Centre for Internet and Society

Aadhaar: Ushering in a Commercialized Era of Surveillance in India

praskrishna — 2017-06-07T12:45:30Z

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing persons through an app that integrates biometric information with the Crime and Criminal Tracking Network Systems (CCTNS).

The article by Jyoti Panday was published by the Electronic Frontier Foundation on June 1, 2017.

These instances demonstrate how intrusive India’s controversial national biometric identity scheme, better known as Aadhaar has grown. Aadhaar is a 12-digit unique identity number (UID) issued by the government after verifying a person’s biometric and demographic information. As of April 2017, the Unique Identification Authority of India (UIDAI) has issued 1.14 billion UIDs covering nearly 87% of the population making Aadhaar, the largest biometric database in the world. The government asserts that enrollment reduces fraud in welfare schemes and brings greater social inclusion. Welfare schemes that provide access to basic services for marginalized and vulnerable groups are essential. However, unlike countries where similar schemes have been implemented, invasive biometric collection is being imposed as a condition for basic entitlements in India. The privacy and surveillance risks associated with the scheme have caused much dissension in India.

Identity and Privacy in India

Initiated as an identity authentication tool, the critical problem with Aadhaar is that it is being pushed as a unique identifier to access a range of services. The government continues to maintain that the scheme is voluntary, and yet it has galvanized enrollment by linking Aadhaar to over 50 schemes. Aadhaar has become the de-facto identity document accepted at private, banks, schools, and hospitals. Since Aadhaar is linked to the delivery of essential services, authentication errors or deactivation has serious consequences including exclusion and denial of statutory rights. But more importantly, using a unique identifier across a range of schemes and services enables seamless combination and comparison of databases. By using Aadhaar, the government can match existing records such as driving license, ration card, financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it's a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.

This is worrying, particularly in context of the ambiguity regarding privacy in India. The right to privacy for Indian citizens is not enshrined in the Constitution. Although, the Supreme Court has located the right to privacy as implicit in the concept of “ordered liberty” and held that it is necessary in order for citizens to effectively enjoy all other fundamental rights. There is also no comprehensive national framework that regulates the collection and use of personal information. In 2012, Justice K.S. Puttaswamy challenged Aadhaar in the Supreme Court of India on the grounds that it violates the right to privacy. The Court passed an interim order restricting compulsory linking of Aadhaar for benefits delivery, and referred the clarification on privacy as a right to a larger bench. More than a year later, the constitutional bench is yet to be constituted.

The delay in sorting out the nature and scope of privacy as right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back. In 2016, the government enacted the 'Aadhaar Act' passing the legislation without any debate, discussion or even approval of both houses of Parliament. In April this year, Aadhaar was made compulsory for filing income tax or PAN number application and the decision is being challenges in Supreme Court. Defending the State , the Attorney-General of India claimed that the arguments on so-called privacy and bodily intrusion is bogus, and citizens cannot have an absolute right over their body! The State’s articulation is chilling, especially in light of the Human DNA Profiling Bill seeking the right to collect biological samples and DNA indices of citizens. Such anti-rights arguments are worth note because biometric tracking of citizens isn't just government policy - it is also becoming big business.

Role of Private Companies

Private companies supply hardware, software, programs, and the biometric registration services for rolling out Aadhaar to India’s large population. UIDAI’s Committee on Biometrics acknowledges that biometrics data are national assets though American biometric technology provider L-1 Identity Solutions, and consulting firms Accenture and Ernst and Young can access and retain citizens' data. The Aadhaar Act introduces electronic Know-Your-Customer (eKYC) that allows government agencies and private companies to download data such as name, gender and date of birth from the Aadhaar database at the time of authentication. Banks and telecom companies using authentication process to download data and auto-fill KYC forms and to profile users. Over the last few years, the number of companies or applications built around profiling of citizens’ personally sensitive data has grown exponentially.

A number of people linked with creating the UIDAI infrastructure have founded iSPIRT, an organisation that is pushing for commercial uses of Aadhaar. Private companies are using Aadhaar for authentication purposes and background checks. Microsoft has announced SkypeLite integration with Aadhaar to verify users. Others, such as TrustId and Eko are integrating rating systems into their authentication services and tracking users through platforms they create. In essence such companies are creating their own private database to track authenticated Aadhaar users and they may sell this data to other companies. The growth of companies that share and combine databases to profile users is an indication of the value of personal data and its centrality for both large and small companies in India.

Integrating and linking large biometrics collections to each other, which are then linked with traditional data points that private companies hold such as geolocation or phone number enables constant surveillance to take over. So far, there has been no parliamentary discussion on the role of private companies. UIDAI remains the ultimate authority in deciding the nature, level and cost of access granted to private companies. For example, there is nothing in Aadhaar Act that prevents Facebook from entering into an agreement with the Indian government to make Aadhaar mandatory to access WhatsApp or any of its other services. Facebook could also pay data brokers and aggregators to create customer profiles to add to its ever growing data points for tracking and profiling its users.

Security Risks and Liability

A series of data leakages have raised concerns about which private entities are involved, and how they handle personal and sensitive data. In February, UIDAI registered a complaint against three companies for storing and using biometric data for multiple transactions. Aadhaar numbers of over 130 million people and bank account details of about 100 million people have been publicly displayed through government portals owing to poor security practices. A recent report from Centre for Internet and Society (CIS) showed that a simple tweaking of URL query parameters of the National Social Assistance Programme (NSAP) website could unmask and display private information of a fifth of India's population.

Such data leaks pose a huge risk as compromised biometrics can never be recovered. The Aadhaar Act establishes UIDAI as the primary custodian of identity information, but is silent on the liability in case of data breaches. The Act is also unclear about notice and remedies for victims of identity theft and financial frauds and citizens whose data has been compromised. UIDAI has continued to fix breaches upon being notified, but maintains that storage in federated databases ensures that no agency can track or profile individuals.

After almost a decade of pushing a framework for mass collection of data, the Indian government has issued guidelines to secure identity and sensitive personal data in India. The guidelines could have come earlier, and given large data leaks in the past may also be redundant. Nevertheless, it is reassuring to see practices for keeping information safe and the idea of positive informed consent being reinforced for government departments. To be clear, the guidelines are meant for government departments and private companies using Aadhaar for authentication, profiling and building databases fall outside its scope. With political attitudes to corporations exploiting personal information changing the world over, the stakes for establishing a framework that limits private companies commercializing personal data and tracking Indian citizens are as high as they have ever been.

For more details visit https://cis-india.org/internet-governance/news/electronic-frontier-foundation-jyoti-panday-june-1-2017-aadhaar-ushering-in-a-commercialized-era-of-surveillance-in-india

May 2017 Newsletter

praskrishna — 2017-06-17T02:46:03Z

Welcome to the Centre for Internet & Society (CIS) newsletter for May 2017.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
CIS compiled a report that highlighted four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites. Article 19 had put out a call for applications for its Internet of Rights Fellowship in February 2017. Vidushi Marda was selected for Internet of Rights Fellowship. CIS gave inputs on a document on implementing digital accessibility to Ministry of Electronics and Information Technology on May 2, 2017. The 34th session of the Standing Committee on Copyright and Related Rights (SCCR) was held in Geneva from May 1 to 5, 2017. Anubha Sinha participated in the event and a summary report is available here. She made statements on behalf of CIS on the Discussion on Limitations and Exceptions for Libraries and Archives and on the Proposal for Analysis of Copyright Related to the Digital Environment. CIS-A2K’s widely well-regarded flagship skill building program, Train The Trainer and MediaWiki Training was conducted in Kolkata earlier this year. Tito Dutta captured the developments in a blog post. Although it has made the topographic maps or the Open Series Maps available to general public, Survey of India’s (SoI) Nakshe portal will have to go through a variety of litmus test, as the initiative fails to implement the mandates of public sharing of government data using open standards and open license as put forward by the NMP 2005 and NDSAP 2012, said Sumandro Chattapadhyay in an interview with Geospatial World on May 02, 2017. In an interview with nettime.org, Geert Lovink discussed with Ramesh Srinivasan Tech Anthropology Today and "how can we embrace the realities of communities too-often relegated to the margins". In an article published in the Business Standard on May 3, 2017, Shyam Ponappa examined whether policies can be better framed to harness the market potential. Why is so much investment flowing into India's securities markets?

CIS in the news:

130 Million Aadhaar Numbers Were Made Public, Says New Report (The Wire; May 1, 2017 and MensXP.com; May 5, 2017).
Aadhaar Details Of 13.5 Crore People Available On Government Sites (Mahima Kapoor; Bloomberg Quint; May 2, 2017).
Aadhaar numbers of 135 mn may have leaked, claims CIS report (Press Trust of India; May 2, 2017).
Details of 135 million Aadhaar card holders may have leaked, claims CIS report (Hindustan Times; May 2, 2017).
UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals (Shruti Menon; Newslaundry; May 2, 2017).
১৩ কোটি আধার তথ্য ফাঁস চার সরকারি পোর্টাল থেকে! বিস্ফোরক দাবি রিপোর্টে (Amar Bazar Patrika; May 2, 2017).
13 crore Aadhaar numbers on four government websites compromised: Report (Akram Mohammed; New Indian Express; May 2, 2017).
Aadhaar numbers of 135 mn may have leaked, claims CIS report (DNA; May 2, 2017).
Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people (Jikku Varghese Jacob; Manorama; May 2, 2017).
Around 13 crore Aadhaar numbers easily available on government portals, says report (Scroll.in; May 2, 2017).
What privacy? 13 crore Aadhaar numbers accessible on government portals (Anusha Ravi; Oneindia; May 2, 2017).
Govt may have made 135 million Aadhaar numbers public: CIS report (Komal Gupta; Livemint; May 2, 2017).
Aadhaar numbers of 135 mn may have leaked, claims CIS report (The Times of India; May 2, 2017)
Aadhaar data leaks not from UIDAI: Centre (Krishnadas Rajagopal; Hindu; May 3, 2017).
135 MEELLION Indian government payment card details leaked (Richard Chirgwin; The Register; May 3, 2017).
Aadhaar data of over 13 crore people exposed: New report (Indian Express; May 3, 2017).
In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online (Bobins Abraham; The Times of India; May 3, 2017).
Around 130-135M Aadhaar Numbers published on 4 sites alone (Nikhil Pahwa; Medianama; May 4, 2017).
Aadhaar's the largest biometric database globally but it is leaky by design (Rohith Jyotish; Global Voices; May 2, 2017 and Business Standard; May 5, 2017).
Why Aadhaar leaks should worry you, and is biometrics really safe? (Rakesh Mehar; Newsminute; May 4, 2017).
Indian Government says it is still drafting privacy law, but doesn’t give timelines (Vivek Pai; Medianama; May 4, 2017).
आधार नंबर, नाम, पता, बैंक अकाउंट और दूसरी संवेदनशील जानकारियां लीक: CIS रिपोर्ट (Aaj Tak; May 4, 2017).
With digitisation at the forefront, government departments need to be cautious about digital security (Manas Pratap Singh; NDTV; May 4, 2017).
Kashmir: Telecom firms struggle to block 22 banned social media sites (Aijaz Hussain; Livemint; May 4, 2017).
Aadhaar data of 130 millions, bank account details leaked from govt websites: Report (India Today; May 4, 2017).
Aadhaar: Are a billion identities at risk on India's biometric database (Soutik Biswas; BBC News; May 4, 2017 and Rawlson King; Biometric Update.com; May 5, 2017).
135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers (Counterview; May 5, 2017).
Suicide videos: Facebook beefs up team to monitor content (Kim Arora; The Times of India; May 5, 2017).
Aadhaar assurances fail to assuage privacy concerns (Anirban Sen; Livemint; May 5, 2017).
A 13-year-old's rape in TN highlights the major threat online sexual grooming poses to children (Priyanka Thirumurthy; May 6, 2017).
Experts stress on need for enhanced security (New Indian Express; May 6, 2017).
Taking Cognisance of the Deeply Flawed System That Is Aadhaar (Shreyashi Roy; Wire; May 10, 2017).
Plug data leak before imposing Aadhaar (Deccan Herald; May 11, 2017).
Aadhaar data leak: Take precautions while sharing info on websites, MEITy tells all depts (Indian Express; May 11, 2017).
Aadhaar security: Here's how your private information can be protected (Sanjay Kumar Singh; Business Standard; May 11, 2017).
Online Trolls Attack Critics of India's Aadhaar State ID System (Rohith Jyothish; Global Voices; May 31, 2017).
India is building a biometric database for 1.3 billion people — and enrollment is mandatory (Shashank Bengali; Los Angeles Times; May 12, 2017).
Watch: Aadhaar has become a whipping boy: Nandan Nilekani (Alnoor Peermohamed and Raghu Krishnan; Business Standard; May 13, 2017).
Partnership on AI Adds Corporate, NGO Members, Charts Initial Course (Benjamin Romano; Xconomy; May 16, 2017).
WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines? (Soumya Chatterjee; May 16, 2017).
Google, Facebook's AI group adds new members (Jens Meyer; Axios; May 16, 2017).
22 companies join Partnership on AI, begin to study AI's impact on work and society (Alison DeNisco; TechRepublic; May 17, 2017).
Intel, Salesforce, eBay, Sony and others join the grand AI partnership club (CIOL; May 17, 2017).
IT companies in Bengaluru on high alert over WannaCry ransomware (Kiran Parashar K M & Shruthi H M; New Indian Express; May 17, 2017).
Partnership on AI adds new organizations to its network (Madison Moore; Software Development Times; May 17, 2017).
Intel, eBay, SAP, Salesforce y Sony colaborarán en inteligencia artificial (Monica Tilves; Silicon; May 17, 2017).
22 nieuwe leden voor Partnership on AI (Telecom Paper; May 17, 2017).
Provide hacker details, outfit that claimed data leak told (Mahendra Singh; The Times of India; May 18, 2017).
UIDAI asks Centre for Internet & Society to provide hacker details (Mahendra Singh; Economic Times; May 18, 2017).
Hack exposes Zomato's weak protection of customer data, say Cyber experts (Alnoor Peermohamed; Business Standard; May 19, 2017).
What’s Hard To Digest About The Zomato Hacking (Aayush Ailawadi; Bloomberg Quint; May 19, 2017).
UIDAI puts posers to CIS over Aadhaar data leak claim (Press Trust of India and Financial Express; May 19, 2017).
Faking it on WhatsApp: How India's favourite messaging app is turning into a rumour mill (Samarth Bansal; Hindustan Times; May 19, 2017).
Debate over #Aadhaar Turns Nasty as Critics Accuse Supporters of Online Trolling (Ajoy Ashirwad Mahaprahasta; The Wire; May 19, 2017).
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web (Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar; The Times of India; May 19, 2017).
UIDAI goes after org that disclosed government departments were releasing Aadhaar data (Nikhil Pahwa; May 19, 2017).
Developer releases WannaCry key-recovery tool for Windows XP (Cirilo Laguardia; Hoyen TV; May 20, 2017).
Will Aadhaar leaks be used as an excuse to shut out scrutiny of welfare schemes? (Anumeha Yadav; Scroll.in; May 20, 2017).
Microsoft says WannaCry ransomware must be a wake-up call for governments (Journaldu Maghreb; May 20, 2017).
Noida cyber cell gives tips on preventing WannaCry attack (Juana McKenzie; World News Journal; May 20, 2017).
Chinese state media says U.S. should take some blame for cyber attack (Ellis Neal; Villages Suntimes; May 21, 2017).
Zomato hack: You need to enhance online security with a password manager (Sanjay Kumar Singh; Business Standard; May 23, 2017).
Sharad Sharma Apologises for Trolling Aadhaar Critics; Unmasking Ispirit's Controversial Trolling Program (Shweta Modgil; Inc 42; May 23, 2017).
iSpirt's Sharad Sharma: Sorry, I trolled Aadhaar critics (Shalina Pillai and Anand J; The Times of India; May 24, 2017).
Sharad Sharma's case shows how rampant troll culture has become under Modi (Catch News; May 25, 2017).
Aadhaar Card: One Identity, Multiple Disorders (Gaurav Raj; India Saga; May 25, 2017).
Tweets from the afterlife (Heena Khandelwal; DNA; May 28, 2017).
BBMP faces ire for publishing pourakarmikas' Aadhaar details on website (Bharat Joshi; Economic Times; May 29, 2017).

CIS members wrote the following articles

Aadhaar Case: Beyond Privacy, An Issue of Bodily Integrity (Amber Sinha and Aradhya Sethia; Quint; May 1, 2017).
Digital native: Free speech? You must be joking! (Nishant Shah; Indian Express; May 14, 2017).
Digital native: Look before you (digitally) leap (Nishant Shah; Indian Express; May 28, 2017).

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

Submission

Comments on the draft Policy on IT Accessibility for People with Disabilities (Nirmita Narasimhan; May 19, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Copyright

Blog Entries

34th SCCR: A Summary Report (Anubha Sinha; May 15, 2017).
34th SCCR: CIS Statement on the Proposal for Analysis of Copyright Related to the Digital Environment (Anubha Sinha; May 15, 2017).
34th SCCR: CIS Statement on the Discussion on Limitations and Exceptions for Libraries and Archives (Anubha Sinha; May 15, 2017).
34th SCCR: Observer Statements on Proposal for Analysis of Copyright related to the Digital Environment (Anubha Sinha; May 30, 2017).
34th SCCR: Observer Statements on Limitations and Exceptions for Educational and Research Institutions (Anubha Sinha; May 30, 2017).
34th SCCR: Observer Statements on Limitations and Exceptions for Libraries and Archives (Anubha Sinha; May 30, 2017).

Participation in Event

Fixing Copyright for Education (SCCR34 Side Event) (Hosted by Communia, EIFL, Creative Commons, and PIJIP; May 5, 2017). Anubha Sinha was a speaker.

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Wiki Loves Mayabazaar (Pavan Santhosh; May 1, 2017).
Marathi Wikipedia Symposium at Gokhale Institute Of Politics & Economics (Subodh Kulkarni; May 1, 2017).
Digitisation, Wikimedia Commons and Wikisource Orientation Workshop at Vigyan Ashram, Pabal, Pune District (Subodh Kulkarni; May 4, 2017).
Thematic Edit-a-thon at J.P.Naik Centre for Education & Development, Pune (Subodh Kulkarni; May 10, 2017).
Train The Trainer 2017 (Manasa Rao; May 10, 2017).
Continuing community engagement: Communities of interest and Quarrying (Manasa Rao; May 19, 2017).
Preliminary research result on Wikipedia gender gap in India (Ting-Yi Chang; May 22, 2017).
MediaWiki Training 2017 (Tito Dutta and Ananth Subray; May 23, 2017).
Mini TTT and MWT held in Kolkata (Tito Dutta; May 23, 2017).

Note: The workshops for the above blog posts were held earlier but the reports were published during the month of May.

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Blog Entry

SoI’s Open Series Maps Fails to Implement Public Sharing of Govt Data (Geospatial World; May 4, 2017). Sumandro Chattapadhyay was interviewed.

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Freedom of Speech and Expression

Submission

Comments from the Centre for Internet and Society on Renewal of .NET Registry Agreement (Vidushi Marda with inputs from Pranesh Prakash and Sunil Abraham; May 31, 2017).

Event Organized

Communication Design and Visualising Information (CIS, Bengaluru; May 5, 2017). Saumyaa conducted a session on the broad principles of communication design and visualising information.

Participation in Events

World Press Freedom Day 2017 (UNESCO and the Digital Empowerment Foundation; New Delhi; May 3, 2017). Udbhav Tiwari participated in the event.
Consilience 2017 - A Conference on Artificial Intelligence & Law (Organized by National Law School of India University; May 20, 2017). Vidushi Marda was a panelist.

►Privacy

Submission

Comments on the Statistical Disclosure Control Report (Srinivs Kodali and Amber Sinha; May 2, 2017).

Blog Entry

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information (Amber Sinha and Srinivas Kodali; May 1, 2017).

Events Organized

Stand Shielded of Digital Rights (CIS; New Delhi; May 5, 2017). Amutha Arunachalam gave a talk.
Meeting on Proactive Disclosure and Personal Data (CIS; New Delhi; May 13, 2017).

Participation in Events

4th National Standards Conclave Evolving a Comprehensive National Strategy for Standards Sectoral and Regional Inclusiveness (Organized by Ministry of Commerce and Industry and the Confederation of Indian Industry; May 1 - 2, 2017).
Stockholm Internet Forum 2017 (Organized by Swedish International Development Cooperation Agency; Stockholm; May 15 to 18, 2017). Elonnai Hickok was a panelist in the session, "Private sector and civil society collaboration to advance freedom online".
Open house on information breaches (Organized by Has Geek; Bengaluru; May 26, 2017). Udbhav Tiwari was a speaker.
T20 Germany and Beyond: Digital Economy (Organized by GIZ and EPF; May 29 - 30, 2017). Elonnai Hickok participated in a round-table discussion.

-----------------------------------

Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Newspaper Column

Policies to Sustain India's Market (Shyam Ponappa; Business Standard; May 3, 2017 and Organizing India Blogspot; May 4, 2017).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Blog Entry

Tech Anthropology Today: Collaborate, Rather than Fetishize from Afar (Geert Lovink and Ramesh Srinivasan; nettime.org; May 16, 2017).

Participation in Event

Consultative Meeting for a Digital Archive Lab (Organized by Ambedkar University, New Delhi; May 20, 2017). P.P. Sneha participated in the meeting.

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit https://cis-india.org/about/newsletters/may-2017-newsletter

Online Trolls Attack Critics of India's Aadhaar State ID System

praskrishna — 2017-06-07T13:34:00Z

India's biometric state ID system has been leaking citizens’ data for months. When this information surfaced in April 2017, it stoked fears that the system could be used as an instrument of surveillance against Indian residents.

The blog post by Rohith Jyothish was published by Global Voices on May 31, 2017.

The Unique Identity Authority of India (UIDAI), which administrates the system known as Aadhaar (meaning foundation in Hindi) maintains that it only collects minimal personal data and stores it securely. But critics have firmly expressed doubts about these claims.

The implications of these leaks, and of any system flaw in Aadhaar technology, are substantial, especially for Indians who depend on the Aadhaar system in order to authenticate their identities when they use any number of government services. The Aadhaar system has become the gatekeeper of state systems and services ranging from voting to financial savings to food subsidies.

The digital sphere is now starting to see a pushback against Aadhaar critics through articles and blogposts that describe concerned citizens and privacy experts as the ‘anti-Aadhaar brigade‘ and accuse them of publishing “half-truths” and “spread[ing] confusion to advance their own interests.” One such article was even featured on the UIDAI website.

Some of the most well-researched critiques of the system have come from the Centre for Internet and Society (CIS), an inter-disciplinary research organisation in Bangalore that has now become a target of the pro-Aadhaar lobby. Shortly after CIS released a report that pointed out security flaws in the Aadhaar ecosystem, the UIDAI accused the organization of hacking into the Aadhaar system themselves.

In fact, CIS had investigated databases of four specific government websites. Three were available publicly, the fourth one was accessible by simply changing one of the URL parameters. Following the accusation from UIDAI, CIS clarified that the Aadhaar numbers along with other sensitive personal financial information like bank account details were made available by government websites themselves, putting a sizeable portion of Indian citizens at risk of financial fraud.

The Press Trust of India (India's largest news agency) referred to it as a “flip-flop”, which was contested by researchers at CIS.

Independent technology news platform Medianama reported that the accusation by the UIDAI is regrettably consistent with previous actions in which they filed a case against a journalist for exposing flaws in Aadhaar's enrollment mechanism.

A website called ‘Support Aadhaar‘ and its Twitter handle sought to collate opinions supporting Aadhaar and quell those speaking against it. However, most of their messages appear to evade or deflect the concerns that critics have raised by touting the benefits of the system and portraying critics as having a poor understanding of the benefits of technology.

Many Twitter users have also begun noticing patterns in the pro-Aadhaar posts:

Meanwhile, several critics of Aadhaar have repeatedly been trolled by anonymous handles on Twitter. These ‘sock puppet’ accounts seemed to be targeting those who criticise Aadhaar on social media.

One of the most active trolls issued an open challenge to reveal their identity with just their Aadhaar number. Technology entrepreneur Kiran Jonnalagadda accepted the challenge and found that ‘@Confident_India’, one of the many anonymous troll Twitter handles, is Sharad Sharma, the co-founder and director of iSPIRT Foundation (Indian Software Product Industry Roundtable), the software lobby that built the backbone of the Aadhaar ecosystem.

Sharma accidentally tweeted a denial from the troll account which has since been deleted. He then tweeted again from his personal handle which was captured.

iSPIRT officially denied allegations by Jonnalgadda that the “evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.” India Stack is the digital infrastructure that has been built over Aadhaar.

But several other Twitter users have confirmed that Sharma's phone number is linked to ‘@Confident_India’. By their own admission, iSPIRT seemed to have an officially sanctioned project intended to systematically challenge anti-Aadhaar campaigners in online platforms. But they refuse to term these actions as “trolling”.

However, Sharma later made an apology for trolling and called it a “lapse of judgement”. CIS Executive Director Sunil Abraham seemed to appreciate the message. He tweeted: Bravo to @sharads for this! All of us at @cis_india look fwd to collaborating with @Product_Nation & @sharads to serve Indian s/w sector. https://twitter.com/sharads/status/866943195678035968 …

iSPIRT is an initiative which finds far-reaching support from several IT industry leaders in India. What is worrying is that there is still no clarification from iSPIRT on the identities of the other anonymous trolls and their position on trolling against genuine concerns raised by citizens.

More than a week after the trolling revelations, iSPIRT announced on its website, the results of an investigation carried out by an Internal Guidelines and Compliance Committee over the allegations against Sharma of operating the anonymous handles, ‘@Confident_India’ and ‘@Indiaforward2′. Jonnalgadda was one of the trolling victims who testified in the internal meeting. A summary of the investigation was posted bafflingly by the accused himself in which he says that project Sudham has been dissolved and that he has been told to not make public appearances on behalf of iSPIRT for four months while he remains Director and the face of the organisation. FactorDaily reported that iSPIRT members on the condition of anonymity said that Pallav Nadhani (Founder, Chief Executive, FusionCharts) and Naveen Tewari (Co-founder, InMobi) who quit iSPIRT were upset with their excessive focus on India Stack.

One wonders whether this kind of behavior would be treated differently if it took place offline. Is intimidating those who appear to be ‘detractors’ the most effective way of dealing with criticism? Why is a software lobby taking it upon themselves to defend the idea of Aadhaar and India Stack through such means?

Many are hoping that experts on both sides of the issue can find a way to debate questions around the privacy and security of Aadhaar's technology — that affect some 1.3 billion people — in a more democratic way.

For more details visit https://cis-india.org/internet-governance/news/global-voices-rohith-jyothish-may-31-2017-online-troll-attack-critics-of-indias-aadhaar-state-id-system

Sharad Sharma Apologises for Trolling Aadhaar Critics; Unmasking Ispirit's Controversial Trolling Program

praskrishna — 2017-05-26T01:08:09Z

Last weekend I was at Aditi Mittal’s standup comedy show in Mumbai where she made a cheeky remark that stayed with me – “Do you guys know what India’s soft power is today? It is trolling!”

The blog post by Shweta Modgil was published by Inc 42 on May 23, 2017.

While she was poking fun at the Snapchat-Snapdeal-Evan Spiegel controversy, in a bizarre coincidence those words came back to haunt me three days later. That was when one of biometric authentication system Aadhaar’s most vocal critics, Kiran Jonnalagadda, co-founder of Internet Freedom Foundation (IFF), an advocacy group, revealed in a series of tweets that @Confident_India, one of the anonymous accounts arguing in favour of Aadhaar and attacking its critics on Twitter, was being operated by none other than Sharad Sharma, the founder of software products think tank iSPIRT.

At the time, Sharad had completely denied that he was tweeting from an anonymous account. But today, on Twitter, Sharad apologised for the anonymous trolling on Twitter.

In a tweet, Sharad stated that “There was a lapse of judgement on my part. I condoned tweets with uncivil comments. So I’d like to unreservedly apologise to everybody who was hurt by them.”

He added that “Anonymity seemed easier than propriety, and tired as I was by personal events and attacks on iSPIRT’s reputation, I slipped.” Furthermore, he stated that he would not be part of anything like this again or allow such behaviour to continue. He also revealed that an iSPIRT Guidelines and Compliance Committee (IGCC) has been set up to investigate the matter and recommend corrective action.

On Catching a Troll

On 17 May, Kiran tweeted out a revelation, which shook a lot of people – “Have we caught an Aadhaar troll?” Kiran used Twitter’s account reset option on Confident_India with Sharad Sharma’s number to see if it is was accepted. And, as per a screenshot posted by him, it did.

This was further corroborated by many other Twitter users. Medianama’s Nikhil Pahwa (and co-founder of IFF) also confirmed the same, tweeting that the troll account does link to Sharad Sharma.

In a detailed Medium post, Kiran then revealed how he investigated the rise of anonymous Twitter accounts and trolls responding to critics of Aadhaar. But what he revealed next was the shocking part – that at the 27th Fellows meeting of the think tank, a plan was hatched to respond to critics of India Stack which involved the use of trolls. A group called Sudham, created earlier, divided people who were broadcasting different views on Aadhaar, into different categories and then underlined various proposals on dealing with them. One of the groups called “archers” was entrusted to carry out the mainstream debate, while another group of “swordsmen” was entrusted to challenge people who were categorised as informed yet “trolling.” Swordsmen would do this by coordinating on WhatsApp with quick responses and in numbers.

Kiran got a hold of the presentation and also shared how one controversial slide also showed a detractor matrix.

It is this slide which Kiran uses to illustrate the fact that: “ iSPIRT has an officially sanctioned trolling program where the trolls coordinate on WhatsApp and attack together on Twitter, exactly the behaviour seen in all the tweets above—and I’ve only covered the leader’s tweets. There are at least a dozen known troll accounts that attack in packs.”

First Denial

Back when the information was first revealed, Sharad Sharma responded by denying that he was tweeting from the @Confident_India Twitter account.

He further added that he was in for a family emergency in the US. And that he was clueless as to why his number was linked with that account.

But, interestingly, what roused the investigator’s suspicions was that Sharad shared the same denial from another troll account @indiaforward2 – which was captured by another Twitter user before it was deleted.

The denial from Sharad’s true account came half an hour later. But the damage had been done and all fingers pointed in the direction of Sharad Sharma engaging in trolling from those accounts. Kiran then wrote another damning post on Sharad’s dubious denial.

As can be guessed, all the tweets related to this matter from Sharad’s and Indiaforward’s accounts have been deleted. The last tweet from Confident India’s account on 17 May professed that he is not Sharad Sharma.

Meanwhile, iSPIRT finally responded to Kiran’s revelations on Medium –“We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.”

The post further explained that in its Fellows meeting held in February and April 2017, it did address the issue of the chatter around India Stack. It says, “Our volunteer, Tanuj Bhojwani, led the discussion and we outlined our strategy for dealing with our detractors. The slide in question is clearly titled “Detractor Matrix.” The slide outlines how we classify those speaking against India Stack, and how we are engaging with them. We called one category of people “informed yet trolling (IYT),” a category of people deliberately misleading people, despite understanding the nuance behind the debate.”

The post admitted that the think tank encouraged volunteers to respond to these IYT Twitter handles directly from their own personal handles. However, at no point did it endorse or recommend anonymous trolling.

“We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.”

It concluded with: “Kiran’s motivated misrepresentation of the slides perhaps speaks to his biases against iSPIRT.” The post added that it plans to investigate the confusion around the alleged mobile number and account link and clarify all outstanding questions.

Meanwhile coming back to trolling from where we started. Though Sharad’s apology did not say directly whether he operated the two Twitter accounts — @Confident_ India and @Indiaforward2 — which he was suspected of using for trolling- he signs off by saying that he requests “those who I have disappointed to look at this as an exception.”

The Aadhaar Controversy

While the series of incidents raises many doubts over an esteemed organisation such as iSPIRT, the controversy over Aadhaar, India’s massive biometric identification programme, has been raging for many months now.

Over the last few months, it has come under fire for not addressing the privacy concerns of an individual and leaking individual data. Aadhaar critics have pointed out that it is more a mass surveillance tool, can lead to identity thefts, and linking basic services with it spells doom.

This month, a CIS (Centre for Internet and Society ) report revealed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals, due to lack of IT security practices. The report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about the address, photographs, and financial data. It also added that as many as 100 Mn bank account numbers could have been “leaked.”

However, on May 16, the CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is at “best characterised as an illegal data disclosure or publication and not a breach or a leak.” It also claimed that some of its findings were “misunderstood or misinterpreted” by the media and that it never suggested that the biometric database had been breached.

Meanwhile, the Aadhaar-issuing authority UIDAI has asked CIS to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. The UIDAI also wants CIS to clarify what kind of “sensitive data” is still with the Centre or anyone else. The UIDAI has strongly denied any breach of its database and has asked CIS to provide details such as the servers where the downloaded “sensitive data” is stored.

While the security of the above-mentioned Aadhaar data is still being debated, the government’s push towards making it compulsory across industries has become a major topic of debate in India.

From linking bank accounts, to PAN numbers, to obtaining free gas connections under the Pradhan Mantri Ujjwala Yojana, to linking scholarships to linking Aadhaar numbers to social welfare schemes for electronically disbursing money to specific beneficiaries, or the Aadhaar-enabled Payment System (AEPS), the government has been pushing on with Aadhaar to make it a mandatory ID rather than the voluntary one it was envisaged to be originally. India still does not have a data protection and privacy law and making Aadhaar mandatory in such a country is not without risks.

Given the fact that the UIDAI cannot afford to carry out authentication-based rollouts across schemes in haste as the failure rate of AEPS can lead to denial of direct benefits, it makes more sense to retain Aadhaar as a voluntary authenticator, at least until the government solves on-ground issues around Aadhaar-based authentication. Because any failure can erode public faith in Aadhaar as the beneficiary would not get his rightful ration over authentication failure— and, to that extent, in the government itself. So, for beneficiaries who depend on public distribution systems (PDS) for rice, sugar, kerosene or oil, authentication failure is a serious problem.

It is to this effect that PILs (public interest litigation suits) have been filed in the Supreme Court stating that making Aadhaar compulsory is illegal and would virtually convert citizens into “slaves” as they would be under the government’s surveillance all the time. The Supreme Court had itself stated in August 2015 that Aadhaar cards will not be mandatory for availing benefits of government’s welfare schemes and had also barred authorities from sharing personal biometric data collected for enrollment under the scheme.

Last month too, it lambasted the Narendra Modi-led BJP government at the Centre for making Aadhaar card a mandatory prerequisite to avail government services. The court will examine all applications against Aadhaar on June 27 2017, while the government remains steadfast on not extending the deadline of June 30 by which various schemes such as the grant of scholarships, Sarva Shiksha Abhiyan and various other social welfare schemes were to seek mandatory Aadhaar number.

While the debate rages on, controversies keep on piling up. Recently, linking people living with HIV/ AIDS with Aadhaar cards has allegedly driven away patients from hospitals and antiretroviral therapy (ATR) centres in Madhya Pradesh. As per health department sources, the MP State AIDS Control Society made Aadhaar card number compulsory from February this year for those affected by the virus to get free medicines and treatment in accordance with the Central government’s policy making Aadhaar mandatory to avail benefits of any government scheme.

However, this led to negative fallout as many patients and suspected victims started avoiding ATR centres and district hospitals after the new rule came into effect. The patients feared that the compulsory submission of Aadhaar card to get free medicines and medical check-ups could lead to the disclosure of their identity, inviting social stigma.

While there is no denying the fact that, in a welfare state, technology can play a big role in enabling the state to hand out entitlements more efficiently and distribute public services at scale. But doing the same at the cost of an individual citizen’s privacy and resting it all on one mandatory number whose authentication is still not completely foolproof, is hardly the way a welfare state would like to operate.

For more details visit https://cis-india.org/internet-governance/news/inc42-may-23-2017-shweta-modgil-sharad-sharma-aplogises-for-trolling-aadhaar-critics

Aadhaar Card: One Identity, Multiple Disorders

praskrishna — 2017-05-26T00:01:54Z

It is still hazy to see the desperation of the union government to imposing the Aadhaar Card mandatory when matters related to Aadhaar Card are already sub judice.

This was blog post by Gaurav Raj was published by India Saga on May 25, 2017.

The constitutionality of Aadhaar is yet to be decided by the Supreme Court, however, the enrolment of Aadhaar has reached the mark of more than one billion. Recently, the government declared Aadhaar mandatory to file Income Tax Return (ITR) while the Supreme Court is opined not to treat Aadhaar mandatory, but voluntarily. Now it is imperative of the government to confide the citizens that the Aadhaar information- demography and biometrics-are in safe hands, a debate which has been heating up, and the contempt of the court’s decision by the government is for greater good. But the uproar against the speculation of identity revelation threat and possible misuse of Aadhaar details by the government-corporate nexus, plausible reasons to doubt the security of privacy, which is a fundamental right of Indian citizen. Ironically, after the Finance Minister Arun Jaitley defended the ‘Aadhaar Money Bill controversy’ filed by former congress MP Jairam Ramesh in the court, the Supreme Court is in dilemma and yet to decide whether ‘Right to Privacy' is a fundamental right or not.

Why Aadhaar Card Mandatory?

Nandan Nilekani, the co-founder of Infosys and the ideologue of Aadhaar, said that Aadhaar will change the PDS system in India since it ensures no ghost or fake beneficiaries to avail unentitled benefits of the various welfare schemes and subsidies. Nilekani also says that there might be margin of error up to 5 per cent in distributing the subsidies or benefits of various welfare schemes to the masses. The top-honcho technocrat has also defended Aadhaar that any breach of privacy of citizens is not possible as the Unique Identification Authority of India (UIDAI) is efficient to secure the public data under CIDR.

The government claims that the corruption-mounted Public Distribution System (PDS) in India is reformed due to the introduction of the 12 digit unique identification number. More than 40000 crore have been saved in the form of exchequer due to curb of fake and ghost beneficiaries in the PDS system. Now if we believe Nilekani claim of 5% error, then more than 5 crore beneficiaries would be losing their benefits due the error in the biometric identification. The Infosys co-founder later said that if there is a margin of error then ‘One Time Password’ (OTP) comes in. However, he didn’t define what if there is a congestion of network in the remotest Indian villages where phone signals are rare? Standing on the PDS shop waiting for food grains and network, is certainly not an ideal way to avail the benefits of the government welfare schemes. In 2011, activist and writer Ruchika Gupta said in an interview to Tahalka, “The UID cannot address the bulk of delivery problems in the two of the biggest social sectors programmes like MGNREGA and PDS. Linking UID with social sector legislation is completely baseless.”

PAN Card Linked with Aadhaar Card?

The government has directed the Reserve Bank of India to make Aadhaar mandatory for Income Tax Return filing. Currently, there are approximately 24.37 crores PAN holders in India, however 3.8 crore people file income tax return every year. There have been cases of people owned not more than one but 100 PAN Cards with them. PAN cards in India are mostly used by the citizens as a proof of identity. The government believes that PAN card linking with Aadhaar will curb the tax evasion.

How Safe Is Your Data In This Panopticon Model Of Mass Surveillance?

In the late 18th century, the well-known English social reformer and jurist Jeremy Bentham wanted to build a ‘panoptican’ for a mass surveillance of the prisoners in England. He advocated designing an institutional building be used to keep an eye on all the jail inmates by a single watchman. Very similarly, India is witnessing the biggest surveillance program ever under the name of single identity and availing benefits of governments’ schemes. Another logic behind enrolment of Aadhaar is the ‘national security’. National security? How can any government ensure national security backing Aadhaar, when international companies have been hired in consortium to collect residents’ biometric and demography details? In 2010, Accenture, Mahindra-Satyam Morpho and L1 identity solutions were pooled in by UIDAI for leveraging de-duplication exercise of Aadhaar and data collection. L1 Identity Solutions’ top brasses are the former Director CIA George Tenet and former Homeland Security deputy secretary Adm James. With its headquarters in Connecticut, this company is one of the biggest defence contractors specialised in facial recognition and biometrics. L1 Identity Solutions and Accenture work in a close affinity to US intelligence agencies. This is an age of information. Corporate houses and big telecom players are dying to get details of consumers. Obvious are the concerns about the safety and security of the people’s data. It is feared that the database can be used for various marketing and business purposes.

CIDR, A Single Database Of People’s Data

Central Identities Data Repository (CIDR) is a data management and storing agency in India which is initiated for the Aadhaar project. It is regulated by the statutory body of Unique Identification Authority of India (UIDAI). This centralised database is probably one of the biggest repositories on this planet.

In 2010, experts had claimed that more than a thousand government sites and portals were attacked more than 4000 times by China alone in one year. In April 2011, 77 million Sony Playstations and digital media delivery service Qriocity were hacked which resulted into a shutdown of the network for a week. The London School of Economics also reported that a central database of vulnerable to hacking and other terrorist and cyber crime activities. Recently Wannacry Ransomware virus hits the globe. More than 99 countries were affected.

Building one single repository for billions of Aadhaar Card data seems to be a big risk in the most vulnerable country where dat breach is at most.

Data Leak Crisis

UIDAI has so far spent approximately 5982.62 crores for more than a billion enrolments of Aadhaar Cards. 1615.34 crores have been spent between the financial year 2015-2016. Centre for Internet and Society, Bengaluru-based organization (CIS) has learned that data of more than 130 million Aadhaar card holders has been leaked from four government websites. They are National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payments Reports of NREGA. It also includes Bank details and other confidential details of millions of residents.

What is Next?

The Lok Sabha has passed the Aadhaar Bill as Money Bill. Mukul Rohatgi said in the Supreme Court that according to Article 110 of the constitution, there is use of consolidated funds of India so the bill is a Money bill. Chief Justice Khehar said, “Your object might be good but whether it is a ‘Money Bill’ or not is the question.” Justice Ramana referred to a 2014 judgment passed by the Apex court that courts had no jurisdiction over procedurals matters of legislative.” In response P. Chidambram, the counsel for Jairam Ramesh said, “This petition is not about a procedural matter. There has been substantive infraction.”

For more details visit https://cis-india.org/internet-governance/news/the-indiasaga-may-25-2017-aadhaar-card-one-identity-multiple-disorders

April 2017 Newsletter

praskrishna — 2017-05-20T12:59:17Z

Welcome to the CIS newsletter for April 2017.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In a report on the information security practices of Aadhaar, Amber Sinha and Srinivas Kodali documented numerous instances of publicly available Aadhaar numbers along with other personally identifiable information of individuals on government websites. CIS along with like minded organizations made a submission to the Government of India to frame a feasible accessibility guidelines for mobile apps since there is no single standard in existence at the moment. A two-day 100 Women Edit-a-thon was held in March 2017 by CIS-A2K team along with Odisha's biggest newspaper Sambad. The event was inspired by BBC’s 100 Women series and edit-a-thons with the same name in December 2016. More than 20 female journalists participated and registered as new Odia Wikipedians. On March 31, 2017, the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training released a Circular framing rules under the Right to Information Act, 2005 (“RTI Rules”). The Ministry invited comments on on the RTI Rules. CIS submitted its comments. In an article originally published in Hindu Businessline on March 31, Sunil Abraham lists out 11 reasons why Aadhaar is not just non-smart but also insecure. Shuttleworth Foundation has announced Sunil Abraham as Honorary Steward for its September 2017 fellowship round. CIS worked on a three part case study. The first case study on digital protection of traditional knowledge was published by GIS Watch in December 2016. The other two case studies along with the synthesis overview has also been published.

CIS in the news:

NGOs, individuals urge state CMs to curb Internet shutdown (The Times of India; April 4, 2017).
India’s National ID Program May Be Turning The Country Into A Surveillance State (Pranav Dixit; BuzzFeed News; April 4, 2017).
Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter (Neha Vashishth; India Today; April 6, 2017).

Bengaluru cops' twitter handle in ethical storm (Umesh Yadav; The Times of India; April 6, 2017).

Opposition questions govt move to make Aadhaar must (Komal Gupta; Livemint; April 12, 2017).
Aadhaar: A widening net (Komal Gupta, Apurva Vishwanath and Suranjana Roy; Livemint; April 21, 2017).
Chemistry research in India 'still not in big league' (IANS and India Online News Portal; April 24, 2017).
Stop the Haphazard Internet Shutdown Says MP Jay Panda (Regina Mihindukulasuriya; Businessworld; April 26, 2017).
Now, Aadhaar details displayed in Mizoram too (Sebastian P.T.; National Herald; April 26, 2017).
After SPB-Ilaiyaraaja, Sony Music and Sun Network lock horns over copyrights (Priyanka Thirumurthy; Newsminute; April 26, 2017).
Analysis: Data Protection in India - Getting It Right (Suparna Goswami and Varun Haran; Info Risk Today; April 26, 2017).
India bans social media in Kashmir for one month (Telegraph; April 27, 2017).
J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts (Shruti Dhapola; Indian Express; April 28, 2017).

CIS members wrote the following articles:

How Aadhaar compromises privacy? And how to fix it? (Sunil Abraham; Hindu; April 1, 2017).
Digital native: You can check out, you can never leave (Nishant Shah; Indian Express; April 2, 2017).
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’ (Pranesh Prakash; Hindustan Times; April 3, 2017).
It’s the technology, stupid (Sunil Abraham; Hindu Businessline; April 7, 2017).
Privacy in the Age of Big Data (Amber Sinha; Asian Age; April 10, 2017).
Digital native: Are You Still Having Fun? (Nishant Shah; Indian Express; April 17, 2017).
Digital native: Snap out of outrage mode (Nishant Shah; Indian Express; April 30, 2017).

Submission

Mobile Accessibility Practices (Nirmita Narasimhan; April 12, 2017).

Event

Global Accessibility Awareness Day 2017 (Organized by Prakat Solutions, Mithra Jyothi and CIS; Bengaluru; May 18, 2017).

-----------------------------------

Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Note: All the following events were held earlier but the reports were published in the month of April:

Women's Day Edit-a-thon at Jeewan Jyoti Women's Empowerment Centre, Pune (Subodh Kulkarni; April 10, 2017).
Marathi Wikipedia Edit-a-thon at Savitribai Phule Mahila Ekatma Samaj Mandal, Aurangabad (Subodh Kulkarni; April 13, 2017).
Google-translated Telugu articles prioritisation exercise: January iteration (Pavan Santhosh; April 15, 2017).
Telugu Wikipedia stall at Vijayawada Book Festival (Pavan Santhosh; April 15, 2017).
Women's Day Edit-a-thon at Jnana Prabodhini (Subodh Kulkarni; April 15, 2017).
Bargarh Manuscript Digitisation Project (Sailesh Patnaik; April 16, 2017).
Imperial College Orientation Program, Bargarh (Sailesh Patnaik; April 16, 2017).
Orientation & Training session for Environmental Activists in Satara (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Rajarshi Chhatrapati Shahu College, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Shivaji University, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Sangli, Maharashtra (Subodh Kulkarni; April 16, 2017).
Orientation & Training session of Jalbiradari Activists (Subodh Kulkarni; April 16, 2017).
"Free-license Wings To Your Books" in Guntur (Pavan Santhosh; April 16, 2017).
"Free-license Wings To Your Books" in Vijayawada (Pavan Santhosh; April 16, 2017).
Adikavi Nannaya University Telugu Wikipedia Workshop (Pavan Santhosh; April 16, 2017).
Odia Wikipedia Workshop in IIMC, Dhenkanal (Sailesh Patnaik; April 17, 2017).
Sambad 100 Women Edit-a-thon (Ting Yi Chang and Sailesh Patnaik; April 18, 2017).
Google-translated Telugu articles prioritisation exercise: February iteration (Pavan Santhosh; April 18, 2017).

►Copyright and Patent

National Conference on Intellectual Property Rights and Public Interest (Organized by Indian Law Institute; New Delhi; April 7 - 8, 2017). Maggie Huang took part in the event.

►Openness

Publication

Economic, Social and Cultural Rights in India: Opportunities for Advocacy in Intellectual Property (Sunil Abraham and Vidushi Marda; GIS Watch and Association for Progressive Communications; April 23, 2017). Total 4 reports: Synthesis Overview, Access to Mobile Technology, Traditional Knowledge Digital Library, and FOSS and Open Standards.

Submission

Comments on the Right to Information Rules, 2017 (Amber Sinha; April 27, 2017).

Event Organized

NASA Space Apps Challenge 2017 (CIS, Bengaluru, April 22, 2017).

-----------------------------------

Internet Governance
-----------------------------------

►Privacy

Blog Entries

Analysis of Key Provisions of the Aadhaar Act Regulations (Amber Sinha; April 3, 2017).
Right to be Forgotten: A Tale of Two Judgements (Amber Sinha; April 7, 2017).

►Free Speech and Expression

Blog Entries

Killing of Yameen Rasheed Reveals Worsening Human Rights Situation in the Maldives (Pranesh Prakash; April 25, 2017).
Internet Shutdowns in 2016 (Japreet Grewal; April 27, 2016).

►Miscellaneous

Blog Entry

Regulating Bitcoin in India (Vipul Kharbanda; April 20, 2017).

Event

Amutha Arunachalam - Stand Shielded of Digital Rights (CIS; New Delhi; May 5, 2017).

Participation in Event

ISO/IEC JTC1/SC 27 Meetings (Organized by Bureau of Indian Standards; University of Waikato and Novotel; New Zealand; April 18 - 25, 2017). Udbhav Tiwari attended the meetings.

►Cyber Security

Event Organized

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (CIS; New Delhi; April 7, 2017).

Participation in Event

Brainstorming Session on the Global Conference on Cyberspace (GCCS 2017) (Organized by the Ministry of Electronics & Information Technology; New Delhi; April 12, 2017). Japreet Grewal attended the session.

-----------------------------------

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/april-2017-newsletter

February 2017 Newsletter

praskrishna — 2017-05-20T12:46:41Z

Welcome to the February 2017 newsletter of the Centre for Internet & Society (CIS).

Dear readers,

We are pleased to bring you the Centre for Internet & Society's February newsletter. Previous issues of the newsletters can be accessed here.

Highlights
Submitted comments on the Vision Document 2030 published by the Department of Empowerment of Persons with Disabilities in February 2017. Our submission recommended that the vision articulate more clearly in terms of quantifiable targets what it seeks to achieve at different points of time and that these targets are not so minimally set as to undermine the aims of the Act and the national commitments outlined therein. Ting-Yi Chang wrote an article on the state of women editors in Wikipedia. In a write-up published by Your Story on February 7, Ting-Yi explored the reasons for the low percentage of women centric articles on the social media platform and how could the gender gap be bridged. In a research paper Anisha Gupta has assessed the privacy protections under 15 e-governance schemes. The paper analysed the schemes rolled out by the government, starting from 2010. Amber Sinha, Vanya Rakesh and Vidushi Marda authored a research paper that has sought to understand the most effective way of researching Big Data in the Global South. The second edition of the Internet Researchers' Conference, an annual conference initiated by CIS to bring researchers, academicians and others on a common platform to share insights and chart the way foreword was held in Bengaluru. Divij Joshi and Aditya Chawla in a report studied five Indian telecommunication companies and three Indian online service providers. The report has evaluated the practices and policies of companies which provide internet infrastructure or internet services, and are integral intermediaries to the everyday experience of the internet in India. General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. In this light CIS requests you to take part in a survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union.

CIS in the news:

India WhatsApp Privacy Fight May Affect Multinationals (Nayanima Basu; Bloomberg BNA; February 1, 2017).
Crowdsourced innovation for government projects and services is easier said than done (Kunal Talgeri; The Times of India; February 3, 2017).
Giving out your fingerprint for Aadhar payments is as bad as telling the seller your banking password (Nimish Sawant; First Post Tech 2; February 3, 2017).
Don't dive headlong into money-making schemes on the internet (Sanjay Kumar Singh; Business Standard; February 7, 2017).
Indian public concerned about fingerprint payment scheme (Rawlson King; Biometricupdate.com; February 9, 2017).
India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable (Mashable India; February 14, 2017).
No Genie At Your Fingertips (Arindam Mukherjee; Outlook; February 20, 2017).
LinkedIn will help people in India train for semi-skilled jobs (John Riberio; IDG News Service and mirrored on CIO Blog; February 21, 2017).
India To Let Private Companies Access Citizens’ Biometric Data (Joshua Kopstein; Vocativ; February 21, 2017).
Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally (Outlook; February 24, 2017).

CIS members wrote the following articles:

Digital Native: Do not go Gently into the Good Night (Nishant Shah; Indian Express; February 9, 2017).
Digital Native: Who will Watch the Watchman? (Nishant Shah; Indian Express; February 19, 2017).
Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar? (Amber Sinha; Wire; February 21, 2017).

Jobs

Policy Officer (Cyber Security)
Senior Policy Officer (Cyber Security)
Internship - Application accepted throughout the year
Survey Participants for Research on Musician Livelihood

Submission

Comments on Department of Empowerment of Persons with Disabilities 'Vision Document 2030' (Nirmita Narasimhan; February 28, 2017).

►Wikipedia

Blog Entries

Marathi Wikipedia Edit-a-thon (Subodh Kulkarni; February 8, 2017)
Only 8.5pc of Wikipedia Editors are Women. How do we fix the Gender Gap on the Internet? (Ting-Yi Chang; February 9, 2017).
WikiTungi: Bhubaneswar City Wiki Community Turns 1 (Sailesh Patnaik; February 27, 2017).

Event Organized

Marathi Wikisource & Digitisation Workshop (Organized by CIS, Maharashtra Granthottejak Sanstha, Maharashtra Knowledge Corporation Limited and Jnana Prabhodini; Jnana Prabodhini, Sadashiv Peth, Pune; February 17, 2017 and C Trade Tower, Senapati Bapat Road, Pune; February 18, 2017).

-----------------------------------
Internet Governance
-----------------------------------

►Privacy

Research Papers

Comparison of General Data Protection Regulation and Data Protection Directive (Aditi Chaturvedi and Edited by Leilah Elmokadem; February 7, 2017).
Ranking Digital Rights in India (Divij Joshi and Aditya Chawla; February 12, 2017).

Privacy Gaps in India's Digital India Project (Anisha Gupta; edited by Amber Sinha; February 21, 2017).

Survey

Survey on Data Protection Regime (Aditi Chaturvedi and Elonnai Hickok; February 10, 2017).

Participation in Events

Surveillance in India: Policy and Practice (Organized by National Institute of Public Finance and Policy; New Delhi; February 9, 2017). Pranesh Prakash was a speaker.
T20 Mumbai 2017: Dialogue on the Emerging World Economy (Organized by Gateway House, Indian Council on Global Relations; Mumbai; February 13 - 14, 2017). Elonnai Hickok attended the event.

►Big Data

Research Paper

Big Data in Governance in India: Case Studies (Amber Sinha, Vanya Rakesh and Vidushi Marda and Edited by Elonnai Hickok, Sumandro Chattapadhyay and Sunil Abraham; February 19, 2017).

►Freedom of Expression and Cyber Security

Participation in Event

Digital Security for Journalists (February 2 and 3, 2017). Pranesh Prakash conducted two workshops on consecutive days. The first one organized by IndiaSpend was held in their office. The second one organized by a fellow with the International Center Journalists was held in the Hindustan Times office.
Securing Digital Payments: Imperatives for a Growing Ecosystem (Organized by ORF and Koan Advisory; The Claridges, New Delhi; February 3, 2017). Udbhav Tiwari attended the round-table conference.
Fake News, Rumors & Online Content Regulation (Organized by Medianama and Mint; India Habitat Centre; February 22, 2017). Japreet Grewal and Amber Sinha attended the event.

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

A Pathfinding Approach for Digital India (Shyam Ponappa; Business Standard; January 31, 2017 and Organizing India Blogspot; February 1, 2017).

Event Organized

Internet Researchers' Conference 2017 (Organized by the Centre for Information Technology and Public Policy and CIS; International Institute of Information Technology, Bengaluru; March 3 - 5, 2017).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit https://cis-india.org/about/newsletters/february-2017-newsletter

Aadhaar assurances fail to assuage privacy concerns

praskrishna — 2017-05-20T06:23:32Z

While Aadhaar may be secure from external attacks, a failsafe system hasn’t been developed to protect it from Edward Snowden-style leakages and hacks.

The article by Anirban Sen was published by Livemint on May 5, 2017. Pranesh Prakash was quoted.

As calls for a privacy and data protection law grow louder with each passing day amid reports of a central government ministry having made up to 130 million Aadhaar numbers public on its website, widespread concerns continue to emerge over loopholes in the security of the unique identification programme, though the man who created the system continues to defend the security and integrity of the system.

Most worryingly, a consensus is emerging among security and privacy experts, who have argued that while the Aadhaar system may be secure from external attacks, a failsafe system has not been developed to protect it from Edward Snowden-style internal leaks or hacks.

“(What has been suggested by the Unique Identification Authority of India and Nandan Nilekani) is that there will never be a data breach like what we saw in the US with the National Security Agency, Central Intelligence Agency, or Office of Personnel and Management breaches (data of federal government personnel, including more than 5.6 fingerprints, was leaked), or in Mexico or Turkey, or even in India when the department of defence was breached for cyber-espionage for multiple years without detection,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“While the system may be secure from external attacks, there is no failsafe system to make it invulnerable to Snowden-style breaches,” he added.

In an interview, former UIDAI chairman and Infosys Ltd co-founder Nandan Nilekani continued to defend the security of the system and said steps are being taken everyday to enhance the failsafe processes surrounding the system.

“I think the Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted—not compared to the original data, but to a digital minutiae. The point is that the system is very, very secure. So, if the objection is to centralization, then you should not have clouds. Clouds are also centralized,” said Nilekani. He added that Aadhaar was also safe from internal breaches, an assumption that is being challenged by security experts all across.

“Within seven years of its launch, the Aadhaar system has made a remarkable leap in terms of its security and privacy and it will keep improving things. Technology does not come through immaculate conception, where one morning some perfect technology is born. It has to evolve. It’s called learning by doing,” added Nilekani. He added that improving the security of the system is an ongoing process and conceded that a data protection and privacy law needs to be in place to supplement the current Aadhaar law.

“I know the government has sent a notice to everyone. If somebody has done it; they ought not to have done it—there’s a law for that,” said Nilekani when asked about recent instances of Aadhaar numbers being made public by government departments.

“We should have a data protection and privacy law which is an umbrella law, which looks at all these phenomena and certainly Aadhaar should be part of that. That’s perfectly fine—but people are behaving as if Aadhaar is the only reason why we should have a privacy law,” added Nilekani.

The last few weeks and months have witnessed a steady stream of negative news surrounding Aadhaar and three main cases are currently being fought in the Supreme Court, including one challenging the government’s decision to make the 12-digit ID mandatory for filing income tax returns as well as for obtaining and retaining a PAN Card.

Meanwhile, as Mint reported in April, questions are being raised on the Aadhaar biometric authentication failure rate in the rural job guarantee scheme in areas such as Telangana.

The report of Aadhaar numbers being listed on the government ministry website has caused widespread uproar, although a lawyer pointed out that it is not due to a breach in the Aadhaar system.

“It’s a misnomer to say this a leak because this was voluntarily, very actively put up there. A leak is when some information being kept securely gets breached somehow and comes out. Now, why is this information up on government websites? This is the problem of our government’s perception of transparency...The fact that the Aadhaar numbers are on the government website is not a flaw of the Aadhaar system, but it is a flaw of the understanding of what needs to be done to demonstrate transparency,” said Rahul Matthan, partner at Trilegal.

In a column in Mint, Matthan had also pointed out that while Aadhaar has been a transformative project, there remains enough scope of misusing the database.

“There is a legitimate fear that this identity technology will open us all up to discrimination, prejudice and the risk of identity theft,” Matthan wrote. “Aadhaar has given us the tools to harness data in large volumes. If used wisely, this technology can transform the nation. If not, it can cause us untold harm. We need to be prepared for the impending flood of data—we need to build dams, sluice gates and canals in its path so that we can guide its flow to our benefit.”

Even as both sides debate the issue of Aadhaar’s security, calls are getting louder to revamp the unique identification database.

“The point is that the UIDAI knows the device ID of the machine with which the biometric transaction took place along with the time and date, which means that by just using basic data analytics, any one with access to the transaction logs from the UIDAI (which have to be kept for a period of 5 years and 6 months) can have a complete view of a person’s Aadhaar-based interactions that are increasing day by day.”

“Further, the UIDAI has built up a biometric profile of the entire country. This means that courts can order UIDAI to provide law enforcement agencies the biometrics for an entire state (as the Bombay high court did) to check if they match against the fingerprints recovered from a crime scene. This too is surveillance, since it collects biometrics of all residents in advance rather than just that of criminal suspects,” said Prakash of CIS.

“The UIDAI could have chosen to derive unique 16 digit numbers from your Aadhaar number and provide a different one to each requesting entity. That would have prevented much of these fears. But the UIDAI did not opt for that more privacy-friendly design,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-may-5-2017-anirban-sen-aadhaar-assurances-fail-to-assuage-privacy-concerns

Taking Cognisance of the Deeply Flawed System That Is Aadhaar

praskrishna — 2017-05-19T14:52:58Z

Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.

The article by Shreyashi Roy was published in the Wire on May 10, 2017.

With the leak of 130 million Aadhaar numbers recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.

SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.

Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.

The leaks

The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.

He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.

The system

One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.

Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is not being able to distinguish between aliens and citizens and has begun denying the latter benefits.

The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?

The legal aspect

One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.

There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?

Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.

With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?

Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.

What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit https://cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Indian Government says it is still drafting privacy law, but doesn’t give timelines

praskrishna — 2017-05-15T02:10:26Z

Read the original published by Medianama here

The Government is drafting a legislation to protect privacy of individuals breached through unlawful means in consultation with stakeholders, the minister for communications and information technology Ravi Shankar Prasad said in the Rajya Sabha. However, no timeline was provided, which is really the problem: Is the Indian government even interested in a privacy law?

In August last year, the Government of India had said in the Supreme Court of India that had said that “violation of privacy doesn’t mean anything because privacy is not a guaranteed right”, actually arguing that the citizens of India do not have a fundamental right to privacy.
In September last year, the DeitY had also sought to make encryption (and personal and business security) weaker via a draft policy on encryption, requiring all users to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain-text to Law and Enforcement Agencies if required. After a public outcry, the paper was withdrawn.
Last month, the DoT made it mandatory to have GPS on all phones by 2018.

We’re in a situation where the country doesn’t have a privacy law on one hand, and is setting up surveillance systems like the Centralized Monitoring System, NETRA, NATGRID (for collecting data from across databases), and linking citizens and databases across the unique identity number in Aadhaar on the other.

What happened to the old Privacy bill?

While India does not yet have a comprehensive privacy policy, back in 2014, the Centre for Internet and Society received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India had drafted. A comparison of the draft bill from 2014 and the draft privacy bill of 2011 can be found here.

As per Prasad, as of now, the Section 43, 43A and 72A of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and compensations must be paid to the victim in case of unauthorized access or leakage of information.

Questions asked in Rajya Sabha:

Whether Government intends to bring a specific legislation to address the concerns regarding privacy in the country, if so, the details thereof, if not, the reason therefore; and

Whether the legislation would provide for protection of ‘personal data’ along the lines of the European Union’s Data Protection Directive, if so, the details thereof, if not, the reasons therefor

EU Privacy Bill

Interestingly, the question posed to the minister asked if the legislation would provide for protection of personal data along the lines of European Union’s General Data Protection Directive (GDRP), which were approved just last month. EU’s directive defines “any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, as personal data.

The GDRP has a pretty wide scope and is pretty consumer friendly. The laws require users to provide explicit consent for data collection, companies to report as soon as they have a data breach, and a ‘right to erasure’ that lets users request all personal data related to them to be deleted. It also imposes a significant fine of up to 4% of annual worldwide turnover of a company in the previous financial year, in case of non compliance. For a comprehensive overview of the policy read handbook on European data protection law (pdf).

Email privacy bill US

The US does not have a comprehensive digital privacy law like the EU and mostly relies on the the privacy act of 1974. However, recently the US House of Representatives unanimously passed the Email Privacy Act that would require investigators to get a warrant before forcing companies to hand over customer email or other electronic communications, no matter how old the communication.

For more details visit https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law

Aadhaar: Are a billion identities at risk on India's biometric database

praskrishna — 2017-05-20T06:38:26Z

"My fingerprints and iris are mine and my own. The state cannot take away my body," a lawyer told India's Supreme Court last week.

The article by Soutik Biswas was published by BBC News on May 4, 2017. Also see the blog post by Rawlson King published by Biometric Update.com on May 5, 2017.

Shyam Divan was arguing a crucial petition challenging a new law that makes it compulsory for people to submit a controversial biometric-based personal identification number while filing income tax returns.

Defending this law, the government's top law officer told the court on Tuesday that an individual's "right to body is not an absolute right".

"You can have right over your body but the state can restrict trading in body organs, so the state can exercise control over the body," Attorney General Mukul Rohatgi said.

At the heart of the latest challenge are rising concerns over the security of this mega biometric database and privacy of the number holders. (The government says it needs to link the identity number to income tax returns to improve compliance and prevent fraud.)

India's biometric database is the world's largest. Over the past eight years, the government has collected fingerprints and iris scans from more than a billion residents - or nearly 90% of the population - and stored them in a high security data centre. In return, each person has been provided with a randomly generated, unique 12-digit identity number.

For a country of 1.2 billion people with only 65 million passport-holders and 200 million with driving licenses, the portable identity number is a boon to the millions who have long suffered for a lack of one.

States have been using the number, also called Aadhaar (Foundation), to transfer government pensions, scholarships, wages for a landmark rural jobs-for-work scheme and benefits for cooking fuel to targeted recipients, and distribute cheap food to the poor.

Over the years, the number has taken a life of its own and begun exerting, what many say, is an overweening and stifling control over people's lives. For many like political scientist Pratap Bhanu Mehta, Aadhaar has transmuted from a "tool of citizen empowerment to a tool of state surveillance and citizen vulnerability".

People will soon need the number to receive benefits from more than 500 of India's 1,200-odd welfare schemes. Even banks and private firms have begun using it to authenticate consumers: a new telecom company snapped up 100 million subscribers in quick time recently by verifying the customer's identity through the number.

'Forcibly linked'

People are using the number to even get their marriages registered. The number, says Nikhil Pahwa, editor and publisher of Indian news site MediaNama, is "being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more, which thus puts more personal information at risk".

Some of the fears are not without basis.

The government has assured that the biometric data is "safe and secure in encrypted form", and anybody found guilty of leaking data can be jailed and fined.

But there have already been a number of leaks of details of students, pensioners and recipients of welfare benefits involving a dozen government websites. Even former Indian cricket captain MS Dhoni's personal information was mistakenly tweeted by an overzealous enrolment service provider.

Now a disturbing report by The Centre for Internet and Society claims that details of around 130-135 million Aadhaar numbers, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries have been leaked online by four key government schemes.

More than 230 million people nationwide are accessing welfare benefits using their numbers, and potentially, according to the report, "we could be looking at a data leak closer to that number". And linking the number to different databases - as the government is doing - is increasing the risk of data theft and surveillance.

The chief law officer believes that the outrage over the leaks is "much ado about nothing".

"Biometrics were not leaked, only Aadhaar numbers were leaked. It is nothing substantial. The idea is biometrics should not be leaked," Mukul Rohtagi told the Supreme Court on Tuesday.

The government itself has admitted that it has blacklisted or suspended some 34,000 service providers for helping create "fake" identification numbers or not following proper processes. Two years ago, a man was arrested for getting an identification number for his pet dog. The government itself has deactivated 8.5 million numbers for incorrect data, dodgy biometrics and duplication. Last month, crop loss compensation for more than 40,000 farmers was delayed because their Aadhaar numbers were "entered incorrectly by banks".

'Mass surveillance'

There are also concerns that the number can be used for profiling. Recently, authorities asked participants at a function in a restive university campus in southern India to provide their Aadhaar identity numbers. "This is not only a matter of privacy. The all pervasiveness of the Aadhaar number is a threat to freedom of expression, which is a constitutional right," Srinivas Kodali, who investigated the latest report on data leaks, told me.

Critics say the government is steaming ahead with making the number compulsory for a range of services, violating a Supreme Court order which said enrolment would be voluntary. "The main danger of the number," says economist Jean Dreze, "is that it opens the door to mass surveillance."

Nandan Nilekani, the technology tycoon who set up the programme popularly known by its acronym UIDAI, believes concerns about the safety of the biometric database are exaggerated.

He says the identity number has cut wastage, removed fakes, curbed corruption and made substantial savings for the government. He insists that the programme is completely encrypted and secure. "It's like you are creating a rule-based society," he told Financial Times recently, "it's the transition that is going on right now."

Abused

More than 60 countries around the world take biometric data from its people, says Mr Nilekani. But then there are nagging concerns worldwide about these databases being abused by hackers and state intelligence.

In 2016, personal details of some 50 million people in Turkey were reportedly leaked. (Turkey's population is estimated at 78 million.) In 2015, hackers stole more than five million fingerprints after breaching US government networks. In 2011, French experts discovered a hack involving the theft of millions of people's data in Israel.

Pratap Bhanu Mehta has written that the lack of a "clear transparent consent architecture, no transparent information architecture, no privacy architecture worth the name [India doesn't have a privacy law], and increasingly, no assurance about what exactly you do if the state decides to mess with your identity" could easily make Aadhaar a "tool of state suppression".

So a lot of lingering doubts remain. How pervasive should an identity number be? What about the individual freedom of citizens? How do you ensure the world's biggest biometric database is secure in a country with no privacy laws and a deficient criminal justice system?

In many ways, the debate about Aadhaar is also a debate about the future of India. As lawyer Shyam Divan argued forcefully in the top court, "people are reduced to vassals" when the state controls your body to this extent.

For more details visit https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database

India’s Supreme Court hears challenge to biometric authentication system

praskrishna — 2017-05-20T06:44:02Z

Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.

The post by John Riberio, IDG News Service was mirrored by IT World on May 3, 2017.

Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as their extensive use allegedly encroach on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.

The Indian government has in the meantime extended the use of Aadhaar, originally meant to identify beneficiaries of state schemes for the poor, to other areas such as filing of taxes, distribution of meals to school children and payment systems.

Hearings on the writ petitions, challenging the amendment to the Income Tax Act, are going on in Delhi before a Supreme Court bench consisting of Justices A.K. Sikri and Ashok Bhushan.

Tax payers are required to have the Aadhaar number in addition to their permanent account number (PAN), which they have previously used to file their tax returns. Their failure to produce the Aadhaar number would lead to invalidation of the PAN number, affecting people who are already required to quote this number for other transactions such as buying cars or opening bank accounts.

The stakes in this dispute are high. The petitioners have argued for Aadhaar being voluntary and question the manner in which the new amendment to the tax law has been introduced. The government has said both in court and in other public forums that it needs a reliable and mandatory biometric system to get around the issue of fake PAN numbers.

The lawyer for one of the plaintiffs, Shyam Divan, has argued for the individual’s absolute ownership of her body, citing Article 21 of the Indian Constitution, which protects a person from being “deprived of his life or personal liberty except according to procedure established by law.” The government has countered by saying that citizens do not have absolute rights over their bodies, citing the law against an individual committing suicide as an example.

The Supreme Court in another lawsuit looking into privacy issues and the constitutionality of the Aadhaar scheme had ruled in an interim order in 2015 that the biometric program had to be voluntary and could not be used to deprive the poor of benefits.

"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the top court ruled.

The government holds that the Aadhaar Act, passed in Parliament last year, provides the legal backing for making the biometric identification compulsory.

The current lawsuits against Aadhaar have not been argued on grounds of privacy, reportedly because the court would not allow this line of argument, which is already being heard in the other case. The Supreme Court has made current petitioners “fight this battle with one arm tied behind their backs!,” wrote lawyer Gautam Bhatia in a blog post Wednesday.

For more details visit https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system

En Inde, le biométrique version très grand public

praskrishna — 2017-05-03T16:27:23Z

Initiée en 2010, l’Aadhaar est désormais la plus grande base de données d’empreintes et d’iris au monde. Carte d’identité destinée aux 1,25 milliard d’Indiens, elle sert aussi de moyen de paiement. Mais la sécurité du système et son utilisation à des fins de surveillance posent question.

The article was published by Liberation on April 27, 2017. Sunil Abraham was quoted.

Le front barré d’un signe religieux hindou rouge, Vivek Kumar se tient droit derrière le comptoir de son étroite papeterie située dans une allée obscure d’un quartier populaire du sud-est de New Delhi. Sous le regard bienveillant d’une idole de Ganesh - le dieu qui efface les obstacles -, le commerçant à la fine moustache et à la chemise bleu-gris au col Nehru réalise des photocopies, fournit des tampons ou des stylos à des dizaines de chalands.

Gaurav, un vendeur de légumes de la halle d’à côté, entre acheter du crédit de communication mobile. Au moment de payer, il sort son portefeuille, mais pas pour chercher de la monnaie. Il y prend sa carte d’identité Aadhaar et fournit ses douze chiffres au commerçant. Qui les entre dans un smartphone, sélectionne la banque de Gaurav et indique le montant de l’achat. Le client n’a plus qu’à poser son pouce sur un lecteur biométrique relié au combiné, connecté à Internet. Une lumière rouge s’allume et un son retentit : la transaction est bien passée.

Depuis mars, 32 banques indiennes fournissent ce service novateur de paiement par empreinte digitale. Appelé Aadhaar Pay, il utilise les informations biométriques, à savoir les dix empreintes digitales et celle de l’iris, recueillies par le gouvernement depuis septembre 2010 pour créer la première carte d’identité du pays. Toute personne résidant en Inde depuis plus de six mois, y compris les étrangers, peut s’inscrire et l’obtenir gratuitement.

«Renverser le système»

L’Aadhaar («la fondation» en hindi) représente aujourd’hui la plus grande base de données biométriques au monde, avec 1,13 milliard de personnes enregistrées sur 1,25 milliard, soit 99 % de la population adulte indienne.

L’objectif initial était double : identifier la population - 10% des Indiens n’avaient jusqu’ici aucun papier, et donc aucun droit - et se servir de ces moyens biométriques pour sécuriser l’attribution de nombreuses subventions alimentaires ou énergétiques, dont le détournement coûte plusieurs milliards d’euros chaque année à l’Etat fédéral.

A partir de 2014, la nouvelle majorité nationaliste hindoue du BJP a étendu les usages de l’Aadhaar pour transformer cet outil de reconnaissance en un vrai «passe-partout» de la vie quotidienne indienne : depuis l’ouverture d’une ligne téléphonique à la déclaration de ses impôts, en passant surtout par la création d’un compte en banque, le numéro Aadhaar sera à présent requis. Dans ce dernier cas, l’Aadhaar permet en prime d’utiliser le paiement bancaire par biométrie pour réduire le recours au liquide, qui représente encore plus de 90 % des transactions dans le pays.

Le Premier ministre, Narendra Modi, a fait de cette inclusion financière l’un de ses principaux chevaux de bataille : en 2014, son gouvernement a lancé un énorme programme qui a permis la création de 213 millions de comptes bancaires en deux ans - aujourd’hui, quasiment tous les foyers en possèdent au moins un. Il a continué dans cette voie énergique en démonétisant, en novembre, les principales coupures. But de la manœuvre : convaincre les Indiens de se défaire, au moins temporairement, de leur dépendance aux billets marqués de la tête de Gandhi.

«Le liquide est gratuit, donc il est difficile de pousser les gens à utiliser d’autres moyens de paiement, explique Ragavan Venkatesan, responsable des paiements numériques à la banque IDFC, pionnière dans l’utilisation de l’Aadhaar Pay. Nous avons donc renversé le système pour que le commerçant soit incité à utiliser les moyens numériques.» L’établissement financier a d’abord développé le «microdistributeur de billets» : une tablette que le vendeur peut utiliser pour créer des comptes, recevoir des petits dépôts ou fournir du liquide aux clients au nom de la banque, contre une commission. Comme l’Aadhaar Pay, cette tablette se connecte au lecteur biométrique - fourni par l’entreprise française Safran - pour l’identification et l’authentification. Dans les deux cas, et à la différence des paiements par carte, ni le marchand ni le client ne paient pour l’utilisation de ce réseau. «Le mode traditionnel de paiement par carte va progressivement disparaître», prédit Ragavan Venkatesan.

Défi

Pour l’instant, le système n’en est toutefois qu’à ses débuts. Environ 70 banques - une minorité du réseau indien - sont reliées à l’Aadhaar Pay, et lors de nos visites dans différents magasins de New Delhi, une transaction a été bloquée pendant dix minutes à cause d’un problème de serveur. La connectivité est d’ailleurs un défi dans un pays dont la population est en majorité rurale : le système nécessite au minimum le réseau 2G, dont sont dépourvus environ 8 % des villages, selon le ministère des Télécommunications.

Mais c’est la protection du système qui est surtout en question : «La biométrie réduit fortement le niveau de sécurité, car c’est facile de voler ces données et de les utiliser sans votre accord, explique Sunil Abraham, directeur du Centre pour l’Internet et la société de Bangalore. Il existe maintenant des appareils photo de haute résolution qui permettent de capturer et de répliquer les empreintes ou l’iris», affirme ce spécialiste en cybersécurité.

Le problème tient au caractère irrévocable de ces données biométriques. A la différence d’une carte bancaire qu’on peut annuler et remplacer, on ne peut changer d’empreinte ou d’iris. L’Autorité indienne d’identification unique (UIDAI), qui gère l’Aadhaar, prévoit bien que l’on puisse bloquer l’utilisation de ses propres données biométriques sur demande, ce qui offre une solution de sécurisation temporaire. «Si un fraudeur essaie de les utiliser, on peut le repérer [grâce au réseau internet, ndlr] et l’arrêter», défend Ragavan Venkatesan, de la banque IDFC.

Mais cela risque de ne pas suffire en cas de recel de ces informations : la police vient d’interpeller un groupe de trafiquants qui étaient en possession des données bancaires de 10 millions d’Indiens, récupérées à travers des employés et sous-traitants, données qu’ils revendaient par paquets. Une femme âgée s’était déjà fait dérober 146 000 roupies (un peu plus de 2 000 euros) à cause de cette fraude.

Outil idéal

Le directeur de l’UIDAI assure qu’aucune fuite ni vol de données n’ont été rapportés à ce jour depuis leurs serveurs - ce qui ne garantit pas que cette confidentialité sera respectée par tous les autres acteurs qui y ont accès. En février, un chercheur en cybersécurité a alerté la police sur le fait que 500 000 numéros Aadhaar ainsi que les détails personnels de leurs propriétaires - exclusivement des mineurs - avaient été publiés en ligne. La loi sur l’Aadhaar punit de trois ans de prison le vol ou le recel de ces données. Ce texte adopté l’année dernière - soit six ans après le début de la collecte - empêche également leur utilisation à d’autres fins que l’authentification pour l’attribution de subventions et de services. Et l’UIDAI ne peut y accéder pleinement qu’en cas de risque pour la sécurité nationale, et selon une procédure spéciale.

Reste qu’il n’existe pas d’autorité, comme la Cnil en France, chargée de veiller de manière indépendante à ce que ces lignes rouges ne soient pas franchies par un Etat à la recherche de nouveaux moyens de renseignement. Car les experts s’accordent sur ce point : le biométrique est un outil idéal pour surveiller une population.

En 2010, le gouvernement britannique avait d’ailleurs mis fin à son projet de carte d’identité biométrique, estimant que le taux d’erreurs dans l’authentification était trop élevé et le risque d’atteinte aux libertés trop important. Les Indiens, souvent subjugués par les nouvelles technologies pour résoudre leurs problèmes sociaux, ne semblent pas prêts de revenir en arrière. Surtout si cela peut en plus servir à mieux ficher un pays menacé par un terrorisme régional et local.

For more details visit https://cis-india.org/internet-governance/news/en-inde-le-biometrique-version-tres-grand-public