Centre for Internet and Society

Taking Cognisance of the Deeply Flawed System That Is Aadhaar

praskrishna — 2017-05-19T14:52:58Z

Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.

The article by Shreyashi Roy was published in the Wire on May 10, 2017.

With the leak of 130 million Aadhaar numbers recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.

SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.

Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.

The leaks

The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.

He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.

The system

One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.

Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is not being able to distinguish between aliens and citizens and has begun denying the latter benefits.

The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?

The legal aspect

One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.

There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?

Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.

With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?

Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.

What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar

Symposium on Human Rights and the Internet in India

praskrishna — 2015-02-07T00:50:00Z

On January 17, 2015 the Center for Communication Governance at National Law University, Delhi in collaboration with the UNESCO Chair on Freedom of Communication and Information at the University of Hamburg hosted a pubic symposium on “Human Rights and Internet in India” as a Network of Centers (NoC) regional event. Bhairav Acharya was a panelist.

See the concept note here.

The event convened a diverse group of collaborators working on issues of Privacy, Surveillance, Data Protection, Freedom of Expression and Intermediary Liability in India, the surrounding region, and internationally.

Agenda | Saturday, January 17 | Public Symposium

Opening words
Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi
Prof. (Dr.) Wolfgang Schulz, Director, Alexander von Humboldt Institute for Internet & Society

17:45 – 19:00 Panel I: Surveillance & Databases: Experiences & Privacy
The panel will explore how surveillance in India might become more consistent with international human rights standards and Indian constitutional values. It will also discuss the consequences of ubiquitous database programs for citizens’ human rights. This will include comparative perspectives around similar problems and a discussion of privacy-compatible practices in other countries.

Panelists:
Dr. Usha Ramanathan, Independent Law Researcher

Mr. Bhairav Acharya, Lawyer, Supreme Court of India and Adviser Centre for Internet & Society, Bangalore

Mr. Saikat Datta, Editor (National Security), Hindustan Times

Professor KS Park, Former Commissioner, Korea Communications Standards Commission and Professor, Korea University Law School

19:00 – 20:15 Panel II: Unpacking the Intermediary Liability Debate in India
The panel will focus on the legal framework governing Internet platforms in India, especially with regard to online content and its implications for rights of the citizens. It has been argued that the current legal framework creates incentives for online intermediaries to take down content even when no substantive notice or legitimate reasons have been offered. The panel will consider the debate around intermediary liability in India in light of the ongoing litigation at the Supreme Court. It will reflect on the international experience with intermediary liability legislation and discuss how to ensure that laws support an innovative and competitive environment for intermediaries, while ensuring that they prioritize the preservation of their users’ human rights.

Panelists:
Dr. Joris van Hoboken, Fellow, Information Law Institute at NYU School of Law

Professor (Dr.) Wolfgang Schulz, Director, Alexander von Humboldt Institute for Internet & Society (HIIG)

Mr. Raman Jit Singh Chima, Lawyer

Chinmayi Arun and Sarvjeet Singh, Centre for Communication Governance at National Law University, Delhi

For more details visit https://cis-india.org/internet-governance/news/symposium-on-human-rights-and-internet-in-india

Symposium on Data Privacy and Citizen's Rights

Admin — 2018-09-18T15:18:37Z

Shweta Mohandas was a panelist at the Symposium on Data Privacy and Citizen's Rights on September 9, 2018. The Symposium was organised by the Tech Law Forum of NALSAR University of Law, Hyderabad.

Concept Note

The National Academy of Legal Studies and Research (NALSAR) University of Law, Hyderabad is organising a Symposium on DATA PRIVACY AND CITIZEN’S RIGHTS to provide multiple stakeholders one platform to discuss and deliberate on the BN Srikrishna Committee Report and Draft Bill.

The Committee headed by Retd. Justice BN Srikrishna released its Report and Draft Bill on the 27th of July, 2018. It comes at a time when there is increasing discussion about the individual privacy and surveillance by both private organisations and state authorities. Especially in light of the 9-judge Puttaswamy judgment affirming the Fundamental Right to Privacy, there was a need to concretise the right in the form of a statute. The Bill proposes an elaborate data protection framework by utilising concepts such as anonymisation, pseudonymisation, data localisation, guardian data fiduciary, among others. While the Bill has been lauded for providing a data protection framework largely similar to the one proposed by civil society, there are several areas of concern with the Bill such as the amendments suggested to the RTI Act, the impact of the Bill on Free Speech and the lack of substantial provisions regarding surveillance. There has been further criticism that the discussions regarding these issues have been conducted in silos, with little to no dialogue taking place between the various stakeholders and experts in the field.

We believe that there is a need to provide a common forum for these stakeholders to interact with each other in providing suggestions that are representative in nature and nuanced in their expression.

Themes

Privacy and Free Speech This interaction aims to examine the juxtaposition of the constitutional right to free speech and the now constitutionally affirmed right to privacy. Will a new data protection law impact the publication of leaked documents or sting operations like the Radia tapes or Tehelka’s ‘Operation Westend’? If so, how can journalists mitigate the risk of getting sued for breach of privacy? While the jurisprudence concerning the right to privacy is in its most nascent state, it becomes important for us to explore its contours in light of already established constitutional guarantees.

Right to Information and Right to Privacy How does the right to privacy impact the right to information? The guarantee of these two rights arise from diametrically opposite ideologies, in that privacy aims to shield from the public domain information and data concerning individuals and institutions while the right to information aims to promote transparency and disclosure of information held by the state. However, the question remains, is the existence of these two rights necessarily mutually exclusive? Will a new data protection law make it difficult to promote transparency under the Right to Information Act? Is there is a possibility of a clash between the Information Commissions and the proposed Data Protection Authority? This panel would analyze the co-existence and competitive nature of these two rights in the context of the Indian legal space.

Surveillance - As we move towards a form of governance that is increasingly capable of surveilling individual movements and actions, it becomes extremely necessary for us to understand the nature of surveillance. Can data privacy be compromised for surveillance that may be necessary for increased safety in our physical and virtual living spaces? Are there any provisions that protects data in cases of it becoming exploitable? What is the interaction of international statutes (like ICCPR) and the latest Indian statute in terms of its recognition of necessity of surveillance in contrast to the necessity of protection of data.

For more details visit https://cis-india.org/internet-governance/news/symposium-on-data-privacy-and-citizens-rights

Syllabus: “Policy and regulation conducive to rapid ICT sector growth in Myanmar: An introductory course”

praskrishna — 2013-10-24T03:56:31Z

A five-day course is being offered by LIRNEasia in collaboration with Myanmar ICT Development Organization, with support from the Open Society Foundation and the International Development Research Centre of Canada in Myanmar from September 28 to October 5, 2013.

Sunil Abraham will be supporting Prof. Samarajiva on the last optional day of this course in Yangon. Read about the Introductory course on “Policy and regulation conducive to rapid ICT sector growth in Myanmar”

Goal

To enable members of Myanmar civil-society groups (including academics and those from the media) to marshal available research and evidence for effective participation in policy and regulatory processes, thereby improving policy processes and helping achieve the government’s objective of providing ICT access to all.

Outcomes

The objective of the course is to produce discerning and knowledgeable consumers of research who are able to engage in an informed manner in ICT policy and regulatory processes in Myanmar. The course will benefit those working in government and operators as well.

At the end of the course attendees will:

Have an understanding of telecom policy and regulatory processes
Be able to find and assess relevant research & evidence
Be able to summarize the research in a coherent and comprehensive manner
Have the necessary tools to improve their communication skills

- Have some understanding of how media functions and how to effectively interact with media

Assignments

Participants will be formed into teams on Day1. Each group will work on an assignment that addresses both substantive and procedural aspects of law, policy and regulation. Teams will be assigned topic areas that are being developed into regulations under the new Act. They will have to make presentations on what the desirable provisions should be. We will emphasize the procedural aspects as well as the substantive. Disciplined and focused team presentations, preferably using slides, are required.

It is necessary to use the Internet for the assignments. All who have laptops are encouraged to bring them. Arrangements will be made for Internet connectivity at the hotel.

Tentative topic areas

Licensing and authorization regulations
Essential facilities and anti-competitive practices
Universal service policy
Price and quality regulation
Independence of regulatory agency

Course schedule

	Day 1 (September 28)	Day 2 (September 29)	Day 3 (September 30)	Day4 (October 1)	Day 5 (October 2) (optional)
09:00-10:30	S1 Introduction to course: What have been the results of reform & rationale for regulation. Rohan Samarajiva (RS)	S5 Regulatory legitimacy, including procedural legitimacy (RS)	S10 Challenges of monitoring complex license commitments (HG)	S14 How does the Internet work? (TBA)	S16 Internet governance The big picture. Sunil Abraham (SA)
10:30-11:00	Break	Break	Break	Break
11:00-12:00	S2 Interrogating supply-side indicators & research based on them. Helani Galpaya (HG)	S6 Current status of telecom law and policy in Myanmar (RS)	S11 How evidence is used in policy & regulation (panel discussion, KS, RS	S15 The art of media interaction (RS)	S17 Economic & technical interface with telecom industry (RS)
12:00-13:00	S3 Finding information on the web. Roshanthi Lucas Gunaratne (RLG)	S7 Presenting evidence in slides & written submissions (HG)	S12 Essential facilities and anti-competitive practices (RS)	A3 Mock public hearing (RS & panel)	S18 How Internet is governed within India (SA)
13:00-14:00	Lunch	Lunch	Lunch	Lunch
14:00-15:00	A1 Group formation; Assignment explained (HG and RLG)	S8 Licensing and authorization (RS)	A2 Midpoint check on assignment/group work (HG and RLG)	A4 Mock public hearing & critique (RS & panel)	S19 Content regulation (TBA)
15:00-15:30	Break	Break	Break
15:30-17:00	S4 Demand-side research (RS)	S9 Price and quality regulation (RS & HG)	S13 Universal service subsidies: Theory & practice (RS & KS)	Reflection on the course	S20 Surveillance & privacy (SA & RS)
17:00	Group work	Group work	Group work
19:00	Welcome dinner Speaker: TBA

Faculty

Sunil Abraham is the Executive Director of CIS. He is also a social entrepreneur and Free Software advocate. He founded Mahiti in 1998 which aims to reduce the cost and complexity of Information and Communication Technology for the Voluntary Sector by using Free Software. Today, Mahiti employs more than 50 engineers and Sunil continues to serve on the board as a board member. Sunil was elected an Ashoka fellow in 1999 to 'explore the democratic potential of the Internet' and was granted a Sarai FLOSS fellowship in 2003. Between June 2004 and June 2007, he managed the International Open Source Network, a project of the UNDP's Asia-Pacific Development Information Programme serving 42 countries in the Asia-Pacific region. Between September 2007 and June 2008, he also managed ENRAP, an electronic network of International Fund for Agricultural Development projects in the Asia-Pacific facilitated and co-funded by International Development Research Centre, Canada.

Helani Galpaya is LIRNEasia’s Chief Executive Officer. Helani leads LIRNEasia’s 2012-2014 IDRC funded research on improving customer life cycle management practices in the delivery of electricity and e-government services using ICTs. She recently completed an assessment of how the poor in Bangladesh and Sri Lanka use telecenters to access government services. For UNCTAD and GTZ she authored a report on how government procurement practices can be used to promote a country’s ICT sector and for the World Bank/InfoDev Broadband Toolkit, a report on broadband strategies in Sri Lanka. She has been an invited speaker at various international forums on topics ranging from m-Government to ICT indicators to communicating research to policy makers. Prior to LIRNEasia, Helani worked at the ICT Agency of Sri Lanka, implementing the World-Bank funded e-Sri Lanka initiative. Prior to her return to Sri Lanka, she worked in the United States at Booz & Co., Marengo Research, Citibank, and Merrill Lynch. Helani holds a Masters in Technology and Policy from the Massachusetts Institute of Technology, and a Bachelor’s in Computer Science from Mount Holyoke College, USA.

Roshanthi Lucas Gunaratne is a Research Manager at LIRNEasia and is currently managing the Ford Foundation Funded project on Giving Broadband Access to the Poor in India. She is also contributing to the IDRC Customer Lifecycle Management Practices Project by conducting research on customer lifecycle management practices in telecommunication sector in Bangladesh. Before joining LIRNEasia, Roshanthi worked at the Global Fund to fight AIDS, Tuberculosis and Malaria, Geneva, Switzerland as a Strategic Information Officer. She contributed to the process of defining the Global Fund Key Performance Indicators, and also worked on improving the performance measurements of their grants. Prior to that, she worked as a telecom project manager at Dialog Telecom, and Suntel Ltd in Sri Lanka. As Suntel she managed the design and implementation of corporate customer projects. She holds a MBA from the Judge Business School, University of Cambridge, UK and a BSc. Eng (Hons) specializing in Electronics and Telecommunication from the University of Moratuwa, Sri Lanka.

Rajat Kathuria, PhD

Rohan Samarajiva, PhD, is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asian and Pacific economies. He was Team Leader at the Sri Lanka Ministry for Economic Reform, Science and Technology (2002-04) responsible for infrastructure reforms, including participation in the design of the USD 83 million e-Sri Lanka Initiative. He was Director General of Telecommunications in Sri Lanka (1998-99), a founder director of the ICT Agency of Sri Lanka (2003-05), Honorary Professor at the University of Moratuwa in Sri Lanka (2003-04), Visiting Professor of Economics of Infrastructures at the Delft University of Technology in the Netherlands (2000-03) and Associate Professor of Communication and Public Policy at the Ohio State University in the US (1987-2000). Dr. Samarajiva was also Policy Advisor to the Ministry of Post and Telecom in Bangladesh (2007-09).

Koesmarihati Sugondo

Resource Material

infodev, ICT regulation toolkit. http://www.ictregulationtoolkit.org/en/Index.html

infoDev. Broadband strategies toolkit. http://broadbandtoolkit.org/en/toolkit/contents

infoDev (2011). Tenth anniversary telecom regulation handbook. http://www.infodev.org/En/Publication.1057.html

ITU (2011). The role of ICT in advancing growth in least developed countries: Trends, challenges and opportunities. Geneva: ITU. http://www.itu.int/ITU-D/ldc/turkey/docs/The_Role_of_ICT_in_Advancing_Growth_in_LDCs_Trends_Challenges_and_Opportunities.pdf

Samarajiva, Rohan (2000). The role of competition in institutional reform of telecommunications: Lessons from Sri Lanka, Telecommunications Policy, 24(8/9): 699-717. http://www.comunica.org/samarajiva.html

Samarajiva, Rohan (2002). Why regulate?, chapter 2 of Effective regulation: Trends in Telecommunication Reform 2002. Geneva: International Telecommunication Union.

Samarajiva, Rohan (2006). Preconditions for effective deployment of wireless technologies for development in the Asia-Pacific, Information Technology and International Development, 3(2): 57-71. http://itidjournal.org/itid/article/view/224/94

Samarajiva, Rohan & Zainudeen, Ayesha (2008). ICT infrastructure in emerging Asia: Policy and regulatory roadblocks, New Delhi & Ottawa: Sage & IDRC http://www.idrc.ca/en/ev-117916-201-1-DO_TOPIC.html

For more details visit https://cis-india.org/news/policy-and-regulation-conducive-to-rapid-ict-growth-in-myanmar

Surveillance: Privacy Vs Security

praskrishna — 2013-08-19T05:32:55Z

The Foundation for Media Professionals is organizing a debate at the India International Centre, New Delhi on August 17, 2013. Shri Kapil Sibal will give the opening speech. Natgrid chief Raghu Raman is one of the debaters. Pranesh Prakash is participating in this event as a panelist.

This was published by the Foundation for Media Professionals on their website. Also read the blog post by Vivian Fernandes and Ninglun Hanghal.

In the backdrop of the recent disclosures by US defense contractor Edward Snowden about the activity of the National Security Agency (NSA) and reports that NSA may have collaborated with India on surveillance program in the country that have raised concerns about privacy and right of citizens, Foundation for Media Professionals (FMP) in partnership with Friedrich Ebert Stiftung (FES) invited Pranesh Prakash to a panel discussion on "Surveillance: Privacy vs. Security".

Guest Speaker
Kapil Sibal, Union Minister for Communications and Information Technology, Govt. of India

Panelists

Pranesh Prakash, Policy Director, Centre for Internet and Society

Dr. Usha Ramanathan, Independent Law Researcher
Saikat Datta, Resident Editor, DNA
Capt. Raghu Raman, National Intelligence Grid (Natgrid)

Moderator

Paranjoy Guha Thakurta

For more details visit https://cis-india.org/news/foundation-for-media-professionals-august-17-2013-surveillance-privacy-v-security

Surveillance technology companies operating in India - spreadsheet

maria — 2013-04-27T16:29:14Z

The Centre for Internet and Society has started investigating surveillance technology companies operating in India! This spreadsheet entails the first 77 companies which are being researched.

For more details visit https://cis-india.org/internet-governance/blog/surveillance-technology-companies-operating-in-india

Surveillance Technologies (Table 2)

praskrishna — 2013-05-09T10:22:41Z

For more details visit https://cis-india.org/internet-governance/blog/table-2.pdf

Surveillance Technologies (Table 1)

praskrishna — 2013-05-09T10:02:56Z

For more details visit https://cis-india.org/internet-governance/blog/table-1.pdf

Surveillance Technologies

elonnai — 2012-03-22T05:40:24Z

The following post briefly looks at different surveillance technologies, and the growing use of the them in India.

Surveillance...

New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens life. They need to monitor phones, look through emails, peer into files – in-order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.

...In a Car? On the Street? In an Airport?

Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance the use of full body scanners at airports, or trucks equipped with scatter x-ray machines used to control crime in neighborhoods - is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.

...In the Movie Theater????..for Marketing Purposes????

Surveillance technology has now been taken even another step further. No longer is it being just used to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance the security company Aralia Systems manufacturers products such as: CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alerts the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies, the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers personal privacy.

Is this technology in India?

Though behavioral monitoring and piracy technologies such as ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personel check your handbag or back pack for camcorders. According to a Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a persons privacy?

Sources

http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms
http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article
http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs
http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2

For more details visit https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies

Surveillance Tec

praskrishna — 2013-05-07T10:31:27Z

Surveillance Tech

For more details visit https://cis-india.org/home-images/surveillancetechpic.jpg

Surveillance Talk

praskrishna — 2018-10-31T01:38:24Z

Surveillance Talk

For more details visit https://cis-india.org/home-images/Abraham.jpg

Surveillance Stories: Optimizing rights and governance

Admin — 2018-10-31T01:39:56Z

Sunil Abraham gave a talk at the National Centre for Biological Sciences, Tata Institute of Fundamental Research, Bangalore on October 16, 2018. Sunil used a series of stories to explain how surveillance works and fails in the context of theft, murder, insider trading, terrorism, demonetization and encounter killings.

These stories were used to explore multiple technical solutions for solving the “surveillance optimization problem”. Policy makers have to simultaneously maximize various rights — the right to privacy, the right to transparency, the right to free speech — and uphold the imperatives of the nation state: national security, law enforcement and effective governance.

Two decades ago, Lawrence Lessig introduced a socioeconomic theory of regulation called the ‘pathetic dot theory’, which discusses how individuals in a society are regulated by four forces — law, code or technical infrastructure, market and social norms. The talk will explore how these four regulatory options contribute to solving the surveillance optimization problem.

This was published on the website of National Centre for Biological Sciences

For more details visit https://cis-india.org/internet-governance/news/surveillance-stories-optimizing-rights-and-governance

Surveillance rises, privacy retreats

praskrishna — 2015-05-02T06:43:33Z

WikiLeaks founder Julian Assange and former US National Security Agency contractor Edward Snowden have, at considerable personal cost, revealed how surveillance has eroded the private space in a world driven by digital technology.

The article was published in the Business Standard on April 12, 2015. Sunil Abraham is quoted.

In India, the extent of surveillance became evident after Union human resource development minister Smriti Irani walked into the trial room of a FabIndia outlet in Goa last week, only to discover closed-circuit television (CCTV) cameras pointed towards the trial room. The country woke up to the porous divide between privacy and surveillance.

Now, senior officials of FabIndia find themselves embroiled in a case of voyeurism and seven of them have taken interim anticipatory bail from a district court. They claim the CCTV cameras were in the retail area, not the trial room.

The FabIndia incident might have blown the lid on how flimsily our privacy is protected but there is no doubt that India is slowly but surely moving towards a surveillance regime, both in the private and the public spheres.

“After the Snowden episode, there are only two kinds of nations: Ones that know they are being watched, and others that don’t,” said Pavan Duggal, an advocate at the Supreme Court of India.

Despite the surge in surveillance, there are hardly any specific laws governing this.

A few laws
In 2000, India enacted the Information Technology Act, primarily to bring e-commerce under legal framework. After the Mumbai terrorist attack in 2008, the Act was amended, to give the government sweeping powers for mass surveillance.

In the context of private surveillance, the 2008 amendment added two definitions: (a) communication device; (b) intermediary.

A communication device, according to the law, means cell phones, personal digital assistance, or a combination of both or any other device used to communicate, send or transmit any text, video, audio, or image. An intermediary was defined as any person who, on behalf of another person, stores or transmits message or provides any service with respect to that message.

Rules regarding CCTV surveillance are governed by the IT Act, 2008, as CCTVs are considered to be communication devices, with computerised memory. However, the laws in relation to a communication device and intermediary deal mostly with third-party data sharing.

“Article 21 of the Constitution guards the right to privacy as a Fundamental Right. We do not have an explicit Act in this regard, but Section 43A of the IT Act, 2000, along with the IT Rules, 2011, protects data privacy in India,” said Prashant Mali, a cyber law and cyber security lawyer.

There were no amendments of the laws governing CCTVs.

However, Section 66E of the IT Act, states: “Whoever, intentionally or knowingly, captures, publishes or transmits, the image of a private area of any person, without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment, which may extend to three years, or with a fine not exceeding Rs 2 lakh, or both, with explanation.”

“The IT Act is not a privacy enabling law. Hence, the challenges to privacy in surveillance are not fully addressed in it,” said Duggal.

Internationally, there are more stringent laws governing CCTV cameras. For example, in the UK, there is a prescribed code. A person filmed by a surveillance camera can seek the footage. In the US, too, there are state-specific laws which prohibit the unauthorised installation or use of cameras in private places, like restrooms and trial rooms.

“Privacy laws must be compliant with international practices. Laws governing CCTVs should be more comprehensive. It should not be specific to voyeurism,” said Sunil Abraham, the executive director of Bengaluru-based research organisation, the Centre for Internet and Society.

The government has been working on a Privacy (Protection) Bill, which provides safeguards on personal data of individuals and sets conditions under which surveillance is allowed. It is expected that the Bill will lead to the creation of the offices of privacy commissioner and data protection commissioner. However, it is mostly silent on laws governing CCTV usage.

“In India, the concern over enacting privacy laws, implementing them and our understanding of privacy are low, compared to the global context. The Privacy Protection Bill, 2013 is pending before Parliament. When this gets enacted, our laws would be at par with those in the West,” said Mali. “But doubts remain about their implementation.”

Government surveillance
Amendments to the IT Act in 2008 gave the government wide powers of interception, encryption and blocking. The amendment introduced Section 66A, which made sending “offensive” messages through a computer or any other communication device, such as a cell phone or a tablet, a punishable offense.

The Supreme Court recently struck down the provision as infringing the constitutional right of freedom of speech.

“Every nation is under the classical dilemma to balance national security with privacy and freedom of expression. Always, when there is a conflict between the two, national security wins hands down. However, apart from international consensus, we need customise national solutions,” said Duggal.

Today, some of the biggest government projects based on the powers vested to it under the IT Act. It has enabled the progression of surveillance procedures like the Central Monitoring System (CMS) and National Intelligence Grid (Natgrid), enabled through information on Aadhar card or unique identification number.

The CMS gives the government access to records of any mobile to landline calls, to read private emails, texts, and even browsing history through telecom operators. Natgrid could make the information available to nearly 11 central agencies.

“It is reported that the CMS can monitor close to 900 million people at one go. There is neither confirmation nor denial from the government,” said Duggal. However, compared to the US and China, that practice blanket surveillance, India is still considered a low-surveillance category nation.

“India is still low on surveillance. In India, we have targeted surveillance. At any given point in time, less than 200,000 phone calls are being intercepted. Not more than a couple of lakh of surveillance orders are given by both state and central governments,” said Abraham.

Surely, with so many surveillance devices around, it is a closely watched world like never before.

SALIENT FEATURES ON PRIVACY IN THE IT ACT, 2008

Communication Device: Cell phones, personal digital assistance, or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image
Intermediary: Any person, who on behalf of another person, stores or transmits messages or provides any service
Sections 66A to 66F: Added to Section 66, prescribing punishment for offences such as sending obscene messages, identity theft, cheating by impersonation using computer resources, violation of privacy and cyber terrorism
Section 69: Amended to give power to the state to issue directions for interception or monitoring or decryption of any information through any computer resource
Sections 69A and B: These grant power to the state to issue directions for blocking public access of any information through any computer resource and to authorise to monitor and collect traffic data or information through any computer resource for cyber security.

For more details visit https://cis-india.org/internet-governance/news/business-standard-namrata-acharya-april-12-2015-surveillance-rises-privacy-retreats

Surveillance Project

sunil — 2016-04-05T15:21:27Z

The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

For more details visit https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project

Surveillance in the name of Security

praskrishna — 2018-12-11T13:47:11Z

Surveillance in the name of Security

For more details visit https://cis-india.org/home-images/SurveillanceinthenameofSecurity.jpg