Centre for Internet and Society

Concerns over central snoop

praskrishna — 2013-07-01T09:33:27Z

Eyebrows have been raised at the Centre’s single-window system to intercept phone calls and internet exchanges — the desi version of the US’s surveillance programme, PRISM — that is expected to roll out this year-end.

The article by Aloke Tikku was published in the Hindustan Times on June 28, 2013. Sunil Abraham is quoted.

The Rs. 400-crore project — tentatively called the Central Monitoring System (CMS) — will not only allow the government to listen to a target’s phone conversation but also track down a caller’s precise location, match his voice against known suspects’ before the call is completed and see what people have been up to on the internet.

And then, it can also use analytics to discover possible links — between suspected terrorists, criminals or just about anybody — from the internet and phone data. All this will be done from one place without keeping the internet or phone service provider in the loop — something the telecom and home ministries insist will enhance citizens’ privacy.

Both ministries also insist that the CMS won’t change the rules of the game. “The process to seek authorisation for interception will not be diluted,” a home ministry official promised.

So is everything hunky dory?

Hardly. But technology — in this case, the CMS — is a smaller part of the problem.

The bigger chunk is the process of approving “lawful interception” orders and the lack of transparency around it.

It was in December 1996 that the Supreme Court held that the State could spy on its citizens in extraordinary circumstances but, as an interim measure, made it mandatory for the home secretary to approve each and every such request. Telecom minister Kapil Sibal, who appeared in this case in the mid-1990s, convinced the court that it didn’t have the powers to order that a judge decide each phone-tapping case. Instead, Sibal suggested that this power remain with the executive on lines of the law in the UK. A former home secretary, however, conceded that they hardly have the time to apply their mind before signing a wiretap order.

That isn’t surprising. The home secretary approves around 7,500-9,000 interception orders every month. That means he or she has to sign an average of 300 orders every day without a break.

If he were to spend just 30 seconds on each case, he would have to keep aside four-and-a-half hours just approving interception orders every day.

An official said the ministry was considering a suggestion to pick up a fixed number of cases at random for closer scrutiny before approval.

Many believe this might not be enough. It is argued that the government — which was trying to replicate surveillance technology from the west — needs to adopt their safeguards and transparency norms too.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said he didn’t have a problem with CMS as long as it didn’t go for blanket surveillance.

“But there is no reason why the executive — and not a judge — should have the powers to decide on phone-tapping requests,” he said. Or for that matter, why shouldn’t there be an independent audit of phone-tapping decisions, their implementation and outcome?

“The aggregated data should be put in the public domain,” Abraham said. The US has such provisions. So does Britain, which inspired Sibal to argue for retaining interception powers with the executive in the mid-1990s. It is time to follow-up on that model.

For more details visit https://cis-india.org/news/hindustan-times-aloke-tikku-june-28-2013-concerns-over-central-snoop

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Govt mulls advisory on privacy issues related to Google, Facebook

praskrishna — 2013-07-02T14:31:48Z

The Government is set to harden its stand against foreign Internet firms in asking them to comply with Indian laws.

The article by Thomas K Thomas was published in the Hindu Business Line on June 10, 2013. Sunil Abraham is quoted.

According to a top Government source, an advisory may be issued in the interest of general public to make them aware of the privacy issued while using services offered by foreign Internet companies such as Google and Facebook.

This follows an international media expose on how US agencies were getting access to user data from Internet companies such as Google and Facebook.

Final Strategy Soon

Top official in the Ministry of Telecom and IT told Business Line that the National Security Advisor, under the Prime Minister’s Officer, is discussing the issue and will outline the final strategy on Wednesday.

The key concern is that the US security agencies may have collected data from key Indian accounts using services from any of the Internet companies. A number of Government officials also use email service from Google and MS Outlook, which may have been accessed by the US agencies.

The other major concern is that Indian security agencies have also been seeking access to data from these foreign companies but so far they have not obliged on grounds that they do not come under the purview of Indian laws.

“If the US Government can get access to data from these companies, why can’t the Indian Government be given access,” posed a top functionary of the telecom ministry.

While Google and other companies have denied knowledge to how the US agencies got access to their networks, industry experts said that it’s time India starts taking concrete steps to address the issue.

B.K. Syngal, Former Chairman, Videsh Sanchar Nigam Ltd, said, “If we believed that our privacy is sacred then we would have taken effective domestic measures, years ago, to ensure that the information of our citizens remains private. To now say that multiple US companies have betrayed our trust is meaningless.”

Double Standards

Syngal said that there are double standards in the way organisations and Government is handling the issue. “As a start, lets stop giving too much time and space to the so called “Foreign Funded NGOs” teaching us on privacy. Our problem is that we are not China. We are so ill equipped that the third party interests aided and abetted by these NGOs would prevail,” said Syngal.

According to Sunil Abraham, Executive Director, Centre for Internet and Society, companies such as Google and Facebook are foes when it comes to privacy issues and friends when it comes to freedom of speech. “An Indian consumer using any of these foreign websites has no privacy rights whatsoever. The Indian Government also cannot force these companies to follow Indian laws,” said Abraham.

For more details visit https://cis-india.org/news/hindu-businessline-thomas-k-thomas-june-10-2013-govt-mulls-advisory-on-privacy-issues-related-to-google-facebook

Privacy Protection Bill, 2013 (With Amendments based on Public Feedback)

elonnai — 2013-07-12T10:50:22Z

In 2013 CIS drafted the Privacy Protection Bill as a citizens' version of a privacy legislation for India. Since April 2013, CIS has been holding Privacy Roundtables in collaboration with FICCI and DSCI, with the objective of gaining public feedback to the Privacy Protection Bill and other possible frameworks for privacy in India.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

As a part of this process, CIS has been amending the Privacy Protection Bill based on public feedback. Below is the text of the Bill as amended according to feedback gained from the New Delhi, Bangalore, and Chennai Roundtables.

Click to download the Privacy Protection Bill, 2013 with latest amendments (PDF, 196 Kb).

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-with-amendments-based-on-public-feedback

Artificial Intelligence - Literature Review

Shruthi Anand — 2017-12-18T15:12:52Z

With origins dating back to the 1950s Artificial Intelligence (AI) is not necessarily new. However, interest in AI has been rekindled over the last few years, in no small measure due to the rapid advancement of the technology and its applications to real- world scenarios. In order to create policy in the field, understanding the literature regarding existing legal and regulatory parameters is necessary. This Literature Review is the first in a series of reports that seeks to map the development of AI, both generally and in specific sectors, culminating in a stakeholder analysis and contributions to policy-making. This Review analyses literature on the historical development of the technology, its compositional makeup, sector- specific impacts and solutions and finally, overarching regulatory solutions.

Edited by Amber Sinha and Udbhav Tiwari; Research Assistance by Sidharth Ray

With origins dating back to the 1950s Artificial Intelligence (AI) is not necessarily new. With an increasing number of real-world implications over the last few years, however, interest in AI has been reignited over the last few years.

The rapid and dynamic pace of development of AI have made it difficult to predict its future path and is enabling it to alter our world in ways we have yet to comprehend. This has resulted in law and policy having stayed one step behind the development of the technology.

Understanding and analyzing existing literature on AI is a necessary precursor to subsequently recommending policy on the matter. By examining academic articles, policy papers, news articles, and position papers from across the globe, this literature review aims to provide an overview of AI from multiple perspectives.

The structure taken by the literature review is as follows:

Overview of historical development
Definitional and compositional analysis
Ethical & Social, Legal, Economic and Political impact and sector-specific solutions
The regulatory way forward

This literature review is a first step in understanding the existing paradigms and debates around AI before narrowing the focus to more specific applications and subsequently, policy-recommendations.

Download the full literature review

For more details visit https://cis-india.org/internet-governance/blog/artificial-intelligence-literature-review

Should Aadhaar be mandatory?

amber — 2017-12-18T15:54:39Z

This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits.

The article was published in Deccan Herald on December 9, 2017.

Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.

Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.

Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.

In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.

Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.

At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.

It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.

However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties, permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.

This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.

Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.

The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances.

How may the issues finally be resolved? When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.

In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.

Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on the how the judges choose to interpret it.

For more details visit https://cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory

Aadhaar linking deadline approaches: Here are all the myths and facts

Admin — 2018-01-01T16:04:25Z

Love it or hate it, you just can't escape it. We're talking about Aadhaar, which is a bigger buzzword than usual in the face of the looming end-December deadline for linkages with bank accounts, PPF, insurance policies, ration card and perhaps even PAN. As India rushes to comply, there are a number of myths and half-truth making the rounds.

The article was published by Business Today on December 7, 2017.

The official website of the Unique Identification Authority of India (UIDAI), the body issuing the biometrics-based Aadhaar number, helpfully lists out some of them, while others came to light when activists took up cudgels on behalf of Aadhaar-harassed citizens. But, either ways, you need to know the hard truth behind them.

Myth: Aadhaar-linkage is not only mandatory for every Indian citizen but also every person residing in the country.
Fact: In a notification dated May 11, 2017, the Central Board of Direct Taxes exempted the following categories from mandatory Aadhaar enrolment:
Those who are not citizens of India, non-resident Indians as per Income Tax Laws, those aged over 80 years at any time during the tax year, and the residents of Assam, Meghalaya and Jammu & Kashmir.

The UIDAI has also made it clear that NRIs and those holding the Overseas Citizen of India (OCI) card are not eligible to obtain Aadhaar as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. "NRI/OCI need not verify their bank account or SIM or PAN with Aadhaar. If required, they may inform the service provider(s) that they being NRI/OCI are exempted from Aadhaar verification," the UIDAI had said on Twitter way back in October, and followed it up with a circular in mid-November.

As per the Aadhaar Act, only a "resident" is entitled to obtain Aadhaar, which refers to an individual, irrespective of nationality, who has resided in India for a period aggregating 182 days or more in the year immediately preceding the date of application for enrolment. So, this means that even NRIs and expats fulfilling the above criteria can apply for Aadhaar, but they cannot be forced to link their Indian bank accounts with it.

Myth: I had to give my fingerprints to get a SIM card and now the telecom company will keep my biometrics for future use

Fact: According to UIDAI, a telecom company cannot store your biometrics at its end. All the biometrics collected should be encrypted by the service provider and sent to UIDAI at that instant itself. Any storage of biometric by any agency is a serious crime punishable with up to three years of imprisonment under the Aadhaar Act.

Myth: Aadhaar is prone to data breaches and leaks
Fact: Yes, there have been at least two serious leaks reported in the media, but the UIDAI has denied both of them.

In May 2017, The Centre for Internet and Society, a Bangalore-based non-profit research organisation, had reportedly investigated three government portals linked with social welfare schemes that together leaked Aadhaar information of around 1.3 crore people. Then, two months later, came news about over 200 government websites Aadhaar information public. This raised a lot of concerns and detractors cried themselves hoarse.

According to the UIDAI, some agencies of central or state governments had been proactively putting up details of their beneficiaries as required under the RTI Act. While the said information was promptly removed from the offending websites, the authority points out that no biometrics were displaced.

"Therefore to say that Aadhaar has been breached, data has been leaked, is completely incorrect and misleading," it says.

Moreover, the Aadhaar Act and IT Act are now in place, which impose restrictions on publication of Aadhaar numbers, bank account, and other personal details.

Myth: Aadhaar has a poorly verified database.
Fact: Several security measures are in place to ensure that Aadhaar enrolment system is secure. It is done through registrars-credible institutions like state government, banks, Common Service Centres which employ enrolment agencies empanelled by UIDAI. The latter, in turn, employ operators certified by the authority. Aadhaar enrolments are done only through customized software developed and provided by UIDAI. Every day, the operators have to log into the enrolment machine through their Aadhaar number and fingerprints. Once an enrolment is done, the operator is required to sign through his/ her biometrics. Moreover, at the time of enrolment itself, the captured data is encrypted and can't be read by anyone other than the UIDAI server.

Myth: People are being denied benefits and rations because they don't have Aadhaar or because of biometrics issues
Fact: UIDAI CEO Ajay Bhushan Pandey has clarified to the media that though Section 7 of the Aadhaar Act stipulates that benefits and subsidies from the Consolidated Fund of India shall be given on the basis of Aadhaar or proof of possession of an Aadhaar number, the lack of it cannot be grounds for denial. "Section 7 specifies that till Aadhaar number is prescribed, the benefits should be given through alternate means of identification," Pandey said to The Hindu.

The Act also provides for statutory protection to those who are unable to authenticate because of worn-out fingerprints, medical conditions like leprosy or other reasons such as technical faults. "The field agencies have been accordingly instructed through the notifications issued by the government. In spite of this, if a person is denied because he does not have Aadhaar or he is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the government and such violators have to be punished," added Pandey.

Myth: Publicly sharing the Aadhaar number, to track a lost Amazon package, for instance, makes one susceptible to identity fraud
Fact: Your Aadhaar number, just like your mobile phone number or bank account number, is not a secret though it is certainly sensitive personal information. Just as no one can hack into your bank account using just the account number, identity theft is impossible using the Aadhaar number alone.

What you need to assiduously protect are things like passwords, including OTPs, and PINs. A prudent practice would be to never put up any sensitive personal information on websites or social media platforms.

For more details visit https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts

India’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach

amber — 2018-01-01T16:18:54Z

We must move India past its existing consultative processes for rule-making, which often prompts stakeholders to take adversarial and extremely one-sided positions.

The article was published in the Wire on December 1, 2017.

Earlier this week, the Ministry of Electronics and Information Technology released a white paper by a “committee of experts” appointed a few months back led by former Supreme Court judge, Justice B.N. Srikrishna, on a data protection framework for India. The other members of the committee are Aruna Sundararajan, Ajay Bhushan Pandey, Ajay Kumar, Rajat Moona, Gulshan Rai, Rishikesha Krishnan, Arghya Sengupta and Rama Vedashree.

With the exception of Justice Srikrishna and Krishnan, the rest of the committee members are either part of the government or part of organisations that have worked closely with the government on separate issues relating to technology, with some of them also having taken positions against the fundamental right to privacy.

Refreshingly, the committee and the ministry has opted for a consultative process outlining the issues they felt relevant to a data protection law, and espousing provisional views on each of the issues and seeking public responses on them. The paper states that on the basis of the response received, the committee will conduct public consultations with citizens and stakeholders. Legitimate concerns were raised earlier about the constitution of the committee and the lack of inclusion of different voices on it. However, if the committee follows an inclusive, transparent and consultative process in the drafting of the data protection legislation, it would go a long way in addressing these concerns.

The paper seeks response to as many as 231 questions covering a broad spectrum of issues relating to data protection – including definitions of terms such as personal data, sensitive personal data, processing, data controller and processor – the purposes for which exemptions should be available, cross border flow of data, data localisation and the right to be forgotten.

While a thorough analysis of all the issues up for discussion would require a more detailed evaluation, at this point, the process of rule-making and the kind of governance model envisaged in this paper are extremely important issues to consider.

In part IV of the paper on ‘Regulation and Enforcement’, there is a discussion on a co-regulatory approach for the governance of data protection in India. The paper goes so far as to provisionally take a view that it may be appropriate to pursue a co-regulatory approach which involves “a spectrum of frameworks involving varying levels of government involvement and industry participation”.

However, the discussion on co-regulation in the white paper is limited to the section on regulation and enforcement. A truly inclusive and co-regulatory approach ought to involve active participation from non-governmental stakeholders in the rule-making process itself. In India, unfortunately, we lack a strong tradition of lawmakers engaging in public consultations and participation of other stakeholders in the process of drafting laws and regulation. One notable exception has been the Telecom Regulatory Authority of India (TRAI), which periodically seeks public responses on consultation papers it releases and also holds open houses occasionally. It is heartening to see the committee of experts and the ministry follow a similar process in this case.

However, these are essentially examples of ‘notice and comment’ rulemaking where the government actors stand as neutral arbiters who must decide on written briefs submitted to it in response to consultation papers or draft regulations that it notifies to the public.

This process is, by its very nature, adversarial, and often means that different stakeholders do not reveal their true priorities but must take extreme one-sided positions, as parties tend to at the beginning of a negotiation.This also prevents the stakeholders from sharing an honest assessment of the actual regulatory challenge they may face, lest it undermine their position.

This often pits industry and public interest proponents against each other, sometimes also leading to different kinds of industry actors in adversarial positions. An excellent example of this kind of posturing, also relevant to this paper, is visible in the responses submitted to the TRAI on the its recent consultation paper on ‘Privacy, Security and Ownership of data in Telecom Sector’. One of the more contentious issue raised by the TRAI was about the adequacy of the existing data protection framework under the license agreement with telecom companies, and if there was a need to bring about greater parity in regulation between telecom companies and over-the-top (OTT) service providers. Rather than facilitating an actual discussion on what is a complex regulatory issues, and the real practical challenges it poses for the stakeholders, this form of consultation simply led to the telecom companies and OTT services providers submitting contrasting extreme positions without much scope for engagement between two polar arguments.

A truly co-regulatory approach which also extends to rulemaking would involve collaborative processes which are far less adversarial in their design and facilitate joint problem solving through multiple face to face meetings. Such processes are also more likely to lead to better rule making by using the more specialised knowledge of the different stakeholders about technology, domain-specific issues, industry realities and low cost solutions. Further, by bringing the regulated parties into the rulemaking process, the ownership of the policy is shared, often leading to better compliance.

Within the domain of data protection law itself, we have a few existing models of robust co-regulation which entail the involvement of stakeholders not just at the level of enforcement but also at the level of drafting. The oldest and most developed form of this kind of privacy governance can be seen in the study of the Dutch privacy statute. It involved a central privacy legislations with broad principles, sectoral industry-drafted “codes of conduct”, government evaluations and certifications of these codes; and a legal safe harbour for those companies that follow the approved code for their sector. Over a period of 20 years, the Dutch experience saw the approval of 20 sectoral codes across a variety of sectors such as banking, insurance, pharmaceuticals, recruitment and medical research.

Other examples of policies espousing this approach include two documents from the US – first, a draft bill titled ‘Commercial Privacy Bill of Rights Act of 2011’ introduced before the Congress by John McCain and John Kerry, and second, a White House Paper titled ‘Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy’ released by the Obama administration. Neither of these documents have so far led to a concrete policy. Both of these policies envisioned broadly worded privacy requirements to be passed by the Congress, followed by the detailed rules to be drafted. The Obama administration white paper is more inclusive in mandating that ‘multi-stakeholder groups’ draft the codes that include not only industry representatives but also privacy advocates, consumer groups, crime victims, academics, international partners, federal and state civil and criminal law enforcement representatives and other relevant groups.

The principles that emerge out this consultative process are likely to guide the data protection law in India for a long time to come. Among democratic regimes with a significant data-driven market, India is extremely late in arriving at a data protection law. The least that it can do at this point is to learn from the international experience and scholarship which has shown that merits of a co-regulatory approach which entails active participation of the government, industry, civil society and academia in the drafting and enforcement of a robust data protection law.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime

FIGI Symposium 2017

Admin — 2018-01-01T16:29:42Z

Innovative Approaches to Digital Financial Inclusion Challenges.

The first edition of the Financial Inclusion Global Initiative (FIGI) Symposium was held in Bangalore, India, from 29 November to 1 December 2017. The Symposium was organized jointly by the Telecommunication Standardization Bureau (TSB) of the International Telecommunication Union (ITU), jointly with the Bill & Melinda Gates Foundation, the World Bank and the Committee on Payments and Market Infrastructure (CPMI) and the kind support of the Government of India.

Elonnai Hickok participated in the symposium and spoke in the "Security, Infrastructure, and Trust" working group on big data and privacy in DFS. For more info on the symposium, see here.

For more details visit https://cis-india.org/internet-governance/news/figi-symposium-2017

Attempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome

Admin — 2018-01-02T16:20:58Z

Perhaps, we got lucky this time, but the ongoing problem of massive cyber-security breaches wouldn't stop at one thwarted attempt to steal sensitive information from the biggest and most important databases.

This was published by DailyO on October 4, 2017.

An alarming report on a potential data breach impacting almost 6,000 Indian organisations — including the Unique Identification Authority of India (UIDAI) that hosts Aadhaar numbers, Reserve Bank of India, Bombay Stock Exchange and Flipkart — has surfaced and supposedly been contained.

A cyber security firm in Pune, Seqrite, had found in its Cyber Intelligence Labs that India's national internet registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI (National Internet Exchange of India), was compromised, though the issue has reportedly been "addressed".

Sequite tracked an advertisement on the "dark net" — the digital underworld — offering access to servers and database dump of more than 6,000 Indian businesses and public assets, including the big ones such as UIDAI, RBI, BSE and Flipkart.

The report states that the "dealer could have had access to usernames, email ids, passwords, organisation name, invoices and billing documents, and few more important fields, and could have potentially shut down an entire organisation".

The UIDAI has denied the security breach of Aadhaar data in the IRINN attacks, in an expected move. "UIDAI reiterated that its existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking," said the report, which is basically a rebuttal from the powerful organisation at the heart of centralising all digital information of all Indians.

Though the aggrieved parties have been notified, and the NCIIPC (National Critical Information Infrastructure Protection Centre) is looking at the issue, what this means is that digital information is a minefield susceptible to all kinds of threats from criminals as well as foreign adversaries, along with being commercially exploited by major conglomerates.

Till August 2017 alone, around 37 incidents of ransomware attacks have been reported, including the notorious WannaCry attacks. But what makes the attacks very, very threatening is the government's insistence — illegal at that — to link Aadhaar with every service, and create a centralised nodal, superior network of all networks.

This "map of maps" has been rightly called out as a potential national security threat, as it makes a huge reservoir of data vulnerable to cyberthreats from mercenaries, the digital underworld and foreign adversaries.

A widely circulated report prepared by the Centre for Internet and Society (CIS) underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats. Photo: Reuters

That the data dump in the digital black market provides access to entire servers for a meagre sum of Rs 42 lakh, as mentioned in the report, is a sign of how insecure our personal information could be on the servers of the biggest government organisations and commercial/online retail giants. This includes the likes of Flipkart, which store our passwords, emails, phone numbers and other important information linked to our bank details and more.

Whilst UIDAI was declared a "protected system" under Section 70 of the Information Technology Act, and a critical information infrastructure, in practice, there are way too many breaches and leaks of Aadhaar data to merit that tag.

Because the current (officially thwarted) attempt to hack into these nodal databases involved the data of hundreds of millions of Indians, the matter has been dealt with the required seriousness. However, as the report states, "among the companies whose emails they found were Tata Consultancy Services, Wipro, Indian Space Research Organisation, Mastercard/Visa, Spectranet, Hathway, IDBI Bank and EY".

This is a laundry list of the biggest and most significant organisations, with massive digital footprints, which are sitting on enormous databanks. Hacking into ISRO, for example, could pose a formidable risk to India's space programmes as well as jeopardise information safety of crucial space projects that are jointly conducted with friendly countries such as Russia, China and the US.

A widely circulated report prepared by the Centre for Internet and Society (CIS) on the Aadhaar Act and its non-compliance with data protection law in India underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats.

Moreover, CIS also reported how government websites, especially "those run by National Social Assistance Programme under Ministry of Rural Development, National Rural Employment Guarantee Act (NREGA) run by Ministry of Rural Development, Daily Online Payment Reports under NREGA (Governemnt of Andhra Pradesh) and Chandranna Bima Scheme (also run by Government of Andhra Pradesh) combined were responsible for publicly exposing personal and Aadhaar details of over 13 crore citizens".

The government has been rather lackadaisical about the grave security threats posed by India's shaky digital infrastructure, saying it's robust when it's not: the UIDAI itself has been brushing the allegations of exclusion, data breach and leaking of data from various government and private operators' servers and there have been several documentations of the security threat as well as the human rights violations that the digital breaches pose for India's institutions and its citizens.

As noted welfare economist Jean Dreze says, "With Aadhaar immensely reinforcing the government's power to reward loyalty and marginalise dissenters, the embers of democracy are likely to be further smothered."

Even as India's jurisprudence held privacy and autonomy as supreme, Indians remain vulnerable to institutional failures and an abject lack of awareness on the gravity of digital destabilisation.

For more details visit https://cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart

UIDAI denies any breach of Aadhaar database

Admin — 2018-01-07T12:03:13Z

Personal data, including biometric information, of citizens safe and secure, says UIDAI on Aadhaar data breach.

The article by Komal Gupta was published by Livemint on January 7, 2018

The Unique Identification Authority of India (UIDAI) on Thursday clarified that there has not been any breach in the Aadhaar database and the personal data of citizens, including biometric information, is safe and secure.

The clarification comes in response to a news report titled ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’ published in The Tribune on Thursday. The report claims that a WhatsApp group sold all Aadhaar data available with UIDAI for a sum of Rs. 500.

UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken. UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken. UIDAI clarified in a press statement that displayed demographic information cannot be misused; it would need to be paired with an individual’s biometrics.

There are more than 1.19 billion Aadhaar card holders in the country.

“If it is not a data breach, then this means that some people who have legitimate access to the data are selling it illegitimately. This poses a greater problem,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

For more details visit https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database

UIDAI introduces new two-layer security system to improve Aadhaar privacy

Admin — 2018-01-16T23:08:34Z

The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data.

The article was published in Economic Times on January 11, 2018.

In one of the most significant security upgrades by the eightyear old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.

The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.

ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.

A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.

"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.

More Needed to be Done: Experts

"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.

Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."

This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.

In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.

"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.

Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.

It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.

Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.

The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.

Kamlesh Bajaj, former CEO of the Data Security Council of India said by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said

Expert Views

Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.

The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead and but not enough," said Sunil Abraham, executive director of CIS.

To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018.

In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token.

"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.

The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.

In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are to establish the uniqueness of beneficiaries in their database such as for distributing government subsidies under cooking gas or scholarships.

Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.

For more details visit https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy

Hammered government offers Virtual ID firewall to protect your Aadhaar

Admin — 2018-01-16T23:34:12Z

Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.

The article was published in New Indian Express on January 11, 2018.

Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.

The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.

UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.

However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”

For more details visit https://cis-india.org/internet-governance/news/indian-express-january-11-2018-

Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief

Admin — 2018-01-16T23:42:58Z

"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers.

The blog post by Sukriti Dwivedi was published by NDTV on January 13, 2018.

Virtual ID, the 16-digit temporary number, announced by UIDAI this week had been suggested way back in 2009-10 when its architects were still designing the system. But the Aadhaar authority, which has called Virtual ID a unique innovation to enhance privacy and security, decided against rolling it out at that time.

It may be a step forward. But not everyone is as convinced.

Cyber security Jiten Jain is one of them. Mr Jain told NDTV that UIDAI should first of all decide if the Aadhaar number was confidential information or not because it had changed its stance on this aspect on more than one occasion.

Like when government departments put out lakhs of Aadhaar number, the government agency had insisted that there was nothing really confidential about the number which could not be misused. Or when The Tribune earlier this month claimed to have found gaps in UIDAI's security system that let the newspaper demographic details of an individual, UIDAI claimed that "the Aadhaar number is not a secret number" anyways.

Also, a point is being made that if hiding an Aadhaar number enhances privacy, then what about the crores of people who have been forced to share their Aadhaar numbers - and a copy of their Aadhaar cards - all these years.

Experts suggest the timing of the announcement may not have been a coincidence. The initiative came against the backdrop of mounting privacy concerns after the newspaper expose. The hearing by a five-judge Constitution Bench of the Supreme Court to decide if the Aadhaar project violates citizens' privacy is to start hearing from next week, January 17.

Srinivas Kodali, cyber security expert and an Aadhaar researcher, said it was clear that the UIDAI had brought it hurriedly. "They said they will release the codes by March 1. So it clearly looks like they haven't planned this thoroughly," he said.

There are also concerns about the ability of people living in remote areas to generate the Virtual IDs, in terms of connectivity and literacy. That means a large proportion of people would not be able to generate the Virtual IDs.

UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.

This, experts at the Bengaluru-based research group, Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said was a problem area.

UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.

This, experts at the Bengaluru-based research group, Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said was a problem area.

"Privacy can be protected by design and not by choice," said CIS executive director Sunil Abraham, who believes the biggest flaw with Aadhaar was its design.

"Since it is not mandatory most people will just use the Aadhaar number instead of getting into the hassle of generating a VID... This is privacy through hurdles instead of privacy by design. I suggest authorities should generate VIDs for people and ensure that third parties only use VID and not the Aadhaar number," Pranesh Prakash at the CIS' policy director told NDTV.

For more details visit https://cis-india.org/internet-governance/news/ndtv-sukriti-dwivedi-january-13-2018-aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief

Virtual Aadhaar ID: too little, too late?

Admin — 2018-01-16T23:59:21Z

Problems persist as many have already shared their 12-digit number with various entities, say experts

The article by Yuthika Bhargava was published in the Hindu on January 11, 2018

The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.

“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.

“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.

The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.

Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.

“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.

Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”

Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.

Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”

For more details visit https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late