Centre for Internet and Society

Andhra Jyoti

praskrishna — 2016-12-17T01:29:59Z

Andhra Jyoti

For more details visit https://cis-india.org/home-images/AndhraJyothi12thDec.jpg

Andaman and Nicobar Chapter

praskrishna — 2014-03-06T16:18:42Z

For more details visit https://cis-india.org/accessibility/blog/andaman-nicobar.pdf

And now, Aadhaar-enabled smartphones for easy verification and money transfer

praskrishna — 2016-08-12T02:50:58Z

As reported earlier, the Indian government has planned to make Aadhaar-enabled smartphones , with which users would be able to self-authenticate and let businesses and banks verify the identity of their clients. This would also help in the government's aim of a cashless society.

The article was published in Business Insider on August 10, 2016. Sunil Abraham was quoted.

While applauding this plan Nandan Nikelani, former chairman of UIDAI told ET that, "Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)."

In July, senior executives of UIDAI and smartphone companies met to discuss ways to allow smartphones let citizens authenticate their fingerprints and iris on the phone, so that they could avail government services from the comfort of their homes.

The most immediate use for these smartphones would be the Unified Payment Interface (UPI), a new payment system which would allow money transfer between any two parties by simply using their mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani.

With time, Aadhaar authentication will also be made open to third party apps, said another person familiar with the ongoing discussions on the condition of anonymity.

This would let users allow apps to access their biometric and iris scans, just like they grant access to other features like camera, contacts, SMS etc. However, from their end, handset makers have raised security concerns about using iris scan for Aadhar authentication.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider.

For this, the he proposal includes a "hardware secure zone" which would encrypt biometric data before sending it out. However, even this isn't a foolproof idea.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

To this, Nilekani said, "the reluctance to make changes at the vendor level is mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons." He added that both ends, the handset and the Aadhaar database, will be using the highest level of encryption.

For more details visit https://cis-india.org/internet-governance/news/business-insider-august-10-2016-and-now-aadhaar-enabled-smartphones-for-easy-verification-and-money-transfer

Ananth Subray

praskrishna — 2019-09-22T23:31:12Z

Ananth Subray

For more details visit https://cis-india.org/home-images/Ananth.jpg

Ananth Guruswamy

praskrishna — 2013-07-30T04:31:57Z

Ananth Guruswamy

For more details visit https://cis-india.org/home-images/AnanthGuruswamy.png

Anand

praskrishna — 2012-02-06T03:55:01Z

For more details visit https://cis-india.org/home-images/Anand.jpg

Anand

praskrishna — 2012-07-10T08:49:44Z

Anand

For more details visit https://cis-india.org/home-images/anand.jpg

Anand

praskrishna — 2012-02-15T10:16:52Z

For more details visit https://cis-india.org/home-images/anan.jpg

Anamika

praskrishna — 2022-01-09T08:05:20Z

Anamika

For more details visit https://cis-india.org/about/people/AnamikaBW.png

Analyzing the Right to Privacy Bill

praskrishna — 2011-12-05T07:24:43Z

Privacy India in partnership with International Development Research Centre, Canada, Indian Institute of Technology, Bombay, the Godrej Culture Lab, Tata Institute of Social Sciences, Mumbai and the Centre for Internet and Society, Bangalore is organising "Privacy Matters", a public conference at IIT, Bombay on 21 January 2012 from 10.30 a.m. to 5.00 p.m. The event will focus on discussing the challenges and concerns to privacy in India.

For more details visit https://cis-india.org/internet-governance/analyzing-right-2-privacy-bill.pdf

Analyzing the Draft Human DNA Profiling Bill 2012

praskrishna — 2013-02-25T09:56:19Z

The Centre for Internet & Society invites you to a workshop on analyzing the Draft Human DNA Profiling Bill on March 1, 2013 in its Bangalore office, from 2.00 p.m. to 5.00 p.m.

The Draft Human DNA Profiling Bill seeks to establish DNA databases at the state, regional, and national level for the purposes of establishing identity in criminal and civil proceedings. The Draft Human DNA Profiling Bill has been critiqued by the committee chaired by Justice AP Shah in the “Report of Group of Experts on Privacy” for a lack of adequate privacy safeguards.

In Fall 2012 the Centre for Internet and Society held a series of public meetings to raise awareness about the Bill and submitted feedback to the Department of Biotechnology. This workshop is in response to an April 2012 draft of the Bill and seeks to analyze the text of the Bill, look at technical aspects of the Bill and DNA profiling, and compare the current draft of the Bill with previous drafts.

For more details visit https://cis-india.org/internet-governance/events/analyzing-draft-human-dna-profiling-bill

Analyzing Draft Human DNA Profiling Bill 2012

praskrishna — 2013-02-25T08:13:16Z

For more details visit https://cis-india.org/internet-governance/blog/draft-dna-profiling-bill-2012.pdf

Analytics to help govt read public mood online

praskrishna — 2015-03-09T16:57:14Z

The Union government is in the process of commissioning a project to analyse public sentiment about it on various online platforms.

The article by Surabhi Talwar published in the Business Standard quotes Pranesh Prakash.

The project will cover state-owned MyGov.in, social media portals such as Facebook and Twitter, and the top 10 news websites in the country. The analysis will also extend to Twitter and Facebook accounts of government ministries and departments, according to a document evincing interest from companies and defining scope of work that has been posted on the website of the electronics and information technology department. The Centre expects the platform to be ready in two months.

This is the first time that the Centre is deploying a tool to 'officially' listen in on social media conversations and monitor media reports as well as subsequent public reaction. The idea is not to see which journalist is saying what and tell the government "inhe ad dena band kar do" (don't give them ads), said a government official familiar with the plans. It has also got "nothing to do with politics or elections", the official added.

The stated objective is to gauge public opinion related to policy matters and get a "comprehensive picture of the larger issues concerning the people", the official said. According to the mandate, the company will analyse comments posted on MyGov.in, which sees about 50,000 responses every week. It will also scan through social media sites, articles posted on news portals and the comments section, and categorise these into three "tag clouds" - negative, positive and neutral.

"Analytics are not strong if you are looking at it with a tunnel vision," said the government official, adding they needed to be comprehensive and corroborated across different platforms. The idea behind extending the mandate to social media websites and news organisations, according to the official, is to make sure the government's policies and initiatives are in sync with the people's wishes.

However, the government claimed it would only study posts that are "public" and not build backend access into the network of social media companies to get a look at all content.

According to the official, the Centre was not interested in "listening to everything that people are talking about", rather it will restrict its queries that relate to its business of policymaking. "Anything beyond that is not our mandate," the official clarified.

According to Mahesh Murthy, founder of digital media firm Pinstorm, these kinds of sentiment-analysis tools have become quite popular lately with both companies and political parties, who use these to gauge public mood before elections.

"They can cost anywhere between Rs 2 lakh and Rs 10 lakh a month," he said, adding there were hardly any privacy implications since the data being analysed was in public domain.

Pranesh Prakash of the Centre for Internet and Society said, "Privacy concerns aren't as acute if there is no profiling that is happening." Prakash added the concept might be worrisome if algorithms became the determining factor for policymaking, as they could be dangerous for democratic functioning. "They are like black boxes and you don't how they function."

Launched about six months ago, MyGov.in is the National Democratic Alliance government's citizen-engagement platform through which it solicits ideas and inputs from the public on government business.

Once the sentiment-analysis project is implemented, the government will be able to automate the process of providing summary of inputs on discussion topics to the government agencies concerned.

The volume of comments received on the platform is making it difficult for the Centre to manually sift through these for the most relevant ones.

"The solution would display two sets of dashboards. One would be in public domain. The other would be restricted through the multi-level role-based access system provisioned by the solution," said the document evincing expression of interest from companies.

Those interested will have to provide a proof of concept before being selected.

For more details visit https://cis-india.org/internet-governance/news/business-standard-february-20-2015-surabhi-agarwal-analytics-to-help-govt-read-public-mood-online

Analysis: Data Protection in India - Getting It Right

praskrishna — 2017-04-28T01:42:42Z

Indian Government Plans Ambitious Data Protection Legislation Rollout by October

The blog post by Suparna Goswami and Varun Haran was published by Info Risk Today on April 26, 2017. Pranesh Prakash was quoted.

The government of India recently informed the Supreme Court of India that it expects to put in place a comprehensive data protection framework by October. The Telecom Regulatory Authority of India will be heading up the initiative and has already started consultations for preparing a draft framework.

The government on April 5 acknowledged that there was no proper regulatory framework to deal with privacy concerns of citizens arising out of "over-the-top" popular messaging services such as Whatsapp, Facebook and Skype. Consequently, the Department of Telecommunications is exploring creating a "regulatory framework" through legislation to address data protection and citizens' privacy concerns.

With the European Union already preparing to enforce its General Data Protection Regulation next year, India may be late to the party. But the need for a data protection and privacy law in India is pressing. And when it's enacted, it will define provisions for protecting sensitive personally identifiable information and spell out liabilities in the event PII gets breached.

Many security practitioners, however, say the government's goal of having a law by October seems aggressive.

Shivangi Nadkarni, co-founder & CEO at Arrka Consulting, points out that once the government publishes a draft regulation for public comment, it must allow two months for gathering feedback. "It has to align with the schedule of the Monsoon Session of Parliament if it has to meet the October deadline," Nadkarni says (see: It's Time to get Serious About Privacy).

Existing Provisions

India already has some data protection and privacy provisions in the Information Technology Act 2000, amended in 2008 and the subsequent IT rules defined in 2011. But the IT Act 2000/8 doesn't define sensitive personal information directly and only provides guidance for reasonable security practice and due diligence - the actual implementation standards have not been explicitly prescribed, says Bengaluru-based Na. Vijayashankar, a cyber law expert and information risk consultant.

The current data protection regime is under section 43A of the IT Act 2000/8, and the regulations made thereunder, says Pranesh Prakash, policy director at Bengaluru-based research think tank the Center for Internet and Society. He contends those regulations are weak, do not specify any governmental agency, and do not lay out penalties for violations. Other relevant provisions, such as section 72A, are also far too onerous and aren't ever applied in practice to such cases, he says (see: Pavan Duggal on Why India's Cyberlaw Must Rapidly Evolve).

"Section 43A and the 'reasonable security rules' didn't change much, given the lack of teeth in the regulations, and the onerous job of proving "wrongful gain or wrongful loss" of property due to data breaches," Prakash says. In addition, as a complement to a strong, yet flexible, data protection/data security regime, the government also needs to put in a privacy regime that covers both the private and public sectors, he adds.

Right to Privacy

India lacks a clear framework that categorically recognizes the sanctity of privacy, says J. Sai Deepak, an independent cyber law expert and arguing counsel at the Delhi High Court. Because the status of the fundamental right to privacy is yet to be adjudicated upon by the Supreme Court, Sai Deepak is uncertain of the basis on which the regulatory mechanism that the government is developing, would function (see: Why India Needs Comprehensive Privacy Law).

"This is important because if you treat privacy as a fundamental right, then the mechanism has to take into account the constitutional obligations and limitations that come with such treatment," Sai Deepak says. A telecom-centric or a single sector-centric approach to privacy as a reaction to a particular litigation may do more harm than good, he adds (see: Re-Evaluating Privacy in India).

"I hope the government goes beyond this context and addresses privacy comprehensively. It is for this reason that I am not sure TRAI is the best entity to vest this mandate with," he says. "After all, we are looking at safeguarding privacy even outside the telecom sphere" he adds.

The government needs to clearly spell out all principles and rights of individuals in the context of privacy as a foundation, experts say.

"Declare that privacy is a right of an Indian citizen and is protected by law," Vijayashankar says. The law should apply to protection of data in any form and require appropriate security measures to be adopted by anyone who collects, processes and manages PII, he adds (see: Privacy: Why India Inc. Needs It).

Viable Roadmap

Vinayak Godse, senior director at Data Security Council of India, says Indian companies, including IT services and outsourcing firms, are losing in European markets because of the high data protection standards followed in those countries.

"We have already been struggling in some markets as our data protection mechanisms don't match to the evolving global expectations for privacy," Godse says. "Questions have been raised by several geographies especially EU on India's regulatory posture in terms of data protection." (See: India's 2015 Data Privacy Agenda)

Vijayashankar says India needs to immediately appoint a data commissioner to efficiently address data privacy violations, which are currently being judged under ITA 2000/8. This will also help Indian enterprises that conduct business with the EU when the GDPR is enforced starting May 25, 2018 (see: How Will Europe's GDPR Affect Businesses Worldwide?).

Nadkarni of Arrka says the framework should:

Clearly define and articulate what qualifies a personal information.
Clearly spell out all principles and rights of individuals in the context of privacy and elaborate on specific aspects as required within each principle/ right.

The Justice AP Shah committee report of 2012 which proposed comprehensive set of data privacy principles and measures had a wide acceptance by various stakeholders, and should be a good starting point to draft an omnibus data privacy law in India, says Srinivas Poosarla, vice president and head (global), privacy & data protection at Infosys.

While the way the enforcement of any such law enacted, would differ at the center and at state level, some of the areas that Poosarla contends need attention are:

Mandating that organizations appoint data privacy officers;
Providing platforms to report grievances and receive compensation from organizations in a timely manner;
Ensuring accountability of organizations for data privacy and to have them promptly report any data breach to affected individuals where there is likely to be material impact;
Identifying and empowering a body at national or state level to enforce implementation of the law.

GDPR as a Model

Nadkarni suggests that the EU's GDPR would be a good benchmark for India. Poosarla and others also agree that the EU GDPR is a good template to draw from. Most importantly, the government should involve all stakeholders, especially privacy and data security advocates, in the drafting of the law, they say.

The best practices and principles from GDPR should be adopted, keeping the cultural and demographic needs of Indian society in mind, Vijayshankar adds.

Prakash of CIS notes: "Any law must keep the evolution of technology in mind. The law can't be so rigid that technological developments are prevented, nor can it be so flexible that technology defeats the basic guarantees provided by the law. For instance, the role of "consent" in a world where indefinite consent is easily obtained by inserting a clause in a long standard-form contract that no one reads, must be taken into account."

For more details visit https://cis-india.org/internet-governance/news/inforisk-today-april-26-2017-suparna-goswami-varun-haran-analysis-data-protection-in-india-getting-it-right

Analogue Dialogue

praskrishna — 2011-11-18T06:16:20Z

Links in the Chain, volume viii, issue iv

For more details visit https://cis-india.org/digital-natives/volume-viii-issue-iv.pdf