Centre for Internet and Society

Aadhaar verification at airports raises need for stricter data privacy regulations

Admin — 2017-11-27T13:34:35Z

The absence of legislation is letting companies compile and deploy sensitive personal information without legal oversight.

The article by Aman Sethi was published in the Hindustan Times on November 27, 2017

When Suvodeep Das, a 42-year-old marketing professional, took a Jet airways flight from Hyderabad to Mumbai in September, he said a software bug in the airline’s website wouldn’t let him check in online without first punching in his Aadhaar number.

“When I got my boarding pass, it had my Aadhaar number printed on it,” Das told HT, wondering, “Why do you need an Aadhaar number to take a flight, and why display it publicly?”

In October, another passenger found their Aadhaar number on the boarding pass: this time, it was barcoded.

HT has reviewed both boarding passes. Publishing Aadhaar numbers is an offence under the Aadhaar Act 2016.

Jet Airways did not respond to repeated requests for comment. Speaking off the record, airline executives said Jet encoded Aadhaar numbers to test the proposed Aadhaar Enabled Entry and Biometric Boarding System (AEEBBS): a complex Aadhaar-seeding project that aims to replace a passenger’s boarding pass with his/her fingerprint.

Bangalore International Airport (BIAL), which plans to install AEEBBS, says it will improve passenger security and reduce check-in time at the Kempegowda International, India’s third busiest airport.

Privacy advocates, however, say the system, which stores passenger biometrics and Aadhaar numbers on the servers of a private corporation, is an example of how the absence of a data protection law in India lets companies compile and deploy sensitive personal information without legal oversight.

Future uses of the AEEBBS, according to the BIAL website, include integrating the system with passenger blacklists, typically maintained by the ministry of home affairs, to determine who can and cannot board a flight.

“The unregulated proliferation of Aadhaar uses is compromising the digital identities of citizens and putting them at risk,” said Usha Ramanathan, a legal theorist who has written extensively on Aadhaar. ”There is a misconception that data protection is about data being at risk. It is actually about the rights of people being at risk.”

Pilot Project

In January, Bangalore International Airport Ltd (BIAL), the corporation that runs the Bengaluru terminal, and Jet Airways integrated their flight and passenger databases as part of a four-month pilot project to test the AEEBS.

“The pilot project incorporated the entire airport journey from entry right through to the boarding gate and included all security check points,” a BIAL spokesperson said in an email. “The project allowed for quicker processing time for a passenger from entry to security gate while simultaneously enabling fewer points of human interaction.”

Participation in the project was voluntary. BIAL said about 15% of passengers opted to use it. In October, BIAL called for bids for a full roll-out of the AEEBBS by December 2018.

The system, tender documents reveal, works in the following way:

First passengers enter their Aadhaar numbers when they book their flights. The airline turns this number into a QR code printed on the flight ticket. Once at the terminal, passengers bypass the standard practice of showing their ticket and ID to a security guard, and instead they enter the terminal by flashing the ticket at a QR code scanner while pressing their fingers against a biometric reader installed at the entrance.

The AEEBBS verifies the passenger’s identity by querying the UIDAI’s database, and then checks the airport’s flight information system to see if the passenger is booked to fly that day.

Thereafter, the system creates a “passenger dataset” that bundles the passenger’s biometrics and flight information into a single file unique to each passenger. This dataset is used to verify the identity of the passenger at each checkpoint, allowing the airport to track the passenger until she boards her plane.

The tender document states that the biometric data should be purged immediately after the passenger’s flight departs. If flights are rescheduled, the biometrics shall persist until the passenger finally departs.

Concerns over Bengaluru airport’s use of Aadhaar

The Aadhaar-Enabled Entry and Biometric Boarding System (AEEBBS) aims to replace boarding cards with a passenger’s fingerprint. Here is how it works.

Why Biometrics?

Bengaluru isn’t the only airport experimenting with systems like the AEEBBS.

“We have initiated trials on facial recognition, iris and finger-print scanning etc., to generate Aadhaar + Biometric enabled passenger data-sets,” said a spokesperson for the GMR Hyderabad International Airport. “We hope to complete these trials in the next two months and deploy them by June 2018 for all domestic passengers.”

Yet biometrics isn’t a fool-proof way of verifying someone’s identity. Biometric experts have maintained that fingerprints can be copied and printed onto “fake fingers” — a process known as spoofing.

At Michigan State University, biometric expert Anil Jain and his team have developed so-called fake fingers using 12 different materials, the most sophisticated of which mimics the physical properties of human skin.

“Many of the commercial systems may not have state-of-the-art spoof detection facilities,” Jain said, adding that he has advised the UIDAI on biometrics in the past.

Jain said it was important that a secured space like an airport have biometric readers that include “liveness” detection, a term that refers to a broad set of techniques that use a combination of advanced hardware and software to avoid spoof attacks.

However, it is not mandatory for UIDAI-certified biometric devices to have liveness detection features. Documents published by Standardisation Testing and Quality Certification (STQC), the agency tasked with certifying Aadhaar devices, make clear that “liveness detection” is “preferable” but not mandatory.

Some manufacturers of certified devices say their devices have liveness detection, but STQC does not include this specific feature in its testing.

Prof Jain said biometrics are harder to forge than the identity cards that are currently needed to gain access to airport terminals, suggesting that the AEEBBS could increase security only if the data that undergirds the system is properly secured.

Storage Concerns

Under regulations framed by the Unique Identification Authority of India (UIDAI), it is illegal to store biometric data captured for any Aadhaar-related transaction.

Also, UIDAI-certified biometric devices are prohibited from storing biometric data which casts a cloud over BIAL’s proposal to create passenger datasets to merge passenger flight data, biometric data and Aadhaar numbers, and store it on a local BIAL network.

While UIDAI did not respond to requests for comment on if these passenger data sets violated its regulations, BIAL said it would work around the system by capturing passenger biometric data twice — once to verify passenger identities in accordance with UIDAI regulations, and once for the purpose of creating the passenger data set.

“Our intent is to capture data and store a separate set of biometrics records (delinked from Aadhaar) that include face/iris/fingerprints for the purpose of authentication of passenger at various check points inside the airport,” the spokesperson said.

Some experts believe this may not be enough.

“The Aadhaar Act and Regulations are supposed to ensure that our biometric records are safe, and entities capturing biometrics for Aadhaar-related purposes cannot store the biometrics,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“If biometrics collected doesn’t need to follow the Aadhaar regulations because of a technicality, how strong are the regulations?” Prakash said.

Last year, 22.18 million passengers travelled through Bengaluru airport. Once the AEEBBS is installed, the airport’s servers shall become a temporary repository of millions of fingerprints, and a lucrative target for sophisticated hackers who could capture this data by implanting malicious software in the system.

Such software has become easier to access since August 2016, when a group calling itself the “Shadow Brokers” announced it had stolen some of the world’s most advanced cyber-weapons from the vaults of the Tailored Access Operations unit of National Security Agency, which manages the cyber-arsenal of the United States of America.

Designing the system to minimise the use of biometrics could alleviate these concerns, according to Rahul Matthan, a partner at law firm Trilegal.

“If data minimisation is the principle that we keep on top of mind, Aadhaar should be used to allow entry,” Matthan said, “Then the airport must devise other methods and standards to ensure that security and passenger tracking is achieved.”

Safeguarding Aadhaar Numbers

The AEEBBS also raises questions on the manner in which airlines and airports will store non-biometric data like passenger Aadhaar numbers. UIDAI regulations published in July 2017 say companies and government departments must store Aadhaar numbers in secure, isolated, databases called ‘Aadhaar Data Vaults’.

Each Aadhaar number in these vaults must be associated with a “reference key” — which is like a nick-name for the Aadhaar number. So instead of using a citizen’s Aadhaar number for a given transaction, businesses must preserve the confidentiality of the number by using the reference key instead.

Jet Airway’s decision to print Aadhaar numbers, rather than the reference keys, on the boarding passes, suggests that the airline is not following UIDAI guidelines — a problem that is likely to multiply as more airlines start gathering this information to avail of the AEEBBS facility. Jet Airways did not respond to requests for comment.

Once the AEEBBS is in place, BIAL also intends to use passenger data, harvested during check-in and boarding, for commercial purposes, but it is unclear if and how this data will be anonymised before it is used.

“We aim to make meaning of the abundant data that will be collected,” the BIAL spokesperson said, insisting that the airport would respect traveller privacy and the data would not be sold to third parties. “In due course — and with passenger consent — we intend to use business intelligence to make the journey more impactful.”

For lawyer Matthan, the AEEBBS is an example of why India needs a comprehensive data protection law to address issues between citizens and private corporations.

“There is a need to ensure that Aadhaar is based on a sound framework of privacy protection,” he said, noting that the recent Supreme Court judgment protected citizen privacy against infringement by the government.

Data protection legislation, he said, would ensure that private corporations are held to the same standard.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-aman-sethi-november-27-2017-aadhaar-verification-at-airports-raises-need-for-stricter-data-privacy-regulations

India Today Conclave Next 2017: Aadhaar was rushed, says MP Rajeev Chandrashekhar

praskrishna — 2017-11-26T06:41:07Z

Talking at the ongoing India Today Conclave Next 2017, MP Rajeev Chandrashekhar said that Aadhaar was rushed and foisted on the country by authorities that fail to first create a proper ecosystem. Chandrashekhar gave his comments at a keynote titled Privacy -- The Fundamental Right for the Digital Citizen.

The article by Priya Pathak was published by India Today on November 8, 2017.

Chandrashekhar, who has been vocal on the issues like data protection, privacy and net neutrality, said that the government should have created a proper ecosystem for Aadhaar by bringing norms and laws around data protection and privacy before asking people to sign up for the unique ID.

The MP talked about India's journey from being a largest unconnected world to becoming the largest connected world. But Chandrashekhar criticised the "flawed" Aadhaar and said that it was a classic example of how a government system would push for technology in governance without addressing key bits of the ecosystem around the citizen and the consumer.

"If that (Aadhaar) wasn't enough, the IT act and section 66A and its language and its vagueness and its potential for misuse was another example of the faults of a bureaucracy or a political system trying to legislate or create solutions in the digital world, " he said.

At the same time, he lauded the recent Supreme Court order that held all Indians had fundamental right to privacy. "The latest finding of Supreme Court of Privacy as fundamental right is a big deal and it will alter number of things going forward," he said. He added that there should be more debate and discussion on data privacy as there is an attempt to characterise data privacy as some of kind of elitist issue in India which it's not.

Privacy, especially for the digital world, currently is one of the most debated topics in India. The country in the past few years has seen a number of instances where a government or a private entity has knowingly or unknowingly compromised the data of its users. Recently a study published by Centre for Internet and Society, a Bengaluru-based organisation, revealed that private data of more 130 million Aadhaar card holders were leaked from four government websites.

The Supreme Court in August this year declared privacy as a fundamental right. A nine-judge Constitution bench headed by Chief Justice J S Khehar has declared that "right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution".

The move has been praised by many including Rajeev Chadrashekhar who has said that it is a big welcome step. "It is clear that Aadhaar and all other legislations existing and proposed will have to meet the test of privacy being a fundamental right," he recently said.

For more details visit https://cis-india.org/internet-governance/news/india-today-priya-pathak-november-8-2017-india-today-conclave-next-2017-aadhaar-was-rushed-says-mp-rajeev-chandrashekhar

What You Need To Worry About Before Linking Your Mobile Number With Aadhaar

Admin — 2017-11-26T05:55:49Z

As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.

The blog post by Roopa Raju and Shekhar Rai was published in Youth Ki Awaaz on November 8, 2017

The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of Lokniti Foundation vs Union of India. The petitioner contended that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for ensuring 100% verification on the identity of telecom service subscribers in public interest under Article 32 of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under Article 21 of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of 4.59 crore mobile users still remained unverified.

Article 21 of the Constitution of India, 1949, states that – “No person shall be deprived of his life or personal liberty except according to procedure established by law.” While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.

In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of over 130 million Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.

On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also strongly opposed the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court questioned the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.

As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base dipped by 1.3 lakh to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.

Month	Telephone subscriber base (in million)	Growth rate
Mar-17	1194.58	–
Apr-17	1198.89	0.36%
May-17	1204.98	0.51%
Jun-17	1210.84	0.49%
Jul-17	1210.71	-0.01%

(Source: TRAI monthly subscription data)

The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).

Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.

With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.

However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.

The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.

While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.

For more details visit https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar

OPINION | Data is New Oil and Human Mind the New Battlefield. India Must Wake Up Now

Admin — 2017-11-26T03:28:55Z

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

The article by Lt. General (Retd.) D. S. Hooda was published by News18.com on November 11, 2017

A few days ago, the Army Headquarters took out a public advisory warning about a “deliberate misinformation campaign being launched by vested interests some of which is being initiated from countries bordering our nation.” This is an acknowledgment of the use of social media for what is today considered the most dominant form of warfare — ‘information warfare’. It has been extensively used by our adversaries in Jammu and Kashmir to show the government and security forces in poor light.

Deception, propaganda and misinformation have always been a part of warfare but what is different today is that the tools of information warfare have acquired a new dimension. An integration of massive amounts of data with Artificial Intelligence (AI) has given a significant weapon in the hands of information warriors.

The cost of saving data has been plummeting, with the cost being halved about every 15 months. Now more and more data about individuals is being saved, both by corporations and governments. In his book, Data and Goliath, Bruce Schneier writes that worldwide, Google has the capacity to store 15 exabytes of data. To put it in context, one exabyte is 500 billion pages of text. Bruce also quotes the case of Max Schrems, an Austrian law student, who in 2011 demanded all his personal data from Facebook. After a two year legal battle, Facebook gave him a CD with 1200 pages of PDF. This is how much Facebook knows about you, and it does not forget because it is all saved.

All this big data would be useless unless it can be utilised for decision making and this is where advances in AI have provided the breakthrough. Smart machines mine the data and detect trends, patterns, habits, ideology and desires. These personal characteristics of individuals are being used by corporations to send targeted advertisements to influence commercial decisions.

The same technique is used in information warfare. On November 1, the US House Intelligence Committee released Facebook advertisements bought by Russian operatives to influence the 2016 elections. Washington Post wrote, “The ads made visceral appeals to voters concerned about illegal immigration...African American political activism, rising prominence of Muslims” among other issues. Senator Angus King said, “The strategy is to take a crack in our society and turn it into a chasm.”

Data is the new oil and that is exactly how it is being traded and sold. In the absence of any legal provisions, companies and ‘data brokers’ are sharing and selling personal data. Can this personal data find its way to a hostile government? Last month, the US Army brought out that their troops in the Baltic had reported instances of cell phone hacking. However, more worrisome was the fact the hackers knew personal details of the soldiers. Direct threats against family members of the military can have a negative psychological impact during conflict.

India has its share of political, social and ethnic differences, just as in many societies. In recent times these differences have been magnified as nationalism has taken centre stage. It is difficult to imagine why these fault lines will not be exploited by inimical forces as India enters the election mode in 2018. Looking at examples from the US and French elections, Brexit and the cyber battle during the Catalonia referendum, I think we have no option but to be prepared.

The preparation for this war (and I do not use this word lightly) lies in three spheres — concepts, practices and structures.

Conceptually, our current shortcoming is that we are viewing this issue through a technical prism rather than the broader spectrum of information warfare. CERT and NTRO can technically protect our critical infrastructure but they do not have an equal understanding of the human dimension, which is more strategic than scientific. The Americans, world leaders in information technology, have not been able to prevent a perceived subversion of their democratic process.

Our practices need to improve. The security of personal data is a major concern. The Supreme Court has declared privacy as a fundamental right, but there are no privacy laws to back it up. Even data stored in India is not safe as the owners of our data are the giant technology companies, mostly based in the US and not under our legal control. In September 2017, it was reported that Google has quietly stopped challenging most search warrants from US judges in which the data requested is stored on overseas servers.

A May 2017, report by the Centre for Internet and Society estimated that 135 million Aadhaar numbers could have been leaked from official portals. This was not due to a security breach but due to poor privacy practices.

Our continued reliance on foreign hardware and software is extremely worrisome. There was clear evidence that Cisco systems had been back-doored by the American National Security Agency but the Indian military continues to procure hardware from Cisco. There is a similar story with Chinese equipment in our telecommunication and power sectors. An attempt to introduce an Indian operating system to replace Windows in the Army has been mired in controversy.

In case of a targeted cyber attack on India, there is little we can do except issue advisories. The solutions will have to come from foreign manufactures or developers whose equipment we are using. There is an urgent need to give a fillip to developing indigenous solutions for our critical infrastructure.

And finally, structures. An organisation to execute information warfare would have to be led by the Ministry of Defence, because the threat is mainly from external players. It would be a combination of military planners, specialists from the field of intelligence, government agencies, media and cyber warfare experts. Such an organisation does not currently exist, though the raising of the Cyber Command could fill this gap.

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

(The author is former Northern Commander, Indian Army, under whose leadership India carried out surgical strikes against Pakistan in 2016. Views are personal.)

For more details visit https://cis-india.org/internet-governance/news/news-18-lt-general-retd-ds-hooda-data-is-new-oil-and-human-mind-the-new-battlefield-india-must-wake-up-now

Roundtable on Data Integrity and Privacy

Admin — 2017-11-25T02:17:13Z

Amber Sinha attended a roundtable on data integrity and privacy organized by the Observer Research Foundation (ORF) on November 18, 2017 in New Delhi. The round table discussion was chaired by Shri Baijayant Panda, Hon'ble Member of Parliament.

With the 10-member committee headed by former Justice B.N. Srikrishna being mandated to recommend principles for a new data protection bill, the time is ripe for online platforms, service providers and citizen stakeholders to discuss what the substantive elements of the new data protection law should look like.

Regulatory principles around data should be informed by the impetus for innovation, the responsibility to deliver social benefits and most importantly the users’ expectation of privacy. Increasingly, the nature and number of actors collecting and processing user data is becoming unclear. The new data protection framework must clarify the relationship between the user and apps/ mobile platforms that collect her data, but should do so while acknowledging the heterogenous nature of the Indian digital economy, comprising operating systems, platforms and devices of varying security and sophistication.

To kick-start this project, ORF hosted a roundtable chaired by Shri Baijayant Panda to hear from a diverse set of stakeholders to understand what direction the data privacy regime in India should take. The roundtable took place at the Viceroy, Claridges Hotel, 12, Dr APJ Abdul Kalam Road, New Delhi, Delhi 110011.

The roundtable broadly covered the following aspects –

Role of user consent and choice
Importance of cross border data flows
Appropriate regulatory authority
International best practices and relevance to the Indian context
Reasonable restrictions
Private-public collaboration

For more details visit https://cis-india.org/internet-governance/news/roundtable-on-data-integrity-and-privacy

Cyberattacks a significant threat to democracy: Modi

Admin — 2017-11-24T13:29:17Z

We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.

The article by Komal Gupta was published in Livemint on November 24, 2017.

Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.

Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.

“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.

A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, PTI reported in August.

With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told Mint during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.

Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.

The need to set up a safe and secure cyberspace is one the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.

Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.

The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.

PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.

Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.

Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”

Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.

Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely eduction, health, entertainment and others, if one enters the Net through one gate (Facebook’s).

“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.

Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.

Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.

On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.

India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.

“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

PTI contributed to this story.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi

Privacy issues exist even without Aadhaar

Admin — 2017-11-23T16:12:11Z

There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.

The article by Ronald Abraham was published by Livemint on November 15, 2017.

In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.

Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).

Data disclosure

According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.

On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.

In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.

Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.

Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.

This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.

Voluntariness

The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.

With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.

To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.

With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.

While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.

Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.

With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.

Ronald Abraham is a partner at IDinsight and co-author of ‘State of Aadhaar’ report 2016-17.

Research contributions from Shreya Dubey and Akash Pattanayak.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar

Counter Comments on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

amber — 2017-11-23T14:29:06Z

The Centre for Internet & Society (CIS) has commented on the Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in three main parts. The first part 'Preliminary' introduces the document. The second part 'About CIS' is an overview of the organization. The third part contains the 'Counter Comments' on the Consultation Paper taking into account the submission made by other stakeholders.

Download the full submission here

For more details visit https://cis-india.org/internet-governance/blog/counter-comments-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector

Aadhaar seeding: benefits and concerns

Admin — 2017-11-23T02:02:45Z

Products and services such as bank accounts, life insurance policies and phone connections have to be linked with Aadhaar. But is this of any real help?

The article by Shaikh Zoaib Saleem was published by Livemint on November 14, 2017.

The government has made it mandatory for consumers to link many important services with Aadhaar. You too may be getting frequent reminders to link your banks account, mutual fund and mobile number with Aadhaar. Recently, the Reserve Bank of India also clarified that it is mandatory to link bank accounts with Aadhaar.

The latest addition to this list are insurance policies. In a circular, the Insurance Regulatory and Development Authority of India (Irdai) has stated that linking of Aadhaar number to insurance policies is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017.

The issue is being discussed intensively, with the Supreme Court taking a decision in favour of linking Aadhaar biometrics and the number with a host of services. Several petitions have been filed challenging not just the linking of these services with Aadhaar but also the validity of Aadhaar itself. We spoke to people who support and those who oppose this linking, to understand how either case impacts consumers.

The benefits

According to the Unique Identification Authority of India (UIDAI), government schemes are asking for Aadhaar as it helps to clean out duplications and fakes, and provides accurate data to enable implementation of direct benefit programmes. “Use of Aadhaar reduces the cost of identifying persons and provides increased transparency to the government in implementation of its schemes,” the Authority states under frequently asked questions on its website (read more at: https://uidai.gov.in/your-aadhaar/help/faqs.html) So, when you link your bank account with your Aadhaar, government benefits such as subsidy on LPG cylinders is credited directly to that account. The FAQs, however, do not elaborate how such linking helps an individual who does not get, or does not wish to get, such subsidies. In a tweet, UIDAI had said that verifying a bank account using Aadhaar adds an additional layer of security.

Nakul Saxena, a former banker who now works on policy advocacy at the software think tank iSpirt Foundation, said that linking of Aadhaar with these services will help eradicate fake accounts, fake insurance policies and unauthorised mobile connections. “It is possible that there are many accounts in the system that have been opened using such documents and copied signatures and even the banks may not be aware of it. Some people may not even be aware that an account exists in their name. These accounts need to be verified using Aadhaar now,” he said.

The government claims to have removed millions of fake beneficiaries for government benefits by Aadhaar linking. As reported by Mint in May 2017, over 23 million fake ration cards have been scrapped, potentially saving the government Rs14,000 crore in food subsidy every year. Another Mint report in August says, three states discovered that about 2,72,000 fake students were availing the mid-day meal (MDM) scheme.

However, those who are against linking Aadhaar disagree with these arguments. “Initially, Aadhaar was about delivery of services. But linking everybody’s phone number and bank account is not about that anymore. The real question is, what purpose this linking serves. If the intention is to update the databases, then there can be other means to update those,” said Rahul Narayan, a Supreme Court advocate who is among the lawyers representing petitioners who have challenged Aadhaar linking in court.

The concerns

The fundamental objection to this linking of services is that all information on an individual will be available at a single place, which could make surveillance easier and also increase the risks if this information is hacked. “As of now, your bank knows something about you, your insurance company knows something and your mobile phone company knows something about you. Each of these are different silos of information. When these converge, which is then accessible to a single person, that person knows almost everything about you,” said Narayan.

Moreover, a user’s Aadhaar number and fingerprint are permanent identifiers, and at least the Aadhaar number has been compromised for over 130 million citizens, as per a study by Centre for Internet & Society, said Nikhil Pahwa, co-founder of the SaveTheInternet.in (https://internetfreedom.in) campaign for net neutrality in India. “This leaves the users vulnerable to social hacks, some of which we have already been reading about in the news. To forcefully and mandatorily link Aadhaar to bank accounts means that their finances are at risk,” he said.

Saxena said the data leaks that have been highlighted have been typically about demographic details such as name, date of birth and address “which have been commonly available so far.” However, given the heightened sensitivities in this digital age, customers must ask their service providers to not publish such details, nor provide this information freely, he added.

Grievance redressal and data privacy

Another major concern is the absence of a clear redressal mechanisms for consumers in case of a data leak, misuse or hack. “When things go wrong, consumers need to have access to a proper complaints mechanism. In the case of Aadhaar, such access is to be provided through the establishment of ‘contact centres’ under the Regulation 32 of the UIDAI Enrolment and Update Regulations. To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI,” said Renuka Sane, associate professor at the National Institute of Public Finance and Policy, who has worked on data privacy and security issues.

Apart from this, Section 47 of the Aadhaar Act stipulates that only UIDAI or its authorised officers can file a criminal complaint for violations of the Act, she added.

“The UIDAI has been given complete discretion in determining if and when to file a criminal complaint for violations of the Act, and an individual aggrieved by actions of a third person is left to rely upon the bonafide actions of the UIDAI,” Sane added. The government is also working towards a data privacy legislation, that is needed to give citizens protection against misuse of their data, and them having some control over who gets their data, how it is used, and where it can be shared. “However, a data privacy legislation and mechanism will not ensure that data remains secure and protected, and that processes are followed. The Act disallowing people from sharing Aadhaar numbers did not prevent government departments from publishing details online,” said Pahwa. He also said that systems can get hacked, which could include the Aadhaar database, the parallel Aadhaar databases with state governments, or eKYC databases held with banks and telecom operators.

Saxena said the UIDAI has clarified that biometric information is not stored with user agencies, and stored biometrics can't be used for Aadhaar authentication or eKYC. “Hence, customers can be assured when using Aadhaar and biometrics with authorized entities,” he said. “The data privacy law will address data privacy and protection in all digital systems, not just Aadhaar. It will equally apply to social media and mobile apps. It should also go into the aspect of ‘right to be forgotten’,” said Saxena.

Pahwa, however, insists that the least that should be done is to give citizens the right to not link their Aadhaar and use other IDs for authentication, plus the ability to change their ID number if the system gets compromised.

What you should do

For now, the deadlines for linking bank accounts with Aadhaar is 31 December 2017, and for mobile phones it is 7 February 2018. In its latest hearing on the matter, the Supreme Court has directed service providers to mention these deadlines in their reminders. “Right now, regardless of what they say, nobody is going to shut down your bank account or disconnect your mobile connection, at least till the deadline. There are several petitions being heard in the Supreme Court. The matter is supposed to be taken up by the Supreme Court in the last week of November. The final word from the court is yet to come and it is quite possible that at least the deadlines gets extended,” said Narayan.

If you have already linked these services with Aadhaar, you are in no trouble. But if you are having second thoughts, the linking cannot be undone. If you are concerned about safety or other aspects, you can wait to get more clarity from the Supreme Court.

For more details visit https://cis-india.org/internet-governance/news/shaikh-zoaib-saleem-livemint-november-14-2017-aadhaar-seeding-benefits-and-concerns

UIDAI admits 210 government websites made Aadhaar details public

Admin — 2017-11-21T16:03:29Z

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.

The article was published in the Financial Express on November 20, 2017.

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which was removed when the breach was identified.

However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.

UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and addresses anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the Narendra Modi government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhar.

Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that Aadhaar numbers of as many as 135 millions could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.

UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” press release by PIB said.

It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.

For more details visit https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public

National Privacy Workshop

Admin — 2017-12-05T14:24:16Z

Centre for Internet & Society is organizing a round-table to discuss the potential impact of numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The round-table will be held on December 9, 2017 at India International Centre in New Delhi, 10.30 a.m. to 5.00 p.m.

Background

The recent past in India has seen numerous policy developments with wide ranging implications for recognition and governance of privacy in India. The emphatic and unanimous avowal of the right to privacy by the Supreme Court, the government’s stated commitment to a data protection law and the formation of the Sri Krishna Committee are developments which will continue to inform policymaking around privacy in India for a long time to come. The Supreme Court’s conception of a robust right to privacy encompassing different element - spatial, decisional and informational, and its guidance on strict limiting tests may have a wide impact on a range of issues. The impact of this judgment and a data protection law on informational privacy in India will be immense and it is important to delve in challenges and issues that it may throw up. In last year, we have also seen instances of purported conflict between the transparency instruments such as the right to information and the right to informational privacy. How these conflicts are resolved in law and practice will be key to these two essential human rights in the modern information society. Further, while these general consensus on privacy principles, the appropriate ways to govern and enforce privacy remains an open issue, and the success of any data protection framework will depend as much on what kind of privacy governance models are adopted.This roundtable will look to discuss the potential impact of these policy decisions, what theories should guide the data protection law in India, what models of privacy governance are workable and how privacy can co-exist with transparency principle and robust RTI regime.

Agenda

10.30 - 11.00	Tea
11.00 - 11.30	Welcome and setting the scene
11.30 - 12.30	Session 1: Policy Developments around Informational Privacy in India What do different policy developments indicate about privacy in India? What are the (potential) impacts of these developments? What questions are being asked and are these the right questions to ask? How do we expect the ‘state of privacy’ to change in India in response to these policy developments?
12.30 - 13.30	Session 2: Approaches to Privacy and Data Protection for India What are different approaches to privacy and government the Indian government can take? What cultural/political etc. aspects should be taken into consideration when thinking through this question? What are the pros and cons to different approaches? What are the pros and cons to the below approaches: - Privacy as control - Data as property - Utilitarian approaches - Technological Solutions
13.30 - 14.30	Lunch
14.30 - 15.30	Session 3: Transparency and Privacy How can transparency from the private sector enable the right to privacy? What are key principles that can guide this relationship? Where is transparency from the private sector most needed with respect to privacy? What are incentives that governments can adopt to encourage privacy?
15.30 - 16.30	Governance Models for Data Protection What kind of institutional framework is required for governance of privacy in India? How do we address questions of liability, penalties and enforcement? What role do sectoral players have in a data governance framework? What is best way for other stakeholders like industry, civil society and academia in collaborative governance of privacy?
16.30 - 17.00	Tea and snacks

Speakers

Usha Ramanathan
Rahul Sharma
Apar Gupta
Malavika Raghavan
Shankar Narayanan
Ujwala Uppaluri
Rebecca MacKinnon
Nikhil Pahwa
Kamlesh Bajaj
Manasa Venkatraman
Smitha K Prasad

Download the Agenda

For more details visit https://cis-india.org/internet-governance/events/national-privacy-workshop-at-india-international-centre

Breach Notifications: A Step towards Cyber Security for Consumers and Citizens

Amelia Andersdotter — 2017-11-14T15:38:15Z

Through the Digital India project the Indian government is seeking to establish India as a digital nation at the forefront. Increasingly, this means having good cyber-security policies in place and enabling a prosperous business environment for companies that implement sound cyber-security policies. This paper will look at one such policy, which enables investments in cyber-security for IT products and services through giving consumers a way to hold business owners and public authorities to account when their security fails.

Electronic data processing has awarded societies with lots of opportunities for improvements that would not have been possible without them. Low market entrance barriers for new innovators have caused a flood of applications and automations that have the potential to improve citizens’ and consumers’ lives, as well as government operations. But while the increasing prevalence of electronic hardware and programmable software in many different parts of society and industry, combined with the intricate value chains of international communications networks, devices and equipment markets and software markets, have created a large number of opportunities for economic, social and public activity, they have also brought with them a number of specific problems pertaining to consumer rights.

Read full report here

For more details visit https://cis-india.org/internet-governance/blog/breach-notifications-a-step-towards-cyber-security-for-consumers-and-citizens

Cross Border Sharing of Data: Challenges and Solutions

Admin — 2017-11-20T15:20:18Z

Centre for Internet & Society (CIS) has been following the debates around MLAT process taking place globally and researching potential areas of tension in the tools that India uses to access data across borders. As part of this research, CIS is hosting a workshop on cross border sharing of data on December 8, 2017 at India Islamic Centre from 10.30 a.m. to 5.00 p.m.

For more details visit https://cis-india.org/internet-governance/events/cross-border-sharing-of-data-challenges-and-solutions

A Comparison of Legal and Regulatory Approaches to Cyber Security in India and the United Kingdom

Authored by Divij Joshi and edited by Elonnai Hickok — 2017-11-14T15:26:46Z

This report is the first part of a three part series of reports that compares the Indian cyber security framework with that of the U.K, U.S and Singapore.

This report compares laws and regulations in the United Kingdom and India to see the similarities and disjunctions in cyber security policy between them. The first part of this comparison will outline the methodology used to compare the two jurisdictions. Next, the key points of convergence and divergence are identified and the similarities and differences are assessed, to see what they imply about cyber space and cyber security in these jurisdictions. Finally, the report will lay out recommendations and learnings from policy in both jurisdictions.

Read the full report here

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-legal-and-regulatory-approaches-to-cyber-security-in-india-and-the-united-kingdom

Response Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector

Amber Sinha, Elonnai Hickok and Udbhav Tiwari — 2019-03-13T00:27:30Z

CIS submitted its comments on the consultation paper on privacy, security and ownership of data in telecom sector which was published by the Telecom Regulatory Authority of India on August 9, 2017.

The submission is divided in four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the full submission made to the Telecom Regulatory Authority of India on November 6, 2017.

For more details visit https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector