance/news/ivir-summer-course-on-privacy-law-and-policy

UIDAI declining multiple requests by police to share Indian citizens’ biometrics

praskrishna — 2017-07-06T15:25:32Z

The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.

The blog post by Justin Lee was published by Biometric Update on July 4, 2017.

Investigating agencies such as CBI and NIA have been repeatedly requesting the details of Aadhaar cardholders including their biometrics, UIDAI said.

UIDAI Deputy Director General Rajesh Kumar Singh has written to the heads of each agency, ordering them to stop asking for such details.

“This is regarding requests frequently received by the UIDAI from police and other law enforcement agencies, seeking demographic and biometric information of residents for facilitating identification of individuals in different cases,” Singh said in his letter. “In this regard, I would like to draw your kind attention to provisions under Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act, 2016, which prohibits sharing of core biometric and identity related information with other authorities.”

Rather than asking forensic labs to match fingerprints, state police and investigating agencies are requesting biometrics data from UIDAI.

“Identity information cannot be shared by UIDAI,” Singh said. “The requests received from law enforcement agencies lead to avoidable delays in investigation by the police authorities and unnecessary increase in the workload of subordinate authorities.”

UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, has been leaked to the public.

In May, the Centre for Internet and Society published a report that claimed between 130 to 135 million numbers in India’s Aadhaar biometric registry system, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries, have been leaked online by four key government programs.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics

Data Protection: Understanding the General Data Protection Regulation

Aditi Chaturvedi — 2017-07-04T16:12:56Z

As recently as May 27, 2016, the General Data Protection Regulation (REGULATION (EU) 2016/679) (hereinafter referred to as GDPR) was adopted. The Data Protection Directive (1995/46/EC) (hereinafter referred to as DPD) will be replaced by this Regulation.

It will come into force on 25th May 2018 and it is expected that under this Regulation data privacy will be strengthened. Substantive and procedural changes have been introduced and for compliance, industries and law enforcement agencies will have to adjust the ways in which they have operated thus far. Click here to read the report

For more details visit https://cis-india.org/internet-governance/blog/data-protection-understanding-the-general-data-protection-regulation

Freedom of Expression on the Internet : Possibilities and Challenges

praskrishna — 2017-07-09T02:30:32Z

Sharat Chandra Ram was a speaker at an international seminar organized by Bolivar Technological University, Cartagena in Colombia on June 29, 2017. The theme of the seminar was ‘Freedom of Expression on the Internet : Possibilities and Challenges”.

For more info on the event, click here

For more details visit https://cis-india.org/internet-governance/news/freedom-of-expression-on-the-internet-possibilities-and-challenges

GoldenEye ransomware attack hit operations at Pipavav Port, JNPT

praskrishna — 2017-07-06T22:53:13Z

Shipping ministry says the GoldenEye ransomware attack at JNPT and Pipavav port may result in bunching of inbound and outbound cargo.

The article by Jyotika Sood and Utpal Bhaskar was published in Livemint on June 28, 2017. Pranesh Prakash was quoted.

Operations at one of three terminals at India’s largest container port, Jawaharlal Nehru Port Trust (JNPT) run by AP Moller-Maersk, near Mumbai, were disrupted by a global ransomware attack, the port said on Wednesday. The version that caused the disruption has been dubbed GoldenEye by security firm Bitdefender Labs.

Operations at the Danish firm’s terminal at Gujarat Pipavav Port were also affected, but by the Petya variant of the ransomware.

Ransomware typically logs users out of their own systems and asks them to pay a ransom if they want to access the encrypted data.

“The central server is in Europe which we can’t control. It is not a problem aimed at India... we have become collateral damage,” said a senior Indian government official involved in cybersecurity operations.

The ransomware hit the integrated transport and logistics firm’s global operations on Tuesday across its 75 terminals. It also impacted Chernobyl’s radiation monitoring system, law firm DLA Piper, pharma firm Merck, a number of banks, an airport, the Kiev metro, British advertising giant WPP and Russian oil firm Rosneft, according to Bitdefender Labs.

“The IT (information technology) department of JNPT became aware of the attack at around 4.30pm on Tuesday. The Windows server started conking off and the master file got encrypted and we couldn’t access any data. The operations immediately came to a standstill,” said a JNPT official requesting anonymity.

AP Moller-Maersk operates the Gateway Terminals India (GTI) at JNPT which has a capacity to handle 1.8 million standard container units. JNPT, which ships more than half the containerized cargo passing through India’s ports, serves a vast hinterland comprising all of northern and western India.

“While DP World and JNPT terminals are operational, the Gateway Terminals India operated by APM is completely shut,” said the JNPT official.

This is the second major ransomware attack since May after hackers exploited a loophole that was first identified by the US National Security Agency, to create WannaCry, that affected several businesses in more than 150 countries including India.

The ministry of corporate affairs and the Andhra Pradesh Police were affected, besides several large organizations..

“While the terminal operator is taking steps to address the issues disrupting operations, it is anticipated that there could be bunching of in-bound and out-bound container cargo,” India’s shipping ministry said in a statement.

Maersk group, through its terminal and infrastructure business, has invested $800 million in India.

“The global attack has impacted APM terminal of the JNPT port. The operations at the terminal have slowed down and are being entered manually. We are trying to handle the crisis by diverting traffic to other terminals,” JNPT chairman Anil Diggikar said, adding that JNPT’s operations have not been affected to a great extent.

He said it would take around 24 hours to clear the backlog.

Gujarat Pipavav Port told stock exchanges that the ransomware did not have “any major impact on the company at this point in time”.

Concerns have been expressed about the safety of India’s infrastructure projects with power generation and transmission projects figuring high on terrorist threat lists.

Ravi Shankar Prasad, minister of electronics and information technology, on Wednesday said advisories have been issued and the government is keeping a close watch on developments.

The Indian Computer Emergency Response Team (CERT-In), the agency coordinating efforts on cybersecurity issues, in a 27 June advisory warned, “It has been reported that variants of Petya ransomware with work-like capabilities are spreading.”

Such attacks pose a grave threat to the economy and businesses. Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021.

Experts believe India is ill-equipped to face such attacks.

“These cases of malware attacks highlight the need for proper planning of cybersecurity at all levels, especially for the government infrastructure networks,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

“Transportation and shipping companies are ill-prepared for cyberattacks,” added Amit Jaju, executive director, fraud investigation and dispute services, EY.

The emergency playing out at the ports assumes significance, given India’s Rs8 trillion investment plan until 2035 under the Sagarmala programme, which involves the construction of new ports to harness the country’s 7,517km coastline and setting up of as many as 142 cargo terminals at major ports.

“Indian companies lose approximately Rs40,000 crore due to cybercrime every year. India is among the top 5 countries today in terms of the frequency and the number of cyber attacks,” Jaju said.

“We are not prepared at all. This is a question of cyber literacy because the latest attack has reused the same Windows vulnerability that was exploited by WannaCry ransomware last month and for which security patches were released almost three months ago by Microsoft,” added cybersecurity expert Mohit Kumar.

Anirudh Laskar, Mayank Aggarwal, Shally Seth & Komal Gupta contributed to the story.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-28-2017-jyotika-sood-utpal-bhaskar-golden-eye-ransomware-attack-hit-operations-at-pipavav-port-jnpt

Second India China Think-Tank Forum

praskrishna — 2017-07-07T02:43:09Z

The second India-China Think-Tank Forum was held in Beijing from June 22 to 27, 2017. The Forum was jointly organized by the Institute of Chinese Studies, the Indian Council of World Affairs, and the Chinese Academy of Social Sciences. Saikat Dutta represented an Indian think tank.

The Forum was set up following an MoU between India and China during the visit of Prime Minister Narendra Modi in 2015. The idea of the forum is to explore contentious issues and new areas of cooperation between India and China as a Track 1.5 dialogue. Read More

Click here for the report

Click to read Saikat Dutta's presentation

For more details visit https://cis-india.org/internet-governance/news/second-india-china-think-tank-forum