Centre for Internet and Society

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham

Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham

praskrishna — 2016-03-16T16:37:19Z

The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.

Shreeja Sen interviewed Sunil Abraham. The article was published in Livemint on March 8, 2016.

The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.

Sunil Abraham, 42

Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.

The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.

Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:

Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?

Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.

Nothing has changed.

What kind of concerns?

The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.

Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.

UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.

This software is proprietary and nobody knows how they work and nobody can independently audit them.

The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.

Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.

The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.

You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.

So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.

They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.

Does Aadhaar bill help assuage your doubts about the project?

The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.

If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.

Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.

Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.

One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest EPW (Economic and Political Weekly), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.

Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.

Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?

Two responses: is it good anti- corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.

What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.

The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.

The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).

So, the ease of registration has not served the purpose.

For more details visit https://cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Japreet Grewal and Sunil Abraham — 2016-03-16T10:10:40Z

We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positiveâ€” the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken

Critique of the Aadhaar Bill 2016

2016-05-02T04:49:14Z

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 on March 11, 2016, to give legislative basis to the Aadhaar number assigning being done by the Unique Identification Authority of India (UIDAI). The Bill was introduced, by Finance Minister, Mr. Arun Jaitley, as a money bill, and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Since its inception in 2009, the UIDAI project has been shrouded in controversy due to various questions raised about privacy, technological limitations, security concerns, and legal basis. We have documented various concerns with the Aadhaar Bill 2016, as well as with the project at large.

About the Aadhaar Bill 2016

FAQ on the Aadhaar Project and the Bill

This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research.

The New Aadhaar Bill in Plain English

This post summarizes the provisions of Aadhaar Bill 2016 in a simplified language.

What's New in the Aadhaar Bill 2016?

Simple comparison of the texts of the The National Identification Authority of India Bill, 2010 and The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Bill, 2016.

Comparison of the Aadhaar Bill 2016 and the NIAI Bill 2010

A detailed provision-by-provision comparison of the Bills.

Salient Points in the Aadhaar Bill and Concerns

This post contributes to the growing body of analysis and critique of the Aadhaar Bill 2016, and foregrounds the major concerns identified by CIS with the Bill.

Public Statements and Letters

An Urgent Need for the Right to Privacy

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament

On Friday, March 11, the Aadhaar Bill, 2016, was introduced and passed as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Infographics

Can the Aadhaar Act 2016 be Classified as a Money Bill?

In this infographic, we show if the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, can be classified as a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Amber Sinha and Sumandro Chattapadhyay.

Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?

In this infographic, we highlight the matters dealt with in the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, and consider if these can be objects of a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Sumandro Chattapadhyay and Amber Sinha.

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address.

Aadhaar Bill 2016 Evaluated against the National Privacy Principles

In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012.

Legal Critique of the Aadhaar Bill 2016

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Aadhaar Act and its Non-compliance with Data Protection Law in India

This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Aadhaar Bill Fails to Incorporate Suggestions by the Standing Committee

An analysis of how recommendations made by the Standing Committee on UID were not incorporated in the Aadhaar Bill 2016.

Govt Narrative on Aadhaar has Not Changed in the Last Six Years: Sunil Abraham

In this article, Sunil Abraham says that bill is fundamentally the same as the UPA version, with some cosmetic changes, and some token statements towards the "right to privacy."

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Amber Sinha and Pranesh Prakash discuss how the privacy concerns remain, and are reinforced through loopholes, in the Aadhaar Bill 2016.

Technical Critique of the Aadhaar / UIDAI Project

Flaws in the UIDAI Process

The accuracy of biometric identification depends on the chance of a false positive: the probability that the identifiers of two persons will match. An experiment performed at an early stage of the programme has allowed us to estimate the chance of a false positive. For the current population of 1.2 billion the expected proportion of duplicands is 1/121, a ratio which is far too high.

Aadhaar is Actually Surveillance Tech: Sunil Abraham

In this interview, Sunil Abraham argues that the concept of Aadhaar is fundamentally flawed, and it doesn't substantially help in plugging leakages in government schemes.

For more details visit https://cis-india.org/aadhaar-bill-2016

Will Only Legal Backing For Aadhaar Suffice?

praskrishna — 2016-03-16T02:31:52Z

Aadhaar is set to become mandatory, but the opponents of the scheme are not amused. Concerns about privacy of the Aadhaar number and the authenticity of the biometric data being collected have been expressed by people right from the beginning. But the government has not done much to address these issues.

The article was published in New Indian Express on March 14, 2016. Sunil Abraham was quoted.

“It does not matter what legislative backing they give it, it is still a surveillance programme. How can you have a privacy Bill for a surveillance programme? Legislative backing would be band-aid. I do not agree with it,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. The society is a Bengaluru-based organisation looking at multi-disciplinary research and advocacy.

Abraham says that ever since the Aadhaar scheme was implemented, there was a massive degradation of civil liberties. “It is an opaque technology. Why should the government have such a database?” he asks.

Abraham says that the keys to the data should not have rested with the government where it is vulnerable. Instead, the government should have explored the concept of introducing smart cards issued to the citizen with the data stored on it.

Access to this data could not be had without the permission of the citizen, he says. At present, if something goes wrong or if the data is compromised, the government can always blame a lapse in technology, Abraham adds.

He questions the government’s logic where it assumes that only the poor section of society can misuse the benefits and says that it is well known that the problem exists in the supply chain and that the government has done nothing to address this.

Mathew Thomas of The Fifth Estate, an NGO, wonders what advantage the BJP suddenly found that they decided to pursue Aadhaar rather than send it to the trash bin as they had promised before the general elections.

Thomas says Aadhaar is flawed and is a fraud on the Constitution and the government has taken the money bill route simply to avoid a debate on it.

“Just passing a Bill is meaningless. This is radically wrong and we all know that protection of privacy is nonsense. How do they plan to plug the leakages? Have they even conducted a study, because there is no evidence of it. The correct beneficiary can get an LPG cylinder, but what is stopping the person from using it for an auto or for his car? That the government can lie to its own people is terrible,” he says.

A five-judge bench of the Supreme Court, which is hearing the matter on privacy concerns about Aadhaar, is expected to have a hearing by the end of this month.

For more details visit https://cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice

Are we Losing the Right to Privacy and Freedom of Speech on Indian Internet?

Amber Sinha — 2016-03-16T14:44:19Z

The article was published in DNA on March 10, 2016.

Last month, it was reported that National Security Council Secretariat (NSCS) had proposed the setting up of a National Media Analytics Centre (NMAC). This centre’s mandate would be to monitor blogs, media channels, news outlets and social media platforms. Sources were quoted as stating that the centre would rely upon a tracking software built by Ponnurangam Kumaraguru, an Assistant Professor at the Indraprastha Institute of Information Technology in Delhi. The NMAC seems to mirror other similar efforts in countries such as US, Canada, Australia and UK, to monitor online content for the reasons as varied as prevention of terrorist activities, disaster relief and criminal investigation.

The NSCS, the parent body that this centre will fall under, is a part of the National Security Council, India’s highest agency looking to integrate policy-making and intelligence analysis, and advising the Prime Minister’s Office on strategic issues as well as domestic and international threats. The NSCS represents the Joint Intelligence Committee and its duties include the assessment of intelligence from the Intelligence Bureau, Research and Analysis Wing (R&AW) and Directorates of Military, Air and Naval Intelligence, and the coordination of the functioning of intelligence agencies.

From limited reports available, it appears that the tracking software used by NMAC will generate tags to classify post and comments on social media into negative, positive and neutral categories, paying special attention to “belligerent” comments. The reports say that the software will also try to determine if the comments are factually correct or not. The idea of a government agency systematically tracking social media, blogs and news outlets and categorising content as desirable and undesirable is bound to create a chilling effect on free speech online. The most disturbing part of the report suggested that the past pattern of writers’ posts would be analysed to see how often her posts fell under the negative category, and whether she was attempting to create trouble or disturbance, and appropriate feedback would be sent to security agencies based on it. Viewed alongside the recent events where actors critical of the government and holding divergent views have expressed concerns about attempts to suppress dissenting opinions, this initiative sounds even more dangerous, putting at risk individuals categorised as “negative” or “belligerent”, for exercising their constitutionally protected right to free speech.

Getty Images

It has been argued that the Internet is a public space, and should be treated as subject to monitoring by the government as any other space. Further, this kind of analysis does not concern itself with private communication between two or more parties but only with publicly available information. Why must we raise eyebrows if the government is accessing and analysing it for the purposes of legitimate state interests? There are two problems with this argument. First, any surveillance of communication must always be limited in scope, specific to individuals, necessary and proportionate, and subject to oversight. There are no laws passed by the Parliament in India which allow for mass surveillance measures. Such activities are being conducted through bodies like NSC which came into existence through an Executive Order and have no clear oversight mechanisms built into its functioning. A quick look at the history of intelligence and surveillance agencies in India will show that none of them have been created through a legislation. A host of surveillance agencies have come up in the last few years including the Central Monitoring System, which was set up to monitor telecommunications, and the absence of legislative pedigree translates into lack of appropriate controls and safeguards, and zero public accountability.

The second and the larger issue is that the scale and level of granularity of personal information available now is unprecedented. Earlier, our communications with friends and acquaintances, our movements, our association, political or otherwise, were not observable in the manner it is today. It would be remiss to underestimate the importance of personal information merely because it exists in the public domain. The ability to act without being subject to monitoring and surveillance is key to the right to free speech and expression. While we accept the importance of free speech and the value of an open internet and newer technologies to enable it, we do not give sufficient importance to how these technologies are affecting the right to privacy.

Getty Images

In the last few years, the social media scene in India has been characterised by extreme polemic with epithets such as ‘bhakt’, ‘sanghi’, ‘sickular’ and ‘presstitutes’ thrown around liberally, turning political discussions into a mess of ugliness. It remains to be seen whether the NMAC intends to deal with the professional trolls who rely on a barrage of abuse to disrupt public conversations online. However, the appropriate response would not be greater surveillance, let alone a body like NMAC, with a sweeping mandate and little accountability.

Link to the original here.

For more details visit https://cis-india.org/internet-governance/blog/dna-amber-sinha-march-10-2016-are-we-losing-right-to-privacy-and-freedom-of-speech-on-indian-internet

Aadhaar Bill fails to incorporate suggestions by the Standing Committee

amber — 2016-03-10T15:58:57Z

In 2011, a standing committee report led by Yashwant Sinha had been scathing in its indictments of the Aadhaar BIll introduced by the UPA government. Five years later, the NDA government has introduced a new bill which is a rehash of the same. I look at the concerns raised by the committee report, none of which have been addressed by the new bill.

The article was published by The Wire on March 10, 2016

In December, 2010, the UPA Government introduced the National Identification Authority of India Bill, 2010 in the Parliament. It was subsequently referred to a Standing Committee on Finance by the Speaker of Lok Sabha under Rule 331E of the the Rules of Procedure and Conduct of Business in Lok Sabha. This Committee, headed by BJP leader Yashwant Sinha took evidence from the Minister of Planning and the UIDAI from the government, as well as seeking the view of parties such as the National Human Rights Commission, Indian Banks Association and researchers like Dr Reetika Khera and Dr. Usha Ramanathan. In 2011, having heard from various parties and considering the concerns and apprehensions about the UID scheme, the Committee deemed the bill unacceptable and suggested a re-consideration of the the UID scheme as well as the draft legislation.

The Aadhaar programme has so far been implemented under the Unique Identification Authority of India, a Central Government agency created through an executive order. This programme has been shrouded in controversy over issues of privacy and security resulting in a Public Interest Litigation filed by Judge Puttaswamy in the Supreme Court. While the BJP had criticised the project as well as the draft legislation when it was in opposition, once it came to power and particularly, after it launched various welfare schemes like Digital India and Jan Dhan Yojna, it decided to continue with it and use Aadhaar as the identification technology for these projects. In the last year, there have been orders passed by the Supreme Court which prohibited making Aadhaar mandatory for availing services. One of the questions that the government has had to answer both inside and outside the court on the UID project is the lack of a legislative mandate for a project of this size. About five years later, the new BJP led government has come back with a rehash of the same old draft, and no comments made by the standing committee have been taken into account.

The Standing Committee on the old bill had taken great exception to the continued collection of data and issuance of Aadhaar numbers, while the Bill was pending in the Parliament. The report said that the implementation of the provisions of the Bill and continuing to incur expenditure from the exchequer was a circumvention of the prerogative powers of the Parliament. However, the project has continued without abeyance since its inception in 2009. I am listing below some of the issues that the Committee identified with the UID project and draft legislation, none of which have been addressed in current Bill.

One of the primary arguments made by proponents of Aadhaar has been that it would be useful in providing services to marginalized sections of the society who currently do not have identification cards and consequently, are not able to receive state sponsored services, benefits and subsidies. The report points that the project would not be able to achieve this as no statistical data on the marginalized sections of the society are being used to by UIDAI to provide coverage to them. The introducer systems which was supposed to provide Aadhaar numbers to those without any form of identification, has been used to enroll only 0.03% of the total number of people registered. Further, the Biometrics Standards Committee of UIDAI has itself acknowledged the issues caused due to a high number of manual laborers in India which would lead to sub-optimal fingerprint scans. A report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. In this manner, the project could actually end up excluding more people.

The Report also pointed to a lack of cost-benefit analysis done before going ahead with scheme of this scale. It makes a reference to the report by the London School of Economics on the UK Identity Project which was shelved due to a) huge costs involved in the project, b) the complexity of the exercise and unavailability of reliable, safe and tested technology, c) risks to security and safety of registrants, d) security measures at a scale that will result in substantially higher implementation and operational costs and e) extreme dangers to rights of registrants and public interest. The Committee Report insisted that such global experiences remained relevant to the UID project and need to be considered. However, the new Bill has not been drafted with a view to address any of these issues.

The Committee comes down heavily on the irregularities in data collection by the UIDAI. They raise doubts about the ability of the Registrars to effectively verify the registrants and a lack of any security audit mechanisms that could identify issues in enrollment. Pointing to the news reports about irregularities in the process being followed by the Registrars appointed by the UIDAI, the Committee deems the MoUs signed between the UIDAI and the Registrars as toothless. The involvement of private parties has been under question already with many questions being raised over the lack of appropriate safeguards in the contracts with the private contractors.

Perhaps the most significant observation of the Committee was that any scheme that facilitates creation of such a massive database of personal information of the people of the country and its linkage with other databases should be preceded by a comprehensive data protection law. By stating this, the Committee has acknowledged that in the absence of a privacy law which governs the collection, use and storage of the personal data, the UID project will lead to abuse, surveillance and profiling of individuals. It makes a reference to the Privacy Bill which is still at only the draft stage. The current data protection framework in the Section 43A rules under the Information Technology Act, 2000 are woefully inadequate and far too limited in their scope. While there are some protection built into Chapter VI of the new bill, these are nowhere as comprehensive as the ones articulated in the Privacy Bill. Additionally, these protections are subject to broad exceptions which could significantly dilute their impact.

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee

The Crypto Wars Are Global

praskrishna — 2016-04-01T16:06:30Z

The blog post by Joseph Cox was published by Motherboard on March 4, 2016

American politicians, media, and the public may be focused on the ongoing battle between Apple and the FBI over encryption in the iPhone, but the so-called Crypto Wars are far from just a national issue.

The proliferation of encryption—and law enforcement’s efforts to defeat it—is a wordwide phenomenon, and one that might have much more urgent consequences outside of Europe and the US.

On top of that, some governments’ reactions to the increased use of cryptography have been more kinetic and drastic.

This was starkly demonstrated with the arrest of a senior Facebook executive in Brazil on Tuesday, seemingly carried out because WhatsApp was unable to fulfill a court order to intercept messages on the service. That case was likely an exceptional one, but it was symptomatic of growing frustration amongst governments and law enforcement around the world.

Plenty of countries already seemingly target devices to circumvent encryption

So as foreign authorities clamp down on crypto in their own way, how will this affect users?

“Outside the US, the consequences for users, the risks, the threats that they face; the reasons they use crypto, are going to be much more pronounced,” Amie Stepanovich, US Policy Manager at Access Now, a digital rights group told Motherboard in a phone call.

For some users, Stepanovich said, “encryption really is a matter of life or death.” She pointed to LGBQT communities in the Middle East or North Africa, where their sexual preference might be illegal.

Various countries have taken wildly different approaches to tackling crypto. Late last year, the Kazakhstan government announced a plan to force all internet users to download a digital certificate that would allow the authorities to snoop on encrypted traffic. And in 2014, the Russian government called for researchers to find a way to crack the Tor anonymity network. Both of those plans have seemingly failed to materialise in any concrete results, but the intention was certainly there.

Others have looked at attacking devices of individuals, something that the FBI is also keen to develop.

“The future might be in the hacking of the device, hacking the end-point,” said Richard Tynan, a technologist at activist group Privacy International.

Indeed, plenty of countries already seemingly target devices to circumvent encryption. Italian surveillance company Hacking Team had at least 70 customers from all over the world, according to hacked internal documents.

The legislative approach has also been fairly popular. In December, China passed a law requiring technology firms to assist in the decryption of information.

This legal route parallels the current battle between Apple and the FBI, where the agency has asked the company to write code that would override the iPhone’s security features. Some feel that if the FBI is successfully in making the technology giant write malicious code, then a precedent will be set for other countries to follow.

“I think that if the US government is successful in ordering Apple to write code, we're going to see other countries also try to push Apple in the same direction,” Stepanovich said. (In its recent amicus brief in the Apple case, Intel wrote that if the FBI is successful in its demands, other countries, particularly those with less protective privacy laws, might see an invitation to require companies to undermine the security of their products.)

J. Carlos Lara, research and policy director from Derechos Digitales in Chile, said “There are many reasons to be following the debate, even if it does not appear to be directly about us, or about our country, because it might become one of the issues in our country at any point in the future.”

Carolina Botero, director of Fundación Karisma, a Colombian civil society organization, told Motherboard that she could imagine a situation similar there to that ongoing in the US if Apple does lose this fight.

“Colombia has a real need to fight against terrorists; there is a real national security issue here,” she said.

Others remained sceptical, saying that some countries may follow their own path, as they've already been doing.

“U.S. commentators greatly over-estimate the positive impact of U.S. self-imposed restrictions in national security matters on how foreign countries will act,” Pranesh Prakash, policy director at the Centre for Internet and Society in India, told Motherboard in an email.

Although it’s not a case strictly dealing with the same issues as Apple and the FBI, Prakash pointed to when the Indian government pressured BlackBerry to install a server in the country, so messages could be more easily intercepted.

“Though the U.S. government does not put restrictions on the encryption that may be deployed by telecom networks and ISPs, the Indian government does. And we aren't even talking about an 'authoritarian' government here, but the world's largest democracy,” he wrote.

The encryption debate is clearly not one limited to only the US, or even Europe. Rather, the spread of cryptography, and how governments respond to that, is likely an immediately more important issue elsewhere in the world.

“The global threat is much more serious,” than in the US, Stepanovich said.

For more details visit https://cis-india.org/internet-governance/news/motherboard-march-4-2016-joseph-cox-crypto-wars-are-global

Sean McDonald - Ebola: A Big Data Disaster

sumandro — 2016-04-21T09:57:26Z

We are proud to initiate the CIS Papers series with a fascinating exploration of humanitarian use of big data and its discontents by Sean McDonald, FrontlineSMS, in the context of utilisation of Call Detail Records for public health response during the Ebola crisis in Liberia. The paper highlights the absence of a dialogue around the significant legal risks posed by the collection, use, and international transfer of personally identifiable data and humanitarian information, and the grey areas around assumptions of public good. The paper calls for a critical discussion around the experimental nature of data modeling in emergency response due to mismanagement of information has been largely emphasized to protect the contours of human rights.

Read

Download the paper: PDF.

Preface

This study titled “Ebola: A Big Data Disaster” by Sean Martin McDonald, undertaken with support from the Open Society Foundation, Ford Foundation, and Media Democracy Fund, explores the use of Big Data in the form of Call Detail Record (CDR) data in humanitarian crisis.

It discusses the challenges of digital humanitarian coordination in health emergencies like the Ebola outbreak in West Africa, and the marked tension in the debate around experimentation with humanitarian technologies and the impact on privacy. McDonald’s research focuses on the two primary legal and human rights frameworks, privacy and property, to question the impact of unregulated use of CDR’s on human rights. It also highlights how the diffusion of data science to the realm of international development constitutes a genuine opportunity to bring powerful new tools to fight crisis and emergencies.

Analysing the risks of using CDRs to perform migration analysis and contact tracing without user consent, as well as the application of big data to disease surveillance is an important entry point into the debate around use of Big Data for development and humanitarian aid. The paper also raises crucial questions of legal significance about the access to information, the limitation of data sharing, and the concept of proportionality in privacy invasion in the public good. These issues hold great relevance in today's time where big data and its emerging role for development, involving its actual and potential uses as well as harms is under consideration across the world.

The paper highlights the absence of a dialogue around the significant legal risks posed by the collection, use, and international transfer of personally identifiable data and humanitarian information, and the grey areas around assumptions of public good. The paper calls for a critical discussion around the experimental nature of data modelling in emergency response due to mismanagement of information has been largely emphasized to protect the contours of human rights.

This study offers an important perspective for us at the Centre for Internet and Society, and our works on Privacy, Big Data, and Big Data for Development, and very productively articulates the risks of adopting solutions to issues important for development without taking into consideration legal implications and the larger impact on human rights. We look forward to continue to critically engage with issues raised by Big Data in the context of human rights and sustainable development, and bring together diverse perspectives on these issues.

- Elonnai Hickok, Policy Director, the Centre for Internet and Society

CIS Papers

The CIS Papers series publishes open access monographs and discussion pieces that critically contribute to the debates on digital technologies and society. It includes publication of new findings and observations, of work-in-progress, and of critical review of existing materials. These may be authored by researchers at or affiliated to CIS, by external researchers and practitioners, or by a group of discussants. CIS offers editorial support to the selected monographs and discussion pieces. The views expressed, however, are of the authors' alone.

For more details visit https://cis-india.org/papers/ebola-a-big-data-disaster

Netizen Report: The EU Wrestles With Facebook Over Privacy

praskrishna — 2016-02-27T07:39:01Z

Global Voices Advocacy's Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world.

The blog post published in Global Voices on February 11, 2016 quotes Pranesh Prakash and Subhashish Panigrahi.

In the latest development in the negotiations between the United States and European Union over data transfer rules, Reuters reports France’s data protection authority gave Facebook three months to stop tracking non-users’ Web activity without their consent, and ordered Facebook to cease some transfers of personal data to the United States or face fines. In response, Facebook asserted it does not use the now-defunct Safe Harbor agreement to move data to the United States and instead has set up alternative legal structures to keep its data transfers in line with EU law. Despite this, Facebook was forced last year to stop tracking Belgian non-users after it was taken to court by the Belgian regulator. Last week, the United States and European Union agreed upon a new legal framework to replace Safe Harbor, but as it is not yet operational, several European data protection authorities are still deciding whether data transfers should be restricted.

Big Blow for Facebook’s Free Basics

Indian regulators officially banned “differential pricing”or discriminatory tariffs placed on data services depending on their content. This means that Internet users in India are guaranteed equal access to any website they want, regardless of how they connect to the Internet, ays Global Voices’ Subhashish Panigrahi. The decision is a particular blow to Facebook’s Free Basics application, which uses differential pricing mechanisms to make accessing Facebook, WhatsApp and a limited number of other websites free to users who do not pay for mobile data plans. Though Facebook promotes the program as a means to increasing digital access, it has come under backlash in India and a number of other countries. Internet policy expert Pranesh Prakash emphasizedthat though the ruling is a win for open access in India, these efforts must continue until India is truly and equally connected.

Google’s new scheme to combat online extremism

In an effort to combat groups like ISIS that recruit online, Google has launched apilot schemeto point users who search for extremist terms toward anti-radicalization links. It announced the new effort on February 2 at a meeting with the U.K. Home Affairs Select Committee on Countering Extremism. Representatives of Twitter and Facebook were also challenged by members of Parliament on their role in combatting the spread of terrorist material. Twitter announcedthat it had suspended 125,000 accounts associated with extremism since mid-2015 in response to pressure from the US government. However, as the New York Times’ Mike Isaac notes, “these companies must walk a fine line between bearing responsibility for their platforms and avoiding becoming the arbiter of what constitutes free speech.”

What’s going to happen to Ukraine’s database of ‘explicit content’?

The Ukrainian censorship body, National Expert Commission for Protection of Public Morality, dissolved last year, but its legacy lives on as a database of “explicit content” that no one in the government seems to know what to do with. The database includes a sizeable amount of content “containing elements of sexual nature and erotica,” but the commission was also well known for its attempt to ban Spongebob Squarepants, Shrek, and Teletubbies. Users have suggested the team responsible for dissolving the commission make the content more widely available, so they can see where taxpayers’ money went.

How to protect yourself from government hacking

Hacking human rights workers, journalists, and NGOs has become common practice for governments around the world, according to Amnesty International’s Morgan Marquis-Boire and Electronic Frontier Foundation’s Eva Galperin. In a post for Amnesty International, the two provide a brief history of government hacking and give suggestions for NGOs and human rights organizations to protect themselves.

Taking on Russia’s invasive surveillance

Two Russian Internet service providers are taking the Federal Security Service to court to challenge the surveillance system employed by Russian federal police to spy on Internet use. ISPs play a critical role in making surveillance possible, by installing expensive equipment that provides police access—making this case a significant affront to Russia’s invasive surveillance apparatus.

Telegram in Iran

Messaging app Telegram’s growing influence is being characterized as a major factor in the dissemination and spread of information leading up to Iran’s Feb. 26 parliamentary elections, but the platform’s susceptibility to state manipulation is also becoming more apparent. After the arrest of former BBC journalist Bahman Doroshafaei, the government took over his Telegram account and started to message his contacts. Some believe this was an effort to extract sensitive information or to distribute spyware. Fatemeh Shams, a friend of Doroshafaei, posted the following warning to her Facebook account:

Someone has been talking to me for two hours from Bahman's hacked Telegram account and now is chatting with my friends with my account..If anyone messaged you on Telegram [from my account] please ignore it. I've lost access to my account.

Mahsa Alimardani, Ellery Roberts Biddle, Hae-in Lim and Sarah Myers West contributed to this report.

For more details visit https://cis-india.org/internet-governance/news/global-voices-february-11-2016-netizen-report

World Trends in Freedom of Expression and Media Development

pranesh — 2016-02-17T16:41:28Z

For more details visit https://cis-india.org/internet-governance/blog/world-trends-in-freedom-of-expression-and-media-development

Internet Freedom

Sunil Abraham and Vidushi Marda — 2016-02-15T02:51:10Z

The modern medium of the web is an open-sourced, democratic world in which equality is an ideal, which is why what is most important is Internet freedom.

The article by Sunil Abraham and Vidushi Marda was published by Asian Age on February 14, 2016.

What would have gone wrong if India’s telecom regulator Trai had decided to support programmes like Facebook’s Free Basics and Airtel’s Zero Rating instead of issuing the regulation that prohibits discriminatory tariffs? Here are possible scenarios to look at in case the discriminatory tarrifs were allowed as they are in some countries.

Possible impact on elections

Facebook would have continued to amass its product — eyeballs. Indian eyeballs would be more valuable than others for three reasons 1. Facebook would have an additional layer of surveillance thanks to the Free Basics proxy server which stores the time, the site url and data transferred for all the other destinations featured in the walled garden 2. As part of Digital India, most government entities will set up Facebook pages and a majority of the interaction with citizens would happen on the social media rather than the websites of government entities and, consequently, Facebook would know what is and what is not working in governance 3. Given the financial disincentive to leave the walled garden, the surveillance would be total.

What would this mean for democracies? Eight years ago, Facebook began to engineer the News Feed to show more posts of a user’s friends voting in order to influence voting behavior. It introduced the “I’m Voting” button into 61 million users’ feeds during the 2010 US presidential elections to increase voter turnout and found that this kind of social pressure caused people to vote. Facebook has also admitted to populating feeds with posts from friends with similar political views. During the 2012 Presidential elections, Facebook was able to increase voter turnout by altering 1.9 million news feeds.

Indian eyeballs may not be that lucrative in terms of advertising. But these users are extremely valuable to political parties and others interested in influencing elections. Facebook’s notifications to users when their friends signed on to the “Support Free Basics” campaign was configured so that you were informed more often than with other campaigns. In other words, Facebook is not just another player on their platform. Given that margins are often slim, would Facebook be tempted to try and install a government of its choice in India during the 2019 general elections?

In times of disasters

Most people defending Free Basics and defending forbearance as the regulatory response in 2015/16 make the argument that “95 per cent of Internet users in developing countries spend 95 per cent of their time on Facebook”.

This is not too far from the truth as LirneAsia demonstrated in 2012 with most people using Facebook in Indonesia not even knowing they were using the internet. In other words, they argue that regulators should ignore the fringe user and fringe usage and only focus on the mainstream. The cognitive bias they are appealing to is smaller numbers are less important.

Since all the sublime analogies in the Net Neutrality debate have been taken, forgive us for using the scatological. That is the same as arguing that since we spend only 5% of our day in toilets, only 5% of our home’s real estate should be devoted to them.

Everyone agrees that it is far easier to live in a house without a bedroom than a house without a toilet. Even extremely low probabilities or ‘Black Swan’ events can be terribly important! Imagine you are an Indian at the bottom of the pyramid. You cannot afford to pay for data on your phone and, as a result, you rarely and nervously stray out of the walled garden of Free Basics.

During a natural disaster you are able to use the Facebook Safety Check feature to mark yourself safe but the volunteers who are organising both offline and online rescue efforts are using a wider variety of platforms, tools and technologies.

Since you are unfamiliar with the rest of the Internet, you are ill equipped when you try to organise a rescue for you and your loved ones.

Content and carriage converge

Some people argue that TRAI should have stayed off the issue since the Competition Commission of India (CCI) is sufficient to tackle Net Neutrality harms. However it is unclear if predatory pricing by Reliance, which has only 9% market share, will cross the competition law threshold for market dominance? Interestingly, just before the Trai notification, the Ambani brothers signed a spectrum sharing pact and they have been sharing optic fibre since 2013.

Will a content sharing pact follow these carriage pacts? As media diversity researcher, Alam Srinivas, notes “If their plans succeed, their media empires will span across genres such as print, broadcasting, radio and digital. They will own the distribution chains such as cable, direct-to-home (DTH), optic fibre (terrestrial and undersea), telecom towers and multiplexes.”

What does this convergence vision of the Ambani brothers mean for media diversity in India? In the absence of net neutrality regulation could they use their dominance in broadcast media to reduce choice on the Internet? Could they use a non-neutral provisioning of the Internet to increase their dominance in broadcast media? When a single wire or the very same radio spectrum delivers radio, TV, games and Internet to your home — what under competition law will be considered a substitutable product? What would be the relevant market? At the Centre for Internet and Society (CI S), we argue that competition law principles with lower threshold should be applied to networked infrastructure through infrastructure specific non-discrimination regulations like the one that Trai just notified to protect digital media diversity.

Was an absolute prohibition the best response for TRAI? With only two possible exemptions — i.e. closed communication network and emergencies - the regulation is very clear and brief. However, as our colleague Pranesh Prakash has said, TRAI has over regulated and used a sledgehammer where a scalpel would have sufficed. In CIS’ official submission, we had recommended a series of tests in order to determine whether a particular type of zero rating should be allowed or forbidden. That test may be legally sophisticated; but as TRAI argues it is clear and simple rules that result in regulatory equity. A possible alternative to a complicated multi-part legal test is the leaky walled garden proposal. Remember, it is only in the case of very dangerous technologies where the harms are large scale and irreversible and an absolute prohibition based on the precautionary principle is merited.

However, as far as network neutrality harms go, it may be sufficient to insist that for every MB that is consumed within Free Basics, Reliance be mandated to provide a data top up of 3MB.

This would have three advantages. One, it would be easy to articulate in a brief regulation and therefore reduce the possibility of litigation. Two, it is easy for the consumer who is harmed to monitor the mitigation measure and last, based on empirical data, the regulator could increase or decrease the proportion of the mitigation measure.

This is an example of what Prof Christopher T. Marsden calls positive, forward-looking network neutrality regulation. Positive in the sense that instead of prohibitions and punitive measures, the emphasis is on obligations and forward-looking in the sense that no new technology and business model should be prohibited.

What is Net neutrality?

According to this principle, all service providers and governments should not discriminate between various data on the internet and consider all as one. They cannot give preference to one set of apps/ websites while restricting others.

2006: TRAI invites opinions regarding the regulation of net neutrality from various telecom industry bodies and stakeholdersFeb. 2012: Sunil Bharti Mittal, CEO of Bharti Airtel, suggests services like YouTube should pay an interconnect charge to network operators, saying that if telecom operators are building highways for data then there should be a tax on the highway
July 2012: Bharti Airtel’s Jagbir Singh suggests large Internet companies like Facebook and Google should share revenues with telecom companies.
August 2012: Data from M-Lab said You Broadband, Airtel, BSNL were throttling traffic of P2P services like BitTorrent
Feb. 2013: Killi Kiruparani, Minister for state for communications and technology says government will look into legality of VoIP services like Skype
June 2013: Airtel starts offering select Google services to cellular broadband users for free, fixing a ceiling of 1GB on the data
Feb. 2014: Airtel operations CEO Gopal Vittal says companies offering free messaging apps like Skype and WhatsApp should be regulated
August 2014: TRAI rejects proposal from telecom companies to make messaging application firms share part of their revenue with the carriers/government
Nov. 2014: Trai begins investigation on Airtel implementing preferential access with special packs for WhatsApp and Facebook at rates lower than standard data rates
Dec. 2014: Airtel launches 2G, 3G data packs with VoIP data excluded in the pack, later launches VoIP pack.
Feb. 2015: Facebook launches Internet.org with Reliance communications, aiming to provide free access to 38 websites through single app
March 2015: Trai publishes consultation paper on regulatory framework for over the top services, explaining what net neutrality in India will mean and its impact, invited public feedback
April 2015: Airtel launches Airtel Zero, a scheme where apps sign up with airtle to get their content displayed free across the network. Flipkart, which was in talks for the scheme, had to pull out after users started giving it poor rating after hearing about the news
April 2015: Ravi Shankar Prasad, Communication and information technology minister announces formation of a committee to study net neutrality issues in the country
23 April 2015: Many organisations under Free Software Movement of India protested in various parts of the country. In a counter measure, Cellular Operators Association of India launches campaign , saying its aim is to connect the unconnected citizens, demanding VoIP apps be treated as cellular operators
27 April 2015: Trai releases names and email addresses of users who responded to the consultation paper in millions. Anonymous India group, take down Trai’s website in retaliation, which the government could not confirm
Sept. 2015: Facebook rebrands Internet.org as Free Basics, launches in the country with massive ads across major newspapers in the country. Faces huge backlash from public
Feb. 2016: Trai rules in favour of net neutrality, barring telecom operators from charging different rates for data services.

The writers work at the Centre for Internet and Society, Bengaluru. CIS receives about $200,000 a year from WMF, the organisation behind Wikipedia, a site featured in Free Basics and zero-rated by many access providers across the world

For more details visit https://cis-india.org/internet-governance/blog/asian-age-february-14-2016-sunil-abraham-vidushi-marda-internet-freedom

Concept Note: UNICEF & Nasscom Foundation Workshop on Child Online Protection

praskrishna — 2016-02-14T10:16:34Z

For more details visit https://cis-india.org/internet-governance/blog/concept-note-unicef-nasscom-foundation-workshop-on-child-online-protection