Centre for Internet and Society

Call for submissions: The Surveillance Industry and Human Rights.pdf

karan — 2019-02-20T10:46:58Z

For more details visit https://cis-india.org/internet-governance/resources/the-surveillance-industry-and-human-rights.pdf

CIS Submission to the UN Special Rapporteur on Freedom of Speech and Expression: Surveillance Industry and Human Rights

2019-02-20T10:48:24Z

CIS responded to the call for submissions from the UN Special Rapporteur on Freedom of Speech and Expression. The submission was on the Surveillance Industry and Human Rights.

CIS is grateful for the opportunity to submit the United Nations (UN) Special Rapporteur on call for submissions on the surveillance industry and human rights.1 Over the last decade, CIS has worked extensively on research around state and private surveillance around the world. In this response, individuals working at CIS wish to highlight these programs, with a special focus on India.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/cis-submission-to-the-un-special-rapporteur-on-freedom-of-speech-and-expression-surveillance-industry-and-human-rights

Submission to UN High Level Panel on Digital Cooperation

Admin — 2019-02-19T00:55:04Z

For more details visit https://cis-india.org/internet-governance/files/submission-to-un-high-level-panel-on-digital-cooperation

2019 International Asia Conference

Admin — 2019-02-19T00:23:43Z

ITECHLAW organized the 2019 edition of International Asia Conference at JW Marriott hotel in Bangalore on January 31, 2019 and February 1, 2019. Sunil Abraham was a panelist in the session "Policy Making for the Emerging Tech in India".

The rush of emerging technologies of Machine Learning, Internet of Things (IoT) and Virtual Reality (VR) is revolutionising the landscape in which humans exist. Innovators of the generation are ambitious, and their contributions have significantly impacted on various fields like healthcare, media and entertainment, agriculture, and other service models. As these technology advancements are driving new business and service models, there is a need for stakeholders and governments to ensure security and stability of the market without stifling innovations, stigmatising incentives or creating obstacles. Rapid spreading technology applications are resulting in drastic changes in today’s regulatory model, posing the difficult challenges for regulators. In India, the expeditiously developing start-up ecosystem and online consumer base, has stirred the regulators.

Intermediary liability, surveillance, data and privacy, digital taxation, data governance and sovereignty are the dominating debatable topics in India. The debates are not only between regulators and stakeholders, but consumers also joining in it. As the competition between Indian and Foreign Technology intensifies in the turf, the debate on tech-policy is considerably being mentioned in run-up of political parties to the general elections as well. Over the past one year, the country has witnessed some landmark judgments and contentious government proposals related to data and privacy, implications of which have affected over-the-top (“OTT”) services, online media, social media, e-commerce platforms, IoT services etc. The Indian regulatory framework on tech-policy is becoming stricter due to a very disruptive phase last year. The tech-giants like Facebook, Google, Twitter, and Amazon are themselves realising their enormous market influence. After the episodes of lynching, hate speeches etc., they are participating in policy-making efforts related to fake news and digital malfeasance. In this process legal industry is making considerable lobbying efforts for corporations to work with government to curb the menace of digital malpractice and make the internet safer.

As the legal industry is participating in the process of creating an innovators-friendly regulatory regime, they are also striving to understand the disruptive technologies and adopt them for their own convenience. However, legal firms must understand that the technology cannot do their job for clients but can only upgrade the business model for them. The traditional law firm business model is not in sync with legal buyers. Effective deployment of technology will ameliorate the factor of its approachability to its clients.

With the growing technology-based start-ups in India, it is going to be a hub for investments by big corporations. In order to keep attracting the investors there is a need for government to remove the potential hindrances that may make investors double-think. The government should prepare a level-playing field in the market by making citizens aware of the standard tech-policies and fostering the innovators-friendly regulatory regime.

For more info see the website

For more details visit https://cis-india.org/internet-governance/news/2019-international-asia-conference

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india

What the government's draft IT intermediary guidelines say

Admin — 2019-02-13T00:31:29Z

Intermediaries will have to hand over to government agencies any information within 72 hours. Intermediaries will have to use automated tools to trace the person posting unlawful content.

The article by Abhijit Ahaskar was published in Livemint on February 12, 2019. CIS research was quoted.

With voices for regulating tech companies getting stronger in the wake of growing incidence of fake news being circulated through social media platforms, the Ministry of Electronics and Information Technology (MEITY) of India has decided to re-examine the Information Technology (IT) Intermediary Guidelines, 2011, under the IT Act, 2000.

Setting the wheel in motion, the ministry proposed a draft called Information Technology Intermediaries Guidelines (Amendment), 2018, and released the recommendations on its website for public comments in December 2018. The first round of comments ended on 31 January, 2019 and was made public last week. The second round of comments and counter-comments will close on 14 February, 2019.

What the draft proposes

The term intermediary refers to all tech companies that are hosting user data or are providing users with a platform for communication. This brings all internet, social media, telecom companies in its ambit.

The draft amendment proposes that intermediaries will have to hand over to governmentagencies any information that might be related to cyber security, national security and related with the investigation, prosecution or prevention of an offence, within 72 hours.

They will have to take down or disable content considered defamatory or against national security under Article 19 (2) of the Constitution within 24 hours on being notified by the appropriate government or its agency in addition to using automated tools to identify, remove and trace the origin of such content. Intermediaries with over 55 lakh users will be required to have a permanent registered office with physical address and a senior official who would be available for coordination with law enforcement agencies.

Concerns over the draft guidelines

Microsoft notes that the problem MEITY is trying to address is of fake news. “Existing regulations provide enough powers to work with social media platforms. There may be a case to bring out additional guidelines for certain types of intermediaries like social media platforms. There may also be a case to strengthen other laws which make the punishment of fake news and misuse of social media stringent. The focus should be on the perpetrators of the crime rather than the intermediaries," it has said in response to the guidelines. Regarding deployment of tools to proactively identify and remove unlawful content, Microsoft cautions that intermediaries will have to monitor all content passing through their systems for this, which is a violation of their individual privacy and right to freedom of expression. It will also be technically impractical due to the high cost of deploying such tech.

According to Broadband India Forum, one of the grounds for the Supreme Court striking down Section 66A of the IT Act, 2000, in Shreya Singhal vs Union of India was the vagueness of the terms used in the provision, such as offensive, menacing and dangerous, which invaded the right of free speech. However, words with a similar level of vagueness, such as grossly harmful, harassing and hateful exist in the proposed draft.

The Centre for Internet and Society (CIS) pointed out that existing laws provide enough teeth to the Indian agencies to act. For instance, Section 505 of the IPC has provisions to penalise disinformation while Sections 290 and 153A of the IPC have provisions if the disinformation is being used to create communal strife. CIS has also flagged the scope of the term unlawful as it is not clearly defined, leaving room for broad interpretation. On the traceability clause, CIS draws attention to the lack of clarity on whether it applies on just social media platforms and messaging services or all intermediaries.

This can be a bit of problem for ISPs which may have no access to contents of an encrypted communication sent and received on its network.

Threat to privacy

The traceability clause, which requires intermediaries to use automated tools to trace the person posting unlawful content, came in for a lot of criticism. While the Ministry in an official tweet in January 2018 clarified that it only requires intermediaries to trace the origin of messages which lead to unlawful activities without breaking encryption, experts believe it isn’t possible without lowering encryption standards or building a backdoor to access encrypted communications.

Amnesty International slammed the clause, arguing, “While governments can legitimately use electronic surveillance to protect people from crime, forcing companies to weaken encryption will affect all users’ online privacy. Such measures would be inherently disproportionate, and therefore impermissible under international human rights law."

Wipro in its response rues such a traceability requirement could lead to breaking of encryption on apps such as WhatsApp and Signal, and this will be a major threat to the privacy rights of citizens as enshrined in the Puttaswamy judgment of the Supreme Court.

Undue burden on small companies

Commenting on the 72 hours timeline for furnishing user data, the Internet Freedom Foundation says that such short deadline for compliance can only be fulfilled by large social media platforms. This might make smaller companies over compliant to government demands for immunity resulting in a total disregard for user privacy.

Regarding taking down of unlawful content, technology policy researchers form National Institute of Public Finance & Policy (NIPFP) caution that overzealous implementation along with over reliance on technological tools for the detection of unlawful content would lead to the curtailment of online speech. They pointed out the instance where Facebook had removed posts documenting the ethnic cleansing of Rohingyas as it had classified Rohingya organisations as dangerous militant groups.

For more details visit https://cis-india.org/internet-governance/news/livemint-abhijit-ahaskar-february-12-2019-what-the-governments-draft-it-intermediary-guidelines-say

Intermediary Liability Rules 2018.pdf

karan — 2019-02-07T07:32:23Z

For more details visit https://cis-india.org/internet-governance/resources/Intermediary%20Liability%20Rules%202018.pdf

Submission to UN High Level Panel on Digital Co-operation.pdf

karan — 2019-02-07T07:18:44Z

For more details visit https://cis-india.org/internet-governance/submission-to-un-high-level-panel-on-digital-co-operation.pdf

Dissent on Aadhaar: New book highlights limitations of ID project, legal and tech opposition to it

Admin — 2019-02-02T13:13:07Z

In 2010, a year after the UIDAI was constituted, three of its functionaries visited internationally-renowned developmental economist Professor Reetika Khera.

The article by Partha P Chakrabartty was published in First Post on February 2, 2019.

They were hoping to get her endorsement on how Aadhaar would prove ‘transformational’ for reducing corruption in social schemes like PDS and NREGA. Khera writes, ‘Upon reading their policy documents on PDS and NREGA, I was aghast because they betrayed a complete lack of understanding of the problem they were trying to address’. What had begun as a PR exercise by the UIDAI ended up creating one of its most acute critics. Professor Khera’s latest salvo, Dissent on Aadhaar: Big Data Meets Big Brother, has just been published by Orient BlackSwan, and is on shelves now.

Dissent on Aadhaar, edited by Professor Khera, brings together in one volume an array of experts commenting on the universal ID project. Given its many facets, she has included Anumeha Yadav, a journalist, who has been tirelessly reporting on Aadhar from the field; economists, including the celebrated Jean Drèze; lawyers, including civil liberties expert Dr Usha Ramanathan; and technologists like Sunil Abraham, of Mozilla Foundation and the Center for Internet and Society. The book is rounded off by international experts comparing Aadhaar to digital/universal ID projects in other countries. The picture they paint is not rosy.

‘Dissent’ on Aadhaar might not seem new to us, the English-speaking population of India. We all remember the storm of tweets and memes when Aadhaar was declared mandatory for everything from bank accounts to a mobile phone connection. We also saw through the September 2018 Supreme Court verdict, where Aadhaar was ruled optional for opening a bank account, but secretly remained mandatory due to its link with the PAN card. While some of the themes mentioned in this book, like concerns over privacy, have filtered down to our conversations, the book reveals that we haven’t even begun to scratch the surface.

Khera debunks the prevailing popular wisdom around Aadhaar in the opening chapters, sometimes even using the Government’s own data. Was Aadhaar necessary to create because there were many Indians without a legal ID? Aadhaar data says, only 0.03 percent of Aadhaar enrollments were by people without existing IDs, using the ‘introducer’ system. Were existing IDs compromised, necessitating an overhaul of our national ID systems? If so, how is it that those very compromised IDs were used to create the Aadhaar database? And what of the loopholes in the Aadhaar system, like cards for dogs and gods? These egregious pranks may have been caught, but what of less obvious aberrations?

Does Aadhaar prevent fraud? Here, Khera points out there are three kinds of fraud: identity fraud, eligibility fraud, and quantity fraud; Aadhaar only provides some measure of protection against the first. Khera’s previous studies have shown that the most prominent kind of fraud in India’s social schemes is quantity fraud. Even eligibility fraud, where citizens claim benefits reserved for others, cannot be checked by Aadhaar, as eligibility depends upon a separate set of documents.

Finally, does Aadhaar ease access to government schemes and benefits for the poorest? Here, what has seemed farcical quickly becomes tragic.

In a country where basic infrastructure in terms of electricity and mobile phone connections is poor, can a digital ID system like Aadhaar really ease the process of disbursement? Anumeha Yadav provides the on-ground reality — in Bhim Block, Rajsamand District, Rajasthan, 1,799 pensioners were declared dead because they failed to open Aadhaar-linked bank accounts in time. A door-to-door campaign conducted by the Mazdoor Kisan Shakti Sanghatan found that 1,308 of these were actually alive, and had been denied their rightful pensions. Yadav quotes a Dainik Bhaskar estimate that 1 lakh of Rajasthan’s 2.97 lakh pensioners had been inaccurately declared dead.

If these ideas are so far off the mark, how did they come to take root in our minds? How come there was no meaningful opposition to prevent this Himalayan blunder? Khera quotes the father of Aadhaar himself, Nandan Nilekani, who outlined his three-point strategy to overwhelm opposition: Do it quickly, do it quietly, and build a coalition of powerful interests who will overpower any opposition.

Nilekani’s strategy worked beautifully. A damning 2011 Parliamentary Standing Committee on Finance Report, which deemed UIDAI categorically unacceptable, was mostly ignored. The Rajya Sabha’s concerns and suggested amendments were circumvented by passing off the Aadhaar bill as a Money bill (requiring passage only in the Lok Sabha), even though its ambit was much wider than just allotment of financial resources. The Supreme Court itself had a lone dissenter, Justice Chandrachud, who published a note to that effect.

Opposition has not come just from activist, legal and parliamentary sources. Sunil Abraham, a technologist, speaks of the many alternatives UIDAI had to its present system of a centralised biometric database, and its many vulnerabilities, including the theft of data, and the difficulty of correcting input errors. An alternative would have been to have smart cards that stored encrypted biometric information on the card itself, instead of in a centralised database; a conjunction of card-and-fingerprint would make the system secure from identity fraud. Abraham warns of high-resolution cameras that can be used by governments and private interests to identify fingerprints even at a distance, for instance of protestors in a marching crowd.

But what happened when Abraham’s Centre for Internet and Society (CIS) published a report stating the Government had inadvertently leaked millions of identification numbers? The Government sent them several legal notices. A researcher from CIS also spoke of visits from officials from the Home Ministry and from the police. One policeman even asked the researcher, ‘How was that trip to Turkey?’, demonstrating the extent of their surveillance.

If Aadhaar was not created for all the things the UIDAI claimed, what was its true intent? We can guess from the way Aadhaar insiders, like ex-Chief Product Manager Vivek Raghavan, who ‘volunteered’ for Aadhaar between October 2010 and June 2013, went on to found Khosla Labs, with its for-profit Aadhaar Bridge product. When the Supreme Court struck down the sharing of Aadhaar data with private companies in its September 2018 judgment, private interests dropped their masks and have started campaigning for a reversal. Dr Usha Ramanathan covers this in her chapter, making sense of the new, hybrid public-private entity that UIDAI represented, and its consequences.

And what did the government get out of it? Considering how it used its existing might to harass CIS, can you imagine what its expanded capabilities with Aadhaar will achieve for anyone who critiques their functioning? And how many critics who see something wrong in policy or execution will hesitate before saying something for fear of persecution? This ‘chilling effect’ is already spreading — just speak to anyone who critiques the government, and how often they have been advised to stop doing so.

Many of the big battles when it comes to Aadhaar have already been lost. 1.2 billion people have yielded up their biometric information; Aadhaar, which had started off as voluntary, has become mandatory to access basic rights of citizenship, and this has been upheld by the Supreme Court; India has ignored best practices from other countries and lessons from other such attempts, and has therefore squandered a historic opportunity to do this digital ID right.

Far though this juggernaut has rolled, the experts in this book are still offering warnings; while there has been substantial harm already, especially to the rural poor and the elderly, the worst damage is yet to occur. While the State has power to gain from defending UIDAI, and private interests have millions in profits to reap, the scholars and activists in this book have no millions to make, and are indeed staking both their personal safety, and their professional reputations in putting forward a narrative that goes so far against the dominant one. I trust readers will give their thoroughly-researched essays a fair hearing.

The writer wishes to acknowledge the contribution of Prasun Chakrabartty in researching and clarifying this piece.

For more details visit https://cis-india.org/a2k/news/first-post-partha-p-chakrabartty-february-2-2019-dissent-on-aadhaar

January 2019 Newsletter

praskrishna — 2019-03-03T16:34:21Z

The Centre for Internet & Society (CIS) welcomes you to the first issue of its e-Newsletter for 2019.

The CIS newsletter aims to highlight developments in copyright and patent, free speech and expression, privacy, cyber security, telecom, etc. as well as Industry 4.0, big data, additive manufacturing and so on which are revolutionizing and moving the digital world forward. Through this newsletter we look to engage you with our research and build a strong bond by bringing you insightful articles and blog posts which will be beneficial for you and your business. Throughout the year we will send you stories and insights from our board, staff and community leaders. We welcome your feedback, suggestions or comments regarding our newsletter or any other aspect of our research.

Welcome to r@w blog!

CIS researchers@work programme (RAW) is delighted to announce the launch of its new blog hosted on Medium. The RAW blog will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society. The blog will also feature highlights and materials from ongoing research and events at the researchers@work programme.

Highlights for January 2019

Ambika Tandon and Aayush Rathi have produced a research paper that contextualises the narrative around Industry 4.0 and the future of work with reference to the female labour force in India.
Gurshabad Grover, Nikhil Srinath and Aayush Rathi (with inputs from Anubha Sinha and Sai Shakti) presented a response to the Telecom Regulatory Authority of India’s Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services. CIS appreciates the continual efforts of TRAI to have consultations on the regulatory framework that should be applicable to OTT services and Telecom Service Providers (TSPs).
Pranesh Prakash, Karan Saini and Elonnai Hickok authored a policy brief that recommends several changes pertaining to current legislation, policy and practice to the Government of India regarding coordinated vulnerability disclosure (“CVD”) for improving the overarching information and cyber security posture of the country.
The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe opened a public comment procedure to solicit comments and obtain additional feedback. Arindrajit Basu, Gurshabad Grover and Elonnai Hickok responded to the public call-offering comments on all six norms and proposing two further norms.

CIS and the News

The following news pieces were authored by CIS and published on its website in January:

How to make EVMs hack-proof, and elections more trustworthy (Pranesh Prakash; Times of India; December 9, 2018).
Registering for Aadhaar in 2019 (Sunil Abraham; Business Standard; January 2, 2019).
The DNA Bill has a sequence of problems that need to be resolved (Shweta Mohandas and Elonnai Hickok; Newslaundry; January 15, 2019).
India should reconsider its proposed regulation of online content (Gurshabad Grover; Hindustan Times; January 24, 2019). Akriti Bopanna and Aayush Rathi provided feedback for the article.
India’s proposed new internet bill is as repressive as the worst of Chinese laws (Nishant Shah; Indian Express; January 27, 2019).

CIS in the News

CIS was quoted in these news articles published elsewhere:

Creeped out by Netflix's 'You'? Here's how you can avoid online stalkers, data thieves (Sanyukta Dharmadhikari; The News Minute; January 10, 2019).
Civic activism over WhatsApp and stories of and from cab drivers are part of a new narrative in Bengaluru (Sowmya Rajaram; Bangalore Mirror; January 13, 2019).
They know where you are (Tini Sara Anien; Deccan Herald; January 17, 2019).
Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears (Nishant Sharma; Bloomberg Quint; January 16, 2019).
Is the viral #10YearChallenge just another sneaky way for tech firms to gather users’ personal data? (Devarsi Ghosh; Scroll.in; January 18, 2019).
Google Gives Wikimedia Millions—Plus Machine Learning Tools (Wired; January 22, 2019).
New movies lose out due to piracy (Surupasree Sarmmah; Deccan Herald; January 23, 2019).
Submitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data (Vidya Raja; Better India; January 24, 2019).
India’s largest bank SBI leaked account data on millions of customers (Zack Whittaker; Tech Crunch; January 30, 2019).
Open standards can disrupt Facebook’s messaging monopoly (Abhimanyu Ghoshal; The Next Web; January 30, 2019).
Conmen seed fake phone numbers in Google to trap people looking for customer care details (Tushar Kaushik; Economic Times; January 30, 2019).
Amazon and Walmart are about to take a big hit in India (Q13 Fox; January 31, 2019).

Internet Governance

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

Cyber Security

Submission

Response to GCSC on Request for Consultation: Norm Package Singapore (Gurshabad Grover, Arindrajit Basu and Elonnai Hickok; January 22, 2019).

Policy Brief

Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India (Pranesh Prakash; Karan Saini and Elonnai Hickok; January 23, 2019).

Privacy

Submission

CIS Submission to UN High Level Panel on Digital Co-operation (Aayush Rathi, Ambika Tandon, Arindrajit Basu and Elonnai Hickok; January 30, 2019).

Gender

Research Paper

A Gendered Future of Work (Ambika Tandon and Aayush Rathi; December 19, 2018).

Event Organized

RFCs We Love meetup (Organized by CIS and India Internet Engineering Society; CIS, Bangalore; January 19, 2019).

Events Participated / Partnered In

Webinar on the draft Intermediary Guidelines Amendment Rules (Organized by CCAOI and the ISOC Delhi Chapter; New Delhi; January 10, 2019). Gurshabad Grover was a discussant in the panel.
MediaNama roundtables on intermediary liability rules (St. Marks Hotel, Bangalore; January 25, 2019). CIS was a community partner. Gurshabad Grover participated in the meeting.
DSCI's Bangalore chapter meet (Organized by Data Security Council of India; Bangalore; January 29, 2019). Karan Saini and Gurshabad Grover participated in the meet.

Telecom

The growth in telecommunications in India has been impressive. While the potential for growth and returns exist, a range of issues need to be addressed for this potential to be realized. One aspect is more extensive rural coverage and the second aspect is a countrywide access to broadband which is low at about eight million subscriptions.

Submission

Response to TRAI Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services (Gurshabad Grover, Nikhil Srinath and Aayush Rathi with inputs from Anubha Sinha and Sai Shakti; January 10, 2019).

Researchers at Work (RAW)

The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Announcement

Internet Researchers' Conference 2019 (IRC19): #List, Jan 30 - Feb 1, Lamakaan (P.P. Sneha; January 9, 2019).

About CIS

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/january-19-newsletter

GCSC_RFC-CIS.pdf

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-22T08:12:38Z

For more details visit https://cis-india.org/response-to-gcsc-on-request-for-consultation-norm-package-singapore

CPC Gathering Agenda

Admin — 2019-01-20T02:42:40Z

For more details visit https://cis-india.org/internet-governance/files/cpc-gathering-agenda.pdf

Response to the Consultation Paper on Regulatory Framework for Over-The-Top (OTT) Communication Services

Gurshabad Grover, Nikhil Srinath and Aayush Rathi — 2019-01-11T15:59:59Z

For more details visit https://cis-india.org/internet-governance/files/response-to-the-consultation-paper-on-regulatory-framework-for-over-the-top-ott-communication-services

Welcome to r@w blog!

sneha-pp — 2019-01-02T11:48:04Z

We from the researchers@work programme at the Centre for Internet and Society (CIS) are delighted to announce the launch of our new blog, hosted on Medium. It will feature works by researchers and practitioners working in India and elsewhere at the intersections of internet, digital media, and society; and highlights and materials from ongoing research and events at the researchers@work programme.

r@w blog: Visit (Medium)

A space for reflections on internet and society, r@w blog is also an attempt to facilitate conversations around contemporary debates and foster creative engagement with research and practice through text, images, sounds, videos, code, and other media forms offered by the internet.

r@w blog opens with an essay on ‘Information Offline: Labour, Surveillance, and Activism in the Indian IT & ITES Industry’ by Rianka Roy - as part of an essay series exploring social, economic, cultural, political, infrastructural, and aesthetic dimensions of the "offline" - and audio recording from a session titled #ILoveYou by Dhiren Borisa and Dhrubo Jyoti, which was part of the Internet Researchers’ Conference 2018 - #Offline.

We will publish our (including commissioned/supported) writings and works on this blog, as well as submitted and compiled materials. Please write to raw[at]cis-india[dot]org to submit your works to be considered for publication. Copyright to all material published on this blog are owned by CIS and author(s) concerned, and they are shared under Creative Commons Attribution 4.0 International license.

For more details visit https://cis-india.org/raw/welcome-to-raw-blog

The constitutionality of MHA surveillance order

nehaa — 2018-12-31T14:06:04Z

The rules require review committees to examine all surveillance orders issued under this section every couple of months.

The article by Nehaa Chaudhari was published in Asian Age on December 30, 2018.

The MHA notification authorising 10 agencies to intercept, monitor and decrypt “any information” generated, transmitted, received or stored in “any computer” has kicked up a row. One section calls it electronic surveillance at the behest of the Big Brother. This time the qualitative difference is data stored anywhere, not just data in motion, can be intercepted.

Privacy is a fundamental right in India. Nine Supreme Court judges agreed on this in late August, last year. It is “the constitutional core of human dignity” and flows primarily from the “guarantee of life and personal liberty” of our Constitution, they said, in the case of K.S.Puttaswamy vs Union of India. This meant two rules for the Indian state. Rule number 1.) Do not intrude upon a citizen’s right to life and personal liberty; and rule number 2.) Take all necessary steps to safeguard individual privacy.

However, because no fundamental right is absolute, the Indian state is allowed to deviate from rule number 1 in certain situations. It can restrict individual privacy provided that it first fulfills three conditions: The restriction must be backed by law; it must be for a legitimate state aim; and, it must be proportionate.

All laws (including existing ones) and government actions, with consequences for individual privacy, must meet the three conditions listed above to be valid.

Those that fail to do so are unconstitutional, and must be suitably amended, or will be struck down, as was the case with Section 377 of the Indian Penal Code, earlier this year. Section 69 of the Information Technology Act, under which the Ministry of Home Affairs has issued its recent surveillance order, warrants similar scrutiny.

Section 69 empowers the Centre and all state governments to authorise any of their officers to surveil citizens’ electronic communications and information. They may do so for any of the reasons laid down in the same section, including India’s sovereignty, integrity, defence, security and foreign relations, or public order, or to prevent the incitement of certain offences, or to investigate any offence. Government orders issued under this section must be reasoned, and in writing. These orders, and the resultant surveillance activity, must follow the procedure laid down in a set of rules framed under the Information Technology Act in 2009. The rules require review committees to examine all surveillance orders issued under this section every couple of months. The review committee at the Centre examines the Union government’s surveillance orders, while state governments’ orders are examined by committees at their respective states. But, review committees, whether at the Centre, or at any of the states, only have
three members each, tasked with reviewing hundreds of orders every day. Moreover, they consist only of government officials. Neither the Information Technology Act, nor the accompanying 2009 rules, require Parliamentary or judicial oversight of electronic surveillance by the executive.

In the past week, at least two petitions have been filed before the Supreme Court,which claim that the MHA’s surveillance order violates the fundamental right to privacy and is unconstitutional. This order for electronic surveillance is a clear deviation from rule number 1, and so the question before the court will be if it meets each of the conditions above to be valid.

Is the MHA order lawful? Yes, given as it was framed under the framework of the IT Act. There remains however, a larger question of the constitutionality of Section 69 itself. If the court finds Section 69 itself to be unconstitutional, any action taken pursuant to Section 69, including the recent MHA order, will also be unconstitutional.

Is the MHA order pursuant to a legitimate state aim? The order itself does not specify what in particular the government hopes to achieve. However, given as it was issued under Section 69, the government could well argue that it was only for the six purposes laid down in the statute.

Moreover, according to the Supreme Court in the right to privacy judgment, legitimate state aims are “matters of policy to be considered by the Union government.” The court even offered examples of possible legitimate state aims, which included the grounds listed under Section 69.

Is the MHA order proportionate? No; and neither is the IT Act’s framework dealing with electronic surveillance. The IT Act allows government surveillance of citizens, unchecked by either the legislature, or the judiciary. It creates a scenario where tiny government committees must review the government’s own decisions to curtail citizens’ fundamental rights. Moreover, it penalises individuals with up to seven years in jail, in addition to fines, for not complying with any interception, monitoring, or decryption request by an authorised government agency.

In light of the recent MHA order, this means that individuals must comply with surveillance requests by 10 government agencies including tax authorities, the police, and civil and military intelligence agencies, or be prepared to face jail time. This is unethical, undemocratic, and unconstitutional.

Unchecked government surveillance threatens not just an individual’s fundamental right to privacy, but also her fundamental freedoms of speech, movement, and assembly among others, also guaranteed fundamental rights under the Indian Constitution.

These rights and freedoms are the very essence of what it means to be a free citizen in a modern democracy. A democratic state must only exercise its police powers in the narrowest of circumstances, within bright lines, clearly defined.

In August, 2017, the Supreme Court laid down the framework to identify these narrow circumstances and bright lines in so far as the fundamental right to privacy was concerned. But, the promise of Puttaswamy is only as good as its implementation, and here lies its biggest challenge.

As Pranesh Prakash, Fellow at the Centre for Internet and Society, said on a television channel recently, perhaps it is about time that we stopped relying solely on the courts to step in to safeguard our fundamental rights, and started demanding that our elected law-markers did their jobs, or did them better. After all, a general election is but a few months away.

For more details visit https://cis-india.org/internet-governance/news/nehaa-chaudhari-asian-age-december-30-2018-constitutionality-of-mha-surveillance-order