Centre for Internet and Society

January 2018 Newsletter

praskrishna — 2018-03-01T01:35:56Z

January 2018 Newsletter

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
The paper titled "Patent Working Requirements and Complex Products" has been published in the latest issue of the NYU Journal of Intellectual Property and Entertainment Law. It is one of the outputs of the Pervasive Technology project and has been authored by Prof. Jorge L. Contreras, Paxton M. Lewis, and Rohini Lakshané. CIS made a submission to the Department of Industrial Planning and Promotion on mobile patents. CIS offered its assistance on matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India The use of Artificial Intelligence (AI) in healthcare in India is increasing with new startups and large ICT companies offering AI solutions for healthcare challenges in the country. The report by by Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari seeks to map the present state of AI in the healthcare sector in India. About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent. The article by Sunil Abraham was published in Deccan Herald on January 20, 2018. CIS made a submission to TRAI Consultation on inputs to the National Telecom Policy. CIS in its submission also recommended what all should be the main objectives of TRAI while drafting the next edition of National Telecom Policy. Under a research grant from the Azim Premji University CIS has initiated a study of the ongoing updation process of the National Register of Citizens (NRC) in Assam and the resultant reform of citizen identification infrastructure in India. The 2G judgment of December 2017 provides a critique of how no proper evidence was presented on existence of an FCFS policy and its improper implementation, wrote Shyam Ponappa in his article in the Business Standard which was published on January 3, 2018.

Highlights

The paper titled "Patent Working Requirements and Complex Products" has been published in the latest issue of the NYU Journal of Intellectual Property and Entertainment Law. It is one of the outputs of the Pervasive Technology project and has been authored by Prof. Jorge L. Contreras, Paxton M. Lewis, and Rohini Lakshané.
CIS made a submission to the Department of Industrial Planning and Promotion on mobile patents. CIS offered its assistance on matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India
The use of Artificial Intelligence (AI) in healthcare in India is increasing with new startups and large ICT companies offering AI solutions for healthcare challenges in the country. The report by by Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari seeks to map the present state of AI in the healthcare sector in India.
About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of services for web and mobile applications are in English and therefore it is only 10% of us who can actually read them before we provide our consent. The article by Sunil Abraham was published in Deccan Herald on January 20, 2018.
CIS made a submission to TRAI Consultation on inputs to the National Telecom Policy. CIS in its submission also recommended what all should be the main objectives of TRAI while drafting the next edition of National Telecom Policy.
Under a research grant from the Azim Premji University CIS has initiated a study of the ongoing updation process of the National Register of Citizens (NRC) in Assam and the resultant reform of citizen identification infrastructure in India.
The 2G judgment of December 2017 provides a critique of how no proper evidence was presented on existence of an FCFS policy and its improper implementation, wrote Shyam Ponappa in his article in the Business Standard which was published on January 3, 2018.

The following articles were written by CIS members:

Digital native: Memory card is full (Nishant Shah; Indian Express; January 3, 2018).
The 2G Judgment of December 2017: What Was It About? (Shyam Ponappa; Business Standard; January 3, 2018).
Fixing Aadhaar: Security developers' task is to trim chances of data breach (Sunil Abraham; Business Standard; January 10, 2018).
Another Step towards Privacy Law (Elonnai Hickok; Governance Now; January 15, 2018).

Data Protection: We can innovate, leapfrog (Sunil Abraham; Deccan Herald; January 20, 2018).

CIS in the News:

From net neutrality to IBC & Aadhaar, how Vidhi is framing key government legislation (Surabhi Agarwal and Samanwaya Rautray; Economic Times; January 4, 2018).
UIDAI denies any breach of Aadhaar database (Komal Gupta; Livemint; January 7, 2018).
Token security or tokenized security? (Manasa Venkataraman and Ajay Patri; Livemint; January 9, 2018).
UIDAI introduces new two-layer security system to improve Aadhaar privacy (Economic Times; January 11, 2018).
Hammered government offers Virtual ID firewall to protect your Aadhaar (New Indian Express; January 11, 2018).
Virtual Aadhaar ID: too little, too late? (Yuthika Bhargava; Hindu; January 11, 2018).
India To Introduce Virtual ID For Aadhaar To Strengthen Privacy (Bloomberg Quint; January 11, 2018).
UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics (Business Today; January 12, 2018).
Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief (Sukriti Dwivedi; NDTV; January 13, 2018).
Bengaluru gives data safety tips to panel (Deccan Herald; January 14, 2018).
Is your personal information under lock and key? (Sravanthi Challapalli; Hindu Businessline; January 16, 2018).
Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool (First Post; January 18, 2018).
Paytm Payments Bank woos corporates with digital incentives (Komal Gupta and Remya Nair; Livemint; January 24, 2018).
Aadhaar's new security measures are good, it is still work in progress (Alnoor Peermohamed; Business Standard; January 25, 2018).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Government of Odisha adopting Creative Commons License to Promote Transparency and Access to Knowledge (Sailesh Patnaik; January 17, 2018).
Experience and Learning outcome from Wikipedia Education Program (Lakshmi Karlekar; January 30, 2018).

Events Organized

Marathi Wikipedia Workshop at Dept. of Mass Communication, Solapur University (Organized by CIS-A2K and Dept of Mass Communication, Solapur University; Solapur; January 2, 2018).
Marathi Wikipedia Workshop at Dayanand College, Solapur (Organized by CIS-A2K and Dayanand College, Solapur; Solapur; January 3, 2018).
Marathi Wikipedia Workshop at Willingdon College, Sangli (Organized by CIS-A2K and Willingdon College; Sangli; January 5, 2018).
Marathi Wikipedia Workshop at Govt.Science & Arts College, Aurangabad (Organized by CIS-A2K and Govt.Science & Arts College; Aurangabad; January 9, 2018).
Marathi Wikipedia Workshop at Dr.Babasaheb Ambedkar Marathwada Vidyapeeth (Organized by CIS-A2K and Dr. Babasaheb Ambedkar Marathwada University; Aurangabad; January 10, 2018).
Marathi Wikipedia Workshop at Shivaji University, Kolhapur (Organized by CIS-A2K and Shivaji University; Kolhapur; January 15, 2018).
Wikidata Workshop (Organized by CIS-A2K and Andhra Loyola College; Vijaywada; January 20 - 21, 2018).
Train the Trainer 2018 (Organized by CIS-A2K; Mysore; January 26 - 28, 2018).

►Pervasive Technologies

Research Paper

Patent Working Requirements and Complex Products (Jorge L. Contreras, Rohini Lakshané and Paxton M. Lewis; JIPEL NYU Journal of Intellectual Property & Entertainment Law, Vol. 7 - No.1 on January 16, 2018).

Submission

Submission to DIPP at Meeting with IP Stakeholders (Anubha Sinha; January 1, 2018). The submission was made in December 2017 but it was published on the website in January 2018.

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Blog Entry

Artificial Intelligence and the Healthcare Industry in India (Yesha Paul, Elonnai Hickok, Amber Sinha and Udbhav Tiwari (Ecosystem mapping by Shweta Mohandas, Sidharth Ray and Elonnai Hickok. Designed by Saumyaa Naidu under Creative Commons Attribution 4.0 International License; January 26, 2018).

Events Organized

Roundtable on A.I. and Manufacturing and Services (TERI, Bengaluru; January 19, 2018).

null Bangalore Meet: Special Session on Digital Identity and Privacy (CIS, Bengaluru; January 19, 2018). Sunil Abraham gave a talk.

►Free Speech and Expression

Blog Entries

Internet Governance Forum Report 2017 (Shweta Mohandas; January 11, 2018).

Mobile net ban during peaceful protest leaves farmers confused (Shruti Jain; January 19, 2018).

‘Hurt sentiments’ cost Udaipur internet access for four days (Shruti Jain; January 19, 2018).

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

Submission to TRAI Consultation on "Inputs for Formulation of National Telecom Policy - 2018" (Pranesh Prakash; January 25, 2018).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entry

Life of a Tuple: National Register of Citizens (NRC) and the Reform of Citizen Identification Infrastructure in Assam (Sumandro Chattapadhyay; January 22, 2018). All posts related to the study can be found here.

-----------------------------------
About CIS
-----------------------------------

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/Qjanuary-2018-newsletter

AI and Healtchare Report

Admin — 2018-01-26T01:35:20Z

For more details visit https://cis-india.org/internet-governance/files/ai-and-healtchare-report

Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool

Admin — 2018-01-18T15:01:48Z

Depending on who you ask, the Aadhaar is either a convenience or a curse.

The article was published by First Post on January 18, 2018.

The ongoing hearing in the Supreme Court is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.

By the government's own estimates, the Aadhaar initiative has covered 98 percent of the adult population in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.

The Aadhaar database is one of the largest government databases on the planet, where a 12 digit unique-identity number has been assigned to the majority of the Indian citizens. This database contains both the demographic as well as biometric data of the citizens.

What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.

The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.

But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.

The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.

However, worst fears about Aadhaar have come true after the developments that have happened over the past few weeks. A recent investigation by The Tribune revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.

Since then, the UIDAI and every other government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State and that it does not make the State transparent to citizens.

"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by The Hindu Business Line as saying.

According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."

Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.

But, according to a Scroll report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. Whereas, at the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.

So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security, privacy concerns a small price to pay for better delivery of welfare schemes or is it an instrument of surveillance and a potential goldmine for hackers?

The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.

Origins of Aadhaar

According to the Scroll report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.

With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).

The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.

Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.

Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," Scroll quoted a former UIDAI official as saying, on conditions of anonymity.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.

And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.

The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals."

Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.

"The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."

So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?

According to a report in The Hindu Business Line, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.

Through the course of these meetings, the potential savings from plugging subsidy leakageswas put across to Modi, a figure of "up to ₹50,000 crore a year".

Modi in his keenness to showcase the arrival of "acche din", the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.

Thus, the current Aadhaar project was born.

Inclusion of biometric data

Although an extension of UPA's idea, the new Aadhaar act had some crucial differences:

- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.

- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.

- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.

Data security debate

Over the last one year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about 210 government websites made the Aadhaar details of people with Aadhaar, public on the internet.

Centre for Internet and Society (CIS) also pointed out that about 130 million Aadhar numbers along with other sensitive data were available on the internet.

The recent Tribune report has only highlighted the deeper, infrastructural fallibility of singular mega-database of sensitive data.

As per this Firstpost piece, the UIDAI's response to such an obvious data breach and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.

The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.

Concerns over privacy

Apart from the security concerns, Aadhaar has brought up a question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a close scrutiny of a person's financial, personal information.

The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collectively biometric data of citizens can be construed as a violation of said right.

The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into State's Constitution.

The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.

The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people have been rejected, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.

"These are not dishonest people or ghosts," he said. Even the Standing Committee report on Aadhaar points out: "..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"

In December 2017, the court had extended the deadline for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.

Right to Privacy and its effect on Aadhaar

In August 2017, the Supreme Court in a unanimous 9:0 judgment had declared the Right to Privacy to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench judgment should the right ever be questioned.

However, the judgment only established the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined into in separate judgments.

As far Aadhaar is concerned, the judgment did not invalidate it in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no longer say that there is no Right to Privacy.

With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of the Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to retailer the project to meet its original goal, the timely and secure delivery of welfare to those who need it.

With inputs from agencies

For more details visit https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool

India To Introduce Virtual ID For Aadhaar To Strengthen Privacy

Admin — 2018-01-17T00:11:13Z

The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.

The blog post was published by Bloomberg Quint on January 11, 2018.

The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.

The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.

Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.

This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.

The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.

As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.

It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.

Virtual ID, by design being temporary, cannot be used by agencies for duplication.
UIDAI Circular

Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for that after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.

Who Can Store Your Aadhaar Data?

The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.

Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.

The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.

Transition To New System

UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.

If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.

UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training session to ensure smooth implementation.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy

Is your personal information under lock and key?

Admin — 2018-01-16T16:54:33Z

Customers, be more careful about how you log in and log off!

The article by Sravanthi Challapalli was published by Hindu Businessline on January 16, 2018.

We’re coming off a year that was highlighted by several data breaches around the world. In India, the Aadhaar debate continues to make headlines, with allegations about its data theft and Big Brother potential for surveillance. And for quite a while now, the marketing world has been suffused with mention of artificial intelligence, chatbots, big data, data-driven analytics, and other such buzzwords. The ultimate, stated aim is to make life simpler for the citizen/customer. But how secure is our data, which we put out there both voluntarily and by mandate, and what can we do to protect it?

Laziness will hurt

A study by security services provider Gemalto found that retailers (76 per cent), banks (74 per cent) and social media sites (71 per cent) operating in India have a lot of work to do on this front. Consumers would leave if their personal information suffered a breach, it said. Even as the majority of customers said businesses don’t treat their data with due respect, they did not take enough precautions themselves, it observed. Fifty-one per cent of the study’s respondents used the same password across several online accounts and many did not use even available solutions such as two-factor authentication to protect social media accounts, making them susceptible to data breaches. They also believed the onus of protecting data lay on the business.

Caveats of little help

The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

So, caveat emptor? “Caveat emptor has meaning only when the customer has enough knowledge to protect himself,” says Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society. Using the sausage factory analogy (no one knew what went into the products and how clean they were), he says few know how big data is used. Regulation can help in this regard. He expects India to have data protection rules in place in a couple of years.
The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.

Efficiency all round

ICICI Prudential Life Insurance Executive Director Puneet Nanda says digital data storage has catalysed efficiency on several fronts. “Technology helps us swiftly identify the nominee and facilitates faster payouts as compared to the times when the information was stored physically. It has improved turnaround times and enabled delivery of superior service leading to higher customer satisfaction. Corporations can provide customers instant gratification. Today, we can issue a policy in minutes. Proliferation of technology has enabled corporations to identify customer needs and make offers best suited to their requirements.”

CIS will offer comments to the Srikrishna Committee. Abraham says such laws in other countries define what personal information is, establish the office of the regulator, have powers to receive and investigate complaints and ensure marketers fall in line. Regulators have punitive powers as well. In 2014, telecom major Verizon had to pay $7.4 million in the US to settle a Federal Communications Commission complaint about advertising to customers without letting them know they had an opt-out option. The privacy conditions one routinely “agrees” to online does not give the data controller a free ticket to do what they want with the information, he says.

Not much one can do

Abraham says there is very little the customer can do, other than “acts of civil disobedience, tell lies, fill out false information” when there’s little protection. Rana Gupta, Vice President – APAC, Identity and Data Protection, Gemalto, says one is not left with many choices in an increasingly digital world, not to mention the social pressure. Imagine asking for time off from work to withdraw some cash from your bank because you are suspicious of ATMs? “Users have to rely on organisations doing the right thing,” he says. Regulation making data encryption and second-factor authentication mandatory will help. Customers have begun to ask how data is being secured, and whether it is encrypted. Addressing such concerns would help businesses such as e-commerce and banks, which are increasingly dependent on an online presence.

Even though they’re painful to remember and key in, long passwords that include a capital letter, a special character and a number are deterrents to misuse, as are one-time passwords and messages that alert/ confirm users logging in to an account or transacting a deal. Rohan Bhargava, Co-founder of cashback and coupons site CashKaro.com, says businesses have to design the best methods to thwart the worst intentions. “Companies are vulnerable when they take short cuts at basic processes.”

Bhargava says his company prefers to build most of the technical products it needs, itself, rather than resort to third-party builders/providers. Marketers, he says, experiment with a lot of untested products and the scripts they use can be the root of the problem.

Checks and balances at every stage, running security reviews whenever something changes, effectively managing the life cycle of the encryption keys and limiting access to customer data are vital. The responsibility for securing data lies with both customer and marketer but the latter’s is the larger responsibility as it is they who implement and have the infrastructure that the user does not, says Gemalto’s Gupta.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key

Internet Governance Forum Report 2017

Admin — 2018-01-11T02:03:44Z

For more details visit https://cis-india.org/internet-governance/files/internet-governance-forum-report-2017

Fixing Aadhaar: Security developers' task is to trim chances of data breach

sunil — 2018-01-10T16:47:59Z

The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.

The article was published in Business Standard on January 10, 2017

I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.

The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.

In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language, for layman the key takeaway is a single national ID for all persons and all purposes is an ahistorical and unworkable solution.

Revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters

monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.

Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.

On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifier where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible referring to a similar scheme in the LSE identity report.Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar

Digital native: The age of consent

nishant — 2018-01-10T02:17:00Z

Just like porn is not real life, all news is not real news. It’s time, therefore, to come of age in the 18th year of this century.

The article was published in Indian Express on December 31, 2017

WE ARE 18 years into this new century. If this century were a person, it would now legally be allowed to vote, to drive, and to engage in sexual activities with other consenting centuries of permissible age. As the century finally becomes ready for adulthood, we need to be giving it some advice. While there are many things about digital rights, responsibilities, and restrictions that it will have to learn, like most teenagers coming of age, I know that the century is not going to listen to me preach, so I am going to grab its attention and talk to it about porn.

Remember, the Internet is all about porn. Ok, so you know that is not true, but your entire future of watching porn and swiping on people you want to watch porn with, depends on the principles of Net Neutrality which is being diminished by private companies that want to profit from your pervert pleasures. Net Neutrality is the principle that ensures that no matter what you are accessing online, as long as you have the physical bandwidth and the infrastructure to access that information, no private company or regulatory body can privilege other people’s access over yours. You are not judged by what you consume and your own perverse and personal access remains unbiased. This is a big deal because it not only allows you to access porn in all your desire, but it also provides a level playing field for new companies, collectives and communities to find equal voice without facing technical discrimination or technological bias.

Second, you will often be told that what you see online is not to be trusted. You definitely need to learn that the world wide web is filled with a variety of information and that you need to make the distinction between porn and real sexual encounters. And while you are doing it, please pay attention to the fact that the same holds true for politics, facts, and information online. Just like porn is not real life, all news is not real news. One sure way of making sure that you can trust the information you consume is by making sure that you validate the sources. Check who is sending the information. Make sure that when you share it, you are sure that what you are sharing is credible. Just like you will not share your nude selfies with your family and friends, make sure you are not sharing untrue information with the circles that trust you. Fact check information before you share, forward, retweet and like posts, train your hands to not be trigger happy.

And third, you should be able to access porn as long as it is a healthy expression of your sexual fantasy. As you go down the smut route, you will encounter many different forms of porn and while they might titillate and stimulate in unexpected ways, please remember that all porn is not the same. There is porn which is between consenting performers and then there is porn that is shot without the knowledge or permission of the people involved in it. The internet of things has started providing surveillance opportunities in invisible ways, and there are people who use spycams on unsuspecting people, making us unwilling participants in their lives. These videos can destroy people’s lives by shaming, harassing and blackmailing them. Imagine what would happen the next time you are whistling to porntubes and somebody captures a video of it and shares it in your social networks. The next time you come across non-consenting porn, step back and report it or flag it as abuse.

This goes for all spaces of the internet. The internet is not a utopian place of forced happiness. It amplifies some of our most dangerous and dark desires and practices. However, the joy of the internet is that it is a self organised space and we need to take responsibility for not just our actions but our collective ethical behaviour online. We do not want the internet to be policed, but we definitely want to step up and be sure that it is not abused against those who do not have the power to fight back.

Welcome to adulthood, 2018. May you mature into your heart’s desires and find safe spaces to do it in. And on the way, take the responsibility of protecting the digital network that is going to define who you are and what you grow up to be in the future.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-december-31-2017-digitial-native-the-age-of-consent

December 2017 Newsletter

praskrishna — 2018-03-17T11:12:26Z

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
Shruthi Anand wrote a report that seeks to map the development of Artificial Intelligence both generally and in specific sectors culminating in a stakeholder analysis and contributions to policy making. CIS made a submission to the Department of Industrial Planning and Promotion on December 7, 2017. CIS also offered its assistance on other matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India. The Office of the Controller General of Patents, Designs and Trademarks held a meeting with IP stakeholders on December 7, 2017, chaired by the Secretary, DIPP, to take suggestions on improving procedures and functioning of the Office. Anubha Sinha attended the meeting and requested the DIPP to improve compliance of uploading Form 27s by patentees and ensure proper enforcement of related provisions within the Indian Patent Act, 1970. A Kannada Wikipedia orientation workshop was held at the Entrepreneurship Centre, SID, Indian Institute of Science, Bengaluru on 26 November, 2017. The day long event was aimed at adding content to Kannada Wikimedia projects on topics such as ecology, environment, wildlife and sciences of Karnataka. Shyam Ponappa wrote an article on the tragedy of commons in the Business Standard on December 6, 2017. Just like porn is not real life, all news is not real news. It’s time, therefore, to come of age in the 18th year of this century, wrote Nishant Shah in an article in the Indian Express on December 31, 2017.

Highlights

Shruthi Anand wrote a report that seeks to map the development of Artificial Intelligence both generally and in specific sectors culminating in a stakeholder analysis and contributions to policy making.
CIS made a submission to the Department of Industrial Planning and Promotion on December 7, 2017. CIS also offered its assistance on other matters aimed at developing a suitable policy framework for SEPs and FRAND in India, and, working towards sustained innovation, manufacture and availability of mobile technologies in India.
The Office of the Controller General of Patents, Designs and Trademarks held a meeting with IP stakeholders on December 7, 2017, chaired by the Secretary, DIPP, to take suggestions on improving procedures and functioning of the Office. Anubha Sinha attended the meeting and requested the DIPP to improve compliance of uploading Form 27s by patentees and ensure proper enforcement of related provisions within the Indian Patent Act, 1970.
A Kannada Wikipedia orientation workshop was held at the Entrepreneurship Centre, SID, Indian Institute of Science, Bengaluru on 26 November, 2017. The day long event was aimed at adding content to Kannada Wikimedia projects on topics such as ecology, environment, wildlife and sciences of Karnataka.
Shyam Ponappa wrote an article on the tragedy of commons in the Business Standard on December 6, 2017.
Just like porn is not real life, all news is not real news. It’s time, therefore, to come of age in the 18th year of this century, wrote Nishant Shah in an article in the Indian Express on December 31, 2017.

CIS wrote the following articles:

New Recommendations to Regulate Online Hate Speech Could Pose More Problems Than Solutions (Amber Sinha; Wire; October 14, 2017). This was published in the month of December on the CIS website.
Breeding misinformation in virtual space (Amber Sinha; Asian Age; December 3, 2017).
India’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach (Amber Sinha; Wire; December 1, 2017).
Digital native: Memory card is full (Nishant Shah; Indian Express; December 3, 2017).
Should Aadhaar be mandatory? (Amber Sinha; Deccan Herald; December 9, 2017).
Digital native: The age of consent (Nishant Shah; Indian Express; December 31, 2017).

CIS in the News:

Aadhaar linking deadline approaches: Here are all the myths and facts (Business Today; December 7, 2017).
Checks and balances needed for mass surveillance of citizens, say experts (Hindu; December 9, 2017).
Masking personal data to protect privacy crucial for India, say experts (Deepti Govind; Livemint; December 11, 2017).
Paranoid about state surveillance? Here’s the FD Guide to living in the age of snoops (Sriram Sharma; Factor Daily; December 12, 2017).
Deadline For Linking Bank Accounts With Aadhaar To Be Extended To 31 March (Komal Gupta and Ramya Nair; Livemint; December 14, 2017).

►Copyright & Patent

Submission

Submission to DIPP at Meeting with IP Stakeholders (Anubha Sinha; December 12, 2017).
CIS' Submission to DIPP and CGPDTM at meeting with IP Stakeholders (Anubha Sinha; December 13, 2017).

►Openness

►Wikipedia

Blog Entries

Christ University Wikipedia Education Program Internship (Manasa Rao; December 11, 2017).
Wikipedia Orientation Program at Rotary Club of Salem (Manasa Rao; December 11, 2017).
Nichole Saad from the Wikimedia Foundation visits Christ University (Manasa Rao; December 17, 2017).
Kannada Wikipedia Orientation Workshop at IISc, Bengaluru (A. Gopalakrishna; December 19, 2017).
Wikimedia Technical Workshop at Savitribai Phule Pune University (Manasa Rao; December 19, 2017).
Marathi Wikipedia workshop for Sandarbh Science magazine writers (Manasa Rao; December 19, 2017).
Marathi Wikipedia - Vishwakosh Workshop for Science writers in IUCAA, Pune (Manasa Rao; December 20, 2017).

-----------------------------------

Internet Governance
-----------------------------------

►Free Speech & Expression

Blog Entries

It Hurts Them Too (Mir Farhat; December 19, 2017).
Internet Shutdowns: A Modern-day Siege (Ayswarya Murthy; December 19, 2017).
Days to Derail Work of Two Generations? (Mahesh Kumar Shiva; December 19, 2017).
Sorry, Business Closed until Internet is Back On (Nalanda Tambe; December 19, 2017).
Stock Brokers Don't Love an Internet Shutdown (Binita Parikh; December 19, 2017).
Was there an Unofficial Internet Shutdown in BHU & NTPC? (Saurabh Sharma; December 19, 2017).
How Media beat the Shutdown in Darjeeling (Manish Adhikary; December 19, 2017).
Internet and the Police: Tool to Some, Trash to Others (Manoj Kumar; December 19, 2017).
Business Woes from Saharanpur's Internet Ban (Mahesh Kumar Shiva; December 19, 2017).
Amid Unrest in the Valley, Students See a Dark Wall (Aakash Hassan; December 19, 2017).
The Rising Stars in Music Loath Losing their Only Platform (Umar Shah and Mir Farhat; December 19, 2017).
Internet and Banking: A Trust Broken (Roshan Gupta; December 19, 2017).
Online or Offline, Protest Goes On (Junaid Nabi Bazaz; December 19, 2017).
Digital Banking Dreams: Interrupted (Safeena Wani; December 19, 2017).
Will Darjeeling Regain the Trust of Tourists? (Roshan Gupta; December 20, 2017).
Silence on the Dera Front (Sat Singh; December 20, 2017).
ISPs in Kashmir Grappling with Mounting Losses Amid Recurrent Shutdowns (Safina Wani; December 20, 2017).
Taxes in the Time of Internet Shutdown (Avijit Sarkar; December 20, 2017).
Every Town had its Jio Dara (Ayswarya Murthy; December 20, 2017).
Education and Employment Opportunities Tossed out of the Window (Roshan Gupta; December 20, 2017).
Darjeeling’s e-commerce Crumbles after 100 days sans Internet (Avijit Sarkar; December 20, 2017).
E-administration Efforts are Lame Ducks without Internet (Amit Kumar and Sat Singh; December 20, 2017).

►Privacy

Blog Entries

Artificial Intelligence - Literature Review (Shruthi Anand; edited by Amber Sinha and Udbhav Tiwari with research assistance by Sidharth Ray; December 16, 2017).
AI and Healthcare in India: Looking Forward (Shweta Mohandas; edited by Roshni Ranganathan; December 16, 2017).

Participation in Event

FIGI Symposium 2017 (Organized by Telecommunication Standardization Bureau (TSB) of the International Telecommunication Union (ITU), jointly with the Bill & Melinda Gates Foundation, the World Bank and the Committee on Payments and Market Infrastructure (CPMI) and support of the Government of India; November 29 - December 1, 2017; Bangalore). Elonnai Hickok participated in the symposium and spoke in the "Security, Infrastructure, and Trust" working group on big data and privacy in DFS.

-----------------------------------

Article

The tragedy of the unused commons (Shyam Ponappa; Business Standard; December 6, 2017).

-----------------------------------
About CIS
-----------------------------------

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/december-2017-newsletter

It Hurts Them Too

Mir Farhat — 2017-12-19T15:12:31Z

Strap: Internet shutdown robs security forces' social media lifeline in J&K.

Srinagar, J&K: For Mahender*, a member of the Central Reserve Police Force (CRPF) posted in Srinagar for the last two years, the internet has been a way to feel virtually close to his children and wife in Bihar, nearly 1,900 kms away. After duty every day, he finds a quiet corner to start video-calling his wife. At the other end, she ensures their two children are beside her. “We discuss how our day went. Most of our conversations revolve around the kids, their schooling and food, and about my parents who live near our house,” says Mahender, who identified himself only with his first name.

However, Mahender and thousands of security personnel like him posted in the Kashmir Valley haven't found this easy connectivity always reliable, courtesy the government's frequent internet shutdowns, phone data connectivity cuts, and social media bans.

Jammu & Kashmir has faced 55 internet shutdowns between 2012 and 2017, as recorded by the Software Freedom Law Centre. The administration justifies this crackdown by citing "law-and-order situations" that occur during encounters of security forces with militants and, later, when protests and marches are carried out by civilians during militants' funerals.

Hizbul Mujahideen commander Burhan Wani was killed by security forces and police on 8 July 2016, triggering a six-month-long “uprising” among civilians in Kashmir. Immediately after the shootout, security agencies shut the internet down. With 55 internet shutdowns in 2017 itself, it is something of a standard practice in Kashmir today to block social media or internet in a district or entire Valley each time there is an encounter. It is also a recurring practice of precaution against protests on Independence and Republic Day every year.

Security forces and police are not untouched by these shutdowns though. There are 47 CRPF battalions posted in the Kashmir region. “Our jawans experience difficulties during internet bans as they are not able to communicate with their families and friends as frequently as they do when internet is working,” says Srinagar-based CRPF Public Relations Officer Rajesh Yadav.

The J&K police, who are at the forefront of quelling protests and maintaining law & order in the Valley with a strength of nearly 100,000, also suffer. There have been growing instances of clashes between the Kashmiri police and protesters who believe their home force is being brutal during crowd control. The policemen have had to hide or operate in plain clothes. A senior police officer in Srinagar, who does not want to be named, says, “Our families are worried about our well-being when we are dealing with frequent agitations. In such a situation, when there is a ban, we find it difficult to stay in touch with our families.”

More dangerously, internet bans also hit the official communication of cops in action. Their offices are equipped with BSNL landline connections, which are rarely shut down, and they usually communicate through wireless; but for mobile internet most of them depend on private internet service providers, owing to their better connectivity, as the rest of the state. A senior police officer who deals with counter-insurgency in Kashmir speaks of the impact of cutting off phone data connectivity. "We have our own WhatsApp groups for quick official communication. We use broadband in offices only and can’t take it to sites of counter-insurgency operations.”

Yadav of the CRPF says, “While we have several effective means of communication for official purposes, social media is one that has accentuated our communication network. During internet bans, our work is not entirely hampered, but there is a little bit of pinch, since that speed and ease of working is not there.” Nevertheless, he defends the ban, insisting that Facebook and WhatsApp are handy tools for people to "flare up" the situation and "mobilise youths" during protests. "So, it becomes a compulsion for the administration to impose the ban."

Counter-insurgency forces have in the last few years created social media monitoring and surveillance cells. They say it is to equally match the extremists, including those in Pakistan, who use social media services like Telegram, Facebook and WhatsApp now, instead of their phones which can be tapped. It is also to keep an eye on suspected rumour-mongers and propagandists. For instance, 22-year-old Burhan Wani had gained the attention of security forces precisely because of the way he used his huge following, amassed through Facebook posts and gun-toting pictures, to inspire young Kashmiris to militancy.

“There is always monitoring and surveillance. If militants are using it, then they are within the loop,” says Yadav.

There is widespread public outrage against the state government and agencies who impose frequent net bans in Kashmir, but the CRPF official says it hampers their attempts to build an image and do public relations in Kashmir too. “We promote and highlight programmes like Civic Action and Sadhbhavana online, and that's not possible when there's no social media.”

"The public's criticism of the ban is justified,” the counter-insurgency official says. But they are compelled to use it in situations like during the recent scare around braid chopping, which was caused due to “rumour-mongering by persons with vested interests”. Kashmiri civil society had suggested that the police keep the internet up to issue online clarifications trashing the rumours, but it was not to be.

"The internet has made it possible to identify culprits while sitting in an office. But we have to shut it down in case of communal tensions which have the tendency to engulf the whole state,” says the senior cop. “When we have no option left, we go back to traditional human intelligence.”

Name changed to protect identity.

Mir Farhat is a journalist from Jammu & Kashmir, with an experience of reporting politics, conflict, environment, development and governance issues. His primary interests lie in reporting environment and development. He is a member of 101Reporters.com, a pan-India network of grassroots reporters.

Shutdown stories are the output of a collaboration between 101 Reporters and CIS with support from Facebook.

For more details visit https://cis-india.org/internet-governance/blog/it-hurts-them-too

Checks and balances needed for mass surveillance of citizens, say experts

Admin — 2017-12-16T14:32:23Z

A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts.

The article by Peerzada Abrar was published in the Hindu on December 9, 2017

The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.

The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.

The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key data protection issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?

“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.

Mr. Abraham said that his organisation had proposed to the UIDAI that it used ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or the banks. Instead, when the citizens used various services via smart cards or pins, a token got generated, which was controlled by the UIDAI. Organisations like banks and telecom firms can store those token numbers in their database. He said this would make it harder for unauthorised parties to combine databases. But at the same time would enable law enforcement agencies to combine database using the appropriate authorizations and infrastructure.

“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.

Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.

“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance,” he said.

Artificial Intelligence

A large amount of information or Big data ranging from financial, health to political insights of people is being collected by different organisations and service providers which is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what if a situation arises where all of this data is aggregated and using artificial intelligence and machine learning, one is able to analyse it and profile individuals. He said “would that be not a terrifying scenario” where the State can act super-monitor for citizens. He asked how can citizens be guarded against it?

Mr.Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.

“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr.Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts

Masking personal data to protect privacy crucial for India, say experts

Admin — 2017-12-16T14:27:34Z

Finding a way to protect privacy is critical, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.

The article by Deepti Govind was published in Livemint on December 11, 2017

Using the concept of de-identification to protect an individual’s right to privacy and creating laws that constantly re-evaluates the difference between harmful and good use of data is crucial for India, according to an expert panel on data privacy.

That could mean developing a token system that lets the Unique Identification Authority of India (UIDAI) hold a master-list of data through Aadhaar, while generating token numbers for all other Know Your Customer (KYC) requirements, suggested the panel at the Global Technology Summit hosted by think-tank Carnegie India.

“If we can implement de-identification principles in government collection and storage of data, even if that data is displayed on the website it cannot be correlated to an individual. And if it can’t be correlated to an individual then immediately that data is not as dangerous as it could be,” said Rahul Matthan, partner at Trilegal and a Mint columnist.

In theory, de-identification could include anything from deleting or masking personal identifiers, like names, to generalizing or suppressing others, like an individual’s pin code.

Finding a way to protect privacy is critical for India, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.

One of the grounds for challenge is that the use of biometric information of an individual encroaches upon the individual’s privacy.

The Centre for Internet and Society, a Bengaluru-based research organisation, proposed that the UIDAI use tokens for KYC requirements. Under this method an individual can use a smart card and a personal identification number (PIN), rather than biometrics, at a UIDAI-controlled booth and generate a token number. That token number can be submitted to a telephone operator or a bank.

“UIDAI is currently considering this. They call it the dummy or virtual Aadhaar numbers. Under this a single agency cannot pull off the surveillance completely by themselves. So there is both a technical and institutional check,” said Sunil Abraham, executive director of the Centre for Internet and Society.

Another method could be shifting the emphasis to revoking consent rather than grant of consent to collect and store data.

This could be done using the same method that currently exists to filter unwanted calls and messages on phones via the do-not-disturb registry. But over and above these, creating the right regulatory framework is important.

“It has become absolutely necessary to have in place a law which governs the usage of misuse of data,” said former Supreme Court justice B.N. Srikrishna.

Srikrishna used to head a 10-member committee of experts constituted by the government to study various issues related to data protection, make specific suggestions on the principles to be considered and suggest a draft data protection bill.

The data protection law must balance the interests of all three stakeholders—the common citizens, data collectors and the state—and not focus on just one or two, Srikrishna said on Friday. There should also be methods in place to penalize or impose fines on companies or agencies in case of data breaches or misuses, he added. But imposing fines is not the ideal solution, according to experts.

“It’s really critical that we think about building in incentives to do better. If every violation results in a huge penalty, for instance, then the posture of companies will be a secretive, protective, legal defence posture rather than one that strives to constantly improve practices and technologies,” said Facebook Inc.’s global deputy chief privacy officer, Stephen Deadman.

For more details visit https://cis-india.org/internet-governance/news/masking-personal-data-to-protect-privacy-crucial-for-india-say-experts

Paranoid about state surveillance? Here’s the FD Guide to living in the age of snoops

Admin — 2017-12-16T13:38:46Z

The US does it, so does China. Ever since Edward Snowden’s revelations back in 2013, which exposed the extent of the US’s global surveillance apparatus, the public has been fairly clued into the extent of mass surveillance.

The blog post by Sriram Sharma was published in Factor Daily on December 12, 2017

It doesn’t take a conspiracy theorist to worry that India does it (or wants to), too, especially with the high decibel campaigns by banks, telecom service providers and others to have Indians link Aadhaar, the unique citizen ID, to multiple services.

If you want a dystopian picture of the future of surveillance, look no further than China, considered the world’s worst abuser of internet freedom for the third year in a row, according to the new Freedom House, a US-based NGO that conducts research and analysis on the internet. With a score of 87/100 (higher is worse), the Chinese state is renowned for its Great Firewall, which filters access to the wider internet. “Digital activism has declined amid growing legal and technical restrictions as well as heavy prison sentences against prominent civil society figures,” the latest Freedom House report notes.

India is rated “Partly Free” with a score of 41/100 (lower is better) in Freedom House’s 2017 report on internet freedom

While it’s a long way away from China, India scores 41/100 on Internet Freedom in 2017 but is still considered only ‘partly free’ owing to blocking of internet and telecom service providers in Kashmir and detainment of citizens for expressing their views online. The India report from Freedom House highlights Aadhaar’s mandatory linking for a wide range of schemes and records concerns regarding its privacy and security implications.

In this guide, we take a look at the why, what and how of India’s surveillance apparatus, the legal provisions in the Indian constitution that enables them, ask domain experts to provide us with tips on living in an age of state surveillance. We also take a look at a variety of widely used tools and apps that help you countering state surveillance or tracking of any kind.

Know your Big Brother: India’s State Surveillance Programs

Right to privacy organisation Privacy International has a detailed dossier on the state of privacy in India, which examines India’s surveillance schemes, laws around interception and access, and central intelligence agencies that carry out surveillance. Apart from the state police and the army, surveillance is carried out at least 16 different intelligence agencies, it notes.

The Centre for Internet and Society (CIS) and Software Freedom Law Centre (SFLC) have done extensive research in the past on India’s surveillance apparatus. Earlier this year, CIS reported on the various programs and tech infrastructure behind India’s surveillance state: these include Central Monitoring System (CMS), National Intelligence Grid (NATGRID), Network Traffic Analysis System (NETRA), etc. An earlier CIS report highlights a boom in surveillance tech in India following the 26/11 terror attacks in Mumbai.

Based on an RTI (Right to Information) filing, SFLC’s 2014 report on India’s Surveillance State reveals that around 7,500 to 9,000 telephone interception orders are issued by the central government alone each month. State surveillance of citizens’ private communications is authorised by laws that let them monitor phone calls, texts, e-mails and Internet activity on a number of broadly worded grounds such as such as ‘security of the state’, ‘defence of India’, and ‘public safety’.

The Government of India is also known to said to work with private third parties, some of which go so far as to infect target devices using malicious software to extract information on the subject. A 2013 Citizen Lab report titled ‘The Commercialisation of Digital Spying’ found command and control servers (used to control the host system) for FinFisher (a remote computer monitoring software suite) in India. A Wikileaks expose in 2015 dumped over a million emails belonging to Italian surveillance malware vendor HackingTeam. The emails revealed how India’s top intelligence agencies and the government expressed interest in buying Hacking Team’s malware interception tools.

Fears of an Aadhaar Surveillance State

Thejesh G N, an infoactivist wrote in FactorDaily about Hyderabad’s surveillance hub, which wants to collect all manner of details. Aadhaar is one of the primary keys to matching profiles with external data sources, he notes.

A look at data points gathered by Hyderabad’s Integrated Information Hub

“The end product shows on a map where you live, what you consume, did you take PDS, move to some other place, your mobile number, gender… there’s a lot of data in the hands of the very lowest level of government, which doesn’t have any protection as by a parliamentary committee or anything like that. It’s run by bureaucrats, so that has huge implications,” he says. “If you see Citizen Four (a 2014 documentary about Edward Snowden), it shows a similar system, where you enter one’s SSN, and it shows everything you have done, and are planning to do. We are building the same system…Governments change, today we might have a good government, tomorrow we might have the worst possible government on the planet.”

Pranesh Prakash, Policy Director of CIS says he doesn’t regard Aadhaar as a surveillance project. “I see Aadhaar as something that can facilitate surveillance, but by and of itself, it isn’t surveillance,” he says, adding that it does so in a non-consensual manner. “By having Aadhaar numbers across multiple databases, you make surveillance easier. But you need to tie it up to a surveillance system. For instance, Aadhaar without NATGRID isn’t surveillance, but Aadhaar with NATGRID can be helpful for surveillance.” NATGRID (National Intelligence Grid) was first proposed in late 2009 following 26/11 attacks by the Union Home Minister, to enhance India’s counter-terror capabilities. It links 21 citizen databases for access to intelligence/enforcement agencies.

Ongrid’s website earlier had this visualisation depicting its verification service, which made privacy advocates cringe. Source: Twitter.

We discussed some worst-case scenarios around the commercial use of Aadhaar and India Stack companies with Thejesh. “Let’s say there’s a screening company and they have your Aadhaar ID. They will send it to Airtel, or Vodafone, and ask for a list of all the websites you have viewed. Maybe you’ve watched porn or something, at some point in your life, and that could hurt your employment,” he says.

Curbing your data exhaust

The EFF (Electronic Frontier Foundation) has published a number of useful articles and resources for countering internet surveillance. Recommendations include using end-to-end encryption through tools such as OTR (a messaging protocol available on Adium), PGP (to exchange secure emails), and Signal (messenger).

Other useful tips:

Use VPNs

VPNs (virtual private networks) use encryption protocols and secure tunneling techniques to keep your internet activity impervious to snooping. With a VPN, you can bypass ISP restrictions on blocked websites or access services (Spotify) not available in your country, making it appear that you are browsing from another part of the world. Keep in mind that you can still be outed by your VPN provider, so it’s important to choose one that respects your privacy. There are hundreds of VPN service providers to choose from, That One Privacy Guy maintains a detailed comparison chart of over a hundred VPN providers, with details on jurisdiction, price, ethics, logging policies, VPN protocols supported, and more. Out of these, the country that the VPN provider is based in is a key filter: you don’t want to choose a VPN service based out of the ‘14 eyes‘, as they are known to do mass surveillance.

Use TOR

Tor, an acronym for ‘The Onion Router’, is a free app that lets you anonymise your online communication by directing a web browser’s traffic through a volunteer-run network of thousands of servers. It is funded by the US-based National Science Foundation, Mozilla, and Open Technology Fund, among others. Tor is available for download on Windows, Mac, Linux, and Android.

Browsing on Tor can be far slower than a regular web browser, but it keeps you anonymous.

Encrypt your storage

It’s now a default feature on your phone, or computer, so there’s no reason why you shouldn’t make use of it. To check if it is turned on in Windows 10, Go to Settings > System > About, and look for a “Device encryption” setting at the bottom of the About tab. Keep in mind that you need to sign into Windows with a Microsoft account to enable this setting, so it’s likely that the NSA or FBI might be able to bypass it.

On a Mac, you turn on full-disk encryption through FileVault, accessible in > System Preferences > Security & Privacy.

On an iPhone, data protection is enabled once you set up a passcode on your device.

Android 5.0 and above devices support full-disk encryption. If it isn’t turned on by default on your device, you can turn on encryption under the Security menu.

Sensitive documents can also be encrypted using TrueCrypt. Though you must keep in mind that key disclosure laws apply in India, under the Section 69 of the Information Technology Act, which states that there’s a seven-year prison sentence for failing to assist the central and state governments in decrypting information on a computer resource.

Use an air-gapped PC

An air-gapped PC is one that is not connected to the internet or to any computers that are connected to the internet. Air-gapped PCs are typically used when handling critical infrastructure, and this is an extreme measure one can take when working with sensitive data that you don’t want to be leaked.

Use HTTPS everywhere

HTTPS Everywhere offers plugins for Firefox, Chrome, and Opera, and turns every link you open or key in, to a secure version of the HTTP protocol, which is encrypted by Transport Layer Security (TLS). The tool protects you from eavesdropping or tampering with the site you are visiting, but only works on sites that support HTTPS. Keep in mind that this tool won’t conceal the sites you have accessed from eavesdroppers but it won’t reveal the specific URL that you visited.

Turn on Advanced Protection in Gmail

If you trust Gmail with your data, take the relationship to the next level with Advanced Protection, which safeguards your account against phishing attacks, limits access to trusted apps, and adds extra verification features to block fraudulent account access. You will need a Bluetooth key and a USB key to turn this feature on.

Some other don’ts

Don’t leave any cameras open. Tape them up if you are a potential surveillance target.
Don’t use freemium apps, which trade in your privacy. A recent example of a worst-case scenario.
Don’t send any data via free email services that you would like to keep private.
Don’t use Google or Facebook, as Snowden says, if you value your privacy. Don’t take our word for it.

As for Aadhaar, Thejesh says that there isn’t much one can do as it is forcibly linked to many essential services. He recommends using different email ids for official work and unofficial work. “Use one email ID for Aadhaar and mobile related accounts, and use the other one for regular communication. It separates the accounts from surveillance and adds a layer of security,” he says. “Don’t use Aadhaar until is necessary. If you use Aadhaar and you are not in a mood to resist everything, then don’t use it where it is not required. Don’t use it like a regular address proof,” he adds.

If you are already an Aadhaar holder, it makes sense to use the biometric locking system provided by UIDAI on its website to protect against identity theft and unauthorised access. The biometric locking feature sends an OTP code to your registered mobile number to unlock or disable the locking system.

If someone is concerned about surveillance, CIS’s Prakash recommends not having a cell phone. “The cellphone is the single largest means of data gathering about you,” he says.

Surveillance can take many forms: it can be physical or off-the-air surveillance (an interception technique used to snoop on phone calls), he points out.

A CCTV camera fitted on top of a Hyderabad Police vehicle

Surveillance is not always bad: medical surveillance, for instance, an entire field around the spread of diseases, is necessary, Prakash clarifies. “Even state surveillance for national security purposes is absolutely necessary. A nation-state can’t survive without surveillance so I am quite clear that those who oppose all forms of surveillance are opposing all kinds of rights – because you can’t have rights without security. And indeed, individual security is a human right guaranteed under the Universal Declaration of Human Rights and guaranteed in Article 21 of the Indian Constitution. Without security of the person, you can’t have the right to freedom of speech, you can’t enjoy the right to privacy… If you’re in a state of war or in a state of terror, then you can’t enjoy rights – so clearly for me, surveillance is necessary,” he says.

That said, surveillance in India is highly problematic as the laws and the democratic framework for surveillance is very weak, and enforcement of that framework is even worse, Prakash adds. “One of the best ways of countering surveillance, I would suggest, is to actually demand a democratic framework for surveillance in India. Demand that your MLA and MP take up this issue at the state and central level… and that we have a democratic framework for both our intelligence agencies and for all the surveillance that is conducted by the state in India,” he says.

He calls everything else – “the technological stuff, using anonymising networks, end-to-end encryption” – a second order issue. “It can help you as an individual, but it doesn’t help us as a society.”

For more details visit https://cis-india.org/internet-governance/news/factor-daily-sriram-sharma-december-12-2017-paranoid-about-state-surveillance-here-s-the-fd-guide-to-living-in-the-age-of-snoops

Artificial Intelligence Literature Review

Admin — 2017-12-16T10:43:42Z

For more details visit https://cis-india.org/internet-governance/files/artificial-intelligence-literature-review

State-led interference in encrypted systems: A public debate on different policy approaches

Admin — 2017-12-05T14:03:09Z

State-led interference in encrypted systems. Sunil Abraham is a speaker for this event.

Proposer's Name: Mr. Carlos Alberto Afonso
Proposer's Organization: Instituto Nupef
Co-Proposer's Name: Mr. Hartmut Glaser
Co-Proposer's Organization: CGI.br

Co-Organizers:

Mr., Carlos, AFONSO,Civil Society, Instituto Nupef
Mr. Hartmut, GLASER, Technical Community, CGI.br
Ms. Jamila, VENTURINI,Technical Community, NIC.br
Mr. Diego, CANABARRO, Technical Community, NIC.br

Session Format: Other - 90 Min
Format description: The session is designed to host a dialectic debate segment followed by a traditional round-table segment structured around a Q&A format.

Proposer:
Country: Brazil
Stakeholder Group: Civil Society

Co-Proposer:
Country: Brazil
Stakeholder Group: Technical Community

Speakers

Christoph Steck (Telefonica, Spain)
Riana Pfefferkorn (Stanford CIS, EUA)
Cristine Hoepers (CERT.br, Brazil)
Carlos A. Afonso (Nupef Institute, Brazil)
Neide Oliveira (Federal Prosecution Service, Brazil)
Sunil Abraham (CIS India)
Monica Guise Rosina (Facebook Brazil)
Jonah F. Hill (NTIA, EUA)
Nina Leemhuis Janssen (Govt of The Netherlands)

Content of the Session

The workshop is built around a policy question that approaches some historical controversies inherent to the widespread use and availability of encryption in the Internet, with a special focus on the tension between the increasing use of cryptography after Snowden and the supposed challenges it poses to public and national security in a digital era. The session promotes a space for multistakeholder debate on: the state of the art in the development and employment of cryptography; different attitudes towards the freedom to use encryption in different jurisdictions; modes of state-led interference in/with encrypted systems; and the limits posed by national and international law to such interference, as well as the impacts it might have to the protection and promotion fundamental human rights and shared values, to permission-less innovation on the Internet and the open architecture of the network. The session will host two segments: one will consist of two presentations made by government officials from the UK and the Netherlands that will detail different policy approaches for dealing with the use of encryption. The second comprises a multistakeholder round-table that gathers comments and questions about the previous presentations. In the end, moderators will summarize discussions and an overarching and documented report of the session will be made available for the session. The unorthodox format chosen for this session allows public scrutiny over some very practical policy-oriented approaches. The bulk of discussions registered during the workshop can provide dialogued feedback into policy development processes elsewhere.

Relevance of the Session

The development and use of encryption to protect information and communication dates back to ancient times. Encryption has been mainly employed over the centuries to protect personal data, business information, governmental classified information, etc. Attempts to break encryption in general as well as the notion of inserting vulnerabilities (such as backdoors) in systems that rely on encryption have been a parallel phenomenon to (and also an integral part of) the longstanding efforts of cryptography. One might even say that those two processes function as the two different sides of the same coin.

The advent and the great pace of development of computing and networking technologies boosted the science behind cryptography to unprecedented levels of relevance for society in general. More recently, after the Snowden affairs, cryptography has been perceived as a necessary condition (not a sufficient one though) for Internet users to curb the abuses entailed by massive digital surveillance and espionage by an ever growing number of countries. In parallel, together with other measures, the deployment of encryption to commercial applications seems to have become a, somehow, sine qua non condition for some Internet companies to regain consumer trust and retain competitive advantages in relation to other players in the market.

The widespread use and availability of encryption tools however refueled tensions and entailed policy responses in a myriad of countries (e.g.: the Apple vs FBI case in the context of the San Bernadino Shooting; the announcement made by some European countries of their willingness to outlaw some uses of encryption as well as the public commitment of the Netherlands government to support encryption and oppose the development of backdoors; and the successive orders by Brazilian courts that aimed at blocking Whatsapp in the country due to the company’s denial to delivery communication records from some of its users). Those tensions generally revolve around the fact that as general-purpose technology, encryption can be also employed to conceal irregular and/or illicit activities, which would justify the creation of some narrow but allegedly needed exceptions to the constitutional limits built over the last century in several countries to impose limits to criminal investigation in order to uphold privacy and personal data protection.

The cases mentioned above gave rise to fierce discussions on whether or not the use of encryption increases by itself the likelihood of and facilitate the occurrence of crime and other illicit activities (most notably organized crime of all sorts and terrorism). Some law enforcement agencies and security forces have argued that encryption impairs crime investigation and the prosecution of criminals, and therefore the development of technology with embedded backdoors might be needed. Other actors, including representatives from the technical community, however, argue that such interference might disrupt regularly protected flows of information and communication as well as compromise privacy and the protection of other fundamental human rights. At this point, we are in a stage in which the trade-off between those two perspectives have to be settled through democratic means and public participation and that is why this workshop was submitted for the IGF 2017.

Besides dealing with several different topics that comprise the overarching agenda of Internet governance (human rights, cybersecurity, openness and permission-less innovation, economic development, infrastructure governance, etc), the topic of this workshop is directly connected to two different goals comprised in the UN SDGs: sound institutions and innovation. Discussions on the contours of sound political institutions and on challenges and incentives for innovation are integral components of any sort of political agenda that aims at reflecting upon the “digital future”, which is the case of the 2017 IGF and highlight the importance of adding this proposal to the overall agenda of the event.

For more details visit https://cis-india.org/internet-governance/news/state-led-interference-in-encrypted-systems-a-public-debate-on-different-policy-approaches