Centre for Internet and Society

AI in Banking and Finance

Saman Goudarzi, Elonnai Hickok and Amber Sinha — 2018-06-19T11:38:06Z

For more details visit https://cis-india.org/internet-governance/files/ai-in-banking-and-finance

Aadhaar Remains an Unending Security Nightmare for a Billion Indians

Admin — 2018-05-13T16:28:40Z

Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.

The article by Karan Saini was published in the Wire on May 11, 2018.

Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.

As India waits for the apex court’s judgement, this is as good time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.

Poor security standards

Let’s start with the lackadaisical attitude towards information security. As has become evident in the past, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.

There are several government websites which implement Aadhaar authentication while at the same time lack in basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the Director General of Foreign Trade, the website for the National Food Security Mission and the Medleapr website.

With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.

It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.

The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.

In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.

What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured API and sensitive portals without proper access controls.

Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.

It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.

A detailed analysis of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.

Threat level infinity

Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.

For instance, demographic information – as is stated in the draft for the Aadhaar Act (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.

However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.

If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected and it would have far-reaching consequences for everyone affected which might be very hard to offset.

On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs have been known to integrate data acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and then linking the same to residents’ corresponding Aadhaar data.

Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.

Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.

Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I discovered that it was possible to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.

This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker, NFSM.gov.in and seems to be standard practice which seems to be enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.

This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced neverthelessby third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.

The bank mapper rabbit hole

As of February 24, 2017, it was possible to retrieve bank linking status information directly from UIDAI’s website without any prior verification.

However, after this information was reported, the ‘uidai.gov.in’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.

A year later – when business technology news site ZDNet published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.

This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.

More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).

This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, which “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.

Who is on the hook?

There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?

Most of the times, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.

Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.

The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.

In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.

Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI sent a legal notice to the organisation, stating that the people involved with the report had to be “brought to justice”.

In January 2018, an investigative story was published by Rachna Khaira of The Tribune newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.

Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.

In March 2018, ZDNet published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence issue and its scope. It was preempted by more than a month of attempted communication through several channels of communication – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).

But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.

Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.

Hide and seek

In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen latest in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.

Following this – the EPFO quickly switched to PR mode and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”

Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports which they’re meant to be arguing (in some cases) contain verifiable evidence which is the result of arduous investigative work.

Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.

In response to a recent story by Asia Times regarding Aadhaar enrolment software being cracked and sold, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.

The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.

Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.

The way forward

In April 2018, the head of the Indian Computer Emergency Response Team (CERT-IN), rather defensively noted that “not a single person had reported any incident” to the organisation.

CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.

In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.

Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.

It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.

I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.

The US Department of Defense (DoD) employs a similar approach where they invite hackers from the world over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

India's Draft Telecom Policy Needs to Bridge the Gap Between Intent and Execution

sinha — 2018-05-07T16:13:31Z

Earlier this week, India’s department of telecommunications (DoT) released a draft new telecom policy, titled ‘Draft National Digital Communications Policy 2018’.

The article originally published in the Wire on May 6, 2018 can be read here. Access the Draft National Digital Communications Policy 2018 here.

The three pillars of the draft policy are ‘Connect India’, ‘Propel India’ and ‘Secure India’, which primarily seek to improve broadband connectivity, accelerate development of next-generation technologies and services and institute measures for data sovereignty, security and safety, respectively.

Several strategies have been devised under each pillar – few carry on from previous national telecom policies, and some are new proposals.

The document is high on aspirations, a lot of which it seeks to fulfil by 2022. It also proposes several favourable institutional and regulatory changes and simplifies obtaining of permissions.

However, it remains quite open-ended in terms of how the details could evolve. For example, while it endeavours to develop a fair, flexible, simple and transparent method for spectrum assignments and allocations, by pricing spectrum at an ‘optimal price’ and linking spectrum usage charges (SUC) to reflect costs of regulation and administration of spectrum, it cannot be said if these measures will fully rejuvenate a debt-ridden telecom sector.

Ideally, the policy should have explicitly mentioned that revenue maximisation is not a goal for the government anymore, to reassure the industry that licence fees and SUC will not be astronomically priced – especially as it is in no mood to change the model of spectrum allocation from auction to revenue sharing (circa NTP-99). A clear commitment would have helped inspire more confidence in this strained sector. Regardless, these changes will also need approval from the finance ministry, where stiff resistance is expected.

Expanding both wireless and wired broadband is a clear priority of the government. It sets out four initiatives, encouraging public-private partnerships to serve both rural and urban centres (BharatNet, GramNet, NagarNet, JanWiFi), and several additional measures to accelerate laying of optical fibre, mobile towers and increase sharing of infrastructure.

Although the previous telecom policies (NTP-99, NTP-2012 and recommendations in ‘Fixing Broadband Quickly’ (TRAI, 2015)) determined the similar gaps and objectives, little has translated into concrete results so far. In 2017, ITU and UNESCO reported that India was the largest unconnected market, with 49.5% (approx. 660 million) of our population still unconnected. The report further noted that the penetration of mobile broadband was much higher than fixed-line broadband connections – and urban centres were better served than rural areas. One hopes that the new strategies and objectives will be better realised this time around.

The policy also seeks to boost domestic innovation in the field of standards in communications technologies. This is reflected in its aims to strengthen domestic IP portfolios by providing financial incentives for the development of standard-essential patents (SEPs) and promote them at standard setting organisations. It mandates access to critical, mostly foreign-owned SEPs on a fair, reasonable and non-discriminatory basis (FRAND basis). This is an approach to patent licensing that has been endorsed by courts and the Competition Commission of India in the context of mobile phone technologies, as well as in other jurisdictions.

However, it remains to be seen how this mandate will be implemented in TRAI’s forthcoming recommendations on promoting telecom equipment manufacturing in India. This is a real opportunity for the telecom regulator to help the low-cost smartphone manufacturing industry in India to overcome their disadvantage in terms of having to pay exorbitant royalties to foreign-SEP holders and getting sued for infringement in the process. Another strategy that should have found place was the creation of government-controlled patent pools for SEPs, which could have solved the issue of uncertainty for local manufacturers and ensured payments to SEP holders to a great extent.

Additionally, the policy proposes a few consumer-oriented changes such as establishing a ‘Telecom Ombudsman’ and a centralised web-based complaint redressal system. In the third pillar of ‘Secure India’, although the document does not reveal the DoT’s approach to net-neutrality nor data protection and privacy, it does say that the government will be amenable to changing the terms of license to fulfill their core principles.

Curiously, in order to ‘facilitate security and safety of citizens’ it proposes to set up ‘lawful interception agencies with state of the art lawful intercept and analysis systems for implementation of law and order and national security’. This measure did not exist in TRAI’s version of the draft policy.

On next-generation tech in the field of IoT and cloud, it retained TRAI’s suggestion of setting up ‘light-touch’ licensing frameworks. This may prove to be a barrier to innovation in the field.

While the policy is broad and forward-looking, the true intent and meaning of the listed steps will only be understood when complementary legislative and granular policy actions to support these strategies are crystallised. That will make all the difference.

For more details visit https://cis-india.org/telecom/blog/the-wire-anubha-sinha-may-6-2018-india-draft-telecom-policy

Digital India' in Dire Need of Safety Policy Reboot - Cybersecurity Experts

Admin — 2018-05-05T12:00:43Z

Some experts say the need of the hour is for India to update its cybersecurity policy to respond to growing threats in cyberspace. Information warfare specialists hint at the local storage of digital information as the key to the cybersecurity of the country.

The blog post was published by Sputnik on April 17, 2018. Sunil Abraham was quoted.

The afternoon of the first Friday of April was a telling statement on India's biggest nightmare — a digital meltdown. It was so glaring that the National Media Centre in the capital Delhi was abuzz with media persons seeking to ascertain the news of around 10 government websites, including those of the Ministry of Defense and the Ministry of Home Affairs, was hacked and the government seemed clueless. No government official was ready to speak, prompting the day's headlines to thrive on speculations with television channels running news flashes attributing the mischief to a "Chinese" hacker.

The Defense Ministry website was showing Mandarin characters in an error message which further gave strength to the conspiracy theory. In panic, the Ministry of Home Affairs shut down its portal, creating further speculations.

In the absence of an official statement, the press based their news reports on a tweet by Defense Minister Nirmala Sitaraman which confirmed the alleged hack. A sense of a massive cyberattack engulfed the air.

The general sense was that it was a digital offensive targeted against India and perpetrated by none other than its neighbor China. There was a sudden outrage among social media users who accused the government of failing to protect the nation's digital assets and letting India be vulnerable to cyber threats.

After Ministry of Defence, suspected Chinese hackers hack Ministry of Home Affairs’ website too. Welcome to Modi’s Digital India Jumla. #IndiaDoesNotTrustBJP #IndiaHatesBJP

However, late in the evening, National cybersecurity head Gulshan Rai conveyed that all 10 websites hosted by the National Informatics Centre (NIC) went down due to "a hardware failure" while declining to comment on the possibility of a cyberattack by any neighboring country.

"There is no hacking or coordinated cyberattack on the website of central ministries. There was a hardware failure in the storage network system at the NIC which resulted in a number of government websites being serviced by that system going down. We are working to replace the hardware and these websites will be up soon," Rai said in a statement putting to rest all speculations.

The National cybersecurity head, who directly works under thExperts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.e supervision of Indian Prime Minister Narendra Modi, also confirmed that a total of ten websites, including that of the Central Bureau of Investigation, the Central Vigilance Commission, the e-gazette of India, and the websites of the Ministries of Law, Civil Aviation, Defense, Home Affairs, Labor, Water Resources and Science & Technology suffered due to the hardware failure.

Nevertheless, experts say that India needs a robust framework not only to protect the cyber assets, but also quickly assess threats in view of the experience.

"Technical glitches happen, especially when you have so many hardware and software products connected online. The immediate reaction of the hack (on Friday, 6th April 2018) was in haste and caused all the confusion but no such hack took place. We need to have a more robust framework for response, reporting, and reaction," cyber expert Rakshit Tandon told Sputnik.

The brief period of inaccessibility of the government websites and the ensuing panic was symptomatic of a situation which India is facing. Even if it was not a hack, the hardware failure is worrying for the billion plus nation, say experts.

The cyber emergency in India was not the first. Last year, the Home Ministry websites had to be temporarily shut down following a cyberattack. This was in close heels to a hack of the website of the elite Indian special force National Security Guard (NSG) by a suspected Pakistan based group. In 2016, data from Indian missions in Africa and Europe were hacked and posted online by unknown hackers.

The Indian Computer Emergency Response Team (CERT-In), the premier cyber security agency of India had stated in a reply in Parliament that until June 2017 India had more than 27,000 cyberattacks of all levels and cost the economy around $4 billion.

The Hindustan Times in a report predicts that with India embarking on an ambitious digitalization mode, the total losses from cybersecurity threats for the country could touch $20 billion over the next ten years.

Experts also blame the lack of a clear commitment on the part of the government as a reason for loopholes in India's cybersecurity net, calling for greater participation of the individual and private institutions in the country's digital preparedness.

"We have a national cybersecurity policy but we don't have a clear commitment from the government when it comes to financial allocations. The government must fund small and medium-sized enterprises to produce innovative cybersecurity products and services. Separately, the government must fund research by corporations, civil society organizations, educational organizations, and individuals which should be published in peer-reviewed open access journals and also presented at national and international cybersecurity academic conference," Sunil Abraham, executive director, Centre for Internet and Society told Sputnik.

"India has the best minds when it comes to hacking. In fact, a majority of the top hackers in the world are Indians but they are not part of India's security apparatus and not in the country's service," Rizwan Shaikh, ethical hacker and one of the youngest information security consultants in South Asia told Sputnik.

Rizwan was in the news recently when he drew the attention of the government about the severe lacuna in the Indian Railway system which is called the backbone of Indian economy employing around 1.3 million people and running 13,000 passenger trains daily.

The ethical hackers cannot sustain in the government ecosystem, they need patronage and incentives in terms of recognition, but the government of India lacks any such program. There was a program launched recently by the Ministry of Information Technology but it has failed to attract good minds due to its lack-luster management. In India, even if I find a loophole, there is no reporting system to intimate and no proper heads to initiate action, Rizwan added.

The Indian government has multiple stakeholders to monitor and report on digital emergency situations. The plethora of agencies begin with the nodal agency of the Ministry of Electronics and Information Technology, there is a hub called the National Critical Infrastructure Information Protection Center, then there is the interior security ministry of Home Affairs which is the oversight authority over all investigative agencies in the country and there is a new institution by the name national Cyber Coordination Centre created recently.

Rakshit Tandon says that "a sudden spurt in online transactions especially after demonization (in October 2016), coming of 4G mobile networks, cheaper smartphones, and the prestigious vision of 'Digital India' have made the country and its population more prone to cyber threats."

Moreover, with the controversy of the British political consulting firm Cambridge Analytica allegedly using personal details of Indian social media users has created a sense of insecurity among the online population of the country.

In view of the threat to personal and national digital security, Sunil Abraham calls for an approach to a complete upheaval the country's cyber laws to combat the threat. He says simply user behavior change is not sufficient for keeping Indians safe from digital harm.

"First, India needs a comprehensive omnibus data protection law, in the lines of the GDPR which exists for the EU. Second, India needs amendments to our existing competition law. Once the law has been updated to give the regulator powers to go after Internet monopolies —we need a comprehensive investigation of the anti-competitive activities, especially in the digital advertising sector. Change in user behavior is not sufficient to mitigate harms resulting from Internet monopolies. These harms can only be addressed via appropriate, comprehensive and proactive action by lawmakers and regulators," Sunil Abraham said.

Information warfare specialists hint at the local storage of digital information as the key to cybersecurity of the country.

"A nation the size of India can never be a comfortable partner for other great powers who will always be uneasy of the latent power of this sleeping giant. Consequently unlike Japan, South Korea or Singapore, we cannot rely on a security umbrella from another great power to reach our full economic potential," Pavithran Rajan, information warfare specialist based out of Bangalore, told Sputnik.

Pavithran Rajan is a former Indian Army officer-turned writer and trainer on cyber issues.

The need for a data protection law was triggered by the debate on individual privacy. However, the importance of this data for national security must not be overlooked. The solution lies in localizing the sensitive data of Indian citizens within the boundaries of India. While currently the infrastructure for this may not exist, it would come up if the data controllers wish to continue to take advantage of the size of the Indian market, he added.

Rajan feels that data protection for India is vital as it is on the cusp of a major technological advancement and has opined that the country needs to put in place legal stipulations on data transfers.

"The advent of the IoT (Internet of Things technology) would exponentially increase the volume of data being generated. Any new infrastructure being created for IoT should also make arrangement for data to be stored in India. We understand that cross-border flows of data cannot be completely stopped. However, no sensitive personal data should be permitted to go outside the country. There should be legal restrictions on the transfer of data to controllers who have no presence in India," Pavithran Rajan told Sputnik.

The earliest technology-based law in India was the Indian Telegraph Act of 1885 which is still operational and encompasses the telephone services as well. With the advent of the digital age, India brought in the Information Technology Act in the year 2000 and lastly, a National Cybersecurity Policy was drafted and presented for action 2013, but its actual implementation has not yet taken place. With the fast changing digital ecosystem, India, the largest democracy in the world, struggles to keep pace with the threats it faces and the dangers seem imminent.

For more details visit https://cis-india.org/internet-governance/news/sputnik-april-17-2018-digital-india-in-dire-need-of-safety-policy-reboot-cybersecurity-experts

Comments on Draft Digital Information Security in Healthcare Act

Amber Sinha and Shweta Mohandas — 2018-05-01T01:54:48Z

For more details visit https://cis-india.org/internet-governance/files/comments-on-draft-digital-information-security-in-healthcare-act

April 2018 Newsletter

praskrishna — 2018-05-20T14:57:47Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018. CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views. A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability. A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India. CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Highlights

In 2016, WhatsApp Inc announced it was rolling out end-to-end encryption, but is the company doing what it claims to be doing? Sunil Abraham and Aayush Rathi explores this in an article which was published in Asia Times on April 20, 2018.
CIS submitted comments to the Ministry of Health & Family Welfare, Government of India on the draft Digital Information Security in Healthcare Act on April 21, 2018. CIS had conducted research on the issues of privacy, data protection and data security since 2010 and is thankful for the opportunity to put forth its views.

A blog post by Swaraj Paul Barooah examines two badly drafted provisions of the new Anti-Trafficking bill that have the potential to severely impinge upon the Freedom of Expression, including through a misunderstanding of intermediary liability.

A chapter by P.P. Sneha was published in 'Making Things and Drawing Boundaries: Experiments in the Digital Humanities' edited by Jentery Sayers. The chapter throws light on some of the questions that arise around the processes by which digital objects are ‘made’ and made available for arts and humanities research and practice, by drawing on recent work in text and film archival initiatives in India.
CIS made a submission to the Indian Patent Office on the issue of Statement of Working as per Form 27 under the Patents Act, 1970. Select stakeholders were invited to the consultation meeting held on April 6, 2018. Anubha Sinha attended it along with a few other public-spirited stakeholders. She made a statement stressing on the requirement of the patent system to serve the welfare-purpose and not create mere non-working/ blocking monopolies; and that the argument of representatives of patentees about non-working of patents being the existing norm, and that they cannot be questioned about this, is absolutely against the central tenets of patent law.

Articles:

Digital Native: Delete Facebook? (Nishant Shah; Indian Express; April 8, 2018).

Digital Native: The e-wasteland of our times (Nishant Shah; Indian Express; April 22, 2018).
What’s up with WhatsApp? (Aayush Rathi and Sunil Abraham; Asia Times; April 23, 2018).

CIS in the News:

Cambridge Analytica row: Facebook data breach hit 560K Indian users (Vidhi Choudhury and Yashwant Raj; Hindustan Times; April 5, 2018).
Govt websites face major outage; hacking ruled out (Hindu Businessline; April 6, 2018).
After data leak row, Facebook imposes restrictions on user data access (Romita Majumdar and Kiran Rathee; Business Standard; April 6, 2018).
It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How (CNN-News 18; April 7, 2018).
It feeds on you! (Anita Babu; The Week; April 8, 2018).
Pension won’t be denied for want of Aadhaar, says EPFO (Prashant K. Nanda and Komal Gupta; Livemint; April 11, 2018).
Facebook’s fake news clean-up hits language barrier (Nilesh Christopher; Economic Times; April 13, 2018).
Is This The Beginning Of The End For Facebook? (Bloomberg Quint; April 15, 2018).
Metrolife: Brutality porn has sadly many takers in India (Nina C. George; Deccan Herald; April 18, 2018).
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online (New Indian Express; April 27, 2018).
You Are Not the Only One: India stares at a loneliness epidemic (Asad Ali and Tabassum Barnagarwala; Indian Express; April 29, 2018).
Now, Twitter too caught up in Cambridge Analytica controversy (Prasun Sonwalkar and Vidhi Choudhury; Hindustan Times; April 30, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright and Patent

Submission

CIS' Submission on Statement of Working of Patents (Anubha Sinha; April 10, 2018).

►Wikipedia

Event Organized

Sambad Health and Women Edit-a-thon (April 15, 2018).

Blog Entries

Telugu Wikisource Feature Book in Pustakam.net (Pavan Santhosh; April 17, 2018).
Institutional Partnership with Tribal Research & Training Institute (Subodh Kulkarni; April 18, 2018).
Exploring Wikimedia platforms in Dialogue on the Urban Rivers of Maharashtra (Subodh Kulkarni; April 22, 2018).

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Submission

Comments on the Draft Digital Information Security in Healthcare Act (Amber Sinha and Shweta Mohandas; April 22, 2018).

Analysis

Revenge Porn Laws across the World (Shradha Nigam; April 25, 2018).

Blog Entries

Government gives free publicity worth 40k to Twitter and Facebook (Akriti Bopanna; April 10, 2018).

Artificial Intelligence in Governance: A Report of the Roundtable held in New Delhi (Saman Goudarzi and Natallia Khaniejo; April 19, 2018).

►Free Speech and Expression

Blog Entries

A look at two problematic provisions of the draft Anti-trafficking bill (Swaraj Paul Barooah; April 21, 2018).

DIDP Request #29 - Revenue breakdown by source for FY 2017 (Akriti Bopanna; April 26, 2018).

►Cyber Security

Event Organized

Workshop on Python (April 14, 2018; CIS, Bengaluru).

-----------------------------------
Researchers at Work
-----------------------------------

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

Making Humanities in the Digital: Embodiment and Framing in Bichitra and Indiancine.ma (P.P. Sneha; Making Things and Drawing Boundaries: Experiments in the Digital Humanities (2017), edited by Jentery Sayers, University of Minnesota Press, Minneapolis, London April 1, 2018).

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/april-2018-newsletter

Digital Native: The e-wasteland of our times

nishant — 2018-05-06T03:21:49Z

How digitising isn’t necessarily a fast-track to a sustainable future.

The article was published in the Indian Express on April 22, 2018.

Digitise Everything” is the mantra of the day. Offices take pride in being paperless, hot-desking because our laptops and mobile computing devices have, more or less, become our workspaces. Governments are investing heavily in digitising archives, putting faith in the notion that digital preservation is the way forward for the future. Magazines and newspapers have had no alternative but to move into the digital realm to keep up with the new information ecosystems. Various campaigns make us believe that to be smart we need to be digital, and that it is more sustainable to have digital real estate which enables ease of access and reduced travel time and energy in engaging with different information systems.

The digital infrastructure is often presented as green, sustainable and efficient. These claims might have had some merit in the early days when computing was still exclusive and open only to a select few. The classic example that would be given within the research circles in the late ’90s would be, that in order to do historical archival research from India, a researcher would have to travel all the way to the archives of the British Library in England. The costs of travel, the energy required for the overseas journey, the finances of access that would be required to complete such research were characteristic of the pre-digital era. Now, a historian looking at the same archives through a simple broadband connection, can access this information at a fraction of the cost, speed and time.

However, it is difficult to take at face value the fact that this efficiency is sustainable in any form. As we go increasingly digital in almost all our devices, there are three massive environmental costs which are often made invisible. The first is in the sheer amount of electricity that our digital ecosystems consume. We all know the frustration that arises out of batteries dying and phones not carrying enough charge is, indeed, a harrowing experience. But at the back-end of it is an enormous power surge. The large network of service providers, surveys, information storage and distribution consumes an extraordinary amount of energy which is, generally, still dependent on fossil fuels. It is estimated that one hour of cellphone usage with data connection uses the same amount of energy that a family house uses in an entire day. Because while your device might be energy compliant and very low in emissions, the large array of the Internet of Things that needs to be in place to support your device, is an invisible energy cost that takes its tolls on the environment.

Even more than active usage, it is the storing of everything on the cloud that is, perhaps, more problematic. As we stream everything on Netflix, Spotify and YouTube, we have to realise that all this information is being stored in huge data centres powered by massive electricity sources to keep it all alive. The energy cost of our digital histories is almost impossible to compute in environmental measures.

The third big problem that we often don’t recognise is our obsession with updating our devices. We throw and exchange our electronic devices at the blink of a trend. Mostly, older phones and laptops are not recycled but broken down into e-waste. Huge landfills are now the graveyards of old electronics which have components that cannot be recycled, and have elements that are no longer useful. Most of these electronic devices are made with metals and precious components that are mined at huge environmental costs.

I was recently at a conference where we were given books as mementos. One of the delegates jokingly exclaimed, “Why am I being given a dead-tree object?” referring to the pages of the book and the trees that must have been felled to make the book. It was telling that he didn’t realise that his ebook, loaded on his tablet, probably killed more trees than that one physical book, which will lend itself to recycling more easily than his tablet would.

For more details visit https://cis-india.org/raw/digital-native-the-e-wasteland-of-our-times

Data Protection Submission

amber — 2018-04-18T16:37:05Z

For more details visit https://cis-india.org/internet-governance/files/data-protection-submission

Institutional Partnership with Tribal Research & Training Institute

subodh — 2018-05-07T16:29:02Z

CIS-A2K has been building partnerships with major state government departments in Maharashtra to promote free & open knowledge resources. One such effort resulted into official Govt.Resolution of Tribal Research & Training Institute under State Tribal Development department on Expert's Study Group Formation for developing Open Knowledge Platforms.

Community Advocate for Marathi Language is representing CIS-A2K in this group. The mandate of the group is given in GR. We will be facilitating primarily No.1 & 2, which says - Developing new and utilising existing Open & free platforms like Wikimedia Projects to build knowledge resources on Community Forest Management, Development of training modules in Unicode & make it accessible by common man, Digitisation of reference books, training booklets, govt docs, archives,images etc and making it accessible.

Plan

The Tribal Research & Training Institute(TRTI), Pune was established on 1st May, 1962.The Institute undertakes research studies on various aspects of tribals. It has Tribal Cultural Museum located in its premises. All facets of life of tribals of Maharashtra are displayed in the Museum.The Institute has got a rich Library which serves as reference library on tribals. This is a very good opportunity to explore various aspects of open knowledge with research organisation like TRTI.

After extensive discussions, the project proposal on Van Bodh (a free & open knowledge repository on Biodiversity, Forest Management for Tribal communities) is prepared. The implementing agency is Vrikshamitra under leadership of Prof. Madhav Gadgil. Three other organisations - Mumbai University's Economics department, Vigyan Ashram, Dataspect, Datameet are other partners in this project. The content generation on free & open source platforms & Wikimedia Projects would be facilitated by A2K.

Impact

Many tribal communities have started managing their Community forests vested under Forest Rights Act 2006. All the information pertaining to this field is not easily available in local language. The online content is also not available. Under this project, the knowledge resource would be created in collaboration with grass-root communities in tribal areas. The youth will be trained in unicode, open source applications and content generation in Wikimedia projects. The knowledge resource thus created would be accessed by people in 2500 villages active in community forest management.

For more details visit https://cis-india.org/a2k/blogs/institutional-partnership-with-tribal-research-training-institute

Government gives free publicity worth 40k to Twitter and Facebook

Akriti Bopanna — 2018-04-27T09:52:26Z

We conducted a 2 week survey of newspapers for links between government advertisement to social media giants. As citizens, we should be worried about the close nexus between the Indian government and digital behemoths such as Facebook, Google and Twitter. It has become apparent to us after a 2 week print media analysis that our Government has been providing free publicity worth Rs 40,000 to these entities. There are multiple issues with this as this article attempts at pointing out.

We analyzed 5 English language newspapers daily for 2 weeks from March 12^th to 26^th, one week of the newspapers in Lucknow and the second week in Bangalore. Facebook, Twitter, Instagram and Alphabet backed services such as Youtube and Google Plus were part of our survey. Of a total of 33 advertisements (14 in Lucknow+19 in Bangalore), Twitter stands out as the most prominent advertising platform used by government agencies with 30 ads but Facebook at 29 was more expensive. In order to ascertain the rates of publicity, current advertisement rates for Times of India as our purpose was to solely give a rough estimation of how much the government is spending.

Advertising of this nature is not merely an inherent problem of favoring some social media companies over others but also symptomatic of a bigger problem, the lack of our native e-governance mechanisms which cause the Government to rely and promote others. Where we do have guidelines they are not being followed. By outsourcing their e-governance platforms to Twitter such as TwitterSeva, a feature created by the Twitter India team to help citizens connect better with government services, there is less of an impetus to construct better websites of their own.

If this is so because we currently do not have the capacity to build them ourselves then it is imperative that this changes. We should either be executing government functions on digital infrastructure owned by them or on open and interoperable systems. If anything, the surveyed social media platforms can be used to enhance pre-existing facilities. However, currently the converse is true with these platforms overshadowing the presence of e-governance websites. Officials have started responding to complaints on Twitter, diluting the significance of such complaint mechanisms on their respective department’s portal. Often enough such features are not available on the relevant government website. This sets a dangerous precedent for a citizen management system as the records of such interactions are then in the hands of these companies who may not exist in the future. As a result, they can control the access to such records or worse tamper with them. Posterity and reliability of such data can be ensured only if they are stored within the Government’s reach or if they are open and public with a first copy stored on Government records which ensures transparency as well. Data portability is an important facet to this issue as well as being a right consumers should possess. It provides for support of many devices, transition to alternative technologies and lastly, makes sure that all the data like other public records will be available upon request through the Right to Information procedure. The last is vital to uphold the spirit of transparency envisioned through the RTI process since interactions of government with citizens are then under its ambit and available for disclosure for whomsoever concerned.

Secondly, such practices by the Government are enhancing the monopoly of the companies in the market effectively discouraging competition and eventually, innovation. While a certain elite strata of the population might opt for Twitter or Facebook as their mode of conveying grievance, this may not hold true for the rest of the online India population.

Picking players in a free market is in violation of technology and vendor neutrality, a practice essential in e-governance to provide a level playing field for all and competing technologies. Projecting only a few platforms as de facto mediums of communication with the government inhibits the freedom of choice of citizens to air their grievances through a vendor or technology they are comfortable with. At the same time it makes the Government a mouthpiece for such companies who are gaining free publicity and consolidating their popularity. Government apps such as the SwachBharat one which is an e-governance platform do not offer much more in terms of functionality but either reflect the website or are a less mature version of the same. This leads to the problem of fracturing with many avenues of complaining such as the website, app, Twitter etc. Consequently, the priority of the people dealing with the complaints in terms of platform of response is unsure. Will I be responded to sooner if I tweet a complaint as opposed to putting it up on the app? Having an interoperable system can solve this where the Government can have a dashboard of their various complaints and responses are then made out evenly. Twitter itself could implement this by having complaints from Facebook for example and then the Twitter Seva would be an equal platform as opposed to the current issue where only they are favored.

Recent events have illustrated how detrimental the storage of data by these giants can be in terms of privacy. Data security concerns are also a consequence of such leaks. Not only is this a long overdue call for a better data protection law but at the same time also for the Government to realize that these platforms cannot be trusted. The hiring of Cambridge Analytica to influence voters in the US elections, based on their Facebook profiles and ancillary data, effectively put the governance of the country on sale by exploiting these privacy and security issues. By basing e-governance on their backbone, India is not far from inviting trouble as well. It is unnecessary and dangerous to have a go-between for matters that pertain between an individual and state.

As this article was being written, it was confirmed by the Election Commission that they are partnering with Facebook for the Karnataka Assemby Elections to promote activities such as encourage enrollment of Voter ID and voter participation. Initiatives like these tying the government even closer to these companies are of concern and cementing the latter’s stronghold.

Note: Our survey data and results are attached to this post. All research was collected by Shradha Nigam, a Vth year student at NLSIU, Bangalore.

Survey Data and Results

This report is based on a survey of government advertisements in English language newspapers in relation to their use of social media platforms and dedicated websites (“Survey”). For the purpose of this report, the ambit of the social media platforms has been limited to the use of Facebook, Twitter, YouTube, Google Plus and Instagram. The report was prepared by Shradha Nigam, a student from National Law School of India University, Bangalore. Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/government-giving-free-publicity-worth-40-k-to-twitter-and-facebook

Digital Native: Delete Facebook?

nishant — 2018-05-06T03:08:25Z

You can check out any time you like, but you can never leave.

The article was published in Indian Express on April 8, 2018.

One fine day, we all woke up and were told that Facebook sold our data to Cambridge Analytica and then they made dastardly profiles of us to target us with advertisement and political propaganda, so, we made a beeline for #DeleteFacebook. The most surprising part about the expose is how much of a non-event it is. We have been warned, at least since the Edward Snowden revelations, if not earlier, that our data is the new oil, coal and gold. It is being used as a resource, it is being mined from our everyday digital transactions, and it is precious because it can result in a massive social engineering without our consent or knowledge. Ever since Facebook started expanding its domain from being a friends-poke-friends-with-livestock website, we have been warned that the ambition of Facebook was never to connect you with your friends but to be your friend.

Time and again, we have been told that the sapient Facebook algorithm remembers everything you say and do, anticipates all your future needs, and listens to the most banal litany of your life. More than your mom, your partner or your shrink, it’s the Facebook algorithm which is interested in all your quotidian uselessness. It is not the stranger who accesses your post that should worry you. The biggest perpetrator of privacy violations on Facebook is Facebook itself. There is good reason why a company that offers its prime products for free is valuated as one of the richest corporations in the world. The product of Facebook – it has always been known – is us.

Why, then, are we suddenly taken aback at the fact that Facebook sold us? And while we are sharing our thoughts (ironically on Facebook) about deleting our profiles, the question that remains is this: How much of your digital life are you willing to erase? Because, and I am sorry if this pricks your filter bubble, Facebook’s problem is not really a Facebook problem. It is almost the entire World Wide Web, where we lost the battle for data ownership and platform openness more than two decades ago. Name one privately owned free service that you use on the internet and I will show you the section in its “terms and services” where you have surrendered your data. In fact, you can’t even find government services, tied up with their private partners, where your data is safe and stored in privacy vaults where it won’t be abused.

It is time to realise that the popular ’90s meme “All your base are belong to us” is the lived reality of our digital lives. As we forego ownership for convenience, as our governments sold our sovereignty for profits, and as digital corporations became behemoths that now have the capacity to challenge and write our constitutional and fundamental rights, we are waking up to a battle that has already been fought and resolved. A large part of our physical hardware to access the internet is privately owned. This means that almost all our PCs, tablets, phones, servers are owned and open to exploitation by private companies. Every time your phone does an automatic update or your PC goes into house-cleaning mode, you have to realise that you are being stored, somewhere in the cloud in ways that you cannot imagine.

It is tiring to hear this alarm and panic around Facebook’s data trading. Not only is it legal, it is something that has been happening for a while, most of us have been aware of it, and we have resolutely ignored it because, you know, cute cats. If somebody tells you that they are against privately owned physical property and are going to start a revolution to take away all private property and make it equally shared with the public, you would laugh at them because they are arriving at the battle scene after the war is over. This digital wokeness trend to #DeleteFacebook is the digital equivalent of that moment. If you want to fight, fight the governments and nations who can still protect us. Participate in conversations around Internet governance. Take responsibility to educate yourself about the politics of how the digital world operates. But stop trying to feel virtuous because you pulled out of a social media network, pretending that that is the end of the problem.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-april-8-2018-digital-native-delete-facebook

It Took Just 355 Indians to Mine the Data of 5.6 Lakh Facebook Users. Here's How

Admin — 2018-04-07T15:33:46Z

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration. Often, it is seen that those who open an account are not aware of the privacy concerns.

The blog post by Subhajit Sengupta was published in CNN-News 18 on April 7, 2018. Sunil Abraham was quoted.

Over 5.6 lakh Indian Facebook profiles have allegedly been compromised and their data leaked to the controversial data analytics firm Cambridge Analytica. As per the company, only 335 people in India installed the App yet they managed to penetrate over half a million profiles.

So, how does this work?

Once a user downloaded the quiz app called “thisisyourdigitallife”, Global Science Research Limited got access to the entire treasure trove of data. There are two mechanisms which are used for this.

First, the Application Program Interface (API) of Facebook called ‘Social Graph’ allows any app to harvest the entire contact list and everything else that could be seen on a users’ friend’s profile. This would take place even for private profiles, says Sunil Abraham, Executive Director of Bangalore based research organization ‘Centre for Internet and Society’.

The second way is when users have a public profile. The algorithm seeks out public profiles from the friend list and would go on multiplying from one public profile to another without any of the users even coming to know what is happening. This is like the ‘True Caller’ application, for it to get your number, you don’t need to download the software. If anyone has the app and your number, then it gets automatically logged there.

Facebook says "Cambridge Analytica’s acquisition of Facebook data through the app developed by Dr Aleksandr Kogan and his company Global Science Research Limited (GSR) happened without our authorisation and was an explicit violation of our Platform policies."

GSR continued to access this data from all the Facebook profiles throughout the entire lifespan of the app on the Facebook platform, which was roughly two years between 2013 and 2015. This means, even if a user is careful enough to not download the application but his/her profile’s privacy settings are weak, the algorithm would infiltrate the data bank.

Amit Dubey, a Cyber Security Expert goes into the details of what the app did, “The app called 'thisisyourdigitallife', which was created for research work by Aleksandr Kogan, was eventually used for psychometric profiling of users and then manipulating their political biases. The app was offered to users on the pretext to take a personality test and it agreed to have their data collected for academic use only. But the app has exploited a security vulnerability of Facebook application.”

Facebook “platform policy” allowed only collection of friends’ data to improve user experience in the app and barred it from being sold or used for advertising.

But this kind of data scrapping is not just limited to Cambridge Analytica. The Social Media Algorithm is often abused in the world of data scavenging and analytics. Even law enforcement agencies have often used similar means to locate possible miscreants.

According to Shesh Sarangdhar, Chief Executive Officer in Seclabs & Systems Pvt Ltd, similar data scrapping helped them unearth the terror module behind one of the attacks at an airbase last year. Shesh said that through Social Media Algorithm they would often narrow down on unknown terror modules. What his team did was to connect to the profile the whereabouts of multiple known nods converging. That is how the mastermind was located.

Data privacy in India is still a nascent subject. Experts say cheap data has led to unprecedented Facebook penetration.

Often, it is seen that those who open an account are not aware of the privacy concerns. But as Sunil Abraham puts it, Caveat emptor or ‘Let the Buyers Beware’ does not even apply here. It is not possible for anyone to go through the entire privacy policy.

“So it is not even right to ask if the consumer can protect his/her own interest. Thus, the state should proactively regulate the industry,” said Abraham.

Facebook has brought in a number of changes to its privacy settings. It now allows you to remove third-party apps in bulk. This welcome change has come after sustained pressure on the tech giant from users and a number of regulatory bodies across the world.

For more details visit https://cis-india.org/internet-governance/news/news-18-subhajit-sengupta-how-just-355-indians-put-data-of-5-6-lakh-facebook-users-at-risk

CIS Submission to the Committee of Experts on a Data Protection Framework for India

amber — 2018-04-06T08:09:09Z

For more details visit https://cis-india.org/internet-governance/files/cis-submission-to-the-committee-of-experts-on-a-data-protection-framework-for-india

Annual Report 2017-2018

praskrishna — 2019-01-29T01:57:43Z

For more details visit https://cis-india.org/about/reports/annual-report-2017-2018.pdf