We are anonymous, we are legion

Phishing Attacks on the Rise

praskrishna — 2011-12-13T16:15:52Z

It is very difficult to spot a fake website from the real one these days...with all the new technologies to clearly deceive the eyes. However, there are some ways to make the real from the fake ones with the help of two visual cues. Sunil Abraham was on News 9 on December 2, 2011 speaking about two visual cues to distinguish between the fake and the real websites.

Speaking to Nolan Pinto, Sunil said that in the URL instead of "http" you will find an "https" and the second there will be a digital certificate that precedes the url which will give details about the authenticity of this particular website. The locket, the bottom of the browser is just a repetition of the same visual cue which is a difference between http and https, if there is encrypted traffic between you and the website then you are using a protocol called https and you can tell that https exists in the URL and there is also a lock at the bottom of the browser. If there is no encryption then "https" will be missing and also the lock icon will appear open.

The news was broadcasted on News 9. Watch the recorded video below:

VIDEO

For more details visit https://cis-india.org/news/phishing-attacks-on-rise

Perumal Murugan and the Law on Obscenity

Japreet Grewal — 2016-08-09T13:01:03Z

On July 5, 2016, the Madras High Court saved Perumal Murugan’s novel, Mathorubhagan from oblivion when it dismissed the claims against Murugan on the grounds of obscenity, spreading disharmony between communities, blasphemy, and defamation and upheld his freedom of expression in S. Tamilselvan & Perumal Murugan versus Government of Tamil Nadu. This judgment has received wide appreciation for its support for freedom of expression. What made it applause-worthy? Do we have reservations with the view of the High Court?

Murugan’s book is about a married couple, Kali and Ponna, who fail to have a child despite decades of their marriage. They succumb to social and familial pressures to allow Ponna (the wife) to participate in a sexual orgy (unrestrained sexual encounter involving many people) at a religious festival (the Vaikasi Car Festival) that takes place in Arthanareeswarar Temple, for begetting a child. The local community claimed that in the book, Murugan denigrated the Arthanareeswarar Temple, the deity, Lord Arthanareeswarar, festivities relating to Vaikasi Car Festival and the women of the Kongu Vellala Gounder community. Some sections of the community believed that the facts in the story were not true and found that the sexual mores associated with the community in the book were offensive.

The Court was required to evaluate, whether the novel was obscene (Section 292 of Indian Penal Code, 1860 (IPC)), offensive to the community (Section 153A of IPC) and the religion (Section 295 of IPC); and whether the State had the responsibility to protect the writer from mob violence on account of his controversial book. The Court held that the book was neither offensive nor did it hurt community or religious sentiments. The Court also held that the State had a positive obligation to protect Murugan against the mob. It would be useful to look at the analysis of the Court in drawing these conclusions and see if we completely agree with it.

The Court relied on the standard for determining obscenity in Aveek Sarkar v. State of West Bengal wherein, it was held that what is lascivious/appealing to the prurient interest/depraved or corrupt has to be tested using the contemporary ‘community standards. The Court was of the view that the novel was not offensive by the current mores (para 150 and 151). The Court further relied on MF Hussain v. Rajkumar Pandey, (also decided by Justice Sanjay Kishan Kaul) wherein it was held, that while evaluating obscenity in a work, “the judge has to place himself in the position of the author in order to appreciate what the author really wishes to convey and thereafter, placing himself in the position of the reader in every age group in whose hand the book is likely to fall, arrive at a dispassionate conclusion.”It is necessary to mention here that the community standards test has been criticised by scholars, worldwide, as it is difficult to divorce subjective morality of an individual and ascertain what those standards are. This indeterminacy interferes with the ability of judges to apply these standards. There is established scholarship that says that judges cannot divorce themselves from their subjectivities while evaluating obscenity in work of art or literature and may often reinforce the moral norms of the majority in the society thus crushing the moral standards of the minority. In India, we have a mixed bag of judgments that address the issue of obscenity. Seeing the difficulty in application of the community standards test, it is noteworthy that the ultimate fate of a book, painting or a film is dependent on the morality of an individual judge. In fact, the Court had asked a pertinent question in the judgment, “Would it be desirable for the Courts to intervene or should it be left to the readers to learn for themselves what they think and feel of the issue in question?” (para 136) However, it eventually reinforced these standards by applying the existing precedents on obscenity. The Court added thatunder Section 292, it was required to first prove whether the novel was obscene at all and only if it was found to be obscene it should be tested within the parameters of exceptionsit would fall under. The Court found that the novel was not obscene. There was no need to evaluate its social character to save it from a ban. While drawing this conclusion, the Court stated that, “sex, per se, was not treated as undesirable, but was an integral part right from the existence of civilization” (para 149) and that “in our society, we seem to be more bogged down by conservative Victorian philosophy rather than draw inspiration from our own literature and scriptures.”The Court also said, “there are different kinds of books available on the shelves of book stores to be read by different age groups from different strata. If you do not like a book, simply close it.”(para 148) While this reflects a progressive view of the judges on sexual morality, we have reservations on court’s reliance on ancient literature to justify why sex and its depiction in art or literature is not obscene.
We appreciate the observations that the Court has made while determining whether the novel hurt community or religious sentiments. The Court has acknowledged the declining tolerance level of the society (para 154) and stated that “any contra view or social thinking is met at times with threats or violent behaviour” (para 142).
The Court addressed the issue of harassment of writers and artists at the hands of a mob and held that there should “be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India” and emphasized the need for the State to protect those who suffer from hostility of several sections of a society as a consequence of holding a different view (para 175).Citing MF Hussain v. Rajkumar Pandey, the Court said “freedom of speech has no meaning if there is no freedom after speech.”The Court has identified the problematic sphere of mob violence and how it affects freedom of expression. However, we do not agree with what the Court held subsequently.

Reproducing an extract of the judgment here, “There is bound to be a presumption in favour of free speech and expression as envisaged under Article 19(1)(a) of the Constitution of India unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” (para 184) The words, “unless a court of law finds it otherwise as falling within the domain of a reasonable restriction under Article 19(2) of the Constitution of India.” indicate that the judiciary has the power to determine whether a certain type of speech could be restricted under Article 19 (2) of the Constitution of India. This understanding is incorrect. The language of Article 19 (2) makes it clear that speech could only be restricted by ‘law’ and judiciary cannot assume the authority to restrict speech. It has the authority to decide the applicability and the constitutionality of the law that restricts speech. The relevant part of Article 19 (2) is reproduced below for reference. “(2) Nothing in sub clause (a) of clause ( 1 ) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right….” The Court further acknowledged that “the State and the police authorities would not be the best ones to judge such literary and cultural issues, which are best left to the wisdom of the specialists in the field and thereafter, if need be, the Courts” (para 181). The Court thus issued directions to the Government to constitute an expert body to deal with situations arising from such conflicts of views so that an independent opinion is forthcoming, keeping in mind the law evolved by the judiciary(para 181). There are concerns with this mandate of the Court; firstly, constituting an expert body to resolve conflict of views will not serve any purpose unless there are guidelines to evaluate work. It is difficult to dissociate subjectivity and ascertain objective standards for evaluating offensiveness of literary or artistic work. Secondly, reliance on expert opinion and then courts completely disregards existing law. Under Section 95 of the Code of Criminal Procedure,1973, the Government has the power to declare forfeiture of works which, it considers in violation of section 153A or section 153B or section 292 or section 293 or section 295A of the Indian Penal Code, 1860. The power to evaluate a piece of writing or other work has already been given to the government. The Court has created a parallel mechanism for evaluation by giving directions to constitute an expert panel. In the event this mechanism fails to resolve the conflict, it is suggested that courts would then be approached to address the matter. This is in complete disregard of the powers of the Government under Section 95.

In the Murugan judgment, the Court has attempted to provide a narrow interpretation of what is considered obscene, emphasized the need for the society to be more tolerant and for State to protect those members of the society who, on account of their views, suffer at the hands of an intolerant society. It is for these reasons, the judgment is, undoubtedly a sound precedent for protection of speech in India. However, it is concerning to see that in drawing these conclusions, the Court has reinforced vague legal standards of obscenity and in that regard, it remains yet another addition to the mixed bag of judgments.

For more details visit https://cis-india.org/internet-governance/perumal-murugan-and-the-law-on-obscenity

Personal Data, Public Profile

nishant — 2012-02-14T06:19:52Z

Whether we like it or not, we live in a world that is rapidly being Googlised, writes Nishant Shah in an article published by the Financial Express on February 13, 2012.

Apart from its core functions like search and email, we consume Google services and products around the clock and around the click—YouTube, Calendar, Docs, Google+, Google Reader, Google Analytics et al. On March 1, 2012, our increasingly co-dependent relationship with Google will reach a new stage of commitment as Google consolidates its privacy policies for the entire Google universe. If you are logged into your Google account, all your information across Google’s different platforms will be clubbed together to form a comprehensive profile of what you do online.

Google has suggested this will personalise your interactions with Google platforms. The videos you watch on YouTube might influence your search results; the links that you click on will affect the advertisements displayed to you; the mails that you read will establish proximity with your friends on Google+ ... A comprehensive profile of who you are, what you do, what you like, what you share and what you hide will be created. Google has shown unmatched commitment to transparency on user data retention, storage and usage over the years. However, a centralised profile on users rings a few alarm bells for me. There are three use-cases that immediately crop up with apocalyptic implications.

Death of anonymity: One of the biggest strengths of the internet, as a space for both political dissent and freedom of expression, is that it has allowed people to talk through their avatars without putting themselves in conditions of bodily harm. So, it was good to have a scenario where my activities on YouTube did not get mapped onto my more identifiable profile on Google+ and did not get correlated with my personal interactions on Gmail. Mapping all the actions of a user who might want a more distributed identity might lead to precarious conditions for users living in critical times.

Negotiation with governments: While Google claims that it is committed to protecting the safety of its users, we know that it is eventually subject to the rules of the countries that it operates in. In the past, say in skirmishes with China, we have seen that despite its powerful status, it is not exempt from the demands of different governments. Given the current state of negotiations around censorship that are ongoing in India, it is a little scary to think how users’ data can be abused by authoritative government officials. A multi-tiered, distributed system offers users safety which a consolidated one doesn’t.

Inter-platform repercussions: If something I do on a platform gets flagged as objectionable, does it mean that all my rights to Google World get revoked?

Hidden data collection: One of the things that a lot of people don’t realise is that Google, in its attempts at enriching our user experience, collects more data than you disclose. So, apart from the personal data that you have more control over, there is a range of other data—pages you visit, the time you spend there, links you click on, comments that you write, information you share, etc—which form a part of Google’s algorithms for you. Consolidation of this data through services like Ad Sense and Double Click might also expose you to third party advertisers who might abuse this information that is about you but not under your control.

Google’s consolidation of its privacy policies across platforms signal a new wave of information management on the web, where the earlier free-form distributed information practice is getting mapped on to the physical bodies of the users. While it might lead to better web services, it also means that we need to be more aware of our information practices and start preparing for a web that is going to demand more accountability from its users than ever before.

The author is a digital humanities scholar and Director-Research at the Bangalore-based Centre for Internet and Society.

The original article was published in the Financial Express

For more details visit https://cis-india.org/internet-governance/personal-data-public-profile

Personal Data Protection Bill must examine data collection practices that emerged during pandemic

Shweta Mohandas and Anamika Kundu — 2022-03-30T15:15:21Z

The PDP bill is speculated to be introduced during the winter session of the parliament soon. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen’s data in order to fulfil its responsibilities. The bill could ensure that employers have some responsibility towards the data they collect from the employees.

The article by Shweta Mohandas and Anamika Kundu was originally published by news nine on November 29, 2021.

The Personal Data Protection Bill (PDP) is speculated to be introduced during the winter session of the parliament soon, and the report of the Joint Parliamentary Committee (JPC) has already been adopted by the committee on Monday. The Report of the JPC comes after almost two years of deliberation and secrecy over how the final version of the Personal Data Protection Bill will be. Since the publication of the 2019 version of the PDP Bill, the Covid 19 pandemic and the public safety measures have opened the way for a number of new organisations and reasons to collect personal data that was non-existent in 2019. Hence along with changes that have been suggested by multiple civil society organisations, the dissent notes submitted by the members of the JPC, the new version of the PDP Bill must also look at how data processing has changed over the span of two years.

Concerns with the bill

At the outset there are certain parts of the PDP Bill which need to be revised in order to uphold the spirit of privacy and individual autonomy laid out in the Puttaswamy judgement. The two sections that need to be in line with the privacy judgement are the ones that allow for non consensual processing of data by the government, and by employers. The PDP Bill in its current form provides wide-ranging exemptions which allow government agencies to process citizen's data in order to fulfil its responsibilities.

In the 2018 version of bill, drafted by the Justice Srikrishna Committee exemptions granted to the State with regard to processing of data was subject to a four pronged test which required the processing to be (i) authorised by law; (ii) in accordance with the procedure laid down by the law; (iii) necessary; and (iv) proportionate to the interests being achieved. This four pronged test was in line with the principles laid down by the Supreme Court in the Puttaswamy judgement. The 2019 version of the PDP Bill has diluted this principle by merely retaining the 'necessity principle' and removing the other requirements which is not in consonance with the test laid down by the Supreme Court in Puttaswamy.

Section 35 was also widely discussed in the panel meetings where members had argued the removal of 'public order' as a ground for exemption. The panel also insisted for 'judicial or parliamentary oversight' to grant such exemptions. The final report did not accept these suggestions stating a need to balance national security, liberty and privacy of an individual. There ought to be prior judicial review of the written order exempting the governmental agency from any provisions of the bill. Allowing the government to claim an exemption if it is satisfied to be "necessary or expedient" can be misused.

Another clause which gives the data principal a wide berth is with respect to employee data Section 13 of the current version of the bill provides the employer with a leeway into processing employee data (other than sensitive personal data) without consent based on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer.

The personal data so collected can only be collected for recruitment, termination, attendance, provision of any service or benefit, and assessing performance. This covers almost all of the activities that require data of the employee. Although the 2019 version of the bill excludes non-consensual collection of sensitive personal data (a provision that was missing in the 2018 version of the bill), there is still a lot of scope to improve this provision and provide employees further right to their data. At the outset the bill does not define employee and employer, which could result in confusion as there is no one definition of these terms across Indian Labour Laws.

Additionally, the bill distinguishes between employee and consumer, where the consumer of the same company or service has a greater right to their data than an employee. In the sense that the consumer as a data principal has the option to use any other product or service and also has the right to withdraw consent at any time, in the case of an employee the consequence of refusing consent or withdrawing consent would be being terminated from the employment. It is understood that there is a requirement for employee data to be collected, and that consent does not work the same way as it does in the case of a consumer.

The bill could ensure that employers have some responsibility towards the data they collect from the employees, such as ensuring that they are only used for the purpose for which they were collected, the employee knows how long their data will be retained, and know if the data is being processed by third parties. It is also worth mentioning that the Indian government is India's largest employer spanning a variety of agencies and public enterprises.

Concerns highlighted by JPC Members

Going back to the few members of the JPC who have moved dissent notes, specifically with regard to governmental exemptions. Jairam Ramesh filed a dissent note, to which many other opposition members followed suit. While Jairam Ramesh praised the JPC's functioning, he disagreed with certain aspects of the Report. According to him, the 2019 bill is designed in a manner where the right to privacy is given importance only in cases of private activities. He raised concerns regarding the unbridled powers given to the government to exempt itself from any of the provisions.

The amendment suggested by him would require parliamentary approval before exemption would take place. He also added that Section 12 of the bill which provided certain scenarios where consent was not needed for processing of personal data should have been made 'less sweeping'. Similarly, Gaurav Gogoi's note stated that the exemptions would create a surveillance state and similarly criticised Section 12 and 35 of the bill. He also mentioned that there ought to be parliamentary oversight for the exemptions provided in the bill.

On the same issue, Congress leader Manish Tiwari noted that the bill creates 'parallel universes' - one for the private sector which needs to be compliant and the other for the State which can exempt itself. He has opposed the entire bill stating there exists an "inherent design flaw". He has raised specific objections to 37 clauses and stated that any blanket exemptions to the state goes against the Puttaswamy Judgement.

In their joint dissent note, Derek O'Brien and Mahua Mitra have said that there is a lack of adequate safeguards to protect the data principals' privacy and the lack of time and opportunity for stakeholder consultations. They have also pointed out that the independence of the DPA will cease to exist with the present provision of allowing the government powers to choose members and the chairman. Amar Patnaik is to object to the lack of inclusion of state level authorities in the bill. Without such bodies, he says, there would be federal override.

Conclusion

While a number of issues were highlighted by civil society, the members of the JPC, and the media, the new version of the bill should also need to take into account the shifts that have taken place in view of the pandemic. The new version of the data protection bill should take into consideration the changes and new data collection practices that have emerged during the pandemic, be comprehensive and leave very little provisions to be decided later by the Rules.

For more details visit https://cis-india.org/internet-governance/blog/news-nine-shweta-mohandas-and-anamika-kundu-personal-data-protection-bill-must-examine-data-collection-practices-that-emerged-during-pandemic

Perché l'India ha tagliato internet al Kashmir

Raffaele Angius — 2019-08-22T01:31:46Z

Lo stato di isolamento imposto a più di 12,5 milioni di persone rischia di causare importanti disagi al Paese, nel quale è diventato praticamente impossibile comunicare con l’esterno. Problemi per ospedali e farmacie

The article by Raffaele Angius was published in WIRED.IT on August 19, 2019. Gurshabad Grover was quoted.

Dopo dodici giorni di blocco totale delle telecomunicazioni, l’India ha concesso il parziale ripristino delle linee telefoniche del Kashmir. Il 5 agosto il governo centrale di Nuova Delhi aveva sospeso lo statuto speciale di cui gode la regione, schierando decine di migliaia di soldati, arrestando diversi rappresentanti politici e sospendendone le linee telefoniche e iltraffico internet.

La decisione, presa unilateralmente dal primo ministro indiano Narendra Modi, mira a rimuovere i privilegi sanciti dalla costituzione del Kashmir, che settant’anni fa crearono le basi per l’unione dei due Paesi. Principale obiettivo di Nuova Delhi è l’abrogazione della legge che vieta l’acquisto di proprietà immobiliari ai cittadini non kashmiri, che secondo Modi impedirebbe la piena integrazione dell’area – l’unica a maggioranza musulmana – con l’India.

Blackout nelle comunicazioni

Ma lo stato di isolamento imposto a più di 12,5 milioni di persone rischia di causare importanti disagi al Paese confinante con il Pakistan, nel quale è diventato praticamente impossibile comunicare con l’esterno e in cui le infrastrutture critiche che fanno affidamento a Internet vivono profondi disagi. Come nel caso di ospedali e farmacie, che utilizzano la rete per ordinare nuovi medicinali.

“Le reti per le telecomunicazioni sono infrastrutture critiche e stavolta [il loro blocco] ha avuto un impatto decisivo sul funzionamento del Kashmir”, ha spiegato a Wired Gurshabad Grover, funzionario del Center for Internet and Society di Bangalore: “Alcuni report indicano che le linee di comunicazione non sono accessibili neanche per ospedali e cliniche: il risultato è che il personale si sta arrangiando per soddisfare le esigenze sanitarie”.

“Il governo indiano ha un record di sospensione delle telecomunicazioni e dei servizi internet nel Kashmir: secondo i dati rilevati dallo strumento di monitoraggio della rete del Software Freedom Law Center, questa è la sessantesima volta che succede solamente quest’anno”, ha spiegato Grover via mail.

Ma stavolta l’operazione di isolamento dell’area è stata più incisiva, con un blocco totale “di internet, reti mobili, linee terrestri, posta e televisione via cavo”, giustificate con l’esigenza di contenere la diffusione di informazioni false e gli episodi di violenza, come hanno spiegato gli stessi rappresentanti del governo. “Ma impedire ai giornalisti di fare il proprio lavoro, al contrario, favorisce la diffusione di notizie false -, ha obiettato Grover -. Inoltre, numerosi studi mostrano come lo spegnimento dei canali di comunicazione renda il coordinamento delle proteste pacifiche molto più difficili, con il rischio di portare a episodi di violenza”.

Dopo che per quasi due settimane anche le forze dell’ordine hanno dovuto utilizzare i telefoni satellitari per comunicare, parte delle linee telefoniche del Kashmir sono state ripristinate. Una ragione potrebbe essere che proprio il blackout informativo ha creato ulteriori allarmismi, avendo di fatto impedito a milioni di persone di comunicare con i propri familiari. “Ora i social network sono pieni di post allarmati provenienti da cittadini kashmiri che vivono in altri posti”, osserva Grover. Ma le contromisure non si sono fatte attendere, con la richiesta a Twitter da parte del governo indiano di rimuovere decine di account che scrivono della crisi, tra cui quelli di giornalisti e attivisti.

La crisi

Apparentemente lontana dal suo epilogo, l’ennesima crisi del Kashmir è approdata sul tavolo del Consiglio di sicurezza delle Nazioni Unite il 16 agosto, per la prima volta dal 1971. In una riunione a porte chiuse, come riporta la Cnn, sono intervenuti anche i diplomatici di Pakistan – il Paese musulmano direttamente confinante con la regione e che da anni sostiene segretamente i gruppi paramilitari dell’area – e Cina, che hanno chiesto all’India di garantire una risoluzione del conflitto. Così come negli ultimi settant’anni, gli emissari di Nuova Delhi hanno replicato che il Kashmir è una questione domestica che non riguarda la diplomazia internazionale. E per assicurarsi che la situazione rimanga tale, sembra che l’unica strategia sia quella di sottoporre a isolamento più di dodici milioni di persone.

For more details visit https://cis-india.org/internet-governance/news/raffaele-angius-august-19-2019-india-kashmir-internet

People voice their support for net neutrality, say Internet a utility not a luxury

praskrishna — 2015-05-08T01:56:28Z

As the campaign and support for net neutrality is picking up, Politicians, celebrities and a cross section of people are voicing their support for it. Net neutrality means all data and sites are treated and charged equally be it mobile app or any other app.

The blog post was published in IBN Live on April 13, 2015. Pranesh Prakash gave his inputs.

According to AIB whose video on net neutrality has gone viral, more than one lakh emails have been sent to the Telecom Regulatory Authority of India (TRAI) through the website savetheinternet.in. This is in response to the regulator's call for public consultation.

MK Stalin, DMK treasurer: The Internet is changing India. For the first time there is a platform that gives equal opportunity for everyone to gain knowledge and reap economic benefits. TRAI, the government telecom regulatory body is proposing to change this by allowing telecom companies to allow preferential access to websites. If this is allowed, companies will be allowed to charge extra for commonly used services like Whatsapp, YouTube, web based voice calling and many more. This will also allow telcos to allow preferential treatment of websites, allowing the big companies to destroy start-ups and internet based small business by blocking or slowing them down. This goes against the very concept of the Internet where every legal website or service is considered equal. This attempt to increase the profits of the telecom companies by surrendering social gains should be condemned. I request the TRAI to dismiss this proposal and let the Internet continue to be a neutral medium which serves our country and community instead of a select few companies.

Tathagata Satpathy, Dhenkanal MP: My concern was that why should TRAI get involved with private profit making companies and give them the facility to become a profiteering company. While saying this we must remember that Internet is not free anywhere in the world. That is accepted. My issue is with TRAI which has not even bothered to reply to my letter, I do not know why TRAI is getting involved and it has put itself in a situation where its interntions are suspect.

Nikhil Pahwa, Editor and publisher of Medianama: Startups may have to get license to provide services in India. Another outcome is communications firms will buy license. Third outcome is TRAI will allow ISP's to make some sites slow.

Pranesh Prakash, cyber security expert: So what the TRAI is proposing is something that should have every single Internet user very worried. There is some truth at least to what companies like Airtel etc. are saying which is that there is a difference in the regular trade standard for the Internet services and the telecom operators. But the correct solution for that is not to increase and sort a new license raj for Internet services but rather to decrease those over onerous burdens.

Riteish Deshmukh, actor: Net neutrality is as important as Freedom of Speech. Our Basic Right

Siddharth Malhotra, actor: Save The Internet push for net neutrality, Internet is a utility not a luxury.

Parineeti Chopra, actress: Save the Internet! Net neutrality is crucial! Proud of you boyses!

Shekhar Ravjiani, singer: Time to stand up and take a stand. Time to fight for what's right. Head to savetheinternet.in to make a difference.

Raghu Ram, Ex Roadies judge: PEOPLE!! Your internet and freedom are under attack in India! Listen to the AIB boys and join the fight.

For more details visit https://cis-india.org/internet-governance/news/ibn-live-april-13-2015-people-voice-their-support-for-net-neutrality-say-internet-a-utility-not-a-luxury

People should resist enforcement of UID scheme, say experts

praskrishna — 2013-03-11T06:45:23Z

Internationally recognized expert on law and poverty Dr. Usha Ramanathan Saturday urged citizens of the country to question the enforcement of the UID scheme that has no legitimacy.

This was published in newzfirst on March 3, 2013. CIS organized a workshop at the event.

Addressing the gathering of people from various sections of the society at a workshop- The Unique Identity Number (UID), National Population Register (NPR), and Governance - organized by the ‘Centre for Internet and Society’ and the ‘Say No to UID Campaign’ Ramanathan said that the enforcement of UID scheme is unconstitutional and a mere a experiment on the population.

The scheme is full of ambiguity, confusions and suspicions; while UIDAI says it as voluntary, other government agencies and enterprises have made them mandatory. Neither the government nor the UIDAI officials have the satisfactory answers for the concerns of citizens, she said.

Saying that the ‘Data’ is one of the important properties today, she elaborated that how the individual’s privacy and confidential data was breached after sharing with many companies and agencies, despite the assurances from the authorities.

Emphasizing the resistance against enforcement of UID scheme, another speaker Col. Mathew Thomas of Citizen Action Forum Bangalore, said “If we don’t resist this scheme now, we are putting pushing poor people of the country into more vulnerable situation. We need to fight it by protests and legal means.”

The workshop also discussed the National Population register (NPR), its impact on citizenship and the governance, and how they are linked with national security.

For more details visit https://cis-india.org/news/newzfirst-march-3-2013-people-should-resist-enforcement-of-uid-scheme-say-experts

People Should Have Right To Their Data, Not Companies, Says TRAI

Admin — 2018-07-29T05:44:51Z

Rules for protection of personal data in the telecom space are not sufficient, regulator TRAI said today while suggesting that consumers be given the right to choice, consent and to be forgotten to safeguard their privacy.

This was published by Bloomberg Quint on July 16, 2018. Pranesh Prakash was interviewed.

Recommending a series of measures of "privacy, security and ownership of data in telecom networks", the Telecom Regulatory Authority of India held that consumers are owners of their data and that entities controlling, processing their information are "mere custodians and do not have primary rights over this data".

"The Right to Choice, Notice, Consent, Data Portability, and Right to be Forgotten should be conferred upon the telecommunication consumers," TRAI recommended to the Department of Telecom. In order to ensure sufficient choices to the users of digital services, granularities in the consent mechanism should be built-in by the service providers, the regulator added.

TRAI has suggested that all entities in the digital ecosystem including telecom operators should transparently disclose the information about the privacy breaches on their websites along with the actions taken for mitigation, and preventing such breaches in future.

“This is the first time I’ve seen TRAI being bold enough to venture into this area,” said Pranesh Prakash, a policy director at the Centre for Internet Society. “There are many positives here in terms of the data protection regime that they want to set up,” he told BloombergQuint in an interview. “It talks about user choice, consent, about notice being mandatory and simplified in language that people understand rather than two hundred pages of legal forms.”

There are many things in it that law and technology nerds will rejoice over, for example, the need for greater amounts of encryption and asks DoT to revisit the limitations it has put on encryption because those limitations actually harm national security and user privacy.

Pranesh Prakash, Policy Director, Centre for Internet Society

Here are the highlights from the TRAI’s recommendation:

All entities in the digital ecosystem, which control or process the data, should be restrained from using meta-data to identify the individual users.
A study should be undertaken to formulate the standards for annonymisation/de-identification of personal data generated and collected in the digital eco-system.
Till such time a general data protection law is notified by the government, the existing rules/licence conditions applicable to TSPs for protection of users' privacy be made applicable to all the entities in the digital ecosystem.
The Right to Choice, Notice, Consent, Data Portability, and Right to be forgotten should be conferred upon the telecommunication consumers.
Data Controllers should be prohibited from using "preticked boxes" to gain users consent. Clauses for data collection and purpose limitation should be incorporated in the agreements.
Sharing of information concerning to data security breaches should be encouraged and incentivised to prevent/mitigate such occurrences in future.

The recommendations from TRAI come at a time when there are rising concerns around privacy and safety of user data, especially through mobile apps and social media platforms.

The regulator had issued a consultation paper entitled Privacy, Security and Ownership of Data in the Telecom Sector on Aug 9 last year and an open house discussion was held on Feb. 2. The TRAI had also invited comments and counter comments as part of the consultation.

(With inputs from PTI)

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-july-16-2018-people-should-have-right-to-their-data-not-companies-says-trai

People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India

Shweta Mohandas — 2018-03-11T15:30:50Z

On the 27th of February, Peter Sparkes the Senior Director, Cyber Security Services, Symantec conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.

Introduction

In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000.

There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state of the art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine learning are helping, by monitoring the system to identify cyber attacks, and analyse the severity of the threat, and in some cases by blocking such threats.

Evolution of Security Operations Centers

In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.

People Driven and Tech Enabled

In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies to not only overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group, revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.

The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.

Similarly, the tasks of monitoring and blocking which were earlier conducted by entry level analysts were now done by systems, using machine learning. Typically, the AI acts as the first monitoring system after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and responsive security protocol.

Detecting the Unknown

Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before the security is compromised. The detection of threats through AI and ML is done in a similar way as it is done for the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to identify right from wrong.

There have been numerous cases of stealthy cyber attacks such as wannacry and ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.

The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case by case basis.

AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.

Passive to Active Defense

Threat to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.

In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, and thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.

Use of AI in Cyber Security in India

In 2017, Indian enterprises were infected by two lethal cyber attacks called Nyetya that crept through a trusted software - Ccleaner and infected computers

. These attacks may just be the tip of the iceberg , since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.

One such example is HDFC bank which is in the process of introducing an AI based Cyber Security Operations Centre (CSOC).

This CSOC is based on a four point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.

Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.

As India is increasingly becoming data dense both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.

Conclusion

Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time consuming tasks, leaving the technicians with more time to work on damage control. Although it must be kept in mind that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).

Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.

A few topics that Indian SOCs need to consider while using AI and ML :

1. The companies need to understand that AI and ML need human expertise and supervision to be effective and hence substituting people for AI is not ideal.

2. The companies need to give equal if not more importance to data security.

3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.

4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.

[]. Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

[]. Ibid.

[]. Enterprise Strategy Group (2017, March ). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018 from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf

[]. Ibid.

[]. Vorobeychik,Y (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf

[]. Quora. ( 2081, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147

[]. Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc

[]. PTI. ( 2018, February 21).Indian companies lost $500,000 to cyber.Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms

[]. Raval, A. ( 2018,January 30). AI takes cyber security to a new level for HDFC Bank.Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/

[]. “The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15. Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[]. Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/

[]. Open AI.(2017 February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/

For more details visit https://cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india

Pension won’t be denied for want of Aadhaar, says EPFO

Admin — 2018-04-10T22:33:39Z

The move is aimed at ensuring that no retired government employee is deprived of pension for want of Aadhaar or failure of fingerprint authentication.

The article by Prashant K. Nanda and Komal Gupta published by Livemint on April 11, 2018 quoted Pranesh Prakash.

Tens of thousands of pensioners under the employees pension scheme will not be denied their monthly pension if their Aadhaar authentication fails or they do not have the 12-digit unique ID, the Employees Provident Fund Organisation (EPFO) has indicated.

The retirement fund manager has asked banks and post offices to facilitate pension disbursement without making senior citizens do the rounds.

The move comes after EPFO received several complaints of denial of pension by banks.

For paying pension to those whose fingerprint authentication fails, “banks may make provisions for iris scanner, along with the fingerprint scanner in bank branches. It has been observed that in many cases, iris authentication is successful even though fingerprint authentication may have failed. This is particularly true for many senior citizens. In such cases, digital life certificate may be generated on the basis of iris authentication and pension may be given,” the EPFO said in a circular on Monday.

And when both iris and fingerprint authentication are not feasible, “an entry should be made in the exception register with reasons and pension may be provided on the basis of paper life certificate and physical Aadhaar card or E-Aadhaar card of the pensioner after due verification as deemed fit by the bank,” the circular said.

The move is aimed at ensuring that no senior citizen is deprived of pension for want of Aadhaar or failure of fingerprint authentication.

Banks have been advised to ensure that benefits of the pension scheme reach the citizens and a proper mechanism for “handling exceptions” is put in place.

“Banks should make special arrangements for the bed-ridden, differently abled, or senior citizens who are unable to visit the Aadhaar enrolment centre,” the circular said.

EPFO has also instructed pension disbursing banks and post offices to make necessary arrangements for enrolling pensioners for Aadhaar and to carry out authentication through iris, especially for those who cannot be verified through fingerprints.

The Unique Identification Authority of India (UIDAI) has been under the scanner over the past few months over allegations of access to pension being denied as the fingerprints of the elderly do not match biometrics in the Aadhaar database.

So far, pensioners had to furnish a life certificate and needed to authenticate it using biometrics.

“The fact that it is coming now means that the Unique Identification Authority of India’s claim in the Supreme Court about no person having been denied any benefit due to the lack of Aadhaar is simply untrue,” said Bengaluru-based Pranesh Prakash, an affiliated fellow with the Yale Law School’s Information Society Project that works on issues related to the intersection of law, technology and society.

Prakash, however, welcomed EPFO’s move laying down “a procedure both for those who don’t have an Aadhaar number, as well as those whose biometrics fail for any reason”.

Prakash further said that “as per the UIDAI’s own data, failure rates for iris authentication are higher (8.54%) than for fingerprints (6%). So the utility of pushing for iris authentication is unclear.”

There are more than 1.2 billion Aadhaar holders in the country.

For more details visit https://cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo

Peering behind the veil of ICANN’s DIDP (I)

Padmini Baruah — 2015-10-15T02:42:14Z

One of the key elements of the process of enhancing democracy and furthering transparency in any institution which holds power is open access to information for all the stakeholders. This is critical to ensure that there is accountability for the actions of those in charge of a body which utilises public funds and carries out functions in the public interest.

As the body which “...coordinates the Internet Assigned Numbers Authority (IANA) functions, which are key technical services critical to the continued operations of the Internet's underlying address book, the Domain Name System (DNS)”^{^[1]}, the centrality of ICANN in regulating the Internet (a public good if there ever was one) makes it vital that ICANN’s decision-making processes, financial flows, and operations are open to public scrutiny. ICANN itself echoes the same belief, and upholds “...a proven commitment to accountability and transparency in all of its practices”^{^[2]}, which is captured in their By-Laws and Affirmation of Commitments. In furtherance of this, ICANN has created its own Documentary Information Disclosure Policy, where it promises to “...ensure that information contained in documents concerning ICANN's operational activities, and within ICANN's possession, custody, or control, is made available to the public unless there is a compelling reason for confidentiality.”^{^[3]}

ICANN has a vast array of documents that are already in the public domain, listed here. These include annual reports, budgets, registry reports, speeches, operating plans, correspondence, etc. However, their Documentary Information Disclosure Policy falls short of meeting international standards for information disclosure. In this piece, I have focused on an examination of their defined conditions for non-disclosure of information, which seem to undercut the entire process of transparency that the DIDP process aims towards upholding. The obvious comparison that comes to mind is with the right to information laws that governments the world over have enacted in furtherance of democracy. While ICANN cannot be equated to a democratically elected government, it nonetheless does exercise sufficient regulatory power of the functioning of the Internet for it to owe a similar degree of information to all the stakeholders in the internet community. In this piece, I have made an examination of ICANN’s conditions for non-disclosure, and compared it to the analogous exclusions in India’s Right to Information Act, 2005

ICANN’ꜱ Defined Conditions for Non-Disclosure versus Exclusions in Indian Law :

ICANN, in its DIDP policy identifies a lengthy list of conditions as being sufficient grounds for non-disclosure of information. One of the most important indicators of a strong transparency law is said to be minimum exclusions.^{^[4]} However, as seen from the table below, ICANN’s exclusions are extensive and vast, and this has been a barrier in the way of free flow of information. An analysis of their responses to various DIDP requests (available here) shows that the conditions for non-disclosure have been invoked in over 50 of the 85 requests responded to (as of 11.09.2015); i.e., over two-thirds of the requests that ICANN receives are subjected to the non-disclosure policies.

In contrast, an analysis of India’s Right to Information Act, considered to be among the better drafted transparency laws of the world, reveals a much narrower list of exclusions that come in the way of a citizen obtaining any kind of information sought. The table below compares the two lists:

No.	ICANN^{^[5]}	India	Analysis
1.	Information provided by or to a government or international organization which was to be kept confidential or would materially affect ICANN’s equation with the concerned body.	Information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, "strategic, scientific or economic" interests of the State, relation with foreign State or lead to incitement of an offense^{^[6]}/ information received in confidence from foreign government^{^[7]}	The threshold for both the bodies is fairly similar for this exclusion.
2.	Internal (staff/Board) information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process	Cabinet papers including records of deliberations of the Council of Ministers, Secretaries and other officers, provided that such decisions the reasons thereof, and the material on the basis of which the decisions were taken shall be made public after the decision has been taken, and the matter is complete, or over (unless subject to these exemptions)^{^[8]}	The Indian law is far more transparent as it ultimately allows for the records of internal deliberation to be made public after the decision is taken.
3.	Information related to the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process	No similar provision in Indian Law.	This is an additional restriction that ICANN introduces in addition to the one above, which in itself is quite broad.
4.	Records relating to an individual's personal information	Information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual (but it is also provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied by this exemption);^{^[9]}	Again, the Indian law contains a proviso for information with “relationship to any public activity or interest”
5.	Proceedings of internal appeal mechanisms and investigations.	Information which has been expressly forbidden to be published by any court of law or tribunal or the disclosure of which may constitute contempt of court;^{^[10]}	While ICANN prohibits the disclosure of all proceedings, in India, the exemption is only to the limited extent of information that the court prohibits from being made public.
6.	Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[11]}	This is fairly similar for both lists.
7.	Confidential business information and/or internal policies and procedures.	No similar provision in Indian Law. This is encapsulated in the abovementioned provision	This is fairly similar in both lists.
8.	Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice.	Information, the disclosure of which would endanger the life or physical safety of any person or identify the source of information or assistance given in confidence for law enforcement or security purposes;^{^[12]}	This is fairly similar for both lists.
9.	Information subject to any kind of privilege, which might prejudice any investigation	Information, the disclosure of which would cause a breach of privilege of Parliament or the State Legislature^{^[13]}/Information which would impede the process of investigation or apprehension or prosecution of offenders;^{^[14]}	This is fairly similar in both lists.
10.	Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication.	No similar provision in Indian Law	This exclusion is not present in Indian law, and it is extremely broadly worded, coming in the way of full transparency.
11.	Information that relates in any way to the security and stability of the Internet	No similar provision in Indian Law	This is perhaps necessary to ICANN’s role as the IANA Functions Operator. However, given the large public interest in this matter, there should be some proviso to make information in this regard available to the public as well.
12.	Trade secrets and commercial and financial information not publicly disclosed by ICANN.	Information including commercial confidence, trade secrets or intellectual property, the disclosure of which would harm the competitive position of a third party, unless the competent authority is satisfied that larger public interest warrants the disclosure of such information;^{^[15]}	This is fairly similar in both cases.
13.	Information requests: ● which are not reasonable; ● which are excessive or overly burdensome ● complying with which is not feasible ● which are made with an abusive or vexatious purpose or by a vexatious or querulous individual.	No similar provision in Indian Law	Of all the DIDP exclusions, this is the one which is most loosely worded. The terms in this clause are not clearly defined, and it can effectively be used to deflect any request sought from ICANN because of its extreme subjectivity. What amounts to ‘reasonable’? Whom is the process going to ‘burden’? What lens does ICANN use to define a ‘vexatious’ purpose? Where do we look for answers?
14.	No similar provision in ICANN’s DIDP.	Information available to a person in his fiduciary relationship, unless the competent authority is satisfied that the larger public interest warrants the disclosure of such information;^{^[16]}	-
15.	No similar provision in ICANN’s DIDP.	Information which providing access to would involve an infringement of copyright subsisting in a person other than the State.^{^[17]}	-

Thus, the net cast by the DIDP exclusions policy is more vast than even than that of a democratic state’s transparency law. Clearly, the exclusions above have effectively allowed ICANN to dodge answers to most of the requests floating its way. One can only hope that ICANN realises that these exclusions come in the way of the transparency that they are so committed to, and does away with this unreasonably wide range on the road to the IANA Transition.

^{^[1]} https://www.icann.org/resources/pages/welcome-2012-02-25-en

^{^[2]} https://www.icann.org/resources/accountability

^{^[3]} https://www.icann.org/resources/pages/didp-2012-02-25-en

^{^[4]} Shekhar Singh, India: Grassroot Initiatives in Tʜᴇ Rɪɢʜᴛ ᴛᴏ Kɴᴏᴡ 19, 44 (Ann Florin ed., 2007)

^{^[5]} In a proviso, ICANN’s DIDP states that all these exemptions can be overridden if the larger public interest is higher. However, this has not yet been reflected in their responses to any DIDP requests.

^{^[6]} Section 8(1)(a), Right to Information Act, 2005.

^{^[7]} Section 8(1)(f), Right to Information Act, 2005.

^{^[8]} Section 8(1)(i), Right to Information Act, 2005.

^{^[9]} Section 8(1)(j), Right to Information Act, 2005.

^{^[10]} Section 8(1)(b), Right to Information Act, 2005.

^{^[11]} Section (1)(d), Right to Information Act, 2005

^{^[12]} Section 8(1)(g), Right to Information Act, 2005.

^{^[13]} Section 8(1)(c), Right to Information Act, 2005.

^{^[14]} Section 8(1)(h), Right to Information Act, 2005.

^{^[15]} Section (1)(d), Right to Information Act, 2005

^{^[16]} Section 8(1)(e), Right to Information Act, 2005.

^{^[17]} Section 9, Right to Information Act, 2005.

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icann2019s-didp

Peering behind the veil of ICANN's DIDP (II)

Padmini Baruah — 2015-10-15T03:14:18Z

In a previous blog post, I had introduced the concept of ICANN’s Documentary Information Disclosure Policy (“DIDP”) and their extremely vast grounds for non-disclosure. In this short post, I have made an analysis of every DIDP request that ICANN has ever responded to, to point out the flaws in their policy that need to be urgently remedied.

Read the previous blog post here. Every DIDP request that ICANN has ever responded to can be accessed here.

The table here is a comprehensive breakdown of all the different DIDP requests that ICANN has responded to. This table is to be read with this document, which has a numbered list of the different non-disclosure exceptions outlined in ICANN’s policy. What I sought to scrutinize was the number of times ICANN has provided satisfactory information, the number of times it has denied information, and the grounds for the same. What we found was alarming:

Of a total of 91 requests (as of 13/10/2015), ICANN has fully and positively responded to only 11.
It has responded partially to 47 of 91 requests, with some amount of information (usually that which is available as public records).
It has not responded at all to 33 of 91 requests.
The Non-Disclosure Clause (1)^{^[1]} has been invoked 17 times.
The Non-Disclosure Clause (2)^{^[2]} has been invoked 39 times.
The Non-Disclosure Clause (3)^{^[3]} has been invoked 31 times.
The Non-Disclosure Clause (4)^{^[4]} has been invoked 5 times.
The Non-Disclosure Clause (5)^{^[5]} has been invoked 34 times.
The Non-Disclosure Clause (6)^{^[6]} has been invoked 35 times.
The Non-Disclosure Clause (7)^{^[7]} has been invoked once.
The Non-Disclosure Clause (8)^{^[8]} has been invoked 22 times.
The Non-Disclosure Clause (9)^{^[9]} has been invoked 30 times.
The Non-Disclosure Clause (10)^{^[10]} has been invoked 10 times.
The Non-Disclosure Clause (11)^{^[11]} has been invoked 12 times.
The Non-Disclosure Clause (12)^{^[12]} has been invoked 18 times.

This data is disturbing because it reveals that ICANN has in practice been able to deflect most requests for information. It regularly utilised its internal processes and discussions with stakeholders clauses, as well as clauses on protecting financial interests of third parties (over 50% of the total non-disclosure clauses ever invoked - see chart below) to do away with having to provide information on pertinent matters such as its compliance audits and reports of abuse to registrars. We believe that even if ICANN is a private entity legally, and not at the same level as a state, it nonetheless plays the role of regulating an enormous public good, namely the Internet. Therefore, there is a great onus on ICANN to be far more open about the information that they provide.

Finally, it is extremely disturbing that they have extended full disclosure to only 12% of the requests that they receive. An astonishing 88% of the requests have been denied, partly or otherwise. Therefore, it is clear that there is a failure on part of ICANN to uphold the transparency it claims to stand for, and this needs to be remedied at the earliest.

^{^[1]} “Information provided by or to a government or international organization, or any form of recitation of such information, in the expectation that the information will be kept confidential and/or would or likely would materially prejudice ICANN's relationship with that party”

^{^[2]} “Internal information that, if disclosed, would or would be likely to compromise the integrity of ICANN's deliberative and decision-making process by inhibiting the candid exchange of ideas and communications, including internal documents, memoranda, and other similar communications to or from ICANN Directors, ICANN Directors' Advisors, ICANN staff, ICANN consultants, ICANN contractors, and ICANN agents”

^{^[3]} “Information exchanged, prepared for, or derived from the deliberative and decision-making process between ICANN, its constituents, and/or other entities with which ICANN cooperates that, if disclosed, would or would be likely to compromise the integrity of the deliberative and decision-making process between and among ICANN, its constituents, and/or other entities with which ICANN cooperates by inhibiting the candid exchange of ideas and communications”

^{^[4]} “Personnel, medical, contractual, remuneration, and similar records relating to an individual's personal information, when the disclosure of such information would or likely would constitute an invasion of personal privacy, as well as proceedings of internal appeal mechanisms and investigations”

^{^[5]} “Information provided to ICANN by a party that, if disclosed, would or would be likely to materially prejudice the commercial interests, financial interests, and/or competitive position of such party or was provided to ICANN pursuant to a nondisclosure agreement or nondisclosure provision within an agreement”

^{^[6]} “Confidential business information and/or internal policies and procedures”

^{^[7]} “Information that, if disclosed, would or would be likely to endanger the life, health, or safety of any individual or materially prejudice the administration of justice”

^{^[8]} “Information subject to the attorney– client, attorney work product privilege, or any other applicable privilege, or disclosure of which might prejudice any internal, governmental, or legal investigation”

^{^[9]} “Drafts of all correspondence, reports, documents, agreements, contracts, emails, or any other forms of communication”

^{^[10]} “Information that relates in any way to the security and stability of the Internet, including the operation of the L Root or any changes, modifications, or additions to the root zone”

^{^[11]} “Trade secrets and commercial and financial information not publicly disclosed by ICANN”

^{^[12]} “Information requests: (i) which are not reasonable; (ii) which are excessive or overly burdensome; (iii) complying with which is not feasible; or (iv) are made with an abusive or vexatious purpose or by a vexatious or querulous individual”

For more details visit https://cis-india.org/internet-governance/blog/peering-behind-the-veil-of-icanns-didp-ii

Peeping Toms In Your Inbox

praskrishna — 2011-04-02T11:42:11Z

Nothing’s safe any more—not your mobile number, nor your e-mail—as they’re put on offer for the benefit of telemarketers, writes Namrata Joshi and Neha Bhatt in an article published in the Outlook.

It was Saturday morning and Sneha Gupta wanted to book a table for dinner at a Delhi restaurant called Rodeo. So she called up a telephone directory service and procured the restaurant’s phone number, firmly nixing the operator’s seemingly casual offer to also provide numbers of similar restaurants. But that wasn’t the end of the story. The next day, Sunday brunch with her extended family was interrupted by calls from sundry restaurants enquiring if she’d be interested in hosting parties and events—at a discount.

“Instead of enjoying the food, the company and the conversation, I was busy ticking off these guys. Why were they assuming I wanted to organise a party? How did they get my mobile number to blatantly infringe on my private family time?” asks Sneha. She got no answers from them, but the sequence of events is clear: the telephone directory service sold Sneha’s contact details to marketers who broadly assumed, from her Rodeo outing, that she was a party animal, and decided to bombard her with similar offers.

Something similar happened to media professional Raghav Agarwal. He paid off his bank loan for a car in two-and-a-half years instead of the stipulated five, happy to stop living off credit. But from the next day, he was inundated with calls offering him bigger and better credit for everything—from house to car to education. “It was awfully distracting to deal with this while trying to meet deadlines,” he recounts. The fact that he had paid back the loan ahead of time had, by hook or by crook, reached financial outfits who used the information to serenade what they saw as an attractive catch.

For Kuhu Tanvir, these attentions come laced with a hint of menace. The film student was startled to find herself receiving unsolicited calls from unknown vendors offering to maintain the water purifier installed in the recesses of her kitchen. “It’s scary to think,” she says, “that there are people out there who even know which products you’ve bought for your house.” It was equally unnerving for film producer Gaurang Jalan to have his personal details passed on to data-miners by none other than a prominent Calcutta club (“strangers now call you on your birthday, offering schemes”). All those out there accosted by calls offering car insurance just at the time their policy is up for renewal will know exactly how they felt....

8 Ways In Which You’re Being Intruded Upon

Privacy is being redefined in India, with the lines between the public and the private blurring not just for celebrities but also for ordinary citizens...
Personal details like your phone number, date of birth, credit history, bank loans, insurance policies, white goods purchases, favourite restaurants and nightclubs are bought and sold among cellphone operators, banks, shops, telephone directory services, credit card companies, hospitals, hotels, elite clubs and even your locality’s residents’ welfare association.
Unsolicited telemarketing calls, spam SMSes and e-mails intrude incessantly on your private space, time
Your online purchases and searches, archived e-mails and documents are being tracked for marketing purposes. Social networking groups and search engines stand accused of sharing user information and contact details.
Personal pictures, information about relationships on social networking sites are being misused by online predators and molesters.
Identity theft is fast emerging as a threat.
Surveillance cameras and intrusive frisking have become a way of life, at airports, cinema halls, malls, hospitals, hotels, etc.
TV cameras and sting operations blur the line between individual privacy and public interest.
People encouraged and offered inducements to bare all about their lives on TV. Shows like Emotional Atyachar, Splitsvilla, Truth Love Cash play out individual dating rituals and infidelity games for the masses.

7 Steps You Can Take To Protect Yourself

Give out your mobile number cautiously, if at all; don’t print it on the visiting cards you hand out generously. Give only your landline number if you have to, to avoid being constantly disturbed.
Be wary of filling in random forms at retail stores and restaurants, or the gift voucher you’re offered in return for your friends’ names and phone numbers.
Be alert while shopping with your debit or credit card. The retailer may be also swiping the card on his computer to feed your contact information into it.
Even though the Do Not Call facility has not worked for a majority of users, you lose nothing by registering for it on www.donotcall.gov. You can’t complain about unsolicited calls unless you register.
Online, be cautious of the personal information you reveal, such as your date of birth and photographs, which make you especially vulnerable to identity theft. Use Google dashboard and the new Facebook privacy settings to protect yourself.
Get the latest browser that allows you to delete cookies-as-you-go, delete your browsing history regularly, learn to encrypt your e-mail.
Always read privacy clauses in bank and other forms, and on websites carefully, and remember to tick opt-out boxes if you don’t want to be besieged with new product information.

For celebrities, the lines between the private and the public have always been blurred. But in a transforming India, ordinary people like Sneha, Raghav, Kuhu and Gaurang are finding themselves intruded upon in newer ways—from the trivial to the serious—and across varied platforms, from the mobile phone to the internet, TV to the surveillance camera. And, with citizens like them mostly dimly aware of how to safeguard, renegotiate or fight for their right to privacy—enshrined in the Constitution, but vaguely defined—in a changing world, and no effective laws to rein in those who violate it, the infringements and threats are set to increase.

Take telemarketing, perhaps the most insistent manifestation today of this marauding culture. It started out as an irritant, became a nuisance and is now a virtually unchecked invasion. “In the West, telemarketing is an unobtrusive experience thanks to opt-in services by which users get calls only if they ask for them. Moreover, governments discourage telemarketers through strict regulations. In India, it’s a menace,” says Supreme Court advocate Harsh Pathak, who has litigated against telemarketing calls and the sale of personal data to companies.

Indeed, you can chart an entire day in your life with these intrusions as markers. You get woken up with the SMS: “Hare Krishna. Today is Ekadashi. Fasting from grains and beens (sic). Chant Hare Krishna mahamantra 25 rounds (sic) and be happy. Hari bol.” Through the day, they keep coming, both SMSes and human voices, trying to sell you everything from houses and farmland to hotel deals, sauna belts, equity tips and public speaking skills. And, if you happen to be even an occasional club-hopper, your phone could carry on beeping till two or three am, with SMSes announcing the next gig in town.

It’s clear from this virtually round-the-clock barrage that our personal lives are up for sale in an aggressive marketing-driven environment. Be it telecom companies, banks, shops, credit card firms, DVD rental libraries, insurance, auto dealers, clubs or hotels, they all profit from sharing personal information—phone numbers, credit history, spending patterns, shopping preferences and much else—about their customers. “The irony is that the corporate world has no accountability or transparency in India but the public has turned transparent for them,” says media analyst and columnist Sudheesh Pachauri.

Those often identified as the prime offenders in this game are quick to shrug off blame, or not respond, as Outlook found. ICICI Bank could not “participate in this story”, Airtel declined comment while Vodafone did not respond at all. Rajat Mukarji, chief corporate officer, Idea Cellular, who did respond, said phone companies were unfairly blamed for unsolicited calls. “Such data is available everywhere now, you can buy it off the Net for Rs 150,” he argued. HDFC Bank’s chief information security officer Vishal Salvi also stoutly denies that databases are sold, and when asked why existing customers are deluged with new product and service offers, says: “It only happens on a need-to-know, need-to-do-basis.” That’s the theory, but in practice, many customers find that the “need” seems to be defined by the banks, not their clients.

So where does that leave the consumer? Well, says Bangalore-based freelance writer and photographer Darshan Manakkal, “On a good day, I plead with the telemarketer to never call me again. With the more persistent ones, I try a different approach, like putting them on hold while I go for a bath. On really bad days, I just abuse them.” Others, like Chennai professional P.K. Pradeep, who shared with us pages upon pages of (extremely polite) e-mails to Airtel and Vodafone requesting them to halt unsolicited calls and SMSes, have been more persistent, but have achieved little beyond the robotic response, “We’re looking into it.”

Signing up, along with some 66 million souls, at the National Do Not Call (NDNC) Registry set up in October 2007, provided no protection to Pradeep, nor did changing phone numbers. “I got a new number from Vodafone recently, and would you believe it, the very next day I was bombarded with promotional messages. They had clearly passed on my number,” he says. The NDNC of the Telecom Regulatory Authority of India (TRAI) is now widely acknowledged as a failure. There was a brief dip in calls, but they resumed with renewed gusto. You could get lost in the maze of explanations for why NDNC doesn’t work; what’s clear, though, is that it has no capacity to deal with telemarketers who fail to register with it—like all those unknown real estate companies who bombard you with SMSes—and little teeth to deal with those who do. Fines are laughably minuscule—ranging from Rs 500 to Rs 1,000—and the threat of disconnecting a telemarketer’s line is an empty one when it can quickly sign up and assault consumers from another connection. In view of its failure, a Do Call registry has been mooted, on the more consumer-friendly principle that those who want to be called should opt in rather than opt out. Consultations are on but its future shape is still unclear, with telecom companies (no surprise there) opposed to it. “We have gone far with dnc. To now backtrack and try something new doesn’t seem feasible,” says Mukarji.

“The whole problem of unregistered telemarketers will continue and telecom companies will go on blaming them,” S. Saroja, legal coordinator for the Chennai-based Citizen Consumer and Civic Action Group, predicts pessimistically. The group has tried, to no avail, to get phone companies to trace bulk SMSes, which she maintains are easily traceable. “Telemarketing is a Rs 50,000-crore industry and growing at 20 per cent every year. Nobody wants to upset it as everybody is making money out of it, including the government,” says Supreme Court advocate Nivedita Sharma, who has fought her own battles against the sale of privacy.

Meanwhile, an expanding online world is throwing up its own challenges. By 2013, according to some estimates, India will have the third-largest internet user base in the world. Already, with 50 million-plus users and growing, it is a magnet for marketers, who as we know—without perhaps fully internalising the fact—avidly follow the telltale digital pugmarks and trails we leave on the Net as we e-mail, search, shop and obsessively communicate with each other on platforms like Facebook and Twitter.

These spaces on the Net, and their counterparts on other media, seem to be drawing us into an open, sharing, even confessional, culture, without our being fully aware of our vulnerability. We occasionally get intimations of it—like when our e-mail account is hacked into and bizarre mail sent out on our behalf; our Facebook pictures downloaded and their obscene versions floated on Orkut, as happened to two Delhi airhostesses recently; or vicious, revealing comments on our personal lives posted amid the banter on our favourite chat sites.

However, as media analysts point out, there is little push in the Indian environment to do what Western users of Facebook did recently: forcing it to change privacy policies and settings by protesting against its inadequate privacy controls. Here too, as with telemarketing, the regulatory environment is missing.

“In India, there are no regulatory bodies related to online privacy concerns like in the US and Canada where there are privacy commissions which force corporations to make changes in their privacy policy in the interest of citizens,” says Sunil Abraham, executive director, the Centre for Internet and Society, Bangalore.

But individuals are to blame too. Saad Akhtar of naukri.com points out: “We don’t even read the fine print on privacy policies on websites, not realising that a lot of the data we upload even on Indian social networking websites becomes their property, which they can share with advertisers.”

Indeed, Akhila Sivadas of the Centre for Advocacy and Research, says that privacy issues are creating a cultural crisis of sorts, with no understanding of them, leave alone resolution. “Privacy is something that has been negotiated in a personal, intimate, micro universe. We have drawn our individual lakshman rekhas. But we have not debated on privacy norms as a society in a public space, which is very significant in the wake of how the mass media and social networking media is exploding in our country,” she says. It’s leading to an uneasy blend of the very closed and guarded, and the extremely open and no-holds-barred in our society. “There is no robust normative system in place, and corporate entities are exploiting that void,” she says. “The market is primed to take advantage and exploit existing conditions for profit. We are allowing the market to overreach itself,” agrees adman and social commentator Santosh Desai.

So what should be done? Obviously, the R-word—regulation—is critical, and hopefully, the cry for it from the ground will become stronger, as intrusions gather apace. But it would help for consumers to get smarter. Some of the questions to ask ourselves are: should I really be patronising a phone directory service, as Sneha did, that states that it shares information with third-party members and is not responsible for that information being misused by third parties? Should I hand out my visiting card, with my mobile number on it, to all and sundry? Should I reflexively press the “I agree to the terms & conditions” button while signing up for net services without reading the fine print? As Desai puts it, we need to be “mindful, suspicious and careful”. Without, of course, descending into paranoia. The irony, getting sharper and sharper in our lives, is that the very platforms that are used to invade our privacy also enrich our lives in manifold ways.

Read the original article in Outlook

For more details visit https://cis-india.org/news/peeping-toms-in-inbox

Paytm Payments Bank woos corporates with digital incentives

Admin — 2018-01-24T23:52:36Z

Offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank, says Paytm Payments Bank CEO Renu Satti.

The article was published by Komal Gupta and Remya Nair was published in Livemint on January 24, 2018

Looking to tap the ready customer base of salary accounts, Paytm Payments Bank is trying to attract corporate entities with digital offerings such as food and gift wallets for their employees.

The bank has set a target of reaching a customer base of 500 million over the next 2-3 years, managing director and chief executive Renu Satti said in an interview. The bank claims to have 170 million customers, including those using the Paytm e-wallet.

Satti said the offerings will be an incentive to companies already using Paytm e-wallet services to shift employees’ salary accounts to the bank. Around 500 corporate entities are using e-wallet services.

“These corporate offerings will ensure better accountability and convenience for both the employers and employees,” she said, giving the example of food wallets which are automatically debited when a customer buys food, due to the tagging of merchants done at the back-end by Paytm.

“We even offer customisation to the extent of restricting usage of food wallet to specific merchants like office cafeterias, basis requirement,” Satti said.

Food vouchers and gift coupons have been typically issued in a physical form by corporate entities, earlier as paper coupons and now as prepaid cards.

Paytm Payments Bank offers customers the convenience of using their food and gift wallets through the app across the merchant base of Paytm, Satti said. “It doesn’t require any card, which also does away with issues such as loss of card and expiry of coupons, plus avail the benefits of cashback running on any Paytm merchant,” she added.

Last week, Paytm Payments Bank launched physical debit cards for its customers to facilitate account holders to withdraw cash from ATMs and make offline payments. Hitherto, the bank had been issuing virtual debit cards which could only be used for online payments.

The bank also plans to set up around 100,000 banking outlets across the country in the next one year to cater largely to under-banked rural areas.

The list of these outlets will be available on the bank’s website where the customer will be able to access a range of services including net banking, National Electronic Funds Transfer (NEFT), Immediate Payment Service (IMPS) and Unified Payments Interface (UPI). There will be monetary incentives for these correspondents for every transaction they perform for the customer. These outlets could be a local kirana store or a chemist shop, Satti said.

“We will follow a stringent process to shortlist merchants. There will be screening, quality check, physical check to ensure whether the place is actually authorized to run a business,” she said.

The bank plans to onboard some from the existing merchant networks using Paytm wallets while others will be from areas where there is no Paytm presence as of now.

More than 6 million merchants are already a part of the Paytm ecosystem, primarily using wallet services.

Paytm Payments Bank was launched in November after receiving a payments bank license from RBI in January last year. Vijay Shekhar Sharma, founder of One97 Communications, holds the majority share in Paytm Payments Bank, with the rest being held by One97 Communications.

The bank currently has no minimum balance requirements and offers 4% interest on savings deposits. India has three other operational payment banks—Airtel Payments Bank, India Post Payments Bank and Fino Payments Bank. “The traditional banks that offer customized corporate services to its customers having a high amount of deposits would face competition from payments banks. They will have no other option but to offer those services to customers with deposits at the Payments bank limits, to stay relevant in the market,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank.

“Also, as a payment company, Paytm has data pertaining to the spending patterns of customers which help it be more competitive in the market,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-remya-nair-january-24-2018-paytm-payments-bank-woos-corporates-with-digital-incentives

Patanjali's Kimbho swiftly retreats over security scare, ripped on Twitter

Admin — 2018-06-01T14:15:44Z

Swadeshi" messaging app targeted at WhatsApp taken off from app stores hours after launch.

The article by Alnoor Peermohamed and Manavi Kapur was published in the Business Standard on May 31, 2018. Gurshabad Grover was quoted.

The fate of Patanjali’s “swadeshi” instant messaging app Kimbho was sealed in the span of just a few hours, thanks to viral messages being shared on Facebook-owned WhatsApp, the app that the Baba Ramdev-promoted company was trying to combat.

Patanjali on Thursday launched Kimbho with the sole intent of checking the rise of messaging giant WhatsApp in India. However, after Kimbho’s various data vulnerabilities were exposed by the security expert and whistleblower who goes by the pseudonym Elliot Alderson on Twitter, the app made a quiet exit from Google’s Play Store.

Jokes surrounding the app’s quick retreat spread like wildfire on rival platform WhatsApp. It was perhaps the quickest rise and fall in the popularity of a mobile application.

Alderson, who has exposed data breaches in the UIDAI’s website, took to Twitter to rip apart the Kimbho app. “This @KimbhoApp is a joke, next time before making press statements, hire competent developers... If it is not clear, for the moment don't install this app,” he wrote. His next tweet sent alarm bells ringing among users: “The #Kimbho #android #app is a security disaster. I can access the messages of all the users...”

Kimbho, though, claims that every message on its platform is encrypted by the Advance Encryption Standard and that it saves “no data on our servers or cloud”. But Alderson pointed out that the one-time password security could be worked around. “It's possible to choose a security code between 0001 and 9999 and send it to the number of your choice,” he tweeted. Kimbho, explained as a Sanskrit greeting by S K Tijarawala, Ramdev’s spokerperson, on Twitter, is also a patched-up application over the existing Bolo messaging app.

This is most likely the reason the app was taken off the Google Play Store. “There were basic authentication and authorisation related vulnerabilities where an end user can see the data of other users. These flaws may be the reason the developers took down the app. Google flags such things,” said Anand Prakash, a Bengaluru-based ethical hacker.

“WhatsApp uses end-to-end encryption that essentially means even they can’t access the messages you send. But Kimbho, on the other hand, was not using end-to-end security and probably even saving every message as plain text on its server,” adds Gurshabad Grover, policy officer at the Centre for Internet and Society.

Google did not respond to queries about whether the developer took the app down or Google flagged it as unsecure. Kimbho declared on its Twitter handle that its app was removed from the Play Store because of heavy traffic, claiming that it was downloaded 150,000 times in a mere three hours since its launch.

On Apple’s App Store, it was trending in the social networking category at the fourth position in India, just below WhatsApp, Facebook and Facebook’s Messenger, and above popular messaging apps such as Skype, LinkedIn and hike messenger.

Tijarawala had announced Kimbho’s launch on Twitter, calling it an app developed by the “shishyas” (disciples) and “navdikshit sadhus” (newly ordained priests) of Ramdev and Acharya Balkrishna, managing director, Patanjali Ayurved and co-founder, Patanjali Yogpeeth in Haridwar. Tijarawala’s tweet also claimed that this app was built using “swadeshi” techniques, though what these are remains a mystery. Emails, text messages and calls to Tijarawala went unanswered.

In keeping with an “Indian” aesthetic, the app’s logo has a “shankh” (conch shell), perhaps signifying a war cry against foreign-born WhatsApp, which has over 200 million active users in India. The conch shell also blends well with Kimbho’s tag line, “Ab Bharat Bolega” (now India will speak). But that is where its tenuous Indianness begins to crumble.

While the app was registered as a product of Patanjali Ayurved on the Play Store, the developer on Apple’s App Store is Appdios Inc, a San Francisco-based app development company. Aditi Kamal and Sumit Kumar are this company’s founders according to LinkedIn. The duo has worked with technology giants such as Google and Apple and hold masters degrees from University of Southern California in the US. A blonde man features on the screenshots that the app has featured on its landing page on the App Store.

Taking forward Bolo’s keyboard suggestions, cheekily called “Quickies”, Kimbho offers pre-typed messages such as “hugs and kisses”, “what the heck” and “parents are watching”. Whether these millennial-friendly features and Kimbho itself are an attempt to get young millennials in touch with their “swadeshi” roots remains to be seen.

For more details visit https://cis-india.org/internet-governance/news/business-standard-manavi-kapur-alnoor-peermohamed-may-31-2018-patanjali-s-kimbho-swiftly-retreats-over-security-scare-ripped-on-twitter