We are anonymous, we are legion

Faking it on WhatsApp: How India's favourite messaging app is turning into a rumour mill

praskrishna — 2017-05-19T14:44:05Z

Spreading fast and wild on WhatsApp fake news about riots, ‘miracle’ currency

The article by Samarth Bansal was published in the Hindustan Times on May 19, 2017. Pranesh Prakash was quoted.

It didn’t take long after demonetisation for almost everyone to hear about the ‘special properties’ of the new Rs 2000 note, which was said to include a ‘built-in GPS-enabled nano-chip’. News of this high-tech feature spread rapidly, even though there was no notification about it from the Reserve Bank of India or any other government department. What there was, instead, was a popular WhatsApp message.

WhatsApp messages were involved in another fake-news controversy the very same month, when word of a salt shortage in North India spread widely. The fake news unleashed panic, and in Hyderabad, among other places, salt prices increased by a factor of four. It even extracted a victim, a woman died in Bakarganj Bazaar, Kanpur, when she slipped and fell into a drain in a panicked buying melee.

This isn’t the only time that fake news that circulated on WhatsApp led to violence. In 2013, messages sent on WhatsApp helped to incite riots in Muzaffarnagar. A two-year old video of a lynching in Pakistan was mischievously promoted as an attack on two Hindu boys by Muslims in Kawal village of Muzaffarnagar. The video, in turn, provoked calls for revenge. Though the police blocked the video on the internet, its spread could not be stopped on the app.

Facebook, WhatsApp’s parent company, has faced much flak for not curbing the circulation of fake news. On its part, Facebook has now said it will try to flag questionable news stories with the help of users and external fact checkers to cope with this problem.

But the instant messaging app poses similar challenges in a particularly intractable form. WhatsApp offers a particularly private medium of communication, something many people like about it. A case currently being heard at the Supreme Court of India concerns the protection of this very quality — while WhatsApp would like to allow Facebook to access its user data, a PIL contends that this move would be a violation of privacy.

The same factors of WhatsApp’s design that protect its users also make it difficult or impossible to study many aspects of communication on the platform. Even as anecdotal evidence piles up that WhatsApp is being used to distribute fake news, then, it remains hard to know just what is happening or what can be done in response.

Facebook vs WhatsApp

The differences between WhatsApp and Facebook dictate the ways people share news on each platform. “Facebook is a social platform where people express their concerns, react, and build perceptions based on an individual’s posts,” says Anoop Mishra, a digital marketing and social media consultant. “However, on WhatsApp, which is an end-to-end messaging platform, people share content in a more personal and closed way.”

It is because the primary mode of sharing on instant messaging apps is one-to-one, as opposed to the one-to-many relationship on Facebook, that the former feels more personal. This personal quality of most of the content shared directly or on small groups via WhatsApp carries with it the implicit endorsement of people you know. Given that the app is now a large and growing part of people’s lives on mobile devices, the way it influences news consumption demands more attention. “Lack of content moderation and privacy controls gives WhatsApp an edge over Facebook for sharing any type of multimedia content,” says Mishra.

For instance, to get your friends’ attention on Facebook, you need to tag them. Not every post by every friend shows up on your news feed; what you see is dictated by an algorithm. WhatsApp has a big advantage here since it works like a text message. You know that your message will be received by everyone you send it to.

A black hole for content

There is no non-anecdotal way to track the spread of content on WhatsApp. Facebook, for instance, is compatible with analytics tools capable of determining that a particular news report has been shared 7,000 times, say, or viewed 20,000 times.

Such analysis is not feasible with WhatsApp, which offers no way to mine social media data to understand the patterns, trends, or reach of any given message. Even its original source is completely opaque. What is true of particular texts also applies to the total sum of activity on WhatsApp: it is impossible to determine what kinds of messages the public is sharing most, what sorts of conditions people are sharing these messages in, or where in the world they are spreading.

Surpassing one billion

WhatsApp arrived in India at the beginning of the decade. At that time, chat apps were generally considered to be interchangeable with text messages. Today they’re widely understood to support sharing of all forms of multimedia content — photos, videos, audio files and even text documents.

Simplicity is one of WhatsApp’s signature virtues. All you need to do is download it: the programme automatically scans your phone book and links up with your contacts who are also users. Crucially, you don’t even need a password. According to Guide to Chat Apps, a report by the Tow Center for Digital Journalism at Columbia University, the requirement of a password is “a significant barrier to entry for many people in emerging markets when it comes to other apps and social media platforms.”

In February 2016, WhatsApp crossed the one billion mark for active users worldwide. India is its largest market, with about 160 million active users.

WhatsApping the news

WhatsApp’s reach and growing role in the consumption of photos and videos has prompted media companies to take it seriously as a distribution channel. A report by the Reuters Institute for the Study of Journalism highlights the increasing adoption of new social networks among young people and the growing importance of recommendations as a gateway to news. “The digital generation expects the news to come to them,” says the report’s author journalist Nic Newman in a press release. “Young people rarely go directly to a mainstream news website anymore.”

But unlike apps like WeChat and Snapchat, which are gaining currency among millennials, WhatsApp hasn’t positioned itself as a media distribution platform. Media organisations have been experimenting nonetheless. For instance, the BBC ran pilots on WhatsApp and WeChat for the Indian elections in 2014. Users subscribed to the BBC news service on WhatsApp by adding a number to their contacts and sending a request message to join. They were then put on a broadcast list that sent them up to three updates a day in Hindi and English. Many media outlets, including ours, now have a WhatsApp sharing icon on their mobile websites.

For all its susceptibility to the dissemination of fake news, WhatsApp presents unique challenges to the mass sharing of content, just as it does for the mass tracking of it. It has no official application program interface (API), the service which allows programmers to build applications that automate the functions of a platform. “An official WhatsApp API release could spawn an entirely new industry of startups, in much the same way that the release of Twitter’s API did,” says the Tow Center report. “Except this time, it could be even bigger, given WhatsApp’s near-billion account user base.” Reaching out to a wider audience on WhatsApp — with either fake or authentic news — needs to be performed manually, via broadcast lists, which allow you to send the same message to many people at once, and groups.

State of control

Fake news might lead only to harmless speculation or minor inconvenience, as it did with rumours about the Rs 2000 note, or it could be dangerous, as was the case during the Muzaffarnagar riots. Pranesh Prakash, a policy director at the Centre for Internet and Society, a research and advocacy group focused on digital technology, believes that social media rumours gain potency after the imposition of censorship, under which people begin to wonder what the government is trying to conceal. “There is no way rumours can be completely quelled,” he says, “but the state can act against rumours through clear communication that calls out particular rumours, and tells people not to believe them.”

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-samarth-bansal-faking-it-on-whatsapp-how-india-s-favourite-messaging-app-turned-into-a-rumour-mill

A 13-year-old's rape in TN highlights the major threat online sexual grooming poses to children

praskrishna — 2017-05-19T10:16:40Z

Predatory paedophiles online pose a major threat to children who form 7% of internet users in India.

The blog post by Priyanka Thirumurthy was published by News Minute on May 6, 2017. Pranesh Prakash was quoted.

It was a usual practice, for 13-year-old Meena* from Tirupur to log into her father's Facebook account when she came home from school. While she was scrolling through his timeline one day, she received and accepted a friend request from a profile named Siva Idiot on Facebook. When this 'new friend' sent her a “hi” on chat, the young girl found no reason to ignore this message. Over the next 10 days, they chatted incessantly and she revealed all her personal details - where she lived, studied, who her parents were and even her phone number. Siva Idiot then proceeded to begin calling her on a mobile phone and their conversations lasted hours.

Meanwhile, miffed by her lack of focus on her studies, Meena's parents often chastised her and threatened to take away her laptop and mobile phone. An upset Meena proceeded to complain to Siva Idiot about the 'problems' she faced, who provided emotional support to the teenager. He even offered to come meet her outside her home.

Meena's parents were out in their offices till 8pm every day and Siva Idiot knew this. He met Meena outside her home, when she was still upset about her parents' advice. Her 'friend' then convinced the teenager to leave her house and marry him. Fifteen days after she first spoke to him on Facebook, 13-year-old Meena ran away from home to 'get married' to 22-year-old Ibrahim.

Online sexual grooming

"This is a classic case of sexual grooming," says Vidya Reddy, of Tulir, Centre for Prevention and Healing of Child Sexual Abuse. "Abusers study a situation carefully to understand what a child's Achilles heel is and then exploit the situation. Now, with almost every child having accesses to technology and internet in the form of a laptop or phone, these criminals have found new platforms to target children," she adds.

What Vidya explains is called online sexual grooming, a worldwide phenomenon, that has spread along with the speed and easy access to the internet. According to UNICEF, it can be defined as preparing a child or adult for sexual abuse, exploitation or ideological manipulation. A report released by the organisation in 2014 states that the surge in mobile and internet usage in India had brought 400 million people online. Of this, seven percent of internet users in the country are reportedly children.

"Phones are now an extension of our hands and it has completely changed the way crime is committed and presented, " Vidya notes.

Even a report of the Parliamentary Committee on Information Technology in 2014 recognized the threat posed to children by predatory paedophiles online. It emphasises how these predators "conceal their true identity whilst using the internet to ‘groom’ potential victims for sexual purposes."

From home to horror

Meena too was unaware about the identity of the person she was chatting with. In fact, an officer told The News Minute, that it was only when Ibrahim called her on the phone that she even realised she had compromised all her data to an unknown man. But Ibrahim, as the police put it, was too smart for the girl.

"He spoke to her very nicely and formed an emotional connect before she even realised the dangers of the situation," a police officer told The News Minute. "He was just somebody who did odd jobs for a living but his real life was on Facebook. He has close to 5000 friends and they are all young girls," she admits.

On April 27, Ibrahim and Meena made their way to Puducherry, where they took shelter at his friend Prabhakar’s motel. That very night, Meena was allegedly raped. The next morning, Ibrahim's phone somehow came into her possession and when the child surfed through the picture gallery, fresh horror awaited her. It was filled with obscene pictures and videos of young women and children. Shocked, Meena confronted Ibrahim about this and the two got into a loud fight. An angry Ibrahim then abused the teenager who refused to leave with him and abandoned her in the lodge.

When the hotel manager and Ibrahim's friend Prabhakaran came to investigate the source of commotion, he found a devastated Meena alone in the room. In an effort to ‘cheer her up’ he took her out to eat and bought her clothes. As Meena changed in the room, Prabhakaran allegedly waited outside to make his move. He went into the room with a yellow thread in hand, and when she was ready, tied it around her neck and declared that they were married. He then proceeded, according to officials, to sexually assault the girl.

Prabhakaran had even mortgaged all her jewellery, given her some money and pocketed the rest. On April 29, the frightened and devastated teenager managed to escape from the lodge and make a call to her house from a nearby bus stop. By then, her parents had already filed a missing girl complaint with the Tirupur North police and were frantically searching for her.

The need to intervene

According to the UNICEF report, India falls largely short in terms of awareness about online child sexual abuse and exploitation. Parents, it claims, are not aware of the risks the internet poses and therefore do not respond effectively to this form of harassment.

"This case shows that parents and schools have to spend more time educating their wards on online safety. In many schools, non- digital safety lessons are imparted such as good touch and bad touch. But when it comes to the internet, they don't even impart basic lessons," says Pranesh Prakash, Director of the Centre for Internet and Society.

Pranesh argues that while parents cannot monitor children's activity on the internet the whole day, they can ensure they have a trusting relationship with their children. This he claims will create dialogue on the child's activity on the internet or social media and create awareness.

"In this crime, details shared online, led to an offline meeting. So, children must be taught to not share addresses, personal details or meet such 'friends' without their parents' knowledge." he adds.

In India, two major challenges are the lack of a uniform terminology and lacunae in law as far as sexual grooming of children is concerned. Some key legal instruments meant to protect children, predate technological advances. For example, the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography does not criminalize online sexual grooming.

Establishing the criminality of sexual grooming or even sexting is difficult in view of the potential for misuse of the law, states the UNICEF report.

Back home and healing

Following her desperate phone call, Tirupur police rescued Meena, and went on to arrest Ibrahim in Pondicherry on April 30. Prabhakaran was arrested on May 2. They have been booked under the Protection of Children from Sexual Offences Act (POCSO) and other sections of the Indian Penal Code. Police are now investigating if Ibrahim and Prabahakaran have been involved in crimes of this nature in the past as well.

"There is only so much parents can do. They work till eight in the night and children who come back from school at 4pm, have four unsupervised hours to themselves. The only thing they can do is keep a password and stop children from using social media accounts," says the investigating officer, who observes that a number of children chat with strangers, making it difficult to keep track.

Vidya Reddy too expresses shock at sheer number of teenagers who chat with strangers online. The Tulir Director recounts horrific cases, including one where a 16-year-old girl was sexually assaulted and then blackmailed with videos of the abuse. The perpetrator allegedly threatened to leak the images if girl did not bring another child for him to rape.

While sexual grooming and other forms of online sexual abuse are common across the world, in India it takes a unique shape in South Asia. "Our society creates a repressive atmosphere, as far as engagement with the other gender is concerned. So, when the conversation is online, teenagers will risk their safety to push boundaries and the anonymity the internet provides has made this whole set up even more dangerous," concludes Vidya Reddy.

*Name changed

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-6-2017-a-13-year-olds-rape-in-tn-highlights-the-major-threat-online-sexual-grooming-poses-to-children

Aadhaar security: Here's how your private information can be protected

praskrishna — 2017-05-19T10:05:25Z

Lock Aadhaar, and notify UIDAI if you get a one-time-password for a transaction you did not initiate

The article by Sanjay Kumar Singh was published in the Business Standard on May 11, 2017. Udbhav Tiwari was quoted.

The linking of Aadhaar — the 12-digit unique identification number for Indian residents — across various benefits is going through a roller-coaster ride. On one hand, the government, keen to make it mandatory, is linking it with filing of income-tax returns and benefits. But, on the other, many are uncomfortable with it because of privacy issues and leakages that have been reported recently. The Supreme Court, on Tuesday, referred another fresh plea challenging the Aadhaar Act and its mandatory use in government schemes to a larger Constitution bench.

There has been several reports that say that Aadhaar numbers and other personal data are being leaked. Bengaluru-based Centre for Internet and Society (CIS) has published a report (titled Information security practices of Aadhaar, or lack thereof) where it lists four government departments that have posted Aadhaar numbers and other personal information of people. According to the report, an estimated 130-135 million Aadhaar numbers and 100 million bank account numbers were posted on the four portals that the CIS researchers checked. Normally such data should be kept on the government’s intranet, where only authorised people can access it. However, a few government departments have uploaded this data on their websites. In many cases, the data was in excel format, making it all the more easy for people to download and misuse it. The worst part: If your data is stolen, you cannot file even a First Information Report with the police. Only the nodal body, the Unique Identification Authority of India (UIDAI), can file a police complaint.

Your data can be misused: Experts say that leakage of Aadhaar numbers and other personal information into the public domain violates peoples’ privacy. “Your name, phone number, address, bank account number and Aadhaar number are personal information. Only you have the right to decide whether to release such information to others. Such data shouldn’t be complied in excel sheets in large numbers and be freely accessible on the internet to everyone," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Tele-marketers and advertisers will have access to the personal information of all those people. More serious problems such as identity theft can occur. Says Smitha Krishna Prasad, project manager, Centre for Communication Governance at National Law University, Delhi: “The more sensitive information a person has about you, the easier it becomes to impersonate you when that person is speaking to, say, a bank." The impersonator could open a bank account or even take a loan in your name.

Suppose a hacker gets your email ID. “He will use the ‘password reset or forgot password’ feature to change your password and get access to your account. This feature poses questions based on personal info about you. Any such data collected about you comes useful here. Such hackers mine a lot of data about potential victims from all possible sources," says Shomiron Das Gupta of NetMonastery, a threat management provider. In the email, he could find info about your bank account, credit card account, etc, and cause financial losses to you.

Serious risks can also arise if someone manages to breach the biometric authentication or one-time password (OTP) required for using the Aadhaar system. “It is possible to copy an individual’s fingerprints, and replicate them using very commonly available resins. It is also possible for hackers to capture the data being communicated between a telephone tower and a mobile phone, especially if it is poorly encrypted. This will allow the hacker to see the OTP. Admittedly, this does require expertise and a targeted effort vis-a-vis an individual," says Tiwari. Now that the Aadhaar numbers of so many people have been divulged, someone could utilise their identities to steal their government-granted benefits, or obtain a SIM card, which could then be misused. Raman Jit Singh Chima, policy director, Access Now, says at many places where the Aadhaar number is required today, no biometric authentication is done. So just the number can be used to impersonate you.

Lock your biometrics: If your Aadhaar number and other personal information have been leaked, here are a few steps you can take to safeguard yourself. One, be wary of any calls you receive asking for additional details, which may not have been leaked already. Be equally wary if you receive a call wherein someone rattles off your personal data and asks you to verify it. The caller could pretend to be calling from your bank. It is best not to reveal or confirm any information over the phone at all. Two, you have the option to lock your biometric data online. Even if someone manages to steal your fingerprint, he will not be able to use it if you have locked your biometric data (see table). Also, if you get an OTP on your phone for an Aadhaar utilisation that you did not initiate, notify the UIDAI, and thus ensure that no transaction is carried out using your Aadhaar account.

Need for a privacy law: To prevent data leaks in the future, the government needs to sensitise state government officials who work with Aadhaar data about the need to protect the its privacy. More importantly, India needs a comprehensive data protection law. At present, there is limited provision in the Information Technology Act of 2008 under which you can file a civil case against a corporate that has leaked your personal information. “The person affected by data leakage has to show that he has suffered wrongful loss, or somebody else has enjoyed a wrongful gain, and then claim compensation," says Prasad.

After the Radia tapes incident, the government had said it would pass a comprehensive privacy law. “This law would lead to the creation of a data protection authority with enforcement powers, which would be able to penalise both companies and government bodies violating privacy principles. Despite the process beginning in 2012-13, and multiple drafts being leaked into the public domain, there has not been much progress on this count," says Chima. He adds that when the privacy law becomes a reality, any part of the Aadhaar Act that is contrary to it should also be amended.

How to lock your biometric data online

Go to the UIDAI web site: https://uidai.gov.inGo to Aadhaar services, then Lock/Unlock Biometrics Enter Aadhaar number Enter security code that appears below the Aadhaar numberYou will receive an OTP on your registered mobile number. Enter it Click ‘Verify’Click box against ‘Enable biometric lock’Click on Submit buttonSame procedure can be repeated to disable biometric lock.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-aadhaar-security-here-is-how-your-private-information-can-be-protected

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Third Multistakeholder Consultation on Encryption

praskrishna — 2017-05-19T09:42:49Z

Udbhav Tiwari represented CIS at the Third and Final Multistakeholder Consultation on Encryption held at the Taj Palace, New Delhi on May 11, 2017. The event was organised by the Observer Research Foundation, New Delhi. Saikat Dutta and Japreet Grewal were also present at the round-table discussion.

The discussion centred around issues such as trust between the government and citizens, key lengths, standards for device encryption and sector-specific security regulations. The primary goal of the meeting was to influence the second iteration of the draft encryption policy, expected soon, which will have bearing on data protection policies, access of law enforcement agencies to electronic information, and the ease of doing business in India's digital economy.

The main questions in the discussion were:

Should the National Encryption policy mandate key lengths for encryption of communications?
Should the policy require the registration of encryption service providers to operate in the Indian market?
What are the challenged faced in the enforcement of the policy?
What steps can the Indian government take to encourage R&D in domestic cryptographic services and products?

Dr. Gulshan Rai, the National Cyber Security Coordinator, was also present in the meeting and provided valuable inputs.

For more details visit https://cis-india.org/internet-governance/news/third-multistakeholder-consultation-on-encryption

UIDAI puts posers to CIS over Aadhaar data leak claim

praskrishna — 2017-05-19T09:28:33Z

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.

The article originally published by PTI was also published by the Financial Express on May 19, 2017.

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.

Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.

Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.

The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.

The UIDAI letter comes after a CIS’ report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.

However, in a apparent course correction on May 16, a day before the UIDAI’s letter went out — CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.

For more details visit https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

IT companies in Bengaluru on high alert over WannaCry ransomware

praskrishna — 2017-05-19T09:05:46Z

In the wake of the ransomware attack triggered by WannaCry virus, IT firms in Bengaluru are racing against time to updating their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared holiday for a day or two for their employees.

The article by Kiran Parashar K M & Shruthi H M was published in the New Indian Express on May 17, 2017. Pranesh Prakash was quoted.

Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been communicated to be aware of unsolicited emails and were asked to stay away from work at a few places where the security systems update was in progress.

A network engineer of a secondary source software firm, who provides security solutions, said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”
“Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.

Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”

Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.
“Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.

Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”

WannaCry under reported

The Indian Cyber Army sources said that there has been under reporting of such incidents as many individuals use pirated version of the Windows software. Also, people have no idea whom to report if they fall prey to WannaCry.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware

Google, Facebook's AI group adds new members

praskrishna — 2017-05-19T08:56:31Z

CIS is one of the organizations.

Written by Jens Meyer from AP this was mirrored by Axios on May 16, 2017.

A group trying to demystify artificial intelligence with backing from companies like Google, Facebook, Apple and Microsoft is bolstering its ranks with 22 organizations in total.

New members in the Partnership on AI include:

Companies like Salesforce, Sony and Intel.
Non-profit advocacy groups including the Electronic Frontier Foundation, the Center for Democracy and Technology and the Future of Privacy Forum.
The list also includes Washington-based consultancy Upturn, which has worked on issues related to how big data collides with civil rights. The ACLU was already involved as a partner in the group.

Why it matters: The new corporate members of the partnership show how widespread interest in AI has become. And the high-level advocacy non-profits joining the partnership shows how AI is on a collision course with questions about privacy and discrimination.

For more details visit https://cis-india.org/internet-governance/news/axios-may-16-2017-google-and-facebook-artificial-intelligence-group-adds-new-members

22 nieuwe leden voor Partnership on AI

praskrishna — 2017-05-19T06:54:20Z

Partnership on AI, een non-profit organisatie ter bevordering van het algemeen begrip van kunstmatige intelligentie en de ontwikkeling van best practices, heeft 22 nieuwe leden aangekondigd.

The news was published by Telecom Paper on May 17, 2017.

Tot de nieuwe leden behoren eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, en de XPRIZE Foundation. Partnership on AI werd vorig jaar september opgericht. Tot de oprichters behoren onder meer Amazon, Facebook, IBM, Microsoft, Google DeepMind en Apple.

For more details visit https://cis-india.org/internet-governance/news/telecom-paper-may-17-2017-22-nieuwe-leden-voor-partnership-on-ai

Intel, eBay, SAP, Salesforce y Sony colaborarán en inteligencia artificial

praskrishna — 2017-05-19T06:50:06Z

Junto a otras empresas como Zalando, McKinsey & Company o Cogitai han decidido unirse a la asociación Partnership on AI impulsada por Amazon, Google, Facebook, IBM y Microsoft.

The blog post by Monica Tilves was published by Silicon on May 17, 2017.

El año pasado, Amazon, Google, Facebook, IBM y Microsoft dieron vida a Partnership on AI, una organización “para avanzar en la comprensión pública de las tecnologías de inteligencia artificial” y “formular las mejores prácticas sobre los desafíos y oportunidades en el campo”.

A esta iniciativa se han ido uniendo con el paso del tiempo compañías como Apple, que se sumó en enero a Partnership on AI. Ahora sus responsables han anunciado la incorporación de nada más y nada menos que veintidós nuevos nombres.

Por un lado trabajarán con esta asociación las firmas tecnológicas Cogitai, eBay, Intel, Salesforce, SAP y Sony. Además de McKinsey & Company y Zalando.

Cabe destacar que por parte de Intel, Salesforce, SAP y Sony participarán, respectivamente, el responsable del AI Products Group formado hace unos meses en la compañía de Santa Clara, Yinyin Liu; el vicepresidente de Machine Learning, Markus Noga, el científico jefe Richard Socher; y el director de Sony Computer Science Laboratories, Hiroaki Kitano.

En la lista de nuevos socios también aparecen los nombres de catorce entidades sin ánimo de lucro como UNICEF. El resto serían: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, Upturn y XPRIZE Foundation.

Se espera que nuevas compañías se vayan uniendo a Partnership on AI en el futuro para ahondar en el pujante tema de la inteligencia artificial.

Partnership on AI se encuentra en estos momentos en plena búsqueda de un director ejecutivo que se encargue de supervisar las operaciones de la organización.

For more details visit https://cis-india.org/internet-governance/news/silicon-monica-tilves-may-17-2017-intel-ebay-sap-salesforce-sony-collaboration-aritificial-intelligence

Partnership on AI adds new organizations to its network

praskrishna — 2017-05-19T06:40:08Z

The Partnership on AI to Benefit People and Society (Partnership on AI) is strengthening its network of partners by welcoming new organizations to share their diverse, unique perspectives on AI.

The blog post by Madison Moore was published in Software Development Times on May 17, 2017.

Earlier in the year, Partnership on AI brought in Apple and six nonprofit board members to serve on the board of directors. This week, the partnership announced that 22 new organizations will join the Partnership on AI, and these organizations will work and support the board of directors.

The Partnership on AI is welcoming eight new for-profit partners, including eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, and Zalando, along with the start-up Cogitai.

The fourteen non-profit Partners that joined include: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

Some of the representatives from these newly added organizations include Dr. Hiroaki Kitano, who is the head of Sony Computer Science Laboratories. Other collaborators include Chris Fabian, who leads the Ventures team in UNICEF’s Office of Innovation. SAP’s Dr. Markus Noga, who has led efforts applying machine learning to business problems, is also joining the partnership.

Additionally, the partnership will move forward with one other initiative, and that is to form a cross-conference “AI, People, and Society” Best Paper Award, and start an AI Grand Challenge series, which will focus on addressing long-term social and societal issues around artificial intelligence.

The partnership is also in the process of finding an executive director, and that person will oversee day-to-day operation of the organization.

For more details visit https://cis-india.org/internet-governance/news/sd-times-may-17-partnership-on-ai-adds-new-organizations-to-its-network

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Intel, Salesforce, eBay, Sony and others join the grand AI partnership club

praskrishna — 2017-05-19T06:25:24Z

Adding more ammunition to the grand AI alliance, Intel, Salesforce, eBay, Sony, SAP, McKinsey & Company, Zalando and Cogitai are joining the Partnership on AI, a collection of companies and non-profits that have committed to share best practices and communicating openly about the prospects and challenges of artificial intelligence research.

This was published by CIOL on May 17, 2017.

The group also announced a slew of non-profit partners including the Allen Institute for Artificial Intelligence, the AI Forum of New Zealand, the Centre for Democracy & Technology, the Centre for Internet and Society (India), Data & Society Research Institute among others.

The new members expand a group that already counts heavyweights like Facebook, Amazon, Google, IBM, Microsoft and Apple.

The platform will be hosting a series of AI Grand Challenges to encourage and incentivize researchers working on AI. It has also announced an award for best paper on the topic of “AI, People, and Society” to aid in addressing a similar goal.

The partnership group also said that it will create working groups to research and define best practices for specific topics and sectors within the field. It’s also creating a fellowship to assist nonprofits and nongovernmental organisations looking to participate in AI issues.

Interestingly, the group is still open which means the list will only get longer in the coming months.

For more details visit https://cis-india.org/internet-governance/news/ciol-may-17-2017-intel-salesforce-ebay-sony-and-others-join-the-grand-ai-partnership-club