Centre for Internet and Society

India’s post-truth society

swaraj — 2018-09-12T12:16:31Z

The proliferation of lies and manipulative content supplies an ever-willing state a pretext to step up surveillance.

The op-ed was published in Hindu Businessline on September 7, 2018.

After a set of rumours spread over WhatsApp triggered a series of lynchings across the country, the government recently took the interesting step of placing the responsibility for this violence on WhatsApp. This is especially noteworthy because the party in power, as well as many other political parties, have taken to campaigning over social media, including using WhatsApp groups in a major way to spread their agenda and propaganda.

After all, a simple tweet or message could be shared thousands of times and make its way across the country several times, before the next day’s newspaper is out. Nonetheless, while the use of social media has led to a lot of misinformation and deliberately polarising ‘news’, it has also helped contribute to remarkable acts of altruism and community, as seen during the recent Kerala floods.

While the government has taken a seemingly techno-determinist view by placing responsibility on WhatsApp, the duality of very visible uses of social media has led to others viewing WhatsApp and other internet platforms more as a tool, at the mercy of the user. However, as historian Melvin Kranzberg noted, “technology is neither good nor bad; nor is it neutral”. And while the role of political and private parties in spreading polarising views should be rigorously investigated, it is also true that these internet platforms are creating new and sometimes damaging structural changes to how our society functions. A few prominent issues are listed below:

Fragmentation of public sphere

Jurgen Habermas, noted sociologist, conceptualised the Public Sphere as being “a network for communicating information and points of view, where the streams of communication are, in the process, filtered and synthesised in such a way that they coalesce into bundles of topically specified public opinions”.

To a large extent, the traditional gatekeepers of information flow, such as radio, TV and mainstream newspapers, performed functions enabling a public sphere. For example, if a truth-claim about an issue of national relevance was to be made, it would need to get an editor’s approval.

In case there was a counter claim, that too would have to pass an editorial check. Today however, nearly anybody can become a publisher of information online, and if it catches the right ‘influencer’s attention, it could spread far wider and far quicker than it would’ve in traditional media. While this does have the huge positive of giving space to more diverse viewpoints, it also comes with two significant downsides.

First, that it gives a sense of ‘personal space’ to public speech. An ordinary person would think a few times, do some research, and perhaps practice a speech before giving it before 10,000 people. An ordinary person would also think for perhaps five seconds before putting out a tweet on the very same topic, despite now having a potentially global audience.

Second, by having messages sent directly to your hand-held device, rather than open for anyone to fact-check and counter, there is less transparency and accountability for those who send polarising material and misinformation. How can a mistaken and polarising view be countered, if one doesn’t even know it is being made? And if it can’t be countered, how can its spread by contained?

The attention market

Not only is that earlier conception of public sphere being fragmented, these new networked public spheres are also owned by giant corporations. This means that these public spheres where critical discourse is being shaped and spread, are actually governed by advertisement-financed global conglomerates. In a world of information overflow, and privately owned, ad-financed public spheres, the new unit of currency is attention.

It is in the direct interest of the Facebooks and Googles of the world, to capture user attention as long as possible, regardless of what type of activity that encourages. It goes without saying that neither the ‘mundane and ordinary’, nor the ‘nuanced and detailed’ capture people’s attention nearly as well as the sensational and exciting.

Nearly as addicting, studies show, are the headlines and viewpoints which confirm people’s biases. Fed by algorithms that understand the human desire to ‘fit in’, people are lowered into echo chambers where like-minded people find each other and continually validate each other. When people with extremist views are guided to each other by these algorithms, they not only gather validation, but also now use these platforms to confidently air their views — thus normalising what was earlier considered extreme. Needless to say, internet platforms are becoming richer in the process.

Censorship by obfuscation

Censorship in the attention economy, no longer requires blocking of views or interrupting the transmission of information. Rather, it is sufficient to drown out relevant information in an ocean of other information. Fact checking news sites face this problem. Regardless of how often they fact-check speeches by politicians, only a minuscule percentage of the original audience comes to know about, much less care about the corrections.

Additionally, repeated attacks (when baseless) on credibility of news sources causes confusion about which sources are trustworthy. In her extremely insightful book “Twitter and Tear Gas”, Prof Zeynep Tufekci rightly points out that rather than traditional censorship, powerful entities today, (often States) focus on overwhelming people with information, producing distractions, and deliberately causing confusion, fear and doubt. Facts, often don’t matter since the goal is not to be right, but to cause enough confusion and doubt to displace narratives that are problematic to these powers.

Viewpoints from members of groups that have been historically oppressed, are especially harangued. And those who are oppressed tend to have less time, energy and emotional resources to continuously deal with online harassment, especially when their identities are known and this harassment can very easily spill over to the physical world.

Conclusion

Habermas saw the ideal public sphere as one that is free of lies, distortions, manipulations and misinformation. Needless to say, this is a far cry from our reality today, with all of the above available in unhealthy doses. It will take tremendous effort to fix these issues, and it is certainly no longer sufficient for internet platforms to claim they are neutral messengers. Further, whether the systemic changes are understood or not, if they are not addressed, they will continue to create and expand fissures in society, giving the state valid cause for intervening through backdoors, surveillance, and censorship, all actions that states have historically been happy to do!

For more details visit https://cis-india.org/internet-governance/blog/hindu-businessline-swaraj-paul-barooah-september-7-2018-indias-post-truth-society

India’s parental control directive and the need to improve stalkerware detection

divyank — 2024-04-04T14:20:41Z

We analyse a child-monitoring app being developed by the Indian government and question whether it is an effective way to enact parental controls. We highlight how such monitoring apps are often repurposed for digital stalking and play a role in intimate partner violence. We also evaluate the protection provided by antivirus tools in detecting such stalkerware apps and describe how we collected technical evidence to help improve the detection of these apps.

This post was reviewed and edited by Amrita Sengupta.

Stalkerware is a form of surveillance targeted primarily at partners, employees and children in abusive relationships. These are software tools that enable abusers to spy on a person’s mobile device, allowing them to remotely access all data on the device, including calls, messages, photos, location history, browsing history, app data, and more. Stalkerware apps run hidden in the background without the knowledge or consent of the person being surveilled.[1] Such applications are easily available online and can be installed by anyone with little technical know-how and physical access to the device.

News reports indicate that the Ministry of Electronics and Information Technology (MeitY) is supporting the development of an app called “SafeNet”[2] that allows parents to monitor activity and set content filters on children’s devices. Following a directive from the Prime Minister’s office to “incorporate parental controls in data usage” by July 2024, the Internet Service Providers Association of India (ISPAI) has suggested that the app should come preloaded on mobile phones and personal computers sold in the country. The Department of Telecom is also asking schools to raise awareness about such parental control solutions.[3][4]

The beta version of the app is available for Android devices on the Google Play Store and advertises a range of functionalities including location access, monitoring website and app usage, call and SMS logs, screen time management and content filtering. The content filtering functionality warrants a separate analysis and this post will only focus on the surveillance capabilities of this app.

Applications like Safenet, that do not attempt to hide themselves and claim to operate with the knowledge of the person being surveilled, are sometimes referred to as “watchware”.[5] However, for all practical purposes, these apps are indistinguishable from stalkerware. They possess the same surveillance capabilities and can be deployed in the exact same ways. Such apps sometimes incorporate safeguards to notify users that their device is being monitored. These include persistent notifications on the device’s status bar or a visible app icon on the device’s home screen. However, such safeguards can be circumvented with little effort. The notifications can simply be turned off on some devices and there are third-party Android tools that allow app icons and notifications to be hidden from the device user, allowing watchware to be repurposed as stalkerware and operate secretly on a device. This leaves very little room for distinction between stalkerware and watchware apps.[6] In fact, the developers of stalkerware apps often advertise their tools as watchware, instructing users to only use them for legitimate purposes.

Even in cases where stalkerware applications are used in line with their stated purpose of monitoring minors’ internet usage, the effectiveness of a surveillance-centric approach is suspect. Our previous work on children’s privacy has questioned the treatment of all minors under the age of 18 as a homogenous group, arguing for a distinction between the internet usage of a 5-year-old child and a 17-year-old teenager. We argue that educating and empowering children to identify and report online harms is more effective than attempts to surveil them.[7][8] Most smartphones already come with options to enact parental controls on screen time and application usage[9][10], and the need for third-party applications with surveillance capabilities is not justified.

Studies and news reports show the increasing role of technology in intimate partner violence (IPV).[11][12] Interviews with IPV survivors and support professionals indicate an interplay of socio-technical factors, showing that abusers leverage the intimate nature of such relationships to gain access to accounts and devices to exert control over the victim. They also indicate the prevalence of “dual-use” apps such as child-monitoring and anti-theft apps that are repurposed by abusers to track victims.[13]

There is some data available that indicates the use of stalkerware apps in India. Kaspersky anti-virus’ annual State of Stalkerware reports consistently place India among the top 4 countries with the most number of infections detected by its product, with a few thousand infections reported each year between 2020 and 2023.[14][15][16[17] TechCrunch’s Spyware Lookup Tool, which compiles information from data leaks from more than nine stalkerware apps to notify victims, also identifies India as a hotspot for infections.[18] Avast, another antivirus provider, reported a 20% rise in the use of stalkerware apps during COVID-19 lockdowns.[19] The high rates of incidence of intimate partner violence in India, with the National Family Health Survey reporting that about a third of all married women aged 18–49 years have experienced spousal violence [20], also increases the risk of digitally-mediated abuse.

Survivors of digitally-mediated abuse often require specialised support in handling such cases to avoid alerting abusers and potential escalations. As part of our ongoing work on countering digital surveillance, we conducted an analysis of seven stalkerware applications, including two that are based in India, to understand and improve how survivors and support professionals can detect their presence on devices.

In some cases, where it is safe to operate the device, antivirus solutions can be of use. Antivirus tools can often identify the presence of stalkerware and watchware on a device, categorising them as a type of malware. We measured how effective various commercial antivirus solutions are at detecting stalkerware applications. Our results, which are detailed in the Appendix, indicate a reasonably good coverage, with six out of the seven apps being flagged as malicious by various antivirus solutions. We found that Safenet, the newest app on the list, was not detected by any antivirus. We also compared the detection results with a similar study conducted in 2019 [21] and found that some newer versions of previously known apps saw lower rates of detection. This indicates that antivirus solutions need to analyse new apps and newer versions of apps more frequently to improve coverage and understand how they are able to evade detection.

In cases where the device cannot be operated safely, support workers use specialised forensic tools such as the Mobile Verification Toolkit [22] and Tinycheck [23], which can be used to analyse devices without modifying them. We conducted malware analysis on the stalkerware apps to document the traces they leave on devices and submitted them to an online repository of indicators of compromise (IOCs).[24] These indicators are incorporated in detection tools used by experts to detect stalkerware infections.

Despite efforts to support survivors and stop the spread of stalkerware applications, the use of technology in abusive relationships continues to grow.[25] Making a surveillance tool like Safenet available for free, publicising it for widespread use, and potentially preloading it on mobile devices and personal computers sold in the country, is an ill-conceived way to enact parental controls and will lead to an increase in digitally-mediated abuse. The government should immediately take this application out of the public domain and work on developing alternate child protection policies that are not rooted in distrust and surveillance.

If you are affected by stalkerware there are some resources available here:
https://stopstalkerware.org/information-for-survivors/
https://stopstalkerware.org/resources/

Appendix

Our analysis covered two apps based in India, SafeNet and OneMonitar, and five other apps, Hoverwatch, TheTruthSpy, Cerberus, mSpy and FlexiSPY. All samples were directly obtained from the developer’s websites. The details of the samples are as follows:

Name

File name

Version

Date sample was obtained

SHA-1 Hash

SafeNet

Safenet_Child.apk

0.15

16th March, 2024

d97a19dc2212112353ebd84299d49ccfe8869454

OneMonitar

ss-kids.apk

5.1.9

19th March, 2024

519e68ab75cd77ffb95d905c2fe0447af0c05bb2

Hoverwatch

setup-p9a8.apk

7.4.360

5th March, 2024

50bae562553d990ce3c364dc1ecf44b44f6af633

TheTruthSpy

TheTruthSpy.apk

23.24

5th March, 2024

8867ac8e2bce3223323f38bd889e468be7740eab

Cerberus

Cerberus_disguised.apk

3.7.9

4th March, 2024

75ff89327503374358f8ea146cfa9054db09b7cb

mSpy

bt.apk

7.6.0.1

21st March, 2024

f01f8964242f328e0bb507508015a379dba84c07

FlexiSPY

5009_5.2.2_1361.apk

5.2.2

26th March, 2024

5092ece94efdc2f76857101fe9f47ac855fb7a34

We analysed the network activity of these apps to check what web servers they send their data to. With increasing popularity of Content Delivery Networks (CDNs) and cloud infrastructure, these results may not always give us an accurate idea about where these apps originate, but can sometimes offer useful information:

Name Domain IP Address[26] Country ASN Name and Number

SafeNet safenet.family 103.10.24.124 India Amrita Vishwa Vidyapeetham, AS58703

OneMonitar onemonitar.com 3.15.113.141 United States Amazon.com, Inc., AS16509

OneMonitar api.cp.onemonitar.com 3.23.25.254 United States Amazon.com, Inc., AS16509

Hoverwatch hoverwatch.com 104.236.73.120 United States DigitalOcean, LLC, AS14061

Hoverwatch a.syncvch.com 158.69.24.236 Canada OVH SAS, AS16276

TheTruthSpy thetruthspy.com 172.67.174.162 United States Cloudflare, Inc., AS13335

TheTruthSpy protocol-a946.thetruthspy.com 176.123.5.22 Moldova ALEXHOST SRL, AS200019

Cerberus cerberusapp.com 104.26.9.137 United States Cloudflare, Inc., AS13335

mSpy mspy.com 104.22.76.136 United States Cloudflare, Inc., AS13335

mSpy mobile-gw.thd.cc 104.26.4.141 United States Cloudflare, Inc., AS13335

FlexiSPY flexispy.com 104.26.9.173 United States Cloudflare, Inc., AS13335

FlexiSPY djp.bz 119.8.35.235 Hong Kong HUAWEI CLOUDS, AS136907

To understand whether commercial antivirus solutions are able to categorise stalkerware apps as malicious, we used a tool called VirusTotal, which aggregates checks from over 70 antivirus scanners.[27] We uploaded hashes (i.e. unique signatures) of each sample to VirusTotal and recorded the total number of detections by various antivirus solutions. We compared our results to a similar study by Citizen Lab in 2019 [28] that looked at a similar set of apps to identify changes in detection rates over time.

Product

VirusTotal Detections (March 2024)

VirusTotal Detections (January 2019) (By Citizen Lab)

SafeNet [29]

0/67 (0 %)

N/A

OneMonitar [30]

17/65 (26.1%)

N/A

Hoverwatch

24/58 (41.4%)

22/59 (37.3%)

TheTruthSpy

38/66 (57.6%)

0

Cerberus

8/62 (12.9%)

6/63 (9.5%)

mSpy

8/63 (12.7%)

20/63 (31.7%)

Flexispy [31]

18/66 (27.3%)

34/63 (54.0%)

We also checked if Google’s Play Protect service [32], a malware detection tool that is built-in to Android devices using Google’s Play Store. These results were also compared with similar checks performed by Citizen Lab in 2019.

Product

Detected by Play Protect (March 2024)

Detected by Play Protect (January 2019) (By Citizen Lab)

SafeNet

no

N/A

OneMonitar

yes

N/A

Hoverwatch

yes

yes

TheTruthSpy

yes

yes

Cerberus

yes

no

mSpy

yes

yes

Flexispy

yes

yes

Endnotes

1. Definition adapted from Coalition Against Stalkerware, https://stopstalkerware.org/

2. https://web.archive.org/web/20240316060649/https://safenet.family/

3. https://www.hindustantimes.com/india-news/itministry-tests-parental-control-app-progress-to-be-reviewed-today-101710702452265.html

4. https://www.hindustantimes.com/india-news/schools-must-raise-awareness-about-parental-control-in-internet-usage-says-dot-101710840561172.html

5. https://github.com/AssoEchap/stalkerware-indicators/blob/master/README.md

6. https://cybernews.com/privacy/difference-between-parenting-apps-and-stalkerware/

7. https://timesofindia.indiatimes.com/blogs/voices/shepherding-children-in-the-digital-age/

8. https://blog.avast.com/stalkerware-and-children-avast

9. https://safety.google/families/parental-supervision/

10. https://support.apple.com/en-in/105121

11. R. Chatterjee et al., "The Spyware Used in Intimate Partner Violence," 2018 IEEE Symposium on Security and Privacy (SP), 2018, pp. 441-458.

12. https://www.computerweekly.com/news/252492575/Use-of-abusive-stalkerware-against-women-skyrocketed-in-2020

13. D. Freed et al., "Digital technologies and intimate partner violence: A qualitative analysis with multiple stakeholders", PACM: Human-Computer Interaction: Computer-Supported Cooperative Work and Social Computing (CSCW), vol. 1, no. 2, 2017.

14. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/03/07160820/The-State-of-Stalkerware-in-2023.pdf

15. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/03/07152747/EN_The-State-of-Stalkerware_2022.pdf

16. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf

17. https://media.kasperskycontenthub.com/wp-content/uploads/sites/100/2020/03/25175212/EN_The-State-of-Stalkerware-2020.pdf

18. https://techcrunch.com/pages/thetruthspy-investigation/

19. https://www.thenewsminute.com/atom/avast-finds-20-rise-use-spying-and-stalkerware-apps-india-during-lockdown-129155

20. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10071919/

21. https://citizenlab.ca/docs/stalkerware-holistic.pdf

22. https://docs.mvt.re/en/latest/

23. https://tiny-check.com/

24. https://github.com/AssoEchap/stalkerware-indicators/pull/125

25. https://stopstalkerware.org/2023/05/15/report-shows-stalkerware-is-not-declining/

26. IP information provided by https://ipinfo.io/

27. https://docs.virustotal.com/docs/how-it-works

28. https://citizenlab.ca/docs/stalkerware-holistic.pdf

29. Sample was not known to VirusTotal, it was uploaded at the time of analysis

30. Sample was not known to VirusTotal, it was uploaded at the time of analysis

31. Sample was not known to VirusTotal, it was uploaded at the time of analysis

32. https://developers.google.com/android/play-protect

For more details visit https://cis-india.org/internet-governance/blog/india2019s-parental-control-directive-and-the-need-to-improve-stalkerware-detection

India’s National ID Program May Be Turning The Country Into A Surveillance State

praskrishna — 2017-04-07T12:49:30Z

For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.

The blog post by Pranav Dixit was published by BuzzFeedNews on April 4, 2017. Sunil Abraham was quoted.

An abridged version of the blog post containing Sunil Abraham's quotes are reproduced below:

“You can’t change your fingerprints”

Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.

“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking into the country’s online national identity database and registering himself as Ecuadorian President Rafael Correa. In April 2016, hackers posted a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — was leaked onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — released on the Dark Web.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”

The UIDAI claims that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.

“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.

Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”

Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an interview with the Economic Times, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.

Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.

Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”

“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wished to be named told BuzzFeed News. “Imagine what a scandal that would be.”

For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent interview with Indian business news channel ET Now. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”

Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”

For more details visit https://cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state

India’s digital check

sunil — 2015-09-15T14:55:47Z

All nine pillars of Digital India directly correlate with policy research conducted at the Centre for Internet and Society, where I have worked for the last seven years. This allows our research outputs to speak directly to the priorities of the government when it comes to digital transformation.

The article was originally published by DNA on July 8, 2015.

Broadband Highways and Universal Access to Mobile Connectivity: The first two pillars have been combined in this paragraph because they both require spectrum policy and governance fixes. Shyam Ponappa, a distinguished fellow at our Centre calls for the leveraging of shared spectrum and also shared backhaul infrastructure. Plurality in spectrum management, for eg, unlicensed spectrum should be promoted for accelerating backhaul or last mile connectivity, and also for community or local government broadband efforts. Other ideas that have been considered by Ponappa include getting state owned telcos to exit completely from the last mile and only focus on running an open access backhaul through Bharat Broadband Limited. Network neutrality regulations are also required to mitigate free speech, diversity and competition harms as ISPs and TSPs innovate with business models such as zero-rating.

Public Internet Access Programme: Continuing investments into Common Service Centres (CSCs) for almost a decade may be questionable and therefore a citizen’s audit should be undertaken to determine how the programme may be redesigned. The reinventing of post offices is very welcome, however public libraries are also in need urgent reinventing. CSCs, post offices and public libraries should all leverage long range WiFi for Internet and intranet, empowering BYOD [Bring Your Own Device] users. Applications will take time to develop and therefore immediate emphasis should be on locally caching Indic language content. State Public Library Acts need to be amended to allow for borrowing of digital content. Flat-fee licensing regimes must be explored to increase access to knowledge and culture. Commons-based peer production efforts like Wikipedia and Wikisource need to be encouraged.

e-Governance: Reforming Government through Technology: DeitY, under the leadership of free software advocate Secretary RS Sharma, has accelerated adoption and implementation of policies supporting non-proprietary approaches to intellectual property in e-governance. Policies exist and are being implemented for free and open source software, open standards and electronic accessibility for the disabled. The proprietary software lobby headed by Microsoft and industry associations like NASSCOM have tried to undermine these policies but have failed so far.

The government should continue to resist such pressures. Universal adoption of electronic signatures within government so that there is a proper audit trail for all communications and transactions should be made an immediate priority. Adherence to globally accepted data protection principles such as minimisation via “form simplification and field reduction” for Digital India should be applauded. But on the other hand the mandatory requirement of Aadhaar for DigiLocker and eSign amounts to contempt of the Supreme Court order in this regard.

e-Kranti — Electronic Delivery of Services: The 41 mission mode projects listed are within the top-down planning paradigm with a high risk of failure — the funds reserved for these projects should instead be converted into incentives for those public, private and public private partnerships that accelerate adoption of e-governance. The dependency on the National Informatics Centre (NIC) for implementation of e-governance needs to be reduced, SMEs need to be able to participate in the development of e-governance applications. The funds allocated for this area to DeitY have also produced a draft bill for Electronic Services Delivery. This bill was supposed to give RTI-like teeth to e-governance service by requiring each government department and ministry to publish service level agreements [SLAs] for each of their services and prescribing punitive action for responsible institutions and individuals when there was no compliance with the SLAs.

Information for All: The open data community and the Right to Information movement in India are not happy with the rate of implementation of National Data Sharing and Accessibility Policy (NDSAP). Many of the datasets on the Open Data Portal are of low value to citizens and cannot be leveraged commercially by enterprise. Publication of high-value datasets needs to be expedited by amending the proactive disclosure section of the Right to Information Act 2005.

Electronics Manufacturing: Mobile patent wars have begun in India with seven big ticket cases filed at the Delhi High Court. Our Centre has written an open letter to the previous minister for HRD and the current PM requesting them to establish a device level patent pool with a compulsory license of 5%. Thereby replicating India’s success at becoming the pharmacy of the developing world and becoming the lead provider of generic medicines through enabling patent policy established in the 1970s. In a forthcoming paper with Prof Jorge Contreras, my colleague Rohini Lakshané will map around fifty thousand patents associated with mobile technologies. We estimate around a billion USD being collected in royalties for the rights-holders whilst eliminating legal uncertainties for manufacturers of mobile technologies.

IT for Jobs: Centralised, top-down, government run human resource development programmes are not useful. Instead the government needs to focus on curriculum reform and restructuring of the education system. Mandatory introduction of free and open source software will give Indian students the opportunity to learn by reading world-class software. They will then grow up to become computer scientists rather than computer operators. All projects at academic institutions should be contributions to existing free software projects — these projects could be global or national, for eg, a local government’s e-governance application. The budget allocated for this pillar should instead be used to incentivise research by giving micro-grants and prizes to those students who make key software contributions or publish in peer-reviewed academic journals or participate in competitions. This would be a more systemic approach to dealing with the skills and knowledge deficit amongst Indian software professionals.

Early Harvest Programmes: Many of the ideas here are very important. For example, secure email for government officials — if this was developed and deployed in a decentralised manner it would prevent future surveillance of the Indian government by the NSA. But a few of the other low-hanging fruit identified here don’t really contribute to governance. For example, biometric attendance for bureaucrats is just glorified bean-counting — it does not really contribute to more accountability, transparency or better governance.

The author works for the Centre for Internet and Society which receives funds from Wikimedia Foundation that has zero-rating alliances with telecom operators in many countries across the world

For more details visit https://cis-india.org/internet-governance/blog/dna-sunil-abraham-july-8-2015-india-digital-check

India’s Central Monitoring System: Security can’t come at cost of privacy

praskrishna — 2013-07-15T06:43:21Z

During a Google hangout session in June this year, Milind Deora, minister of state for communications and information technology, addressed concerns related to the central monitoring system (CMS).

Danish Raza's article was published in FirstPost on July 10, 2013. Sunil Abraham is quoted.

The surveillance project, described as the Indian version of PRISM, will allow the government to monitor online and telephone data of citizens. prism-milind-deora-cms-central-monitoring-system/” target=”_blank”>

The minister tried to justify the project arguing that the union government will become the sole custodian of citizen’s data which is now accessible to other parties such as telecom operators. But his justification failed to persuade experts who argue that the data is hardly safe because it is held by the government. And the limited information available about the project has raised serious concerns about its need and the consequences of government snooping on such a mass scale.

A release by the Press Information Bureau, dated November 26, 2009, is perhaps the only government document related to CMS available in public domain. It merely states that the project will strengthen the security environment in the country. “In the existing system secrecy can be easily compromised due to manual intervention at many stages while in CMS these functions will be performed on secured electronic link and there will be minimum manual intervention. Interception through CMS will be instant as compared to the existing system which takes a very long time.”

One of the primary concerns raised by experts is the sheer lack of public information on the project. So far, there is no official word from the government about which government bodies or agencies will be able to access the data; how will they use this information; what percentage of population will be under surveillance; or how long the data of a citizen will be kept in the record.

“This makes it impossible for India’s citizens to assess whether surveillance is the only, or the best, way in which the stated goal can be achieved. Also, citizens cannot gauge whether these measures are proportionate i.e. they are the most effective means to achieve this aim. The possibility of having such a debate is crucial in any democratic country,” said Dr Anja Kovacs, project director at Internet Democracy Project, Delhi based NGO working for online freedom of speech and related issues.

There is also no legal recourse for a citizen whose personal details are being misused or leaked from the central or regional database. Unlike America’s PRISM project under which surveillance orders are approved by courts, CMS does not have any judicial oversight. “This means that the larger ecosystem of checks and balances in which any surveillance should be embedded in a democratic country is lacking. There is an urgent requirement for a strong legal protection of the right to privacy; for judicial oversight of any surveillance; and for parliamentary or judicial oversight of the agencies which will do surveillance. At the moment, all three are missing.” said Kovacs.

Given the use of technology by criminals and terrorists, government surveillance per se, seems inevitable. Almost in every nation, certain chunk of population is always under the scanner of intelligence agencies. However, mass-scale tracking the data of all citizens — not just those who are deemed persons of interest — enabled by the CMS has sparked a public furor. Sunil Abraham, executive director, Centre for Internet & Society, Bangalore, compared surveillance with salt in cooking. “A tiny amount is essential but any excess is counterproductive,” he said. “Unlike target surveillance, blanket surveillance increases the probability of false positives. Wrong data analysis will put more number of innocent civilians under suspicion as, by default, their number in the central server is more than those are actually criminals.”

Such blanket surveillance techniques also pose a threat to online business. With all the data going in one central pool, a competitor or a cyber criminal rival can easily tap into private and sensitive information by hacking into the server. “As vulnerabilities will be introduced into Internet infrastructure in order to enable surveillance, it will undermine the security of online transactions,” said Abraham. He notes that the project also can undermine the confidentiality of intellectual property especially pre-grant patents and trade secrets. “Rights-holders will never be sure if their IPR is being stolen by some government in order to prop up national players.”

Every time a surveillance system is exposed or its misuse sparks a debate, governments argue that such programs are required for internal security purposes and to help abort terror attacks. Obama made the same argument after PRISM was revealed to the public. Civil rights groups, on the other hand, argue that security cannot be prioritised by large-scale invasions of privacy especially in a country like India where there is little accountability or transparency. So is there a middle ground that will satisfy both sides?

“Yes, security and privacy can coexist,” said Commander (rtd) Mukesh Saini, former national information security coordinator, government of India, “We can design a system which takes care of national security aspect and yet gains the confidence of the citizens. Secrecy period must not be more than three to four years in such projects. Thereafter who all were snooped and when and why and under whose direction/circumstances must be made public through a website after this time gap.”

Kovacs agrees and says the right kind of surveillance program would focus on the needs of the citizen and not the government. “If a contradiction seems to exist between cyber security and privacy online, this is only because we have lost sight of who is supposed to benefit from any security measures. Only if a measure contributes to citizen’s sense of security, can it really be considered a legitimate security measure.”

For more details visit https://cis-india.org/news/firstpost-danish-raza-july-10-2013-indias-central-monitoring-system-security-cant-come-at-cost-of-privacy

India’s biometric ID scans make sci-fi a reality

praskrishna — 2017-03-28T02:45:28Z

I have been thinking about my fingerprints and the secrets that may lie within my eyes — and whether I want to share them with the Indian government. I may not however have a choice.

The article by Amy Kazmin was published in the Financial Times on March 27, 2017. Sunil Abraham was quoted.

India has the world’s largest domestic biometric identification system, known as Aadhaar. Since 2010, the government has collected fingerprints and iris scans from more than 1bn residents, and each has been assigned a 12-digit identification number.

The scheme is championed by Nandan Nilekani, the billionaire co-founder of IT company Infosys. It was initially conceived to ensure poor Indians received subsidised food entitlements and other welfare benefits that were previously siphoned off by unscrupulous intermediaries. It was also seen as offering poor Indians, many of whom lack birth certificates, with a portable ID that can be used anywhere in the country.

Until now, obtaining an Aadhaar number was voluntary, though most Indians enrolled without hesitation as they see its potential benefits. But New Delhi is now enlisting Aadhaar, which means “foundation” or “base” in Hindi, in more than just welfare schemes. This would mean sharing one’s biometric details isn’t really optional any more despite a Supreme Court ruling that it should be “purely voluntary”.

Last week, the government issued a rule requiring an Aadhaar number for filing tax returns, ostensibly to improve tax compliance. It has also decided that all cell phone numbers must be linked to an Aadhaar number by 2018. Even Indian Railways has plans to demand Aadhaar from those booking train tickets online.

What was once touted as an initiative to improve delivery of welfare suddenly now seems like the foundation of a surveillance state — and I admit the prospect of putting my own biometrics in the database leaves me uneasy.

As a US citizen, I’ve never had to give my biometric data to my government. Domestically, fingerprints are only taken from criminal suspects, or applicants for government jobs, though I know foreign citizens are fingerprinted on arrival.

To me, the idea of sharing eye scans evokes the dystopian Hollywood film, Minority Report, which depicts a near future in which optical-recognition cameras allow the authorities to identify anyone in any public place. The hero on the run, played by Tom Cruise, has an illegal eye transplant to avoid detection.

In recent days, many Indian academics and activists have raised concerns about Aadhaar data security, the lack of privacy rules and the absence of any accountability structure if data are misused.

"Biometrics is being weaponised," says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "What you need to be worried about is that someone will clean out your bank account or frame you in a crime," he says.

Pratap Bhanu Mehta, director of the Centre for Policy Research, has written of the “conversion of Aadhaar from a tool of citizen empowerment to a tool of state surveillance and citizen vulnerability”.

I call Mr Nilekani, of whose honourable intentions I have no doubt. After leaving Infosys in 2009, he spent five years in government, working to get Aadhaar off the ground. He says he is “extremely offended” when his project is accused of being part of a surveillance society, a narrative he says is “completely misrepresenting” the project. “I can steal your fingerprint off your glass. I don’t need this fancy technology,” he says. “Surveillance is far better done by following my phone, or when I use a map to order a taxi: the map knows where I am. Our internet companies know where you are.”

But in a society known for ingenious means of bypassing rules, such as having multiple taxpayer ID cards to aid evasion, Mr Nilekani says biometric authentication of individuals can bring discipline and reduce cheating. “It’s like you are creating a rule-based society,” he says, “it’s the transition that is going on right now.” I hang up, hardly reassured. To me, it seems clear that in India, as in so many places these days, Big Brother is increasingly watching.

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality

India’s Biometric Database Is Creating A Perfect Surveillance State — And U.S. Tech Companies Are On Board

Admin — 2018-09-04T14:40:51Z

The Aadhaar program offers a glimpse of the tech world's latest quest to control our lives, where dystopias are created in the name of helping the impoverished.

The article by Paul Bluementhol and Gopal Sathe was published in Huffington Post on August 25, 2018. Sunil Abraham was quoted.

Big U.S. technology companies are involved in the construction of one of the most intrusive citizen surveillance programs in history.

For the past nine years, India has been building the world’s biggest biometric database by collecting the fingerprints, iris scans and photos of nearly 1.3 billion people. For U.S. tech companies like Microsoft, Amazon and Facebook, the project, called Aadhaar (which means “proof” or “basis” in Hindi), could be a gold mine.

The CEO of Microsoft has repeatedly praised the project, and local media have carried frequent reports on consultations between the Indian government and senior executives from companies like Apple and Google (in addition to South Korean-based Samsung) on how to make tech products Aadhaar-enabled. But when reporters of HuffPost and HuffPost India asked these companies in the past weeks to confirm they were integrating Aadhaar into their products, only one company ― Google ― gave a definitive response.

That’s because Aadhaar has become deeply controversial, and the subject of a major Supreme Court of India case that will decide the future of the program as early as this month. Launched nine years ago as a simple and revolutionary way to streamline access to welfare programs for India’s poor, the database has become Indians’ gateway to nearly any type of service ― from food stamps to a passport or a cell phone connection. Practical errors in the system have caused millions of poor Indians to lose out on aid. And the exponential growth of the project has sparked concerns among security researchers and academics that India is the first step toward setting up a surveillance society to rival China.

A Scheme Born In The U.S.

Tapping into Aadhaar would help big tech companies access the data and transactions of millions of users in the second most populous country on earth, explained Usha Ramanathan, a Delhi-based lawyer, legal researcher and one of Aadhaar’s most vocal critics.

The idea for India’s national biometric identification team wasn’t unprecedented, and in fact, it has strong parallels with a system proposed for the United States. Following the Sept. 11, 2001, attacks, the CEO of Oracle, Larry Ellison, offered to build the U.S. government software for a national identification system that would include a centralized computer database of all U.S. citizens. The program never got off the ground amid objections from privacy and civil liberties advocates, but India’s own Ellison figure, Nandan Nilekani, had a similar idea. The billionaire founder of IT consulting giant Infosys, Nilekani conceptualized Aadhaar as a way to eliminate waste and corruption in India’s social welfare programs. He lobbied the government to bring in Aadhaar, and went on to run the project under the administration of Manmohan Singh. Nilekani gained even more influence under current Prime Minister Narendra Modi, who moved to make Aadhaar necessary for almost any kind of business in India.

The first 12-digit Aadhaar ID was issued in 2010. Today, over a billion people (around 89 percent of India’s population) have been included in the system ― from India’s unimaginably wealthy billionaires to the homeless, from residents of the country’s sprawling cities to remote inaccessible villages. While initially a voluntary program, the database is now linked to just about all government programs. You need an Aadhaar ID to get a passport issued or renewed. Aadhaar was made mandatory for operating a bank account, using a cell phone or investing in mutual funds, only for the proposals to be rolled back pending the Supreme Court verdict on the constitutionality of the project.

As Aadhaar identification became integrated into other systems like banking, cell phones and government programs, tech companies can use the program to cross-reference their datasets against other databases and assemble a far more detailed and intrusive picture of Indians’ lives. That would allow them, for example, to better target products or advertising to the vast Indian population. “You can take a unique identifying number and use it to find data in different sectors,” explained Pam Dixon, executive director of the World Privacy Forum, an American public interest research group. “That number can be cross-walked across all the different parts of their life.”

Microsoft, which uses Aadhaar in a new version of Skype to verify users, declined to talk about its work integrating products with the Aadhaar database. But Bill Gates, Microsoft’s founder, has publicly endorsed Aadhaar and his foundation is funding a World Bank program to bring Aadhaar-like ID programs to other countries. Gates has also argued that ID verification schemes like Aadhaar in itself don’t pose privacy issues. Microsoft CEO Satya Nadella has repeatedly praised Aadhaar in both his recent book and a tour across India.

Amazon did not respond to a request for comment, but according to a BuzzFeed report, the company told Indian customers not uploading a copy of Aadhaar “might result in a delay in the resolution or no resolution” of cases where packages were missing.

Facebook, too, failed to respond to repeated requests for comment, though the platform’s prompts for users to log in with the same name as their Aadhaar card prompted suspicions from users that it wanted everyone to use their Aadhaar-verified names and spellings so they could later build in Aadhaar functionality with minimal problems.

A spokesman for Google, which has its own payments platform in India called Tez, told HuffPost that the company has not integrated any of its products with Aadhaar. But there was outrage earlier in August when the Aadhaar helpline was added to Android phones without informing users. Google claimed in a statement to the Economic Times this happened “inadvertently”

Privacy Jeopardized For Millions

But the same features that are set to make tech companies millions are are also the ones that threaten the privacy and security of millions of Indians.

“As long as [the data] is being shared with so many people and services and companies, without knowing who has what data, it will always be an issue,” said Srinivas Kodali, an independent security researcher. “They can’t protect it until they encrypt it and stop sharing data.”

One government website allowed users to search and geolocate homes on the basis of caste and religion ― sparking fears of ethnic and religious violence in a country where lynchings, beatings and mob violence are commonplace. Another website broadcast the names, phone numbers and medical purchases — like generic Viagra and HIV medication — of anyone who buys medicines from government stores. In another leak, a Google search for phone numbers of farmers in Andhra Pradesh would reveal their Aadhaar numbers, address, fathers’ names and bank account numbers.

The leaks are aggravated by “a Star Trek-type obsession” with data dashboards, said Sunil Abraham, executive director of the Center for Internet and Society. Many government departments each created an online data dashboard with detailed personal records on individuals, he explained. The massive centralization of personal data, he said, created a huge security risk as these dashboards were accessible to any government official and in many cases, were even left open to the public.

Authentication failures have led to deaths among the poorest sections of Indian society when people were denied government food rations.

And much like the tech companies, some local governments are using the system to connect data sets and build expansive surveillance. In the state of Andhra Pradesh in India, there’s a war room next to the state chief minister’s office, where a wall of screens shows details from databases that collect information from every department. There are security cameras and dashboards that track every mention of the chief minister on the news. There’s a separate team watching what’s being said about him on social media and there are also dashboards that collect information from IoT [Internet of Things] sensors across the state.

Court Ruling Could Halt Rollout

Those issues around privacy are why the dreams of government bureaucrats and large tech companies to build a perfect surveillance apparatus around Aadhaar may ultimately fall apart. The Supreme Court of India is set to decide on a case that could decide the future of the program.

The court is set to review 27 petitions, including whether requiring an Aadhaar for government subsidies and benefits makes access to these programs conditional, even though the state is constitutionally bound to deliver them. The petitioners include lawyers, academics and a 92-year-old retired judge whose petition also secured the right to privacy as a fundamental right in August 2017. Petitioners also argue that the ability for Aadhaar to be used to track and profile people is unconstitutional.

In its judgment, due any day now, the court will rule on all 27 petitions together. It will decide not only the fate of the Aadhaar Act of 2016, but likely the future involvement of some of tech’s biggest companies in one of the world’s most ambitious and divisive IT projects.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-august-25-2018-paul-bluementhal-and-gopal-sathe-indias-biometric-database-is-creating-a-perfect-surveillance-state

India's struggle for online freedom

praskrishna — 2012-06-18T06:39:32Z

"65 years since your independence," a new battle for freedom is under way in India — according to a YouTube video uploaded by an Indian member of Anonymous, the global "hacktivist" movement.

Rebecca MacKinnon's article was published in the Sydney Morning Herald on June 9, 2012

With popular websites like Vimeo.com blocked across India by court order, the video calls for action: "Fight for your rights. Fight for India." Over the past several weeks, the group has launched distributed denial-of-service attacks against websites belonging to internet service providers, government departments, India's Supreme Court, and two political parties.

Street protests are being planned for today in as many as 18 cities to protest laws and other government actions that a growing number of Indian internet users believe have violated their right to free expression and privacy online.

A lively national internet freedom movement has grown rapidly across India since the beginning of this year.

The most colourful highlight so far was a seven-day Gandhian hunger strike, otherwise known as a "freedom fast," held in early May on a New Delhi pavement by political cartoonist Aseem Trivedi and activist-journalist Alok Dixit. Trivedi's website was shut down this year in response to a police complaint by a Mumbai-based advocate who alleged that some of Trivedi's works "ridicule the Indian Parliament, the national emblem, and the national flag."

Escalating political and legal battles over internet regulation in India are the latest front in a global struggle for online freedom — not only in countries like China and Iran where the internet is heavily censored and monitored by autocratic regimes, but also in democracies where the political motivations for control are much more complicated.

Democratically elected governments all over the world are failing to find the right balance between demands from constituents to fight crime, control hate speech, keep children safe, and protect intellectual property, and their duty to ensure and respect all citizens' rights to free expression and privacy. Popular online movements — many of them globally interconnected — are arising in response to these failures.

Only about 10 per cent of India's population uses the web, making it unlikely that internet freedom will be a decisive ballot-box issue anytime soon. Yet activists are determined to punish New Delhi's "humourless babus," as one columnist recently called India's censorious politicians and bureaucrats, in the country's media. Grassroots organisers are bringing a new generation of white-collar protesters to the streets to defend the right to use a technology that remains alien to the majority of India's people.

The trouble started with the 2008 passage of the Information Technology (Amendment) Act, whose Section 69 empowers the government to direct any internet service to block, intercept, monitor, or decrypt any information through any computer resource.

Company officials who fail to comply with government requests can face fines and up to seven years in jail. Then, in April 2011, the Ministry of Communications and Information Technology issued new rules under which internet companies are expected to remove within 36 hours any content that regulators designate as "grossly harmful," "harassing," or "ethnically objectionable" — designations that are open to a wide variety of interpretations and that free speech advocates argue have opened the door to abuse.

It is thanks to these rules that the website of the hunger-striking cartoonist, Trivedi, was taken offline. Also thanks to the 2011 rules, Facebook and Google are facing trial for having failed to remove objectionable content. If found guilty, the companies could face fines, and executives could be sentenced to jail time.

Saturday's protesters are calling for annulment of the 2011 rules and the repeal of part of the 2008 act. They are also calling for internet service companies to reverse the wholesale blocking of hundreds of websites, including the file-sharing services isoHunt and The Pirate Bay, as well as the video-sharing site Vimeo and Pastebin, which is primarily used for the sharing of text and links.

Internet service providers were responding to a court order from the Madras High Court demanding the blockage, which is aimed at preventing the online distribution of pirated versions of one particular film. The internet companies, fearing that they would not be able to catch every individual instance on every possible site they host, instead chose to block entire services along with all of their content — which had nothing to do with the film in question.

Such "John Doe" orders, named because they are directed against unknown potential offenders in the present and future, are characterised "by their overly broad and sweeping nature," argue lawyer Lawrence Liang and researcher Achal Prabhala, which extends "to a range of non-infringing activities as well, thus catching a whole range of legal acts in their net."

More broadly, as Delhi-based journalist Shivam Vij wrote in a recent essay: "The current mechanisms of internet censorship in India — blocking, direct removal requests to websites, intermediary rules — are draconian and unconstitutional. They need to be replaced with a new set of rules that are fair, transparent and accessible for public scrutiny. They should not be amenable to misuse by the powers-that-be for their own private interests."

Not only are the rules abused, but researchers find that they are causing extralegal censorship by companies that overcompensate in order to err on the side of caution. Last year, the Bangalore-based Centre for Internet and Society performed an experiment in which it sent "legally flawed" takedown demands to seven companies that provide a range of online services, including search, online shopping, and news with user-generated comments.

The legal flaws in the notices were such that the companies could have rejected them without being in breach of the law. Yet "of the 7 intermediaries to which takedown notices were sent, 6 intermediaries over-complied with the notices, despite the apparent flaws in them," reads the Centre for Internet and Society report.

Despite the growing public opposition, a motion to annul the 2011 rules was defeated by voice vote in the upper house of Parliament last month. Yet the criticism was sufficiently sharp that Communications Minister Kapil Sibal announced that he will hold consultations with all members of Parliament, representatives of industry, and other "stakeholders" to discuss the law's problems and how it might be revised.

Many of the law's critics, however, are skeptical that this will eliminate the law's deep flaws and loopholes for abuse, especially given the government's failure to listen so far. Comments on the 2011 rules submitted last year by the Centre for Internet and Society were not even acknowledged as having been received by the Ministry of Communications and Information Technology. "Sibal uses the excuse of national security and hate speech," says the center's director, Sunil Abraham, "but that is not what is happening."

Abraham worries that what is really happening is a government effort at Internet "behavior modification" through a process akin to an experiment involving caged monkeys, bananas, and ice water. Put four monkeys in a cage and hang a bunch of bananas on the ceiling. Every time one of them climbs up to reach the bananas, you drench all of them with ice water.

Soon enough, the monkeys will start policing themselves — attacking anybody who tries to reach the bananas, making it unnecessary for their masters to deploy the ice water. "This is why the government is being so aggressive so early on, with only 10 percent of India's population online," says Abraham. "If you start the drenching early on, by the time you get to 50 per cent [internet penetration], every one will be well-behaved monkeys."

Companies will act as private internet police for fear of legal punishment before the government is called upon to step in and enforce the law. If it works, Indian politicians could have fewer reasons to worry about online critiques or mockery, because companies fearing prosecution will proactively delete speech that could potentially be designated "harassing" or "grossly harmful."

India is not China or Iran, however. Its politicians may be corrupt, and most of its voters may not understand why Internet freedom matters because they've never used the Internet. But it still has an independent press and boisterous civil society that are not going to give up their critiques and protests anytime soon. India also has a strong, independent judiciary, with a record of ruling against censorship and surveillance measures when a strong case can be made that they conflict with constitutional protections of individual rights. "On free speech I have high faith in the Indian judiciary," says Abraham. "There is a good chance to launch a constitutional challenge."

If Google and Facebook lose at their impending trial — now scheduled for July — they will most certainly appeal, which activists hope could provide just such an opportunity to prevent the sort of "behaviour modification" process that Abraham warns against.

Now India's burgeoning internet freedom movement needs its own reverse "behaviour modification" strategy — imposing consistent and regular doses of political and legal ice water upon India's bureaucrats, politicians, and companies whenever they do things that threaten to corrode the rights of India's internet users. Saturday's protest is just the beginning.

Sunil Abraham is quoted in the article. The report on Intermediary Guidelines co-produced by CIS and Google is also mentioned.

For more details visit https://cis-india.org/news/indias-struggle-for-online-freedom

India's National ID Project Brings Pain to Those it Aims to Help

Admin — 2018-05-12T00:53:39Z

Poor management, corruption and fraud are threatening to derail the world’s largest national identity project.

The blog post by Aayush Soni was published in Ozy.com on May 11, 2018.

For Phoolmati, a resident of the Kusumpur Pahari slum in south Delhi, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”

The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.

Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.

Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.

Theirs is the lived experience of Aadhaar, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.

But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.

In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.

Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.

The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.

At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.

Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.

A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national ID system would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”

That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.

In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under Modi — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.

For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.

“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.

The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.

But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.

But the Modi government has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.

It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in The Tribune, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.

Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.

These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.

The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the Supreme Court challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.

Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a chaukidaar (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.

For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.

For more details visit https://cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help

India's National Cyber Security Policy in Review

jon — 2013-07-31T10:40:22Z

Earlier this month, the Department of Electronics and Information Technology released India’s first National Cyber Security Policy. Years in the making, the Policy sets high goals for cyber security in India and covers a wide range of topics, from institutional frameworks for emergency response to indigenous capacity building.

What the Policy achieves in breadth, however, it often lacks in depth. Vague, cursory language ultimately prevents the Policy from being anything more than an aspirational document. In order to translate the Policy’s goals into an effective strategy, a great deal more specificity and precision will be required.

The Scope of National Cyber Security

Where such precision is most required is in definitions. Having no legal force itself, the Policy arguably does not require the sort of legal precision one would expect of an act of Parliament, for example. Yet the Policy deals in terms plagued with ambiguity, cyber security not the least among them. In forgoing basic definitions, the Policy fails to define its own scope, and as a result it proves remarkably broad and arguably unfocused.

The Policy’s preamble comes close to defining cyber security in paragraph 5 when it refers to "cyber related incident[s] of national significance" involving "extensive damage to the information infrastructure or key assets…[threatening] lives, economy and national security." Here at least is a picture of cyber security on a national scale, a picture which would be quite familiar to Western policymakers: computer security practices "fundamental to both protecting government secrets and enabling national defence, in addition to protecting the critical infrastructures that permeate and drive the 21st century global economy."[*] The paragraph 5 definition of sorts becomes much broader, however, when individuals and businesses are introduced, and threats like identity theft are brought into the mix.

Here the Policy runs afoul of a common pitfall: conflating threats to the state or society writ large (e.g. cyber warfare, cyber espionage, cyber terrorism) with threats to businesses and individuals (e.g. fraud, identity theft). Although both sets of threats may be fairly described as cyber security threats, only the former is worthy of the term national cyber security. The latter would be better characterized as cyber crime. The distinction is an important one, lest cyber crime be “securitized,” or elevated to an issue of national security. National cyber security has already provided the justification for the much decried Central Monitoring System (CMS). Expanding the range of threats subsumed under this rubric may provide a pretext for further surveillance efforts on a national scale.

Apart from mission creep, this vague and overly broad conception of national cyber security risks overwhelming an as yet underdeveloped system with more responsibilities than it may be able to handle. Where cyber crime might be left up to the police, its inclusion alongside true national-level cyber security threats in the Policy suggests it may be handled by the new "nodal agency" mentioned in section IV. Thus clearer definitions would not only provide the Policy with a more focused scope, but they would also make for a more efficient distribution of already scarce resources.

What It Get Right

Definitions aside, the Policy actually gets a lot of things right — at least as an aspirational document. It certainly covers plenty of ground, mentioning everything from information sharing to procedures for risk assessment / risk management to supply chain security to capacity building. It is a sketch of what could be a very comprehensive national cyber security strategy, but without more specifics, it is unlikely to reach its full potential. Overall, the Policy is much of what one might expect from a first draft, but certain elements stand out as worthy of special consideration.

First and foremost, the Policy should be commended for its commitment to “[safeguarding] privacy of citizen’s data” (sic). Privacy is an integral component of cyber security, and in fact other states’ cyber security strategies have entire segments devoted specifically to privacy. India’s Policy stands to be more specific as to the scope of these safeguards, however. Does the Policy aim primarily to safeguard data from criminals? Foreign agents? Could it go so far as to protect user data even from its own agents? Indeed this commitment to privacy would appear at odds with the recently unveiled CMS. Rather than merely paying lip service to the concept of online privacy, the government would be well advised to pass legislation protecting citizens’ privacy and to use such legislation as the foundation for a more robust cyber security strategy.

The Policy also does well to advocate “fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure with respect to cyber security.” Though some have argued that such regulation would impose inordinate costs on private businesses, anyone with a cursory understanding of computer networks and microeconomics could tell you that “externalities in cybersecurity are so great that even the freest free market would fail”—to quote expert Bruce Schneier. In less academic terms, a network is only as strong as its weakest link. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.

The Policy also “[encourages] wider usage of Public Key Infrastructure (PKI) within Government for trusted communication and transactions.” It is surprising, however, that the Policy does not mandate the usage of PKI. In general, the document provides relatively few details on what specific security practices operators of Critical Information Infrastructure (CII) can or should implement.

Where It Goes Wrong

One troubling aspect of the Policy is its ambiguous language with respect to acquisition policies and supply chain security in general. The Policy, for example, aims to “[mandate] security practices related to the design, acquisition, development, use and operation of information resources” (emphasis added). Indeed, section VI, subsection A, paragraph 8 makes reference to the “procurement of indigenously manufactured ICT products,” presumably to the exclusion of imported goods. Although supply chain security must inevitably factor into overall cyber security concerns, such restrictive acquisition policies could not only deprive critical systems of potentially higher-quality alternatives but—depending on the implementation of these policies—could also sharpen the vulnerabilities of these systems.

Not only do these preferential acquisition policies risk mandating lower quality products, but it is unlikely they will be able to keep pace with the rapid pace of innovation in information technology. The United States provides a cautionary tale. The U.S. National Institute of Standards and Technology (NIST), tasked with producing cyber security standards for operators of critical infrastructure, made its first update to a 2005 set of standards earlier this year. Other regulatory agencies, such as the Federal Energy Regulatory Commission (FERC) move at a marginally faster pace yet nevertheless are delayed by bureaucratic processes. FERC has already moved to implement Version 5 of its Critical Infrastructure Protection (CIP) standards, nearly a year before the deadline for Version 4 compliance. The need for new standards thus outpaces the ability of industry to effectively implement them.

Fortunately, U.S. cyber security regulation has so-far been technology-neutral. Operators of Critical Information Infrastructure are required only to ensure certain functionalities and not to procure their hardware and software from any particular supplier. This principle ensures competition and thus security, allowing CII operators to take advantage of the most cutting-edge technologies regardless of name, model, etc. Technology neutrality does of course raise risks, such as those emphasized by the Government of India regarding Huawei and ZTE in 2010. Risk assessment must, however, remain focused on the technology in question and avoid politicization. India’s cyber security policy can be technology neutral as long as it follows one additional principle: trust but verify.

Verification may be facilitated by the use of free and open-source software (FOSS). FOSS provides security through transparency as opposed to security through obscurity and thus enables more agile responses to security responses. Users can identify and patch bugs themselves, or otherwise take advantage of the broader user community for such fixes. Thus open-source software promotes security in much the same way that competitive markets do: by accepting a wide range of inputs.

Despite the virtues of FOSS, there are plenty of good reasons to run proprietary software, e.g. fitness for purpose, cost, and track record. Proprietary software makes verification somewhat more complicated but not impossible. Source code escrow agreements have recently gained some traction as a verification measure for proprietary software, even with companies like Huawei and ZTE. In 2010, the infamous Chinese telecommunications giants persuaded the Indian government to lift its earlier ban on their products by concluding just such an agreement. Clearly trust but verify is imminently practicable, and thus technology neutrality.

What’s Missing

Level of detail aside, what is most conspicuously absent from the new Policy is any framework for institutional cooperation beyond 1) the designation of CERT-In “as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management” and 2) the designation of the “National Critical Information Infrastructure Protection Centre (NCIIPC) to function as the nodal agency for critical information infrastructure protection in the country.” The Policy mentions additionally “a National nodal agency to coordinate all matters related to cyber security in the country, with clearly defined roles & responsibilities.” Some clarity with regard to roles and responsibilities would certainly be in order. Even among these three agencies—assuming they are all distinct—it is unclear who is to be responsible for what.

More confusing still is the number of other pre-existing entities with cyber security responsibilities, in particular the National Technical Research Organization (NTRO), which in an earlier draft of the Policy was to have authority over the NCIIPC. The Ministry of Defense likewise has bolstered its cyber security and cyber warfare capabilities in recent years. Is it appropriate for these to play a role in securing civilian CII? Finally, the already infamous Central Monitoring System, justified predominantly on the very basis of cyber security, receives no mention at all. For a government that is only now releasing its first cyber security policy, India has developed a fairly robust set of institutions around this issue. It is disappointing that the Policy does not more fully address questions of roles and responsibilities among government entities.

Not only is there a lack of coordination among government cyber security entities, but there is no mention of how the public and private sectors are to cooperate on cyber security information—other than oblique references to “public-private partnerships.” Certainly there is a need for information sharing, which is currently facilitated in part by the sector-level CERTS. More interesting, however, is the question of liability for high-impact cyber attacks. To whom are private CII operators accountable in the event of disruptive cyber attacks on their systems? This legal ambiguity must necessarily be resolved in conjunction with the “fiscal schemes and incentives” also alluded to in the Policy in order to motivate strong cyber security practices among all CII operators and the public more broadly.

Next Steps

India’s inaugural National Cyber Security Policy is by and large a step in the right direction. It covers many of the most pressing issues in national cyber security and lays out a number of ambitious goals, ranging from capacity building to robust public-private partnerships. To realize these goals, the government will need a much more detailed roadmap.

Firstly, the extent of the government’s proposed privacy safeguards must be clarified and ideally backed by a separate piece of privacy legislation. As Benjamin Franklin once said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” When it comes to cyberspace, the Indian people must demand both liberty and safety.

Secondly, the government should avoid overly preferential acquisition policies and allow risk assessments to be technologically rather than politically driven. Procurement should moreover be technology-neutral. Open source software and source code escrow agreements can facilitate the verification measures that make technology neutrality work.

Finally, to translate this policy into a sound strategy will necessarily require that India’s various means be directed toward specific ends. The Policy hints at organizational mapping with references to CERT-In and the NCIIPC, but the roles and responsibilities of other government agencies as well as the private sector remain underdetermined. Greater clarity on these points would improve inter-agency and public-private cooperation—and thus, one hopes, security—significantly.

[*]. Melissa E. Hathaway and Alexander Klimburg, “Preliminary Considerations: On National Cyber Security” in National Cyber Security Framework Manual, ed. Alexander Klimburg, (Tallinn, Estonia: Nato Cooperative Cyber Defence Centre of Excellence, 2012), 13

For more details visit https://cis-india.org/internet-governance/blog/indias-national-cyber-security-policy-in-review

India's Identity Crisis

malavika — 2014-01-09T07:56:08Z

Malavika Jayaram's article was published in 2013 Internet Monitor Annual Report: Reflections on the Digital World, published by Harvard's Berkman Center for Internet and Society.

India’s Unique Identity (UID) project is already the world’s largest biometrics identity program, and it is still growing. Almost 530 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Despite these potential benefits, however, critical concerns remain about the UID’s legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.

The most basic concerns regarding the UID project stem from the fact that biometric technologies have never been tested on such a large population. As a result, well-founded concerns exist around scalability, false acceptance and rejection rates, and the project’s core premise that biometrics can uniquely and unambiguously identify people in a foolproof manner. Some of these concerns are based on technical issues—collecting fingerprints and iris scans “in the field,” for instance, can be complicated when a registrant’s fingerprints are eroded by manual labor or her irises are affected by malnutrition and cataracts. Other concerns relate to the project’s federated implementation architecture, which, by outsourcing collection to a massive group of private and public registrars and operators, increases the chance for data breaches, error, and fraud.

Perhaps even more vexing are concerns regarding how the UID, which promises financial inclusion (by reducing the identification barriers to opening bank accounts, for example), might in fact lead to new types of exclusion for already marginalized groups. Members of the LGBT community, for instance, question whether the inclusion of the transgender category within the UID scheme is a laudable attempt at inclusion, or a new means of listing and targeting members of their community for exclusion. More fundamentally, as more and more services and benefits are linked to the UID, the project threatens to exclude all those who cannot or will not participate in the scheme due to logistical failures or philosophical objections.

It is worth noting that the UID is not the only large data project in India. A slew of “Big Brother” projects exist: the Centralised Monitoring System (CMS), the Telephone Call Interception System (TCIS), the National Population Register (NPR), the Crime and Criminal Tracking Network and Systems (CCTNS), and the National Intelligence Grid (NATGRID), which is working to aggregate up to 21 different databases relating to tax, rail and air travel, credit card transactions, immigration, and other domains. The UID is intended to serve as a common identifier across these databases, creating a massive surveillance state. It also facilitates an ecosystem where access to goods and services, from government subsidies to drivers’ licenses to mobile phones to cooking gas, increasingly requires biometric authentication.

The UID project was originally vaunted as voluntary, but the inexorable slippery slope toward compulsory participation has triggered a series of lawsuits challenging the legality of forced enrollment and the constitutionality of the entire project. Most recently, in September 2013, India’s federal Supreme Court affirmed by way of an interim decision that the UID was not mandatory, that not possessing a UID should not disadvantage anybody, and that citizenship should be ascertained as a criteria for registering in order to ensure that UIDs are not issued to illegal immigrants. This last stipulation is particularly thorny given that the Unique Identification Authority of India (UIDAI, the body in charge of the UID project) has consistently distanced the UID from questions of citizenship under the justification that it is a matter beyond their remit (i.e., the UID is open to residents, and is not linked to citizenship). The government moved quickly to urge a modification of the order, but the Supreme Court declined to do so and will instead release its final decision after it reviews a batch of petitions from activists and others. The UIDAI approached the court, arguing that not making the UID mandatory has serious consequences for welfare schemes, but the court recently ordered the federal government, the Reserve Bank of India, and the Election Commission to delink the LPG cooking gas scheme from the UID. This is a considerable setback for the project, given that this was one of the most hyped linkages for the UID. It remains to be seen whether the court will similarly halt other attempts to make the UID mandatory.

In the meantime, the UID project is effectively being implemented in a legal vacuum without support from the Supreme Court or Parliament. The Cabinet is seeking to rectify this and has cleared a bill that would finally provide legal backing for the UID program—its previous attempt was rejected by the Standing Committee on Finance in 2010. This bill is scheduled to come up for debate during the winter session of Parliament. The bill’s progress, along with the final decision of the Supreme Court, will have far reaching consequences for the UID project’s implementation and longevity, as well as for the relationship between India’s citizens and the state.

If fully implemented, the UID system will fundamentally alter the way in which citizens interact with the government by creating a centrally controlled, technology-based standard that mediates access to social services and benefits, financial systems, telecommunications, and governance. It will undoubtedly also have implications for how citizens relate to private sector entities, on which the UID rests and which have their own vested interests in the data. The success or failure of the UID represents a critical moment for India. Whatever course the country takes, its decision to travel further toward or turn away from becoming a “database nation” will have implications for democracy, free speech, and economic justice within its own borders and also in the many neighboring countries that look to it as a technological standard bearer.

The Indian government seems to envision “big data” as a panacea for fraud, corruption, and abuse, but it has given little attention to understanding and addressing the fraud, corruption, and abuse that massive databases can themselves engender. The government’s actions have yet to demonstrate an appreciation for the fact that the matrix of identity and surveillance schemes it has implemented can create a privacy-invading technology layer that is not only a barrier to online activity but also to social participation writ large.

The lack of identification documents for a large portion of the Indian population does need to be addressed. Whether the UID project is the best means to do this—whether it has the right architecture and design, whether it can succeed without an overhaul of several other failures of governmental institutions, and whether fixing the identity piece alone causes more harm than good—should be the subject of intense debate and scrutiny. Only through rigorous threat modeling and analysis of the risks arising out of this burgeoning “data industrial complex” can steps be taken to stem the potential repercussions of the project not just for identity management, fraud, corruption, distributive justice, and welfare generally, but also for autonomy, openness, and democracy.

Click to download the article published in the annual report of Berkman's Center for Internet and Society (PDF 7223 Kb)

For more details visit https://cis-india.org/internet-governance/blog/internet-monitor-2013-malavika-jayaram-indias-identity-crisis

India's Central Monitoring System (CMS): Something to Worry About?

maria — 2014-02-22T13:50:37Z

In this article, Maria Xynou presents new information about India's controversial Central Monitoring System (CMS) based on official documents which were shared with the Centre for Internet and Society (CIS). Read this article and gain an insight on how the CMS actually works!

The idea of a Panoptikon, of monitoring all communications in India and centrally storing such data is not new. It was first envisioned in 2009, following the 2008 Mumbai terrorist attacks. As such, the Central Monitoring System (CMS) started off as a project run by the Centre for Communication Security Research and Monitoring (CCSRM), along with the Telecom Testing and Security Certification (TTSC) project.

The Central Monitoring System (CMS), which was largely covered by the media in 2013, was actually approved by the Cabinet Committee on Security (CCS) on 16th June 2011 and the pilot project was completed by 30th September 2011. Ever since, the CMS has been operated by India's Telecom Enforcement Resource and Monitoring (TERM) cells, and has been implemented by the Centre for Development of Telematics (C-DOT), which is an Indian Government owned telecommunications technology development centre. The CMS has been implemented in three phases, each one taking about 13-14 months. As of June 2013, government funding of the CMS has reached at least Rs. 450 crore (around $72 million).

In order to require Telecom Service Providers (TSPs) to intercept all telecommunications in India as part of the CMS, clause 41.10 of the Unified Access Services (UAS) License Agreement was amended in June 2013. In particular, the amended clause includes the following:

“But, in case of Centralized Monitoring System (CMS), Licensee shall provide the connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at its own cost in the form of dark fibre with redundancy. If dark fibre connectivity is not readily available, the connectivity may be extended in the form of 10 Mbps bandwidth upgradeable upto 45 Mbps or higher as conveyed by the Governemnt, till such time the dark fibre connectivity is established. However, LICENSEE shall endeavor to establish connectivity by dark optical fibre at the earilest. From the point of presence of MPLS network of CMS onwards traffic will be handled by the Government at its own cost.”

Furthermore, draft Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of “message related information” / Call Data Records (CDR) to Indian authorities. Call Data Records, otherwise known as Call Detail Records, contain metadata (data about data) that describe a telecomunication transaction, but not the content of that transaction. In other words, Call Data Records include data such as the phone numbers of the calling and called parties, the duration of the call, the time and date of the call, and other such information, while excluding the content of what was said during such calls. According to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a national level through orders by the Secretary to the Government of India in the Ministry of Home Affairs, while on the state level, orders can only be issued by the Secretary to the State Government in charge of the Home Department.

Other than this draft Rule and the amendment to clause 41.10 of the UAS License Agreement, no law exists which mandates or regulates the Central Monitoring System (CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian Telegraph Act, 1885, which empowers the Indian Government to intercept communications on the occurence of any “public emergency” or in the interest of “public safety”, when it is deemed “necessary or expedient” to do so in the following instances:

the interests of the sovereignty and integrity of India
the security of the State
friendly relations with foreign states
public order
for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and vague, and fails to explicitly regulate the details of how the Central Monitoring System (CMS) should function. As such, the CMS appears to be inadequately regulated, which raises many questions with regards to its potential misuse and subsequent violation of Indian's right to privacy and other human rights.

So how does the Central Monitoring System (CMS) actually work?

We have known for quite a while now that the Central Monitoring System (CMS) gives India's security agencies and income tax officials centralized access to the country's telecommunications network. The question, though, is how.

Well, prior to the CMS, all service providers in India were required to have Lawful Interception Systems installed at their premises in order to carry out targeted surveillance of individuals by monitoring communications running through their networks. Now, in the CMS era, all TSPs in India are required to integrate Interception Store & Forward (ISF) servers with their pre-existing Lawful Interception Systems. Once ISF servers are installed in the premises of TSPs in India and integrated with Lawful Interception Systems, they are then connected to the Regional Monitoring Centres (RMC) of the CMS. Each Regional Monitoring Centre (RMC) in India is connected to the Central Monitoring System (CMS). In short, the CMS involves the collection and storage of data intercepted by TSPs in central and regional databases.

In other words, all data intercepted by TSPs is automatically transmitted to Regional Monitoring Centres, and subsequently automatically transmitted to the Central Monitoring System. This means that not only can the CMS authority have centralized access to all data intercepted by TSPs all over India, but that the authority can also bypass service providers in gaining such access. This is due to the fact that, unlike in the case of so-called “lawful interception” where the nodal officers of TSPs are notified about interception requests, the CMS allows for data to be automatically transmitted to its datacentre, without the involvement of TSPs.

The above is illustrated in the following chart:

The interface testing of TSPs and their Lawful Interception Systems has already been completed and, as of June 2013, 70 ISF servers have been purchased for six License Service Areas and are being integrated with the Lawful Interception Systems of TSPs. The Centre for Development of Telematics has already fully installed and integrated two ISF servers in the premises of two of India's largest service providers: MTNL and Tata Communications Limited. In Delhi, ISF servers which connect with the CMS have been installed for all TSPs and testing has been completed. In Haryana, three ISF servers have already been installed in the premises of TSPs and the rest of currently being installed. In Chennai, five ISF servers have been installed so far, while in Karnataka, ISF servers are currently being integrated with the Lawful Interception Systems of the TSPs in the region.

The Centre for Development of Telematics plans to integrate ISF servers which connect with the CMS in the premises of service providers in the following regions:

Delhi
Maharashtra
Kolkata
Uttar Pradesh (West)
Andhra Pradesh
Uttar Pradesh (East)
Kerala
Gujarat
Madhya Pradesh
Punjab
Haryana

With regards to the UAS License Agreement that TSPs are required to comply with, amended clause 41.10 specifies certain details about how the CMS functions. In particular, the amended clause mandates that TSPs in India will provide connectivity upto the nearest point of presence of MPLS (Multi Protocol Label Switching) network of the CMS at their own cost and in the form of dark optical fibre. From the MPLS network of the CMS onwards, traffic will be handled by the Government at its own cost. It is noteworthy that a Memorandum of Understanding (MoU) for MPLS connectivity has been signed with one of India's largest ISPs/TSPs: BSNL. In fact, Rs. 4.8 crore have been given to BSNL for interconnecting 81 CMS locations of the following License Service Areas:

Delhi
Mumbai
Haryana
Rajasthan
Kolkata
Karnataka
Chennai
Punjab

Clause 41.10 of the UAS License Agreement also mandates that the hardware and software required for monitoring calls will be engineered, provided, installed and maintained by the TSPs at their own cost. This implies that TSP customers in India will likely have to pay for more expensive services, supposedly to “increase their safety”. Moreover, this clause mandates that TSPs are required to monitor at least 30 simultaneous calls for each of the nine designated law enforcement agencies. In addition to monitored calls, clause 41.10 of the UAS License Agreement also requires service providers to make the following records available to Indian law enforcement agencies:

Called/calling party mobile/PSTN numbers
Time/date and duration of interception
Location of target subscribers (Cell ID & GPS)
Data records for failed call attempts
CDR (Call Data Records) of Roaming Subscriber
Forwarded telephone numbers by target subscriber

Interception requests from law enforcement agencies are provisioned by the CMS authority, which has access to the intercepted data by all TSPs in India and which is stored in a central database. As of June 2013, 80% of the CMS Physical Data Centre has been built so far.

In short, the CMS replaces the existing manual system of interception and monitoring to an automated system, which is operated by TERM cells and implemented by the Centre for Development of Telematics. Training has been imparted to the following law enforcement agencies:

Intelligence Bureau (IB)
Central Bureau of Investigation (CBI)
Directorate of Revenue Intelligence (DRI)
Research & Analysis Wing (RAW)
National Investigation Agency (NIA)
Delhi Police

And should we even be worried about the Central Monitoring System?

Well, according to the brief material for the Honourable MOC and IT Press Briefing on 16th July 2013, we should not be worried about the Central Monitoring System. Over the last year, media reports have expressed fear that the Central Monitoring System will infringe upon citizen's right to privacy and other human rights. However, Indian authorities have argued that the Central Monitoring System will better protect the privacy of individuals and maintain their security due to the following reasons:

The CMS will just automate the existing process of interception and monitoring, and all the existing safeguards will continue to exist
The interception and monitoring of communications will continue to be in accordance with Section 5(2) of the Indian Telegraph Act, 1885, read with Rule 419A
The CMS will enhance the privacy of citizens, because it will no longer be necessary to take authorisation from the nodal officer of the Telecom Service Providers (TSPs) – who comes to know whose and which phone is being intercepted
The CMS authority will provision the interception requests from law enforcement agencies and hence, a complete check and balance will be ensured, since the provisioning entity and the requesting entity will be different and the CMS authority will not have access to content data
A non-erasable command log of all provisioning activities will be maintained by the system, which can be examined anytime for misuse and which provides an additional safeguard

While some of these arguments may potentially allow for better protections, I personally fundamentally disagree with the notion that a centralised monitoring system is something not to worry about. But let's start-off by having a look at the above arguments.

The first argument appears to imply that the pre-existing process of interception and monitoring was privacy-friendly or at least “a good thing” and that existing safeguards are adequate. As such, it is emphasised that the process of interception and monitoring will “just” be automated, while posing no real threat. I fundamentally disagree with this argument due to several reasons. First of all, the pre-existing regime of interception and monitoring appears to be rather problematic because India lacks privacy legislation which could safeguard citizens from potential abuse. Secondly, the very interception which is enabled through various sections of the Information Technology (Amendment) Act, 2008, and the Indian Telegraph Act, 1885, potentially infringe upon individual's right to privacy and other human rights.

May I remind you of Section 69 of the Information Technology (Amendment) Act, 2008, which allows for the interception of all information transmitted through a computer resource and which requires users to assist authorities with the decryption of their data, if they are asked to do so, or face a jail sentence of up to seven years. The debate on the constitutionality of the various sections of the law which allow for the interception of communications in India is still unsettled, which means that the pre-existing interception and monitoring of communications remains an ambiguous matter. And so, while the interception of communications in general is rather concerning due to dracodian sections of the law and due to the absence of privacy legislation, automating the process of interception does not appear reassuring at all. On the contrary, it seems like something in the lines of: “We have already been spying on you. Now we will just be doing it quicker and more efficiently.”

The second argument appears inadequate too. Section 5(2) of the Indian Telegraph Act, 1885, states that the interception of communications can be carried out on the occurence of a “public emergency” or in the interest of “public safety” when it is deemed “necessary or expedient” to do so under certain conditions which were previously mentioned. However, this section of the law does not mandate the establishment of the Central Monitoring System, nor does it regulate how and under what conditions this surveillance system will function. On the contrary, Section 5(2) of the Indian Telegraph Act, 1885, clearly mandates targeted surveillance, while the Central Monitoring System could potentially undertake mass surveillance. Since the process of interception is automated and, under clause 41.16 of the Unified License (Access Services) Agreement, service providers are required to provision at least 3,000 calls for monitoring to nine law enforcement agencies, it is likely that the CMS undertakes mass surveillance. Thus, it is unclear if the very nature of the CMS falls under Section 5(2) of the Indian Telegraph Act, 1885, which mandates targeted surveillance, nor is it clear that such surveillance is being carried out on the occurence of a specific “public emergency” or in the interest of “public safety”. As such, the vagueness revolving around the question of whether the CMS undertakes targeted or mass surveillance means that its legality remains an equivocal matter.

As for the third argument, it is not clear how bypassing the nodal officers of TSPs will enhance citizen's right to privacy. While it may potentially be a good thing that nodal officers will not always be aware of whose information is being intercepted, that does not guarantee that those who do have access to such data will not abuse it. After all, the CMS appears to be largely unregulated and India lacks privacy legislation and all other adequate legal safeguards. Moreover, by bypassing the nodal officers of TSPs, the opportunity for unauthorised requests to be rejected will seize to exist. It also implies an increased centralisation of intercepted data which can potentially create a centralised point for cyber attacks. Thus, the argument that the CMS authority will monopolise the control over intercepted data does not appear reassuring at all. After all, who will watch the watchmen?

While the fourth argument makes a point about differentiating the provisioning and requesting entities with regards to interception requests, it does not necessarily ensure a complete check and balance, nor does it completely eliminate the potential for abuse. The CMS lacks adequate legal backing, as well as a framework which would ensure that unauthorised requests are not provisioned. Thus, the recommended chain of custody of issuing interception requests does not necessarily guarantee privacy protections, especially since a legal mechanism for ensuring checks and balances is not in place.

Furthermore, this argument states that the CMS authority will not have access to content data, but does not specify if it will have access to metadata. What's concerning is that metadata can potentially be more useful for tracking individuals than content data, since it is ideally suited to automated analysis by a computer and, unlike content data which shows what an individuals says (which may or may not be true), metadata shows what an individual does. As such, metadata can potentially be more “harmful” than content data, since it can potentially provide concrete patterns of an individual's interests, behaviour and interactions. Thus, the fact that the CMS authority might potentially have access to metadata appears to tackle the argument that the provisioning and requesting entities will be seperate and therefore protect individual's privacy.

The final argument appears to provide some promise, since the maintenance of a command log of all provisioning activities could potentially ensure some transparency. However, it remains unclear who will maintain such a log, who will have access to it, who will be responsible for ensuring that unlawful requests have not been provisioned and what penalties will be enforced in cases of breaches. Without an independent body to oversee the process and without laws which predefine strict penalties for instances of misuse, maintaining a command log does not necessarily safeguard anything at all. In short, the above arguments in favour of the CMS and which support the notion that it enhances individual's right to privacy appear to be inadequate, to say the least.

In contemporary democracies, most people would agree that freedom is a fundamental human right. The right to privacy should be equally fundamental, since it protects individuals from abuse by those in power and is integral in ensuring individual liberty. India may literally be the largest democracy in the world, but it lacks privacy legislation which establishes the right to privacy, which guarantees data protection and which safeguards individuals from the potentially unlawful interception of their communications. And as if that is not enough, India is also carrying out a surveillance scheme which is largely unregulated. As such, it is highly recommended that India establishes a privacy law now.

If we do the math, here is what we have: a country with extremely high levels of corruption, no privacy law and an unregulated surveillance scheme which lacks public and parliamentary debate prior to its implementation. All of this makes it almost impossible to believe that we are talking about a democracy, let alone the world's largest (by population) democracy! Therefore, if Indian authorities are interested in preserving the democratic regime they claim to be a part of, I think it would be highly necessary to halt the Central Monitoring System and to engage the public and the parliament in a debate about it.

After all, along with our right to privacy, freedom of expression and other human rights...our right to freedom from suspicion appears to be at stake.

How can we not be worried about the Central Monitoring System?

The Centre for Internet and Society (CIS) is in possession of the documents which include the information on the Central Monitoring System (CMS) as analysed in this article, as well as of the draft Rule 419B under the Indian Telegraph Act, 1885.

For more details visit https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about

India's Biometric Identification Programs and Privacy Concerns

divij — 2016-07-21T10:51:42Z

The invasiveness of individual identification coupled with the fallibility of managing big data which biometric identification presents poses a huge risk to individual privacy in India.

Divij Joshi is a 2nd year at NLS. He is interning with the Centre for Internet and Society for the privacy project. This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Introduction

Biometric technology looks to be the way ahead for the Indian government in its initiatives towards identification. From the Unique Identity Scheme (Aadhaar) to the National Population Register and now to Election ID’s, [1] biometric identification seems to have become the government’s new go-to solution for all kinds of problems. Biometrics prove to be an obvious choice in individual identification schemes – it’s easiest to identify different individuals by their faces and fingerprints, unique and integral aspects of individuals – yet, the unflinching optimism in the use of biometric technology and the collection of biometric data on a massive scale masks several concerns regarding compromises of individual privacy.

‘Big Data’ and Privacy Issues

Biometric data is going to be collected under several existing and proposed identification schemes of the government, from the Centralized Identities Data Register of the UID to the draft DNA Profiling Bill which seeks to improve criminal forensics and identification. With the completion of the biometric profiling under the UID, the Indian government will have the largest database of personal biometric data in the world. [3] With plans for the UID to be used for several different purposes — as a ration card, for opening a banking account, for social security and healthcare and several new proposed uses emerging everyday,[1] the creation of ‘Big Data’ becomes possible. ‘Big Data’ is characterized by the volume of information that is produced, the velocity by which data is produced, the variety of data produced and the ability to draw new conclusions from an analysis of the data.[2] The UID will generate “Big Data” as it is envisioned that the number will be used in every transaction for any platform that adopts it — for all of the 1.2 billion citizens of India. In this way the UID is different any other identity scheme in India, where the identifier is used for a specific purpose at a specific point of time, by a specific platform, and generates data only in connection to that service. Though the creation of “Big Data” through the UID could be beneficial through analysing data trends to target improved services, for example, at the same time it can be problematic in case of a compromise or breach, or if generated information is analyzed to draw new and unintended conclusions about individuals without their consent, and using information for purposes the individuals did not mean for it to be used.

Biometric ID and Theft of Private Data

The government has touted identification schemes such as the UID and NPR as a tool to tackle rural poverty, illegal immigration and national security issues and with this as the premise, the concerns about privacy seem to have been left in the lurch. The optimism driving the programmes also means that its potential fallibility is often overlooked in the process. Biometric technology has been proven time and again to be just as easily jeopardized as any other and the threat of biometric identity theft is as real and common as something like credit card fraud, with fingerprints and iris scans being easily capable of replication and theft without the individual owners consent. [2] In fact, compromise or theft of biometric identity data presents an even greater difficulty than other forms of ID because of the fact that it is unique and intrinsic, and hence, once lost cannot be re-issued or reclaimed like traditional identification like a PIN, leaving the individual victim with no alternative system for identification or authentication. This would also defeat the entire purpose behind any authentication and identification schemes. With the amount of personal data that the government plans to store in databases using biometrics, and without adequate safeguards which can be publicly scrutinized, using this technology would be a premature and unsafe move.

Biometric data and Potential Misuse

Centralised data storage is problematic not only for the issues with data compromise and identity theft, but the problems of potential third-party misuse in the absence of an adequate legal framework for protecting such personal data, and proper technical safeguards for the same, as has been pointed out by the Standing Committee on Finance in its report on the UIDAI project.[4] The threat to privacy which these massive centralized databases pose has led to the shelving of similar programmes in England as well as France. [4] Further, concerns have been voiced about data sharing and access to the information contained in the biometric database. The biometric database is to be managed by several contracting companies based in the US. These same companies have legal obligations to share any data with the US government and Homeland Security. [5]

A second, growing concern over biometric identification schemes is over the use of biometrics for state surveillance purposes. While the UID’s chief concern on paper has been development, poverty, and corruption alleviation, there is no defined law or mandate which restricts the number from being used for other purposes, hence giving rise to concerns of a function creep - a shift in the use of the UID from its original intended purpose. For example, the Kerala government has recently proposed a scheme whereby the UID would be used to track school children.[5] Other schemes such as the National Population Register and the DNA Profiling Bill have been specifically set up with security of the State as the mandate and aim.[6] With the precise and accurate identification which biometrics offers, it also means that individuals are that much easier to continuously survey and track, for example, by using CCTV cameras with facial recognition software, the state could have real-time surveillance over any activities of any individual.[7]

With all kinds of information about individuals connected by a single identifier, from bank accounts to residential and voter information, the threat of increased state surveillance, and misuse of information becomes more and more pronounced. By using personal identifiers like fingerprints or iris scans, agencies can potentially converge data collected across databases, and use it for different purposes. It also means that individuals can potentially be profiled through the information provided from their various databases, accessed through identifiers, which leads to concerns about surveillance and tracking, without the individuals knowledge. There are no Indian laws or policies under data collection schemes which address concerns of using personal identifiers for tracking and surveillance.[8] Even if such such use is essential for increased national security, the implementation of biometrics for constant surveillance under the present regime ,where individuals are not notified about the kind of data being collected and for what its being used, would be a huge affront on civil liberties, as well as the Right to Privacy, and prove to be a powerful and destructive weapon in the hands of a police state. Without these concerns being addressed by a suitable, publicly available policy, it could pose a huge threat to individual privacy in the country. As was noted by the Deputy Prime Minister of the UK, Nick Clegg, in a speech where he denounced the Identity Scheme of the British government, saying that “This government will end the culture of spying on its citizens. It is outrageous that decent, law-abiding people are regularly treated as if they have something to hide. It has to stop. So there will be no ID card scheme. No national identity register, a halt to second generation biometric passports.” [6]

Biometric technology has been useful in several programmes and policies where its use has been open to scrutiny and restricted to a specific function, for example, the recent use of facial recognition in Goa to tackle voter fraud, and similar schemes being taken up by the Election Commission. [7] However, with lack of any guidelines or specific legal framework covering the implementation and collection of biometric data schemes, such schemes can quickly turn into ‘biohazards’ for personal liberty and individual privacy, as has been highlighted above and these issues must be brought to light and adequately addressed before the Government progresses on biometric frontiers.

[1]. http://www.goacom.com/goa-news-highlights/3520-biometric-scanners-to-be-used-for-elections.

[2]. http://www.wired.com/threatlevel/2008/03/hackers-publish.

[3].https://www.eff.org/deeplinks/2012/09/indias-gargantuan-biometric-database-raises-big-questions.

[4]. http://www.informationweek.com/security/privacy/britain-scraps-biometric-national-id-car/228801001.

[5]. http://www.thehindu.com/opinion/op-ed/questions-for-mr-nilekani/article4382953.ece.

[6]. http://news.bbc.co.uk/2/hi/8691753.stm

[7]. Supra note 1.

For more details visit https://cis-india.org/internet-governance/blog/indias-biometric-identification-programs-and-privacy-concerns

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable

praskrishna — 2017-02-14T14:57:33Z

"Indians in general have yet to understand the meaning and essence of privacy," says Member of Parliament, Tathagata Satpathy.

The blog post was published by Mashable India on February 14, 2017. Sunil Abraham was quoted.

But on Feb. 3, privacy was the hot topic of debate among many in India, thanks to a tweet that showed random people being identified on the street via Aadhaar, India's ubiquitous database that has biometric information of more than a billion Indians.

That's how India Stack, the infrastructure built by the Unique Identification Authority of India (UIDAI), welcomed OnGrid, a privately owned company that is going to tap on the world's largest biometrics system, conjuring images of Minority Report style surveillance.

But how did India get here?

Aadhaar's foundation

Not long ago, there were more people in India without a birth or school certificate than those with one (PDF). They had no means to prove their identity. This also contributed to what is more popularly known as “leakage” in the government subsidy fundings. The funds weren’t reaching the right people, in some instances, and much of it was being siphoned off by middlemen.

Nearly a decade ago, the government began scrambling for ways to tackle these issues. Could technology come to the rescue? The government dialled techies, people like Nandan Nilekani, a founder of India's mammoth IT firm Infosys, for help.

In 2008, they formulated Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to Social Security number that US residents are assigned, but its implications were further reaching.

At the time, the government said it will primarily use this optional program to help the poor who are in need of services such as grocery and other household items at subsidized rates.

Eight years later, Aadhar, which stores identity information such as a photo, name, address, fingerprints and iris scans of its citizens and also assigns them with a unique 12-digit number, has become the world's largest biometrics based identity system.

According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it said last month.

Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it as much as $5 billion.

But that's not it.

There's a bit of Aadhaar in everyone's life

Aadhaar (Hindi for foundation) has long moved beyond helping the poor. The UPI (Unified Payment Interface), another project by the Indian government that uses Aadhaar, is helping the country's much unbanked population to avail financial services for the first time. Nilekani calls it a "WhatsApp moment" in the Indian financial sector.

In December last year, Prime Minister Narendra Modi launched BHIM, a UPI-based payments app that aims to get millions of Indians to do online money transactions for the first time, irrespective of which bank they had their accounts with. With BHIM, transferring money is as simple as sending a text message. People can also scan QR codes and pay merchants for their purchases.

"This app is destined to replace all cash transactions," Modi said at the launch event. "BHIM app will revolutionize India and force people worldwide to take notice," he added.

The next phase, called Aadhaar Enabled Payments System will do away with smartphones. People will be able to make payments by swiping their finger on special terminals equipped with fingerprint sensors rather than swiping cards.

Last year, the government said people could store their driver license documents in an app called DigiLocker, should they want to be relieved from the burden of carrying paper documents. DigiLocker is a digital cloud service that any citizen in India can avail using their Aadhaar information.

The government also plans to hand out "health cards" to senior citizens, mapped to their Aadhaar number, which will store their medical records, which doctors will be able to access.

“Aadhaar is an instrument for good governance. Aadhaar is the mode to reach the poor without the middlemen,” Ravi Shankar Prasad, India’s IT minister said in a press conference last year.

But despite all the ways Aadhaar is making meaningful impact in millions of lives, some people are very skeptical about it. And for them, the scale at which Aadhaar operates now is only making things worse.

A security nightmare

There have been multiple reports suggesting bogus and fake entries in Aadhaar database. Instances of animals such as dogs and cows having their own Aadhaar identification numbers have been widely reported. In one instance, even Hindu god Hanuman was found to have an Aadhaar card.

The problem, it appears, is Aadhaar database has never been verified or audited, according to multiple security experts, privacy advocates, lawyers, and politicians who spoke to Mashable India this month.

“There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified,” Member of Parliament and privacy advocate, Rajeev Chandrasekhar told Mashable India. “Aadhaar isn’t foolproof, and this has resulted in fake data get into the system. This in turn opens new gateways for money launderers,” he added.

Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There’s little a person whose Aadhaar data has been compromised could do. “Citizens who have voluntarily given their data to Aadhaar authority, as of result of this, are at risk,” he added.

Rahul Narayan, a lawyer who is counselling several petitioners challenging the Aadhaar project, echoed similar sentiments. “There’s no concrete regulation in place,” he told Mashable India. “The scope for abuses in Aadhaar is very vast,” he added.

But regulation — or its lack thereof — is only one of the many challenges, experts say. Sunil Abraham, the executive director of Bangalore-based research organisation the Centre for Internet and Society (CIS), says the security concerns around Aadhaar are alarming.

“Aadhaar is remote, covert, and non-consensual,” he told Mashable India, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling.

Abraham said fingerprint and iris data of a person can be stolen with little effort — a “gummy bear” which sells for a few cents, can store one’s fingerprint, while a high resolution camera can capture one’s iris data.

Aadhaar doesn’t use basic principles of cryptography, and much of its security is not known.

Aadhaar is also irrevocable, which strands a person, whose data has been compromised, with no choice but to get on with life, Abraham said, adding that these vulnerabilities could have been averted had the government chosen smart cards instead of biometrics.

On top of this, he added, that Aadhaar doesn’t use basic principles of cryptography, and much of the security defences it uses are not known.

Had the government open sourced Aadhaar code to the public (a common practice in the tech community), security analysts could have evaluated the strengths of Aadhaar. But this too isn’t happening.

At CIS, Sunil and his colleagues have written over half-a-dozen open letters to the UIDAI (the authority that governs Aadhaar project) raising questions and pointing holes in the system. But much of their feedback has not returned any response, Abraham told Mashable India.

India Stack: A goldmine for everyone

As part of its push to make Aadhaar more useful, the UIDAI created what is called India Stack, an infrastructure through which government bodies as well as private entities could leverage Aadhaar's database of individual identities. This is what sparked the initial debate about privacy when India Stack tweeted the controversial photo.

Speaking to Mashable India, Piyush Peshwani, a founder of OnGrid, however dismissed the concerns, clarifying that the picture was for representation purposes only. He said OnGrid is building a trust platform, through which it aims to make it easier for recruiters to do background check on their potential employees after getting their consent.

India Stack and OnGrid have since taken down the picture from their Twitter accounts. "OnGrid, much like other 200 companies working with UIDAI, can only retrieve information of users after receiving their prior consent," he said.

The lack of information from the UIDAI and India Stack is becoming a real challenge for citizens, many feel. There also appears to be a conflict of interest between the privately held companies and those who helped design the framework of Aadhaar.

As Rohin Dharmakumar, a Bangalore-based journalist pointed out, Peshwani was part of the core team member of Aadhaar project. A lawyer, who requested to be not identified, told Mashable India that there is a chance that these people could be familiar with Aadhaar’s roadmap and use the information for business advantage, to say the least.

Most people Mashable India spoke to are questioning the way these third-party companies are handling Aadhaar data. There is no regulation in place to prevent these companies from storing people’s data or even creating a parallel database of their own — a view echoed by Abraham, Narayan, and Chandrasekhar.

Not mandatory only on paper

But for many, the biggest concern with Aadhaar remains just how aggressively it is being implemented into various systems. For instance, in the past one month alone, students in most Indians states who want to apply for NEET, a national level medical entrance test, were told by the education board CBSE that they will have to provide their Aadhaar number.

A few months ago, Aadhaar was also made mandatory for students who wanted to appear in JEE, an all India common engineering entrance examination conducted for admission to various engineering colleges in the country.

The apex Supreme Court of India recently asked the central government to register the phone number of all mobile subscribers in India (there are about one billion of those in India) to their respective Aadhaar cards. Telecom carriers are already enabling new connections to get activated by verifying users with Aadhaar database.

A prominent journalist who focuses on privacy and laws in India questioned the motive. “When they kickstarted UIDAI, people were told that this an optional biometrics system. But since then the government has been rather tight-lipped on why it is aggressively pushing Aadhaar into so many areas,” he told Mashable India, requesting not to be identified.

"It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar."

“It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar. The Aadhaar card is being offered to people in need, especially the poor, by making them believe that services and subsidies provided by the government will be held back from them unless they register,” Satpathy told Mashable India.

The central government said last week Aadhaar number would be mandatory for availing food grains through the Public Distribution System under the National Food Security Act. In October last year, the government made Aadhaar mandatory for those who wanted to avail cooking gas at subsidized prices.

“No matter how many laws are made about not making Aadhaar mandatory, ultimately it depends on the last mile person who is offering any service to inform citizens about their rights,” Satpathy added.

“These last-mile service providers are companies who would benefit from collecting and bartering big data for profit. They would be least interested to inform citizens about their rights and about the not mandatory status of Aadhaar.

“As Aadhaar percolates more and is used by more government and private services, the citizen will start assuming it's a part of their life. This card is already being misunderstood as if it is essential like a passport,” he added.

“My worry is that this data will be used by government for mass surveillance, ethnic cleansing and other insidious purposes,” Satpathy said. “Once you have information about every citizen, the powerful will not refrain from misusing it and for retention of power. The use of big data for psycho-profiling is not unknown to the world anymore.”

Mashable India reached out to UIDAI on Feb. 8 for comment on the privacy and security concerns made in this report. At the time of publication, the authority hadn't responded to our queries.

For more details visit https://cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate

Name	Domain	IP Address[26]	Country	ASN Name and Number
SafeNet	safenet.family	103.10.24.124	India	Amrita Vishwa Vidyapeetham, AS58703
OneMonitar	onemonitar.com	3.15.113.141	United States	Amazon.com, Inc., AS16509
OneMonitar	api.cp.onemonitar.com	3.23.25.254	United States	Amazon.com, Inc., AS16509
Hoverwatch	hoverwatch.com	104.236.73.120	United States	DigitalOcean, LLC, AS14061
Hoverwatch	a.syncvch.com	158.69.24.236	Canada	OVH SAS, AS16276
TheTruthSpy	thetruthspy.com	172.67.174.162	United States	Cloudflare, Inc., AS13335
TheTruthSpy	protocol-a946.thetruthspy.com	176.123.5.22	Moldova	ALEXHOST SRL, AS200019
Cerberus	cerberusapp.com	104.26.9.137	United States	Cloudflare, Inc., AS13335
mSpy	mspy.com	104.22.76.136	United States	Cloudflare, Inc., AS13335
mSpy	mobile-gw.thd.cc	104.26.4.141	United States	Cloudflare, Inc., AS13335
FlexiSPY	flexispy.com	104.26.9.173	United States	Cloudflare, Inc., AS13335
FlexiSPY	djp.bz	119.8.35.235	Hong Kong	HUAWEI CLOUDS, AS136907

Product	VirusTotal Detections (March 2024)	VirusTotal Detections (January 2019) (By Citizen Lab)
SafeNet [29]	0/67 (0 %)	N/A
OneMonitar [30]	17/65 (26.1%)	N/A
Hoverwatch	24/58 (41.4%)	22/59 (37.3%)
TheTruthSpy	38/66 (57.6%)	0
Cerberus	8/62 (12.9%)	6/63 (9.5%)
mSpy	8/63 (12.7%)	20/63 (31.7%)
Flexispy [31]	18/66 (27.3%)	34/63 (54.0%)

Product	Detected by Play Protect (March 2024)	Detected by Play Protect (January 2019) (By Citizen Lab)
SafeNet	no	N/A
OneMonitar	yes	N/A
Hoverwatch	yes	yes
TheTruthSpy	yes	yes
Cerberus	yes	no
mSpy	yes	yes
Flexispy	yes	yes