Centre for Internet and Society

Clarification on the Information Security Practices of Aadhaar Report

praskrishna — 2017-05-16T16:41:58Z

For more details visit https://cis-india.org/internet-governance/files/clarification-on-the-information-security-practices-of-aadhaar-report

Updated Aadhaar Report

praskrishna — 2017-05-16T16:37:30Z

For more details visit https://cis-india.org/internet-governance/files/updated-aadhaar-report.pdf

Tech Anthropology Today: Collaborate, Rather than Fetishize from Afar

Geert Lovink and Ramesh Srinivasan — 2017-05-16T14:51:09Z

"That is why the 'offline' if you will is so critical to understanding the 'online'—because they do not exist in isolation and what we have constructed is an illusory binary between the two." In this interview, Geert Lovink discusses with Ramesh Srinivasan: “how can we embrace the realities of communities too-often relegated to the margins?”

Cross-posted from nettime.org.

“How can we embrace the realities of communities too-often relegated to the margins?”

In Whose Global Village? (NYUPress, 2017) UCLA scholar Ramesh Srinivasan travels the globe in order to find out much techno-autonomy there’s still left. Now that more than half of the world has moved to urban centres, the rural population is literary a minority and is kindly asked to adjust accordingly. This makes Srinivasan’s work even more urgent when he asks “what the internet, mobile phone or social media platforms may look like when considered from the perspectives of diverse cultures.”

The communities Ramesh Srinivasan visits are on the defensive, in a process of fragmentation. “There is a disconnection not just from one another,” he writes, “but also from the common threads of their history and culture. The tribes and villages experience “placelessness, fragmentation of identity, and dissolution of social bonds.” Throughout the study, which took place between 2004-2013, Srinivasan reports from the rising gap between the proposed technologies (such as videos, websites, databases) and the ‘techno-solutionism’ (as described by Morozov) that he wants to prevent. Ramesh is so honest to present this dilemma as an inner struggle of today’s anthropologist with a technology background. Computers and smart phones are an integral part of the everyday life—no matter where we go—and can no longer be presented as liberating tools. This put the ‘ICT for development’ researcher is an awkward position. Post-colonial theories have widely been read and their influence (from Fanon, Said to Spivak) is having an inevitable impact. This in turn leads to a new attitude that I would describe as ‘radical modesty’ (if not ‘vital pessimism’).

While studying the impact of the Tribal Peace system that he and others installed to connect the different Navajo tribes in San Diego County, Srinivasan realises that he has to work with rather than ignore the networks that exist. “It was neither the technology nor institutions that connected the people I had met. Instead, the very few threads of kinship I noted were related to revered individuals, regarded by most with collective respect and as a source of inspiration.” It is with and through the elders that he starts to draw up information architectures (or ‘ontologies’), listing topics, themes, and values across the native reservations. How can ‘lateral networks’ be supported in a a process of what James Carey calls ‘ritual communication’?

Needless to say this approach takes us light years away from Facebook and other social media. This is only in part a question of translating interfaces to local indigenous languages. The proposed systems require the design of its own visual metaphors, reminding us of 1990s multi-media navigation screens, meant to represent digital storytelling. This is dealt with in closed, or semi-open networks, paying respect to the different experiences of time and space. These ideas are put to the test in the last part of the book that describes the encounter with the Zuni tribe (Arizona/New Mexico), where Ramesh Srinivasan worked together with Robin Boast. It is amongst the Zuni peoples that the researchers encounter the distrust against anthropologists. “Our Zuni friends voiced feelings of misrepresentation and anger at their objectification. They explained that social scientists would visit their community, exoticize their traditions and customs, and extract what they could to benefit their own agendas rather than those of the community.”

The gained detachment aims to put the researcher “at the service of our friends and partners.” Important is no longer the one-way transfer of knowledge but the art of listening. Towards the end of his study Ramesh asks: “What would it mean to step away from top-down understandings of the internet and instead ‘splinter’ the way we think about technologies and the communities they may support?” As an activist in Egypt explained: “We do not need another NGO or a new dialogue.com to solve our problems—we just need you to listen, support our voices, an pay attention to what we we do.” Whose Global Village? adequately describes the moral and methodological crisis in the ‘ICT for Development’ field. The wide condemnation of Facebook’s neo-colonial internet.org balloon campaign to bring access (to Facebook) to hundreds of millions of rural poor in India clearly marks a paradigm shift. Access is no longer a benevolent project. It’s clear that ICT for Development as such does not contribute to a redistribution of wealth and makes global inequality only worse. So much for internet charity.

Ramesh admits: “Trained as a designer and engineer, I recognize my innate tendency to valorize my power to come up with a set of solutions for any challenge at hand. Yet every project I have described illustrates the valuable insights gained when I put aside my own agenda and bias as much as possible to open myself to experiences that could not have been predicted from afar.” This modesty sounds like a new starting point. But is it also resulting into new concepts and narratives? This might be too much to ask of a single publication (in fact, the first book publication of this author). The ‘tactical distance’, created out of respect for the communities-in-defence, results into rather sparse information about the places we visit. There are no interview fragments included in the book, and the few local leaders that we encounter do not speak to the reader in a direct manner. The chosen way to report creates a vague cloud of secrecy around the research itself. What happens when we listen but do not acknowledge the Other? Were more detailed research results published elsewhere or only accessible for donors (a common practice in NGO land)? What happens when we listen but do not acknowledge the Other? Is it too risky to give them a voice? Might their opinions and desires be too ordinary, too radical, or simply not what we want to hear? What if they do not fit our Western expectations? The Others are humans, after all, and, like us, tend not to live up to expectations. These, and more, are some of the questions we encounter once we give up on the development rhetoric.

Geert Lovink: You’ve been in a lucky, privileged position to travel so often and witness events and encounter communities in diverse places such as Cairo during the 2011 uprising, with the Zapatistas Chiapas, doing research in the land of your ancestors, South India and on reservations in the South-West of the United States. The offline encounter in-real-life seems to be constitutional for your theory. In the past scholars travelled through the library and many these days do not leave their screens while processing their ‘big data’. Digital ethnography, on the other hand, seems to require direct exchanges with the Other. This assumption pops in all chapters. Is travelling the new luxury? Or should we say that it is rather dedicated time? Once you arrive elsewhere there is suddenly another time regime.

Ramesh Srinivasan: Indeed, I think all of us as researchers and teachers are nothing if not 'lucky' or 'privileged'. And you're certainly on point to recognize that the root of my scholarship and activism locates technologies within an assemblage of other factors - peoples, places, infrastructures, and environments. Yet it is essential that I do not collaborate with (rather than ‘study of’) any community unless I am invited to do so and where our efforts are focused on initiatives that live and are owned by that group itself.

That is why the 'offline' if you will is so critical to understanding the 'online'—because they do not exist in isolation and what we have constructed is an illusory binary between the two. If we want to be of service and understand the complex relationships between technologies, politics, and cultures—as I attempt to do via the multiple case studies discussed in the book, we need to put our bodies and hearts in places rather than our distant gaze. It's critical for me to not step foot anywhere where I am not invited first, and to critically think about my role and power as I enter different environments. Indeed, the book is full of ethnographies of attempting to listen more than make, and how I eschew the 'study of' any community and instead write about what we create and work on together. My goal is to collaborate rather than study, rather than fetishize from afar.

GL: Whose Global Village? has an unusual time span of 10-14 years. First research goes back to 2003-2004. Some case study closed in 2005 while most literature dates from 2012-2013. In between, the 2008 global financial crisis occurred, the smart phone was launched and apps became mainstream. How did you deal with these constant changes? Are you proposing a ‘longue durée’ in media studies and internet criticism’? What are the benefits of this approach? How do you see ‘grassroots storytelling’ dealing with the relentless changes of platforms, interfaces and protocols? Do remote communities have a different approach to the latest fashion and the famous ‘fear of missing out’?

RS: There are some dynamics that don't change no matter what app, gadget or platform has captured the popular imagination. That is—the realities of power over how technologies are designed, owned, and politically or economically appropriated. The book starts with the simple but surprisingly ignored sociotechnical truism - People and societies shape and are shaped by technologies. Yet such a small percentage of Internet users have any power over the design process let alone any sovereignty over what occurs with their data and identities as they are refracted onto digital networks. Those issues are timeless and all the more urgent today. I focus on the political and cultural flashpoints where by users and communities can reign in their blind trust of new digital platforms and instead take power over these in relation to their local concerns and agendas.

GL: As a media activist you have a background in engineering. However, at UCLA you work inside library science (called ‘information studies’). However, you seem to relate most to the role of anthropologist, in that you deeply desire not make past mistakes in encounters with ‘the Other’. In this context you work with Mary Louise Pratt’s theory of the contact zones and apply this to the design of ‘multiple ontologies’. I never hear IT engineers talking about contact zones. How do you want to carry your insights into the tech world? After all, you live in California. Who else is going to do this? What could be a good strategy? How do you look at the Bay Area and the global geek class they still dominate in terms of its global imaginary?

RS: I see myself as a scholar who can contribute to fields that tend to remain mostly distinct in the academy—design, engineering, cultural studies, media studies are but a few. If I was ever an IT ‘geek’ that was decades ago!

To engage in the charge of the book, of locating our understandings of digital networks and systems in relation to diverse cultures and users worldwide, all of these fields are useful to invoke and bring into dialogue with one another. I'm fortunate to be in a department that supports this interdisciplinarity and indeed as you stated, coming from California and trained in engineering here, I believe it is all the more important to question the black boxes not just of Silicon Valley hardware and software platform design but to push these incredibly powerful technologies to open up to an engaged, conversational social contract with diverse publics.

GL: Over the past 10-15 years we’ve seen the closing down of the possibility space of the Web and the rise of the ‘easy to use’ template culture of social media. The technologies that you’ve proposed and built seem to move away from the consumer culture. In South India you’re spread video cameras, elsewhere you’ve developed a dedicated Tribal Peace system interface (as part of a stand-alone website) while for the Zuni communities you’ve utilized the FileMaker Pro Advanced database software. Not Facebook, Twitter, Instagram or YouTube (and no wikis either). Can you elaborate on this?

RS: It's important to not assume that naively putting content online is somehow empowering. Indeed, that which we ‘share’ (eg; sharing economy) asymmetrically builds power and value for the platform holder and all those that can monetize it. As a result, we increasingly know that corporate proprietary platforms such as Facebook or Google are hardly designed to directly support a user's sovereignty or agency. The interest, across each of the book's chapters, is to instead think about how the communities with which I collaborate can have their interests served via technologies either that we design together or appropriate/subvert in various ways. Far too often we see examples where such 'participation' actually does little to shape any cultural or political cause from the grassroots. So we think agnostically and critically about the systems, networks and infrastructures we use in relation to our collaborations.

GL: Can you tell us what you’ve been doing over the past few years? Did you continue to work in the same direction? The book indicates that your collaboration with Robin Boast and the work with the Zuni Native American Reservation seems to continue.

RS: My interests lie in that important space between understanding how technologies may aid and support grassroots political movements and diverse user communities. The Zuni collaboration, described in chapter 4, is interested in that cause in relation to the political and cultural sovereignty of a tribe that was not just historically colonized but still faces the objectification and misrepresentation of new forms of coloniality online.

The cases in the book look at both political movements as well as diverse cultures and communities. Currently, I am collaborating with activists and indigenous Zapotec and Mixtec communities in the Oaxaca Mexico region, one of the most biodiverse and culturally/linguistically diverse parts of our world. In this work, I am writing about the Rhizomatica project (invoking Deleuze/Guarttari's rhizome) where these communities are designing their own collectively-owned cell phone networks in cloud forests all around the region. This has massive political and economic effects. What we see here is a rhizome in the making, a set of networks, systems, and infrastructures shaped and produced from the grassroots, by communities and for communities, and not for the major corporations of our world that tend to on the surface exploit and monitor the activities of these people. More on this amazing project, including some videos at www.rhizomatica.org . I believe that as we start to think about this new effort, that Lisa Parks and I describe as 'network sovereignty', we can start to embark on a path I describe in detail in chapter 5 of the book, of getting back the social contract and communitarian potential of technology to serve democratic agendas located in people's politics and cultures.

I am hopeful we can start that conversation now. I attempt to continue it via my soon to be released second book, After the Internet (with Adam Fish, Polity, end 2017) which looks at examples ranging from Iceland’s Pirate Party, hacktivism, the Silk Road, the Arab Spring, and other activist movements that re-imagine new technologies in relation to grassroots power and voice.

Reference

Ramesh Srinivasan, Whose Global Village? Rethinking How Technology Shapes Our World, New York University Press, New York, 2017.

Profiles

Ramesh Srinivasan is Associate Professor of Information Studies with a courtesy appointment in Design|Media Arts. Srinivasan, who holds M.S and Doctoral degrees, from the MIT Media Laboratory and Harvard's Design School respectively, has focused his research globally on the development of information systems within the context of culturally-differentiated communities. He is interested in how an information system can function as a cultural artifact, as a repository of knowledge that is commensurable with the ontologies of a community. As a complement, he is also interested in how an information system can engage and re-question the notion of diaspora and how ethnicity and culture function across distance. This research allows one to uncover mechanisms by which indigenously-articulated forms of development can begin to occur, as relating to his current work in pastoral and tribal communities in Southern India. His research therefore involves engaging communities to serve as the designers, authors, and librarians/archivists of their own information systems. His research has spanned such bounds as Native Americans, Somali refugees, Indian villages, Aboriginal Australia, and Maori New Zealand.

Geert Lovink is a media theorist, internet critic and author of Dark Fiber (2002), Zero Comments (2007), Networks Without a Cause (2012) and Social Media Abyss (2016). Since 2004 he is researcher in the Faculty of Digital Media and Creative Industries at the Amsterdam University of Applied Sciences (HvA) where he is the founder of the Institute of Network Cultures. His centre recently organized conferences, publications and research networks such as Video Vortex (the politics and aesthetics of online video), Unlike Us (alternatives in social media), Critical Point of View (Wikipedia), Society of the Query (the culture of search), MoneyLab (internet-based revenue models in the arts) and a project on the future of art criticism. From 2004-2013 he was also associate prof. at Mediastudies (new media), University of Amsterdam. Since 2009 he is professor at the European Graduate School (Saas-Fee/Malta) where he supervises PhD students.

For more details visit https://cis-india.org/raw/tech-anthropology-today-collaborate-rather-than-fetishize-from-afar

India is building a biometric database for 1.3 billion people — and enrollment is mandatory

praskrishna — 2017-05-12T16:22:35Z

Inside the buzzing enrollment agency, young professionals wearing slim-fitting jeans and lanyards around their necks tapped away at keyboards and fiddled with fingerprint scanning devices as they helped build the biggest and most ambitious biometric database ever conceived.

The article by Shashank Bengali was published in the Los Angeles Times on May 12, 2017.

Into the office stepped Vimal Gawde, an impoverished 75-year-old widow dressed in a floral print sari. She had come to secure her ticket to India’s digital future — to enroll in the identity program, called Aadhaar, or “foundation,” that aims to record the fingerprints and irises of all 1.3 billion Indian residents.

Nearly 9 out of 10 Indians have registered, each assigned a unique 12-digit number that serves as a digital identity that can be verified with the scan of a thumb or an eye. But Gawde came to the enrollment office less out of excitement than desperation: If she didn’t get a number, she worried that she wouldn’t be able to eat.

Designed as a showcase of India’s technological prowess — offering identity proof to the poor and reducing waste in welfare programs — Aadhaar’s grand promises have been muddied by controversy as the government makes enrollment mandatory for a growing number of essential services.

Indians now need an Aadhaar number to pay taxes, collect pensions and obtain certain welfare benefits. The rapid expansion of a program that was originally described as voluntary has sparked criticism that India is vacuuming up citizens’ personal information with few privacy safeguards and creating hardship for the very people the initiative was supposed to help.

Like many Indians living in poverty, Gawde uses a ration card to purchase her monthly allotment of subsidized rice and cooking gas. But the shopkeeper told her that starting next month, he would sell to her only if she produced an Aadhaar number.

She had visited the enrollment agency three times but had yet to be approved, for reasons she did not understand. (Enrollment agents would not comment on individual cases.)

Reaching into her canvas bag, Gawde pulled out the familiar panoply of documents — ration card, voter card, electricity bill, income tax ID — that Indians use to navigate a dizzying bureaucracy. Aadhaar, she was told, would supplant all these papers.

But she had to get the number first.

“I’m nervous,” Gawde said outside the enrollment office on a sweltering morning. “I first applied three years ago and submitted all my documents, but didn’t follow up. Now that it’s becoming compulsory, I’m doing everything I can to get it.”

Indian Prime Minister Narendra Modi, who had criticized Aadhaar as a “political gimmick” before he took office, has embraced the futuristic idea of an all-in-one digital identity. His party pushed through a law last year that paved the way for a dramatic expansion of Aadhaar, allowing government entities and private businesses wide latitude to access the database, which collects not just people’s names and birth dates but also phone numbers, email addresses and other information.

Soon, as more private companies use the database, it could become difficult to open a bank account, get a new cellphone number or buy plane or train tickets without being enrolled.

Supporters say the program, which has cost about $1 billion to implement, will save multiples of that by curbing tax evasion and ensuring that welfare subsidies are not stolen by middlemen.

“Aadhaar was always meant to be an instrument of inclusion,” Nandan Nilekani, a tech billionaire and the program’s first chairman, said in an interview. “I’m really happy that the current government is completely endorsing Aadhaar and using it for a wide variety of services that will transform governance.”

Nilekani calls Aadhaar “hugely empowering” for the poor, but not long ago even he argued that enrollment should remain optional so that no Indians were prevented from accessing essential services. India’s Supreme Court agreed, ruling in 2015 that the government could not require Aadhaar for any benefit to which a person was otherwise entitled, as long as they could prove their identity by some other means.

Yet the court has stayed silent as Aadhaar creeps into every facet of Indian life, even for children.

A 12-year-old girl named Saiba is a case in point. After the girl’s grandmother passed away in their family’s ancestral village in northern India, Saiba’s mother moved her and her four siblings to a crowded neighborhood on the rough fringes of New Delhi, near a car parts market thick with the smell of grease.

When Saiba’s mother, Rani, went to the local school in April to register her for the sixth grade, administrators turned her down, saying every student must have an Aadhaar number.

But to get a number, a child usually needs a birth certificate — and like one-quarter of children born in this country, Saiba and her siblings did not have them because their village did not routinely register births.

Sitting with her mother in the cramped offices of the local advocacy group Pardarshita, above a noisy street lined with vegetable sellers, the girl puffed her round cheeks in an expression of helplessness.

“I don’t know anything about this,” said Saiba, who, like many Indians, has only one name. “I just want to go to school.”

Rakesh Thakur, a board member of Pardarshita, is trying to obtain Aadhaar numbers for dozens of children barred from Delhi schools. He called the policy “a clear violation” by the municipal government of both the Supreme Court order and India’s Right to Education Act, which guarantees every child younger than 14 free schooling.

A Twitter account called “Rethink Aadhaar” logs new instances almost daily of Indians who have suffered because scanners couldn’t read their fingerprints or because of errors in the database.

In Jawhar, a forested zone about 60 miles north of Mumbai, administrators have told local tribal communities that they will soon use Aadhaar to distribute welfare rations and school lunches. But the area lies outside cellphone range, leading residents to wonder how scanners will connect to the Internet to verify their identities.

“The idea of Aadhaar and the technology may be good, but do we have the infrastructure to make it mandatory?” said Vivek Pandit, a former lawmaker who runs a nonprofit group in the area. “The law is city-centric, and it would only lead to the social exclusion of rural India.”

This month lawyers opposing Aadhaar argued before the Supreme Court that the government could not force Indians to share their biometric data. Atty. Gen. Mukul Rohatgi countered that Indians had no constitutional right to privacy and could not claim an “absolute right” over their bodies.

Without privacy protections, activists worry that as Aadhaar numbers are linked to more and more services, intelligence agencies could use the database to more easily track Indians’ calls, travels and purchases.

“It’s become very clear that this is not a project about the poor,” said Usha Ramanathan, a lawyer and anti-Aadhaar activist. “The government’s ambitions have gotten greater over time.”

This month, the Center for Internet and Society, a New Delhi think tank, reported that federal and state agencies had published up to 135 million Aadhaar numbers — some including sensitive information such as a person’s caste and religion, or details of pension payments — on unsecured websites accessible through just a few clicks.

It’s become very clear that this is not a project about the poor. — Usha Ramanathan, a lawyer and anti-Aadhaar activist

Pranesh Prakash, the center’s policy director, said that when Indian authorities can’t even keep Aadhaar numbers private, as the law requires, it suggests the entire database is vulnerable — particularly after sensitive information involving 22 million Americans was exposed when federal databases were hacked in 2015.

“When these kinds of leaks are happening, it’s rather foolhardy to maintain a database of 1.2 billion people’s biometrics, because once this gets breached, it becomes completely unusable,” Prakash said.

“If your PIN number or password leaks, you can change it. You can’t change your fingerprints.”

Praveen Chakravarty, a former investment banker who worked with Nilekani to launch Aadhaar, believes the lack of safeguards undermines the project’s ideals of efficiency and empowerment. He said many Indians were right to worry that Modi’s government, which has cracked down on political activists and nonprofit groups it opposes, could use Aadhaar to snoop on citizens.

“Maybe Aadhaar didn’t need to be this big,” Chakravarty said, adding that the government could simply have worked to fix inefficiencies in individual welfare programs.

“People could ask, ‘Did we need this at all?’” he said. “It’s a good question.”

For Gawde, the widow, Aadhaar remained an idea of the future. She left the enrollment agency that day empty-handed, told by a young employee that her number had not been assigned. But she retained hope that the new ID would make life easier.

“We are just poor people,” she said. “We have to trust what the government tells us.”

For more details visit https://cis-india.org/internet-governance/news/los-angeles-times-shashank-bengali-may-12-2017-india-is-building-a-biometric-database-for-1.3-billion-people-and-enrollment-is-mandatory

SoI’s Open Series Maps Fails to Implement Public Sharing of Govt Data

sumandro — 2017-05-04T12:19:01Z

Although it has made the topographic maps or the Open Series Maps available to general public, Survey of India’s (SoI) Nakshe portal will have to go through a variety of litmus test, as the initiative fails to implement the mandates of public sharing of government data using open standards and open license as put forward by the NMP 2005 and NDSAP 2012, says Sumandro Chattapadhyay, Research Director, The Centre for Internet and Society. This interview was published by Geospatial World on May 02, 2017.

Cross-posted from Geospatial World.

What are your views on the Nakshe Portal initiative from Survey of India?

It is a most welcome initiative by the Survey of India to realize the mandate of the National Map Policy (NMP) 2005 to publicly distribute “Open Series Maps of scales larger than 1:1 million”. The Survey of India has also drawn from and implemented the mandate of the National Data Sharing and Accessibility Policy (NDSAP) 2012 to make available the shareable and non-sensitive Open Series Maps documents without any necessary fees to access and use them.

The initiative, however, fails to achieve the goal of of public sharing of government data using open standards and open license as put forward by the NMP 2005 and NDSAP 2012. This substantively raises the barrier to access the Open Series Maps data and reduces its possibilities of reuse, especially for commercial innovation, in a very serious way. This undermining of the open data agenda is not only a concern for the Nakshe portal in particular, but also sets a dangerous precedent for future open government data initiatives in India.

What is your view on the data provided and its usability?

The Nakshe portal has created several barriers to access and use of the Open Series Maps data, all of which are in violation of the NMP 2005 and NDSAP 2012:

NDSAP 2012 mandates that shareable and non-sensitive government data (such as Open Series Maps) are made public through the data.gov.in portal created under the guidance of the NDSAP 2012. Survey of India may of course decide to publish the Open Series Maps data on the Nakshe portal along with on the data.gov.in portal. Publishing of the data only through the Nakshe portal not only violates the mandate of NDSAP 2012, they make such data much less discoverable.
NDSAP 2012 allows for “registered access” to open government data. That is, it allows for data to be shared only with users who have registered with the data publishing portal. Making registration only possible via Aadhaar number, however, significantly limits the number of users who can access this data. For example, non-Indian researchers form an important potential sub-section of users of Open Series Maps but they will not be able to access the data. The website neither has a privacy policy that clarifies how these submitted Aadhaar numbers will be stored, protected, and shared (if at all) by the Survey of India.
NMP 2005 instructs Survey of India to “allow a user to add value to the maps obtained (either in analogue or digital formats) and prepare his own value-added maps”. The Government Open Data License has been recently notified under NDSAP 2012 to guide permitted uses of open government data in India.

The very restricted approach to permitted end-uses of Open Series Maps by the Survey of India neither follow the NMP instruction, nor adopt the Government Open Data License. Data available from Nakshe portal cannot be exported (which is technically an absurd demand due to globally distributed nature of servers), commercialized, or altered. This creates a most serious barrier to using the Open Series Maps data available via the Nakshe portal.
The Nakshe portal has published geospatial data in PDF format. This is a clear violation of open data practices globally and the NDSAP Implementation Guidelines more specifically, which states that open geospatial data standards, like GML and KML, should be used).

Does this fall in line with the larger government aim of having open and accessible data? If not why?

In a nutshell, the Open Series Maps data being published on the Nakshe portal is neither open (as it does not use open standards to share the data and does not share the data under an open licenses) nor universally accessible (due to the requirement for registration via Aadhaar number).

What improvements do you suggest in the approach of SoI about the portal?

I have listed four major conflicts that the Nakshe portal has with the directives and guidelines offered by the NMP 2005 and NDSAP 2012. I sincerely hope that the Survey of India and the Department of Science and Technology will address them soon, as they significantly limit the ability of users to access and use the Open Series Maps data.

These changes will make the Open Series Maps data open, and ensure that the data can be accessed and innovated with by various stakeholders.

For more details visit https://cis-india.org/openness/survey-of-india-open-series-maps-fails-to-implement-public-sharing-of-govt-data

With digitisation at the forefront, government departments need to be cautious about digital security

praskrishna — 2017-05-20T08:33:37Z

The huge leak of Aadhar data from four websites belonging to a central ministry and the Andhra Pradesh government has been on the government radar for a while. The leak, caused by poor security protocols, had left around 130 million numbers and their allied information, like bank and post office account details, open to access for several months. As the last website finally plugged loophole, violation echoed in Supreme Court.

The blog post by Manas Pratap Singh was published by NDTV on May 4, 2017.

Deliberate revelation of Aadhaar can lay people open to financial fraud and it is a punishable offence and this is what the Electronics and Information ministry has reminded all government departments.

"Aadhaar numbers and demographic information and other sensitive personal data" collected by "ministries/departments, state departments" have been published online, read a letter from the ministry dated April 24.

Such publishing, it added, "is in clear contravention of the provisions of the Aadhaar Act 2016 and constitutes an offence punishable with imprisonment upto 3 years". Such outing of financial information is also a violation of IT Act, it said.

Besides asking web managers to sensitise the ministries, the letter also said that display of such information be stopped immediately.

On May 1, a report by non-profit research organisation Centre for Internet & Society said two of the websites from where the data leak took place, belongs to the Union Ministry of Rural Development.

One stored data for the MNREGA - the mammoth Central scheme for rural employment which caters to 25.46 crore people. The other was the National Social Assistance Programme, another Central scheme under which pension is provided to the elderly people, widows and persons with disabilities.

Amber Sinha, co-author of the CIS report, told NDTV, "For portals that had not masked data, we informed the relevant authorities and asked them to take down the available information."

The Rural Development ministry has now decided to form an expert group on IT and cyber security, which will be headed by Kiran Karnik, a former chief of Nasscom. The ministry, however, is yet to comment on the data leak.

For more details visit https://cis-india.org/internet-governance/news/ndtv-may-4-2017-manas-pratap-singh-government-knew-of-mega-aadhaar-leak-ministries-were-warned

J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts

praskrishna — 2017-05-04T02:12:23Z

Jammu and Kashmir's social media ban: Legal experts are not convinced this is a viable order

The article by Shruti Dhapola was published in the Indian Express on April 28, 2017. Pranesh Prakash was quoted.

For residents of Jammu and Kashmir, there’s a blanket ban on social media for the next one month. This means no access to Facebook, WhatsApp, Twitter, Snapchat, Skype WeChat, YouTube, Telegram and other social networks.

As The Indian Express reported, this ‘social media ban’ was ordered by the state government after Chief Minister Mehbooba Mufti chaired a meeting of the Unified Command Headquarters in Srinagar. The total list includes 22 social media websites, and the order, a copy of which is available with The Indian Express, says this is being done “in the interest of maintenance of public order.”

The order to block the sites was issued by RK Goyal, Principal Secretary in the Home department, and cites Section 5 of Indian Telegraph Act, which “confers powers upon the Central government or the state government to take possession of license telegraphs and order stoppage of transmission or interception or detention of messages”.

The order reasons that social media sites are “being used by anti-national and anti-social elements by transmitting inflammatory messages in various forms”. It directs all ISPs to block these websites in the state of Jammu and Kashmir.

But questions are already being raised over its legality.

“This is an illegal order because the Telegraph Act and Rules, which the order cites, doesn’t give the government the power to block websites. The Telegraph Act is a colonial-era legislation first passed in 1885 in the aftermath of the Mutiny, making telegraphs a monopoly of the colonial British government, and restricting Indians’ access to communications technologies. In 1996, in the PUCL case, the Supreme Court laid down that powers to intercept or block transmission of messages cannot be exercised without procedural safeguards in place. In 2007, procedural safeguards were made for interception, but not for blocking of telegraphic communications,” points out Pranesh Prakash, Policy Director at Centre for Internet and Society.

Pavan Duggal, senior lawyer specialising in cyberlaw, concurs. “Legally, the order is not viable. This is because the IT Act applies for blocking, under Section 69 (A). Also Section 81 of the IT Act also make it clear that this is a special law, which will prevail over any other older law. The IT ACT deals with everything related to the internet.”

The IT ACT notes in Section 1, that “It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention there under committed outside India by any person.”

But even blocking under the IT Act isn’t something that can be ordered over night, and the powers for this rest with the central government.

“There’s a provision (69A) in the Information Technology Act which provides for blocking of specific web pages for national security reasons, but only by the Central government. The J&K government, thus can only request the Central government to block. The central government has in the past denied requests by state governments as they were unlawful requests,” Prakash said.

However, blocking of URLs or in fact complete internet shutdowns is not new in India. “This is an example of Internet manipulation by the governments world over. The first casualty of any disturbance is now the Internet and the government, even the democratic ones living under rule of law have decided that is a-okay to prevent people from communicating in the name of law and order,” said Mishi Choudhary, President and Legal Director at SFLC.in

SFLC.in has also been keeping a track of internet shutdowns in India. It has a dedicated website Internetshutdowns.in which crowd-sources information on these bans, and India has already seen seven shut internet shutdowns in first three months of 2017. For instance, in the state of Nagaland internet and mobile services were down for nearly a month from January 30 to February 20.

The issue of url blocking and internet shutdowns inevitably gets linked to one of freedom of speech. While reasonable restrictions can be imposed under Article 19 (2) of the Constitution, experts are not convinced the current order makes enough of a case to justify such a blanket ban.

“The citizens of J&K are Indian citizens and can challenge the order as violative of Article 19 (1) (a) of the Constitution, violative of right to free speech and expression,” says Choudhary.

“Any kind of blocking must conform to the Constitutional guarantees of freedom of expression, and any blocking must be legally “reasonable” for it to be acceptable as a legitimate restriction under Art.19(2). This blanket ban of 22 arbitrarily chosen service — why block QQ or WeChat, but not LinkedIn — and that too for a month, cannot be called reasonable under any circumstances,” argues Prakash.

Prakash adds that the order also raises other international concerns for India. “It also violates India’s international legal obligations under the International Covenant on Civil and Political Rights (ICCPR), whose Article 19 protects the freedom of thought, opinion and expression. Only those restrictions that are provided by law, have a legitimate aim, are necessary with less restrictive option being available, and are proportionate to the harm being address are allowed. For instance, targeting of hate speech that is calling for genocide is reasonable. But such blanket bans of communications platforms are not,” he argues.

So can the citizens challenge such an order, which puts a blanket ban on social networks? The answer is yes, as in this case this order “is legally untenable,” explains Duggal.

On the practice of blocking, he points that in today’s world it can only be seen an antiquated practice. “To give an analogy it is like fixing a leaking roof with a band-aid. It will only increase traffic to the blocked websites, and there are indirect ways to reach these sites via proxies and other tools as well,” he adds.

The orders can always be reviewed by the courts. “While the IT Act allows for blocking, it should be remembered the process is always open to judicial review. Courts have final authority, and they can examine whether the principles of law were applied when passing such a blocking order,” explains Duggal.

The affected social media websites or ISPs don’t yet have a response to this order. When we reached out, Facebook said it did not have an official comment on the ban. Mobile internet service providers Vodafone and Airtel also refused to comment.

For more details visit https://cis-india.org/internet-governance/news/indian-express-april-28-2017-shruti-dhapola-j-k-social-media-ban

130 Million Aadhaar Numbers Were Made Public, Says New Report

praskrishna — 2017-05-20T06:32:32Z

The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.

The article was published in the Wire on May 1, 2017. This was also mirrored on MensXP.com on May 5, 2017.

Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due improper information security practices, from various central government and state government departments.

This new report, released by the Centre for Internet and Society, studied four government databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The data leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information include bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login'”, it became easy to gain access to the unmasked details without a password.

“It is entirely unclear to us what the the purpose behind making available a data download pption on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the government agency that manages the Aadhaar initiative, in the data leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data.With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief,” the report states.

Still public?

A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about Aadhaar leaks,” the report notes.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

Comments on the Statistical Disclosure Control Report

Srinivs Kodali and Amber Sinha — 2019-03-13T00:28:44Z

This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.

1. PRELIMINARY

CIS is thankful for the opportunity to put forth its views.
This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.

2. ABOUT CIS

CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.

CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.

3. Comments

3.1 General Comments

As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.

We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.

3.2 Integrity of Information and Data

We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.

3.3 Data Security

One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.

We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.

3.4 Anonymization of microdata

We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.

3.5 Data Dissemination

Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.

We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,

The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.

Thank you for this opportunity and we look forward to work with you in future.

For more details visit https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report

Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2017-05-01T13:13:33Z

In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information

Comments on the Right to Information Rules, 2017

amber — 2017-04-27T09:25:42Z

On March 31st, 2017, the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training released a Circular framing rules under the Right to Information Act, 2005 (“RTI Rules”). The Ministry invited comments on on the RTI Rules. CIS submitted its comments on April 25, 2017.

1. Preliminary

1.1 On March 31st, 2017, the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training released a Circular framing rules under the Right to Information Act, 2005 (“RTI Rules”). The Ministry invited comments on on the RTI Rules.

2. The Centre for Internet and Society

2.1. The Centre for Internet and Society, (“CIS”), is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.

3. Comments

3.1 General Comments

The new RTI Rules introduce various procedural hurdles and provides a great deal of discretionary power to the CIC in dealing with RTI applications and appeals. One of the provisions which has attracted attention in the past also is the abatement of appeals upon the death of the RTI applications. This provision, explored in more detail is especially objectionable in light of the threats that RTI activists face.

3.2 Specific Comments

3.2.1 Rule 4 of the RTI Rules states that the fees for providing information under the RTI Act would be ‘as notified by Central Government from time to time’. While the RTI Rules also prescribe the fee for filing RTI applications, this phrase provides a window to increase the fees through subsequent notifications. We recommend that the phrase “or as notified by Central Government from time to time” be deleted in order prevent prohibitive increase in the fees in future.

3.2.2 Rule 4 of the RTI Rules also specifies the fees for provision of information via floppies and diskettes. There is no plausible reason to engage in continued rulemaking applicable to outdated modes of data storage. It would be of much more help if the rules were to prescribe fees for CDs, DVDs and email. We also submit that no fees need be charged for information provided through emails, and this mode of communication must be adopted where possible.

3.2.3 Rule 8 (1)(viii) states that every appellant must affirm that they have not filed an appeal pertaining to similar matters before the Commission or any court. However, the same matter can lead to multiple counts of causes of actions, and the principle of res judicata barring further action should not apply in these cases. Therefore, it is recommended that this requirement is deleted.

3.2.4 Rule 12 permits the withdrawal of an appeal on the request of the appellant and the abatement of an appeal on the death of the appellant. This provisions needs to be evaluated in light of the increasing number of cases of threats received by RTI activists. There have been close to 400 documented cases of attacks on RTI applicants,[1] including cases of murder and physical assault. This provision will serve to enable withdrawal of RTI appeals through harassment and other means of coercion.

Further, the abatement of an appeal upon death of an RTI appellant is a clause without any merit and could translate into murders of appellants to cause abatement of the appeal. Additionally, the Supreme Court’s judgment in the matter of Union of India v. Namit Sharma[2] must be kept in mind which clarified the position that RTI applications and appeals are not in the nature of lis and deal with the question of whether requested information ought to be disclosed. Therefore, there is no reason why appeals should abate upon the demise of the appellant.

3.2.5 Rule 14 permits the CIC to return complaints due to non-compliance with the procedural rules in Rule 13. Such rules[3] have been used in the past to return complaints on unreasonable or artificial grounds. This is an example of additional procedural hurdles introduced by through the rulemaking process instead of making the process more citizen friendly.

3.2.6 Rule 15 (iii) of the RTI Rules gives the CIC the discretion to close a case without even allowing hearing to the applicant. There is no requirement on the CIC to provide a detailed reasoning of its determination either. This rule is in violation of the right to be heard before adjudication under natural justice principles.

3.7 The redressal mechanism under Rule 16 of the RTI Rules leaves a lot to be desired. Beginning with the use of the term ‘communication’ to refer to the complaint regarding a non-compliance of the CIC’s order, the rule takes a cavalier approach to addressing the significant number of cases of non-compliance with the CIC’s order. Further, there is no clear procedure spelt out with regard to how the CIC will deal with such matters and whether parties may be heard before making an adjudication. Further, there is an inconsistency in that a communication may be rejected if not submitted in the prescribed format, whereas in the case of appeals it clearly stated that they may not be returned/rejected only on the ground of non-compliance with the format.

[1] http://attacksonrtiusers.org

[2] https://indiankanoon.org/doc/47938967/

[3] Rule 9 of the RTI Rules, 2012.

For more details visit https://cis-india.org/openness/blog-old/comments-on-the-right-to-information-rules-2017

Economic, Social and Cultural Rights in India: Opportunities for Advocacy in Intellectual Property

Sunil Abraham and Vidushi Marda — 2017-04-23T05:22:01Z

Centre for Internet & Society worked on a three part case study. The first case study on digital protection of traditional knowledge was published by GIS Watch in December 2016. The other two case studies along with the synthesis overview has also been published.

The rights established in the International Covenant on Economic, Social and Cultural Rights (ICESCR) are socioeconomic rights and are easily mapped onto rights to education, work, science and culture. These rights, however, are not as easily mapped onto intellectual property rights. This three-part case study contemplates the ICESCR through aspects of intellectual property in India, namely, mobile patents, free and open source software (FOSS), and India’s Traditional Knowledge Digital Library. Through these, it demonstrates the potential of these technologies in realising ESCRs.

A distinguishing factor of the ICESCR is the emphasis on the progressive realisation of rights within the Covenant, which indicates the necessity of parties to take steps for the realisation of ESCRs to the best of their ability given the resources available, with a view to fully realising these rights in the long term. This is particularly relevant in India, where the large population and scarcity of resources require gradual realisation and sustained planning. This case study advocates for the progressive realisation of the rights outlined below, and sheds light on the current state of progress in India, as well as providing an overview of the framework within which these rights will be realised.

Although these three case studies focus on distinct areas – mobile patents, FOSS and open standards, and traditional knowledge – they can also be understood as tied together through the central theme of a mobile phone. The first case study on mobile patents deals with the hardware of the phone, the second deals with the software in discussing open software and standards, and the third case study on traditional knowledge focuses on the person holding the phone who consumes information-embedded products such as traditional foods and medicines.

The report on digital protection of traditional knowledge was published by GIS Watch earlier and the rest of the reports have been published by the Association for Progressive Communications.

For more details visit https://cis-india.org/openness/apc-april-23-2017-sunil-abraham-and-vidushi-marda-economic-social-and-cultural-rights-in-india

Economic, social and cultural rights in India: FOSS

praskrishna — 2017-04-23T05:14:13Z

For more details visit https://cis-india.org/openness/files/economic-social-and-cultural-rights-in-india-foss

Economic, social and cultural rights in India: Opportunities for advocacy in intellectual property rights - The Traditional Knowledge Digital Library

praskrishna — 2017-04-20T16:40:50Z

For more details visit https://cis-india.org/openness/files/economic-social-and-cultural-rights-in-india-opportunities-for-advocacy-in-intellectual-property-rights-the-traditional-knowledge-digital-library