Centre for Internet and Society

Database on Big Data and Smart Cities International Standards

vanya — 2016-02-11T15:49:45Z

The Centre for Internet and Society is in the process of mapping international standards specifically around Big Data, IoT and Smart Cities. Here is a living document containing a database of some of these key globally accepted standards.

1. International Organisation for Standardization: ISO/IEC JTC 1 Working group on Big Data (WG 9 )

● Background

- The International Organization for Standardization /International Electrotechnical Commission (ISO/IEC) Joint Technical Committee (JTC) 1, Information Technology announced the creation of a Working Group (WG) focused on standardization in connection with big data.

- JTC 1 is the standards development environment where experts come together to develop worldwide standards on Information and Communication Technology (ICT) for integrating diverse and complex ICT technologies.^{^[1]}

- The American National Standards Institute (ANSI) holds the secretariat to JTC 1 and the ANSI-accredited U.S. Technical Advisory Group (TAG) Administrator to JTC 1 is theInterNational Committee for Information Technology Standards (INCITS) ^{^[2]}, an ANSI member and accredited standards developer (ASD). InterNational Committee for Information Technology standards (INCITS) is a technical committee on Big Data to serve as the US Technical Advisory Group (TAG) to JTC 1/WG 9 on Big Data/ pending approval of a New Work Item Proposal (NWIP). The INCITS/Big Data will address standardization in the areas assigned to JTC 1/WG 9. ^{^[3]}

- Under U.S. leadership, WG 9 on Big Data will serve as the focus of JTC 1's big data standardization program.

● Objective

- To identify standardization gaps.

- Develop foundational standards for Big Data.

- Develop and maintain liaisons with all relevant JTC 1 entities

- Grow the awareness of and encourage engagement in JTC 1 Big Data standardization efforts within JTC 1. ^{^[4]}

● Status

- JTC 1 appoints Mr. Wo Chang to serve as Convenor of the JTC 1 Working Group on Big Data.

- The WG has set up a Study Group on Big Data.

2. International Organisation for Standardization: ISO/IEC JTC 1 Study group on Big Data

● Background

- The ISO/IEC JTC1 Study Group on Big Data (JTC1 SGBD) was created by Resolution 27 at the November, 2013 JTC1 Plenary at the request of the USA and other national bodies for consideration of Big Data activities across all of JTC 1.

- A Study Group (SG) is an ISO mechanism by which the convener of a Working Group (WG) under a sub-committee appoints a smaller group of experts to do focused work in a specific area to identify a clear group to focus attention on a major area and expand the manpower of the committee.

- The goal of an SG is to create a proposal suitable for consideration by the whole WG, and it is the WG that will then decide whether and how to progress the work.^{^[5]}

● Objective

JTC 1 establishes a Study Group on Big Data for consideration of Big Data

activities across all of JTC 1 with the following objectives:

- Mapping the existing landscape: Map existing ICT landscape for key technologies and relevant standards /models/studies /use cases and scenarios for Big Data from JTC 1, ISO, IEC and other standards setting organizations,

- Identify key terms : Identify key terms and definitions commonly used in the area of Big Data,

- Assess status of big data standardization : Assess the current status of Big Data standardization market requirements, identify standards gaps, and propose standardization priorities to serve as a basis for future JTC 1 work, and

- Provide a report with recommendations and other potential deliverables to the 2014 JTC 1 Plenary. ^{^[6]}

● Current Status

- The study group released a preliminary report in the year 2014, which can be accessed here : http://www.iso.org/iso/big_data_report-jtc1.pdf.

3. The National Institute of Standards and Technology Big Data Interoperability Framework :

● Background

- NIST is leading the development of a Big Data Technology Roadmap which aims to define and prioritize requirements for interoperability, portability, reusability, and extensibility for big data analytic techniques and technology infrastructure to support secure and effective adoption of Big Data.

- To help develop the ideas in the Big Data Technology Roadmap, NIST is creating the Public Working Group for Big Data which Released Seven Volumes of Big Data Interoperability Framework on September 16, 2015.^{^[7]}

● Objective

- To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) is working to develop consensus on important, fundamental concepts related to Big Data.

● Status

- The results are reported in the NIST Big Data Interoperability Framework series of volumes. Under the framework, seven volumes have been released by NIST, available here:

http://bigdatawg.nist.gov/V1_output_docs.php

4. IEEE Standards Association

● Background:

- The IEEE Standards Association introduced a number of standards

related to big-data applications.

● Status:

The following standard is under development:

- IEEE P2413

"IEEE Standard for an Architectural Framework for the Internet of Things (IoT)" defines the relationships among devices used in industries, including transportation and health care. It also provides a blueprint for data privacy, protection, safety, and security, as well as a means to document and mitigate architecture divergence.^{^[8]}

5. ITU

● Background:

- The International Telecommunications Union (ITU) has announced its first standards for big data services, entitled 'Recommendation ITU-T Y.3600 "Big data - cloud computing based requirements and capabilities"', recognizing the need for strong technical standards considering the growth of big data to ensure that processing tools are able to achieve powerful results in the areas of collection, analysis, visualization, and more.^{^[9]}

● Objective:

- Recommendation Y.3600 provides requirements, capabilities and use cases of

cloud computing based big data as well as its system context. Cloud computing

based big data provides the capabilities to collect, store, analyze, visualize and

manage varieties of large volume datasets, which cannot be rapidly transferred

and analysed using traditional technologies.^{^[10]}

- It also outlines how cloud computing systems can be leveraged to provide big-data services.

● Status:

- The standard was relseased in the year 2015 and is avaiabe here: http://www.itu.int/rec/T-REC-Y.3600-201511-I .

Smart cities

1. ISO Standards on Smart Cities

● Background:

- ISO, the International Organization for Standardization, established a strategic advisory group in 2014 for smart cities, comprised of a wide range of international experts to advise ISO on how to coordinate current and future Smart City standardization activities, in cooperation with other international standards organizations, to benefit the market.^{^[11]}

- Seven countries, China, Germany, UK, France, Japan, Korea and USA, are currently involved in the research.

● Objective:

- The main aims of which are to formulate a definition of a Smart City

- Identify current and future ISO standards projects relating to Smart Cities

- Examine involvement of potential stakeholders, city requirements, potential interface problems. ^{^[12]}

● Status:

- ISO/TC 268, which is focused on sustainable development in communities, has one working group developing city indicators and other developing metrics for smart community infrastructures. In early 2016 this committee will be joined by another - IEC - systems committee. The first standard produced by ISO/TC 268 is ISO/TR 37150:2014.

- ISO/TR 37150:2014 Smart community infrastructures -- Review of existing activities relevant to metrics: this standard provides a review of existing activities relevant to metrics for smart community infrastructures. The concept of smartness is addressed in terms of performance relevant to technologically implementable solutions, in accordance with sustainable development and resilience of communities, as defined in ISO/TC 268. ISO/TR 37150:2014 addresses community infrastructures such as energy, water, transportation, waste and information and communications technology (ICT). It focuses on the technical aspects of existing activities which have been published, implemented or discussed. Economic, political or societal aspects are not analyzed in ISO/TR 37150:2014.^{^[13]}

- ISO 37120:2014 provides city leaders and citizens a set of clearly defined city performance indicators and a standard approach for measuring each. Though some indicators will be more helpful for cities than others, cities can now consistently apply these indicators and accurately benchmark their city services and quality of life against other cities.^{^[14]} This new international standard was developed using the framework of the Global City Indicators Facility (GCIF) that has been extensively tested by more than 255 cities worldwide. This is a demand-led standard, driven and created by cities, for cities. ISO 37120 defines and establishes definitions and methodologies for a set of indicators to steer and measure the performance of city services and quality of life. The standard includes a comprehensive set of 100 indicators - of which 46 are core - that measures a city's social, economic, and environmental performance. ^{^[15]}

The GCIF global network, supports the newly constituted World Council on City Data - a sister organization of the GCI/GCIF - which allows for independent, third party verification of ISO 37120 data.^{^[16]}

- ISO/TS 37151 and ISO/TR 37152 Smart community infrastructures -- Common framework for development & operation: outlines 14 categories of basic community needs (from the perspective of residents, city managers and the environment) to measure the performance of smart community infrastructures. These are typical community infrastructures like energy, water, transportation, waste and information and communication technology systems, which have been optimized with sustainable development and resilience in mind. ^{^[17]} The committee responsible for this document is ISO/TC 268, Sustainable development in communities, Subcommittee SC 1, Smart community infrastructures. The objective is to develop international consensus on a harmonised metrics to evaluate the smartness of key urban infrastructure.^{^[18]}

- ISO 37101 Sustainable development of communities -- Management systems -- Requirements with guidance for resilience and smartness : By setting out requirements and guidance to attain sustainability with the support of methods and tools including smartness and resilience, it can help communities improve in a number of areas such as: Developing holistic and integrated approaches instead of working in silos (which can hinder sustainability), Fostering social and environmental changes, Improving health and wellbeing, Encouraging responsible resource use and Achieving better governance. ^{^[19]} The objective is to develop a Management System Requirements Standard reflecting consensus on an integrated, cross-sector approach drawing on existing standards and best practices.

- ISO 37102 Sustainable development & resilience of communities - Vocabulary . The objective is to establish a common set of terms and definitions for standardization in sustainable development, resilience and smartness in communities, cities and territories since there is pressing need for harmonization and clarification. This would provide a common language for all interested parties and stakeholders at the national, regional and international levels and would lead to improved ability to conduct benchmarks and to share experiences and best practices.

- ISO/TR 37121 Inventory & review of existing indicators on sustainable development & resilience in cities : A common set of indicators useable by every city in the world and covering most issues related to sustainability, resilience and quality of life in cities. ^{^[20]}

- ISO/TR 12859:2009 gives general guidelines to developers of intelligent transport systems (ITS) standards and systems on data privacy aspects and associated legislative requirements for the development and revision of ITS standards and systems. ^{^[21]}

2. International Organisation for Standardization: ISO/IEC JTC 1 Working group on Smart Cities (WG 11 )

● Background:

- Serve as the focus of and proponent for JTC 1's Smart Cities standardization program and works for development of foundational standards for the use of ICT in Smart Cities - including the Smart City ICT Reference Framework and an Upper Level Ontology for Smart Cities - for guiding Smart Cities efforts throughout JTC 1 upon which other standards can be developed.^{^[22]}

● Objective:

- To develop a set of ICT related indicators for Smart Cities in collaboration with ISO/TC 268.

- Identify JTC 1 (and other organization) subgroups developing standards and related material that contribute to Smart Cities.

- Grow the awareness of, and encourage engagement in, JTC 1 Smart Cities standardization efforts within JTC 1.

● Status

- Ms Yuan Yuan is the Convenor of this Working group.

- The purpose was to provide a report with recommendations to the JTC 1 Plenary in the year 2014, to which a preliminary report was submitted. ^{^[23]}

3. International Organisation for Standardization: ISO/IEC JTC 1 Study Group (SG1) on Smart Cities

● Background:

- The Study Group (SG) - Smart Cities was established in 2013^{^[24]} SG 1 will explicitly consider the work going on in the following committees: ISO/TMB/AG on Smart Cities, IEC/SEG 1, ITU-T/FG SSC and ISO/TC 268. ^{^[25]}

● Objective :

- To examine the needs and potentials for standardization in this area.

● Status:

- SG 1 is paying particular attention to monitoring cloud computing activities, which it sees as the key element of the Smart Cities infrastructure. DIN's Information Technology and Selected IT Applications Standards Committee (NIA (www.nia.din.de)) is formally responsible for ISO/IEC JTC1 /SG 1, but an autonomous national mirror committee on Smart Cities does not yet exist and the work is being overseen by DIN's Smart Grid steering body. ^{^[26]}

- A preliminary report has been released in the 2014, available here- http://www.iso.org/iso/smart_cities_report-jtc1.pdf

4. ITU

● Background:

- ITU members have established an ITU-T Study Group titled "ITU-T Study Group 20: IoT and its applications, including smart cities and communities" ^{^[27]}

- ITU-T has also established a Focus Group on Smart Sustainable Cities (FG-SSC).

● Objective:

- The study group will address the standardization requirements of Internet of Things (IoT) technologies, with an initial focus on IoT applications in smart cities.

- The focus group shall assess the standardization requirements of cities aiming to boost their social, economic and environmental sustainability through the integration of information and communication technologies (ICTs) in their infrastructures and operations.

- The Focus Group will act as an open platform for smart-city stakeholders - such as municipalities; academic and research institutes; non-governmental organizations (NGOs); and ICT organizations, industry forums and consortia - to exchange knowledge in the interests of identifying the standardized frameworks needed to support the integration of ICT services in smart cities.^{^[28]}

● Status:

- The study group will develop standards that leverage IoT technologies to address urban-development challenges.

- The FG-SSC concluded its work in May 2015 by approving 21 Technical Specifications and Reports. ^{^[29]}

- So far, ITU-T SG 5 FG-SSC has issued the following reports- Technical report "An overview of smart sustainable cities and the role of information and communication technologies", Technical report "Smart sustainable cities: an analysis of definitions", Technical report "Electromagnetic field (EMF) considerations in smart sustainable cities", Technical specifications "Overview of key performance indicators in smart sustainable cities", Technical report "Smart water management in cities".^{^[30]}

5. PRIPARE Project :

● Background:

- The 7001 - PRIPARE Smart City Strategy is to to ensure that ICT solutions integrated in EIP smart cities will be compliant with future privacy regulation.

- PRIPARE aims to develop a privacy and security-by-design software and systems engineering methodology, using the combined expertise of the research community and taking into account multiple viewpoints (advocacy, legal, engineering, business).

● Objective:

- The mission of PRIPARE is to facilitate the application of a privacy and security-by-design methodology that will contribute to the advent of unhindered usage of Internet against disruptions, censorship and surveillance, support its practice by the ICT research community to prepare for industry practice and foster risk management culture through educational material targeted to a diversity of stakeholders.

● Status:

- Liaison is currently on-going so that it becomes a standard (OASIS and ISO).^{^[31]}

6. BSI-UK

● Background:

- In the UK, the British Standards Institution (BSI) has been commissioned by the UK Department of Business, Innovation and Skills (BIS) to conceive a Smart Cities Standards Strategy to identify vectors of smart city development where standards are needed.

- The standards would be developed through a consensus-driven process under the BSI to ensure good practise is shared between all the actors. ^{^[32]}

● Objective:

The BIS launched the City's Standards Institute to bring together cities and key

industry leaders and innovators :

- To work together in identifying the challenges facing cities,

- Providing solutions to common problems, and

- Defining the future of smart city standards.^{^[33]}

● Status:

The following standards and publications help address various issues for a city to

become a smart city:

- The development of a standard on Smart city terminology (PAS 180)

- The development of a Smart city framework standard (PAS 181)

- The development of a Data concept model for smart cities (PAS 182)

- A Smart city overview document (PD 8100)

- A Smart city planning guidelines document (PD 8101)

- BS 8904 Guidance for community sustainable development provides a decision-making framework that will help setting objectives in response to the needs and aspirations of city stakeholders

- BS 11000 Collaborative relationship management

- BSI BIP 2228:2013 Inclusive urban design - A guide to creating accessible public spaces.

7. Spain

● Background:

- AENOR, the Spanish standards developing organization (SDO), has issued two new standards on smart cities: the UNE 178303 and UNE-ISO 37120. These standards joined the already published UNE 178301.

● Objective:

- The texts, prepared by the Technical Committee of Standardization of AENOR on Smart Cities (AEN / CTN 178) and sponsored by the SETSI (Secretary of State for Telecommunications and Information Society of the Ministry of Industry, Energy and Tourism), aim to encourage the development of a new model of urban services management based on efficiency and sustainability.

● Status:

Some of the standards that have been developed are:

- UNE 178301 on Open Data evaluates the maturity of open data created or held by the public sector so that its reuse is provided in the field of Smart Cities.

- UNE 178303 establishes the requirements for proper management of municipal assets.

- UNE-ISO 37120 which collects the international urban sustainability indicators.

- Following the publication of these standards, 12 other draft standards on Smart Cities have just been made public, most of them corresponding to public services such as water, electricity and telecommunications, and multiservice city networks. ^{^[34]}

8. China

● Background:

Several national standardization committees and consortia have started

standardization work on Smart Cities, including:

- China National IT Standardization TC (NITS),

- China National CT Standardization TC,

- China National Intelligent Transportation System Standardization TC,

- China National TC on Digital Technique of Intelligent Building and Residence Community of Standardization Administration, China Strategic Alliance of Smart City Industrial Technology Innovation^{^[35]}

● Objective:

- In the year 2014, all the ministries involved in building smart cities in China joined with the Standardization Administration of China to create working groups whose job is to manage and standardize smart city development, though their activities have not been publicized. ^{^[36]}

● Status:

- China will continue to promote international standards in building smart cities and improve the competitiveness of its related industries in global market.

- Also, China's Standardization Administration has joined hands with National Development and Reform Commission, Ministry of Housing and Urban-Rural Development and Ministry of Industry and Information Technology in establishing and implementing standards for smart cities.

- When building smart cities, the country will adhere to the ISO 37120 and by the year 2020, China will establish 50 national standards on smart cities. ^{^[37]}

9. Germany

● Background :

- Member of European Innovation Partnership (EIP) for Smart Cities and Communities DKE (German Commission for Electrical, Electronic & Information Technologies) and DIN (GermanInstitute for Standardization) have developed a joint roadmap and Smart Cities recommendations for action in Germany.

● Objective:

- Its purpose is to highlight the need for standards and to serve as a strategic template for national and international standardization work in the field of smart city technology.

- The Standardization Roadmap highlights the main activities required to create smart cities. ^{^[38]}

● Status:

- An updated version of the standardization roadmap was released in the year 2015. ^{^[39]}

10. Poland

● Background:

- A coordination group on Smart and Sustainable Cities and Communities (SSCC) was set up in the beginning of 2014 to monitor any national standardization activities.

● Objective:

- It was decided to put forward a proposal to form a group at the Polish Committee for Standardization (PKN) providing recommendations for smart sustainable city standardization in Poland.

● Status:

It has two thematic groups:

- GT 1-2 on terminology and Technical Bodies in PKN Its scope covers a collection of English terms and their Polish equivalents related to smart and sustainable development of cities and communities to allow better communication among various smart city stakeholders. This includes the preparation of the list of Technical Bodies (OT) in PKN involved in standardization activities related to specific aspects of smart and sustainable local development and making proposals concerning the allocation of standardization works to the relevant OT in PKN.

- GT 3 for gathering information and the development and implementation of a work programme Its scope includes identifying stakeholders in Poland, and gathering information on any national "smart city" initiatives having an impact on environment-friendly development, sustainability, and liveability of a city. The group is also tasked with developing a work programme for GZ 1 based on identified priorities for Poland. Finally, its aim is to conduct communication and dissemination of activities to make the results of GZ 1 visible. ^{^[40]}

11. Europe

● Background:

- In 2012, the European standardization organizations CEN and CENELEC founded the Smart and Sustainable Cities and Communities Coordination Group (SSCC-CG), which is a Coordination Group established to coordinate standardization activities and foster collaboration around standardization work. ^{^[41]}

● Objective:

- The aim of the CEN-CENELEC-ETSI (SSCC-CG) is to coordinate and promote European standardization activities relating to Smart Cities and to advise the CEN and CENELEC (Technical) and ETSI Boards on standardization activities in the field of Smart and Sustainable Cities and Communities.

- The scope of the SSCC-CG is to advise on European interests and needs relating to standardization on Smart and Sustainable cities and communities.

● Status:

- Originally conceived to be completed by the end of 2014, SSCC-CG's mandate has been extended by the European standards organizations CEN, CENELEC and ETSI by a further two years and will run until the end of 2016.^{^[42]}

- The SSCC-CG does not develop standards, but reports directly to the management boards of the standardization organizations and plays an advisory role. Current members of the SSCC.CG include representatives of the relevant technical committees, the CEN/CENELEC secretariat, the European Commission, the European associations and the national standardization organizations.^{^[43]}

- CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids: The aim of this document is to provide a strategic report which outlines the standardization requirements for implementing the European vision of smart grids, especially taking into account the initiatives by the Smart Grids Task Force of the European Commission. It provides an overview of standards, current activities, fields of action, international cooperation and strategic recommendations^{^[44]}

12. Singapore

● Background:

- In the year 2015, SPRING Singapore, the Infocomm Development Authority of Singapore (IDA) and the Information Technology Standards Committee (ITSC), under the purview of the Singapore Standards Council (SSC), have laid out an Internet of Things (IoT) Standards Outline in support of Singapore's Smart Nation initiative.

● Objective:

- Realising importance of standards in laying the foundation for the nation empowered by big data, analytics technology and sensor networks in light of Singapore's vision of becoming a Smart Nation.

● Status:

Three types of standards - sensor network standards, IoT foundational standards and domain-specific standards - have been identified under the IoT Standards Outline. Singapore actively participates in the ISO Technical Committee (TC) working on smart city standards.^{^[45]}

^{^[1]} ISO/IEC JTC 1, Information Technology, http://www.iso.org/iso/jtc1_home.html

^{^[2]} The InterNational Committee for Information Technology Standards, JTC 1 Working Group on Big Data, http://www.incits.org/committees/big-data

^{^[3]} ISO/IEC JTC 1 Forms Two Working Groups on Big Data and Internet of Things, 27th January 2015, https://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=5b101d27-47b5-4540-bca3-657314402591

^{^[4]} JTC 1 November 2014 Resolution 28 - Establishment of a Working Group on Big Data, and Call for Participation, 20th January 2015, http://jtc1sc32.org/doc/N2601-2650/32N2625-J1N12445_JTC1_Big_Data-call_for_participation.pdf

^{^[5]} SD-3: Study Group Organizational Information, https://isocpp.org/std/standing-documents/sd-3-study-group-organizational-information

^{^[6]} ISO/IEC JTC 1 Study Group on Big Data (BD-SG), http://jtc1bigdatasg.nist.gov/home.php

^{^[7]} NIST Released V1.0 Seven Volumes of Big Data Interoperability Framework (September 16, 2015),http://bigdatawg.nist.gov/home.php

^{^[8]} Standards That Support Big Data, Monica Rozenfeld, 8th September 2014, http://theinstitute.ieee.org/benefits/standards/standards-that-support-big-data

^{^[9]} ITU releases first ever big data standards, Madolyn Smith, 21st December 2015, http://datadrivenjournalism.net/news_and_analysis/itu_releases_first_ever_big_data_standards#sthash.m3FBt63D.dpuf

^{^[10]} ITU-T Y.3600 (11/2015) Big data - Cloud computing based requirements and capabilities, http://www.itu.int/itu-t/recommendations/rec.aspx?rec=12584

^{^[11]} ISO Strategic Advisory Group on Smart Cities - Demand-side survey, March 2015, http://www.platform31.nl/uploads/media_item/media_item/41/62/Toelichting_ISO_Smart_cities_Survey-1429540845.pdf

^{^[12]} The German Standardization Roadmap Smart City Version 1.1, May 2015, https://www.vde.com/en/dke/std/documents/nr_smartcity_en_v1.1.pdf

^{^[13]} ISO/TR 37150:2014 Smart community infrastructures -- Review of existing activities relevant to metrics, http://www.iso.org/iso/catalogue_detail?csnumber=62564

^{^[14]} Dissecting ISO 37120: Why this new smart city standard is good news for cities, 30th July 2014, http://smartcitiescouncil.com/article/dissecting-iso-37120-why-new-smart-city-standard-good-news-cities

^{^[15]} World Council for City Data, http://www.dataforcities.org/wccd/

^{^[16]} Global City Indicators Facility, http://www.cityindicators.org/

^{^[17]} How to measure the performance of smart cities, Maria Lazarte, 5th October 2015

http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref2001

^{^[18]} http://iet.jrc.ec.europa.eu/energyefficiency/sites/energyefficiency/files/files/documents/events/slideslairoctober2014.pdf

^{^[19]} A standard for improving communities reaches final stage, Clare Naden, 12th February 2015,

http://www.iso.org/iso/news.htm?refid=Ref1932

^{^[20]} http://iet.jrc.ec.europa.eu/energyefficiency/sites/energyefficiency/files/files/documents/events/slideslairoctober2014.pdf

^{^[21]} ISO/TR 12859:2009 Intelligent transport systems -- System architecture -- Privacy aspects in ITS standards and systems, http://www.iso.org/iso/catalogue_detail.htm?csnumber=52052

^{^[22]} ISO/IEC JTC 1 Information technology, WG 11 Smart Cities, http://www.iec.ch/dyn/www/f?p=103:14:0::::FSP_ORG_ID,FSP_LANG_ID:12973,25

^{^[23]} Work of ISO/IEC JTC1 Smart Ci4es Study group , https://interact.innovateuk.org/documents/3158891/17680585/2+JTC1+Smart+Cities+Group/e639c7f6-4354-4184-99bf-31abc87b5760

^{^[24]} JTC1 SAC - Meeting 13 , February 2015, http://www.finance.gov.au/blog/2015/08/05/jtc1-sac-meeting-13-february-2015/

^{^[25]} The German Standardization Roadmap Smart City Version 1.1, May 2015, https://www.vde.com/en/dke/std/documents/nr_smartcity_en_v1.1.pdf

^{^[26]} The German Standardization Roadmap Smart City Version 1.1, May 2015, https://www.vde.com/en/dke/std/documents/nr_smartcity_en_v1.1.pdf

^{^[27]} ITU standards to integrate Internet of Things in Smart Cities, 10th June 2015, https://www.itu.int/net/pressoffice/press_releases/2015/22.aspx

^{^[28]} ITU-T Focus Group Smart Sustainable Cities, https://www.itu.int/dms_pub/itu-t/oth/0b/04/T0B0400004F2C01PDFE.pdf

^{^[29]} Focus Group on Smart Sustainable Cities, http://www.itu.int/en/ITU-T/focusgroups/ssc/Pages/default.aspx

^{^[30]} The German Standardization Roadmap Smart City Version 1.1, May 2015, https://www.vde.com/en/dke/std/documents/nr_smartcity_en_v1.1.pdf

^{^[31]} 7001 - PRIPARE Smart City Strategy, https://eu-smartcities.eu/commitment/7001

^{^[32]} Financing Tomorrow's Cities: How Standards Can Support the Development of Smart Cities, http://www.longfinance.net/groups7/viewdiscussion/72-financing-financing-tomorrow-s-cities-how-standards-can-support-the-development-of-smart-cities.html?groupid=3

^{^[33]} BSI-Smart Cities, http://www.bsigroup.com/en-GB/smart-cities/

^{^[34]} New Set of Smart Cities Standards in Spain, https://eu-smartcities.eu/content/new-set-smart-cities-standards-spain

^{^[35]} Technical Report, M2M & ICT Enablement in Smart Cities, Telecommunication Engineering Centre, Department of Telecommunications, Ministry of Communications and Information Technology, Government of India, November 2015, http://tec.gov.in/pdf/M2M/ICT%20deployment%20and%20strategies%20for%20%20Smart%20Cities.pdf

^{^[36]} Smart City Development in China, Don Johnson, 17th June 2014, http://www.chinabusinessreview.com/smart-city-development-in-china/

^{^[37]} China to continue develop standards on smart cities, 17th December 2015, http://www.chinadaily.com.cn/world/2015wic/2015-12/17/content_22732897.htm

^{^[38]} The German Standardization Roadmap Smart City, April 2014, https://www.dke.de/de/std/documents/nr_smart%20city_en_version%201.0.pdf

^{^[39]} This version of the Smart City Standardization Roadmap, Version 1.1, is an incremental revision of Version 1.0. In Version 1.1, a special focus is placed on giving an overview of current standardization activities and interim results, thus illustrating German ambitions in this area.

^{^[40]} SSCC-CG Final report Smart and Sustainable Cities and Communities Coordination Group, January 2015, https://www.etsi.org/images/files/SSCC-CG_Final_Report-recommendations_Jan_2015.pdf

^{^[41]} Orchestrating infrastructure for sustainable Smart Cities , http://www.iec.ch/whitepaper/pdf/iecWP-smartcities-LR-en.pdf

^{^[42]} Urbanization- Why do we need standardization?, http://www.din.de/en/innovation-and-research/smart-cities-en

^{^[43]} CEN-CENELEC-ETSI Coordination Group 'Smart and Sustainable Cities and Communities' (SSCC-CG), http://www.cencenelec.eu/standards/Sectors/SmartLiving/smartcities/Pages/SSCC-CG.aspx

^{^[44]} Final report of the CEN/CENELEC/ETSI Joint Working Group on Standards for Smart Grids, https://www.etsi.org/WebSite/document/Report_CENCLCETSI_Standards_Smart%20Grids.pdf

^{^[45]} SPRING Singapore Supported Close to 600 Companies in Standards Adoption, and Service Excellence Projects , 12th August 2015, http://www.spring.gov.sg/NewsEvents/PR/Pages/Internet-of-Things-(IoT)-Standards-Outline-to-Support-Smart-Nation-Initiative-Unveiled-20150812.aspx

For more details visit https://cis-india.org/internet-governance/blog/database-on-big-data-and-smart-cities-international-standards

Data Retention in India

elonnai — 2013-07-12T15:51:13Z

As part of its privacy research, the Centre for Internet and Society has been researching upon data retention mandates from the Government of India and data retention practices by service providers. Globally, data retention has become a contested practice with regards to privacy, as many governments require service providers to retain more data for extensive time periods, for security purposes. Many argue that the scope of the retention is becoming disproportional to the purpose of investigating crimes.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

The Debate around Data Retention

According to the EU, data retention “refers to the storage of traffic and location data resulting from electronic communications (not data on the content of the communications)”.[1]

The debate around data retention has many sides, and walks a fine line of balancing necessity with proportionality. For example, some argue that the actual retention of data is not harmful, and at least some data retention is necessary to assist law enforcement in investigations. Following this argument, the abuse of information is not found in the retention of data, but instead is found by who accesses the data and how it is used. Others argue that any blanket or a priori data retention requirements are increasingly becoming disproportional and can lead to harm and misuse. When discussing data retention it is also important to take into consideration what type of data is being collected and by what standard is access being granted. Increasingly, governments are mandating that service providers retain communication metadata for law enforcement purposes. The type of authorization required to access retained communication metadata varies from context to context. However, it is often lower than what is required for law enforcement to access the contents of communications. The retention and lower access standards to metadata is controversial because metadata can encompass a wide variety of information, including IP address, transaction records, and location information — all of which can reveal a great deal about an individual.[2] Furthermore, the definition of metadata changes and evolves depending on the context and the type of information being generated by new technologies.

Data Retention vs. Data Preservation

Countries have taken different stances on what national standards for data retention by service providers should be. For example, in 2006 the EU passed the Data Retention Directive which requires European Internet Service Providers to retain telecom and Internet traffic data from customers' communications for at least six months and upto two years. The stored data can be accessed by authorized officials for law enforcement purposes.[3] Despite the fact that the Directive pertains to the whole of Europe, in 2010 the German Federal Constitutional Court annulled the law that harmonized German law with the Data Retention Directive.[4] Other European countries that have refused to adopt the Directive include the Czech Republic and Romania.[5] Instead of mandating the retention of data, Germany, along with the US, mandates the 'preservation' of data. The difference being that the preservation of data takes place through a specified request by law enforcement, with an identified data set. In some cases, like the US, after submitting a request for preservation, law enforcement must obtain a court order or subpoena for further access to the preserved information.[6]

Data Retention in India

In India, the government has established a regime of data retention. Retention requirements for service providers are found in the ISP and UASL licenses, which are grounded in the Indian Telegraph Act, 1885.

ISP License

According to the ISP License,[7] there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided. This language implies that records will be kept.

According to the ISP License, each ISP must maintain:

Users and Services: A log of all users connected and the service they are using, which must be available in real time to the Telecom Authority. (Section 34.12).

Outward Logins or Telnet: A log of every outward login or telnet through an ISPs computer must be available in real time to the Telecom Authority. (Section 34.12).

Packets: Copies of all packets originating from the Customer Premises Equipment of the ISP must be available in real time to the Telecom Authority. (Section 34.12).

Subscribers: A complete list of subscribers must be made available on the ISP website with password controlled access, available to authorized Intelligence Agencies at any time. (Section 34.12).
Internet Leased Line Customers: A complete list of Internet leased line customers and their sub-customers consisting of the following information: name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email. These must be made available on a password protected website (Section 34.14). The password and login ID must be provided to the DDG (Security), DoT HQ and concerned DDG(VTM) of DoT on a monthly basis. The information should also be accessible to authorized government agencies (Section 34.14).

Diagram Records and Reasons: A record of complete network diagram of set-up at each of the internet leased line customer premises along with details of connectivity must be made available at the site of the service provider. All details of other communication links (PSTN, NLD, ILD, WLL, GSM, other ISP) plus reasons for taking the links by the customer must be recorded before the activation of the link. These records must be readily available for inspection at the respective premises of all internet leased line customers (Section 34.18).
Commercial Records: All commercial records with regard to the communications exchanged on the network must be maintained for a year (Section 34.23).
Location: The service provider should be able to provide the geographical location of any subscriber at a given point of time (Section 34.28(x).

Remote Activities: A complete audit trail of the remote access activities pertaining to the network operated in India. These must be retained for a period of six months, and must be provided on request to the licensor or any other agency authorized by the licensor (Section 34.28 (xv).

UASL License

According to the UASL License[8], there are twelve categories of records that ISP’s are required to retain that pertain to costumer information or transactions for security purposes. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the information must be provided and made available when requested. This language implies that records will be kept.

According to the license, service providers must maintain and make available:

Numbers: Called/calling party mobile/PSTN numbers when required. Telephone numbers of any call-forwarding feature when required (Section 41.10).
Interception records: Time, date and duration of interception when required (Section 41.10).
Location: Location of target subscribers. For the present, cell ID should be provided for location of the target subscriber when required (Section 41.10).
All call records: All call data records handled by the system when required (Section 41.10). This includes:
1. Failed call records: Call data records of failed call attempts when required. (Section 41.10).
2. Roaming subscriber records: Call data records of roaming subscribers when required. (Section 41.10)
Commercial records: All commercial records with regards to the communications exchanged on the network must be retained for one year (Section 41.17).
Outgoing call records: A record of checks made on outgoing calls completed by customers who are making large outgoing calls day and night to various customers (Section 41.19(ii)).
Calling line Identification: A list of subscribers including address and details using calling line identification should be kept in a password protected website accessible to authorized government agencies (Section 41.19 (iv)).
Location: The service provider must be able to provide the geographical location of any subscriber at any point of time (Section 41.20(x)).
Remote access activities: Complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months (Section 41.20 (xv)).

RTI Request to BSNL and MTNL

On September 10, 2012, the Centre for Internet and Society sent an RTI to MTNL and BSNL with the following questions related to the respective data retention practices:

Does MTNL/BSNL store the following information/data:

Text message detail (To and from cell numbers, timestamps)
Text message content (The text and/or data content of the SMS or MMS)
Call detail records (Inbound and outbound phone numbers, call duration)
Bill copies for postpaid and recharge/top-up billing details for prepaid
Location data (Based on cell tower, GPS, Wi-Fi hotspots or any combination thereof)

If it does store data then

For what period does MTNL/BSNL store: SMS and MMS messages, cellular and mobile data, customer data?
What procedures for retention does MTNL/BSNL have for: SMS and MMS messages, cellular and mobile data, and customer data?
What procedures for deletion of: SMS and MMS messages, cellular and mobile data, and customer data?
What security procedures are in place for SMS and MMS messages, cellular and mobile data, and customer data?

BSNL Response

BSNL replied by stating that it stores at least three types of information including:

IP session information - connection start end time, bytes in and out (three years offline)
MAC address of the modem/router/device (three years offline)
Bill copies for post paid and recharge/top up billing details for prepaid. Billing information of post paid Broadband are available in CDR system under ITPC, prepaid voucher details (last six months).

MTNL Response

MTNL replied by stating that it stores at least () types of information including:

Text message details (to and from cell number, timestamps) in the form of CDRs (one year)
Call detail records including inbound and outbound phone numbers and call duration (one year)
Bill copies from postpaid (one year)
Recharge details for prepaid (three months)
Location of the mobile number if it has used the MTNL GSM/3GCDMA network (one year)

It is interesting that BSNL stores information that is beyond the required time period required in both the ISP and the UASL licenses. The responses to the RTI showed that each service provider also stores different types of information. This could or could not be the actual case, as each question could have been interpreted differently by the responding officer.

Conclusion

The responses to the RTI from BSNL and MTNL are a step towards understanding data retention practices in India, but there are still many aspects about data retention in India which are unclear including:

What constitutes a ‘commercial record’ which must be stored for one year by service providers?
How much data is retained by service providers on an annual basis?
What is the cost involved in retaining data? For the service provider? For the public?
How frequently is retained information accessed by law enforcement? What percentage of the data is accessed by law enforcement?
How many criminal and civil cases rely on retained data?
What is the authorization process for access to retained records? Are these standards for access the same for all types of retained data?

Having answers to these questions would be useful for determining if the Indian data retention regime is proportional and effective. It would also be useful in determining if it would be meaningful to maintain a regime of data retention or switch over to a more targeted regime of data preservation.

Though it can be simple to say that a regime of data preservation is the most optimal choice as it gives the individual the greatest amount of immediate privacy protection,

A regime of data preservation would mean that all records would be treated like an interception, where the police or security agencies would need to prove that a crime was going to take place or is in the process of taking place and then request the ISP to begin retaining specific records. This approach to solving crime would mean that the police would never use retained data or historical data as part of an investigation – to either solve a case or to take the case to the next level. If Indian law enforcement is at a point where they are able to concisely identify a threat and then begin an investigation is a hard call to make. It is also important to note that though preservation of data can reduce the risk to individual privacy as it is not possible for law enforcement to track individuals based off of their historical data and access large amounts of data about an individual, preservation does not mean that there is no possibility for abuse. Other factors such as:

Any request for preservation and access to records must be legitimate and proportional
Accessed and preserved records must be used only for the purpose indicated

Accessed and preserved records can only be shared with authorized authorities

Any access to preserved records that do not pertain to an investigation must be deleted

These factors must be enforced through the application of penalties for abuse of the system. These factors can also be applied to not only a data preservation regime, but also a data retention regime and are focused on preventing the actual abuse of data after retained. That said, before an argument for either data retention or data preservation can be made for India it is important to understand more about data retention practices in India and use of retained data by Indian law enforcement and access controls in place.

[1]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21st 2013
[2].Draft International Principles on Communications Surveillance and Human Rights: http://bit.ly/UpGA3D
[3]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o . Last accessed: January 21^st 2013.
[4]. European Commission – Press Release. Commission Takes Germany to Court Requesting that Fines be Imposed. May 31^st 2012. Available at: http://bit.ly/14qXW6o. Last accessed: January 21^st 2013.
[5]. Tiffen, S. Sweden passes controversial data retention directive. DW. March 22 2012. Available at: http://bit.ly/WOfzaX. Last Accessed: January 21^st 2013.
[6]. Kristina, R. The European Union's Data Retention Directive and the United State's Data Preservation Laws: Fining the Better Model. 5 Shilder J.L. Com. & Tech. 13 (2009) available at: http://bit.ly/VoQxQ9. Last accessed: January 21^st 2013
[7]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Internet Services.
[8]. Government of India. Ministry of Communications & IT Department of Telecommunications. License Agreement for Provision of Unified Access Services after Migration from CMTS. Amended December 3^rd 2009.

For more details visit https://cis-india.org/internet-governance/blog/data-retention-in-india

Data Protection Submission

amber — 2018-04-18T16:37:05Z

For more details visit https://cis-india.org/internet-governance/files/data-protection-submission

Data protection experts slam state for sending mass SMSes

praskrishna — 2012-03-27T03:46:00Z

Experts in the field of data protection, privacy law and media have criticised the West Bengal government's mass SMS sent to individuals, companies and media houses through private mobile networks last Friday. Lara Choksey reports this in an article published in the Statesman on March 25, 2012.

The government's use of private data in order to spread political messages is ethically dubious and dangerous, say some. The SMS indirectly refers to The Telegraph's publication of the Poonam Pandey tweet, warning against the transmission of “provocative and indecent photographs for hurting the religious sentiments of people and disrupting communal harmony.” It urges recipients to “frustrate the designs of … unscrupulous people and maintain peace and communal harmony,” and is signed by “Mamata Banerjee, Chief Minister”.

Speaking to The Statesman on Saturday, Mumbai-based media lecturer Ms Geeta Seshu identified two issues with the government sending out political messages through mobile phone networks.

Firstly, from an ethical standpoint, the unchecked freedom of mobile phone companies to hand out private data is “completely wrong”, she said.

Secondly, the use of government funds for such dissemination needs to be transparent. If the state government has used public funds to distribute its message through a mobile phone network, then this information should be readily available, said Ms Seshu.

The Telecom Regulation Authority of India's (Trai) unsolicited commercial communications regulations allow unsolicited advertising through mobile phone networks.

Mr Apar Gupta, partner of Delhi-based law firm Advani and Co., explained, “The regulations are not wide enough to prohibit communications from a political party.” He observed, “Using SMS messages is a very efficient propaganda tool because so many people have access to mobile phones.”

Mobile phone networks such as Vodafone make it clear in their privacy policies that the personal data of its customers “may be used for inclusion in any telephone or similar directory or directory enquiry service provided or operated by us or by a third party” (source Vodafone website).

Any third party ~ governmental or corporate ~ can therefore access the company's directory of private mobile numbers at the discretion of the network in question.

It is not yet clear which government department coordinated the SMS, or what funds were used to cover the costs. Representatives from the ministry of information and cultural affairs were not able to shed a light on the matter. “I know that a message was sent out,” said the I & CA director Umapada Chatterjee, "But it was not sent from this department. I do not know that information.”

Some commentators did not condemn the government's SMS. Delhi High Court lawyer and cyber law expert, Mr Praveen Dalal, criticised the publication of the Poonam Pandey tweet on the grounds of it violating the due diligence guidelines of the Cyber Law of India. He commented, “If casual and careless publications … continue, there would be no other option left for the government but to regulate their affairs in a more intrusive manner.”

However, executive director of the Centre for Internet and Society, Mr Sunil Abraham, called the state government's use of unsolicited SMS a “clear abuse of the powers afforded by elected office.” Mr Abraham explained that elected representatives would be justified in such measures, and in utilising public funds, in the event of a disaster, or when public order, public health or national security are compromised.

“However in this case, the government is abusing the provisions of the law and using this incident as a pretext to threaten media professionals with surveillance and to intimidate for the purposes of reigning in free speech,” he told The Statesman. The chief minister was unavailable to make a comment on the matter.

Read the original published in the Statesman

For more details visit https://cis-india.org/news/data-protection-experts-slam-state-for-sending-mass-smses

Data Privacy: Footprints on the Web

Admin — 2018-06-25T16:48:34Z

Technology has made data protection a hot button issue. Now, a group of eminent citizens, mostly lawyers, have formulated a draft privacy bill, a legal framework that protects the individual’s right to privacy, but it faces legal jurisdiction issues

The blog post by Sujit Bhar was published in IndiaLegal on June 21, 2018.

Lack of data privacy is a modern day peril. Quite like the individual’s right to privacy—one that has been raised to the level of a Fundamental Right by the Supreme Court—data privacy today is prime, because technology has made our lives fully dependant on associated data. Hence, by extension of the same logic and arguments that the top court used for personal privacy, data privacy should be protected.

The methodology to be adopted, though, is not as easy to determine given the lack of legislation in the field, the improbability of existing technology to ensure complete privacy and because of legal jurisdiction issues.

Also, to what extent data privacy can and should be allowed is a legal argument that needs to be supported by other fields of knowledge. The Supreme Court decision to award privacy as a Fundamental Right will act as a plinth in determining this.

To that end a group of eminent citizens, mostly lawyers, came together and formulated a draft privacy bill with the objective of slicing through banal arguments that would ensue if this was to wait for public re-reference/debate.

The proponents—Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman M Aggarwal, Praavita Kashyap, Prasanna S, Raman Jit Singh Chima, Ujwala Uppaluri and Vrinda Bhandari—have tried to develop their own privacy bill, based on the foundation of the Privacy (Protection) Bill, 2013, “which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore”.

In doing so the group started from what it calls “seven privacy principles”, derived from various constitutional and expert texts.

Principle 1: Individual rights are at the centre of privacy and data protection.

This says that “the individual and her rights are primary. The law on privacy must empower you by advancing your right to privacy…”including “your right to autonomy and dignity.

Principle 2: A data protection law must be based on privacy principles.

Here reference is made to the report of the Justice AP Shah Committee of Experts. It’s a method that has been left flexible, to accommodate fast developing technology. There is a reference to Moore’s Law in this. Moore’s Law has remained one of the most overwhelmingly true laws of the IT industry. Originating in 1970, it says that processor speeds, or overall processing power for computers “will double every two years”. While that has remained true till now, with the development of multiple core processors, this law too has seemingly run its course. With the world changing at such a fast pace, if the data privacy bill/law does not remain flexible, it would also be quickly consigned to a museum of laws. Hence this flexible approach will be crucial.

Principle 3: A strong privacy commission must be created to enforce the privacy principles.

This is the part of establishing an oversight authority, “a strong body to ensure that the data protection rights are put into practice and enforced”. This structure has been treated for something “that works in principle and in practice.”

There is one part that says that this proposed “Privacy Commission”, has been “provided wide powers of investigation, adjudication, rule-making and enforcement. The Commission should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence.” This, obviously, means that it will be stepping onto the toes of other laws and that would be a rough road to navigate. However, as the group’s own philosophy says that the problem with technology oriented legislation is that it takes catching up with the progress of technology. To overcome this, the group wants to “make sure that the Privacy Code is not outdated” and hence wants to make sure that the “Privacy Commission can exercise rule making powers to give effect to the data protection principles under the regulation”.

The other part of the philosophy is of acknowledging and addressing public complaints. Hence the legal rigidity of regular acts would be dismissed. How this can work with enforcement agencies, though, will remain a matter of debate. The draft bill says that the “Privacy Commission must serve as the forum for the redressal of the general public’s grievances”, and that “Privacy Commissions should have the ability to investigate (independently through the office of a Director General), hold hearings and pass orders with directions and fines”.

That could be legal nightmare, because unlike a simple code, the bill has to pass through parliament to become an act, and legislators are the ones who have final say in remodelling an existing law. How much power they would agree to delegate is anybody’s guess.

Of course, the draft also calls for the courts to welcome public opinion. There seems to be a slight hitch in the wording, which says that “…while the Privacy Commission serves as the forum for redressal, the public should retain the remedies of approaching the civil courts (even in instances where harm is suffered by a group of people) and of filing police complaints directly”. That questions even the oversight authority of the commission. There is another objective—a hope, one would say—that the Privacy Commission must have jurisdiction over the government, as it does over the private sector. The Privacy Commission should have overriding power and superintendence over all legal entities in matter of data protection and privacy”. While this sounds good on paper, the issue of national security can override all. At this point, according to a cyber security expert, there is talk within the Indian government on how to deal with the social media messaging app WhatsApp. Technically, as the company points out, messaging through an app is encrypted (military grade encryption, it is said) end-to-end. Hence terrorist groups have zeroed in on this as a common idea exchange platform. There could possibly be restrictive legislation on this. That could strike at the heart of data privacy.

The government’s reaction, though, could become counter-productive. This could be visible in what the Justice Srikrishna-led Committee of Experts possibly could recommend.

Principle 4: The government should respect user privacy. Technically, if this bill, in its current form, has to go through parliament, members of both houses should be willing to accept that it will have no snooping powers, ever. The way the government fought tooth and nail against personal privacy in court—and the Aadhaar verdict is still awaited—this proposal seems unlikely to have an easy passage. The draft says: “It is imperative that the government, its arms, bodies and programmes be compliant with the privacy protection principles through a data protection law.”

There is a caveat within this, saying: “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.” The proposal also says: “The government is responsible for the delivery of many essential services to the public of India. These services must not be withheld from an individual, due to such individual not sharing data with the government. Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare.” This will have to wait its validation or dismissal through the Aadhaar verdict.

Principle 5: A complete privacy code comes with surveillance reform

This is another tricky issue for any government. It talks about how the Snowden revelations “brought to public knowledge that our personal data is collected in an indiscriminate manner by governments”. The draft calls this collection procedure “dragnet surveillance”, because it “contravenes the principles of necessity, proportionality and purpose limitation”. Necessity and proportionality have been argued in detail during the Aadhaar debate in court and till that verdict is out, it would, possibly, not be right to delve into this, though a recommendation for procedural safeguards might run into the same wall as in the case of encrypted software in social media apps. The draft accepts the possibility of “individual interception and surveillance”, but says “this should be severely limited in substance and practice through procedural safeguards”.

Principle 6: The right to information needs to be strengthened and protected

This basically refers to the Right to Information Act and seems completely justified, with Information Commissioners being “exempted from interference or control by the Privacy Commissioner”.

Principle 7: International protections and harmonisation to protect the open internet must be incorporated

Another contentious issue, being fuelled by the loss of face by Facebook in its effort to introduce graded access (with paywalls).

The group widens its scope in stating that “we need to be guided by the Supreme Court’s Right to Privacy decision and make reference to the European Union’s General Data Protection Regulation”. More interestingly, the group admits that every law will have certain exceptions. It says: “…but without clear wording sometimes exceptions swallow up the rule. We adopted a three part test in our drafting process in which any exceptions to these privacy principles should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards”.

On the face of it, the overall draft represents a novel and upright way of thinking, and if some of this is accepted while the government mulls the Justice Srikrishna Committee’s recommendations (expected late this month), it would be a good beginning.

For more details visit https://cis-india.org/internet-governance/news/india-legal-live-june-21-2018-data-privacy

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

Dark days for the creative class in India: Siddiqui

praskrishna — 2014-02-17T09:14:43Z

As India’s literacy rate improves, governments, courts, media, publishers and big business are all stifling free speech.

Haroon Siddiqui's article was published in thestar.com on February 16, 2014. Pranesh Prakash is quoted.

In contrast to North America and Europe, India’s book publishers, newspapers and TV/radio stations are doing well, thanks to a rising literacy rate and a growing middle class. Authors, artists, journalists and filmmakers are enjoying big audiences and relatively good paycheques. Yet, paradoxically, free speech has never been so imperilled in the world’s largest democracy, for several reasons.

Governments are using colonial-era laws to stifle free speech. The lower courts and police are caving in to religious bigots who demand bans on what they don’t want to see and hear. Vigilante groups are using goon tactics to intimidate the creative class. Big business is slapping lawsuits and creating libel chill. Publishing houses are capitulating to legal, political and economic pressure. The media are too busy mollycoddling governments and advertisers to stand up for free speech.

Legal framework

The constitution guarantees free speech but, as in Canada and several European nations, it also imposes “reasonable restrictions” to maintain peace and public order. The Supreme Court has set a high bar for imposing any restrictions, yet both the federal and state governments routinely shut down anything that might flare communal riots, especially between Hindus and Muslims — a real and ever-present danger. Politicians don’t want blood on their hands to uphold the right of a preening writer to poke people in the eye. Critics counter that the political class doesn’t really care for intellectual freedom.

Libel and defamation laws criminalize speech and prescribe jail terms. This, again, is not much different than, say, the Canadian Criminal Code, under which those convicted of hate speech may be jailed for up to three years. (That’s what we are left with after the Stephen Harper Conservatives axed the civilian remedy that was available under the Human Rights Act.)

India’s Anti-Sedition Act prohibits words and actions that may cause “hatred or contempt or disaffection” toward government. This is used even against journalists, activists and those protesting government policies. As many as 6,000 farmers and fishermen were charged for opposing a nuclear plant along the southeast coast.

The Penal Code makes it an offence, punishable by up to three years in jail, to hurt anyone’s religious sensibilities; promote enmity between different religious groups; circulate “any statement or report containing rumour or alarming news with intent to create or promote, or which is likely to create or promote, on grounds of religion, race, place of birth, residence, language, caste or community feelings of enmity,” etc., etc.

Worse, the code allows anyone offended by anything to demand that the offensive material be removed.

Indians are easily offended, indeed are “desperate to be offended,” jokes novelist Manu Joseph. The milieu allows religious leaders and politicians to stoke real or imagined grievances and rush to the courts and the police, both of which usually cave in rather than risk the wrath of frenzied protesters.

“Instead of protecting the right of free expression, the state defends the offended,” writes Salil Tripathi on the website Index on Censorship.

Adds Kian Ganz, editor of the website Legally India: “Many of these British-colonial laws were written and enforced to ‘control’ a multi-ethnic and religious population. Yet they are still around and are regularly used to stifle free speech.”

Religious bigotry

While we hear mostly of angry Muslims taking offence to alleged insults to Islam — the 1988 ban on Salman Rushdie’s The Satanic Verses being the prime example — increasingly it is Hindu fundamentalists who have been agitating successfully against what they do not like.

“Hindu bigots have matched, or perhaps even outperformed, their Islamic counterparts,” writes Ramachandra Guha, India’s pre-eminent historian. He was condemning Penguin India’s decision last week to recall and pulp American academic Wendy Doniger’s The Hindus: an Alternative History, under pressure from a Hindu group that said the 2009 book contained “heresies” and was focused on “sex and eroticism.”

There has been no bigger victim of Hindu wrath than the late M.F. Hussain, the “Picasso of India.” His priceless work was vandalized, he was slapped with hundreds of lawsuits and threatened with death for painting Hindu deities in the nude. He went into exile in Doha, Qatar, where I spoke to him on the phone in 2011 and heard his pain at having been hounded out of his beloved India. We agreed to meet later but he died soon after, at age 95.

Last year, India’s leading intellectual Ashish Nandy was threatened with arrest for ostensibly offending Dalits (Hindus of a lower caste, formerly known as untouchables).

In 2012, Mumbai police arrested a young woman who complained on Facebook about the shutdown of the city of 18 million on the death of Bal Thackeray, leader of a chauvinist regional Hindu party. Another woman who “liked” the page was also detained,both for “hurting religious sentiments.”

In 2011, the western state of Gujarat stopped the sale of American journalist Joseph Lelyveld’s biography of Mahatma Gandhi, which suggested that the great leader may have had a sexual relationship with a male German architect. The chief minister (premier), Narendra Modi, is now the prime ministerial candidate of the Hindu nationalist Bharata Janata Party for federal elections in May, which he is favoured to win.

In 2010, Canadian author Rohinton Mistry’s 1995 book, A Fine Balance, was removed from the syllabus of Bombay University, his alma mater, following objections by a student, the grandson of Thackeray. The head of the university’s English Department had to go into hiding after receiving death threats.

In 2008, Delhi University expunged from its history course an essay by A.K. Ramanujam on Hinduism following complaints by a Hindu group, and Oxford University Press India temporarily stopped printing it.

Other examples:

In 2007, a court issued an arrest warrant for actor Richard Gere for kissing Bollywood actress Shilpa Shetty, following complaints by irate Hindus. An institute in the western city of Pune was vandalized because American academic James Laine had done part of his research there for his book, Shivaji: Hindu King in Islamic India. An art gallery in Bangalore hastily removed partially nude pictures of Hindu deities fearing retaliation by a Hindu moral squad.

Guha, the historian, once suggested that both Rushdie and Hussain, one pilloried by Muslims and the other by Hindus, be conferred India’s highest civilian honours. “That would have been a blow for artistic freedom. And it’d have equally offended Hindu and Islamic bigots.”

Libel chill

There has been a steady rise in what free speech advocates see as nuisance lawsuits by corporate houses, businessmen and political parties.

In December, Jitender Bhargava, executive director of Air India until 2010, saw his book on the national airline withdrawn by Bloomsbury India, allegedly under political pressure.

The same month, another book, Sahara: The Untold Story, on the controversial finance and real estate conglomerate, was held back under a court order.

In 2011, Penguin removed a chapter in The Beautiful and the Damned from its Indian edition after Arindam Chaudhuri, who runs business schools, sued about his profile in it. He also sued Caravan, a journal of politics and culture, for an article on how he had “made a fortune off the aspirations and insecurities of India’s middle class.” The Delhi-based businessman still has the Delhi-based magazine entangled in the case he filed in a jurisdiction 1,750 kilometres away — and 300 kilometres from the nearest airport.

Penguin also held back a biography of J. Jayalalithaa, chief minister of the southern state of Tamil Nadu, who had a stay order issued against it.

In 1998, a book about the head of a textile conglomerate, Dhirubhai Ambani, was not published in India after the publisher was threatened with lawsuits. A second edition of The Polyester Prince was issued in India but with the offending material cut out.

It is difficult for outsiders, especially without the benefit of reading the materials in dispute, to judge the timidity of the publishers. But there’s no questioning the creeping self-censorship.

Obeisant media

Vinod Jose, executive editor of Caravan, writes in its annual media issue:

“Media owners bargained with the government to secure lucrative licences to mine coal blocks in return for their power to influence the public. Editors got caught on tape striking deals with lobbyists but remained arrogantly unapologetic. Owners fired political editors who wrote about politics independently . . . Forbes India pulled a story because it irked the finance ministry.”

Jose said that in 2013, the year surveyed, “the dominant mood of the press was docility.” If in the 1950s and 1960s, the media served the state, now they serve big business. They have begun to expose government corruption but remain mostly mum on corporate malfeasance. The Times of India, the country’s largest English daily, takes equity in some companies it provides advertising space to.

State surveillance

India, like the United States and other democracies, is under heavy criticism for invasion of citizen privacy under sweeping state surveillance, especially by its eight intelligence agencies that operate under mostly secretive powers.

“The real problem is that we don’t know what powers they do have — we only know bits and pieces about the Centralised Monitoring System (CMS), from some tender documents that indicate that the government intends to track web usage, phone calls, text messages and map location information, apparently without the knowledge of even telecom operators,” says Nikhil Pahwa of MediaNama (Media Journal), a website that provides news and analysis of digital media. “The issue is even less obvious here than that of the NSA,” the National Security Agency in the United States.

“The rules give the Indian government the ability to gag free speech, and block any website it deems fit, without publicly disclosing why or who blocked it — or providing adequate recourse for getting the block removed.”

“Intelligence agencies are not answerable to parliament, only to the Home ministry,” says Anja Kovacs of the Centre for Internet and Society. There are few checks and balances, little or no civilian oversight.

“The Indian government’s centralized monitoring is chilling, given its reckless and irresponsible use of the sedition and Internet laws,” says Human Rights Watch. “New surveillance capabilities have been used . . . to target critics, journalists and human rights activists.”

“Every month at the federal level, 7,000 to 9,000 phone taps are authorized or re-authorized,” writes Pranesh Prakash, policy director for the Centre for Internet and Society.

Conclusion

It is useful to remember that whatever is true of India, the exact opposite may also be true. So, while the situation is getting bleaker on the free speech front, in India the state is not the sole culprit, unlike in Russia, China or other authoritarian places. India also has a vibrant civil society that’s hammering away — is free to hammer away — at the need for a liberal polity to be liberal. The intellectuals, activists and NGOs I have quoted, testify to that. Here’s another:

The PEN All-India Centre in Mumbai and the newly formed Delhi Pen, both part of the global network of writers dedicated to free speech, said this last week:

“The removal of books from our bookshops, bookshelves and libraries, whether through state-sanctioned censorship, private vigilante action or publisher capitulation are all egregious violations of free speech that we shall oppose in all forms at all times.”

For more details visit https://cis-india.org/news/the-star-op-ed-february-16-2014-haroon-siddiqui-dark-days-for-creative-class-in-india

CyFy 2017 Agenda

Admin — 2017-11-26T09:11:29Z

For more details visit https://cis-india.org/internet-governance/files/cyfy-2017-agenda

CyFy 2017

Admin — 2017-11-26T09:36:25Z

CyFy is a conference on internet governance and cyber security organised by the Observer Research Foundation (ORF) in New Delhi between 2 and 4 October 2017. Sunil Abraham was a speaker.

Sunil Abraham was a speaker on a panel titled "Security Through Identity?" on the 4 October 2017 and chaired an invite only session titled "Encryption: The End of Surveillance?" on the 3rd of October, 2017. Saikat Dutta and Udbhav Tiwari also participated in the encryption session. Saikat was a speaker in a session titled "Digital Vulnerabilities: Capacity Building for Tackling Cyber Crime" on 3 October 2017. Udbhav Tiwari chaired a session titled "Dangerous Disclosures: Cyber Security Incident Reporting" on 4 October 2017.

Conference agenda here

For more details visit https://cis-india.org/internet-governance/news/cy-fy-2017

Cyfy 2015: The India Conference on Cyber Security and Internet Governance

praskrishna — 2015-10-17T14:44:42Z

In its third year, Cyfy; South Asia’s biggest internet policy conference is being held in New Delhi, from 14-16 October, 2015. The event is organized by Observer Research Foundation at Hotel Taj Mansingh. Sunil Abraham is a panelist in the session "Protection of Intellectual Property and Business Secrets in the Knowledge Economy".

Building on its scope and scale of the previous year — over 55 speakers, from 12 countries, with 350 attendees — the conference discusses issues that affect the emerging world and developed world alike. The conversations will further and widen the debate around internet governance, security, surveillance, freedom of expression, norms of state behaviour, technology and specific societal challenges that emerging and developing countries seek to address by the effective design and deployment on these technologies. In 2015, Cyfy will bring together more experts from South Asia, in order to present new thought on the specific challenges of internet access, policy and regulation, e-governance, financial inclusion, and bottom of the pyramid solutions.

Along with its growing network of both Indian and international partners, ORF looking forward to hosting another thought-provoking and productive few days, and bridging some digital divides in contemporary internet cyber policy debates.

Protection of Intellectual Property and Business Secrets in the Knowledge Economy

Over the past decade, there has been an exponential rise in cyber-enabled theft of intellectual property, and it has been recognized as an unfair predatory practice. With the rise of the globalized knowledge economy, the stability of open trading systems increasingly depends on cross-border IP protection. What is the relevance of the protection of intellectual property and business secrets for economic development and stability of the international trading system?

Download the agenda For more info visit here.

For more details visit https://cis-india.org/internet-governance/news/cyfy-2015-india-conference-on-cyber-security-and-internet-governance

CYFY 2014 Event Programme

praskrishna — 2014-10-13T06:59:09Z

For more details visit https://cis-india.org/internet-governance/blog/cyfy-2014-event-programme.pdf

Cyberspying: Government may ban Gmail for official communication

praskrishna — 2013-09-02T04:19:53Z

The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyberspying by the US.

This article was published in the Times of India on August 30, 2013. Sunil Abraham is quoted.

A senior official in the ministry of communications and information technology said the government plans to send a formal notification to nearly 5 lakh employees barring them from email service providers such as Gmail that have their servers in the US, and instead asking them to stick to the official email service provided by India's National Informatics Centre.

"Gmail data of Indian users resides in other countries as the servers are located outside. Currently, we are looking to address this in the government domain, where there are large amounts of critical data," said J Satyanarayana, secretary in the department of electronics and information technology.

Snowden fallout

The move comes in the wake of revelations by former US National Security Agency contractor Edward Snowden that the US government had direct access to large amounts of personal data on the internet such as emails and chat messages from companies like Google, Facebook and Apple through a programme called PRISM.

Documents leaked by Snowden showed that NSA may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Even as the new policy is being formulated, there has been no mention yet of how compliance will be ensured.

Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their official email.

A Google India spokeswoman said the company has not been informed about the ban, and hence it cannot comment on speculation. "Nothing is documented so far, so for us, it is still speculation," Google said in an email response.

A senior official in the IT department admitted on condition of anonymity that employees turn to service providers such as Gmail because of the ease of use compared with official email services, as well as the bureaucratic processes that govern creation of new accounts.

"You can just go and create an account in Gmail easily, whereas for a government account, you have to go through a process because we have to ensure that he is a genuine government user."

Last week, IT Minister Kapil Sibal said the new policy would require all government officials living abroad to use NIC servers that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

Sunil Abraham, executive director of Bangalore-based research firm Centre for Internet and Society, said he agrees with the government's decision to ban Gmail for official communication and that any official violating this needs to be punished.

"After Snowden's revelations, we can never be sure to what extent foreign governments are intercepting government emails," he said. Abraham, however, called the government's decision a "late reaction", as the use of Gmail and other free email services by bureaucrats has increased in the past.

"Use of official government email would also make it easier to achieve greater transparency and anti-corruption initiatives. Ministers, intelligence and law enforcement officials should not be allowed to use alternate email providers under any circumstance."

For more details visit https://cis-india.org/news/times-of-india-august-30-2013-cyberspying-govt-may-ban-gmail-for-official-communication

Cybersecurity Compilation

elonnai — 2017-06-18T13:15:49Z

For more details visit https://cis-india.org/internet-governance/files/cyber-security-compilation.pdf

Cyberscholars Working Group at MIT

praskrishna — 2014-01-09T06:41:31Z

Malavika Jayaram is giving a talk on Biometrics or Bust - India’s Identity Crisis at this event organised by Berkman Center for Internet & Society on December 12 at 6.00 p.m.

Read the original published by Harvard University here.

The Cyberscholar Working Group is a forum for fellows and affiliates of MIT, Yale Law School Information Society Project, Columbia University, and the Berkman Center for Internet & Society at Harvard University to discuss their ongoing research. Each session is focused on the peer review and discussion of current projects submitted by a presenter. Meeting alternatively at Harvard, MIT, Yale, the working group aims to expand the shared knowledge of young scholars by bringing together these preeminent centers of thought on issues confronting the information age. Discussion sessions are designed to facilitate advancements in the individual research of presenters and in turn encourage exposure among the participants to the multi-disciplinary features of the issues addressed by their own work.

This month's presentations include:
(1) "Lines of Control: Networks of Imperialism and Independence in India (1840-1947)"
Abstract: This paper examines the history of communications networks in India and the relationship between communications and second-order networks. It draws attention to the wave of colonial network development that took place in India between 1840 and 1948. During these years, Britain constructed a series shipping, rail and telegraph networks to achieve a set of military and commercial goals. This paper studies how first- and second-order networks developed, and the intended and unintended effects of these networks on Indiaʼs economics, politics, and identity. The paper draws on economic and social studies of colonial communications networks in India, original reports by British officials and the Colonial Office, and the literature focusing on the role of technology in British imperialism. It shows how Indiaʼs colonial communication networks, built to augment and extend British control over the subcontinent, became conduits for Indian resistance and nationalism.
Keywords: shipping, telegraph, railroads, imperialism, nationalism, network theory, India

Colin Agur is a PhD candidate at Columbia University and Visiting Fellow at Yale Law School's Information Society Project. His research examines India's telecommunications, focusing on mobile network formation and second-order effects of network growth. He spent the 2012-13 academic year in Delhi and Chennai, conducting document analysis, interviews with industry figures and participant observation related to mobile phone usage. He has published articles about Indian media and culture in Harvard's Nieman Lab, the Journal of Asian and African Studies and Journalism (forthcoming), and about telecommunications history in Information and Culture.

(2) Big Data Dramas in the 1960s and 1970s
Abstract: The recent frenzy in discussing NSA activities and the collecting of Big Data show a widespread critical concern for the current practice of gathering and using personal data. These concerns have their history. In my presentation, I track the beginnings of a growing public awareness and sensitivity towards the societal handling of personal data. I argue that the early computerization phase during the 1960s and 1970s played a crucial role in discussing these issues. Media reports, popular books, scientific publications, and political hearings all of a sudden began – often in quite different ways – to address and question contemporary practices of collecting, sharing, and storing of personal data. Their authors explored and negotiated all kind of societal settings where personal data played a significant role at that time. There have been concerns about these issues with personal data before, but – as I will show in my presentation – not on this broad societal level and to this extent as in the late 1960s and early 1970s. I argue that during that time, the usage of personal data became a highly controversial matter not only of public, but also of private interest.My inquiry examines how the term “data“ and in particular the collection of personal data became loaded with cultural and emotional significance in scientific and media discussions in the 1960s and 1970s in the United States and in Germany. Furthermore, it explores how the early computerization affected our societal handling of data long before the personal computer entered our private lives.

Julia Fleischhack is a visiting postdoctoral research fellow in the program in Science, Technology, and Society at the Massachusetts Institute of Technology. She holds a PhD in anthropology from Zürich University. Her current research is on data centers from the private sector and funded by the Fritz Thyssen foundation.

(3) Biometrics or Bust - India’s Identity Crisis
Abstract: India's identity juggernaut - the Unique Identity (UID) project that has registered around 500 million people and is yet to be fully realized - is already the world's largest ever biometrics identity scheme. Grounded in the premise that centralized de-duplication and authentication will uniquely identify people and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad socio-economic problems, yet its conception and architecture raise significant concerns. Its implementation as a techno-utopian project in a legal vacuum, despite the potential for abuse and exclusion, give pause to the much-vaunted claims of transforming welfare delivery and galvanizing financial inclusion. I will provide an overview of the identity project and highlight some of the key implications for privacy and free speech, and more broadly, democracy and openness. I will also unpack some of the narratives being constructed, describe the current public discourse and legal developments, and locate the project within the broader surveillance state and database nation that India is morphing into.

Malavika Jayaram is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression. A Fellow at the Centre for Internet and Society, Bangalore, she is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London.

For more details visit https://cis-india.org/news/cyberscholars-working-group-mit

Centre for Internet and Society

Database on Big Data and Smart Cities International Standards

[45] SPRING Singapore Supported Close to 600 Companies in Standards Adoption, and Service Excellence Projects , 12th August 2015, http://www.spring.gov.sg/NewsEvents/PR/Pages/Internet-of-Things-(IoT)-Standards-Outline-to-Support-Smart-Nation-Initiative-Unveiled-20150812.aspx

Data Retention in India

The Debate around Data Retention

Data Retention vs. Data Preservation

Data Retention in India

ISP License

UASL License

RTI Request to BSNL and MTNL

BSNL Response

MTNL Response

Conclusion

Data Protection Submission

Data protection experts slam state for sending mass SMSes

Data Privacy: Footprints on the Web

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Framing Reproductive Health as a Surveillance Question

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Potential Harms of the Data Model of Reproductive Health Provisioning

Towards a Networked State and a Neo-liberal Citizen

“Quantified Self” of the Neo-liberal Citizen

Concluding Remarks

Data Flow in the Unique Identification Scheme of India

Data Capture

Document Storage, Back up and Sync

Transfer of Demographic and Biometric Data Collected to CIDR

Data De-duplication and Aadhar Generation at CIDR

Dark days for the creative class in India: Siddiqui

CyFy 2017 Agenda

CyFy 2017

Cyfy 2015: The India Conference on Cyber Security and Internet Governance

Protection of Intellectual Property and Business Secrets in the Knowledge Economy

CYFY 2014 Event Programme

Cyberspying: Government may ban Gmail for official communication

Snowden fallout

Cybersecurity Compilation

Cyberscholars Working Group at MIT

^{^[45]} SPRING Singapore Supported Close to 600 Companies in Standards Adoption, and Service Excellence Projects , 12th August 2015, http://www.spring.gov.sg/NewsEvents/PR/Pages/Internet-of-Things-(IoT)-Standards-Outline-to-Support-Smart-Nation-Initiative-Unveiled-20150812.aspx