Centre for Internet and Society

Comments on Draft National Policy on Official Statistics

Gurshabad Grover — 2018-06-07T01:58:22Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-draft-national-policy-on-official-statistics

DP Compendium

Admin — 2018-05-31T16:00:24Z

For more details visit https://cis-india.org/internet-governance/files/dp-compendium

May 2018 Newsletter

praskrishna — 2018-06-12T14:03:24Z

CIS newsletter for the month of May 2018.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
The Centre for Internet & Society (CIS) has published a collection of stories of the impact of internet shutdowns on people's lives in the country. The stories were provided by 101 Reporters. The project was funded by Facebook and MacArthur Foundation. The report edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah can be accessed here. Anubha Sinha on behalf of CIS participated in the 36th Session of WIPO SCCR at Geneva from May 28 to June 1, 2018. CIS made statements on Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities, Draft Action Plan for Libraries, Archives and Museums, Limitations and Exceptions Agenda, and Proposed Treaty for the Protection of Broadcasting Organizations. CIS was one among the 14 NGOs which circulated a letter that raised concerns about the draft Broadcasting Treaty. India's Department of Telecommunications released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’. Anubha Sinha wrote an analysis on this in the Wire on May 6, 2018. Singapore based Asian Business Law Institute published a compendium on “Regulation of cross-border transfer of personal data in Asia”. The compendium contains 14 detailed reports. The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok. The purpose of privacy notices and choice mechanisms is to notify users of the data practices of a system, so they can make informed privacy decisions, wrote Saumyaa Naidu in a blog post which was edited by Elonnai Hickok. Divij Joshi wrote a report that assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles. The report was edited by Elonnai Hickok and Swaraj Barooah. Data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way wrote Amber Sinha in an article published in the Economic & Political Weekly. Saman Goudarzi, Elonnai Hickok and Amber Sinha wrote a report titled AI in the Banking and Finance Industry in India which seeks to map the present state of use of AI in the banking and financial sector in India. The report was edited by Shyam Ponappa. Mapping was done by Shweta Mohandas. Pranav M Bidare, Sidharth Ray, and Aayush Rathi provided research assistance in preparing this report. The National Register of Citizens (NRC) exercise in Assam focuses on updating the list of Indian citizens in the state. Khetrimayum Monish Singh and Nazifa Ahmed wrote a research paper that has provided a discourse analysis of media content and user opinions on Facebook, and media responses on the NRC official website. All posts related to this study can be found here.

Highlights

The Centre for Internet & Society (CIS) has published a collection of stories of the impact of internet shutdowns on people's lives in the country. The stories were provided by 101 Reporters. The project was funded by Facebook and MacArthur Foundation. The report edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah can be accessed here.
Anubha Sinha on behalf of CIS participated in the 36th Session of WIPO SCCR at Geneva from May 28 to June 1, 2018. CIS made statements on Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities, Draft Action Plan for Libraries, Archives and Museums, Limitations and Exceptions Agenda, and Proposed Treaty for the Protection of Broadcasting Organizations. CIS was one among the 14 NGOs which circulated a letter that raised concerns about the draft Broadcasting Treaty.
India's Department of Telecommunications released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’. Anubha Sinha wrote an analysis on this in the Wire on May 6, 2018.
Singapore based Asian Business Law Institute published a compendium on “Regulation of cross-border transfer of personal data in Asia”. The compendium contains 14 detailed reports. The chapter titled Jurisdictional Report India was authored by Amber Sinha and Elonnai Hickok.
The purpose of privacy notices and choice mechanisms is to notify users of the data practices of a system, so they can make informed privacy decisions, wrote Saumyaa Naidu in a blog post which was edited by Elonnai Hickok.
Divij Joshi wrote a report that assesses the compliance of the Indian intermediary liability framework with the Manila Principles on Intermediary Liability, and recommends substantive legislative changes to bring the legal framework in line with the Manila Principles. The report was edited by Elonnai Hickok and Swaraj Barooah.
Data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way wrote Amber Sinha in an article published in the Economic & Political Weekly.
Saman Goudarzi, Elonnai Hickok and Amber Sinha wrote a report titled AI in the Banking and Finance Industry in India which seeks to map the present state of use of AI in the banking and financial sector in India. The report was edited by Shyam Ponappa. Mapping was done by Shweta Mohandas. Pranav M Bidare, Sidharth Ray, and Aayush Rathi provided research assistance in preparing this report.
The National Register of Citizens (NRC) exercise in Assam focuses on updating the list of Indian citizens in the state. Khetrimayum Monish Singh and Nazifa Ahmed wrote a research paper that has provided a discourse analysis of media content and user opinions on Facebook, and media responses on the NRC official website. All posts related to this study can be found here.

Articles:

The Huawei pointer (Shyam Ponappa; Business Standard and Organizing India Blogspot; May 3, 2018).

India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution (Anubha Sinha; Wire; May 6, 2018).
India's Data Protection Framework Will Need to Treat Privacy as a Social and Not Just an Individual Good (Amber Sinha; Economic & Political Weekly, Volume 53, Issue No. 18, 05 May, 2018).
Digital Native: Web of Wander (Nishant Shah; Indian Express; May 20, 2018).

CIS in the News:

India's National ID Project Brings Pain to Those it Aims to Help (Aayush Soni; Ozy.com; May 11, 2018).
Aadhaar Remains an Unending Security Nightmare for a Billion Indians (Karan Saini; Wire; May 11, 2018).
More errors in Aadhaar data in Andhra Pradesh than in voter database (U Sudhakar Reddy; Times of India; May 18, 2018).
Putting women human rights activists on the world map (Sarumathi K.; Hindu; May 19, 2018).
An open data ecosystem can boost India's GDP by $22 B and double farmer income (Sohini Mitter; Your Story; May 23, 2018).
Complying with Europe’s GDPR will be a “matter of survival” for Indian IT firms (Ananya Bhattacharya; Quartz India; May 24, 2018).
Don't blindly forward WhatsApp messages. You could be sued (Rajitha Menon and Surupasree Sarmmah; Deccan Herald; May 29, 2018).
Alexa’s recording leak in US ‘echoes’ privacy issues here (Mugdha Variyar; Economic Times; May 29, 2018).
Election Experiment Proves Facebook Just Doesn't Care About Fake News In India (Visvak; Huffington Post; May 30, 2018).
India Proposes Law to Give Indians Complete Control of their Digital Health Data (Madhur Singh; India Spend; May 31, 2018).
Patanjali's Kimbho swiftly retreats over security scare, ripped on Twitter (Alnoor Peermohamed and Manavi Kapur; Business Standard; May 31, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Blog Entries

CIS participated in the 36th SCCR held in Geneva from May 28 to June 1, 2018 and made the following statements:

Statement on the Proposed Treaty for the Protection of Broadcasting Organizations (Anubha Sinha; May 28, 2018).
NGOs circulate letter at WIPO SCCR/36 raising serious concerns about draft Broadcasting Treaty (Anubha Sinha; May 29, 2018).
Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities (Anubha Sinha; May 31, 2018).
Statement on the Draft Action Plan for Libraries, Archives and Museums (Anubha Sinha; May 31, 2018).
Statement on Limitations and Exceptions Agenda (Anubha Sinha; May 31, 2018).

Participation in Event

RightsCon Toronto 2018 (Organized by RightsCon; Beanfield Centre at Exhibition Place, Toronto; May 17, 2018). Maggie Huang, Amba Kak, Rohini Lakshané, Vidushi Marda, Elonnai Hickok and Anubha Sinha were among the speakers at the event. Amber Sinha remotely participated in a private meeting on 'Strategizing Civil Society Roles in the Artificial Intelligence Debate'. Anubha Sinha, Maggie Huang, Rohini Lakshané and Vidushi Marda presented their findings from the Pervasive Technologies project in a panel titled "Cheap and Chipper: IP in India's Affordable Smartphones". Prof Michael Geist moderated the session. Anubha Sinha and Vidushi Marda participated remotely. Elonnai Hickok participated in these sessions: IDRC cyber policy meeting; GNI board meeting; GNI learning session on MLATs; FOC-AN meeting; GNI session on Intermediary Liability.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Reports

Methods workshop on researching Future of Work in India (Natallia Khaniejo and Aayush Rathi; May 10, 2018).
AI in the Banking and Finance Industry in India (Saman Goudarzi, Elonnai Hickok and Amber Sinha; May 14, 2018)
Indian Intermediary Liability Regime: Compliance with the Manila Principles on Intermediary Liability (Divij Joshi; May 20, 2018). The report was edited by Elonnai Hickok and Swaraj Barooah.
Jurisdictional Report India (Compendium on Regulation of Cross-Border Transfers of Personal Data in Asia; Amber Sinha and Elonnai Hickok; May 31, 2018).

Blog Entry

Design Concerns in Creating Privacy Notices (Saumyaa Naidu; May 29, 2018). The blog post was edited by Elonnai Hickok.

Participation in Events

Meeting of Coalition for an Inclusive Approach on the Trafficking Bill (Organized by Alternative Law Forum; Bengaluru; May 3, 2018).
Fairness, Transparency and Accountable AI (Organized by DeepMind; London; May 10, 2018). Amber Sinha participated remotely in the inaugural meeting.
Rootconf 2018 (Organized by HasGeek; Bengaluru; May 11 - 12, 2018). Gurshabad Grover, Natallia Khaniejo and Aayush Rathi attended the event.
Inter Movements Open Forum: Trafficking Bill (Organized by Sangram, Naz Foundation, NNSW, Tarshi and VAMP; India International Centre, New Delhi; May 18, 2018).
IETF Indian Community Meetup: RFCs We Love (IoT edition) (Organized by Indian IETF Community; Zoomcar's office; Bengaluru; May 19, 2018). Gurshabad Grover and Sandeep Kumar attended 'RFCs We Love Meetup'.
Emerging Technologies: Issues & Way Forward (Organized by Technology Policy team at the National Institute of Public Finance and Policy; Bengaluru; May 23 - 24, 2018).
Privacy in the Digital Age: Addressing Common Challenges, Seizing Opportunities (Organized by DG Justice and Consumers and European Union; New Delhi; May 25, 2018).

►Free Speech and Expression

Report

Internet Shutdown Stories (Edited by Debasmita Haldar, Ambika Tandon and Swaraj Barooah; Foreword by Sunil Abraham; May 17, 2018). Case studies from the states of Jammu & Kashmir, Haryana, Rajasthan, Gujarat, Telangana, West Bengal, Tripura, Manipur, Nagaland, and Uttar Pradesh have been highlighted in this compilation.

Blog Entry

DIDP Request #30 - Enquiry about the employee pay structure at ICANN (Paul Kurian and Akriti Bopanna; May 26, 2018).

-----------------------------------
Telecom
-----------------------------------

CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Articles

The Huawei pointer (Shyam Ponappa; Business Standard and Organizing India Blogspot; May 3, 2018).
India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution (Anubha Sinha; Wire; May 6, 2018).

-----------------------------------
Researchers at Work
-----------------------------------

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Draft Research Paper

Infrastructure as Digital Politics: Media Practices and the Assam NRC Citizen Identification Project (Khetrimayum Monish Singh and Nafiza Ahmed; May 15, 2018).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/may-2018-newsletter-1

36th SCCR: CIS Statement on Draft Action Plan for Educational and Research Institutions and Persons with Other Disabilities

sinha — 2018-05-31T09:46:45Z

Anubha Sinha, attending the 36th Session of the World Intellectual Property Organization (“WIPO”) Standing Committee on Copyright and Related Rights (“SCCR”) at Geneva from May 28, 2018 to June 1, 2018, made this statement on the Proposed Treaty for the Protection of Broadcasting Organizations on behalf of CIS on Day 4, May 31.

Thank you, Mr. Chair.

I’m speaking on behalf of the Centre for Internet and Society, India.

We have concerns about the plan’s focus on MOOCs and distance learning initiatives. Although they are related to increasing access to education, these initiatives are hardly a substitute for classroom learning – and the primary objective of the treaty should be to improve such classroom teaching, especially for developing countries where ICT penetration remains quite low. Unless the plan also chooses to develop Open Educational Resources as a priority in connection with MOOCs and distance learning initiatives, we suggest that this item in the plan be re-examined in light of other more beneficial action items.

Thank you.

Note: Please find the Draft Action Plan here (SCCR/36/3).

For more details visit https://cis-india.org/a2k/blogs/36th-sccr-cis-statement-on-draft-action-plan-for-educational-and-research-institutions-and-persons-with-other-disabilities

36th SCCR: CIS Statement on Limitations and Exceptions Agenda

sinha — 2018-05-31T09:43:08Z

Anubha Sinha, attending the 36th Session of the World Intellectual Property Organization (“WIPO”) Standing Committee on Copyright and Related Rights (“SCCR”) at Geneva from May 28, 2018 to June 1, 2018, made this statement on the Limitations and Exceptions agenda on behalf of CIS on Day 3, May 30.

Thank you, Mr. Chair.

I’m speaking on behalf of the Centre for Internet and Society, India.

As we move forward on this agenda, we believe that for a true balance to be realised, the rights of all users of copyrighted works will have to be treated on par with those of the rightholders for purposes of access to knowledge. We are disappointed with the state of the limitations and exceptions in the broadcast treaty, that made some progress yesterday (in terms of increasing rights).

Further, as we have submitted earlier, it is our belief that the present international legal framework does not sufficiently address the opportunities presented by new information and communication technologies. We reiterate the need for open ended exceptions and limitations in this area - which should also facilitate smooth cross border exchange of knowledge.

Thank you.

For more details visit https://cis-india.org/a2k/blogs/36th-sccr-cis-statement-on-limitations-and-exceptions-agenda

An open data ecosystem can boost India's GDP by $22 B and double farmer income

Admin — 2018-05-23T14:37:55Z

MeiTY says increased data transparency will drive growth and improve governance across key industry sectors in the time to come.

This was published in Your Story on May 22, 2018.

YES Bank in association with the Ministry of Electronics and Information Technology (MeitY) has released a study that says an ‘open data ecosystem’ can grow India’s GDP by $22 billion by 2020. It could impact critical sectors like agriculture and double farmer income by reducing wastage and system inefficiencies.

The report titled Open Government, Open Data – Re-imagining India observes that farmers’ income could be twice of what it is in less than five years from now. Universal Health coverage could be strengthened, and micro-loans could be disbursed to millions of MSMEs more effectively through a well-functioning open data ecosystem.

Empirical evidence shows that open data has aided agriculture world over. Combined with agricultural knowledge, remote sensing, and mapping, it helps create early warning systems for farmers. That enables them in “protecting crops from pests and extreme weather, increasing yields, monitoring water supplies, and anticipating changes brought on by climate change,” according to the World Bank.

While India was among the first countries in the world to set up an Open Government Data (OGD) platform that offered open and free access to data and information released by over 100 government departments, there have been loopholes in the project that has led to data being restricted in some cases. At present, OGD houses info-sets from 180,543 ministry resources and is presided over by a hundred-plus data officers.

YES Bank has recommended steps to eliminate the existing gaps and boost usage of OGD to improve governance across sectors. It has also said that emerging technologies like Blockchain, Machine Learning (ML) and the Internet of Things (IoT) would drive further efficiencies in the open data ecosystem, and lead to more tech-focused innovation.

One such innovation has been brought about by Silicon Valley agri startup, Harvesting, that recently launched its India operation. Harvesting uses remote sensing and geo-spatial imagery along with existing farmer data to monitor farmlands, assess them in real-time, and send out reports and analysis to all stakeholders, including farmers, agri lenders, rural banks, and so on.

Harvesting Founder-CEO Ruchit Garg told YourStory,

“There are over 500 million small farm-holders in emerging markets that feed 80 percent of the world. But there is a data asymmetry in the agricultural value chain. Most problems arise because of a massive data deficit. We started to look at how this could be solved by leveraging data and technology.”

Besides industries, the open data is available for citizen access too, and that is important.

Rana Kapoor, MD and CEO, Yes Bank, said,

“Data is collected from citizens for citizen welfare and should therefore be shared with them. Secondly, data like Government budget usage, welfare schemes and subsidies increases transparency, thereby building greater trust.”

YES Bank also recommends more public-private partnerships (PPP) for open data to be fully utilised. It proposes the formation of an Open Data Council comprising representatives from private and public sectors as well as technology service providers. The council would be chaired by MeitY and will work towards the identification of ‘priority sectors’ which require data digitisation.

But, merely having large amounts of open data sets is not enough. The Centre for Internet and Society (CIS) sounds a word of caution.

In a separate report titled Open Government Data Study: India, the CIS states,

“To ensure the relevance of open government data, mechanisms have to be put in place to take its benefits to ordinary people and to marginalised communities. Simply putting up raw data will not suffice.”

The report notes that a richer open data ecosystem can be created by harnessing records and information from rural internet kiosks, community e-centres, e-healthcare, geographic information systems (GISs), dairy sector applications, teacher training programmes, online agricultural systems, wireless local loop solutions, databases of rural innovations, land property registrations, women and children’s services, and more.

For more details visit https://cis-india.org/openness/news/your-story-sohini-mitter-may-22-2-018-open-data-ecosystem-can-boost-indias-gdp-22-b-double-farmer-income

Indian Intermediary Liability Regime

Admin — 2018-05-20T15:03:25Z

For more details visit https://cis-india.org/internet-governance/files/indian-intermediary-liability-regime

March 2018 Newsletter

praskrishna — 2018-05-20T14:55:25Z

March 2018 newsletter

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
CIS in partnership with DataMeet and Arghyam is exploring the early steps for making open data and tools to plan for water resources accessible to all. As a move to celebrate World Water Day 2018 we are sharing a paper that we had been working on titled Open Data for Water Studies in India and a web app to make open water data easily explorable and usable. Disability rights activist Javed Abidi, former Director of the National Centre for Promotion of Employment for Disabled People who was instrumental in bringing issues pertaining to various disabilities under an umbrella organisation, and ensuring greater visibility in mainstream media passed away recently. Remembering Abidi, Dr. Nirmita Narasimhan spoke to Ambika Tandon about how they worked together to push National Policy on Universal Electronics Accessibility. CIS, Wikimedia Foundation, Wikimedia India and other affiliates of India have initiated Chromebook for the Project Tiger to enable writers from various Indic languages to create quality content in Indic languages. The project will also help Wikipedia editors by supporting them with internet charges for 6 months and laptops to 50 volunteers to address content gaps. Sunil Abraham in an article in the Business Standard has thrown light on the Cambridge Analytica Scandal and explained how India needs to save democracy from hegemonic incumbents with open source alternatives. For this the government should use its procurement powers. CIS has been instrumental in having ICANN become transparent about their revenue with our persistent requests for their sources of revenue. In our latest analysis we have presented a picture of ICANN financials from 2012 to 2016. In an article published in the Business Standard Shyam Ponappa wrote about correcting misinformed impressions about NPAs, and the Swedish model for setting up a bad bank. In an initial literature survey CIS has focused on how scholars in a diversity of fields, ranging from Information Science and Science and Technology Studies to Anthropology and Political Science, have engaged with how state infrastructures mediate the state-citizen relationship.

Highlights

CIS in partnership with DataMeet and Arghyam is exploring the early steps for making open data and tools to plan for water resources accessible to all. As a move to celebrate World Water Day 2018 we are sharing a paper that we had been working on titled Open Data for Water Studies in India and a web app to make open water data easily explorable and usable.
Disability rights activist Javed Abidi, former Director of the National Centre for Promotion of Employment for Disabled People who was instrumental in bringing issues pertaining to various disabilities under an umbrella organisation, and ensuring greater visibility in mainstream media passed away recently. Remembering Abidi, Dr. Nirmita Narasimhan spoke to Ambika Tandon about how they worked together to push National Policy on Universal Electronics Accessibility.
CIS, Wikimedia Foundation, Wikimedia India and other affiliates of India have initiated Chromebook for the Project Tiger to enable writers from various Indic languages to create quality content in Indic languages. The project will also help Wikipedia editors by supporting them with internet charges for 6 months and laptops to 50 volunteers to address content gaps.
Sunil Abraham in an article in the Business Standard has thrown light on the Cambridge Analytica Scandal and explained how India needs to save democracy from hegemonic incumbents with open source alternatives. For this the government should use its procurement powers.
CIS has been instrumental in having ICANN become transparent about their revenue with our persistent requests for their sources of revenue. In our latest analysis we have presented a picture of ICANN financials from 2012 to 2016.
In an article published in the Business Standard Shyam Ponappa wrote about correcting misinformed impressions about NPAs, and the Swedish model for setting up a bad bank.
In an initial literature survey CIS has focused on how scholars in a diversity of fields, ranging from Information Science and Science and Technology Studies to Anthropology and Political Science, have engaged with how state infrastructures mediate the state-citizen relationship.

Articles:

NPAs & Bad Banks (Shyam Ponappa; Business Standard and Organizing India Blogspot; March 1, 2018).
Digital native: Our lonely connected lives (Nishant Shah; Indian Express; March 11, 2018).
Cambridge Analytica scandal: How India can save democracy from Facebook (Sunil Abraham; Business Standard; March 28, 2018).

CIS in the News:

CIS ranks amongst top think tanks for public policy in the region (March 2, 2018). Think Tanks and Civil Societies Program featured Centre for Internet & Society in its annual report.
Is there a case for penalizing fake news? (Nilesh Christopher; ET Tech; March 7, 2018).

Supreme Court extends Aadhaar linking deadline till it passes verdict (Priyanka Mittal and Komal Gupta; Livemint; March 13, 2018).

Aadhaar unique IDs in India: a qualified success? (Web Fraud Prevention and Online Authentication Market Guide 2017/2018 and Paypers; March 16, 2018).

Facebook breach: Privacy advocates in India seek stronger data laws (Surabhi Agarwal and Devina Sengupta; March 20, 2018).

Govt warns Facebook of stringent legal action if found misusing data (Komal Gupta; Livemint; March 21, 2018).

Without stringent law, threats to Mark Zuckerberg are hollow: Experts (Alnoor Peermohamed and Karan Choudhury; Business Standard; March 23, 2018).

‘If an Indian party acted like Cambridge Analytica, it will not be guilty under current laws’ (Amit Bhardwaj; Newslaundry; March 24, 2018).

Is Facebook too powerful without legal safeguards? (Vidhi Choudhary; Hindustan Times; March 24, 2018).

Digital Native: A new road to justice (Nishant Shah; Indian Express; March 25, 2018).

Aadhaar safety (Asian Age; March 25, 2018).

PM’s app also susceptible (Free Press Journal; March 25, 2018).

New Lock For EU’s Digital Mines (Arindam Mukherjee; Outlook; March 26; 2018).

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks (Nilesh Christopher; March 26, 2018).

Data Breach: How will the biggest scandal that Facebook is mired in affect its credibility in India? (G. Seetharaman and Shephali Bhatt; Economic Times; March 26, 2018).

UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts (Mayank Jain; Business Standard; March 27, 2018).

Narendra Modi’s personal app sparks India data privacy row (Financial Times; March 28, 2018).

The Narendra Modi app: The secret weapon in BJP’s elections arsenal (Jayadevan PK and Pankaj Mishra; Factor Daily; March 29, 2018).
Your mobile apps have the permission to spy on you (Economic Times; March 30, 2018).
Parties seek social media influencers to go viral (Ipsita Basu; Economic Times; March 31, 2018).
If data is the new oil, how much does an Indian citizen lose? (Saurya Sengpupta; Hindu; March 31, 2018).

Accessibility

India has an estimated 70 million disabled persons who are unable to read printed materials due to some form of physical, sensory, cognitive or other disability. The disabled need accessible content, devices and interfaces facilitated via copyright law and accessibility policies. CIS works to facilitate this.

Blog Entry

Groundbreaking disability rights activist Javed Abidi dies at 53 (Ambika Tandon; March 6, 2018).

Access to Knowledge

Access to Knowledge (A2K) is a campaign to promote the fundamental principles of justice, freedom, and economic development. It deals with issues like copyrights, patents and trademarks, which are an important part of the digital landscape. Our A2K program comprises 2 projects: Pervasive Technologies done under a grant from International Development Research Centre examining interplay between cost-effective pervasive technologies and intellectual property and encouraging development of such technologies for social good, and Wikipedia under a grant from Wikimedia Foundation to enable the growth of Indic language communities and cultivate new editors in different Indian languages.

Wikipedia

Events Organized

The reports for the events were published in March 2018:

Marathi Language Day events (February 27, 2018). Marathi Language day is celebrated all over world on February 27. Various events and activities were conducted by CIS-A2K in collaboration with community, institutions and government departments. A guest editorial was published in Sakal newspaper on February 10, 2018. There was a radio interview Tomato FM 94.3 Kolhapur on February 27, 2018 for which promotion was made through Facebook. News on the events was also covered in Pudhari, Lokmat and Samana.
Mini Train the Trainer 2018 (Organized by CIS-A2K; Jnana Prabodhini & Bhave High School; Sadashiv Peth, Pune; February 24 - 25, 2018).

Blog Entry

Chromebook for the Project Tiger- How it is helping me to contribute actively on Wikimedia project! (Sangram Keshari Senapati; March 26, 2018).

Openness

Innovation and creativity are fostered through openness and collaboration. Our work in the Openness program focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software.

Note: We missed carrying our updates in our Openness program in previous newsletter, hence reproducing them here.

Open Data

Open Data and Land Ownership - Environment Scan (Sumandro Chattapadhyay; February 12, 2018).
On World Water Day - Open Data for Water Resources (Craig Dsouza; March 22, 2018).

Open Access

Open Access India recently released a statement to promote openness in science and research communities. CIS contributed to the text and introduced it to the participants of OpenCon 2018, Delhi.

Delhi Declaration on Open Access (Open Access India; February 14, 2018).

Internet Governance

The Tunis Agenda of the second World Summit on the Information Society has defined internet governance as the development and application by governments, the private sector and civil society, in their respective roles of shared principles, norms, rules, decision making procedures and programs that shape the evolution and use of the internet. CIS is engaged in two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Free Speech & Expression

Blog Entry

Analysis of ICANN financials from 2012-2016 (Sunil Abraham, Arjun Venkatraman and Akriti Bopanna; March 15, 2018).

Cyber Security

Blog Entry

People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India (Shweta Mohandas; March 11, 2018).

Participation in Event

Cybersecurity: The Intersection of Policy and Technology (Organized by Synergia Foundation; Bengaluru; March 15, 2018).

Privacy

Events Organized

Roundtable on A.I. and Governance in India (Organized by CIS; India Islamic Centre, New Delhi; March 16, 2018).
A Methods Workshop for Researching Future of Work in India (Co-organized by CIS and the Department of Management Studies, IIT-Delhi; New Delhi; March 28, 2018).

Participation in Events

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing (Organized by USIBC; New Delhi; March 6, 2018). Amber Sinha was a panelist.
White Paper on Data Protection and Privacy (Organized by National Institute of Public Finance and Policy; New Delhi; March 8, 2018). Sunil Abraham was a moderator in the session on Rights and Protections and Amber Sinha was a panelist.
Listening Machines - New interfaces for Art-Science and Technology Policy (Organized by National Academy of Sciences, Washington D.C; Arthur M Sackler Colloquia; March 12, 2018). Sharath Chandra presented his work "Listening Machines - New interfaces for Art-Science and Technology Policy".
Quantified identities as a global phenomenon: analyzing the impact of biometric systems in our societies (Internet Freedom Festival; Valencia, Spain; March 2018). Amber Sinha made a presentation.

Telecom

Newspaper Column

NPAs & Bad Banks (Shyam Ponappa; Business Standard; February 28, 2018 and Organizing India Blogspot; March 1, 2018).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entry

Information Infrastructures, State, and Citizens: An Initial Literature Survey (Khetrimayum Monish Singh, Ranjit Singh, Palashi Vaghela, and Nazifa Ahmed; March 28, 2018).

Event Organized

Designing Urban Nervous Systems (Organized by CIS; Bengaluru; March 27, 2018). Dr. Anupam Saraph, a future designer and an expert on complex systems gave a talk on looking at cities as living organisms, with nervous systems at the center of their being.

-----------------------------------

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/march-2018-newsletter

India's Data Protection Framework Will Need to Treat Privacy as a Social and Not Just an Individual Good

amber — 2018-05-18T06:22:57Z

The idea that technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way.

Published in Economic & Political Weekly, Volume 53, Issue No. 18, 05 May, 2018. Article can be accessed online here.

In July 2017, the Ministry of Electronics and Information Technology (MeITy) in India set up a committee headed by a former judge, B N Srikrishna, to address the growing clamour for privacy protections at a time when both private collection of data and public projects like Aadhaar are reported to pose major privacy risks (Maheshwari 2017). The Srikrishna Committee is in the process of providing its input, which will go on to inform India’s data-protection law.

While the committee released a white paper with provisional views, seeking feedback a few months ago, it may be discussing a data protection framework without due consideration to how data practices have evolved.

In early 2018, a series of stories based on investigative journalism by Guardianand Observer revealed that the data of 87 million Facebook users was used for the Trump campaign by a political consulting firm, Cambridge Analytica, without their permissions. Aleksandr Kogan, a psychology researcher at the University of Cambridge, created an application called “thisisyourdigitallife” and collected data from 270,000 participants through a personality test using Facebook’s application programming interface (API), which allows developers to integrate with various parts of the Facebook platform (Fruchter et al 2018). This data was collected purportedly for academic research purposes only. Kogan’s application also collected profile data from each of the participants’ friends, roughly 87 million people.

The kinds of practices concerning the sharing and processing of data exhibited in this case are not unique. These are, in fact, common to the data economy in India as well. It can be argued that the Facebook–Cambridge Analytica incident is representative of data practices in the data-driven digital economy. These new practices pose important questions for data protection laws globally, and how these may need to evolve to address data protection, particularly for India, which is in the process of drafting its own data protection law.

Privacy as Control

Most modern data protection laws focus on individual control. In this context, the definition by the late Alan Westin (2015) characterises privacy as:

The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.

The idea of “privacy as control” is what finds articulation in data protection policies across jurisdictions, beginning with the Fair Information Practice Principles (FIPP) from the United States (US) (Dixon 2006). These FIPPs are the building blocks of modern information privacy law (Schwartz 1999) and not only play a significant role in the development of privacy laws in the US, but also inform data protection laws in most privacy regimes internationally (Rotenberg 2001), including the nine “National Privacy Principles” articulated by the Justice A P Shah Committee in India. Much of this approach is also reflected in the white paper released by the committee, led by Justice Srikrishna, towards the creation of data protection laws in India (Srikrishna 2017)

This approach essentially involves the following steps (Cate 2006):

(i) Data controllers are required to tell individuals what data they wish to collect and use and give them a choice to share the data.
(ii) Upon sharing, the individuals have rights such as being granted access, and data controllers have obligations such as securing the data with appropriate technologies and procedures, and only using it for the purposes identified.

The objective in this approach is to make the individual empowered and allow them to weigh their own interests in exercising their consent. The allure of this paradigm is that, in one elegant stroke, it seeks to “ensure that consent is informed and free and thereby also (seeks) to implement an acceptable tradeoff between privacy and competing concerns.” (Sloan and Warner 2014). This approach is also easy to enforce for both regulators and businesses. Data collectors and processors only need to ensure that they comply with their privacy policies, and can thus reduce their liability while, theoretically, consumers have the information required to exercise choice. In recent years, however, the emergence of big data, the “Internet of Things,” and algorithmic decision-making has significantly compromised the notice and consent model (Solove 2013).

Limitations of Consent

Some cognitive problems, such as long and difficult to understand privacy notices, have always existed with regard to the issue of informed consent, but lately these problems have become aggravated. Privacy notices often come in the form of long legal documents, much to the detriment of the readers’ ability to understand them. These policies are “long, complicated, full of jargon and change frequently” (Cranor 2012).

Kent Walker (2001) lists five problems that privacy notices typically suffer from:

(i) Overkill: Long and repetitive text in small print.
(ii) Irrelevance: Describing situations of little concern to most consumers.
(iii) Opacity: Broad terms that reflect limited truth, and are unhelpful to track and control the information collected and stored.
(iv) Non-comparability: Simplification required to achieve comparability will lead to compromising of accuracy.
(v) Inflexibility: Failure to keep pace with new business models.

Today, data is collected continuously with every use of online services, making it humanly impossible to exercise meaningful consent.
The quantity of data being generated is expanding at an exponential rate. With connected devices, smartphones, appliances transmitting data about our usage, and even the smart cities themselves, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information” (Bollier 2010).

The infinitely complex nature of the data ecosystem renders consent of little value in cases where individuals may be able to read and comprehend privacy notices. As the uses of data are so diverse, and often not limited by a purpose identified at the beginning, individuals cannot conceptualise how their data will be aggregated and possibly used or reused.

Seemingly innocuous bits of data revealed at different stages could be combined to reveal sensitive information about the individual. While the regulatory framework is designed such that individuals are expected to engage in cost–benefit analysis of trading their data to avail services, this ecosystem makes such individual analysis impossible.

Conflicts Between Big Data and Individual Control

The thrust of big data technologies is that the value of data resides not in its primary purposes, but in its numerous secondary purposes, where data is reused many times over (Schoenberger and Cukier 2013).

On the other hand, the idea of privacy as control draws from the “data minimisation” principle, which requires organisations to limit the collection of personal data to the minimum extent necessary to obtain their legitimate purpose and to delete data no longer required. Control is excercised and privacy is enhanced by ensuring data minimisation. These two concepts are in direct conflict. Modern data-driven businesses want to retain as much data as possible for secondary uses. Since these secondary uses are, by their nature, unanticipated, their practices run counter to the very principle of purpose limitation (Tene and Polonetsky 2012).

It is evident from such data-sharing practices, as demonstrated by the Cambridge Analytica–Facebook story, that platform architectures are designed with a clear view to collect as much data as possible. This is amply demonstrated by the provision of a “friends permission” feature by Facebook on its platform to allow individuals to share information not just about themselves, but also about their friends. For the principle of informed consent to be meaningfully implemented, it is necessary for users to have access to information about intended data practices, purposes and usage, so they consciously share data about themselves.

In reality, however, privacy policies are more likely to serve as liability disclaimers for companies than any kind of guarantee of privacy for consumers. A case in point is Mark Zuckerberg’s facile claim that there was no “data-breach" in the Cambridge Analytica–Facebook incident. Instead of asking each of the 87 million users whether they wanted their data to be collected and shared further, Facebook designed a platform that required consent in any form only from 270,000 users. Not only were users denied the opportunity to give consent, their consent was assumed through a feature which was on by default. This is representative of how privacy trade-offs are conceived by current data-driven business models. Participation in a digital ecosystem is by itself deemed as users’ consent to relinquish control over how their data is collected, who may have access to it, and what purposes it may be used for.

Yet, Zuckerberg would have us believe that the primary privacy issue of concern is not about how his platform enabled the collection of users’ data without their explicit consent, but in the subsequent unauthorised sharing of the data by Kogan. Zuckerberg’s insistence that collection of data of people without their consent is not a data breach is reminiscent of the UIDAI’s recent claims in India that publication of Aadhaar numbers and related information by several government websites is not a data breach, so long as its central biometric database in secure (Sharma 2018). In such cases also, the intended architecture ensured the seeding of other databases with Aadhaar numbers, thus creating multiple potential points of failure through disclosure. Similarly, the design flaws in direct benefit transfers enabled Airtel to create payments bank accounts with the customers’ knowledge (Hindu Business Line 2017). Such claims clearly suggest the very limited responsibility data controllers (both public and private) are willing to take for personal data that they collect, while wilfully facilitating and encouraging data practices which may lead to greater risk to data.

On this note, it is also relevant to point out that the Srikrishna committee white paper begins with identifying informational privacy and data innovation as its two key objectives. It states that “a firm legal framework for data protection is the foundation on which data-driven innovation and entrepreneurship can flourish in India.”

Conversations around privacy and data have become inevitably linked to the idea of technological innovation as a competing interest. Before engaging in such conversations, it is important to acknowledge that the value of innovation as a competing interest itself is questionable. It is not a competing right, nor a legitimate public interest endeavour, nor a proven social good.

The idea that in policymaking, technological innovations may compete with privacy of individuals assumes that there is social and/or economic good in allowing unrestricted access to data. The social argument is premised on the promises of mathematical models and computational capacity being capable of identifying key insights from data. In turn, these insights may be useful in public and private decision-making. However, it must be remembered that data is potentially a toxic asset, if it is not collected, processed, secured and shared in the appropriate way. Sufficient research suggests that indiscriminate data collection is greatly increasing the ratio of noise to signal, and can lead to erroneous insights. Further, the greater the amount of data you collect, the greater is the attack surface that leads to cybersecurity risks. Further, incidents such as Facebook–Cambridge Analytica demonstrate that toxicity of data in various ways and underscores the need for data regulation at every stage of the data lifecycle (Scheiner 2016). These are important tempering factors that need to be kept in mind while evaluating data innovation as a key mover of policy or regulation.

Privacy as Social Good

As long as privacy is framed as arising primarily from individual control, data controllers will continue to engage in practices that compromise the ability to exercise choice. There is a need to view privacy as a social good, and policymaking should ensure its preservation and enhancement. Contractual protections and legal sanctions can themselves do little if platform architectures are designed to do the exact opposite.

More importantly, policymaking needs to recognise privacy not merely as an individual right, available for individuals to forego when engaging with data-driven business models, but also as a social good. The recognition of something as a social good deems it desirable by definition, and a legitimate goal of law and policy, rather than rely completely on market forces for its achievement.

The Puttaswamy judgment (K Puttaswamy v Union of India 2017) lends sufficient weight to privacy’s social value by identifying it as fundamental to any individual development through its dependence on solitude, anonymity, and temporary releases from social duties.

Sociological scholarship demonstrates that different types of social relationships, be it Gesellschaft (interest groups and acquaintances) or Gemeinschaft (friendship, love, and marriage), and the nature of these relationships depend on the ability to conceal certain things (Simmel 1906). Demonstrating this in the context of friendships, it has been stated that such relationships “present a very peculiar synthesis in regard to the question of discretion, of reciprocal revelation and concealment.” Friendships, much like most other social relationships, are very much dependent on our ability to selectively present ourselves to others. Contrast this with Zuckerberg’s stated aim of making the world more “open” where information about people flows freely and effectively without any individual control. Contrast this also with government projects such as the Aadhaar which intends to act as one universal identity which can provide a 360-degree view of citizens.

Other scholars such as Julie Cohen (2012) and Anita Allen (2011) have demonstrated that data that a person produces or has control over concerns both herself and others. Individuals can be exposed not only because of their own actions and choices, but also made vulnerable merely because others have been careless with their data. This point is amply demonstrated in the Facebook–Cambridge Analytica incident. What this means is that protection of privacy requires not just individual action, but in a sense, requires group co-ordination. It is my argument that this group interest of privacy as a social good must be the basis of policymaking and regulation of data in the future, in addition to the idea of privacy as an individual right. In the absence of attention to the social good aspect of privacy, individual consumers are left to their own devices to negotiate their privacy trade-offs with large companies and governments and are significantly compromised.

What this translates into is a regulatory framework and data protection frameworks should not be value-neutral in their conception of privacy as a facet of individual control. The complete reliance of data regulation on the data subject to make an informed choice is, in my opinion, an idea that has run its course. If privacy is viewed as a social good, then the data protection framework, including the laws and the architecture must be designed with a view to protect it, rather than leave it entirely to the market forces.

The Way Forward

Data protection laws need to be re-evaluated, and policymakers must recognise Lawrence Lessig’s dictum that “code is law.” Like laws, architecture and norms can play a fundamental role in regulation. Regulatory intervention for technology need not mean regulation of technology only, but also how technology itself may be leveraged for regulation (Lessig 2006; Reidenberg 1998). It is key that the latter is not left only in the hands of private players.
Zuckerberg, in his testimony (Washington Post 2018) before the United States Senate's Commerce and Judiciary committees, asserted that "AI tools" are central to any strategy for addressing hate speech, fake news, and manipulations that use data ecosystems for targeting.

What is most concerning in his testimony is the complete lack of mention of standards, public scrutiny and peer-review processes, which “AI tools” and regulatory technologies need to be subject to. Further, it cannot be expected that data-driven businesses will view privacy as a social good or be publicly accountable.

As policymakers in India gear up for writing the country’s data protection law, they must acknowledge that their responsibility extends to creating norms and principles that will inform future data-driven platforms and regulatory technologies.

Since issues of privacy and data protection will have to be increasingly addressed at the level of how architectures enable data collection, and more importantly how data is used after collection, policymakers must recognise that being neutral about these practices is no longer enough. They must take normative positions on data collection, processing and sharing practices. These positions cannot be implemented through laws only, but need to be translated into technological solutions and norms. Unless a multipronged approach comprising laws, architecture and norms is adopted, India’s new data protection regime may end up with limited efficacy.

For more details visit https://cis-india.org/internet-governance/blog/epw-amber-sinha-may-18-2018-for-indias-data-protection-regime-to-be-efficient-policymakers-should-treat-privacy-as-a-social-good

Internet Shutdown Stories

Ambika Tandon — 2018-05-17T10:45:20Z

A collection of stories of the impact of internet shutdowns on the lives of Indian citizens.

For more details visit https://cis-india.org/internet-shutdown-stories

AI in Banking and Finance

Saman Goudarzi, Elonnai Hickok and Amber Sinha — 2018-06-19T11:38:06Z

For more details visit https://cis-india.org/internet-governance/files/ai-in-banking-and-finance

Aadhaar Remains an Unending Security Nightmare for a Billion Indians

Admin — 2018-05-13T16:28:40Z

Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.

The article by Karan Saini was published in the Wire on May 11, 2018.

Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.

As India waits for the apex court’s judgement, this is as good time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.

Poor security standards

Let’s start with the lackadaisical attitude towards information security. As has become evident in the past, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.

There are several government websites which implement Aadhaar authentication while at the same time lack in basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the Director General of Foreign Trade, the website for the National Food Security Mission and the Medleapr website.

With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.

It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.

The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.

In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.

What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured API and sensitive portals without proper access controls.

Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.

It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.

A detailed analysis of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.

Threat level infinity

Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.

For instance, demographic information – as is stated in the draft for the Aadhaar Act (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.

However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.

If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected and it would have far-reaching consequences for everyone affected which might be very hard to offset.

On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs have been known to integrate data acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and then linking the same to residents’ corresponding Aadhaar data.

Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.

Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.

Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I discovered that it was possible to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.

This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker, NFSM.gov.in and seems to be standard practice which seems to be enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.

This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced neverthelessby third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.

The bank mapper rabbit hole

As of February 24, 2017, it was possible to retrieve bank linking status information directly from UIDAI’s website without any prior verification.

However, after this information was reported, the ‘uidai.gov.in’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.

A year later – when business technology news site ZDNet published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.

This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.

More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).

This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, which “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.

Who is on the hook?

There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?

Most of the times, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.

Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.

The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.

In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.

Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI sent a legal notice to the organisation, stating that the people involved with the report had to be “brought to justice”.

In January 2018, an investigative story was published by Rachna Khaira of The Tribune newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.

Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.

In March 2018, ZDNet published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence issue and its scope. It was preempted by more than a month of attempted communication through several channels of communication – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).

But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.

Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.

Hide and seek

In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen latest in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.

Following this – the EPFO quickly switched to PR mode and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”

Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports which they’re meant to be arguing (in some cases) contain verifiable evidence which is the result of arduous investigative work.

Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.

In response to a recent story by Asia Times regarding Aadhaar enrolment software being cracked and sold, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.

The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.

Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.

The way forward

In April 2018, the head of the Indian Computer Emergency Response Team (CERT-IN), rather defensively noted that “not a single person had reported any incident” to the organisation.

CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.

In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.

Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.

It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.

I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.

The US Department of Defense (DoD) employs a similar approach where they invite hackers from the world over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution

sinha — 2018-05-07T16:13:31Z

Earlier this week, India’s department of telecommunications (DoT) released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’.

The article originally published in the Wire on May 6, 2018 can be read here. Access the Draft National Digital Communications Policy 2018 here.

The three pillars of the draft policy are ‘Connect India’, ‘Propel India’ and ‘Secure India’, which primarily seek to improve broadband connectivity, accelerate development of next-generation technologies and services and institute measures for data sovereignty, security and safety, respectively.

Several strategies have been devised under each pillar – few carry on from previous national telecom policies, and some are new proposals.

The document is high on aspirations, a lot of which it seeks to fulfil by 2022. It also proposes several favourable institutional and regulatory changes and simplifies obtaining of permissions.

However, it remains quite open-ended in terms of how the details could evolve. For example, while it endeavours to develop a fair, flexible, simple and transparent method for spectrum assignments and allocations, by pricing spectrum at an ‘optimal price’ and linking spectrum usage charges (SUC) to reflect costs of regulation and administration of spectrum, it cannot be said if these measures will fully rejuvenate a debt-ridden telecom sector.

Ideally, the policy should have explicitly mentioned that revenue maximisation is not a goal for the government anymore, to reassure the industry that licence fees and SUC will not be astronomically priced – especially as it is in no mood to change the model of spectrum allocation from auction to revenue sharing (circa NTP-99). A clear commitment would have helped inspire more confidence in this strained sector. Regardless, these changes will also need approval from the finance ministry, where stiff resistance is expected.

Expanding both wireless and wired broadband is a clear priority of the government. It sets out four initiatives, encouraging public-private partnerships to serve both rural and urban centres (BharatNet, GramNet, NagarNet, JanWiFi), and several additional measures to accelerate laying of optical fibre, mobile towers and increase sharing of infrastructure.

Although the previous telecom policies (NTP-99, NTP-2012 and recommendations in ‘Fixing Broadband Quickly’ (TRAI, 2015)) determined the similar gaps and objectives, little has translated into concrete results so far. In 2017, ITU and UNESCO reported that India was the largest unconnected market, with 49.5% (approx. 660 million) of our population still unconnected. The report further noted that the penetration of mobile broadband was much higher than fixed-line broadband connections – and urban centres were better served than rural areas. One hopes that the new strategies and objectives will be better realised this time around.

The policy also seeks to boost domestic innovation in the field of standards in communications technologies. This is reflected in its aims to strengthen domestic IP portfolios by providing financial incentives for the development of standard-essential patents (SEPs) and promote them at standard setting organisations. It mandates access to critical, mostly foreign-owned SEPs on a fair, reasonable and non-discriminatory basis (FRAND basis). This is an approach to patent licensing that has been endorsed by courts and the Competition Commission of India in the context of mobile phone technologies, as well as in other jurisdictions.

However, it remains to be seen how this mandate will be implemented in TRAI’s forthcoming recommendations on promoting telecom equipment manufacturing in India. This is a real opportunity for the telecom regulator to help the low-cost smartphone manufacturing industry in India to overcome their disadvantage in terms of having to pay exorbitant royalties to foreign-SEP holders and getting sued for infringement in the process. Another strategy that should have found place was the creation of government-controlled patent pools for SEPs, which could have solved the issue of uncertainty for local manufacturers and ensured payments to SEP holders to a great extent.

Additionally, the policy proposes a few consumer-oriented changes such as establishing a ‘Telecom Ombudsman’ and a centralised web-based complaint redressal system. In the third pillar of ‘Secure India’, although the document does not reveal the DoT’s approach to net-neutrality nor data protection and privacy, it does say that the government will be amenable to changing the terms of license to fulfill their core principles.

Curiously, in order to ‘facilitate security and safety of citizens’ it proposes to set up ‘lawful interception agencies with state of the art lawful intercept and analysis systems for implementation of law and order and national security’. This measure did not exist in TRAI’s version of the draft policy.

On next-generation tech in the field of IoT and cloud, it retained TRAI’s suggestion of setting up ‘light-touch’ licensing frameworks. This may prove to be a barrier to innovation in the field.

While the policy is broad and forward-looking, the true intent and meaning of the listed steps will only be understood when complementary legislative and granular policy actions to support these strategies are crystallised. That will make all the difference.

For more details visit https://cis-india.org/telecom/blog/the-wire-anubha-sinha-may-6-2018-india-draft-telecom-policy

Digital India' in Dire Need of Safety Policy Reboot - Cybersecurity Experts

Admin — 2018-05-05T12:00:43Z

Some experts say the need of the hour is for India to update its cybersecurity policy to respond to growing threats in cyberspace. Information warfare specialists hint at the local storage of digital information as the key to the cybersecurity of the country.

The blog post was published by Sputnik on April 17, 2018. Sunil Abraham was quoted.

The afternoon of the first Friday of April was a telling statement on India's biggest nightmare — a digital meltdown. It was so glaring that the National Media Centre in the capital Delhi was abuzz with media persons seeking to ascertain the news of around 10 government websites, including those of the Ministry of Defense and the Ministry of Home Affairs, was hacked and the government seemed clueless. No government official was ready to speak, prompting the day's headlines to thrive on speculations with television channels running news flashes attributing the mischief to a "Chinese" hacker.

The Defense Ministry website was showing Mandarin characters in an error message which further gave strength to the conspiracy theory. In panic, the Ministry of Home Affairs shut down its portal, creating further speculations.

In the absence of an official statement, the press based their news reports on a tweet by Defense Minister Nirmala Sitaraman which confirmed the alleged hack. A sense of a massive cyberattack engulfed the air.

The general sense was that it was a digital offensive targeted against India and perpetrated by none other than its neighbor China. There was a sudden outrage among social media users who accused the government of failing to protect the nation's digital assets and letting India be vulnerable to cyber threats.

After Ministry of Defence, suspected Chinese hackers hack Ministry of Home Affairs’ website too. Welcome to Modi’s Digital India Jumla. #IndiaDoesNotTrustBJP #IndiaHatesBJP

However, late in the evening, National cybersecurity head Gulshan Rai conveyed that all 10 websites hosted by the National Informatics Centre (NIC) went down due to "a hardware failure" while declining to comment on the possibility of a cyberattack by any neighboring country.

"There is no hacking or coordinated cyberattack on the website of central ministries. There was a hardware failure in the storage network system at the NIC which resulted in a number of government websites being serviced by that system going down. We are working to replace the hardware and these websites will be up soon," Rai said in a statement putting to rest all speculations.

The National cybersecurity head, who directly works under thExperts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.e supervision of Indian Prime Minister Narendra Modi, also confirmed that a total of ten websites, including that of the Central Bureau of Investigation, the Central Vigilance Commission, the e-gazette of India, and the websites of the Ministries of Law, Civil Aviation, Defense, Home Affairs, Labor, Water Resources and Science & Technology suffered due to the hardware failure.

Nevertheless, experts say that India needs a robust framework not only to protect the cyber assets, but also quickly assess threats in view of the experience.

"Technical glitches happen, especially when you have so many hardware and software products connected online. The immediate reaction of the hack (on Friday, 6th April 2018) was in haste and caused all the confusion but no such hack took place. We need to have a more robust framework for response, reporting, and reaction," cyber expert Rakshit Tandon told Sputnik.

The brief period of inaccessibility of the government websites and the ensuing panic was symptomatic of a situation which India is facing. Even if it was not a hack, the hardware failure is worrying for the billion plus nation, say experts.

The cyber emergency in India was not the first. Last year, the Home Ministry websites had to be temporarily shut down following a cyberattack. This was in close heels to a hack of the website of the elite Indian special force National Security Guard (NSG) by a suspected Pakistan based group. In 2016, data from Indian missions in Africa and Europe were hacked and posted online by unknown hackers.

The Indian Computer Emergency Response Team (CERT-In), the premier cyber security agency of India had stated in a reply in Parliament that until June 2017 India had more than 27,000 cyberattacks of all levels and cost the economy around $4 billion.

The Hindustan Times in a report predicts that with India embarking on an ambitious digitalization mode, the total losses from cybersecurity threats for the country could touch $20 billion over the next ten years.

Experts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.

"We have a national cybersecurity policy but we don't have a clear commitment from the government when it comes to financial allocations. The government must fund small and medium-sized enterprises to produce innovative cybersecurity products and services. Separately, the government must fund research by corporations, civil society organizations, educational organizations, and individuals which should be published in peer-reviewed open access journals and also presented at national and international cybersecurity academic conference," Sunil Abraham, executive director, Centre for Internet and Society told Sputnik.

"India has the best minds when it comes to hacking. In fact, a majority of the top hackers in the world are Indians but they are not part of India's security apparatus and not in the country's service," Rizwan Shaikh, ethical hacker and one of the youngest information security consultants in South Asia told Sputnik.

Rizwan was in the news recently when he drew the attention of the government about the severe lacuna in the Indian Railway system which is called the backbone of Indian economy employing around 1.3 million people and running 13,000 passenger trains daily.

The ethical hackers cannot sustain in the government ecosystem, they need patronage and incentives in terms of recognition, but the government of India lacks any such program. There was a program launched recently by the Ministry of Information Technology but it has failed to attract good minds due to its lack-luster management. In India, even if I find a loophole, there is no reporting system to intimate and no proper heads to initiate action, Rizwan added.

The Indian government has multiple stakeholders to monitor and report on digital emergency situations. The plethora of agencies begin with the nodal agency of the Ministry of Electronics and Information Technology, there is a hub called the National Critical Infrastructure Information Protection Center, then there is the interior security ministry of Home Affairs which is the oversight authority over all investigative agencies in the country and there is a new institution by the name national Cyber Coordination Centre created recently.

Rakshit Tandon says that "a sudden spurt in online transactions especially after demonization (in October 2016), coming of 4G mobile networks, cheaper smartphones, and the prestigious vision of 'Digital India' have made the country and its population more prone to cyber threats."

Moreover, with the controversy of the British political consulting firm Cambridge Analytica allegedly using personal details of Indian social media users has created a sense of insecurity among the online population of the country.

In view of the threat to personal and national digital security, Sunil Abraham calls for an approach to a complete upheaval the country's cyber laws to combat the threat. He says simply user behavior change is not sufficient for keeping Indians safe from digital harm.

"First, India needs a comprehensive omnibus data protection law, in the lines of the GDPR which exists for the EU. Second, India needs amendments to our existing competition law. Once the law has been updated to give the regulator powers to go after Internet monopolies —we need a comprehensive investigation of the anti-competitive activities, especially in the digital advertising sector. Change in user behavior is not sufficient to mitigate harms resulting from Internet monopolies. These harms can only be addressed via appropriate, comprehensive and proactive action by lawmakers and regulators," Sunil Abraham said.

Information warfare specialists hint at the local storage of digital information as the key to cybersecurity of the country.

"A nation the size of India can never be a comfortable partner for other great powers who will always be uneasy of the latent power of this sleeping giant. Consequently unlike Japan, South Korea or Singapore, we cannot rely on a security umbrella from another great power to reach our full economic potential," Pavithran Rajan, information warfare specialist based out of Bangalore, told Sputnik.

Pavithran Rajan is a former Indian Army officer-turned writer and trainer on cyber issues.

The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. The solution lies in localizing the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market, he added.

Rajan feels that data protection for India is vital as it is on the cusp of a major technological advancement and has opined that the country needs to put in place legal stipulations on data transfers.

"The advent of the IoT (Internet of Things technology) would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on the transfer of data to controllers who have no presence in India," Pavithran Rajan told Sputnik.

The earliest technology-based law in India was the Indian Telegraph Act of 1885 which is still operational and encompasses the telephone services as well. With the advent of the digital age, India brought in the Information Technology Act in the year 2000 and lastly, a National Cybersecurity Policy was drafted and presented for action 2013, but its actual implementation has not yet taken place. With the fast changing digital ecosystem, India, the largest democracy in the world, struggles to keep pace with the threats it faces and the dangers seem imminent.

For more details visit https://cis-india.org/internet-governance/news/sputnik-april-17-2018-digital-india-in-dire-need-of-safety-policy-reboot-cybersecurity-experts