We are anonymous, we are legion

DSCI Best Practices Meet

praskrishna — 2017-07-07T01:39:23Z

Udbhav Tiwari represented CIS on a Panel titled "Reposing Trust in Citizen Identity Systems" at the DSCI Best Practices Meet held at the ITC Gardenia on June 22 and 23, 2017 in Bangalore.

The event discussions featured around privacy and Aadhaar.

For more details visit https://cis-india.org/internet-governance/news/dsci-best-practices-meet

BIS LITD 17 Privacy Panel meeting

praskrishna — 2017-07-07T01:31:35Z

Udbhav Tiwari represented CIS at this meeting organized by National Law School of India University in Bangalore on June 21, 2017.

The bare-bones structure for what as discussed at the meeting can be found in the trailing email below. The standard itself is still in the drafting stage, which makes it confidential. I will share it on this thread once it hits the public draft stage, which should happen by September 2017. (approx)

For more details visit https://cis-india.org/internet-governance/news/bis-litd-17-privacy-panel-meeting

2nd India Think Tank Forum

praskrishna — 2017-07-07T01:16:00Z

Udbhav Tiwari participated in a panel titled "The New Cold War: Information and Cyber Wars" at the Second India Think Tank Forum organized by ORF, the Think Tank Programme at UPenn and the McKinsey Institute between 19 to 21 June 2017 at Claridges in New Delhi.

Agenda

June 19, 2017
18.00 – 18.30 – Registration
18.30 – 18.40 – Welcome Remarks
18.45 – 20.00 – Big Politics: OBOR, India, and the Liberal International Order

This panel will explore the emerging trends in geo-politics and the implications thereof on the liberal international order. It will explore the rise of China, in particular the ambitious Belt & Road Initiative and in its strategic and economic impact on Asia. It will discuss the role of the U.S. and Europe in what is now referred to as the Asian century. Lastly, it will discuss India’s role as a liberal actor in a rapidly changing global order.

Chair: Sanjaya Baru, Distinguished Fellow, USI
Speakers:
Indrani Bagchi, Diplomatic Editor, Times of India
Lt. Gen. Aditya Singh, Senior Fellow, Delhi Policy Group
Nitin Pai, co-Founder, Takshashila Institute
Seshdari Vasan, Chennai Centre for China Studies, Chennai

20.00 – 20.30 – Three Years of the Modi Government: Looking Back, Looking Ahead

In Conversation: Smt. Smriti Irani, Union Cabinet Minister for Textiles, Govt. of India.

20.30 - Dinner

For more details visit https://cis-india.org/internet-governance/news/2nd-india-think-tank-forum

Cybersecurity Compilation: Indian Context

Leilah Elmokadem and edited by Elonnai Hickok — 2017-06-18T13:16:39Z

This document intends to serve as a comprehensive source compiling all the cyber-security related regulations, policies, guidelines, notifications, executive orders, court rulings, etc.

Ultimately, it attempts to collect all the cyber security initiatives that have been put out by Indian regulatory bodies and organizations. To approach this end, we identified they actors and institutions in cyber security and record their published guidelines, frameworks, ongoing projects and any policies released to strengthen cyber security. We have mostly followed a general framework in which, for each document found, we indicate the definition of cyber security (if stated), the objectives, recommendations/guidelines and scope. This format was sometimes difficult to follow for some types of initiatives in the documents. For example, a document of questions and answers to parliament could not be recorded in this fashion. As a result, the document is not entirely uniform in structure. This research compendium is in continuous progress, expanding along with the base of our knowledge and ongoing research.

Download the Compendium

For more details visit https://cis-india.org/internet-governance/blog/cybersecurity-compilation-indian-context

International Symposium on Electronic Art (ISEA 2017)

praskrishna — 2017-07-07T01:49:34Z

Sharat Chandra Ram was part of a 90 minute academic panel at ISEA 2017 organized by the University of Caldas, Manizales in Columbia. The event was held from June 11 to 16, 2017.

The Panel was titled - “Biocreation of Informatics: Rethinking Data Ecosystems in the Network Economy. The Panel consisted of 4 papers:

1. Pilar Saenz - Karisma Foundation, Bogota - Data and Public Policy

2. Offray Vladimir Luna - HackBo & University of Caldas - Civic Media and Data (H)ac(K)tivism

3. Jose Cuartas - Los Libertadores & University of Caldas - Democratisation of Data and Internet of Things

4. Sharath Chandra Ram - Signal Territories, Infrastructures and Intermediaries

For more details visit https://cis-india.org/internet-governance/news/international-symposium-on-electronic-art-isea-2017

Are biometrics hack-proof?

praskrishna — 2017-06-12T01:39:14Z

There are growing concerns over biometric security in India. We ask the experts if biometrics can really be hacked.

The article by Shaikh Zoaib Saleem was published by Livemint on June 11, 2017. Pranesh Prakash was quoted.

There are growing concerns over biometric security. A compromised password can be changed but not a stolen biometric. We ask experts about biometrics security in India.

Pranesh Prakash, policy director, The Centre for Internet & Society

Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner's finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.

Earlier this year, researchers at NYU and Michigan State University revealed that they were able to generate a "MasterPrint", which is a "partial fingerprint that can be used to impersonate a large number of users". While there are potential safeguards, they require re-capturing everyone's biometrics.

Even other technologies like iris scanner, gait recognition, face recognition, and others, are getting better, but all have problems. Our laws haven't evolved either, leaving many unanswered questions: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Who is liable for failure? What remedies does one have?

This is an evolving area of technology studies, and every day new kinds of attacks are discovered. Further, they are probabilistic technologies unlike passwords. Given this, if you seek a reliable identity verification system, it doesn't make sense to deploy a system exclusively based on biometrics.

Umesh Panchal, vice-president, Biomatiques Identification Solutions

Biometric devices are instruments delivering added security check functions over traditional methods and these devices can be hack-proof, if the process of exploiting vulnerabilities to gain unauthorised access to systems or resources, is taken care of. With liveliness detection, iris biometric devices are far more hack-proof than fingerprint devices. Even Pentagon has been hacked. Theoretically, a biometric device can internally store or copy fingerprints or iris scans. Depending upon the use-case and ecosystem, a biometric device can internally store templates. However, the UID system (Unique Identification Authority of India) doesn’t permit storage of any biometric data in any biometric devices.

Several security measures can be incorporated to ensure strong transaction security and end-to-end traceability to prevent misuse. This can be achieved by implementing specification of authentication ecosystem. These include deploying signed application, host and operator authentication, usage of multi-factor authentication, SMS/email alerts, encryption of sensitive data, biometric locking, device identification with unique device identifier for analytics/fraud management, eliminating use of stored biometrics and so on.

For a consumer, the device security is determined by the certification it holds from the competent certification authority.

Bryce Boland, chief technology officer-Asia Pacific, FireEye

Biometrics take many forms. Most often people think biometrics are the actually measured biological feature, but they are actually measurements of a feature turned into a sequence of data that is compared against another set of data. You don’t actually need the physical feature, you need the measurements to generate the sequence of data to make a match. If you can inject that data into a biometric, bypassing the reader, you can potentially trick a biometric system.

Most successful biometric implementations have a controlled enrolment process where identity validation is undertaken, and have physically secured, tamperproof and closely monitored readers. Systems like those used for passport biometric enrolment with restricted deployments of readers at airports are an example. Self-enrollment is prone to fraud. Widely distributed readers are prone to tampering. Insecure paths from readers to central credential repositories are prone to credential theft.

Once biometric information is stolen, it usually cannot be changed. So stolen data can potentially be used for a long time, creating problems. This isn’t the case for airport fingerprint readers, but it is a problem for biometric devices in the hands of the public. The best way to check this is to keep the system’s environment physically secured, tamperproof and closely monitored.

Rajesh Babu, CEO, Mirox Cyber Security & Technology

Biometrics devices can be hacked. They have fingerprint sensors, which only check the pattern. It is possible to recreate these patterns through various techniques. Technically, it is difficult to recreate biometrics from a high-resolution picture. However, by using other image rendering tools we can recreate the patterns. Security experts and hackers have already proved that they can bypass mobile fingerprint scanners using a collection of high-resolution photographs taken from different angles using standard photo cameras to make a latex replica print.

Most of the biometric scanners have a date set of all fingerprints and other identities inside the device database. Not every manufacturer in India undergoes enough security auditing. Most of the companies manufacture low-cost biometric devices which are highly vulnerable. These devices are imported from China and other countries but they do not conduct or go through any security audits in our country. They may have kernel level back doors, which are highly vulnerable and can lead to launch of an any kind of attack, including compromising an organization’s network. Only a handful of companies conduct audits of their products as part of security practice.

Organizations and the government must have a clear and concise Security Devices Policy based on standard applicable laws and regulation framework.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-11-2017-shaikh-zoaib-saleem-are-biometrics-hack-proof

Why did Nandan Nilekani praise a Twitter troll?

praskrishna — 2017-06-12T01:34:53Z

As the Supreme Court upholds the linking of ‘Aadhar’ with PAN, questions around ex-UIDAI chairman Nandan Nilekani praising iSPIRT head Sharad Sharma Twitter troll and ‘Aadhar’s privacy properties will continue to be asked.

The article by Kiran Jonnalgadda was published in the Indian Express on June 10, 2017.

Last month, Sharad Sharma, the head of the Indian Software Product Industry Round Table (iSPIRT) Foundation, an organisation that promotes Aadhaar to industry, was outed as the operator of at least two anonymous Twitter troll accounts that viciously harassed and defamed critics of Aadhaar. The shocking revelation was first met with denial by iSPIRT, and then followed by what may be understood as a reticent apology from Mr Sharma.

In a bizarre sequence of events, the apology received praise from several quarters. iSPIRT’s Guidelines and Compliance Committee (IGCC) investigated Mr Sharma and the ‘Sudham’ team that coordinated the trolling campaign. Two members of the investigating committee subsequently resigned, although only one confirmed.

The committee’s findings, confirming that Mr Sharma was responsible, were summarised for the public by Mr Sharma himself, who then announced that his role as a public spokesperson would now be handled by Sanjay Jain. Mr Jain was once with the Unique Identification Authority of India (UIDAI), launched by Nandan Nilekani, is currently a director at Nandan Nilekani’s EkStep Foundation, and a close confidante of Mr Sharma. The two have often pitched iSPIRT’s IndiaStack initiative together.

In an internal email questioning this decision, an iSPIRT member asked whether Mr Jain was a part of the ‘Sudham’ team, and whether he was also “at least partially culpable for the [troll] campaign and the violation of the code of conduct.”

The victims of the trolling have received no report, and the two apologies posted by Mr Sharma were both for having “condoned uncivil behaviour”, but not for personally orchestrating the attacks. Among those who praised him was Nandan Nilekani, former chairman of UIDAI and chief mentor of iSPIRT.

Critics have been pointing out for years that Aadhaar lacks sufficient checks and balances, and that claims of benefits are overstated. These concerns have been met with denial, condemnation of critics, and often outright refusal to engage in debate. This has unfortunately only served to alienate an even larger section of the population, turning ordinary citizens into activists.

We can gain an insight into how Aadhaar is promoted by examining iSPIRT. The organisation was founded in 2013 by volunteers who had been working together on the sidelines of the NASSCOM Product Conclave. These volunteers felt the need for an independent grassroots organisation to represent tech entrepreneurs who were building products for India and the world. iSPIRT has grown phenomenally influential over its few years, largely by the work of volunteers who were truly interested in building a mutual assistance community.

Level playing fields are a recurring topic. Just as there is a desire to lower bureaucratic hurdles to give every entrepreneur a fair chance, there is also the question of how a startup can compete against a foreign competitor that has the advantage of a stronger home market.

Flipkart and Ola are two prominent examples in their fight to defend their market share against Amazon and Uber, competitors armed with global experience, more capital, and better trained talent. iSPIRT’s take is that for Indian companies to thrive they must have a supportive ecosystem that enables rapid growth, and so iSPIRT must step up as an “activist think tank”.

One aspect of this activism is IndiaStack, which seeks to help startups by promoting a suite of ‘public goods’: Aadhaar and eKYC for id verification, eSign and Digilocker for digital contracts and certificates, and UPI for payments. If one accepts at face value that these services are well intentioned, then IndiaStack is on a noble quest. The details, unfortunately, are less pristine.

iSPIRT is a private non-profit, but its volunteers include several former members of UIDAI. The guidance and compliance committee (IGCC) investigating the trolling included a current member of government. iSPIRT helped build and evangelise the UPI (United Payments Interface) platform and BHIM app for NPCI, but the level of involvement and terms of the agreement are not public.

For an organisation that claims to champion public goods, iSPIRT is opaque on the level of influence they wield with government (Mr Sharma once claimed some influence but no control), and on who exactly built the various components of IndiaStack, within or outside of government.

They showed a remarkable degree of influence when foisting UPI on a change-resistant banking sector. They have funding from four banks (IDFC, SBI, Bank of Baroda and Axis Bank) and from fintech startups. Despite this level of responsibility, they also have no accountability since they are a pro bono volunteer force, allowing them to distance themselves from failures (UPI failures are NPCI’s problem and Aadhaar failures are UIDAI’s problem, etc) and unpleasant incidents such as the ‘Sudham’ trolling project. (No one has accepted responsibility for operating a troll account.)

At the core of IndiaStack is ‘Aadhaar’, which as it currently stands has serious concerns from its technical architecture to institutional safeguards. Aadhaar lacks publicly verifiable audits, a data breach disclosure policy, or an engagement process for researchers to report concerns.

For reasons best known to them, the promoters of ‘Aadhaar’ are in a tearing hurry to impose it everywhere, in every aspect of an Indian’s life, out of an apparent fear that it will die if adoption slows down. This is eerily reminiscent of startup mantras like “fake it till you make it” and “move fast and break things”.

But ‘Aadhaar’ already has a billion enrollments and the backing of legal measures pushed by the Union Government. There is no threat of imminent demise. And yet, as the Twitter trolling shows, this fear continues to exist for ‘Aadhaar’s proponents, so much so that critics must be silenced at any cost.

Where trolling failed to work, subtler attacks are sure to follow. There have been some in the recent past.

The Centre for Internet and Society (CIS) is facing one such attack for its report on the leak of 130 million Aadhaar numbers. The report received wide coverage and was followed by new rules from MEITy (ministry of Electronics & Information Technology) regarding the handling of Aadhaar numbers, but instead of commending CIS for its role in improving safeguards, UIDAI is accusing it of hacking, demanding the identity of the researcher so that he or she may be individually prosecuted.

When Sameer Kochhar demonstrated that previously captured fingerprints were being reused because Aadhaar’s API lacked technical safeguards, UIDAI responded by prosecuting him. A News18 journalist was also prosecuted for demonstrating how double application for enrollment was possible using different names.

As of September 30, 2017, ‘registered’ devices will be mandatory as the current devices are not secure against fingerprint reuse, and an unknown number of fingerprints have already been captured and stored. This sort of forced technological upgrade will happen again as more problems surface into public consciousness, with more researchers and critics harassed for pointing these out.

‘Aadhaar’ pursues inherently contradictory goals. The process of ‘inorganic seeding’, for instance, allows a database to be seeded with ‘Aadhaar’ numbers, to help a service provider identify and eliminate duplicates without the individual’s cooperation. (Inorganic seeding is an official UIDAI scheme.) And yet, the law prohibits using and sharing ‘Aadhaar’ numbers without the individual’s consent.

‘Aadhaar’ aims to be an inclusive project, providing an identity for everyone, and yet easily lends itself to being an instrument of exclusion. There is technical exclusion when biometrics fail to match, and there is institutional exclusion when Aadhaar is made mandatory and an individual is then blacklisted from a service or denied Aadhaar enrollment.

Aviation minister Jayant Sinha recently announced a proposal to use digital id for just this purpose. ‘Aadhaar’ in its current state makes it extraordinarily simple for an organisation to demand it for authentication, but what of the necessary safeguards to protect an individual’s rights? Or of ensuring that grievance redressal mechanisms are in place and actually functional? These are not solved by a technical API integration.

Just as we’ve seen with nuclear power, weak institutions which are sensitive to criticism and fail to ensure effective oversight amplify the risks of the underlying technology. Aadhaar’s supporting institutions, whether government bodies like UIDAI or private bodies like iSPIRT, are immature for the mandate they carry. All technology improves with time, but weak institutions hamper their benefit to society.

As the leading promoter of Aadhaar, founding chairman of UIDAI, and chief mentor of iSPIRT, Mr Nilekani must step up and commit to improving the institutions he commands, and take responsibility for their failures. Condemning critics instead does not help build institutions.

For more details visit https://cis-india.org/internet-governance/news/indian-express-kiran-jonnalgadda-june-10-2017-why-did-nandan-nilekani-praise-a-twitter-troll

Placements at NUJS: Class of 2017 Scores 100%

praskrishna — 2017-06-12T01:23:07Z

The Campus Recruitment Committee of the Class of 2017, NUJS is proud to confirm that NUJS has once again topped the placement tally among the premier national law schools, in terms of number of jobs, for the year 2016-17 with the graduating class having secured offers for all its 78 members who partook in the recruitment process.

The blog post by Simran Sahni was published in Livelaw on June 10, 2017.

The number of students hired by the domestic law firms on Day Zero with a tally totaling 57, inclusive of the 24 accepted pre-placement offers (PPOs).

The ‘Big 7’ firms contributed to 53 of these jobs and ICICI Bank recruited 4. New recruiters including Indus Partners and Singh & Associates hired from campus this year, picking three students each. Three students bagged offers from international law firms: Herbert Smith Freehills, Linklaters, and Allen & Overy respectively.

The salaries remain the same as last year with the average foreign firm package ranging from INR 38 lakhs to 44 lakhs for traineeships and the average domestic firm packages ranging from INR 8 lakhs to 18 lakhs. The firm with the highest domestic package was AZB and Partners, Mumbai.

Additionally, more than six students this year have decided to pursue higher education. Students have received admission offers in LLM from Harvard Law School, Cambridge Faculty of Law, NYU Faculty of Law, London School of Economics and Graduate Institute Geneva respectively. Charting new courses, while one student opting for a master’s in management has been offered admission at the renowned London Business School, another joined as a policy officer at the Centre for Internet and Society in Bangalore. Interestingly, even the topper of the class opted out of placements this year and set a new record by being the third in the line of scholars from NUJS to secure the prestigious Rhodes scholarship to Oxford University. Similarly, students have also decided to take up the meritorious one year Young India Fellowship program at Ashoka University.

With the current placement figures, NUJS beats all market trends to secure the highest number of job offers among premier law schools. The Class of 2017 also marginally trumps the record of the Class of 2016 in terms of total number of ‘Big 7’ jobs, even with a large chunk of the batch opting out of campus recruitment and pursing litigation, higher education, civil and judicial services and roles in think tanks and other non-profit organization's - the results of which shall be released by us as and when they come.

This entire feat would not have been possible without the support of the respected Vice Chancellor, Prof. P. Ishwara Bhat, CRC team and faculty advisor Ms. Vaneeta Patnaik, and all the faculty members at NUJS.

NUJS has built an exceedingly steady placement record for itself over the years. The placement figures for the Class of 2017 of NUJS are now live on the website here.

For more details visit https://cis-india.org/internet-governance/news/livelaw-june-10-2017-simran-sahni-placements-at-nujs

New law to unlock data economy

praskrishna — 2017-06-12T01:10:06Z

Proposal has been sent to PMO for approval.

The article by Yuthika Bhargava was published in the Hindu on June 9, 2017.

The government is mulling a new data protection law to protect personal data of citizens, while also creating an enabling framework to allow public data to be mined effectively. The move assumes significance amid the debate over security of individuals’ private data, including Aadhaar-linked biometrics, and the rising number of cyber-crimes in the country.

“The Ministry of Electronics and Information Technology (MEIT) is working on a new data protection law. A proposal to this effect has been sent to the Prime Ministers’ Office for approval,” a senior ministry official told The Hindu.

Once the PMO approves it, the ministry will set up a “cross-functional committee” on the issue.

“We want to include all stakeholders. It will be a high-level committee, and all current and future requirements of the sector will be discussed.”

Two chief aims

The official said: “We are working with two main aims – to ensure that personal data of individuals remain protected and is not misused, and to unlock the data economy.”

The official explained that a lot of benefits can be derived from the data that is publicly available, by using technology and big data analytics. “The information can be used for the benefit of both individuals and companies,” the official said.

“The underlying infrastructure of the digital economy is data. India is woefully unprepared to protect its citizens from the avalanche of companies that offer services in exchange for their data, with no comprehensive framework to protect users,” Software Freedom Law Centre (SFLC.in), a non-profit, said in an emailed reply.

Currently, India does not have a separate law for data protection, and there is no body that specifically regulates data privacy.

“There is nominally a data protection law in India in the form of the Reasonable Security Guidelines under Section 43A of the Information Technology Act. However, it is a toothless law and is never used. Even when data leaks such as the ones from the official Narendra Modi app or McDonald’s McDelivery app have happened, section 43A and its rules have not proven of use,” said Pranesh Prakash, policy director at CIS.

Some redress for misuse of personal data by commercial entities is also available under the Consumer Protection Act enacted in 2015, according to information on the website of Privacy International, an NGO. As per the Act, the disclosure of personal information given in confidence is an unfair trade practice.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-yuthika-bhargava-june-9-2017-new-law-to-unlock-data-economy

Explore money apps but watch your data

praskrishna — 2017-06-08T12:46:11Z

Financial apps may appear to be free but before you install them, read their privacy policies to know what you may be signing away.

The article by Shaikh Zoaib Saleem was published in Livemint on June 8, 2017. Pranesh Prakash was quoted.

With the increasing usage of smartphones and other smart devices, our use of and dependence on mobile applications also increases. These apps, while being installed on your device, ask for a lot of permissions. Most users do not take a detailed look at all the permissions being granted to any particular app’s publisher. Moreover, even fewer users look at the privacy policies and terms of use of apps, which detail how the publisher intends to utilize the data you share.

In most cases, the data collected is analysed and used for targeted marketing campaigns by the apps’ publishers, based on the users’ profiles and habits. Read more about it here: bit.ly/2q3ByA3. While this phenomena is spread across the board for all categories of apps, we take a look at the privacy policies and terms of use of the top 10 Android financial apps in India (top 10 as of June 1, according to App Annie, a mobile apps market research company based in California). The 10 apps are: PhonePe, BHIM, SBI Anywhere Personal, Kotak – 811 and Mobile Banking, JioMoney Wallet, Money View Money Manager, State Bank Buddy, Bank Balance Check, All Bank Balance Enquiry, iMobile by ICICI Bank.

Collecting information

The common theme across privacy policies of these apps is that the information is collected to enhance customer experience while using an app, respond to customer complaints and resolve disputes. Another theme is tracking consumer behaviour. For instance, PhonePe, in its privacy policy states, “We may automatically track certain information about you based upon your behaviour on our app. We use this information to do internal research on our users’ demographics, interests, and behaviour to better understand, protect and serve our users. This information is compiled and analysed on an aggregated basis.”

Similarly, the privacy policy of BHIM app says, “…once you give us your personal information, you are not anonymous to us. We may automatically track certain information about you based upon your behaviour on our app to the extent we deem fit.” It further adds that if you choose to transact on the app, then “we collect information about your transaction behaviour.” All the apps collect some or the other information like device IDs and location.

Sharing Information

The information gathered by the apps is not just used by these companies themselves, but also shared with third parties, subsidiaries, parent companies and agents of the companies. iMobile by ICICI Bank, for instance, in its privacy policy states that the bank will limit the collection and use of customer information only on a need-to-know basis to deliver better service to the customers. “ICICI Bank may use and share the information provided by the customers with its affiliates and third parties for providing services and any service-related activities such as collecting subscription fees for such services, and notifying or contacting the customers regarding any problem with, or the expiration of, such services. In this regard, it may be necessary to disclose the customer information to one or more agents and contractors of ICICI Bank and their sub-contractors, but such agents, contractors, and sub-contractors will be required to agree to use the information obtained from ICICI Bank only for these purposes,” the policy reads.

Similarly, PhonePe in its privacy policy has said that the company may share personal information with its other corporate entities and affiliates. “We and our affiliates will share/sell some or all of your personal information with another business entity should we (or our assets) plan to merge with, or be acquired by that business entity, or re-organization, amalgamation, restructuring of business. Should such a transaction occur that other business entity (or the new combined entity) will be required to follow this privacy policy with respect to your personal information,” it reads.

While installing, the Kotak app seeks your “irrevocable consent” to its privacy policy, which, among others things, states: “We may disclose the customer information to third parties for following, among other purposes, and will make reasonable efforts to bind them to obligation to keep the same secure and confidential and an obligation to use the information for the purpose for which the same is disclosed, and you hereby give your irrevocable consent for the same.”

JioMoney Wallet, while disclosing upfront that the publishing company and its affiliates do not sell or rent personal information to any third-party entities, also adds that the company “engages a number of vendors, consultants, contractors and takes support of our group companies or affiliates. We may provide our partners access to or share your personal information to enable them to provide the services subscribed by you.” Terms and conditions of the BHIM app state: “For the protection of both the parties, and as a tool to correct misunderstandings, the user understands, agrees and authorises NPCI, at its discretion, and without further prior notice to the user, to monitor and record any or all telephone conversations between the user(s) and NPCI only.”

It is imperative to note that most of these apps announce it upfront in their privacy policies that the policy could change anytime without prior information to the users. At the same time, it should be noted that sharing of some data is required for proper functioning of many apps. While most app publishers may not misuse the data being gathered, you should know exactly what data is being used.

Pranesh Prakash, policy director at the Centre for Internet and Society said that their research outputs show that laws to deal with misuse of personal data are very weak in India. “We need a strong privacy law to address these issues, of which we have proposed a citizens’ draft. Clearly, the prevailing situation shows that the industry is not taking enough initiative on self-regulation. At the same time, even the government isn’t taking much interest in consumer protection.”

For more details visit https://cis-india.org/internet-governance/news/livemint-june-8-2017-shaikh-zoaib-saleem-explore-money-apps-but-watch-your-data

Privacy is culture specific, MNCs hit by Aadhaar, says TRAI chief

praskrishna — 2017-06-07T13:57:08Z

A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

The article by Pranav Mukul was published in the Indian Express on June 1, 2017.

Questioning the anti-Aadhaar campaigns by non-governmental organisations and civil society groups, Telecom Regulatory Authority of India’s (TRAI) Chairman R S Sharma, who is also the former Director General of Unique Identification Authority of India (UIDAI), said that various multinational companies were being affected by Aadhaar as it was in conflict with their attempts to create their own database of users.

“It’s making a mountain out of a molehill. There are motivated campaigns being launched. Various multinationals are getting affected. There are companies, which are creating their own identities. Someone has called it digital colonisation. The fingerprint scanners on smartphones can be easily used for authenticating Aadhaar but they don’t allow it. A lot of fraudulent or benami transactions can go down because of Aadhaar,” Sharma told The Indian Express. While he refused to elaborate on these multinationals, the remarks are an apparent reference to Silicon Valley giants such as Facebook and Google.

Sharma’s remarks come at a time when civil society groups have flagged serious concerns on issues such as privacy and accountability that arise from the Centre’s increasing use of Aadhaar. A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

Recently, a Bengaluru-based NGO — Centre for Internet & Society (CIS) — released a report suggesting 130 million Aadhaar numbers were leaked on government portals. CIS later updated its report to say that there were no “leaks” or “leakages” but a “public disclosure”. The UIDAI served a show-cause notice to CIS, asking it to explain its claims.

The TRAI chairman defended UIDAI’s decision to send the notice to CIS and said that there were no leakages from Aadhaar, or decryption of of biometric data from the UIDAI server. At the same time, Sharma made a case for having a comprehensive data protection law in the country. “There is a need for a larger data protection law. In today’s digitally connected world, data protection law is a must. Data security, its protocols, rules, responsibilities, accountabilities, damage, payments, compensations, all these issues must come in that law,” he said.

“Aadhaar Act, itself, is very self-contained, which takes into account all data protection and privacy issues,” Sharma said, adding that privacy was a cultural concept. “Privacy is a culture specific concept, which they are trying to import here. Except for NGOs, has any individual or poor person complained, or filed a case about privacy?” he asked.

In a recent interview to The Indian Express, Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad had tried to allay fears of any loopholes in the Aadhaar security system and said “this systematic campaign against Aadhaar comes as a surprise for me”. He said that the voter ID information was also in public domain, but “I don’t see any campaign there”.

For more details visit https://cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief

New rules for govt agencies to ensure security of personal data

praskrishna — 2017-06-07T13:51:29Z

The new rules put the onus on government departments and agencies to safeguard personal data or information held by them.

The article by Komal Gupta was published by Livemint on June 2, 2017.

Government departments handling personal data or information will have to ensure that end-users are made aware of the data usage and collection and their consent is taken either in writing or electronically, according to new guidelines issued by the government for security of personal data. Sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health, and biometric information cannot be stored by agencies without encryption, say the guidelines issued by the ministry of electronics and information technology (IT) on 22 May.

The rules put the onus on government departments and agencies to safeguard personal data or information held by them. To be sure, the Information Technology Act 2000 and Aadhaar Act 2016 have laid down most of these rules. The new guidelines seek answers to questions being asked on data protection under the Aadhaar Act. “If agency is storing Aadhaar number or sensitive personal information in database, data must be encrypted and stored. Encryption keys must be protected securely, preferably using Hardware Security Modules (HSMs). If simple spreadsheets are used, it must be password protected and securely stored,” according to the guidelines.

In April, the IT Ministry issued a notification directing all government departments to remove any personal data published on their websites or through other avenues. The guidelines require regular audits to ensure effectiveness of data protection and also call for swift action on any breach of personal data. In cases where an Aadhaar number has to be printed, it should be truncated or masked. The guidelines say only the last four digits of the 12-digit unique identity number can be displayed or printed.

According to a research report issued by Bengaluru-based think tank Centre for Internet and Society on 1 May, four government portals could have made public around 130-135 million Aadhaar numbers and around 100 million bank account numbers.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-2-2017-komal-gupta-new-rules-for-govt-agencies-to-ensure-security-of-personal-data

Aadhaar: Ushering in a Commercialized Era of Surveillance in India

praskrishna — 2017-06-07T12:45:30Z

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing persons through an app that integrates biometric information with the Crime and Criminal Tracking Network Systems (CCTNS).

The article by Jyoti Panday was published by the Electronic Frontier Foundation on June 1, 2017.

These instances demonstrate how intrusive India’s controversial national biometric identity scheme, better known as Aadhaar has grown. Aadhaar is a 12-digit unique identity number (UID) issued by the government after verifying a person’s biometric and demographic information. As of April 2017, the Unique Identification Authority of India (UIDAI) has issued 1.14 billion UIDs covering nearly 87% of the population making Aadhaar, the largest biometric database in the world. The government asserts that enrollment reduces fraud in welfare schemes and brings greater social inclusion. Welfare schemes that provide access to basic services for marginalized and vulnerable groups are essential. However, unlike countries where similar schemes have been implemented, invasive biometric collection is being imposed as a condition for basic entitlements in India. The privacy and surveillance risks associated with the scheme have caused much dissension in India.

Identity and Privacy in India

Initiated as an identity authentication tool, the critical problem with Aadhaar is that it is being pushed as a unique identifier to access a range of services. The government continues to maintain that the scheme is voluntary, and yet it has galvanized enrollment by linking Aadhaar to over 50 schemes. Aadhaar has become the de-facto identity document accepted at private, banks, schools, and hospitals. Since Aadhaar is linked to the delivery of essential services, authentication errors or deactivation has serious consequences including exclusion and denial of statutory rights. But more importantly, using a unique identifier across a range of schemes and services enables seamless combination and comparison of databases. By using Aadhaar, the government can match existing records such as driving license, ration card, financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it's a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.

This is worrying, particularly in context of the ambiguity regarding privacy in India. The right to privacy for Indian citizens is not enshrined in the Constitution. Although, the Supreme Court has located the right to privacy as implicit in the concept of “ordered liberty” and held that it is necessary in order for citizens to effectively enjoy all other fundamental rights. There is also no comprehensive national framework that regulates the collection and use of personal information. In 2012, Justice K.S. Puttaswamy challenged Aadhaar in the Supreme Court of India on the grounds that it violates the right to privacy. The Court passed an interim order restricting compulsory linking of Aadhaar for benefits delivery, and referred the clarification on privacy as a right to a larger bench. More than a year later, the constitutional bench is yet to be constituted.

The delay in sorting out the nature and scope of privacy as right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back. In 2016, the government enacted the 'Aadhaar Act' passing the legislation without any debate, discussion or even approval of both houses of Parliament. In April this year, Aadhaar was made compulsory for filing income tax or PAN number application and the decision is being challenges in Supreme Court. Defending the State , the Attorney-General of India claimed that the arguments on so-called privacy and bodily intrusion is bogus, and citizens cannot have an absolute right over their body! The State’s articulation is chilling, especially in light of the Human DNA Profiling Bill seeking the right to collect biological samples and DNA indices of citizens. Such anti-rights arguments are worth note because biometric tracking of citizens isn't just government policy - it is also becoming big business.

Role of Private Companies

Private companies supply hardware, software, programs, and the biometric registration services for rolling out Aadhaar to India’s large population. UIDAI’s Committee on Biometrics acknowledges that biometrics data are national assets though American biometric technology provider L-1 Identity Solutions, and consulting firms Accenture and Ernst and Young can access and retain citizens' data. The Aadhaar Act introduces electronic Know-Your-Customer (eKYC) that allows government agencies and private companies to download data such as name, gender and date of birth from the Aadhaar database at the time of authentication. Banks and telecom companies using authentication process to download data and auto-fill KYC forms and to profile users. Over the last few years, the number of companies or applications built around profiling of citizens’ personally sensitive data has grown exponentially.

A number of people linked with creating the UIDAI infrastructure have founded iSPIRT, an organisation that is pushing for commercial uses of Aadhaar. Private companies are using Aadhaar for authentication purposes and background checks. Microsoft has announced SkypeLite integration with Aadhaar to verify users. Others, such as TrustId and Eko are integrating rating systems into their authentication services and tracking users through platforms they create. In essence such companies are creating their own private database to track authenticated Aadhaar users and they may sell this data to other companies. The growth of companies that share and combine databases to profile users is an indication of the value of personal data and its centrality for both large and small companies in India.

Integrating and linking large biometrics collections to each other, which are then linked with traditional data points that private companies hold such as geolocation or phone number enables constant surveillance to take over. So far, there has been no parliamentary discussion on the role of private companies. UIDAI remains the ultimate authority in deciding the nature, level and cost of access granted to private companies. For example, there is nothing in Aadhaar Act that prevents Facebook from entering into an agreement with the Indian government to make Aadhaar mandatory to access WhatsApp or any of its other services. Facebook could also pay data brokers and aggregators to create customer profiles to add to its ever growing data points for tracking and profiling its users.

Security Risks and Liability

A series of data leakages have raised concerns about which private entities are involved, and how they handle personal and sensitive data. In February, UIDAI registered a complaint against three companies for storing and using biometric data for multiple transactions. Aadhaar numbers of over 130 million people and bank account details of about 100 million people have been publicly displayed through government portals owing to poor security practices. A recent report from Centre for Internet and Society (CIS) showed that a simple tweaking of URL query parameters of the National Social Assistance Programme (NSAP) website could unmask and display private information of a fifth of India's population.

Such data leaks pose a huge risk as compromised biometrics can never be recovered. The Aadhaar Act establishes UIDAI as the primary custodian of identity information, but is silent on the liability in case of data breaches. The Act is also unclear about notice and remedies for victims of identity theft and financial frauds and citizens whose data has been compromised. UIDAI has continued to fix breaches upon being notified, but maintains that storage in federated databases ensures that no agency can track or profile individuals.

After almost a decade of pushing a framework for mass collection of data, the Indian government has issued guidelines to secure identity and sensitive personal data in India. The guidelines could have come earlier, and given large data leaks in the past may also be redundant. Nevertheless, it is reassuring to see practices for keeping information safe and the idea of positive informed consent being reinforced for government departments. To be clear, the guidelines are meant for government departments and private companies using Aadhaar for authentication, profiling and building databases fall outside its scope. With political attitudes to corporations exploiting personal information changing the world over, the stakes for establishing a framework that limits private companies commercializing personal data and tracking Indian citizens are as high as they have ever been.

For more details visit https://cis-india.org/internet-governance/news/electronic-frontier-foundation-jyoti-panday-june-1-2017-aadhaar-ushering-in-a-commercialized-era-of-surveillance-in-india

Centre brings in new safeguards following cases of Aadhaar data leaks on government websites

praskrishna — 2017-06-06T15:41:16Z

The Centre has put in new safeguards following a number of cases of Aadhaar data leaks on government websites. All ministries are being asked to encrypt all Aadhaar data and personal financial details. Also, officials are being "sensitised" about legal consequences of data breach. And every government department is to now have one official responsible for Aadhaar data protection.

The article by Nidhi Sharma was published in the Economic Times on June 2, 2017.

The ministry of electronics and information technology has written to all departments on better data security. ET has reviewed the new guidelines. Aadhaar, a 12-digit unique identity number issued on the basis of biometric data, is linked to a person's bank account and used by government agencies to directly transfer benefits of several social welfare schemes.

Senior officials, who spoke off record, told ET all departments have been asked to immediately review their website content to check if personal data is on display.

A set of 27 dos and 9 don'ts has been circulated on data handling. This includes instructions on masking Aadhaar data and bank details as well as encrypting data. The government has mandated regular audits to check safety of personal data.

The ministry letter says, "It has come to notice there have been instances wherein personal identity or information of residents, along with Aadhaar numbers and demographic information, and other sensitive personal data ... have been published online."

The letter also spells out legal consequences of such data breach and warns the government departments to check future leaks. "Publishing identity information, i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act 2016 and constitutes an offence punishable with imprisonment up to 3 years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act 2000 with violations liable to pay damages by way of compensation to persons affected."

The move to protect personal data comes after reports that data of 130 million Aadhaar cardholders has been leaked from four government websites. Reports, based on a study conducted by the Centre for Internet and Society (CIS) said Aadhaar numbers and details have been leaked.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-2-2017-nidhi-sharma-centre-brings-in-new-safeguards-following-cases-of-aadhaar-data-leaks-on-government-websites

Tweets from the afterlife

praskrishna — 2017-06-06T12:46:06Z

What happens to the digital legacy that celebrities leave behind after they die. Heena Khandelwal asks if their families must inherit their digital assets or can social media managers stake a claim.

The article by Heena Khandelwal was published by DNA on May 28, 2017.

Famous personalities and celebrities with millions of followers on social media platforms enjoy the stature comparable to high-value brands. Their Facebook posts, tweets and Instagram images not only have the potential to influence society but often become fodder for news, online discussions and even prime time debates. But have you paused to wonder what happens to their social media accounts in the event of their death? What becomes of the huge bank of online data that they leave behind? Do these digital assets naturally pass onto the next of kin, to the digital platform or to a third party that managed the said account/s in the first place?

While these are not new questions, the tussle over the social media accounts of former president late Dr APJ Abdul Kalam between his family and Kalam's former aide who managed his social media affairs, has thrown the issue under the spotlight. Nearly two years after Kalam's sudden demise, his family and Srijan Pal Singh find themselves on the opposing sides. It all started when Singh began handling Kalam's Twitter and Facebook accounts after his death on July 27, 2015. When the family sought the account details, stating their rights over Kalam's digital assets, Singh changed the username and the handle of his verified Twitter account from @apjabdulkalam to @KalamCentre. At the time of Kalam's death, his verified Twitter account (@apjabdulkalam) had nearly 1.5 million followers and 886 tweets. When this was renamed to @KalamCentre, it stopped being a 'verified' handle. Singh did not hand over the details of this account to the family but the details of a new Twitter account that he'd created with the same handle, @apjabdulkalam, which had barely 50 followers. Incidentally, Kalam's original Twitter account had 829 tweets (at the time of going to press), implying that some of Kalam's tweets have been deleted since his death. Regarding Kalam's Facebook page (Facebook.com/kalamcentre), Singh maintains that its username has always been Kalam Centre and that it doesn't belong to the family.

"These are digital assets of a former President of India. He (Singh) is changing the legacy by changing the name and handle of his Twitter account," says Kalam's grandnephew APJMJ Sheik Dawood, insisting that the account details should be given to the family. "Everybody was following Kalam and not anything or anybody else. He shouldn't have changed the name or handle."

Singh contends that since he was the one who created and managed Kalam's social media presence, he has sole rights over these assets. "Dr Kalam's social media accounts were started to spread the message about his ideologies. I am here to continue his mission... whoever handles his accounts should be in sync with his ideologies," says the 32-year-old. "I practically lived with him in the same house in the last few years of his life and was very close to him. I understood him."

Trust in times of tweets

Ask if his actions tantamount to misleading Kalam's followers and the public at large, Singh is dismissive. "On March 18, 2017, we informed our (Kalam Centre) users of the name change through a tweet, and so it is up to them to follow who they like. There are already plenty of fan pages and other accounts running in his name," says Singh.

Even as he defends his position, the fact that he was using Kalam's verified account for nearly 20 months after his demise can be seen as a breach of the right of reputation. "Posting or tweeting on behalf of a deceased person is breaching their right of reputation," says Chinmayi Arun, executive director, Centre for Communication Governance (CCG) at National Law University, Delhi. Third party agents, according to Arun, should refrain from impersonating their principals in the same manner that secretaries and administrators refrain from impersonating their employers. "In case of an individual's demise, the agents are expected to handover everything to the heirs and this should also apply to digital accounts," she says.

On its part, Twitter India refused to comment when contacted and pointed this reporter to the site's support page on deceased or incapacitated users. The micro-blogging site makes it clear on its website that it does not provide account access to anyone regardless of their relationship with the deceased person, and added that "this policy is about deactivating accounts, not transferring ownership of accounts".

Emails to Facebook India's corporate communication head remained unanswered. The social networking site states on its pages that it neither approves the inheritance of a user's account nor permits using an account following a user's demise. Instagram lists a similar policy and states that an account can be memoralised or removed after the user's demise.

Black, white & grey

While social networking sites' policies clearly mention that an individual user account should be operated by the person him/herself, it is common knowledge that celebrities often outsource the management of their social media accounts to digital and social media agencies or to a select team under their direct watch. They too tread nebulous waters. Digital marketing agency, EveryMedia Technologies, which manages celebrity accounts, states that although there is no clause regarding the protocol to be followed in the case of a client's death, they would do as per the social platform's guidelines after due consent from the family. "Our contracts do not have a clause that states the way forward in case of demise of the account holder and we hope such a day doesn't come," says Gautam B Thakker, CEO, EveryMedia Technologies. "In the event of such an unfortunate incident, the standard operating procedure would be to convert the account into a legacy account and memorialise it for fans and well-wishers or to deactivate and close it — whatever the social platforms' and the client's family permits."

Daksh Juneja says of Avignyata Inc specifies that the work is based on strict contracts, which never mention the course of action to be taken in case of the personality's death. "There is no contractual obligation towards the IPR rights for a celebratory client on both sides but it's important to share the access of the social media pages with the person's manager or a family member," says Juneja, the chief operating officer of the Mumbai-based digital agency, which handles social media accounts of Bollywood celebrities and sportsmen.

Supreme Court advocate and an expert in cyber law, Pavan Duggal, points out that the terms and conditions of social networking sites aren't clear. "Deactivating accounts can amount to loss of data, which can be used for reference and research. I think more clarity is required," says Duggal. "When a person has an account, only he/she should access it. However, if a person has an agent, then (in the case of death), the principle of agent applies."

Courtside view

Given the reluctance of social media platforms to engage and the lack of clarity as highlighted in the case of Kalam's accounts points to several questions — from handing over the digital accounts, intellectual property rights, right to reputation as well as unambiguous policies by service providers. Taking about Kalam's accounts, Duggal feels his family is the rightful legal heir to his digital assets. "The family should approach the court and file a case against Singh under the Information Technology Act and under IPC section 408 — criminal breach of trust," he says. "They can also reach out to service providers, and if they don't co-operate, they too can be sued under the IT Act."

Duggal strongly believes that "if a person has died without specifying, then his/her digital presence or accounts being a digital property, should be treated as movable assets and should pass on to the legal heir or representatives of the deceased person rather than to an NGO".

According to Sunil Abraham, executive director at Centre for Internet and Society, Twitter India should help settle the Kalam case using its existing policy. "And if there is no space for a legacy contact, they might consider resetting the password so that nobody has access to it and then they can memorialise the account," says Abraham. "Social media accounts are increasingly being enumerated under digital assets in wills. Once the asset has been transferred to the heir, the heir can choose to transfer the account to another person or organisation for their services in maintaining the account. While this is not explicitly provided for in the law, there is no prohibition either."

WHEN THEY DIED...

Among the eminent personalities whose social media accounts continue to be operational after their demise are anti-apartheid leader and former president of South Africa Nelson Mandela, pop star Michael Jackson and boxing legend Muhammad Ali.

While Mandela's account has been turned into a foundation, Ali's account states that it pays tribute to the boxing legend. Jackson's account mentions nothing about the fact that he died in 2009. Their Twitter and Facebook pages witness a tweet or a post every few days. Both Jackson and Ali also have verified accounts on Instagram; their photos are posted every now and then.

Among the celebrities whose accounts have been left inactive are Bollywood actress Jiah Khan, television actress Pratyusha Banerjee and British singer-songwriter George Michael. While Khan's last tweet (on May 23, 2013) was an apology message for staying away from the social networking site, Michael had shared his song Heartbreak a day before Valentine's Day on February 12, 2016. Banerjee had tweeted '#prayforparis #prayfortheworld' on November 15, 2015, showing her support against the terrorist attack in Paris on November 13, 2015. This was her last tweet before she was found hanging in her apartment in Mumbai on April 1, 2016.

For more details visit https://cis-india.org/internet-governance/news/dna-may-28-2017-heena-khandelwal-tweets-from-the-afterlife