The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 131 to 145.
Who is Following Me: Tracking the Trackers (IGF2012)
https://cis-india.org/news/who-is-following-me
<b>The Internet Society and the Council of Europe are co-organising a workshop at the IGF (Baku - 8 November 2012 - 09:00 - 10:30) regarding online tracking. Malavika Jayaram is a speaker.</b>
<p style="text-align: justify; ">Interest in online tracking as a policy issue spiked with the release of the Preliminary Federal Trade Commission Staff Report in December 2010 entitled <i>Protecting Consumer Privacy in an Era of Rapid Change – A Proposed Framework for Businesses and Policymakers</i> calling for a “do not track” mechanism, the launch of the W3C Tracking Protection Working Group and the recent entry into force of the so-called European “Cookie Directive” provisions. However, the actual and potential observation of individuals’ interactions online has long been a concern for privacy advocates and others.</p>
<p>Much of the policy attention is currently focused on cookies used to track users to build profiles for more targeted advertising, but some of the more difficult issues are:</p>
<ul class="rteindent1">
<li style="text-align: justify; "> How to deal with less-observable tracking (e.g. browser and/or device fingerprinting, monitoring of publicly disclosed information)</li>
<li style="text-align: justify; "> How to develop laws that accommodate different tracking scenarios – for example:
<ul>
<li> different entities (law enforcement, companies, etc.); </li>
<li> different and sometimes multiple purposes (security, personalising user experience, targeting advertising, malicious activity; etc.); </li>
<li> first-party and third-party tracking</li>
<li> single site and multiple site tracking</li>
</ul>
</li>
<li style="text-align: justify; "> Transparency (particularly on small mobile devices)</li>
<li style="text-align: justify; "> Whether a traditional consent model is sufficient and effective</li>
</ul>
<p>The panel:</p>
<ul class="rteindent1">
<li> Wendy Seltzer, Policy Council, World Wide Web Consortium (W3C)</li>
<li> Kimon Zorbas, Vice President, Interactive Advertising Bureau (IAB) Europe</li>
<li> Cornelia Kutterer, Director of Regulatory Policy, Corporate Affairs, LCA, Microsoft EMEA</li>
<li> Malavika Jayaram, partner at Jayaram & Jayaram, Bangalore</li>
<li> Shaundra Watson, Counsel for international consumer protection, USA Federal Trade Commission</li>
<li> Rob van Eijk, Council of Europe expert, Leiden University (PhD student)</li>
</ul>
<p>The moderators:</p>
<ul class="rteindent1">
<li> Christine Runnegar, Internet Society</li>
<li> Sophie Kwasny, Council of Europe</li>
</ul>
<p>The remote moderator:</p>
<ul class="rteindent1">
<li> James Lawson, Council of Europe</li>
</ul>
<p>This workshop will explore:</p>
<ul class="rteindent1">
<li> Current and emerging trends in online tracking (and their related purposes)</li>
<li> How to give individuals full knowledge of the tracking that occurs when they go online</li>
<li> Mechanisms to give individuals greater control over tracking and data use</li>
<li> The respective roles of all actors (government, law enforcement, Internet intermediaries, businesses, browser vendors, application developers, advertisers, data brokers, users, Internet technical community, etc.) </li>
<li> Whether effective data protection online can be ensured solely by law.</li>
<li> Whether self-regulation and voluntary consensus standards offer better options for tuning privacy choice to the rapidly advancing technology environment.</li>
</ul>
<p style="text-align: justify; ">Please read our <b><a href="http://www.internetsociety.org/sites/default/files/Tracking%20-%20Background%20paper%2020120711_0.pdf">background paper</a></b> and <a href="http://www.internetsociety.org/doc/who-following-me-tracking-trackers-part-2"><b>update</b></a></p>
<p>
For more details visit <a href='https://cis-india.org/news/who-is-following-me'>https://cis-india.org/news/who-is-following-me</a>
</p>
No publisher | praskrishna | Internet Governance Forum, Internet Governance | 2012-12-07T17:17:32Z | News Item
Debate on Section 66A rages on
https://cis-india.org/news/the-hindu-sci-tech-internet-december-10-2012-vasudha-venugopal-debate-on-section-66a
<b>Last week, a reputed BPO in Chennai took down its Facebook page and introduced stricter moderation for posts on its bulletin board. </b>
<hr />
<p style="text-align: justify; ">Vasudha Venugopal's article was <a class="external-link" href="http://www.thehindu.com/sci-tech/internet/debate-on-section-66a-rages-on/article4181938.ece">published in the Hindu</a> on December 10, 2012. Pranesh Prakash is quoted.</p>
<hr />
<p style="text-align: justify; ">The measure, an official said, was aimed at avoiding any "callous remark by any employee." "We have discussions on many raging topics here, and we are just making sure the content is clean with no intended defamation."</p>
<p style="text-align: justify; ">The need to present only ‘unobjectionable content’ is just one off-shoot of a controversy that has gripped the country after at least five persons were arrested in recent months for posting their views online. But what started as an outcry by a few voices against the IT Act has now turned into a campaign against the constitutional validity of the Act itself. Last week also saw concerted protests to demand the repeal of Section 66A of the IT Act, under which most of the accused were booked. Human chains and protests were conducted in Chennai, Bangalore, Pune, Hyderabad, Guntur, Kakinada, Vijaywada, Visakhapatnam, Pune, Kozhikode and Kannur, among others.</p>
<p class="body" style="text-align: justify; ">In the past few months, the debate on the use of Section 66A in particular, and the Act in general, has gathered momentum. The arrests of Jadavpur University professor Ambikesh Mahapatra for circulating a cartoon lampooning West Bengal Chief Minister Mamata Banerjee; cartoonist Aseem Trivedi; businessman Ravi Srinivasan for tweets against Union Finance Minister P. Chidambaram’s son Karti Chidambaram; and the two girls in Maharashtra for criticising the bandh after Shiv Sena leader Bal Thackeray’s death have sparked popular anger.</p>
<p class="body" style="text-align: justify; ">“Public anger and media attention have been so strong that the government has been forced to retreat, which is a good first step,” says Alagunambi Welkin, president of the Free Software Foundation Tamil Nadu, which organised the protests in Chennai. "The next step would be to plug the loopholes in the IT Act. After all, this same government has declared in various international forums that it is all for promoting openness online."</p>
<p class="body" style="text-align: justify; ">Activists say that along with the increased pressure on the government, collecting information on cases of the misuse of the Act are the tasks that have to be fulfilled immediately. Human rights activist A. Marx, who has filed a public interest litigation petition against Section 66A, says the selective application of the law is very troubling. From a broader perspective though, this is also an issue of global proportions. Recently, a man in the U.K. was jailed for 18 months after he was found guilty of posting abusive messages on an online memorial. In July this year, a young Moroccan was arrested in Casablanca on the charge of posting “insulting caricatures of the Prophet Mohammed on Facebook.”</p>
<p class="body" style="text-align: justify; ">As recently as Tuesday, a Shenzhen resident was arrested for posting a letter online, accusing a senior village official of corruption, and last week, a man in Kent was arrested for posting an image of a burning poppy on a social network site.</p>
<p class="body" style="text-align: justify; ">However, Pranesh Prakash, policy director, Centre For Internet And Society, Bangalore, notes that the more problematic parts in India’s laws are ones that result from adaptation. India’s own adaptation of the U.K. law, for instance, considerably increases punishment from six months to three years. However, if it is any consolation, there are voices worldwide being raised on this issue. Till last week, Google’s search page had a message: "Love the free and open Internet? Tell the world’s governments to keep it that way," and a link for comments directed to the Dubai conference, which will see wide-ranging discussions and key decisions on global internet governance.</p>
<p>
For more details visit <a href='https://cis-india.org/news/the-hindu-sci-tech-internet-december-10-2012-vasudha-venugopal-debate-on-section-66a'>https://cis-india.org/news/the-hindu-sci-tech-internet-december-10-2012-vasudha-venugopal-debate-on-section-66a</a>
</p>
No publisher | praskrishna | IT Act, Internet Governance, Public Accountability | 2012-12-10T09:44:31Z | News Item
New rules leave social media users vulnerable: Experts
https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable
<b>They analyse the implications of the government vs Twitter controversy on individual privacy</b>
<p>The article by Krupa Joseph was <a class="external-link" href="https://www.deccanherald.com/metrolife/metrolife-your-bond-with-bengaluru/new-rules-leave-social-media-users-vulnerable-experts-993460.html">published in the Deccan Herald</a> on 10 June 2021. Torsha Sarkar has been quoted.</p>
<hr />
<p style="text-align: justify; ">The government had notified the changes on February 25, and allowed social media companies three months to comply. Twitter and WhatsApp had then separately approached the Delhi High Court against the new regulations, fearing they could compromise user privacy.</p>
<p class="Default" style="text-align: justify; ">On Monday, the court gave Twitter three weeks to file a response to the government’s charge that it had not appointed a grievance officer as claimed.</p>
<p class="Default"><strong>Vague rules</strong></p>
<p class="Default" style="text-align: justify; ">Karthik Srinivasan, communications consultant, who uses his blog Beast of Traal to comment on social media, says the new rules are “vague and open-ended”.</p>
<p class="Default" style="text-align: justify; ">“Coupled with the fact that we still do not have a data protection law, the rules could be severely misused both by government and private entities,” he says.</p>
<p class="Default" style="text-align: justify; ">Users are particularly vulnerable in a country where anything and everything offends a lot of people, he says.</p>
<p class="Default"><strong>Law overreach</strong></p>
<p class="Default" style="text-align: justify; ">Torsha Sarkar, researcher with the Centre for Internet and Society, says the rules introduce additional obligations for social media platforms and classify intermediaries.</p>
<p style="text-align: justify; ">“Intermediaries with over five million users would have obligations to introduce traceability, instal automated filtering, provide detailed grievance redressal mechanisms, and publish compliance <span> reports detailing action taken on takedown orders,” she says.</span></p>
<p class="Default" style="text-align: justify; ">While some of these obligations are similar to those laid down internationally, some alterations are causing concern. The traceability requirement, for example, is highly contentious as it would erode user privacy.</p>
<p class="Default" style="text-align: justify; ">“It is also concerning that the user threshold, for a country like India, with such vast Internet usage, is set at a very low level. This means that even smaller social media platforms might be compelled to carry out economically crippling obligations,” she explains.</p>
<p class="Default" style="text-align: justify; ">The legislative overreach is seen in how the initial draft, which only covered entities like Twitter and Facebook, now seeks to cover digital news media and content curators like Netflix and Hulu, she says.</p>
<p class="Default">Stretching the scope of the legislation this way is undemocratic since it was not subject to any public consultation, she notes.</p>
<p class="Default"><b>Case in High Court</b></p>
<p class="Default" style="text-align: justify; ">Mishi Choudhary, technology lawyer and founder of SFLC.in, a legal services organisation specialising in law, technology and policy, says the IT rules notified by the government are unconstitutional. “In the garb of addressing misinformation and regulating technology companies, the government has been exceeding the powers granted through subordinate legislation and using it for political purposes,” she says. It is on these grounds that the Free and Open Source Software community has challenged the new rules in the Kerala High Court. “Technology companies need regulation but not at the expense of user rights,” she says.</p>
<p class="Default"><b>Congress </b><span>‘</span><b>toolkit</b><span>’ </span><b>row</b></p>
<p style="text-align: justify; ">A few weeks after social media platforms were asked to take down posts critical of the government’s management of India’s Covid-19 crisis, Twitter once again found itself at the receiving end. Last week, Twitter labelled a tweet by BJP leader Sambit Patra, accusing the Congress of working with a ‘toolkit’, as ‘manipulated media’. Twitter says it gives the label to tweets that include media (videos, audio, and images) that are “deceptively altered or fabricated”. The Delhi police then sent a notice to Twitter in this connection and asked the micro-blogging site to explain the reasons for assigning the tag. The police also conducted raids on Twitter offices in India. Things escalated when Twitter said the government was intimidating it. The government hit back saying law-making was its privilege, and Twitter, being a social media platform, should not dictate legal policy framework.</p>
<p class="Default"><b>New rules</b></p>
<p class="Default" style="text-align: justify; ">Under the new IT rules, social media companies like Facebook, WhatsApp and Twitter will be responsible for identifying the originator of a flagged message within 36 hours. They also have to appoint a chief compliance officer, a nodal contact person and a resident grievance officer. Failing to comply with these rules would cause the platforms to lose their status as intermediaries, and make them liable for whatever is posted on their platforms.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable'>https://cis-india.org/internet-governance/news/deccan-herald-krupa-joseph-june-10-2021-new-rules-leave-social-media-users-vulnerable</a>
</p>
No publisher | Krupa Joseph | Freedom of Speech and Expression, Social Media, Internet Governance | 2021-06-14T11:27:53Z | News Item
The All India Privacy Symposium: Conference Report
https://cis-india.org/internet-governance/all-india-privacy-delhi-report
<b>Privacy India, the Centre for Internet and Society and Society in Action Group, with support from the International Development Research Centre, Privacy International and Commonwealth Human Rights Initiative had organised the All India Privacy Symposium at the India International Centre in New Delhi, on February 4, 2012. Natasha Vaz reports about the event.</b>
<p>The symposium was organized around five thematic panel discussions:<br />
Panel 1: Privacy and Transparency<br />
Panel 2: Privacy and E-Governance Initiatives<br />
Panel 3: Privacy and National Security<br />
Panel 4: Privacy and Banking<br />
Panel 5: Privacy and Health</p>
<h2>Introduction</h2>
<p>Elonnai Hickok (Policy Advocate, Privacy India) introduced the
objectives of Privacy India. The primary objectives were to raise
national awareness about privacy, do an in-depth study of privacy in
India and provide feedback on the proposed ‘Right to Privacy’ Bill.
Privacy India has reviewed case laws, legislations, including the
upcoming policy and conducted state-level privacy workshops and
consultations across India in Kolkata, Bangalore, Ahmedabad, Guwahati,
Chennai, and Mumbai. India like the rest of the world is answering some
fundamental questions about the powers of the government and citizen’s
rights and complications that arise from emerging technologies. Through
our research we have come to understand that privacy varies across
cultures and contexts, and there is no one concept of privacy but
instead several distinct core notions that serve as complex duties,
claims and obligations. </p>
<h2>Privacy and Transparency</h2>
<p>Panelists: Ponnurangam K (Assistant Professor, IIIT New Delhi),
Chitra Ahanthem (Journalist, Imphal), Nikhil Dey (Social & Political
Activist), Deepak Maheshwari (Director, Corporate Affairs, Microsoft),
Gus Hosein (Executive Director, Privacy International, UK), and Prashant
Bhushan, (Senior Advocate, Supreme Court of India).<br />
Moderator: Sunil Abraham (Executive Director, Centre for Internet and Society, Bangalore) <br />
Poster: Srishti Goyal (Law Student, NUJS)</p>
<p>Srishti Goyal provided the general contours, privacy protections,
limits to privacy and loopholes of policy relating to transparency and
privacy, specifically analyzing the Right to Information Act, Public
Interest Disclosures Act, and the Official Secrets Act.</p>
<p>Nikhil Dey commented on the interaction between the right to privacy
and the right to information (RTI). He referred to Gopal Gandhi, the
former Governor of West Bengal, “we must ensure that tools like the UID
must help the citizen watch every move of government; not allow the
government watch every move of the citizen.” Currently, the RTI and the
UID stand on contrary sides of the information debate. A privacy law
could allow for a backdoor to curb RTI. So, utmost care has to be taken
while drafting legislation with respect to right to privacy.</p>
<table class="plain">
<tbody>
<tr>
<td align="center"><img src="https://cis-india.org/home-images/1.JPG/image_preview" alt="p1" class="image-inline image-inline" title="p1" /></td>
<td>Data and information has leaked furiously in India and it has leaked
to the powerful. A person who is in a position of power can access
private information irrespective of any laws in place to safeguard
privacy. It is necessary to look at the power dynamics, which exists in
the society before formulating legislation on right to privacy.
According to Nikhil Dey, there should be different standards of privacy
with respect to public servants. A citizen should be entitled to
information related to funds, functions and functionaries. The main
problem arises while defining the private space of a public servant or
functionaries.<br /><br />The RTI Act has failed to address the legal protection for the right
to privacy. Perhaps, rules regarding privacy can be added to the Act. It
can be defined by answering the questions: (i) what is ‘personal
information’? (ii) what is its relation to public activity or public
interest? (iii) what is the unwarranted invasion of the privacy of an
individual? and (iv) what is the larger public good? Expanding on these
four points can provide greater legal protection for the right to
privacy. <br /></td>
</tr>
</tbody>
</table>
<p>Gus Hosein described the intersection and interaction of the right to
information and the right to privacy. He referred to a petition filed by
Privacy International requesting information on the expenses of members
of parliament. Privacy and transparency of the government are
compatible in the public interest. Gross abuse of the public funds by
MPs was revealed by this particular petition such as pornography or
cleaning of moats of MPs homes. Privacy advocates are supporters of RTI,
however, it cannot be denied that there is no tension between
transparency and privacy. In order to chalk out the differences, there is a
need for a legal framework. According to Gus Hosein, in many countries
the government office that deals with right to information also deals
with cases related to right to privacy.</p>
<p>Mumbai and New Delhi police have started using social media very
aggressively, encouraging citizens to take photographs of traffic
violations and upload them to Facebook or Twitter. In reference to this,
Ponnurangam described the perceptions of privacy and whether they agreed or
conflicted with his research findings. Ponnurangam has empirically
explored the awareness and perspective of privacy in India with respect
to other countries. He conducted a privacy survey in Hyderabad, Chennai
and Mumbai. People are very comfortable in posting pictures of others
committing a traffic violation or running a red light. Ironically, many
people have posted pictures of police officers committing a traffic
violation such as not wearing a helmet or running a red light.<br />
<br />
Chitra Ahanthem described the barriers and challenges of using RTI in
Manipur. There are more than 40 armed militia groups, which are banned
by the central and state government. The central government provides
economic packages for the development of the north-east region. However,
the state government officials and armed groups pocket the economic
packages. These armed groups have imposed a ban on RTI. Furthermore,
Manipur is a very small community. If people try and access information
through RTI they risk getting threatened by the Panchayat members and
being ostracized from the community or their clan. <br />
<br />
People are apprehensive about filing RTI because they believe that these
procedures are costly and the police and government may also get
involved. Officials use the privacy plea to avoid giving out
information. Since certain information is private and not in the public
domain, government officials use the defense of privacy to hide
information. In addition, the police brutality prevalent in the area
deters people from even interacting with government officials. <br />
<br />
According to Deepak Maheshwari, the open data initiative is a subset
within the larger context of open information. There is an onus on the
government to publish information, which is in the public domain. As a
result, one does not necessarily have to go through the entire process
of filing an RTI to get information, which is already there in the
public domain. Moreover, if it is freely available in public domain,
then one can anonymously access such information; this further
strengthens the privacy aspects of requesting information and
facilitating anonymity with respect to access to such information in the
public domain. It should also be noted that it is not sufficient to put
data out in the public domain; the basis of the data should also be
disclosed. For example, if data is represented in a pie chart, the data
that was used to arrive at the pie chart should also be
available in the public domain. The main intention of releasing data to
the public domain or having open data standards should not only be to
provide access to such data but also should be in such a fashion so as
to enable people to use the data for multiple purposes.</p>
<p>Prashant Bhushan noted that one of the grounds for withholding
information in the RTI Act is privacy. An RTI officer can disclose
personal information if he feels that larger public interest warrants
the disclosure, even if it is personal information, which has no
relationship to public activity or interest. This raises the important
question, “what constitutes personal information?” He referred to the
Radia Tapes controversy. Ratan Tata has filed a petition in the Supreme
Court on the grounds that the Nira Radia tapes contained personal
information and that the release of these tapes into the public domain
violated his privacy. The Centre for Public Interest Litigation has
filed a counter petition on the grounds that the nature of the
conversations was not personal but in relation to public activity. They
were between a lobbyist and bureaucrats, journalists and ministers.
Prashant Bhushan stressed the importance of releasing these tapes into
the public domain to show glimpses of all kinds of fixing, deal-making
and show how the whole ruling establishment functions. It is absurd for
Ratan Tata to claim that this is an invasion of privacy. Lastly, he felt
when drafting a privacy law, clearly defining and distinguishing
personal information and public is extremely important.</p>
<p>One of the interesting comments made during the panel was on the
assumption that data is transparent. Transparency can be staged;
questions have to be asked around whether the word is itself
transparent.</p>
<h2>Privacy and E-Governance Initiatives</h2>
<p>Panelists: Anant Maringanti, (Independent Social Researcher), Usha
Ramanathan, (Advocate & Social Activist), Gus Hosein, (Executive
Director, Privacy International, UK), Apar Gupta, (Advocate, Supreme
Court of India), and Elida Kristine Undrum Jacobsen (Doctoral
Researcher, The Peace Research Institute Oslo).<br />
Moderator: Sudhir Krishnaswamy (Centre for Law and Policy Research)<br />
Poster: Adrija Das (Law Student, NUJS)</p>
<p>Adrija Das discussed the legal provision relating to identity
projects and e-governance initiatives in India. The objective of any
e-governance project is to increase efficiency and accessibility of
public services. However, a major problem that arises is that the linkage of
the data results in the creation of a central database, accessible by
every department of the government. Furthermore, implementing data
protection and security standards is very expensive.</p>
<p>Sudhir Krishnaswamy highlighted the default assumptions surrounding
e-governance initiatives: e-governance initiatives solve governance
problems, increase efficiency, increase transparency and increase
accountability. It is important to analyze the problems that arise from
e-governance initiatives, such as privacy. </p>
<table class="plain">
<tbody>
<tr>
<td>Usha Ramanathan described the increased number and vastness of
e-governance initiatives such as UID, NPR, IT Rules and NATGRID. There
are also many burdens on privacy that emanate from the introduction and
existence of electronic data management systems. Electronic data
management systems have allowed the state to collect, store and use the personal
information of individuals. Currently, the DNA Profiling Bill is pending
before the Parliament. It is important to question the purpose and need
for the government to collect such personal information. It is also to
be noted that, there are certain laws such as Collection of Statistics
Act, 2008 that penalize individuals if they do not comply with the
information requests of the government.</td>
<td><img src="https://cis-india.org/home-images/Usha.JPG/image_preview" title="Usha" height="124" width="148" alt="Usha" class="image-inline image-inline" /></td>
</tr>
</tbody>
</table>
<p>Anant Maringanti discussed the limitations of data sharing that once
existed. Currently, data can move across space in a very short time. He
analyzed the state and market rationalities involved in e-governance
initiatives, which raise the question “who can access data and at what
price?”. Data may seem to be innocent or neutral, but data in the hands
of wrong people becomes very crucial due to abuse and misuse. For
example, Andhra Pradesh was praised as the model state for UID
implementation. However, during the process of collecting data for UID a
company bought personal information and sold the data to third parties.<br />
<br />
Apar Gupta discussed the dilemmas of e-governance. Generally information
in the form of an electronic record is presumed to be authentic. The
data which government collects is most often inaccurate and wrong. So
the digital identity of a person can be totally different from the real
identity of that particular person. The process for correcting such
information is also very inconvenient and sometimes impossible. <br />
Under the evidence law any electronic evidence is presumed to be
authentic and admissible as evidence. The Bombay High Court decided a
case involving the authenticity of a telephone bill generated by a
machine. The judgment said that since it is being generated by a
machine, through an automated process, there is no need to challenge
the authenticity of the document; it is presumed to be true and authentic.
The main danger in such case is that one does away with the process of
law and attaches certain sanctity to the electronic record and evidence.
<br />
<br />
It should also be observed how the government maintains secrecy as to
the ways in which it collects data. For example, the Election Commission
has refused to disclose the functioning and design of electronic voting
machines. The reason given for such secrecy is that if such information
is put in the public domain then the electronic voting machines will be
vulnerable and can be tampered with. But we, who use the voting
machines, will never find out its vulnerabilities.</p>
<table class="plain">
<tbody>
<tr>
<td>According to Gus Hosein, politicians generally have this wrong notion
that technology can solve complex administrative problems. Furthermore,
the industry is complicit; they indulge in anti-competitive market
practice to sell these technologies as a solution to problems. However,
such technology does not solve any problems rather it gives rise to
problems.<br /><br />A huge amount of government funds is associated with the collection of
personal data but such data is rendered useless or rather misused,
because the government does not have a clue as to how to use the data for
development and security purposes. The UK National Health Records
project was estimated to cost around twelve to twenty billion pounds.
However, a survey carried out by a professor in University College
London showed that the hospital and other health institutions do not use
the information collected by the National Health Records. Similarly,
the UK Identity Card scheme was estimated to cost 1.3 billion pounds and
finally it was estimated to cost five billion pounds. The identity
cards are rendered obsolete, the sole department interested in the
identity card was the Home Office Department, no other department
intended on using it.<br /></td>
<td><img src="https://cis-india.org/home-images/Gus.JPG/image_preview" alt="Gus " class="image-inline image-inline" title="Gus " /></td>
</tr>
</tbody>
</table>
<p>Technology should be built in such a manner that it empowers the
individual. Technology should allow the individual to control his
identity as well as access all kinds of information available to the
government and private bodies on that individual. <br />
<br />
According to Elida Kristine Undrum Jacobsen, technology is regarded in
a linear manner. It is increasingly being naturalized and seen as an
all-encompassing solution. The use of biometric systems in the UID
raises three areas of concern: power, value and social relationships. </p>
<table class="plain">
<tbody>
<tr>
<td><img src="https://cis-india.org/home-images/Elida.JPG/image_preview" alt="Elida" class="image-inline image-inline" title="Elida" /></td>
<td>With regards to power, there is a difference between providing
documentation and information for identification. However, problems
arise when the mode of identification becomes one’s body. It also leads
to absolute reliance on technology, if the machine says that this is an
individual’s identity then it is considered to be the absolute truth and
it does not matter even if the individual is someone else. This becomes
even more problematic with biometric systems because they are generally
used for forensic purposes. <br /><br />The other component of UID or any national identification scheme is
the question of consent and its relationship to privacy. In the case of
the UID project, people are totally unaware of how their information will
be used and what purposes it can be used or misused for. Therefore,
there is no informed consent when it comes to collection of biometric
data under the UID project. <br />
<br /></td>
</tr>
</tbody>
</table>
<p>On the issue of social value, it is to be noted that efficiency
becomes the most important value. Many of
the UIDAI documents state that the UID will provide a transactional
identity. However, at the same time it takes away societal layers, which
are inherently part of one’s identity. In addition, it makes it possible
for the identity of a person to become a commodity to be sold. This
also means that personal information has economic value and players
in the market such as insurance companies and banks can buy and sell the
information.<br />
<br />
When identification projects use biometrics, they give the
State a lot of power: the power to determine and dictate one’s identity
irrespective of the difference in real identity. Moreover, when such
identification projects are carried out at a national level, they also
give rise to problems related to the exclusion and inclusion of people for
various purposes. The classification of society based on various
factors becomes easy and there is a huge risk involved with such
classification. </p>
<p>The issues, which came out from the Q&A session, were:</p>
<ul><li>The interplay between fairness and lawfulness in the context of
privacy and data collection. The question has to be asked as to why
certain information is required by the State and how it is lawful. </li><li>In the neo-liberal era corporations are generally considered to be
private. This has to be questioned, as does the difference
between what is private and what is public. There are also concerns
about corporations increasingly collaborating with the State. Can they
still be considered private?</li></ul>
<h2>Privacy and National Security</h2>
<p>Panelists: PK Hormis Tharakan (Former Chief of Research and Analysis
Wing, Government of India), Saikat Datta (Journalist), Menaka Guruswamy,
(Advocate, Supreme Court, New Delhi), Prasanth Sugathan, (Legal
Counsel, Software Freedom Law Center), and Oxblood Ruffin, (Cult of the
Dead Cow Security and Publishing Collective).<br />
Moderator: Danish Sheikh (Alternative Law Forum)<br />
Poster: Suchitra Menon (Law Student, NUJS) </p>
<p>Suchitra Menon discussed the legal provisions for national security
in relation to privacy. Specifically, she described the guidelines and
procedural safeguards with respect to phone tapping and interception of
communication decisional jurisprudence.</p>
<p>In the year 2000, the Information Technology Act (IT Act), 2000 was
enacted. Section 69 of this Act allowed the State to monitor and
intercept information through intermediaries. Prasanth Sugathan
described how the government has been trying to bypass the procedural
safeguard laid down by the Supreme Court in the PUCL case by using
Section 28 of the IT Act, 2000. The provision deals with certifying
authority for digital signatures. The certifying authority under the Act
also has the authority to investigate offences under the Act. The
provision mainly deals with digital signature but it is used by the
government to intercept communication without implementing the
procedural safeguards laid down for such interception. Furthermore, the
IT Rules, which were notified by the government in April, 2007, allow the
government to intercept any communication with the help of the
intermediaries. The 2008 amendment to the IT Act was an after-effect of
the 26/11 attacks in Mumbai. The legislation has become draconian since
then and privacy has been sacrificed to meet the ends of national
security.</p>
<p>Oxblood Ruffin read out his speech and the same is reproduced below.</p>
<p>“The online citizenry of any country is part of its national security
infrastructure. And the extent to which individual privacy rights are
protected will determine whether democracy continues to succeed, or
inches towards tyranny. The challenge then is to balance the legitimate
needs of the state to secure its sovereignty with protecting its most
valuable asset: The citizen.<br />
<br />
It has become trite to say that 9/11 changed everything. Yet it is as
true for the West as it is for the global South. 9/11 kick started the
downward spiral of individual privacy rights across the entire internet.
It also ushered in a false dichotomy of choice, that in choosing
between security and privacy, it was privacy that had adapted to the new
realities, or so we’ve been told.<br />
<br />
Let’s examine some of the fallacies of this argument.<br />
<br />
The false equation which many argue is that we must give up privacy to
ensure security. But no one argues the opposite. We needn’t balance the
costs of surveillance over privacy, because rarely banning a security
measure protects privacy. Rather, protecting privacy typically means
that government surveillance must be subjected to judicial oversight and
justification of the need for surveillance. In most cases privacy
protection will not diminish the state’s effectiveness to secure itself.<br />
<br />
The deference argument is that security advocates insist that the courts
should defer to elected officials when evaluating security measures.
But when the judiciary weighs privacy against surveillance, privacy
almost always loses. Unless the security measures are explored for
efficacy they will win every time, especially when the word terrorism is
invoked. The courts must take on a more active role to balance the
interests of the state and its citizens.<br />
<br />
For the war time argument security proponents argue that the war on
terror requires greater security and less privacy. But this argument is
backwards. During times of crisis the temptation is to make unnecessary
sacrifices in the name of security. In the United States, for example,
we saw that Japanese-American internment and the McCarthy-era witch-hunt
for communists were in vain. The greatest challenge for safeguarding
privacy comes during times when we are least inclined to protect it. We
must be willing to be coldly rational and not emotional during such
times.<br />
<br />
We are often told that if you have nothing to hide, you have nothing to
fear. This is the most pervasive argument the average person hears. But
isn’t privacy a little like being naked? We might not be ashamed of our
bodies but we don’t walk around naked. Being online isn’t so different.
Our virtual selves should be as covered as our real selves. It’s a form
of personal sovereignty. Being seen should require our consent, just as
in the real world. The state has no business taking up the role of
Peeping Tom.<br />
<br />
I firmly believe that the state has a right and a duty to secure itself.
And I equally believe that its citizens are entitled to those same
rights. Citizens are part of the national security infrastructure. They
conduct business; they share information; they are the benefactors of
democratic values. Privacy rights are what, amongst others, separate us
from the rule of tyrants. To protect them is to protect and preserve
democracy. It is a fight worth dying for, as so many have done before
us.”</p>
<p>PK Hormis Tharakan discussed the importance of the interception of
communication in intelligence gathering. In the western liberal
democracies, restrictions of privacy were introduced for the
anti-terrorism campaigns and these measures are far more restrictive than
what the Indian legislations contemplate. Preventive intelligence is a
major component in maintenance of national security and this
intelligence is generated and can be procured through interception. <br />
<br />
We do need laws to make sure that the power of interception is not
excessive or out of proportion. But the graver issue is that the
equipment used for interception of communication is freely available in
the market at a cheap price. This allows private citizens also to snoop
on others’ conversations. So, interception by civilians should be the
main concern.<br />
<br />
Menaka Guruswamy discussed the lack of regulation of Indian intelligence
agencies that creates burdens on privacy. When there is a conflict
between individual privacy and national security, the court will always
rule in favour of the national security. Public interest always takes
precedence over individual interest. <br />
<br />
When there is a claim of a right to privacy vis-à-vis national security,
generally these claims are characterized by dissent, chilling effects on
freedom of expression and government accountability. In India, privacy
is fragile and a relatively less justifiable right. Another challenge to
privacy is deciding, when communication is intercepted, which part of the
conversation can be considered to be private and which part cannot be
considered so.<br />
<br />
Saikat Datta described his experience of being under illegal
surveillance by an unauthorized intelligence agency. When a person is
under surveillance, he or she is already considered to be a suspect. If
the State makes a mistake and carries out surveillance on someone
who is not a person of interest at all, there is no penalty for the
error upon its discovery.<br />
He warned of the dangers of excessive wiretapping, a practice that
currently generates such a “mountain” of information that anything with
real intelligence value tends to be ignored until it is too late, as
happened with the Mumbai bombings in 2008. It is clear that the Indian
government’s surveillance and interception programmes far exceed what is
necessary for legitimate law enforcement.<br />
<br />
The issue that came up during the Q&A session was:</p>
<ul><li>In the case of national security vis-à-vis privacy in heavily
militarized zones, legislation such as the Armed Forces Special Powers Act
actually gives the army authority to search and seize on mere
suspicion. This amounts to a gross violation of privacy.</li></ul>
<h2>Privacy and Banking</h2>
<p>Panelists: M R Umarji, (Chief Legal Advisor, Indian Banks Associations), N A Vijayashankar, (Cyber Law Expert), Malavika Jayaram, (Advocate, Bangalore)<br />Moderator: Prashant Iyengar (Associate Professor, Jindal Law University)<br />Poster: Malavika Chandu (Law Student, NUJS)</p>
<p>Prashant Iyengar highlighted how privacy has been a central feature in banking and finance. Even before the notion of privacy came into existence, banks had developed an evolved notion of secrecy and confidentiality, which was fairly robust. Every piece of legislation dealing with banking and finance generally has a clause related to privacy and confidentiality. It might seem that it would be easy to implement privacy in banking and finance given the long relationship between banking and secrecy and confidentiality. However, this is not the case in contemporary times. Specifically, with the growth in issues related to national security, transparency and technology, the highly regarded notion of privacy seems to be slowly depleting.</p>
<p>Malavika Chandu described the data protection standards that govern the banking industry. As part of the know-your-customer guidelines, banks are required to provide the Reserve Bank with customer profiles and other identification information. Lastly, she described case laws in relation to privacy with respect to financial records.</p>
<table class="plain">
<tbody>
<tr>
<td>N A Vijayashankar noted that the confidentiality and secrecy practices
in the banking sector emanate from the banker-customer relationship. In
the present context, secrecy and privacy maintained by the banks should
be analyzed from the perspective of the right of the customer to
safeguard his or her information from any third party. Generally, banks
and other financial institutions protect personal information as a fraud
control measure and not as a duty to protect the privacy of a customer.<br /><br />There has been a paradigm shift from traditional
banking practices to more efficient but less secure banking practices.
Some of the terms and conditions of internet banking are illegal and do
not stand the test of law. In contemporary times, banking institutions
use confidentiality to cover up problems and data breaches rather than
to protect the customer. Banks are not ready to disclose data
breaches, as they apprehend that it will result in the public losing faith in
the system. The Reserve Bank of India has recently notified that the
protection which is provided to the customers in banking services should
also be extended to e-banking services. However, the banks have not
properly implemented this. <br /></td>
<td><img src="https://cis-india.org/home-images/Naavi.JPG/image_preview" alt="NA Vijayashankar" class="image-inline image-inline" title="NA Vijayashankar" /></td>
</tr>
</tbody>
</table>
<p>M R Umarji highlighted fourteen laws related to banking which carry confidentiality clauses. In India, public sector banks dominate the market. These banks are created under a statute and such statute governs them. Therefore, they are duty bound to maintain secrecy and confidentiality. Private banks and cooperative banks are not bound by any statute. They do not have any obligations to maintain secrecy, but they do strictly observe confidentiality as a form of banking practice. <br /><br />Banks are not allowed to reveal any personal information of an individual unless it is sought by some authority that has a legitimate right to claim such information. There has been a constant erosion of confidentiality due to various laws which empower authorities to seek confidential information from the banks. Recently, in the light of the growing national security concerns, banks also have an obligation to report suspicious transactions. These have placed heavy burdens on the right to privacy of an individual.<br /><br />Under the Right to Information Act, 2005 public sector banks are considered to be public authorities. By virtue of the statute, any person can access information from banks. For example, in a recent case an information officer directed the Reserve Bank of India to disclose Inspection Reports. These reports generally contain information regarding doubtful accounts, non-performing accounts, etc. There is a need for banks to be exempted from the Right to Information Act, 2005. Since they are not dealing with public funds there is no need to apply transparency law to the banks. <br /><br />Malavika Jayaram described the major conflicts and tensions with respect to privacy vis-à-vis banking and financial systems and financial data. Other privacy and transparency issues include the publication of online tax information and income data. 
<br /><br />Surveillance is built into the design of the banking system, so it is capable of tracking personal information and activity. There is a need to implement more privacy-friendly and privacy-by-design systems in the banking sector. Customers are generally ignorant about privacy policies and this influences informed consent; furthermore, marketing institutions may influence customers to behave in a particular manner. In this context privacy by design becomes very important.<br /><br />Data minimization principles should be applied, since the more data is collected, the greater the risk of data breach and misuse. In the case of data retention, the person giving such data should know what proportion of the data is being retained, for how long it is stored, what the scope of the data is and for what purpose it will be used. <br /><br />Personal information and data, which were previously collected by the government, are gradually being outsourced to private bodies. On one hand it is a good thing that the private sector gets its technology and security measures right as compared to the government agencies, but it comes with the risk that the data can be sold by private bodies as a commodity in the market. Private bodies that are harvesting the data can also be forced by the government to disclose it under a particular law or statute without taking into consideration the consent of the individual whose personal information is sought. <br /><br />There is a multiplicity of documentation for identification, which makes transactions less efficient. This has attracted customers to more convenient systems such as one-access point systems, but people tend to forget the issues related to privacy in using such a system. What is portrayed as efficient for the consumer is a tool for social control, and there is the question of who has access and authority to use such information. 
<br /><br />Often the reason given for collecting information is that it will help the service provider to combat fraud. However, studies have shown that people more often fake their situation rather than their identity. The other concerns are the sharing of information and the lack of choice with respect to such sharing. There should be a check on the sharing of personal information, as the data belongs to the individual and not the bank or any other institution which requires personal information to be furnished in return for services. This leaves the user with a binary choice: either the individual provides the information to avail the service, or he or she cannot avail the service.</p>
<p>There is supposed to be a market for privacy. The notion of personal information is subjective and varies from person to person. For example, one might be comfortable sharing certain information. However, others might not be.<br /><br />The issues that came out of the Q&A sessions are:</p>
<ul><li>The default settings are generally put at the low protection settings. Unless the user is aware of the privacy protection setting, he or she is prone to breach of privacy. Should the default privacy setting be set to maximum security, with the user given the option to change it according to his or her preference?</li><li>Is there any system in the banks which allows a customer to know which third parties the bank has shared his or her personal information with?</li></ul>
<h2>Health Privacy</h2>
<p>Panelists: K. K. Abraham, (President, Indian Network for People with HIV), Dr. B. S. Bedi, (Advisor, CDAC & Media Lab Asia), and Raman Chawla, (Senior Advocacy Officer, Lawyers Collective).<br />Moderator: Ashok Row Kavi (Journalist and LGBT Activist) <br />Poster: Danish Sheikh (Researcher, Alternative Law Forum)</p>
<p>Danish Sheikh outlined the possible health privacy violations. These included the disclosure of personal health information to third parties without consent, inadequate notification to a patient of a data breach, failure to specify the purpose of collecting data, and improper security standards, storage and disposal. The disclosure of personal health information has the potential to be embarrassing, stigmatizing or discriminatory. <br /><br />Subsequently, Danish Sheikh examined the status of sexual minorities vis-à-vis the privacy framework. Culling out some real life examples based on various studies, media reports and judgments from the Supreme Court and the High Courts of Delhi and Allahabad, he also described privacy violations committed by both individuals as well as state authorities. <br /><br />Ashok Row Kavi recounted how privacy was very contextual when debating section 377 in the LGBT community. The paradigm upon which they were going to fight the anti-sodomy law was that it was consenting sex between two adults in private space. However, this paradigm was not well received by women, as women did not see private space as safe space, due to domestic violence. Perceptions of privacy are very subjective and differ from person to person.<br /><br />Raman Chawla recounted the history of the Draft HIV/AIDS Bill. In 2002, the need for a law related to HIV/AIDS was realized in order to protect the right to consent, the right against discrimination and the right to confidentiality of HIV patients. The bill was finalized in the year 2006. Alarmingly, it is yet to be tabled before the Parliament. <br /><br />The privacy provisions in the HIV bill clearly state that no person can be tested, treated or researched for HIV without the consent of the patient. It also provides that in a fiduciary relationship the health care provider must maintain confidentiality; however, if the patient provides written consent then their status may be disclosed. 
The HIV condition of the patient can also be revealed by the doctor if there is a court order demanding such disclosure. The doctor may disclose the status of the patient to his or her partner but has to follow a particular protocol. The doctor should have sufficient belief that the patient’s partner is at risk of contracting HIV. The person who is infected will be asked for his/her views and counseled before his/her partner is informed. However, there are doubts as to the implementation and enforcement of this protocol.</p>
<p align="center"><img src="https://cis-india.org/home-images/AP.JPG/image_preview" alt="AI" class="image-inline image-inline" title="AI" /></p>
<h2>Conclusion</h2>
<p>Natasha Vaz (Policy Advocate, Privacy India) brought the symposium to a close by thanking the partners, the panelists, the moderators and the participants for their sincere efforts in making the All India Privacy Symposium a grand success. In India, a public discussion regarding privacy has been long overdue. The symposium provided a platform for dialogue and building greater awareness around privacy issues in health, banking, national security, transparency and e-governance. Using our research, expert opinions, personal experiences, questions and comments, various facets of privacy were explored.</p>
<hr />
<h2>Press Coverage</h2>
<p>The event was featured in the media as well:</p>
<ol><li><a class="external-link" href="http://articles.economictimes.indiatimes.com/2012-02-02/news/31017368_1_privacy-law-privacy-international-cis">India needs an independent privacy law, says NGO Privacy India</a>, Economic Times, February 2, 2012</li><li><a class="external-link" href="http://www.tehelka.com/story_main51.asp?filename=Ws060212Privacy.asp">New Bill to decide on individual’s right to privacy</a>, Tehelka, February 6, 2012 </li><li><a class="external-link" href="http://www.dnaindia.com/analysis/column_lack-of-strong-privacy-law-in-healthcare-a-big-worry_1649366">Lack of strong privacy law in healthcare a big worry</a>, Daily News & Analysis, February 13, 2012</li><li><a class="external-link" href="http://www.washingtonpost.com/world/asia_pacific/privacy-concerns-grow-in-india/2012/01/26/gIQAyM0UmQ_story.html">Privacy concerns grow in India</a>, Washington Post, February 3, 2012</li></ol>
<hr />
<ul><li><a href="https://cis-india.org/internet-governance/privacy-symposium-agenda.pdf" class="internal-link" title="All India Privacy Symposium - Profiles & Speakers">Click </a>to download the Agenda and Profile of Speakers (PDF, 1642 Kb)</li></ul>
<ul><li><a href="https://cis-india.org/internet-governance/all-privacy-symposium.pdf" class="internal-link" title="All India Privacy Symposium (File)">Download the PDF</a> (555 Kb)</li><li><a href="https://cis-india.org/all-india-privacy-symposium-webcast" class="external-link">Follow the webcast of the event</a><br /></li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/all-india-privacy-delhi-report'>https://cis-india.org/internet-governance/all-india-privacy-delhi-report</a>
</p>
No publisher | natasha | Featured, Internet Governance, Privacy | 2012-04-30T05:16:41Z | Blog Entry
Will Only Legal Backing For Aadhaar Suffice?
https://cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice
<b>Aadhaar is set to become mandatory, but the opponents of the scheme are not amused. Concerns about privacy of the Aadhaar number and the authenticity of the biometric data being collected have been expressed by people right from the beginning. But the government has not done much to address these issues.</b>
<p>The article was published in <a class="external-link" href="http://www.newindianexpress.com/nation/Will-Only-Legal-Backing-For-Aadhaar-Suffice/2016/03/14/article3326144.ece">New Indian Express </a>on March 14, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">“It does not matter what legislative backing they give it, it is still a surveillance programme. How can you have a privacy Bill for a surveillance programme? Legislative backing would be band-aid. I do not agree with it,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. The society is a Bengaluru-based organisation looking at multi-disciplinary research and advocacy.</p>
<p style="text-align: justify; ">Abraham says that ever since the Aadhaar scheme was implemented, there was a massive degradation of civil liberties. “It is an opaque technology. Why should the government have such a database?” he asks.</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Aadhaar1.jpg" alt="Aadhaar" class="image-inline" title="Aadhaar" /></p>
<p style="text-align: justify; ">Abraham says that the keys to the data should not have rested with the government where it is vulnerable. Instead, the government should have explored the concept of introducing smart cards issued to the citizen with the data stored on it.</p>
<p style="text-align: justify; ">Access to this data could not be had without the permission of the citizen, he says. At present, if something goes wrong or if the data is compromised, the government can always blame a lapse in technology, Abraham adds.</p>
<p style="text-align: justify; ">He questions the government’s logic where it assumes that only the poor section of society can misuse the benefits and says that it is well known that the problem exists in the supply chain and that the government has done nothing to address this.</p>
<p style="text-align: justify; ">Mathew Thomas of The Fifth Estate, an NGO, wonders what advantage the BJP suddenly found that they decided to pursue Aadhaar rather than send it to the trash bin as they had promised before the general elections.</p>
<p style="text-align: justify; ">Thomas says Aadhaar is flawed and is a fraud on the Constitution and the government has taken the money bill route simply to avoid a debate on it.</p>
<p style="text-align: justify; ">“Just passing a Bill is meaningless. This is radically wrong and we all know that protection of privacy is nonsense. How do they plan to plug the leakages? Have they even conducted a study, because there is no evidence of it. The correct beneficiary can get an LPG cylinder, but what is stopping the person from using it for an auto or for his car? That the government can lie to its own people is terrible,” he says.</p>
<p style="text-align: justify; ">A five-judge bench of the Supreme Court, which is hearing the matter on privacy concerns about Aadhaar, is expected to have a hearing by the end of this month.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice'>https://cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-16T02:31:52Z | News Item
Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!
https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken
<b>We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</b>
<p>The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p>The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy,
benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the
Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.</p>
<h3>Key Issues</h3>
<h4>1. Identification without Consent</h4>
<p>Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. High-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German minister's fingerprints were captured by hackers as she spoke using hand gestures at a conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as a band-aid on really badly designed technology.</p>
<h4>2. Fallible Technology</h4>
<p>The technology used for collection and authentication has been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.</p>
<p>We know that the Aadhaar number has been issued to dogs and trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process: some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.</p>
<p>At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive: the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. A recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. <strong>[1]</strong></p>
<h3>Endnote</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process">http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process</a></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken'>https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken</a>
</p>
No publisher | Japreet Grewal and Sunil Abraham | UID, Big Data, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-03-16T10:10:40Z | Blog Entry
List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament
https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016
<b>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliament to highlight the aspects of the Bill that require immediate attention.</b>
<p> </p>
<h4>Download the submission letter: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_Aadhaar-Bill-2016_List-of-Recommendations_2016.03.16.pdf">PDF</a>.</h4>
<p> </p>
<h3>Text of the Submission</h3>
<p>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indians to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidated Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also leaves unaddressed two serious concerns regarding the technological framework concerned:</p>
<ul><li><strong>Identification without Consent:</strong> Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.<br /><br /></li>
<li><strong>Fallible Technology:</strong> The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. <strong>[1]</strong></li></ul>
<p>Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:</p>
<ol><li><strong>Implement the Recommendations of the Shah and Sinha Committees:</strong> The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah <strong>[2]</strong> and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha <strong>[3]</strong> have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010, from which the majority of the sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations be seriously considered and incorporated into the Aadhaar Bill, 2016.<br /><br /></li>
<li><strong>Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory:</strong> Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.<br /><br /></li>
<li><strong>Vulnerabilities in the Enrolment Process:</strong> The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for extended periods with Enrolment Agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities, including the Enrolment Agencies, Registrars, CIDR and the requesting entities, to shift to a secure system such as PKI-based cryptography to ensure a secure method of data transfer.<br /><br /></li>
<li><strong>Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens:</strong> The Bill defines “biometric information” to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.<br /><br /></li>
<li><strong>Prohibit Central Storage of Biometrics Data:</strong> The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.<br /><br /></li>
<li><strong>Chain of Trust Model and Audit Trail:</strong> As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone can be held accountable and blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.<br /><br /></li>
<li><strong>Rights of Residents:</strong> There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, and to be notified of data breaches and legal access to information by the Government or its agencies, as a matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and to provide a mechanism to opt out.<br /><br /></li>
<li><strong>Establish Appropriate Oversight Mechanisms:</strong> Section 33 currently specifies a procedure for oversight by a committee; however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.<br /><br /></li>
<li><strong>Establish Grievance Redressal and Review Mechanisms:</strong> Currently, there is no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project also responsible for providing the frameworks to address the grievances arising from the project severely compromises the independence of the grievance redressal body. An independent national grievance redressal body, with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.</li></ol>
<p> </p>
<h3>Endnotes</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf">http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf</a>.</p>
<p><strong>[2]</strong> See: <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf">http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016'>https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016</a>
</p>
No publisher | Amber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya Rakesh | UID, Big Data, Privacy, Internet Governance, Featured, Digital India, Aadhaar, Biometrics, Homepage | 2016-03-21T08:50:09Z | Blog Entry
A scheme in India to help the poor raises privacy concerns
https://cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns
<b>India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies. </b>
<p style="text-align: justify; ">The article by John Ribeiro published by IDG News Service on March 16, 2016 was also mirrored on <a class="external-link" href="http://www.csoonline.com/article/3044722/security/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns.html">CSO</a>.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked.</p>
<p style="text-align: justify; ">Biometric information, once leaked, cannot be 'revoked,' and identity fraud may in fact become harder to detect if Aadhaar is used for authentication of transactions, said Pranesh Prakash, policy director at the Centre for Internet and Society in Bangalore, in an email.</p>
<p style="text-align: justify; ">Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers. Currently, people can keep their personal information in silos, as for example their insurance company can't combine their database with that of a hospital, Prakash said. "However, with Aadhaar as a unique linking factor, they could, even without the person's consent," he added.</p>
<p style="text-align: justify; ">The biometric ID, which assigns a person a 12-digit number called the Aadhaar number, requires the collection of photos, fingerprints, iris scans and other information such as the name, date of birth and address of the individual. Every time a person has to be verified, he has to present the Aadhaar number, and his biometric information has to match the data stored in a centralized repository.</p>
<p style="text-align: justify; ">The digital identity is expected to provide proof of identification to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India.</p>
<p style="text-align: justify; ">The traditional paper ration books used in the country are notoriously stuffed with people who are nonexistent or who do not typically qualify for benefits, so the government hopes to save some money by linking the benefits to a digital identity. But the new scheme addresses only end-user fraud and not the large-scale theft prevalent in the entire supply chain, according to analysts.</p>
<p style="text-align: justify; ">Rajeev Chandrasekhar, a member of India’s Parliament, has proposed amendments to the bill that would ensure that Aadhaar numbers should not be used as proof of identity for purposes other than subsidies and benefits. Chandrasekhar also wants the Unique Identification Authority of India that manages the project to be responsible for ensuring the security and privacy of the biometric and demographic information of the account holder, with liability for damages in a civil court in the case of a breach.</p>
<p style="text-align: justify; ">The Aadhaar program has been allotting IDs for a number of years, even under a previous government, but the program was the offshoot of an executive order and had no legal sanction. The country’s Supreme Court <a href="http://www.pcworld.com/article/2049364/indian-biometric-id-project-faces-court-hurdle.html"><span>ruled in 2013</span></a> in an interim order that people cannot be required to have Aadhaar identification to collect state subsidies. Aware of the legal minefield it was treading on, the government had said the scheme was voluntary.</p>
<p style="text-align: justify; ">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 passed recently in the Lok Sabha, one of the houses of India’s parliament, now aims to make the scheme mandatory. The bill sailed through the Lok Sabha where the government has a majority, but will likely meet with strong opposition from the other house, the Rajya Sabha. But the government has classified the bill as a money bill and the Rajya Sabha does not have the final say on such bills. So the legislation is likely to be passed in any case despite its limitations.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns'>https://cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-17T03:08:33Z | News Item
Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016
https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016
<b>In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>Credits:</strong> The illustration uses the following icons from The Noun Project - <a href="https://thenounproject.com/term/fingerprint/231547/">Thumbprint</a> created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, <a href="https://thenounproject.com/term/copy/377777/">Copy</a> created by Mahdi Ehsaei.</p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png" alt="Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016'>https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016</a>
</p>
No publisher | Pooja Saxena and Amber Sinha | UID, Big Data, Privacy, Internet Governance, Infographic, Digital India, Aadhaar, Biometrics | 2016-03-21T08:33:53Z | Blog Entry
Aadhaar: Govt will not compromise on national security
https://cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security
<b>The government is confident that the Aadhaar Bill will be passed.</b>
<p style="text-align: justify; ">The article by Shreeja Sen was <a class="external-link" href="http://www.livemint.com/Politics/dt7ODlffwvbWvKH93jfR3K/Aadhaar-Govt-will-not-compromise-on-national-security.html">published by Livemint</a> on March 9, 2016. Pranesh Prakash gave inputs.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In what could raise concerns of privacy activists questioning India’s unique identification project Aadhaar, the government on Tuesday said national security will not be compromised at all.</p>
<p style="text-align: justify; ">“We will not compromise on national security; certainly we will not compromise. The Supreme Court has already highlighted certain areas for consideration. We are going ahead taking into consideration all the suggestions of the Supreme Court,” law minister D.V. Sadananda Gowda said at a press conference, when asked how the Aadhaar bill tabled in Parliament last week will balance the protection of core biometrics and national security concerns.</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, there are measures to protect core biometric information like fingerprints and iris scans of the unique identification number holders.</p>
<p style="text-align: justify; ">However, Section 33 says for the purposes of national security, officials at the joint secretary level and above can access this information. The section has caused some worry to experts. In this <b><a href="http://www.livemint.com/Opinion/VSqpBps7Y5YrUhvS5mGgSO/Aadhaar-still-too-many-problems.html" target="_blank"><span style="text-decoration: underline;">analysis</span></a></b>, policy director of the Centre for Internet and Society Pranesh Prakash says that the national security clause is worrisome. Adding to their concerns, the bill does not define what national security means.</p>
<p style="text-align: justify; ">The government is, however, confident that the bill will be passed. “Certainly it will be passed. The benefits that go from the exchequer to the beneficiaries will be taken care of by this bill,” Gowda said.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security'>https://cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-22T15:51:13Z | News Item
India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System
https://cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system
<b>from the sliding-down-the-slippery-slope-to-disaster dept</b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="https://www.techdirt.com/articles/20160314/10271433902/india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system.shtml"><span style="text-decoration: underline;">Techdirt</span></a> on March 22, 2016. CIS research on Aadhaar was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Last year, we wrote about India's attempt to turn the use of its <a href="https://www.techdirt.com/articles/20150704/06313831544/aadhaar-soon-india-everyone-will-be-number.shtml"><span style="text-decoration: underline;">Aadhaar</span></a> system, which assigns a unique 12-digit number to all Indian citizens, into a <a href="https://www.techdirt.com/articles/20150819/07244632004/indias-attorney-general-privacy-not-fundamental-right.shtml"><span style="text-decoration: underline;">requirement</span></a> for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still <a href="http://www.hindustantimes.com/india/privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme/story-E3o0HRwc6XOdlgjqgmmyAM.html"><span style="text-decoration: underline;">pushing to turn Aadhaar into a mandatory national identity system</span></a>. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:</p>
<blockquote style="text-align: justify; "><i>There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.</i></blockquote>
<p style="text-align: justify; ">The article notes that in some respects, the new Bill brings improvements over a previous version:</p>
<blockquote style="text-align: justify; "><i>It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.</i></blockquote>
<p style="text-align: justify; ">But it also contains some huge loopholes:</p>
<blockquote style="text-align: justify; "><i>The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.</i></blockquote>
<p style="text-align: justify; ">The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:</p>
<blockquote><i>A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.</i></blockquote>
<p>A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system'>https://cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-24T06:34:21Z | News Item
Encryption policy would have affected emails, operating systems, WiFi
https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi
<b>Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security, said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society. </b>
<p>The article by Amrita Madhukalya was published in <a class="external-link" href="http://www.dnaindia.com/india/report-encryption-policy-would-have-affected-emails-operating-systems-wifi-2127715">DNA</a> on September 23, 2015.</p>
<hr />
<p>The <a href="http://www.dnaindia.com/topic/draft-national-policy">Draft National Policy</a> on Encryption, withdrawn by the Department of Electronics and Information Technology (DeiTY) after it created a furore on privacy issues, would have allowed the government access to any form of digital data that required encryption. Not limited to just WhatsApp or Viber data, it would have affected email services, WiFi, phone operating systems, etc.</p>
<p>"Our email data would have to be stored. If we connect to a WiFi, that data would have to be stored, and that's plain ridiculous. There is a problem when the government tries to target citizens to ensure national security," said Pranesh Prakash, policy director at the Bangalore-based Centre for Internet and Society.</p>
<p>The government, criticised heavily for the policy, withdrew it on Tuesday afternoon. It said that a new policy will be brought in its place.</p>
<p>Nikhil Pahwa of internet watchdog Medianama said that data about normal day-to-day activities would have to be stored if the policy was implemented. "The policy would have affected everyday business to consumer data. This would mean that if a doctor or lawyer had your data digitised, they will be open to access, and would have to be kept for at least 90 days," said Pahwa.</p>
<p>However, he added that robust encryption is needed. "It is believed that companies like Google, <a href="http://www.dnaindia.com/topic/facebook">Facebook</a> allow the NSA to access user data in the US, putting our personal security, and the national security largely, at risk," said Pahwa.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi'>https://cis-india.org/internet-governance/news/dna-september-23-2015-amrita-madhukalya-encryption-policy-would-have-affected-emails-operating-systems-wifi</a>
</p>
No publisher | praskrishna | IT Act, Internet Governance | 2015-09-25T01:23:10Z | News Item
Open sesame
https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame
<b>The government’s email is shockingly vulnerable.</b>
<p class="body" style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.thehindubusinessline.com/opinion/open-sesame/article7678142.ece">Hindu</a> on September 22, 2015. CIS research on private email accounts is mentioned.</p>
<hr />
<p class="body" style="text-align: justify; ">As the Centre moves towards smart cities and a Digital India, some critics have cited the country’s increased vulnerability to cyber attacks. To be sure, cyber threat groups could disrupt our infrastructure by taking control of many systems. Such attacks could be quite damaging. Yes, they are rare today, but are much more likely to arise in conjunction with traditional armed conflicts. Cyber criminal groups target Indian organisations on a daily basis.</p>
<p class="body" style="text-align: justify; ">Almost two years ago, the IT minister’s office triggered national outrage when it used a public email service for official communication. There was much hand-wringing about security practices in a ministry responsible for setting the technology direction (secure email policy) for the country. Then in December 2013, the Centre for Internet and Society revealed that up to 90 per cent of Indian government officials used private email accounts for professional purposes.</p>
<p style="text-align: justify; "><b>A big deal</b></p>
<p class="body" style="text-align: justify; ">Between then and now, we’ve read about a new email policy and revelations of several cyber attacks on government officials. And FireEye revealed a decade-long cyber espionage operation by a group we call ‘APT30’, which is likely to be sponsored by China. How did they break in? By sending targeted ‘spear-phish’ emails with malware attached.</p>
<p class="body" style="text-align: justify; ">Email doesn’t sound like a big deal. Most of us have been using it for over a decade, and think we know how to use it right. But when you’re in a position of authority with access to sensitive information, you shouldn’t leave it to chance.</p>
<p class="body" style="text-align: justify; ">Today, state-sponsored attackers craft these spear-phishing emails after considerable research. APT30 carefully researched their targets and crafted mails which would appear extremely relevant, with interesting content. The moment a victim would open an attachment, an exploit would secretly install a backdoor. Through that backdoor, groups can compromise the employee’s entire network and extricate sensitive data. Groups bent on destruction can deploy malware to destroy the data. They could also take control of systems managing infrastructure or industrial processes and create havoc.</p>
<p class="body" style="text-align: justify; ">Spear-phishing has an open rate of 70 per cent, while regular mass emails had an open rate of just 3 per cent. Email is the front door for today’s threat groups. That’s why governments around the world are improving the security of their email systems to fend off these spear-phishing threats.</p>
<p style="text-align: justify; "><b>Public concerns</b></p>
<p class="body" style="text-align: justify; ">When government employees use webmail for official business, they trade away their security for convenience. The emails they receive are no longer screened by cyber security solutions, which detect advanced targeted email attacks before they reach the inbox. In addition, because people typically retrieve their webmail in a browser, attackers have a larger attack surface to exploit when carrying out their attacks. For example, attackers can coax victims to click on a link to a website, which delivers an exploit via Adobe Flash.</p>
<p class="body" style="text-align: justify; ">Webmail opens the door to threats that would otherwise have been intercepted. When our government employees use webmail for official business, they leave the front door wide open to threats. One of the best steps we can take towards improving our government’s cyber security defences is abandoning public email services.</p>
<p class="body" style="text-align: justify; "><i>The writer is a software architect at the cyber security firm FireEye</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame'>https://cis-india.org/internet-governance/news/the-hindu-september-22-2015-atul-kabra-open-sesame</a>
</p>
No publisher | praskrishna | Internet Governance | 2015-09-25T01:31:49Z | News Item
Govt presses 'undo' button on draft encryption policy
https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy
<b>The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.business-standard.com/article/economy-policy/govt-presses-undo-button-on-draft-encryption-policy-115092201014_1.html">Business Standard</a> on September 23, 2015. Sunil Abraham gave inputs.</p>
<hr />
<p style="text-align: justify; ">The government on Tuesday scrapped a draft <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=National+Encryption+Policy" target="_blank">national encryption policy </a>that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.<br /><br />The decision came a day before Prime Minister <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Narendra+Modi" target="_blank">Narendra Modi </a>embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Google" target="_blank">Google </a>and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.<br /><br />At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.<br /><br />The draft had global ramifications, as Facebook, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Twitter" target="_blank">Twitter </a>and messaging apps such as <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Whatsapp" target="_blank">WhatsApp </a>were named in it.<br /><br />Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.<br /><br />“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for seeking comment. I read the draft. 
I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”<br /><br />According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.<br /><br />This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.<br /><br />Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Facebook" target="_blank">Facebook </a>out of its purview.<br /><br />In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.<br /><br />“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. 
It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Centre+For+Internet+And+Society" target="_blank">Centre for Internet and Society </a>(CIS).<br /><br />Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.<br /><br />Opposition parties slammed the draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”<br /><br />Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. 
It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”<br /><br /><b>ABOUT THE NATIONAL ENCRYPTION POLICY</b><br /><br /><b>Five things the government draft policy wanted</b></p>
<ul style="text-align: justify; ">
<li>Information security for individuals, businesses and government agencies</li>
<li>Development of indigenous encryption standards</li>
<li>Use of digital signatures to authenticate transactions</li>
<li>Legal interception and data retention</li>
<li>Service providers to register under appropriate government agency</li>
</ul>
<p style="text-align: justify; "><b>Things that caused outrage</b></p>
<ul style="text-align: justify; ">
<li>Regulation of private sector encryption</li>
<li>Storage of all encrypted communications for 90 days</li>
<li>Gaining backdoor into private communications of users</li>
</ul>
<p style="text-align: justify; "><b>Amendment & withdrawal</b></p>
<ul style="text-align: justify; ">
<li>Omission of mass encryption products such as those used by social networks</li>
<li> Withdrawal of draft policy following Ravi Shankar Prasad’s statement</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy'>https://cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy</a>
</p>
No publisher | praskrishna | Internet Governance | 2015-09-25T01:55:57Z | News Item
Hits and Misses With the Draft Encryption Policy
https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy
<b>Most encryption standards are open standards. They are developed by open participation in a publicly scrutable process by industry, academia and governments in standard setting organisations (SSOs) using the principles of “rough consensus” – sometimes established by the number of participants humming in unison – and “running code” – a working implementation of the standard. The open model of standards development is based on the Free and Open Source Software (FOSS) philosophy that “many eyes make all bugs shallow”.
</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://thewire.in/2015/09/26/hits-and-misses-with-the-draft-encryption-policy-11708/">published in the Wire</a> on September 26, 2015.</p>
<hr />
<p style="text-align: justify; ">This model has largely been a success but as Edward Snowden in his revelations has told us, the US with its large army of mathematicians has managed to compromise some of the standards that have been developed under public and peer scrutiny. Once a standard is developed, its success or failure depends on voluntary adoption by various sections of the market – the private sector, government (since in most markets the scale of public procurement can shape the market) and end-users. This process of voluntary adoption usually results in the best standards rising to the top. Mandates on high quality encryption standards and minimum key-sizes are an excellent idea within the government context to ensure that state, military, intelligence and law enforcement agencies are protected from foreign surveillance and traitors from within. In other words, these mandates are based on a national security imperative.<br /><br />However, similar mandates for corporations and ordinary citizens are based on a diametrically opposite imperative – surveillance. Therefore these mandates usually require the use of standards that governments can compromise usually via a brute force method (wherein supercomputers generate and attempt every possible key) and smaller key-lengths for it is generally the case that the smaller the key-length the quicker it is for the supercomputers to break in. These mandates, unlike the ones for state, military, intelligence and law enforcement agencies, interfere with the market-based voluntary adoption of standards and therefore are examples of inappropriate regulation that will undermine the security and stability of information societies.</p>
<h3 style="text-align: justify; ">Plain-text storage requirement</h3>
<p style="text-align: justify; ">First, the draft policy mandates that Business to Business (B2B) users and Consumer to Consumer (C2C) users store equivalent plain text (decrypted versions) of their encrypted communications and storage data for 90 days from the date of transaction. This requirement is impossible to comply with for three reasons. Foremost, encryption for web sessions is based on dynamically generated keys and users are not even aware that their interactions with web servers (including webmail such as Gmail and Yahoo Mail) are encrypted. Next, from a usability perspective, this would require additional manual steps which no one has the time for as part of their daily usage of technologies. Finally, the plain text storage will become a honey pot for attackers. In effect this requirement is as good as saying “don’t use encryption”.<br /><br />Second, the policy mandates that B2C and “service providers located within and outside India, using encryption” shall provide readable plain-text along with the corresponding encrypted information using the same software/hardware used to produce the encrypted information when demanded in line with the provisions of the laws of the country. From the perspective of lawful interception and targeted surveillance, it is indeed important that corporations cooperate with Indian intelligence and law enforcement agencies in a manner that is compliant with international and domestic human rights law. 
However, there are three circumstances where this is unworkable: 1) when the service providers are FOSS communities like the TOR project which don’t retain any user data and as far as we know don’t cooperate with any government; 2) when the service provider provides consumers with solutions based on end-to-end encryption and therefore do not hold the private keys that are required for decryption; and 3) when the Indian market is too small for a foreign provider to take requests from the Indian government seriously.<br /><br />Where it is technically possible for the service provider to cooperate with Indian law enforcement and intelligence, greater compliance can be ensured by Indian participation in multilateral and multi-stakeholder internet governance policy development to ensure greater harmonisation of substantive and procedural law across jurisdictions. Options here for India include reform of the Mutual Legal Assistance Treaty (MLAT) process and standardisation of user data request formats via the Internet Jurisdiction Project.</p>
<h3 style="text-align: justify; ">Regulatory design</h3>
<p style="text-align: justify; ">Governments don’t have unlimited regulatory capability or capacity. They have to be conservative when designing regulation so that a high degree of compliance can be ensured. The draft policy mandates that citizens only use “encryption algorithms and key sizes will be prescribed by the government through notification from time to time.” This would be near impossible to enforce given the burgeoning multiplicity of encryption technologies available and the number of citizens that will get online in the coming years. Similarly the mandate that “service providers located within and outside India…must enter into an agreement with the government”, “vendors of encryption products shall register their products with the designated agency of the government” and “vendors shall submit working copies of the encryption software / hardware to the government along with professional quality documentation, test suites and execution platform environments” would be impossible for two reasons: that cloud based providers will not submit their software since they would want to protect their intellectual property from competitors, and that smaller and non-profit service providers may not comply since they can’t be threatened with bans or block orders.<br /><br />This approach to regulation is inspired by license raj thinking where enforcement requires enforcement capability and capacity that we don’t have. It would be more appropriate to have a “harms”-based approach wherein the government targets only those corporations that don’t comply with legitimate law enforcement and intelligence requests for user data and interception of communication.<br /><br />Also, while the “Technical Advisory Committee” is the appropriate mechanism to ensure that policies remain technologically neutral, it does not appear that the annexure of the draft policy, i.e. 
“Draft Notification on modes and methods of Encryption prescribed under Section 84A of Information Technology Act 2000”, has been properly debated by technical experts. According to my colleague Pranesh Prakash, “of the three symmetric cryptographic primitives that are listed – AES, 3DES, and RC4 – one, RC4, has been shown to be a broken cipher.”<br /><br />The draft policy also doesn’t take into account the security requirements of the IT, ITES, BPO and KPO industries that handle foreign intellectual property and personal information that is protected under European or American data protection law. If clients of these Indian companies feel that the Indian government would be able to access their confidential information, they will take their business to competing countries such as the Philippines.</p>
<h3 style="text-align: justify; ">And the good news is…</h3>
<p style="text-align: justify; ">On the other hand, the second objective of the policy, which encourages “wider usage of digital Signature by all entities including Government for trusted communication, transactions and authentication” is laudable but should have ideally been a mandate for all government officials as this will ensure non-repudiation. Government officials would not be able to deny authorship for their communications or approvals that they grant for various applications and files that they process.<br /><br />Second, the setting up of “testing and evaluation infrastructure for encryption products” is also long overdue. The initiation of “research and development programs … for the development of indigenous algorithms and manufacture of indigenous products” is slightly utopian because it will be a long time before indigenous standards are as good as the global state of the art but also notable as an important start.<br /><br />The more important step for the government is to ensure high quality Indian participation in global SSOs and contributions to global standards. This has to be done through competition and market-based mechanisms wherein at least a billion dollars from the last spectrum auction should be immediately spent on funding existing government organisations, research organisations, independent research scholars and private sector organisations. These decisions should be made by peer-based committees and based on publicly verifiable measures of scientific rigour such as number of publications in peer-reviewed academic journals and acceptance of “running code” by SSOs.<br /><br />Additionally the government needs to start making mathematics a viable career in India by either employing mathematicians directly or funding academic and independent research organisations who employ mathematicians. 
The basis of all encryption standards is mathematics and we urgently need the tribe of Indian mathematicians to increase dramatically in this country.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy'>https://cis-india.org/internet-governance/blog/the-wire-26-09-2015-sunil-abraham-hits-and-misses-with-draft-encryption-policy</a>
</p>
No publisher | sunil | Open Standards, Internet Governance, Surveillance, FOSS, B2B | 2015-09-26T16:46:53Z | Blog Entry