We are anonymous, we are legion

Aadhaar data leaks not from UIDAI: Centre

praskrishna — 2017-05-20T08:27:28Z

Aadhaar is foolproof, it tells SC

The article by Krishnadas Rajagopal was published in the Hindu on May 3, 2017.

Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.

Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.

The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.

A-G’s assurance

On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.

For more details visit https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai

Around 130-135M Aadhaar Numbers published on 4 sites alone

praskrishna — 2017-05-20T10:52:26Z

“Therefore, there is no data leak, there is no systematic problem, but, if any one tries to be smart, the law ignites into action.” – Ravi Shankar Prasad, IT Minister, in the Rajya Sabha, on 10th April 2017.

The blog post by Nikhil Pahwa was published by Medianama on May 4, 2017.

Details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme (NREGA), Daily Online Payments Reports under NREGA (Govt of Andhra Pradesh), and the Chandranna Bima Scheme (Govt of Andhra Pradesh), as per a research report from the Centre for Internet and Society.

Download the report here. Read full story on Medianama website.

For more details visit https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-4-2017-around-130-135-m-aadhaar-numbers-published-on-four-sites-alone

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T11:10:37Z

The article was published by DNA on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

১৩ কোটি আধার তথ্য ফাঁস চার সরকারি পোর্টাল থেকে! বিস্ফোরক দাবি রিপোর্টে

praskrishna — 2017-05-20T11:45:42Z

খোদ সরকারি পোর্টাল থেকে কয়েক কোটি আধার নম্বর ও যাবতীয় তথ্য ‘ফাঁস’!

This was published by Amar Bazar Patrika on May 2, 2017.

অভিযোগ, গত কয়েক মাসে প্রায় ১৩ কোটি আধার নম্বরের যাবতীয় ব্যক্তিগত ও সংবেদনশীল তথ্য ফাঁস হওয়ার ঘটনা ঘটেছে। আর এসবই হয়েছে চারটি সরকারি পোর্টাল থেকে তথ্যপ্রযুক্তি সুরক্ষার ঘাটতির জেরে! যা ঘিরে এখন তোলপাড় দেশ।

সম্প্রতি, এমনই বিস্ফোরক রিপোর্ট প্রকাশ করেছে অলাভদায়ক সংগঠন সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটি (সিআইএস)। তাদের আশঙ্কা, চারটি সরকারি পোর্টালের মাধ্যমে ১০ কোটি মানুষের ব্যাঙ্ক অ্যাকাউন্ট নম্বরও ফাঁস হয়ে থাকতে পারে।

সংস্থার দাবি, যে চারটি পোর্টাল থেকে এই সব তথ্য ফাঁসের অভিযোগ, তার মধ্যে দু’টি অন্ধ্রপ্রদেশ সরকারের ওয়েবসাইট। বাকি দুটি পোর্টাল হল ন্যাশনাল সোশ্যাল অ্যাসিস্ট্যান্স প্রোগ্রাম এবং ন্যাশনাল রুরাল এমপ্লয়মেন্ট গ্যারান্টি স্কিম-এর।

এই গোটা ঘটনার জন্য ইউনিক আইডেন্টিফিকেশন অথরিটি অফ ইন্ডিয়া বা ইউআইডিএআই–কেই দায়ী করেছে সিআইএস। তাদের দাবি, আধার নিয়ন্ত্রক সংস্থার ‘দায়িত্বজ্ঞানহীনতার’ জন্যই এই উদ্ভুত পরিস্থিত সৃষ্টি হয়েছে।

সিএনআই-এর আরও দাবি, বিভিন্ন সরকারি ও বেসরকারি পোর্টাল—যারা আধার তথ্য ব্যবহার করে থাকে, তাদের নিজস্ব সুরক্ষা-ব্যবস্থা খতিয়ে দেখেনি ইউআইডিএআই। ফলত, এই বিপত্তির সম্মুখীন কয়েক কোটি মানুষ।

যদিও, ইউআইডিএআই -এর দাবি, তাদের ডেটাবেস থেকে কোনও তথ্য ফাঁস হয়নি।

For more details visit https://cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

Details of 135 million Aadhaar card holders may have leaked, claims CIS report

praskrishna — 2017-05-20T08:42:57Z

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

The news from the Press Trust of India was published in the Hindustan Times on May 2, 2017.

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS said.

Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

“Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it cautioned.

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

“The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern,” the report added.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T10:42:59Z

The news was published by the Press Trust of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report

Aadhaar Details Of 13.5 Crore People Available On Government Sites

praskrishna — 2017-05-20T11:00:55Z

Up to 13.5 crore Aadhaar numbers can be easily accessed through government portals and nearly three-fourths of these are linked to bank accounts, said non-profit research organisation the Centre For Internet & Society (CIS).

Calling the Unique Identification Authority of India (UIDAI) “extremely irresponsible” in maintaining privacy standards, CIS blamed the Aadhaar governing body for turning a "blind eye" to the lack of standards regarding use of Aadhaar data by private and public bodies

"It is staggering that while these databases have existed in the public domain for months, while framing the Aadhaar Act Regulations in late 2016, the UIDAI did not even deem these as important matters to be addressed by way of regulations or standards," CIS said in a report titled ‘Information Security Practices of Aadhaar (or lack thereof)’.

The CIS report points out several government sites which showcase inefficiently masked Aadhaar codes with sensitive personally identifiable information, also available for download as spreadsheets.

Read the full story on Bloomberg Quint

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

Analysis: Data Protection in India - Getting It Right

praskrishna — 2017-04-28T01:42:42Z

Indian Government Plans Ambitious Data Protection Legislation Rollout by October

The blog post by Suparna Goswami and Varun Haran was published by Info Risk Today on April 26, 2017. Pranesh Prakash was quoted.

The government of India recently informed the Supreme Court of India that it expects to put in place a comprehensive data protection framework by October. The Telecom Regulatory Authority of India will be heading up the initiative and has already started consultations for preparing a draft framework.

The government on April 5 acknowledged that there was no proper regulatory framework to deal with privacy concerns of citizens arising out of "over-the-top" popular messaging services such as Whatsapp, Facebook and Skype. Consequently, the Department of Telecommunications is exploring creating a "regulatory framework" through legislation to address data protection and citizens' privacy concerns.

With the European Union already preparing to enforce its General Data Protection Regulation next year, India may be late to the party. But the need for a data protection and privacy law in India is pressing. And when it's enacted, it will define provisions for protecting sensitive personally identifiable information and spell out liabilities in the event PII gets breached.

Many security practitioners, however, say the government's goal of having a law by October seems aggressive.

Shivangi Nadkarni, co-founder & CEO at Arrka Consulting, points out that once the government publishes a draft regulation for public comment, it must allow two months for gathering feedback. "It has to align with the schedule of the Monsoon Session of Parliament if it has to meet the October deadline," Nadkarni says (see: It's Time to get Serious About Privacy).

Existing Provisions

India already has some data protection and privacy provisions in the Information Technology Act 2000, amended in 2008 and the subsequent IT rules defined in 2011. But the IT Act 2000/8 doesn't define sensitive personal information directly and only provides guidance for reasonable security practice and due diligence - the actual implementation standards have not been explicitly prescribed, says Bengaluru-based Na. Vijayashankar, a cyber law expert and information risk consultant.

The current data protection regime is under section 43A of the IT Act 2000/8, and the regulations made thereunder, says Pranesh Prakash, policy director at Bengaluru-based research think tank the Center for Internet and Society. He contends those regulations are weak, do not specify any governmental agency, and do not lay out penalties for violations. Other relevant provisions, such as section 72A, are also far too onerous and aren't ever applied in practice to such cases, he says (see: Pavan Duggal on Why India's Cyberlaw Must Rapidly Evolve).

"Section 43A and the 'reasonable security rules' didn't change much, given the lack of teeth in the regulations, and the onerous job of proving "wrongful gain or wrongful loss" of property due to data breaches," Prakash says. In addition, as a complement to a strong, yet flexible, data protection/data security regime, the government also needs to put in a privacy regime that covers both the private and public sectors, he adds.

Right to Privacy

India lacks a clear framework that categorically recognizes the sanctity of privacy, says J. Sai Deepak, an independent cyber law expert and arguing counsel at the Delhi High Court. Because the status of the fundamental right to privacy is yet to be adjudicated upon by the Supreme Court, Sai Deepak is uncertain of the basis on which the regulatory mechanism that the government is developing, would function (see: Why India Needs Comprehensive Privacy Law).

"This is important because if you treat privacy as a fundamental right, then the mechanism has to take into account the constitutional obligations and limitations that come with such treatment," Sai Deepak says. A telecom-centric or a single sector-centric approach to privacy as a reaction to a particular litigation may do more harm than good, he adds (see: Re-Evaluating Privacy in India).

"I hope the government goes beyond this context and addresses privacy comprehensively. It is for this reason that I am not sure TRAI is the best entity to vest this mandate with," he says. "After all, we are looking at safeguarding privacy even outside the telecom sphere" he adds.

The government needs to clearly spell out all principles and rights of individuals in the context of privacy as a foundation, experts say.

"Declare that privacy is a right of an Indian citizen and is protected by law," Vijayashankar says. The law should apply to protection of data in any form and require appropriate security measures to be adopted by anyone who collects, processes and manages PII, he adds (see: Privacy: Why India Inc. Needs It).

Viable Roadmap

Vinayak Godse, senior director at Data Security Council of India, says Indian companies, including IT services and outsourcing firms, are losing in European markets because of the high data protection standards followed in those countries.

"We have already been struggling in some markets as our data protection mechanisms don't match to the evolving global expectations for privacy," Godse says. "Questions have been raised by several geographies especially EU on India's regulatory posture in terms of data protection." (See: India's 2015 Data Privacy Agenda)

Vijayashankar says India needs to immediately appoint a data commissioner to efficiently address data privacy violations, which are currently being judged under ITA 2000/8. This will also help Indian enterprises that conduct business with the EU when the GDPR is enforced starting May 25, 2018 (see: How Will Europe's GDPR Affect Businesses Worldwide?).

Nadkarni of Arrka says the framework should:

Clearly define and articulate what qualifies a personal information.
Clearly spell out all principles and rights of individuals in the context of privacy and elaborate on specific aspects as required within each principle/ right.

The Justice AP Shah committee report of 2012 which proposed comprehensive set of data privacy principles and measures had a wide acceptance by various stakeholders, and should be a good starting point to draft an omnibus data privacy law in India, says Srinivas Poosarla, vice president and head (global), privacy & data protection at Infosys.

While the way the enforcement of any such law enacted, would differ at the center and at state level, some of the areas that Poosarla contends need attention are:

Mandating that organizations appoint data privacy officers;
Providing platforms to report grievances and receive compensation from organizations in a timely manner;
Ensuring accountability of organizations for data privacy and to have them promptly report any data breach to affected individuals where there is likely to be material impact;
Identifying and empowering a body at national or state level to enforce implementation of the law.

GDPR as a Model

Nadkarni suggests that the EU's GDPR would be a good benchmark for India. Poosarla and others also agree that the EU GDPR is a good template to draw from. Most importantly, the government should involve all stakeholders, especially privacy and data security advocates, in the drafting of the law, they say.

The best practices and principles from GDPR should be adopted, keeping the cultural and demographic needs of Indian society in mind, Vijayshankar adds.

Prakash of CIS notes: "Any law must keep the evolution of technology in mind. The law can't be so rigid that technological developments are prevented, nor can it be so flexible that technology defeats the basic guarantees provided by the law. For instance, the role of "consent" in a world where indefinite consent is easily obtained by inserting a clause in a long standard-form contract that no one reads, must be taken into account."

For more details visit https://cis-india.org/internet-governance/news/inforisk-today-april-26-2017-suparna-goswami-varun-haran-analysis-data-protection-in-india-getting-it-right

Now, Aadhaar details displayed in Mizoram too

praskrishna — 2017-04-27T16:59:37Z

Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.

The article by Sebastian PT was published in the National Herald on April 26, 2017. Sunil Abraham was quoted.

Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.

In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.

The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.

“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.

So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?

Irreparable Damage

Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.

“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.

The data breach just made it easy for players in the black market for ID (identification) documents to be lapped up to create false ID cards, for instance.

When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.

So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, in the backdrop of the lax attitude of the various government departments, even that too is just waiting to happen, fear experts.

Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it as a “mass surveillance technology” – that too a poorly-designed technology – which, in fact, “undermines security”. Once biometric data are compromised, it cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.

The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various data bases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, breach made possible.

Instead, he says, the government should adopt the ‘tokenisation approach’, instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.

However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.

“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.

For more details visit https://cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too

Stop the Haphazard Internet Shutdown Says MP Jay Panda

praskrishna — 2017-04-27T16:44:27Z

In just one year India lost $968M due to Internet shutdowns; “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” added an entrepreneur journalist.

The article by Regina Mihindukulasuriya was published in the Businessworld on April 26, 2017.

An entrepreneur from the troubled state of Kashmir, Muheet Mehraj, is cofounder and CEO of Kashmirbox.com. He said that businesses that run on the Internet are crippled by Internet shutdowns. “A lot of people's livelihood depends on the Internet. If you shut down the Internet, you shut down their lives. Also, hospitals and academic institutes need constant Internet access and a way must be found to ensure they are never impacted by a shutdown.”

In 2016, Brookings Institution released a survey of 19 countries and the Internet shutdowns each of them experienced. India was in that list and according to the century old research institute, suffered the biggest economic loss to GDP at 968 million dollars all due to Internet shutdowns.

The general secretary of Maha Gujarat Bank Employees Association was quoted in 2016 as saying that an Internet shutdown for 6 days across Gujarat culminated in a loss of rupees 7000 crore for banks in the state.

The Brookings survey recorded the maximum number of disruptions in India at 22. According to IndiaSpend.org, The Centre for Communication Governance at the National Law University of Delhi counts 37 shutdowns across 11 states since 2015 and 22 of them happened in the first 9 months of 2016.

The Software Freedom Law Centre (SFLC) claims there have been 72 instances of Internet shutdown in India since 2012 and that not all of them are justified.

The SFLC.in along with other civil society organizations addressed the increasing frequency of Internet shutdowns in the country. Baijayant 'Jay' Panda, Member of Parliament said that India needs effective checks and balances on the process and power to order Internet Shutdowns in India. He added that, “The power to shut Internet should be exercised by the district's Superintendent of Police only in rare cases when there is imminent threat to breakdown of law and order, and risk of loss of life and property".

He was speaking at a public discussion organized by SFLC.in, in association with Digital Empowerment Foundation (DEF); IT for Change, Internet Democracy Project (IDP); Centre for Internet and Society (CIS), and Foundation for Media Professionals (FMP).

Mr Panda remarked that this power should be limited to 24 or 48 hours. “If Internet must be shut down for a longer duration, the decision must be taken by Director General of Police or the chief secretary of state”, he said.

Abhinandan Sekhri, cofounder and CEO of Newslaundry raised concerns that there is a fundamental flaw in how Indians approach law making, in that they first look at the worst case scenario before taking a liberal and democratic point of view. “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” Mr. Sekhri said.

Snehashish Ghosh, associate manager for public policy at Facebook said, “Even though we may not have ready data to measure the impact of shutdowns, there is no denying that businesses suffer.” The Facebook Inc. – owned, WhatsApp is often reported as one of the most missed services whenever the Internet is shutdown in Kashmir during days of social unrest.

Mishi Choudhary, president and legal director of SFLC.in said, “According to our Internet Shutdown Tracker, India has experienced at least 72 instances of Internet Shutdowns since 2012. Several communities and states have suffered irreversible socioeconomic losses because they were denied Internet access for extended durations.”

Mishi continued, “The shutdown of Internet not only restrains basic human rights such as the right to freedom of speech and expression, but also cripples activities like e-commerce, e-governance, e-health and e-learning, entirely reliant on the Internet.”

For more details visit https://cis-india.org/internet-governance/news/business-world-regina-mihindukulasuriya-april-26-2017-stop-the-haphazard-internet-shutdown-says-mp-jay-panda

ISO/IEC JTC1/SC 27 Meetings

praskrishna — 2017-04-27T16:38:46Z

Udbhav Tiwari represented the Centre for Internet & Society in a series of meetings held at University of Waikato and Novotel in Hamilton, New Zealand between April 18 and 25, 2017.

The participation was by the virtue of our institutional membership in Information Systems Security Sectional Committee (LITD 17) at the Bureau of Indian Standards.

The first 5 days of the meetings (18 to 23 April, 2017) were the working group meetings, where Udbhav participated in Working Group 1 - Information security management systems and Working Group 5 - Identity management and privacy technologies. Udbhav's participation in WG1 was largely exploratory, where I made some connections and tagged projects for us to comment on prior to the next set of meetings. These projects were Cyber Security, Cyber Insurance, Government Use of the ISO 27001 Standards, International Framework for Cyber Security and the Standing Document on Regulatory Use of 27001.

In WG5, Udbhav was appointed as Co-Rapporteur in the Study Period on Smart Cities, which will go on for another 6 months. The plenary of SC 27 was held on April 24 and 25, 2017. The final resolutions from the Working Groups plenary can be accessed below:

WG1 Recommendations and Resolutions

WG5 Resolutions

For more details visit https://cis-india.org/internet-governance/news/iso-iec-jtc1-sc-27-meetings

India bans social media in Kashmir for one month

praskrishna — 2017-04-27T16:09:56Z

Authorities in Indian-controlled Kashmir have banned 22 social media sites including Facebook, WhatsApp and Twitter in an effort to calm tensions in the disputed region.

The article was published in the Telegraph on April 27, 2017. Pranesh Prakash was quoted.

The government said Wednesday that the one-month ban was necessary for public safety because social media were being "misused by anti-national and anti-social elements." Videos depicting the alleged abuse of Kashmiris by Indian forces fueled protests have been shown on social media in recent days.

"It's being felt that continued misuse of social networking sites and instant messaging services is likely to be detrimental to the interests of peace and tranquility in the state," the public order said.

The sites remained online Thursday as the local telecom company struggled to block them.

Pranesh Prakash, policy director for the Indian advocacy group the Center for Internet and Society, called the ban a "blow to freedom of speech" and "legally unprecedented in India."

An official with Kashmir's state-owned telecom company, Bharat Sanchar Nigam, said engineers were still working on shutting down the 22 sites, including Facebook and Twitter, but so far had been unable to do so without freezing the internet across the Himalayan region. The official spoke on condition of anonymity because he was not authorized to give technical details of the effort to the media.

Meanwhile, 3G and 4G cellphone service has been suspended for more than a week, but slower 2G service is still available.

Residents of Srinagar, the region's main city, were busily downloading documents, software and applications onto their smartphones which would likely be able to circumvent the social media block once it goes into effect. Many expressed relief to still have internet access Thursday morning.

"It was a welcome surprise," said Tariq Ahmed, a 24-year-old university student. "It appears they've hit a technical glitch to block social media en mass."

While the government has halted internet service in Kashmir in previous attempts to prevent anti-India demonstrations, this is the first time they have done so in response to the circulation of videos and photos showing alleged military abuse.

Others mocked the government. A Facebook post by Kashmiri writer Arif Ayaz Parrey said the ban showed "the Indian government has decided to take on the collective subversive wisdom of cyberspace humanity."

Indian police and paramilitary officials accuse agitators of using social media to instigate violence.

An international journalists' rights group urged Indian authorities to immediately revoke the "sweeping censorship of social media," saying it "will bring neither peace nor order" in the region.

"Such broad censorship clearly violates the democratic ideals and human rights India purports to uphold," said Steven Butler, Asia Program coordinator at the New York-based Committee to Protect Journalists.

Kashmiris have been uploading videos and photos of alleged abuse for some years, but several recently posted clips, captured in the days surrounding a violence-plagued local election on April 9, have proven to be especially powerful and have helped to intensify anti-India protests.

One video shows a stone-throwing teenage boy being shot by a soldier from a few meters (yards) away. Another shows soldiers making a group of young men, held inside an armored vehicle, shout profanities against Pakistan while a soldier kicks and slaps them with a stick.

The video pans to a young boy's bleeding face as he cries. Yet another clip shows three soldiers holding a teenage boy down with their boots and beating him on his back.

The video that drew the most outrage was of young shawl weaver Farooq Ahmed Dar tied to the hood of an army jeep as it patrolled villages on voting day. A soldier can be heard saying in Hindi over a loudspeaker, "Stone throwers will meet a similar fate," as residents look on aghast.

Protests and clashes are an almost daily occurrence in Indian-administered Kashmir, where anti-India sentiment runs deep among the mostly Muslim population after decades of military crackdowns. Disputes over control of the Kashmir region, claimed by both India and Pakistan, have sparked two wars between the nations since 1947.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-april-27-2017-india-bans-social-media-in-kashmir-for-one-month