<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 1011 to 1025.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/operational-design"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/uid-budget"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/biometrics"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/finance-and-security"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/popular-myths-about-uid"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/consumer-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/operational-design">
    <title>Open Letter to the Finance Committee: Operational Design</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/operational-design</link>
    <description>
&lt;b&gt;The objective of the UID project is to provide identity infrastructure that is not susceptible to fraud or error. This note highlights parts of the operational design of the project which are flawed. We plead that each point be taken into consideration and that the design be suitably revised.&lt;/b&gt;
        
&lt;h3&gt;Flawed aspects of the operational design&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;During enrolment: false identities&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Initial proof of one’s identity is best established through multiple, standardized documents. The UID lists seventeen acceptable documents.&lt;a href="#1"&gt;1&lt;/a&gt; Acceptance and verification of only one of these documents is necessary for enrolment. This is a lower standard than existing forms of identity such as the Passport or the PAN card.&lt;a href="#2"&gt;2&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;During transactions: technology will not solve corruption&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;In every transaction that requires the use of the &lt;em&gt;Aadhaar&lt;/em&gt; number, there are four points where corruption is possible and delivery of services will not take place:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;The technology fails, and does not perform authentication;&lt;/li&gt;&lt;li&gt;The authority fails and delivers a false positive or false negative;&lt;/li&gt;&lt;li&gt;The local administrator fails to deliver the service after authentication;&lt;/li&gt;&lt;li&gt;The biometric fails due to biological changes, and thus the individual is denied benefits; and&lt;/li&gt;&lt;li&gt;Fraudulent use of face biometrics at the transaction level.&lt;/li&gt;&lt;/ol&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;During transactions: high cost of centralization with limited benefits&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Verifying unique identity for every transaction will introduce an unnecessary authentication overhead. In the UID Bill, there is provision for standardized authentication fees.&lt;a href="#3"&gt;3&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;At some point service providers will pass the authentication cost on to residents as a required authentication fee. This will take place with no entitlement to any service and no guarantee against fraud.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;During redressal: no guarantee of quick and adequate remedies&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The delivery of services is guaranteed only when there is an alternative way for transactions to be completed. If an &lt;em&gt;Aadhaar&lt;/em&gt; number holder attempts to complete a transaction, and the UIDAI rejects it, the individual can make a request for re-verification with the registrar.&lt;a href="#4"&gt;4&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If the UIDAI still rejects the request, the individual must file a complaint with the UIDAI contact centre and wait for appropriate remedial action,&lt;a href="#5"&gt;5&lt;/a&gt; yet the UIDAI is not liable for the loss of service.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;strong&gt;During upgrades of the system: patchwork approach to data protection&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Proactive data protection is more secure than reactive data protection. The data protection legislation that is meant to secure data processed in the UID project will be established only after the UID bill becomes law. One can only assume that the UID will respond to every new policy development in a patchwork fashion.&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="1"&gt;1 http://uidai.gov.in/index.php?option=com_fsf&amp;amp;view=faq&amp;amp;Itemid=206&amp;amp;catid=24&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="2"&gt;2 http://passport.nic.in/, http://nrisharejunction.com/pan.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="3"&gt;3 Chapter 3, Section 23 (2) (o): The National Identification Authority of India Bill 2010&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="4"&gt;4 http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="5"&gt;5 http://uidai.gov.in/images/FrontPageUpdates/aadhaarhandbookver1.2.pdf pg.18&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/operational-design'&gt;https://cis-india.org/internet-governance/blog/privacy/operational-design&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-02-17T10:02:46Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/uid-budget">
    <title>Open Letter to the Finance Committee: UID Budget</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/uid-budget</link>
    <description>
&lt;b&gt;This note presents aspects of the UID project that have not been considered or incorporated into the UID’s budget. The costs include re-enrollment, loss in human time, and the cost of the audit function.&lt;/b&gt;
        
&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Cost of re-enrollment&lt;/strong&gt;&lt;br /&gt;In the report 'Biometrics Design Standards for UID Applications' &lt;a href="#1"&gt;1&lt;/a&gt; a pilot study in India concluded that about two to five per cent of the people did not have viable biometric data. This has not been taken into account when setting the program budget. Biometrics change over time, so re-enrollment will be required. The UIDAI states that, given the changing nature of biometric data, biometrics would be collected every five years for children and every ten years for adults. The current project does not give a clear picture of the extent to which re-enrollment will be required, or of how the additional costs will be accounted for.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cost of loss in human time&lt;/strong&gt;&lt;br /&gt;A time and motion study is a tool used to enhance business efficiency and ensure cost effectiveness by reducing the number of motions in performing a task. In its budget, the UIDAI has accounted for the salaries of individuals associated directly with the UIDAI. It has not accounted for the loss in human time suffered by individuals whose daily routine will be impacted by the UID. If a time and motion study were done on the UID project alone, one would find that individuals not paid by the UIDAI lose potential wages due to the unpaid time they must dedicate to the scheme, or that businesses will be forced to compensate for the extra time required for each transaction by providing additional personnel. For example: on a train, the number of train masters present is calculated according to how many individuals each train master can check and process. With the UID, in order to prevent fraud around subsidized train tickets, individuals on the train will have their biometrics checked and authenticated.
The comparison below demonstrates how authenticating an individual by their UID and biometric incurs a loss in human time, and thus the process of collecting train tickets will require more train masters to complete.&lt;br /&gt;&lt;em&gt;Current Process:&lt;/em&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Present ticket to train master&lt;/li&gt;&lt;li&gt;Train master checks identity card and identity on ticket&lt;/li&gt;&lt;li&gt;Train master ticks ticket, and ticks his list to indicate verification&lt;/li&gt;&lt;/ul&gt;
&lt;em&gt;Process with biometrics:&lt;/em&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Present &lt;em&gt;Aadhaar&lt;/em&gt; number, fingerprint, and ticket to train master&lt;/li&gt;&lt;li&gt;Train master takes a reading of your fingerprint and sends it to the central database&lt;/li&gt;&lt;li&gt;Train master waits for approval from the CIDR&lt;/li&gt;&lt;li&gt;The CIDR gives a yes or no response&lt;/li&gt;&lt;li&gt;If the answer is no, the train master swipes your finger five times, and then finds alternate forms of identification&lt;/li&gt;&lt;li&gt;Train master provides proof of verification&lt;/li&gt;&lt;/ul&gt;
&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Cost of audit function&lt;/strong&gt;&lt;br /&gt;The bulk of the UID enabled transactions will have financial implications. Every financial transaction involves three or four parties: the person who collects the payment, the person who prepares the documentation, the person who approves the documentation, and finally the person who audits the documentation. In such a context the technology can play the role of the person who collects, prepares, and approves each transaction. The role of auditing the transaction cannot be played by technology. The audit function is human, and the audit function needs to be worked into the project budget.&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&lt;a name="1"&gt;1 “Biometrics Design Standards for UID Applications” pg.22&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/uid-budget'&gt;https://cis-india.org/internet-governance/blog/privacy/uid-budget&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-02-17T11:18:16Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/biometrics">
    <title>Open Letter to the Finance Committee: Biometrics</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/biometrics</link>
    <description>
&lt;b&gt;This note points out the weaknesses inherent in biometrics and the pitfalls in using them. It recommends procedural safeguards that should be adopted by the UID in order to make the use of biometrics more secure and inclusive.&lt;/b&gt;
        
&lt;ol&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Biometrics are not centrally stored and are used only for identification&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Biometrics, as our first letter notes,&lt;a href="#1"&gt;1&lt;/a&gt; are better suited for identification and are inappropriate for authentication. Therefore, the central server need not store biometric information; it need only store the public key of each citizen's digital signature.&lt;a href="#2"&gt;2&lt;/a&gt; Biometrics on a smart card for authentication will allow service providers to determine whether the card is being carried by the right person. This configuration of biometrics has many positives:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;It is cost effective&lt;/li&gt;&lt;li&gt;It is more secure&lt;/li&gt;&lt;li&gt;It places the control of biometric information in the hands of the data subject&lt;/li&gt;&lt;/ul&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Use encrypted data, rather than live data &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The UID scheme has stated that biometrics will be encrypted, but has not provided further details.&lt;a href="#3"&gt;3&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;It is recommended that:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Biometrics are encrypted whenever they are used, stored or transferred;&lt;/li&gt;&lt;li&gt;A biometric is encrypted to such a degree that it is not possible to reconstruct the biometric data; and&lt;/li&gt;&lt;li&gt;After an encrypted version of the biometric is made, the original biometric is deleted.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;In order to perform an identification check, the biometric presented should be encrypted and then compared to the encrypted version stored on the card. If the card is stolen, the thief would not be able to harvest biometrics.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security clearance for all associated entities and personnel &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;UID registrations and transactions will be handled by 'registrars' or in other words personnel who work at organizations not directly under the control of the UIDAI. A clear process associated with who can perform transactions and a proper audit system is needed to prevent 'insider' attacks.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Clearly defined alternate identification factors &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;There are many situations in which a biometric cannot be accepted in a transaction, for example when the biometric changes, is misread, or is unreadable. The UID has recognized this possibility and has stated: &lt;em&gt;“In case of authentication, the operator needs to find an alternate method of authentication if fingerprint verification fails. The operator/application would not know the cause of verification failure. A timeout will be implemented in service after five attempts.”&lt;/em&gt;&lt;a href="#4"&gt;4&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The alternative identity factors that will be accepted need to be clearly defined and articulated.&lt;/p&gt;
&lt;/li&gt;&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Standards for acceptance of biometrics as an authentication factor&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The UIDAI has proposed a whole range of authentication factors: pin, password, partial biometrics, full biometrics, mobile phone and combinations thereof.&lt;a href="#5"&gt;5&lt;/a&gt; Some of these authentication factors may also be presented by the data subject over the Internet. As our previous letters have stated, some authentication factors are more secure than others. Therefore, the UIDAI should publish standards for acceptance of different authentication factors based on the security requirements of different types of transactions. Even if biometrics are used as an authentication standard, in our opinion they should only be used for trivial transactions without major financial or citizenship implications.&lt;/p&gt;
&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;&lt;strong&gt;Footnotes:&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="1"&gt;1 http://www.cis-india.org/advocacy/igov/privacy-india/letter-to-finance-committee&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="2"&gt;2 Distinguish and separate the authentication process from the identification process: identification is a comparison of one set of biometric data against all sets of collected biometrics in one central database to verify the identity of the owner of the biometric data. Authentication is a comparison of a biometric against a stored template to validate the existence of that specific biometric.&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="3"&gt;3 http://uidai.gov.in/index.php?option=com_fsf&amp;amp;view=faq&amp;amp;Itemid=206&amp;amp;catid=7&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="4"&gt;4 Biometric Design Standards for UID Applications: pg 37&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a name="5"&gt;5 UIDAI Strategy Overview. Creating a Unique Identity Number for Every Resident in India. Pg. 28&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/biometrics'&gt;https://cis-india.org/internet-governance/blog/privacy/biometrics&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-02-17T13:12:22Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/finance-and-security">
    <title>Open Letter to the Finance Committee: Finance and Security </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/finance-and-security</link>
    <description>
&lt;b&gt;This note explores the three connections between finance and security and demonstrates the cost implications of operating a centrally designed identity management system as proposed by the UID. In doing so, it shows how the monitoring, storing, and securing of transactional data in a centralized database fall short of meeting the project's objective of authentication, and are thus an additional cost. Further, it is argued that blanket monitoring of the transaction database is not an effective method of detecting fraud, and is an expensive component of the project.&lt;/b&gt;
        
&lt;ul&gt;&lt;li&gt;Operating a centralized identity management system that requires the use of a remote database for every transaction is always more expensive than a decentralized identity management system that could optionally use a local database.&lt;/li&gt;&lt;/ul&gt;
&lt;h3&gt;Centralized database costs&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Both public and private keys must be centrally stored&lt;/li&gt;&lt;li&gt;All transactions require connectivity for the sending and receiving of authentication data, and have an associated connectivity cost&lt;/li&gt;&lt;li&gt;Securing all data at a central database has augmented costs&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;Decentralized database costs&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Only the public key must be centrally stored&lt;/li&gt;&lt;li&gt;Some transactions require connectivity for the sending and receiving of authentication data&lt;/li&gt;&lt;/ol&gt;
&lt;ul&gt;&lt;li&gt;The cost of building an identity management system that includes recording, monitoring, and securing each transaction is more than the cost of building only an identity authentication system. The goal of the project is to identify a person. Recording each transaction will add unnecessary cost.&lt;/li&gt;&lt;/ul&gt;
&lt;table style="text-align: center;" class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td style="text-align: left;"&gt;Cost of identity authentication system&lt;/td&gt;
&lt;td style="text-align: left;"&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left;"&gt;Cost of monitoring transactions&lt;/td&gt;
&lt;td style="text-align: left;"&gt;&amp;gt; Cost of identity authentication system&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td style="text-align: left;"&gt;Cost of securing transaction data&lt;/td&gt;
&lt;td style="text-align: left;"&gt;&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;ul&gt;&lt;li&gt;Increasing security or fighting fraud can be done in two ways: through a targeted approach or through blanket monitoring. The UID scheme, through the monitoring of a transaction database featuring trillions of transactions by 1.2 billion people, is a blanket approach, and will provide a lower return on investment than a targeted approach.&lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/finance-and-security'&gt;https://cis-india.org/internet-governance/blog/privacy/finance-and-security&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-02-17T11:57:42Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary">
    <title>Privacy Matters — Conference Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary</link>
    <description>
        &lt;b&gt;A one-day conference on Privacy Matters was held on Sunday, 23 January 2011 at the National University of Juridical Sciences (NUJS) Law School in Kolkata. This was the first of a series of eleven conferences on ‘privacy’ that Privacy India is scheduled to host in different Indian cities from January to June this year. Members of Parliament, Sri Manoj Bhattacharya from the Revolutionary Socialist Party (RSP) and Sri Nilotpal Basu from the Communist Party of India (Marxist) CPI (M) spoke in the conference. Students, the civil society and lawyers also participated in it.&lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;The conference was held to discuss elements of the privacy legislation that has been proposed to the Parliament of India, and the UID Bill and project. The conference focused on the tensions between privacy and society that exist in India today, and acted as a space for opinion sharing and discussion. Privacy India was formed under the auspices of Privacy International, a UK based organization that works to protect the right to privacy around the world, the Centre for Internet and Society (CIS), an NGO based in Bangalore, and the Society in Action Group (SAG), an NGO based in Delhi; these organizations joined hands to host this event.&lt;/p&gt;
&lt;p&gt;Rajan Gandhi, founder of SAG, opened the conference with an explanation of the mandate of Privacy India, the objective of which is to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. One of Privacy India's goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, legislators and the legal and academic community.&lt;/p&gt;
&lt;h3&gt;Keynote&lt;/h3&gt;
&lt;p&gt;The keynote speech was delivered by Dr. Sudhir Krishnaswamy, professor of law and governance. Dr. Krishnaswamy began by outlining the present situation of privacy in India. The right to privacy has been read into Sections 19 and 21 of the Constitution of India through case law, which has defined privacy — among other things — as the right to personal autonomy, the right against unreasonable search and seizure, and as a fundamental right that is critical to the person, but does not supersede public or national interest. Dr. Krishnaswamy also raised many intriguing questions, including: what does privacy mean to India — is it linked to a person’s dignity and their honour? Or is it purely concerned with misappropriation of information? And further, is privacy in India an issue of the individual or an issue of the family and the community? He also described the philosophical groundings of privacy as being in the right to dignity, the right to autonomy, and the misappropriation of information.&lt;/p&gt;
&lt;h3&gt;Privacy Challenges&lt;/h3&gt;
&lt;p&gt;The conference was spread over three sessions. In the first session Prashant Iyengar, head researcher of the project at Privacy India, spoke about the challenges that India specifically is facing in shaping privacy legislation, including: the need to balance the right to information/transparency and privacy, the need to create a definition of privacy that does not exclude lower classes and is not a negative right but instead a positive right, and the problem of ubiquitous surveillance that is happening in society today. Elonnai Hickok, policy analyst at Privacy India, spoke specifically on wire tapping and the Nira Radia tapes. In her presentation she first outlined other countries' definitions of privacy, which include: the right to be left alone, the protection from unauthorized searches, and the right to control information about oneself through consent. Using the case study of Nira Radia and Ratan Tata, she spoke about the rising concern of wire tapping in the country as being indicative of a social change in the relationship between the state and the citizen. Elonnai also raised questions concerning whether privacy should be made inversely proportional to public standing for public figures, and whether public interest will always supersede the private right of individuals.&lt;/p&gt;
&lt;h3&gt;UID and Privacy&lt;/h3&gt;
&lt;p&gt;The second session of the conference focused on the UID Bill and privacy. Presentations from NUJS students Amba Kak and Sai Vinod raised concerns about the UID project and privacy. Their presentation also compared and contrasted identity schemes of other countries with the UID. A few similarities that they found amongst all schemes were: the collection of data, the processing of data, and the storing of data. Deva Prasad from the National Law School of Bangalore presented on constitutional elements of the UID scheme, ranging from loopholes in the Bill to connections that can be made when the UID Bill is placed in the larger picture. Sri Manoj Bhattacharya (MP) from RSP voiced his concerns about the UID, and emphasized that by giving an individual a number which acts as their fundamental identity, which they use to function in society, the government is in fact eroding an individual’s actual identity, and that this is an invasion of privacy. Sri Nilotpal Basu (MP) from CPI (M) spoke out strongly against the UID, voicing that his greatest concern with the UID is that it will be a way for corporate bodies to target individuals as consumers, and that privacy legislation could be used as a way for corporate bodies to hide from the public eye.&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;In the concluding session the floor was opened up to the public for questions and opinion sharing. Many participants shared what they believed needed to be included in privacy legislation, and what issues a privacy legislation needs to address. A few of these include: privacy rights and the media, privacy and the right to information, the privacy rights of minorities, and the privacy rights of the government. Types of regulatory models for privacy were also discussed. For instance, should privacy in India be represented and protected through a data protection law, or should privacy be seen as a fundamental right? Should privacy be represented through a broad framework, or through sector specific statutes? What should the redressal and enforcement mechanisms look like?&lt;/p&gt;
&lt;p&gt;As seen from the presentations and the comments at the conference, one thing which is clear is that privacy is an issue that concerns every person in India. Over the next six months Privacy India will be conducting ten more conferences in different Indian cities to engage the public in dialogues on privacy and raise awareness around the issues of privacy. The next workshop will be held on 5 February 2011 in Bangalore.&lt;/p&gt;
&lt;p&gt;Download the conference summary &lt;a href="https://cis-india.org/internet-governance/blog/privacy-kolkata-report" class="internal-link" title="Privacy India Calcutta Conference"&gt;here&lt;/a&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-nujsconference-summary&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-01-27T10:22:55Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/popular-myths-about-uid">
    <title>4 Popular Myths about UID</title>
    <link>https://cis-india.org/internet-governance/popular-myths-about-uid</link>
    <description>
        &lt;b&gt;By now, there is already a lot of material in the public domain that is critical about the UID/Aadhar project, writes Prashant Iyengar in this blog entry published in Privacy India on January 22, 2011.&lt;/b&gt;
        
&lt;p&gt;(See &lt;a class="external-link" href="http://aadhararticles.blogspot.com/"&gt;aadhararticles.blogspot.com&lt;/a&gt; for an exhaustive catalogue). Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme.&lt;/p&gt;
&lt;p&gt;I do not intend to rehearse these arguments in this post. Instead, I pick four somewhat obscure, but troublesome assertions made about the UID and test their veracity against documents available on the UIDAI site itself. The purpose is to cut through all the equivocation behind the claims that UID officials have been making, and arrive at some minimal clarity on what the UID is (and isn’t).&lt;/p&gt;
&lt;h3&gt;Registration is voluntary!&lt;/h3&gt;
&lt;p&gt;How does one make sense of Nandan Nilekani’s cryptic remark, “I wouldn’t call it compulsory. I would rather say that it will become ubiquitous”?&lt;br /&gt;&lt;br /&gt;In a sense, this is true enough. Nowhere in the entire bulk of UID documentation will you encounter the express words “mandatory” or “compulsory”. Hence, proved! But that isn’t to say that there is any way you will be able to avoid getting registered.&lt;br /&gt;&lt;br /&gt;Very rapidly, accessing basic services and your very status as a citizen will be conditional on your possessing an Aadhar number. This is owing to the complex operational structure that the UID Scheme adopts, which leaves the task of enrollment entirely in the hands of third-party ‘Registrars’ who include a host of Central and State social security and welfare departments (including the Ministry of Rural Development, which administers the rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on one’s consent to UID registration. In practice, many of them have made, and will continue to make, UID registration a preliminary formality before access is granted to their services. So your ‘freedom’ to resist UID registration will depend on your ability to forgo your minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.&lt;br /&gt;&lt;br /&gt;And if miraculously you are able to subsist without these services, there is still one minor detail that is seldom mentioned in conversations about UID: without a UID number, you will not be counted as a citizen of India. This is owing to the fact that the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, also happens to be a ‘Registrar’ for the purposes of the UID, which means that one’s registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 make it mandatory for everyone to be enrolled in the National Population Register. So, paradoxically, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.&lt;/p&gt;
&lt;p&gt;In other words, the UID scheme avoids the charge of being compulsory, by outsourcing its compulsion entirely.&lt;/p&gt;
&lt;h3&gt;The UID Scheme will only collect a minimal set of information&lt;/h3&gt;
&lt;p&gt;A frequently made assertion about the UID scheme is that the data collected will be limited to a standard set of information like one’s name, residence, date of birth, photo, all 10 fingerprints and iris image. Once again, this is only a half-truth. As mentioned previously, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the MOUs which the UIDAI has signed with Registrars enabling them to collect additional data that “is required for their business or service”. Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts.[i]&lt;br /&gt;&lt;br /&gt;To employ a telling epithet found in one of the UID documents, the ‘Registrars own the process of enrollment’.&lt;/p&gt;
&lt;h3&gt;Privacy is guaranteed&lt;/h3&gt;
&lt;p&gt;Although the UIDAI makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;To begin with, the responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI’s own responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars – by which time the information has already passed through many hands, including the Enrolling Agency and the Intermediary who passes on information from the Registrar to the UIDAI.&lt;/li&gt;&lt;li&gt;Rather than setting out an explicit redressal mechanism and a liability regime for privacy violations, the UID’s documents stop at loosely describing the responsibility of the Registrars as a ‘fiduciary duty’ towards the resident/citizen’s information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified, and Registrars are free to make what use of the data they see fit.&lt;/li&gt;&lt;li&gt;In addition, the Registrars are mandated to keep copies of all documents collected from the Resident, either in physical or scanned form, “till the UIDAI finalizes its document storage agency.”[ii]&lt;/li&gt;&lt;li&gt;The ‘Data Protection and Security Guidelines’ which the UIDAI requires all Registrars to observe merely contain pious injunctions calling on them to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.&lt;/li&gt;&lt;li&gt;Although the Draft National Identification Authority of India Bill penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate that service providers positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.&lt;/li&gt;&lt;li&gt;In other words, the individual’s right to privacy is only as strong as the weakest link in the elaborate chain of information collection, processing and storage.&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;The UIDAI will not disclose any information and will only authenticate information with Yes/No answers&lt;/h3&gt;
&lt;p&gt;This is another of the misleading claims frequently made by the UID Authority. Thus, for instance, in April 2010, in response to a question in the course of an interview, Nandan Nilekani said “UID itself has very limited fields, it has only four or five fields — name, address, date of birth, sex and all that. But it also does not supply this data to anybody... the only authentication you can get from our system is a yes or no. So, you can’t query and say what’s this guy’s name or what’s his date of birth, you can’t get all that.”[iii]&lt;br /&gt;&lt;br /&gt;This statement is, however, belied by many of the UIDAI’s own documents.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of “the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct”. In practice, prior “written consent” for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.[iv] Moreover, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her “consent”.&lt;/li&gt;&lt;li&gt;The draft NIA Bill permits the authority to “make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge”. There is nothing in the Act that requires that this information be made available on an individual basis – in other words, it is possible for the data to be shared en masse with any agency “in the interests of national security”.&lt;/li&gt;&lt;li&gt;There is nothing preventing “Registrars” who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register can be shared in whichever manner the Registrar General of India chooses – irrespective of what the UIDAI does with that information.&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;So, while ordinarily the UIDAI would do no more than give Yes/No responses, there are mechanisms already in place that presume that all this information will be made available, on demand, to whichever agency happens to be interested.&lt;/p&gt;
&lt;p&gt;[i] UID project picks up pace. Indian Express, 2011. Available at: &lt;a class="external-link" href="http://www.indianexpress.com/story-print/735790"&gt;http://www.indianexpress.com/story-print/735790&lt;/a&gt; [Accessed January 22, 2011].&lt;br /&gt;[ii] UIDAI – Document Storage Guidelines for Registrars, Ver. 1.2, August 2010.&lt;br /&gt;[iii] To issue first set of UIDs by Feb 2011: Nilekani. CNBC-TV18 / Money Control, 2010. Available at: &lt;a class="external-link" href="http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html"&gt;http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html&lt;/a&gt; [Accessed January 22, 2011].&lt;br /&gt;[iv] For instance, a flowchart of the Resident Enrollment Process issued by the UID stipulates “Record Resident’s consent for Information Sharing” as the tenth step in the enrollment process. Unless this step is followed, the enrollment process cannot proceed!&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://privacy-india.org/2011/01/22/4-popular-myths-about-the-uid/"&gt;Click&lt;/a&gt; to read the original here&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/popular-myths-about-uid'&gt;https://cis-india.org/internet-governance/popular-myths-about-uid&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Prashant Iyengar</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-06-20T04:37:08Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee">
    <title>An Open Letter to the Finance Committee: SCOSTA Standards</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee</link>
    <description>
&lt;b&gt;The UID Bill has been placed before the Finance Committee for review and approval. Through a series of open letters to the Finance Committee, civil society is asking the committee to reconsider and change certain aspects of the Bill and the project. The note below compares the SCOSTA standard with the Aadhaar biometric standard, and explains why we believe the SCOSTA standard should replace the Aadhaar biometric standard for the authentication process in the UID scheme.&lt;/b&gt;
        &lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;This note is intended to demonstrate how the Aadhaar biometric standard is weaker than the SCOSTA standard. Through a comparison of the SCOSTA standard-based smart card and the Aadhaar biometric-based identification number, it will show how the SCOSTA standard is a more secure, structurally sound, and cost-effective approach to authentication of identity for India. Though we recognize that Aadhaar biometrics are useful for the de-duplication and identification of individuals, we believe that the SCOSTA standard is more appropriate for the authentication of individuals. Thus, we ask that the Aadhaar biometric-based authentication process be replaced with a SCOSTA standard-based authentication process.&lt;/p&gt;
&lt;h3&gt;A background of the two standards&lt;/h3&gt;
&lt;p&gt;The SCOSTA standard is used in smart cards and was developed by the National Informatics Centre in India. It is:&lt;/p&gt;
&lt;p&gt;1. Compliant with the international standard ISO 7816 for smart cards.&lt;/p&gt;
&lt;p&gt;2. Based on a public/private key pair and a PIN as authentication factors.&lt;/p&gt;
&lt;p&gt;(“Authentication factor” here refers to an individual’s keys, pass-phrases and PIN.)&lt;/p&gt;
&lt;p&gt;The biometric standard authenticates the identity of an individual based on his or her physical fingerprints and iris scans (in the case of the UID). The standard:&lt;/p&gt;
&lt;p&gt;1. Verifies whether the individual exists within a known population by comparing the captured biometric data against those of other individuals stored in a secured centralized database.&lt;/p&gt;
&lt;p&gt;2. Is based on a symmetric authentication factor: the verifier must hold the same template that the individual presents, so every verification is a lookup against that central store.&lt;/p&gt;
&lt;h3&gt;A comparison of the two standards&lt;/h3&gt;
&lt;table class="plain"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Standard &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;SCOSTA  -  MNIC smart card&lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Aadhaar Biometric  - UID number &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Architecture &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Decentralized &lt;/b&gt;&lt;br /&gt;The SCOSTA standard relies on a public/private key pair combined with a PIN, so verification can be structured in a decentralized manner: a verifier checks the card against its public key without querying a central database&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Centralized&lt;/b&gt;&lt;br /&gt;The Aadhaar biometric standard relies on symmetric authentication factors, so verification must be structured in a centralized manner: every authentication is a query to the central template database&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Standards for Technology &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Open standard&lt;br /&gt;&lt;/b&gt;Creates security through transparency &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Closed standard &lt;/b&gt;&lt;br /&gt;Creates security through obscurity &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Points of failure &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;No single point of failure&lt;/b&gt;&lt;br /&gt;Because the SCOSTA structure is decentralized, the compromise of any one database exposes only the data held there, not all of it&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Single point of failure &lt;/b&gt;&lt;br /&gt;Because the Aadhaar biometric structure is centralized, the compromise of the central database exposes all data at once&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Impact on local industry &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Encourages&lt;/b&gt;&lt;br /&gt;Open standards allow local industry to compete in manufacturing technology&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Discourages&lt;/b&gt;&lt;br /&gt;Closed standards allow foreign players to monopolize the manufacturing of technology &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Cost analysis &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Cost effective &lt;/b&gt;&lt;br /&gt;Increased competition keeps prices low &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Cost ineffective &lt;/b&gt;&lt;br /&gt;Decreased competition keeps prices high&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Revocation&lt;/b&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Revocable&lt;/b&gt;&lt;br /&gt;If the key pair and PIN are stolen, a new key pair and PIN can be issued&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Permanent&lt;/b&gt; &lt;br /&gt;If the biometrics of an individual are stolen, they cannot be re-issued &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Possibility of fraudulent authentication &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Lower&lt;/b&gt;&lt;br /&gt;A thief must steal your smart card and your secret PIN to commit fraud &lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Higher&lt;/b&gt;&lt;br /&gt;A thief only needs to collect your fingerprints using a glass tumbler to commit fraud &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;b&gt;Viability of Technology&lt;/b&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Proven effective for large populations &lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;td&gt;&lt;b&gt;Not proven effective for large populations&lt;/b&gt;&lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
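&lt;p&gt;The following Python program is an added example and is not part of the CIS note, the SCOSTA specification or any UIDAI document. It models the two architectures the table contrasts: a SCOSTA-style card that signs a fresh challenge with a private key unlocked by a PIN and is checked by a verifier holding only a local copy of the issuer’s public keys and revocation list, beside a central biometric store that answers yes/no against a stored template. The key generation (textbook RSA with no padding), the card identifiers, the PINs and the template string are all constructed for the illustration; real cards use standardised signature padding and real biometric matchers are fuzzy, but neither changes the property shown: a stolen card can be revoked and reissued, a lifted fingerprint cannot.&lt;/p&gt;

```python
"""Added example (not part of the CIS open letter): a runnable toy model of the
two authentication architectures compared in the table above.

  SmartCard / OfflineVerifier  - SCOSTA-style: a private key that never leaves
      the card, unlocked by a PIN; each verifier holds a local copy of the
      issuer's public keys and revocation list, so authentication needs no
      query to a central database and a stolen card can be revoked and reissued.
  CentralBiometricStore        - Aadhaar-style: a template matched against a
      central store, answering yes/no; a copied template cannot be revoked.

The RSA is textbook (hash signed directly, no padding) and the biometric
template is an exact-match string; both are stand-ins chosen so the block runs
on the standard library alone.
"""
import hashlib
import random
import secrets


# ---- toy RSA key generation (Miller-Rabin primes), not for production ----------

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n in (2, 3):
        return True
    if n == 1 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (2 ** (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)): public exponent e, private exponent d."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_to_int(card_id, nonce):
    """Bind the signature to both the card identity and the fresh challenge."""
    return int.from_bytes(hashlib.sha256(card_id.encode() + nonce).digest(), "big")


class SmartCard:
    """Tamper-resistant token: signs a challenge only after the correct PIN."""
    MAX_TRIES = 3

    def __init__(self, card_id, private_key, pin):
        self.card_id = card_id
        self._private_key = private_key            # never exported by the card
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._tries_left = self.MAX_TRIES

    def sign_challenge(self, pin, nonce):
        if self._tries_left == 0:
            raise PermissionError("card blocked after too many wrong PINs")
        if hashlib.sha256(pin.encode()).digest() != self._pin_hash:
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self.MAX_TRIES
        d, n = self._private_key
        return pow(_digest_to_int(self.card_id, nonce), d, n)


class OfflineVerifier:
    """Service-side terminal holding public keys and a revocation list locally,
    so it verifies without contacting any central database at auth time."""

    def __init__(self, public_keys, revoked_card_ids=()):
        self.public_keys = dict(public_keys)       # card_id -> (e, n)
        self.revoked = set(revoked_card_ids)       # distributed like a CRL

    def authenticate(self, card, pin):
        if card.card_id in self.revoked or card.card_id not in self.public_keys:
            return False
        nonce = secrets.token_bytes(16)            # fresh challenge: defeats replay
        try:
            signature = card.sign_challenge(pin, nonce)
        except PermissionError:
            return False
        e, n = self.public_keys[card.card_id]
        return pow(signature, e, n) == _digest_to_int(card.card_id, nonce)


class CentralBiometricStore:
    """Central 1:1 matcher: stores a template per UID and answers yes/no.
    Exact string comparison stands in for a fuzzy biometric matcher."""

    def __init__(self):
        self._templates = {}                       # uid -> template

    def enrol(self, uid, template):
        self._templates[uid] = template

    def authenticate(self, uid, presented_template):
        return self._templates.get(uid) == presented_template


def demo():
    """Walk through theft and recovery under both models; returns the outcomes."""
    outcome = {}

    # --- card model ------------------------------------------------------------
    pub, priv = generate_keypair()
    card = SmartCard("card-001", priv, pin="4821")     # constructed id and PIN
    verifier = OfflineVerifier({"card-001": pub})
    outcome["card_ok"] = verifier.authenticate(card, "4821")
    outcome["card_wrong_pin"] = verifier.authenticate(card, "0000")

    # Worst case for the card model: the thief has the card *and* the PIN.
    clone = SmartCard("card-001", priv, pin="4821")
    outcome["clone_before_revocation"] = verifier.authenticate(clone, "4821")

    # Recovery: revoke the lost card, issue a new key pair and PIN (table: Revocable).
    verifier.revoked.add("card-001")
    new_pub, new_priv = generate_keypair()
    verifier.public_keys["card-002"] = new_pub
    new_card = SmartCard("card-002", new_priv, pin="7730")
    outcome["clone_after_revocation"] = verifier.authenticate(clone, "4821")
    outcome["new_card_ok"] = verifier.authenticate(new_card, "7730")

    # --- biometric model -------------------------------------------------------
    store = CentralBiometricStore()
    store.enrol("1234-5678-9012", "fp-template-A")    # constructed sample template
    outcome["bio_ok"] = store.authenticate("1234-5678-9012", "fp-template-A")
    lifted = "fp-template-A"                          # print lifted from a glass (table row)
    outcome["bio_lifted"] = store.authenticate("1234-5678-9012", lifted)
    # There is no revoke-and-reissue step: the finger is the only credential.
    return outcome


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

&lt;p&gt;Run it as a script to print each step. The decisive lines are clone_after_revocation and bio_lifted: the thief who holds the old card, its key and the PIN is refused as soon as the verifier’s local revocation list is updated, while the lifted template keeps matching for as long as the person has that finger, and the only remedy the central store could offer is to remove the enrolment altogether.&lt;/p&gt;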
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee'&gt;https://cis-india.org/internet-governance/blog/privacy/letter-to-finance-committee&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-12-20T03:58:09Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers">
    <title>The Privacy Rights of Whistleblowers </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers</link>
    <description>
&lt;b&gt;The recent disclosures from Wikileaks have shown that the right to information, whistle-blowing, and privacy are interconnected. This note looks at the different ways in which the three are related, and at the benefits and drawbacks of Wikileaks in terms of privacy.&lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;In a recent interview, the Canadian Privacy Commissioner was quoted as saying “Information and the manipulation of information is the key to power. Those who can control the information can influence society enormously.” History and present-day society have both proven the truth of this statement. It is one among many reasons that the right to information is important to uphold. In India, and in other countries, there are statutes – in India, the Right to Information Act – that entitle the public to request and receive information that pertains to public bodies and their conduct, information that is publicly available because it is intrinsically related to the public interest. An entirely separate but equally critical way in which the public is kept informed is through whistle-blowing. Traditionally, whistle-blowing is any disclosure made in the name of the public interest. Recent events such as the Ratan Tata case and the leaks of US diplomatic cables have brought to light the relationship between the public’s right to information, the rights of whistleblowers, and the rights of individuals to privacy. These recent cases have shown that the right to information, whistle-blowing, and the right to privacy are interconnected, because privacy can provide individuals with the means to sustain autonomy against potentially overwhelming forces of government and persons who might have mixed motivations. The right to information and whistle-blowing are means by which the government is held accountable to the public if it violates the law or the public trust. The Wikileaks case and the Ratan Tata case raise important questions about when those two interests need to give way to private interests. One of the key questions that Wikileaks raises is: if whistleblowing is supposed to be disclosure in the public interest – i.e., to protect the public – should disclosure of personal information be permissible only if a person can demonstrate that he or she is trying to remedy or avoid actual wrongdoing, rather than simply publishing information that is “interesting to the public”?&lt;/p&gt;
&lt;h3&gt;What is a Whistleblower and how does a Whistleblower Benefit from Wikileaks? &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Whistleblowing is the modern counterpart to “informers” – people who reveal others’ wrongdoing. Much whistleblowing occurs by going “up the chain” in a person’s own department, agency or company. If the person is reporting wrongdoing and ultimately goes to the authorities about illegal activity, the individual reporting the leak can sometimes get immunity for his or her own actions, can sometimes collect part of the penalties, and can under certain statutes in some countries even bring suit if the company retaliates against him – for example, by firing him. In this way traditional whistleblowing places the responsibility for legal and ethical conduct on employees, who are better situated to see wrongdoing than outsiders would be. In many countries, a person may present information of a whistleblowing nature to a judicial body. The judicial body then determines the validity of the information, the degree of public interest involved, and the proper form of redress to be taken. The judicial body offers legal protection to the whistleblower. Another method of whistleblowing is to leak information to the press. Once information is in the public domain – at least if there is freedom of the press – the information can no longer be covered up. Neither the right to a free press nor the right to protection as a whistleblower is universal. The current critique of the Indian Whistle Blowing Bill is that the right to protection will not be ensured. A Times of India article issued in September 2010 pointed out that the Bill’s biggest weakness is that its Central Vigilance Commission is designated to play both the role of competent authority to deal with complaints filed by whistleblowers and the role of tribunal to protect whistleblowers. Structuring the power to allow one body to fulfil both functions runs the risk of bias and could breed distrust that would cause people to avoid the system altogether. The article complained that the Bill has no teeth, and that even if the Commission believes that the whistleblowing is valid, it is able only to give advice rather than actually to prosecute individuals. The article recites extreme instances in which individuals have blown the whistle and paid for it with their lives. For example: in 2005 a manager of the Indian Oil Corporation was killed after exposing a scheme in adulterated petrol, and in 2010 an RTI activist was killed after exposing land scams in Maharashtra. In these situations, Wikileaks is an interesting and powerful tool for individuals who either do not want to leak their information to a judicial body or are not protected if they do so in their own country. Leaking information to Wikileaks is in one sense analogous to leaking information to the press, but it is not precisely the same, because Wikileaks is not a news media outlet but instead a way for a person to post information on a mass media outlet. It should be noted, however, that informants who leak to Wikileaks are not afforded the same immunity that individuals who leak to authorities are granted. When an individual shares documents or information with Wikileaks, the site in turn acts as a platform to publish the information on the web and with the press. Being an independent entity that is neither tied down to a certain territory, government, or organisation, Wikileaks has the appeal of impartiality. But the strength of Wikileaks is also its weakness. When 250,000 diplomatic cables were posted, there was no one who understood the context of the content to monitor them and ensure that everything was appropriate to post. As a result, the information was transmitted to an audience who normally would not be entitled to it. In doing so, the leaked information placed individual diplomats in precarious positions that could potentially put them in harm’s way and unnecessarily damage their reputations, as well as putting the reputation of the United States on the line.&lt;/p&gt;
&lt;h3&gt;Privacy and Whistleblowing&lt;/h3&gt;
&lt;p&gt;As a result, the United States is looking to press charges against Julian Assange, founder of Wikileaks, for espionage. The way in which Wikileaks leaked information and the nature of the leak have brought privacy into the picture. When looking at the act of whistleblowing through the lens of privacy, there are obvious privacy concerns for the whistleblower, for the person or entity whose information has been leaked, and for possible third parties involved. Paul Chadwick, the Victorian Privacy Commissioner, pointed out that for the whistleblower the main privacy concerns include the individual’s identity, safety, and reputation. For the alleged wrongdoer the privacy concerns include identity, safety, employment, and liberty (where sanctions may include imprisonment). For third parties, reputation and safety can both be jeopardized by disclosures by whistleblowers. The Wikileaks leaks squarely present the question of whether intent should be brought into the analysis of privacy and whistleblowers. If a whistleblower is disclosing with the intent to protect the public, the protections afforded to this person should weigh differently against the privacy interests of alleged wrongdoers and third parties than for someone who is simply defining the public interest as “interesting to the public”, or, worse, as seen in the false leak by Pakistan against India, is looking to leak information to disrupt the public interest. Even though Wikileaks works to protect the anonymity of individuals who leak information, it is not bound by any law to protect the privacy of individuals involved in the leak. The concept behind Wikileaks is important. By interacting with government information, it has the ability to bring accountability and transparency to governments, but the only regulation over Wikileaks is internal (and thus inherently subjective). Wikileaks needs to change its structure to take into account leaks shared without the intent of protecting the public interest, and even then needs to monitor to prevent leaks that could place individuals in precarious situations or damage reputations with no validating information.&lt;/p&gt;
&lt;hr /&gt;
&lt;h3&gt;Sources:&lt;/h3&gt;
&lt;ul&gt;&lt;li&gt;http://www.ctv.ca/generic/generated/static/business/article1833688.html&lt;/li&gt;&lt;li&gt;Chadwick, Paul. Whistleblowing, Transparency, and Privacy: Aspects of the relationship between Victoria’s Whistleblowers Protection Act and the Information Privacy Act.&lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-wikilileaks-whistleblowers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:47:16Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers">
    <title> UID &amp; Privacy - A Call for Papers </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</link>
    <description>
&lt;b&gt;Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2011.&lt;/b&gt;
        
&lt;h3&gt;Topic&lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Privacy and the UID&lt;/p&gt;
&lt;h3&gt;Submission Deadline&lt;/h3&gt;
&lt;p&gt;By 15 January 2011 to admin@privacyindia.org&lt;/p&gt;
&lt;h3&gt;Word Length&lt;/h3&gt;
&lt;p&gt; 3,000-5,000 words&lt;/p&gt;
&lt;h3&gt;Topic Summary&lt;/h3&gt;
&lt;p&gt;The &lt;em&gt;Aadhaar&lt;/em&gt; scheme, or Unique Identity (UID) scheme, is a plan to provide citizens with unique identity numbers that are tied to their biometric data – such as their fingerprints and iris scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate.&lt;/p&gt;
&lt;p&gt;As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single identifier. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less desirable privilege that can be attended to fully once the scheme is fully in place.&lt;/p&gt;
&lt;p&gt;We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Comparative studies on privacy and national identity card schemes in other countries&lt;/li&gt;&lt;li&gt;Privacy and the UID Bill&lt;/li&gt;&lt;li&gt;How will a project such as the UID change the relationship between the state, the individual, and the market?&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.&lt;/p&gt;
&lt;h3&gt;Who We Are&lt;/h3&gt;
&lt;p&gt;Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see &lt;a class="external-link" href="http://www.privacyinternational.org/"&gt;www.privacyinternational.org&lt;/a&gt;). Privacy India's objective is to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:03:44Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november">
    <title>UID Meeting in Bangalore – A Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november</link>
    <description>
        &lt;b&gt;On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K. Chandrashekar, former Chairman of the Karnataka Legislature Council; Mr. Vidyashankar, Principal Secretary to Government of e-commerce; Sunil Abraham, Executive Director of the Centre for Internet and Society; Jude D’Souza, Technology Specialist; and Mathew Thomas, Retired Army Officer.&lt;/b&gt;
        
&lt;p&gt;Mr. Chandrashekar opened the public talk by giving a summary of the UID scheme and sharing his own apprehensions about the project. Voicing his concerns about the scale and architecture of the project, the collection of biometrics from individuals, and the fact that other countries have abandoned similar projects, he raised many points that evoked thought from the audience.&lt;/p&gt;
&lt;p&gt;In his presentation, Jude D’Souza explained how the technology (iris scanners and fingerprint readers) used in the UID project can be easily spoofed. Through a demonstration he showed how fingerprints can be replicated, and subsequently authenticated, using nothing more than a wax model. He also raised the point that high-resolution cameras are now able to capture an individual’s fingerprint and iris; the captured image can then be transferred, duplicated and subsequently used for authentication. The point emphasized by D’Souza was that the technology being used by the UID is not as foolproof as is being claimed, and yet nowhere in the Bill or the project is this concern addressed. Redress for possible transaction errors is not provided for in the Bill, and it is not clear what steps an individual should take if a problem does arise.&lt;/p&gt;
&lt;p&gt;Sunil Abraham spoke on the legality of the UID project, emphasizing that civil society does not oppose the project in itself, but is concerned with the weaknesses in the proposed legislation. He noted problems such as an overly broad scope, privacy concerns, and a lack of adequate forms of redress. Mr. Abraham also contrasted the UID project with the identity work that has been done in Estonia, and raised the question of whether a centralized system is entirely necessary, as opposed to a decentralized system of identity.&lt;br /&gt;Mathew Thomas, through the use of many examples, drove home two main questions.&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Why is a project that is based on biometrics with a centralized structure necessary?&lt;/li&gt;&lt;li&gt;Can the project realistically meet its proposed objectives of bringing benefits to the poor?&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;Using the UK’s failed centralized identity scheme, which is similar to the UID scheme, he made the argument that India has the opportunity to learn from the mistakes of others, and this opportunity should not be overlooked or passed by.&amp;nbsp; Mr. Thomas also pointed out that a proper cost benefit analysis is lacking for the project, as well as proper test trials of the technology and scheme.&lt;/p&gt;
&lt;p&gt;Mr. Vidyashankar presented on the progress of the UID in Karnataka and answered questions concerning the project. In particular he focused on explaining the collection of information for Know Your Resident (KYR) and Know Your Resident+ (KYR+). KYR information includes: an individual’s name, address, date of birth, gender, relation details, phone number (optional), email (optional), and financial information. KYR+ includes: Physically Handicapped, EPIC Card No., PAN No., Bank Details, LPG Gas Connection, Supply Card, MNREGA Job Card, RSBY Card No., Pension ID, National Population Register No., Property Tax, Electricity Consumer No., Water Connection No., and BPL Data. The purpose of collecting the extra data for KYR+ is to prevent the exploitation of subsidies: by having on record who is eligible for what benefit, the over-collection of benefits will be stopped. Vidyashankar also addressed privacy concerns, assuring the audience that information is encrypted at the time of collection and secured for privacy.&lt;/p&gt;
&lt;p&gt;The reaction from the audience was one of apprehension, and in some cases anger.&amp;nbsp; Individuals questioned the achievability of the objectives of the project, and expressed concerns that their tax money was being wasted. The overall sentiment in the room was that the UID project and Bill will be passed through Parliament but that in the long run, it will not benefit the everyday Indian citizen.&lt;/p&gt;
&lt;p&gt;In a later interview Mr. Vidyashankar kindly clarified different details of the project that were still unclear. For example, if individuals need to update the information in their profile, such as their address, they are able to do so by visiting the closest centre, authenticating themselves, and requesting that the information be changed. He also clarified that registrars and enrollers are monitored as they are registering and authenticating individuals, and that numbers issued today and in the pilot projects will be valid after the Bill is passed through Parliament. At the close of the interview he again assured me that the UID project does account for individuals’ privacy, and is able to adequately protect collected data due to the use of level five encryption. Despite Mr. Vidyashankar’s assurances, it does not seem logical that the UID project is privacy safe if privacy legislation is being created specifically to protect the data that the UID will be collecting. It is concerning that the UID project is being carried forward without adequate built-in safeguards, and even more concerning that the Bill could be passed through Parliament and become a living law without the much-needed privacy safeguards in place.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;: Recently a final draft of the UID Bill that will be submitted to the Lok Sabha was released to the public. Civil society has responded with comments and concerns on the UID Bill, which can be found on the CIS website.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;VIDEOS&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://blip.tv/play/AYKQ8FMA"&gt;http://blip.tv/play/AYKQ8FMA&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://blip.tv/play/AYKQ8gwA"&gt;http://blip.tv/play/AYKQ8gwA&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://blip.tv/play/AYKRlmwA"&gt;http://blip.tv/play/AYKRlmwA&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://blip.tv/play/AYKRl3QA"&gt;http://blip.tv/play/AYKRl3QA&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november'&gt;https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-01-04T08:14:52Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID">
    <title>Public Statement to Final Draft of UID Bill </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID</link>
    <description>
        &lt;b&gt;The final draft of the UID Bill that will be submitted to the Lok Sabha was made public on 8 November 2010. If the Bill is approved by Parliament, it will become law in India. The following note contains civil society's response to the final draft of the Bill.&lt;/b&gt;
        
&lt;p&gt;On 8 November 2010, the UID Authority issued the final draft of the UID Bill that will be submitted to the Lok Sabha for review and approval. Earlier this year, in June 2010, the Authority issued a draft UID Bill to the public for comment and review. Civil society responded with a detailed summary and a high-level summary of points that should be amended in, or were missing from, the draft Bill. We are disappointed that none of the concerns raised by civil society, including those listed below, were addressed.&lt;/p&gt;
&lt;h3&gt;Architecture&lt;/h3&gt;
&lt;p&gt;The centralized architecture of the UID project is unnecessary. A federated and decentralized structure for the UID project would achieve the same goal of providing identity, authentication, and delivery of benefits.&lt;/p&gt;
&lt;h3&gt;Scope&lt;/h3&gt;
&lt;p&gt;The scope of the Bill is overbroad. Though the main purpose of the Bill is to facilitate the delivery of benefits to residents, the loose language and intermixing of terms create a threat that data will be collected and used beyond the delivery of benefits.&lt;/p&gt;
&lt;h3&gt;Voluntary and not Mandatory&lt;/h3&gt;
&lt;p&gt;The Bill should prohibit the denial of goods, services, entitlements, and benefits for lack of a UID number, provided that an individual furnishes equivalent ID, thus ensuring that the &lt;em&gt;Aadhaar&lt;/em&gt; number is truly voluntary.&lt;/p&gt;
&lt;h3&gt;Inadequate Privacy Safeguards&lt;/h3&gt;
&lt;p&gt;The Bill inadequately elaborates on the principles of privacy relating to identity and transaction data. The protections needed should be self-contained within the Bill. Thus, the UID Bill itself should be clear and concise about data collection, transfer, retention, security, and dissemination.&lt;/p&gt;
&lt;h3&gt;Unwarranted Data Retention&lt;/h3&gt;
&lt;p&gt;The Bill does not provide adequate privacy protection for transaction data. In particular, section 32(2) empowers the Authority to determine the duration for which data is to be retained.&lt;/p&gt;
&lt;h3&gt;Lack of Accountability for all Actors&lt;/h3&gt;
&lt;p&gt;The Bill holds only the Authority accountable for violations. Rather, the Bill needs to hold enrolling agencies, registrars, and other service providers accountable as well. Furthermore, the Bill does not provide adequate regulation of, or accountability for, data that is outsourced.&lt;/p&gt;
&lt;h3&gt;Lack of Exceptions&lt;/h3&gt;
&lt;p&gt;The Bill does not detail the circumstances and categories of people who will be excused or accommodated with respect to the issuing of &lt;em&gt;Aadhaar&lt;/em&gt; numbers or the authentication of transactions.&lt;/p&gt;
&lt;h3&gt;Lack of Anonymity&lt;/h3&gt;
&lt;p&gt;The Bill does not provide adequate specificity as to the situations in which anonymity will be preserved and/or an &lt;em&gt;Aadhaar&lt;/em&gt; number should not be requested.&lt;/p&gt;
&lt;h3&gt;Inadequacy of Penalties&lt;/h3&gt;
&lt;p&gt;The penalties provided in the Bill are inadequate, because they do not cover several types of misuse.&lt;/p&gt;
&lt;h3&gt;Unaffordability of Fees&lt;/h3&gt;
&lt;p&gt;It is incompatible with the Bill’s stated purpose of inclusion to require an individual to pay to be authenticated.&lt;/p&gt;
&lt;h3&gt;Lack of Rollback and Ombudsman Office&lt;/h3&gt;
&lt;p&gt;The Bill does not provide adequate redress for system/transaction errors and fraud.&lt;/p&gt;
&lt;h3&gt;Inappropriate Structure and Governance&lt;/h3&gt;
&lt;p&gt;The Bill does not provide appropriate judicial and parliamentary oversight.&lt;/p&gt;
&lt;p&gt;Upon comparison of the draft Bill and the final Bill, CIS finds the following changes the most significant:&lt;/p&gt;
&lt;h3&gt;Definition of Resident&lt;/h3&gt;
&lt;p&gt;Section 2 (q): “resident” means an individual usually residing in a village or rural area or town or ward or demarcated area (demarcated by the Registrar General of Citizen Registration) within ward in a town or urban area”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This section clarifies the definition of ‘resident’ from the draft Bill, which defined resident as an “individual usually residing within the territory of India”. By specifying that individuals in demarcated areas will not receive UID numbers, the definition of resident is brought into line with the scope of the Bill as laid out in the preamble. We see this change as a positive revision.&lt;/p&gt;
&lt;h3&gt;Prohibition of Dissemination of Information&lt;/h3&gt;
&lt;p&gt;Section 30 (3): “Notwithstanding anything contained in any other law and save as otherwise provided in this Act, the Authority or any of its officer or other employee or any agency who maintains the Central Identities Data Repository shall not, whether during his service as such or thereafter, reveal any information stored in the Central Identities Data Repository to any person”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This section prohibits the dissemination of any information that is stored in the Central Identities Data Repository. This prohibition extends to anyone or any entity that handles information, and supersedes other laws that might permit dissemination of information. We see this change as a positive revision.&lt;/p&gt;
&lt;h3&gt;Disclosure of Information in the Case of National Security&lt;/h3&gt;
&lt;p&gt;Section 33 (b): “Any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer or officers not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Comment&lt;/em&gt;: This section is a minor improvement on the previous draft since it requires specific authorization from the Central Government (rather than from a Minister in charge). Unfortunately, however, it retains the undesirable language of "national security" from the previous draft which, as we had previously pointed out, is not currently clearly defined under Indian law. An alternative phrase that we recommend instead is the Constitutional vocabulary of "public emergency", which already has a considerable volume of judicial reasoning that has elaborated what it means. E.g., in Hukam Chand v. Union of India (AIR 1976 SC 789) it was held that a public emergency "is one which raises problems concerning the interest of public safety, the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or the prevention of incitement to the commission of an offence."&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-publicstatement-UID&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:48:00Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/consumer-privacy">
    <title>Consumer Privacy - How to Enforce an Effective Protective Regime? </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/consumer-privacy</link>
    <description>
        &lt;b&gt;In a typical sense, when people think of themselves as consumers, they just think about what they purchase, how they purchase and how they use their purchase. But while doing this we are always exchanging personally identifiable information, and thus our privacy is always at risk. In this blog post, Elonnai Hickok and Prashant Iyengar, through a series of questions, look at the whole concept of consumer privacy at the national and international levels. By placing a special emphasis on the Indian context, this post details the potential avenues of consumer privacy in India and states the important elements that should be kept in mind when trying to find an effective protective regime for consumer privacy.&lt;/b&gt;
        
&lt;h2&gt;Who is a consumer?&lt;/h2&gt;
&lt;p&gt;According to the Consumer Protection Act, 1986, a consumer is a broad label for any person who buys any goods or services for consideration with the intent of using them for a non-commercial purpose. In the typical sense, when people think of themselves as consumers, they might think about what they purchase through a physical exchange of money for goods or services, ranging from things as simple as fruit or grain to home appliances to cable television, either in a store or through an online exchange where you enter your credit card information and receive your purchase. Certain services that consumers use may, by their very nature, put an extraordinary amount of sensitive personal information into the hands of vendors. Typical examples include hospitals, banks and telecommunications.&lt;/p&gt;
&lt;h2&gt;What is Consumer Privacy and how may it be breached?&lt;/h2&gt;
&lt;p&gt;Consumer privacy is concerned with the manner in which information disclosed by a consumer to a vendor is collected and used. Specific issues include behavioral advertising, spyware, identity management, and data security and breaches. Increasingly, data collected from consumers is stored in databanks. This is then used for both legitimate purposes (such as marketing, research, etc.) and illegitimate, extraneous purposes (as when this data is sold in bulk to third parties). Additionally, the privacy of consumers may be compromised by the actions of third parties that are facilitated by the negligence of vendors (for instance, hacking into databases). The following international examples illustrate the kinds of privacy threats that the collection of data from consumers may pose &lt;strong&gt;[1]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 1)&lt;/em&gt; Toysmart, an online company, collected personal information from its users, promising to keep it private. In 2000, Toysmart entered bankruptcy and, in an attempt to avoid losing everything, tried to sell its database despite its strict privacy policy. This example illustrates how vendors may attempt to monetize the personal information of customers, exceeding the terms of the contract entered into with them.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 2)&lt;/em&gt; In 2006 it was found that AOL's research site had a stored file that contained information collected from more than 600,000 users between March and May of 2006. Though the file did not indicate each user by name, it was eventually found that there was enough information to correlate specific individuals to their user numbers. The AOL example demonstrates the danger of online privacy breaches through either oversight or negligence of the vendor in adopting adequate security measures.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Example 3)&lt;/em&gt; Similar to the previous example, ChoicePoint, an all-purpose information broker whose database contains information about nearly every adult American citizen, had its system hacked. The thieves had access to names, addresses and social security numbers.&lt;/p&gt;
&lt;h2&gt;How is consumer privacy protected internationally?&lt;/h2&gt;
&lt;h3&gt;Broad guidelines: The OECD Privacy Guidelines&lt;/h3&gt;
&lt;p&gt;Though not a law, the OECD Guidelines drafted in 1980 provide a useful set of ‘fair information practices’ within which the privacy of consumers may be evaluated. Briefly, the eight principles declared were &lt;strong&gt;[2]&lt;/strong&gt;:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Collection limitation principle (there should be limits to the collection of data)&lt;/li&gt;&lt;li&gt;Data quality principle (data should be accurate and relevant to the purpose for which it is collected)&lt;/li&gt;&lt;li&gt;Purpose specification principle&lt;/li&gt;&lt;li&gt;Use limitation principle&lt;/li&gt;&lt;li&gt;Security safeguards principle&lt;/li&gt;&lt;li&gt;Openness principle (there should be openness about data policies and changes thereof)&lt;/li&gt;&lt;li&gt;Individual participation principle (enabling the individual to find out if data is being held about him and to obtain a copy of the data and make corrections)&lt;/li&gt;&lt;li&gt;Accountability principle&lt;/li&gt;&lt;/ol&gt;
&lt;h3&gt;The EU Data Protection Directive (Directive 95/46/EC)&lt;/h3&gt;
&lt;p&gt;This is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. The basic guidelines of the Directive are &lt;strong&gt;[3]&lt;/strong&gt;:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Notice:&lt;/em&gt;&lt;/strong&gt; Data subjects must be notified of the identity of the collector of their personal information, the uses for which the information is being collected, how the data subjects may exercise any available choices regarding the use or disclosure of personal information, where and to whom information may be transferred, and how data subjects may access their personal information.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consent:&lt;/em&gt;&lt;/strong&gt; “Unambiguous consent” of a data subject is required before any personal information may be processed. Special categories such as race, religion, political or philosophical beliefs, health, union membership, sex life, and criminal history have additional processing requirements.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consistency:&lt;/em&gt;&lt;/strong&gt; Controllers and processors may only use information in accordance with the terms of the notice given.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Access:&lt;/em&gt;&lt;/strong&gt; Controllers must give data subjects access to their personal information.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Security:&lt;/em&gt;&lt;/strong&gt; Organizations must provide adequate security, using both technical and other means, to protect the confidentiality and integrity of the data.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Onward transfer:&lt;/em&gt;&lt;/strong&gt; Personal information may not be transferred to a third party unless that third party has signed a contract with the individual or organization which binds them to use the information consistently with the notice given to the data subjects.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Enforcement:&lt;/em&gt;&lt;/strong&gt; Each EU country has established a Data Protection Authority that has the power to investigate complaints, levy fines, initiate criminal actions, and demand changes in businesses’ information-handling practices.&lt;/p&gt;
&lt;h3&gt;Specific Sectoral Legislation and privacy policies&lt;/h3&gt;
&lt;p&gt;The US takes a sectoral approach to protecting consumer privacy. Legislation that protects consumer privacy includes the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children's Online Privacy Protection Act. Also, the CAN-SPAM Act bans the sending of commercial electronic messages that contain false information. The most comprehensive act for the consumer in the U.S. is the Fair Credit Reporting Act (FCRA), which was passed in 1970. Enforcement of the Act is vested in the Federal Trade Commission. The FCRA applies to how consumers’ information is collected and used, and applies to insurance, employment, and other non-credit consumer transactions. Under the FCRA the information that is protected is broadly defined as a “consumer report”: any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit, insurance, and employment purposes.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;Furthermore the FCRA:&amp;nbsp;&lt;/p&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;(a) provides the right for consumers to ensure the accuracy of their data.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(b) includes “right to know” provisions to enable consumers to know all information in their files&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(c ) grants consumer dispute rights&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(c) limits disclosure of information&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;(d) requires opt-out options&amp;nbsp;&lt;em&gt;&lt;/em&gt;&lt;strong&gt;[ibid 4]&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;Consumer Privacy in India&amp;nbsp;&lt;/h2&gt;
&lt;div&gt;
&lt;p&gt;Broadly, there are four potential avenues for the protection of consumer privacy in India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;1.&amp;nbsp; Individual organizations may voluntarily commit to protect the information of their clients through “Privacy Policies” These become a component of the contractual commitments between the service providers and customers and are enforced through ordinary civil litigation.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;2.&amp;nbsp; Certain professions and industries have codes of privacy that they must statutorily abide by. This is true of such professions as the medical profession and the legal profession in India and the entire banking industry and the telecom industry. Rigorous privacy norms are set for each of these industries by their respective apex governing bodies. Penalties for breach include derecognition and monetary penalties.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&amp;nbsp;3. Consumer privacy may be enforced by the specialized Consumer Dispute Tribunals under the Consumer Protection Act in India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;4. The newly amended Information Technology Act imposes an obligation on anyone controlling data to indemnify against losses caused by the leakage/improper use of that data.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;Each of these mechanisms is discussed in some details below:&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;h3&gt;Privacy Policies:&amp;nbsp;&lt;/h3&gt;
&lt;div&gt;
&lt;p&gt;Several Indian companies have publicly stated privacy policies that they display on their website. We have profiled the privacy policies of two such companies as a sample.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;Airtel: Defines personal information, informs users how their information will be used, describes which third parties will have access to your information, provides the ability to opt-out of commercial SMSs, provides an email address for privacy concerns.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Rediff&lt;/strong&gt;&lt;/em&gt;: Provides email for customer support, states what personal information is collected from you, what information is collected from you by cookies, what information is collected about you and stored, who will collect the information about you, how the information will be used to advertise to you and tailor to your preferences, states the rights that advertisers have to your information, disclaimer of responsibility for any other websites linked to the page, states that the information released in a chat room is considered public information, defines third party usage, defines security measures taken, lays out what choices the consumer has regarding collection and distribution of their information, contains opt-out clauses, defines personal information, defines cookies, explains that consumers have the ability to correct inaccurate information, requires youth consent &lt;strong&gt;[5]&lt;/strong&gt;.&amp;nbsp;&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;&lt;em&gt;Examples of Indian organizations without a privacy policy on their websites&lt;/em&gt;: Canara Bank, Andhra Bank, Indian Railways, Air India, BSNL, State Bank of India.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Note: &lt;/em&gt;&lt;/strong&gt;The International Guide to Privacy suggests the following be included in privacy policies: description of the personal information collected by the website and third party, description of how the information is used and list of parties with whom it may be shared, a list of the options available regarding the collection, use, sharing and distribution of the information, a description of how inaccuracies can be corrected, a list of the websites that are linked to the organization’s site and a disclaimer that the organization is not responsible for the privacy practices of other sites, a description of how the information is safeguarded (both physically and electronically) against loss, misuse, and alteration, consent for use of personal information &lt;strong&gt;[6]&lt;/strong&gt;.&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;h3&gt;Professional/Industrial Regulations&amp;nbsp;&lt;/h3&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;As mentioned above, several professional bodies have privacy guidelines which their members must abide by.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Advocates&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Rules of Professional Conduct have been framed under the Advocates Act and establish a code of conduct to be followed by lawyers in order to protect the confidences, information, and data of a client. It is important to note that the obligation of confidentiality continues even after the client relationship is terminated. The Evidence Act further buttresses the confidentiality of clients by making information passed between lawyer and client subject to a special privilege &lt;strong&gt;[7]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Medical Practitioners&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Similarly, in 2002, the Medical Council of India notified the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, which contain ethical injunctions backed by disciplinary action in cases of breaches. Several of these relate to privacy; for instance, every physician is required to maintain medical records pertaining to indoor patients for a period of 3 years from the date of commencement of the treatment &lt;strong&gt;[8]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Article 2.2:&lt;/em&gt; Requires physicians to maintain confidences concerning individual or domestic life entrusted by patients to a physician. Defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State. The rule also, controversially, requires the physician to evaluate “whether his duty to society requires him to employ knowledge, obtained through confidence as a physician, to protect a healthy person against a communicable disease to which he is about to be exposed”. In such an instance, the rules advise the physician to “act as he would wish another to act toward one of his own family in like circumstances.”&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Article 7.14:&lt;/em&gt; Enjoins the registered medical practitioner not to disclose the secrets of a patient that have been learnt in the exercise of his / her profession except –&lt;/p&gt;
&lt;p&gt;1. in a court of law under orders of the Presiding Judge;&lt;/p&gt;
&lt;p&gt;2. in circumstances where there is a serious and identified risk to a specific person and / or community; and&lt;/p&gt;
&lt;p&gt;3. notifiable diseases.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Article 7.17&lt;/em&gt;: Forbids a medical practitioner from publishing photographs or case reports of patients without their permission, in any medical or other journal, in a manner by which their identity could be made out. If the identity is not disclosed, however, consent is not needed.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Important Case Law&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In one of the most important cases to have come up on the issue of privacy, a person sued a hospital for having disclosed his HIV status to his fiancée without his knowledge, resulting in their wedding being called off. In Mr. X vs Hospital Z, the Supreme Court held that the hospital was not guilty of a violation of privacy since the disclosure was made to protect the public interest. The Supreme Court, while affirming the duty of confidentiality owed to patients, ruled that the right to privacy was not absolute and was “subject to such action as may be lawfully taken for the prevention of crime or disorder or protection of health or morals or protection of rights and freedom of others.” &lt;strong&gt;[9]&lt;/strong&gt; This case raises certain questions which might be worthwhile to consider:&lt;/p&gt;
&lt;p&gt;1. Are there other ways in which the situation could have been handled, such as through proper counselling? Furthermore, it is important to establish what the role of a hospital is, whether its primary interest lies in protecting its patients and their data, and to take into consideration the importance of consent in handling and disclosing personal information.&lt;/p&gt;
&lt;p&gt;2. The argument that there is no absolute right to privacy raises the question of who determines the limits for disclosure of the man's HIV status. If his fiancée should be informed of his results, should his workplace, community, or church? Do they face the same risks as his fiancée? Who is to be the judge of this risk?&lt;/p&gt;
&lt;h3&gt;Banking and Telecom Industry&lt;/h3&gt;
&lt;p&gt;The banking and telecom industries each have regulatory authorities which have periodically issued guidelines seeking to protect the privacy of customers. Thus, for instance, the RBI's Customer Service statement obliges bankers to maintain secrecy and not to divulge any information to third parties. Likewise, the TRAI has issued regulations on unsolicited commercial communications and has initiated steps to monitor confidentiality measures taken by telecom operators. More details are provided in the accompanying briefs that deal exclusively with the banking and telecom industries.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Consumer Protection Act 1986:&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Consumer Protection Act, which was enacted with the objective of providing better protection of the interests of the consumer, has emerged as a major source of relief to those who have suffered violations of their privacy &lt;strong&gt;[10]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Important Case Law&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In Rajindre Nagar Post Office vs. Sh Ashok Kriplani, a post master was accused of not delivering a registered letter, opening it, and then returning it in a torn condition. It was determined that the tearing of the letter without delivery to the addressee was a grave “deficiency in service” on the part of the appellant. It was ruled that the right of privacy of the respondent was infringed upon by the postman. Under the Consumer Protection Act 1986, compensation of Rs. 1000 was awarded for the mental agony, harassment, and loss arising from the deficiency in service. The importance of this case lies in the willingness of the courts to treat a breach of privacy as a “deficiency of service” &lt;strong&gt;[11]&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;In January 2007, the Delhi State Consumer Disputes Redressal Commission imposed a fine of Rs. 75 lakh on a group of defendants including Airtel, ICICI and the American Express Bank for making unsolicited calls, messages and telemarketing. Although this decision was reversed on appeal by the Delhi High Court, it confirms a trend of Consumer Dispute Redressal Commissions being willing to take up cudgels on behalf of consumers for violations of their privacy.&lt;/p&gt;
&lt;h3&gt;Information Technology Act 2000 (Amended 2008)&lt;/h3&gt;
&lt;p&gt;In 2008, the Information Technology Act was amended to include an extremely salutary relief to people when a breach of privacy is occasioned by the leakage of data from computerised databases maintained by corporates. Thus, the newly inserted Section 43A states that if a “body corporate” is possessing, dealing, or handling any “sensitive personal data or information” in a computer resource which it owns, controls, or operates, and is negligent in implementing and maintaining “reasonable security practices and procedures” and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.&lt;/p&gt;
&lt;p&gt;The Section further stipulates that the Central Government would come up with the reasonable security practices and procedures and would also define what constituted ‘personal sensitive information’.&lt;/p&gt;
&lt;p&gt;Likewise, the newly introduced Section 72A declares that if “any person including an intermediary” secures access to any personal information about another person while providing services under the terms of lawful contract, and if he, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such information without the consent of the person concerned, or in breach of a lawful contract, he is liable to be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both &lt;strong&gt;[12]&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;In conclusion, it is important to consider many elements when looking at an effective protective regime for consumer privacy:&lt;/p&gt;
&lt;p&gt;1. Is a comprehensive data protection law or a sectoral approach more suited to the needs of India?&lt;/p&gt;
&lt;p&gt;2. Does India want to become compliant with international standards for data protection?&lt;/p&gt;
&lt;p&gt;3. How will privacy policies be enforced, and how will organizations be held accountable for protection of client privacy under the legislation?&lt;/p&gt;
&lt;p&gt;4. Will consumers be notified if their information is breached? If so, what will be included in the breach notification?&lt;/p&gt;
&lt;p&gt;5. How can legislation ensure that consumers are aware of their privacy rights?&lt;/p&gt;
&lt;p&gt;6. How can privacy legislation address the need for different levels of protection for different types of data?&lt;/p&gt;
&lt;h3&gt;Bibliography:&lt;/h3&gt;
&lt;p class="discreet"&gt;1. Examples drawn from: Oussayef, karim. Selective Privacy: Facilitating Market Based Solutions to Data Breaches by Standardizing Internet Privacy Policies. 14 B U Journal Sci and Tech&amp;nbsp; Law. 105 2008.&lt;/p&gt;
&lt;p class="discreet"&gt;2. Organisation for Economic Co-operatioin and &lt;em&gt;Development, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security ,&lt;/em&gt; July 25, 2002&lt;/p&gt;
&lt;p class="discreet"&gt;3. Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processting of personal data and on the ree movement of data&lt;/p&gt;
&lt;p class="discreet"&gt;4. Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg.34-4&lt;/p&gt;
&lt;p class="discreet"&gt;5&lt;a href="http://www.rediff.com/w3c/policy.html"&gt;http://www.rediff.com/w3c/policy.html&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;
6.&amp;nbsp; Westby Jody, International Guide to Privacy. American Bar Association. 2004 pg. 161-164&lt;/p&gt;
&lt;p class="discreet"&gt;7. The Advocates Act 1961&lt;a href="http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf"&gt;http://www.sharmalawco.in/Downloads/THE%20ADVOCATES%20ACT%201961.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;8 Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations. Published in Part III, Section 4 of the Gazette of India, dated 6th April, 2002&lt;a href="http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf"&gt;http://www.mciindia.org/rules-and-regulation/Code%20of%20Medical%20Ethics%20Regulations.pdf&lt;/a&gt;.&lt;/p&gt;
&lt;p class="discreet"&gt;9. (1998) 8 SCC 296:&lt;a href="http://indiankanoon.org/doc/382721/"&gt;http://indiankanoon.org/doc/382721/&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;10. Indian Consumer Protection Act 1986&lt;a href="http://www.legalhelpindia.com/consumer-protection-act.html"&gt;http://www.legalhelpindia.com/consumer-protection-act.html&lt;/a&gt;.&lt;/p&gt;
&lt;p class="discreet"&gt;11.&lt;a href="http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm"&gt;http://164.100.72.12/ncdrcrep/judgement/80Post%20Master%20Vs%20Ashok%20Kriplani%20(JDK)%2023.03.2009.htm&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;12. Information Technology Act 2000: Amended 2008&lt;a href="http://www.mit.gov.in/content/information-technology-act"&gt;http://www.mit.gov.in/content/information-technology-act&lt;/a&gt;.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/consumer-privacy'&gt;https://cis-india.org/internet-governance/blog/privacy/consumer-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:06:04Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference">
    <title>American Bar Association Online Privacy Conference: A Report</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference</link>
    <description>
&lt;b&gt;On 10 November 2010, I attended an American Bar Association online conference on 'Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference'. The panelists addressed many important global privacy challenges and spoke about the changes the EU directive is looking to make.&lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;On 10 November, I attended an American Bar Association online conference on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference.” The panel was made up of:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Lisa Sotto, a private practitioner in the US&lt;/li&gt;&lt;li&gt;Billy Hawkes, Commissioner of Data Protection, Ireland&lt;/li&gt;&lt;li&gt;Bojana Bellamy, Director of Data Privacy, London, UK&lt;/li&gt;&lt;li&gt;Hugh Stevenson, Deputy Director of the Federal Trade Commission, US&lt;/li&gt;&lt;li&gt;Jennifer Stoddart, Privacy Commissioner, Canada.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;The panelists shared their insight into many issues, including the challenges that cloud computing, behavioural advertising, and cross-border data transfer pose to privacy. The panel also spoke on the need to address concerns of enforcement, data breach, accountability, and harmonization of data protection policies. The conference was very informative, and brought up many points that should be considered and given careful thought as India moves forward with privacy legislation.&lt;/p&gt;
&lt;h3&gt;Technology Concerns: Cloud Computing, Behavioural Advertising, and Cross-border Data Transfer&lt;/h3&gt;
&lt;p&gt;When speaking about the concerns of cloud computing, behavioural advertising, and cross-border data transfer, the panel was in agreement that privacy policies need to move beyond paper to practice. They questioned whether broad national law can actually address the privacy concerns associated with these issues, or whether internal, specific policies are more effective at protecting data being outsourced to the cloud, passed through the Internet, and sent across borders. In the case of cloud computing specifically, internal policies have the potential to be more effective, because data in the cloud is essentially nowhere; it does not reside in one jurisdiction, and thus it is difficult to establish which countries’ laws apply to the data. Additionally, if there is a data breach, the onus at the end of the day falls on the company that was in possession of the data. Though internal policies could also be used to address behavioural advertising, the lack of consumer awareness limits how effective a self-regulating program can be. Hugh Stevenson suggested another possibility: creating a system analogous to the “do not call registry” for websites, something like “do not track.” This would allow consumers to opt out of being tracked by cookies etc. on websites, and force websites to be transparent about their collection and retention of data. Another solution discussed that could work to move policies beyond paper to practice was the emerging trend of “privacy by design”. “Privacy by design” is a mechanism applied by technology manufacturing and technology providing companies, where companies assess privacy risks before they offer a service, or before a product goes onto the market. This might mean a software company or service provider will need a seal before selling their products that indicates the product or service meets a certain privacy standard. If enforced effectively, the system of a seal could be especially effective, because it creates a visual indicator of privacy, allowing consumers to easily and quickly recognize which products are riskier for privacy than others, and to easily find reliable and secure data processors. The ability of the privacy seal to be applied to all services and sectors would be particularly useful in a sectoral system like the US, where companies that collect data but are not part of the regulated sectors (financial, health, etc.) do not come within the purview of the privacy protecting laws.&lt;/p&gt;
&lt;h3&gt;Privacy Seals Globally?&amp;nbsp; Privacy Seals in India?&lt;/h3&gt;
&lt;p&gt;If this system of a privacy seal becomes widely used, it will be interesting to see the effect that it has on the international community, and subsequently on the Indian consumer. Even though India does not have privacy legislation, nor a heightened concern over personal privacy, the Indian consumer does consume American-developed software, phones, computers and other technologies. Perhaps as a “privacy seal” begins to be seen on foreign products used in India, it will create pressure on domestic manufacturers and service providers to meet similar standards with their products. Furthermore, perhaps foreign countries will not want to engage in trade with a company if that company does not use the “privacy seal”. Similar pressure is being placed on Chinese-made technologies. For example, the reputation that Chinese phones have of being dangerous and cheap has led some countries, like Australia, to place bans on the phones coming into their borders. Essentially, a privacy seal could provide sufficient economic incentives and pressures on companies globally to ensure that their products and practices adequately protect consumer privacy.&lt;/p&gt;
&lt;h3&gt;Accountability:&lt;/h3&gt;
&lt;p&gt;In addition to internal policies and seals as ways to push privacy protection beyond theory and into practice, the panel heavily emphasized the need for accountability. Accountability, according to Bojana Bellamy, the EU Data Privacy Director, is increasingly necessary because data is constantly being sent and processed in multiple countries and places across the globe. How to create a greater level of accountability amongst organizations has been a subject of much discussion. Currently the EU is looking at adding an “accountability principle” to the directive. The directive defines accountability as showing how responsibility is exercised and making this verifiable, or in simpler terms, compliance with principles in the data protection field. The accountability principle that is being proposed would be comprised of two requirements. One requirement would obligate data controllers to implement appropriate and effective measures that make sure the principles and obligations of the Directive are being put into effect by organizations. The second would require that data controllers demonstrate that these measures have been taken. In practice, this would translate into scalable programs such as the requirement of a privacy impact assessment, monitoring, sanctions, and internal and external audits. The legal architecture of the accountability mechanism would be two-tiered. One tier would consist of the basic statutory requirement that would be binding for all data controllers; the second would include voluntary accountability systems. This would also mean that data controllers would need to strengthen their internal arrangements. Further accountability measures considered by the Directive working party include: establishment of internal procedures prior to the creation of new personal data processing operations; setting up written and binding data protection policies to be considered and applied to new data processing operations; mapping of procedures to ensure proper identification of all data processing operations and maintenance of an inventory of data processing operations; appointment of a data protection officer; and offering adequate data protection training and education to staff members.&lt;/p&gt;
&lt;h3&gt;Data Breaches:&lt;/h3&gt;
&lt;p&gt;The panel next discussed data breaches. The example of the UK, where in 2007 the government lost 24 million records from the Child Benefit Database, shows clearly that data breaches are a continual, often very serious problem. Few people, though, realize the extent to which data breaches happen (to their own personal data) and the actual consequences of the breaches, because countries do not have well-defined data breach policies in place. There are a handful of European countries, like France and Germany, and some American states, like California, that have included data breach requirements in their laws. Despite this, there are no broad statutes for data breach notification in the US or the EU. Also, in 2009 the E-Privacy Directive, which applies to ISPs, telecommunication networks, and other electronic communications services, made it mandatory for certain data breaches to be reported. Whether data breach notification should be made a requirement through legislation is a question many countries are facing. Some countries, like Canada, rely on self-regulation for enforcement of data breaches. Jennifer Stoddart, the data commissioner from Canada, spoke about how self-regulation in Canada works. One of the mechanisms that makes self-regulation so effective is the media. If a data breach occurs, the media, through bad press, causes the social and monetary costs to increase, so that companies will want to prevent data breaches. The privacy commission of Canada works to help companies remedy breaches when they occur, but focuses mainly on working with companies to prevent a breach from taking place at all. Challenges and questions that self-regulation faces are:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Will companies work to be less transparent and avoid notification despite the severity of the breach, because of the repercussions?&lt;/li&gt;&lt;li&gt;How will the balance between over-reporting breaches and under-reporting breaches be maintained?&lt;/li&gt;&lt;li&gt;Even if there is a social incentive to provide notification of a breach, is it adequate enough to ensure that the notification is comprehensive and that proactive steps are taken by the organization to prevent further breaches?&lt;/li&gt;&lt;li&gt;If bad media is the main form of penalty for companies, is this enough penalty, and is it able to take into consideration the context of each privacy breach?&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;These questions along with the growing number of breaches that are occurring have pushed the EU and other countries to consider&amp;nbsp; integrating data breach statutes into broad legislation.&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;E-Privacy Directive Breach Notification:&lt;/h3&gt;
&lt;p&gt;Under the E-Privacy Directive the definition of a personal data breach is “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed in connection with provision of a publicly available electronic communications service in the Community.” Currently the system in the EU is broken down into a two-tiered system: a breach notification by the organization to the data controller is the first level. This level includes breaches that have occurred, but do not necessarily harm an individual. The second tier applies if the breach impacts the subscriber or individual; then the individual must be notified of the nature of the breach, and recommendations made of measures to mitigate the possible adverse effects of the breach. If the breach is so large that individual notice is impractical, notice of the breach must be posted in the media. Failure to notify or incorrect notification results in sanctions. In the UK, data breach notification must include:&lt;/p&gt;
&lt;p&gt;1. The type of information and the number of records compromised&lt;/p&gt;
&lt;p&gt;2. The circumstances of the loss, release, or corruption&lt;/p&gt;
&lt;p&gt;3. Actions taken to minimize or mitigate the effect on the individuals involved, including whether they have been informed&lt;/p&gt;
&lt;p&gt;4. Details of how the breach is being investigated&lt;/p&gt;
&lt;p&gt;5. Whether any other regulatory bodies have been informed and, if so, their responses&lt;/p&gt;
&lt;p&gt;6. Remedial actions taken to prevent future occurrences and any other information that may assist the ICO in making an assessment&lt;/p&gt;
&lt;h3&gt;Accountability, breach notification: What material should India think about for a legal privacy structure?&lt;/h3&gt;
&lt;p&gt;Lawrence Friedman once explained that legal systems are living organisms: Bills are constantly being amended, passed, and retracted in order to make the legal structure that governs a society reflect the ethos of that society. Thus, when conceptualizing a new piece of legislation it is important to look at what purpose that legislation is going to serve, and whether that purpose reflects the ideas, values, attitudes, and expectations that a society has. India is a nation that has enacted statutes and regulations for responding to cultural and economic changes against a backdrop of widely dispersed population groups with deeply ingrained traditions of government and management. This has led to incongruities; for example, there are strong requirements for government transparency, but at the same time there is a common perception that bribery is necessary to prompt official action. There are laws to protect certain rights, but the average person who takes action will never be afforded redress. Thus, India faces challenges both similar to and different from those that the EU and Western countries face with regard to privacy. One of the greatest privacy challenges in India today, despite the country having adopted technology, habits, and practices that put privacy at risk, is the common perception that India does not have any privacy issues. Because it is believed that privacy is not at risk, there is a lack of awareness and understanding as to how to prevent privacy violations. Though the breach notification and accountability components that were discussed in the meeting are very detail-oriented mechanisms, they raise a fundamental question about legal architecture and context. When forming privacy legislation, a few broad questions that India needs to consider are:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Does it want a broad legislation, one that could limit business and trade (unless potential trading partners demand such legislation), or sector-based legislations, which risk being too tailored and difficult to harmonize?&lt;/li&gt;&lt;li&gt;If India wants a broad privacy framework, how will this be set up?&lt;/li&gt;&lt;li&gt;What will be the tools used for civil education?&lt;/li&gt;&lt;li&gt;How will enforcement take place?&lt;/li&gt;&lt;li&gt;Is self-regulated accountability or statutory accountability better?&lt;/li&gt;&lt;li&gt;Will there be a privacy tribunal?&lt;/li&gt;&lt;li&gt;How will data be categorized?&lt;/li&gt;&lt;li&gt;Will breaches be notified?&lt;/li&gt;&lt;li&gt;Will standardized privacy policies be created?&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;As Hugh Stevenson, the commissioner from the FTC, described, one of the greatest benefits of breach notification has been the awareness of privacy that it has brought. As individuals are notified that their information has been compromised, they are becoming more aware of how technologies work, how their information is processed, what risks are involved, and what protective measures they should take. Looking at the prospect of enhanced awareness from making data breach notification mandatory, it seems that it can only be a positive step for India to take towards raising awareness and understanding of privacy. The notification of a breach could be required to specifically include a description of why the breach took place, and the steps that individuals could take to further protect their data. A concern that has been voiced is whether comprehensive legislation could be implemented, and whether India should be looking to enact such comprehensive and detailed legislation when there is no existing privacy legislation to build on, and no deep culture of privacy. To these concerns I can only speculate that there is always a balance between being overly ambitious in legislation and too conservative. It seems that enforcement will in fact always be a challenge in India, and that part of policy-making needs to address this challenge, rather than avoid it.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-aba-conference&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:08:36Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing">
    <title>Privacy, Free/Open Source, and the Cloud </title>
    <link>https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing</link>
    <description>
        &lt;b&gt;A look into the questions that arise in concern to privacy and cloud computing, and how open source plays into the picture. &lt;/b&gt;
        
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;Cloud computing, in basic terms, is internet-based computing in which shared resources and services are drawn from the underlying infrastructure of the internet and provided on demand. Cloud computing creates a shared network between major corporations like Google, Microsoft, Amazon and Yahoo. In this way, cloud systems are related to grid computing systems and service-oriented architectures, and create the potential for the entire IT infrastructure to be programmable. Because of this, cloud computing establishes a new consumption and delivery standard for IT services based on the internet. It is a new consumption and delivery model because it is made up of services delivered through common centres and built on servers which act as points of access for the computing needs of consumers. The access points facilitate the tailoring and delivery of targeted applications and services to consumers. The details are abstracted away from users, who no longer need to understand, or control, the technology infrastructure in the cloud that supports their desired application.&lt;/p&gt;
&lt;p&gt;There are both corporate and consumer implications for such a system. For example, cloud computing lowers the barriers to entry for corporations and new services. It also enables innovative enterprise in locations where there is an insufficient supply of human or other resources, through the provision of inexpensive hardware, software, and applications. The consumer, in turn, is provided with information that he or she is projected to be interested in, based on information he or she has already “consumed.” Thus, for example, Google has the ability to monitor a person’s consuming habits through searches and to reduce those habits to a pattern which selects applications to display, and consumption of those reinforces the pattern.&lt;/p&gt;
&lt;h3&gt;Privacy Concerns:&lt;/h3&gt;
&lt;p&gt;Though cloud computing can be a useful tool for consumers, corporations, and countries, it poses significant privacy concerns for all actors involved. For the consumer, a major concern is that future business models may rely on the use of personal data from consumers of cloud services for advertising or behavioral targeting. This concern brings to light the fundamental problem of cloud computing, which is that consumers consent to the secondary use of their personal data only when they are signing up for services, and that “consent” is almost automatically generated. How can the cloud assure users that their private data will be properly protected? It is true that strong encryption can be (and is) used, and that many companies also take other precautionary measures, but protective measures vary, and the secondary parties that gain access to information may not protect it as well as the initial source. Moreover, even strong protective measures can be defeated by attackers. As well, what happens if a jurisdiction, like the Indian government, gains access to information about a foreign national? India still does not have a comprehensive data protection law, nor does it have many forms of redress for violations of privacy. How is that individual's information protected?&lt;/p&gt;
&lt;p&gt;These questions give rise to other privacy concerns with respect to the data that is circulated and stored on the cloud: the questions of territory, sovereignty, and regulation. Many of these were brought up at the Internet Governance Forum, which took place on the 16th of September, including: Which jurisdiction has authority in cases of dispute or digital crime? If you lose data, or your data is damaged, stolen, or manipulated, where do you go? Is the violation enforced under local laws, and, if so, under the law of the violator or the law of the violated? If under international law, who can access the tribunals, and which tribunals have jurisdiction? What if a person's data is replicated in two data centres in two different countries? Are the data subject to scrutiny by the officials of all three countries involved? Is there a remedy against abuse by any of them? Does it matter whether the country in which the data centre resides does not require a warrant for government access? And how will a consumer know any of that up front? As a corollary, if content is being sent to one country but resides in a data centre in another country, whose data protection standards apply? For example, certain governments in Europe require data retention for a limited period for law enforcement purposes, but other countries may allow retention of data for shorter or longer periods.&lt;/p&gt;
&lt;h3&gt;How are privacy, free/open source, and the cloud related ?&lt;/h3&gt;
&lt;p&gt;Eben Moglen, a professor at Columbia Law School and founder and chairman of the Software Freedom Law Center, who spoke on cloud computing, privacy, and free/open software at the Indian Institute of Science on Thursday September 25, offered another solution to the privacy concerns that arise out of the cloud. His lecture explained how the internet has moved from a tool that once promoted equality between people, with no servants and no masters, to a tool that reinforces social hierarchies. The reinforcement of these hierarchies is directly related to the language used and the communication facilitated between the computer and the individual. Professor Moglen described how initially, when computers were first introduced to the public, humans spoke directly to computers and computers responded directly to humans. This open, two-way communication changed when Microsoft, Apple, and IBM removed the language between humans and computers and created proprietary software based on a client-server computing relationship. By removing the language between humans and computers, these corporations disempowered individuals. Professor Moglen used this as a springboard to address the privacy concerns that come up in cloud computing. Privacy at its base is the ability of an individual to control access to various aspects of the self: decisional, informational, and locational. In having the ability to control these factors, privacy consists of a relation between a person and another person or an entity. Professor Moglen postulated that free/open access to code would make the internet an environment where choices over that relationship were still in the hands of the individual, and that, among other protections, individuals could build up their desired levels of privacy.&lt;/p&gt;
&lt;h3&gt;Is free/open software the solution?&lt;/h3&gt;
&lt;p&gt;Eben Moglen's solution to the many privacy concerns that arise out of cloud computing is the application and use of free software/open source by individuals. Unlike some applications on the cloud, open source is free, and once an individual has access to the code, that person can control how a program functions, including how it uses personal information, and thus would be able to protect their privacy. Of course, this presumes that the consumer of the internet is sophisticated enough to access and manipulate code. But even putting that presumption aside, is the ability to write code enough to protect data, or does it merely help one protect data better by adding more security? Perhaps, if a person could create his own server and bypass the cloud, but this does not seem like an ideal (or practical) solution. Though free/open source is an important element that should be incorporated into cloud computing, free/open source depends on open standards. According to Pranesh Prakash, in his presentation at the Internet Governance Forum, the role of standards in ensuring interoperability is critical to allowing consumers to choose between different devices to access the cloud, to choose between different software clients, and to shift between one service and another. This would include moving information, both the data and the metadata, from one cloud to another. Clouds would need to be able to talk to one another to enable data sharing, and open source is key to this, though it is important to note that if one uses free/open source, one must set up one's own infrastructure.&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;Even though Moglen believes that free/open source software brings freedom and provides the solution to protect an individual’s privacy in the context of cloud computing, he was not speaking to the specific context of India. To do that, it is important to expand the definitions that one uses of free/open source and privacy, and then to contextualize them. Looking closely at the words “free/open source,” they are not limited to access to a software's code, even though that is free/open source’s base. For the ideology of free/open source to work, access to code is just one key to the puzzle. A person, community, culture and state must understand the purpose of free/open source, know how to use it, and know how it can be applied in order for it to be transformative, liberating, and protective. There needs to be a shared understanding that free/open source is not just about being able to change code, but about a shared commitment to sharing code and making it transparent and accessible. In the United States and other countries, free/open source did not simply enter society and immediately fix issues of privacy by bringing freedom, as Professor Moglen seems to suggest free/open source will do in India. Though Professor Moglen promises freedom and privacy protection through free/open source, perhaps this is not an honest appraisal of the technology. Free/open source, if not equally accessed, or if misapplied, protects neither freedom nor privacy. As noted above, even if a person has access to code, he can protect data only to a certain extent. Thus, he might think that he has created a privacy wall around information that is actually readily accessible. In other words, free/open source cannot be the only answer to freedom, but instead a piece of a collective answer.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing'&gt;https://cis-india.org/internet-governance/blog/privacy/privacy-cloud-computing&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Openness</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-22T05:50:10Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions">
    <title>Privacy Concerns in Whole Body Imaging: A Few Questions</title>
    <link>https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions</link>
    <description>
&lt;b&gt;Security versus Privacy...it is a question that the world is facing today when it comes to using Whole Body Imaging technology to screen travellers visually in airports and other places. Giving real-life examples from different parts of the world, Elonnai Hickok points out that even if the Government of India eventually decides to advocate tight security measures with few restrictions, such measures need to be balanced against the concerns raised for personal freedom. She further argues that privacy is not just data protection but something which must be viewed holistically and contextually when assessing new policies.&lt;/b&gt;
        
&lt;p&gt;&lt;strong&gt;What is Whole Body Imaging? &lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Whole Body Imaging is an umbrella term that includes various technologies that can produce images of the body without the cover of clothing. The purpose of WBI technology is to screen travellers visually in order to detect weapons, explosives and other threat items more thoroughly than a metal detector can. Examples include: Ultrasonic Imaging Technology, Superconducting Quantum Interference Devices, T-ray (terahertz) Technology, Millimeter (MM) Wave Technology, and X-ray Scanning Systems. The two main types of scanners used for security screening are Millimeter Wave and Backscatter machines. Millimeter Wave machines send radio waves over a person and produce a three-dimensional image by measuring the energy reflected back. Backscatter machines use low-level x-rays to create a two-dimensional image of the body. The machines show what a physical pat-down would potentially reveal but what a metal detector would not find: for example, they will detect items such as chemical explosives and non-metallic weapons.&lt;/p&gt;
&lt;h3&gt;How are These Technologies Being Used - Two News Items to Ponder: &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;News Item One&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On 25 December 2009 a Nigerian attempted to blow up a Detroit-bound aircraft in the United States. In response to this attempt, in addition to the heightened security concerns in the wake of 9/11, the United States has pushed for greater use of full-body scanners, among other initiatives. The hope is that the scanners will bring a heightened level of security and stop potential attacks from occurring in the future.&lt;/p&gt;
&lt;p&gt;Also, in response to the attempted attack on the U.S., the Mumbai terrorist attacks, and many other incidents, India has likewise considered the implementation of full-body scanners in airports. According to an article published on 2 January 2010 in The Times of India, soon after the incident in the United States, the Indian Intelligence Bureau submitted a comprehensive airport review that spoke about the need for full-body scanners. On 6 July 2010, the Times of India ran a story on how full-body scanners will not be used at the two Dubai airports. The story went on to explain in detail how the airports in Dubai have decided against the use of full-body scanners as a security measure, because they ‘contradict’ Islam, and because the government respects the privacy of individuals and their personal freedom. The head of the Dubai police department was quoted as saying “The scanners will be replaced with other inspection systems that reserve travelers' privacy.” At airports that utilize the scanners, not everyone is required to go through a full-body scanner at the security checkpoint (I myself have never been in one); instead the authority randomly selects persons to be scanned. An individual has the option to opt out of the scan, but if they choose to do so, they must undergo a thorough body pat-down search. During the scan, the officer zooms in on parts of the image for a better look if any portion of the image appears suspicious. Once a scan is completed, the passenger waits while the scan is sent to and reviewed by another officer elsewhere. The officers are connected by wireless headsets. If no problems are found, the image is supposed to be erased. If a problem is found, the officer tells the checkpoint agent where the problem is, and the image is retained until the issue is resolved, and then it is erased. The wireless transmission of the image by a computer to another officer for analysis is a built-in safeguard, because the agent who sees the image never sees the passenger and the officer who sees the passenger never sees the image.&lt;/p&gt;
&lt;p&gt;Despite this, the machines are controversial because they generate images of a passenger's entire body, which raises concerns about the privacy violations that could occur. Besides the physical invasion that the scanners pose, privacy concerns have centred on the fact that the actual implementation of the procedures for retention and deletion of images is unclear. For instance, in Florida, images from a scanner at a courthouse were found to have been leaked and circulated. In 2008, the US Department of Homeland Security published a report on the privacy of whole-body imaging and its compliance with the Fair Information Practice Principles. Among other safeguards, the report concluded that the image does not provide enough detail for personal identification, that the image is not retained, and that the machine could in fact work to protect the privacy of an individual by sparing the person the indignity of a pat-down.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;News Item Two&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In October this year, Fox News ran a story on how x-ray scanners, similar to the ones used in airports, are now being placed in vans that can see into the vehicles around them. The vans are used to detect car bombs, drugs, radioactivity and people hiding. They have been used at major crowd events like the Super Bowl. According to the Department of Homeland Security, the vans have led to the seizure of 89,000 pounds of narcotics and $4 million worth of currency. The technology used in the vans is the backscatter x-ray machine. The vans are more controversial than the scanners at airports, because it is not possible to obtain consent from the target vehicle, and a person in a car does not have the option to opt out in favour of a thorough manual search of the car. Furthermore, images are not sent to another authority to be analyzed, but are instead analyzed by the authority in the van. Reactions to the vans have been mixed. Some worry about the invasion of privacy that the vans pose, the lack of consent that an individual gives to having his car scanned, and the fact that these scans are conducted without a warrant. Others believe that the security the vans can provide far outweighs the threats to privacy. In airports, if evidence is found against a person, it is clear that airport authorities have the right to stop the individual and proceed further. This right arises from the individual's having chosen to do business at the airport, but a person who is travelling on a public street or highway has not chosen to do business there. It is much more difficult to conclude that by driving on a road an individual has agreed to the possible scanning of his or her car.&lt;/p&gt;
&lt;h3&gt;Questions at the Heart of the WBI Debate: &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;Whole Body Imaging raises both simple and difficult questions about the dilemma of security vs. privacy, and of privacy as a right vs. privacy as protection. If privacy is seen as a fundamental right, as it is in Europe under Article 8 of the European Convention on Human Rights, then Whole Body Imaging raises questions about the human body: its legal and moral status, its value, its meaning, and the dignity that is supposed to be upheld by virtue of an individual’s privacy being a right. If Whole Body Imaging threatens the dignity of an individual, is it correct to permit the procedure at airports and to allow vans with x-ray machines to roam the streets? This question segues into a deeper question about security over privacy. The security appeal of WBI technology is its pro-active ability to provide intelligence about potential threats before anything actually happens. Does the security that these machines bring trump the right to privacy that they could be violating? Isn’t this question particularly pointed given that airport scanning is of only a randomly-selected portion of travellers? Is the loss of privacy proportionate to the need, and is the need actually met by these means? What is the purpose of security in these contexts? All privacy legislation must work to strike a balance between security and privacy. Typically, in terms of governments and security, restrictions are placed on the amount of unregulated monitoring that governments can do, through judicial oversight. Warrantless monitoring is typically permitted only in the case of declared national emergencies. Should WBI technology be subject to the same restrictions as, say, wiretapping, or would this defeat the purpose of the technology, given that the purpose is to prevent an event that could lead to a declared national emergency? Furthermore, how can legislation and policy, which have traditionally been crafted to be reactive in nature, adequately respond to the pro-active nature of the technology and its attempt to stop a crime before it happens?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How Have Other Countries Responded to Whole Body Imaging and How Should India Respond? &lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Countries around the world have responded differently to the use of whole body imaging. In the EU, full-body scanners are used only in the UK, and their use there is being protested, with the Human Rights Charter being invoked to argue that full-body imaging lowers human dignity and violates a person’s right to privacy. In EU countries such as Germany, there has been a strong backlash against full-body image scanners, which are called ‘Naked Scanners’. Nonetheless, according to an ABC report, in 2009 the Netherlands announced that scanners would be used for all flights from Amsterdam's airport to the United States.&lt;/p&gt;
&lt;p&gt;In the US, where scanners are being used, EPIC is suing the TSA on the grounds that the TSA should have enacted formal regulations to govern their use. It argues that the body scanners violate the Fourth Amendment, which prohibits unreasonable searches and seizures. Canada has purchased 44 new imaging scanners but has suggested using image-processing algorithms to protect individuals’ privacy further. A Nigerian leader also pledged to use full-body scanners.&lt;/p&gt;
&lt;p&gt;Though India has not implemented WBI technology, it has considered doing so twice, in 2008 and again in 2010. Legally, India would have to wrestle with the same questions of security vs. privacy that the world is facing. From the government’s demand for the BlackBerry encryption keys and the loose clauses in the ITA (Information Technology Act) and the Telegraph Act that permit wiretapping and monitoring by the government, it would appear that the Government of India would advocate tight security measures with few restrictions, and would welcome the potential that monitoring has to stop terror from occurring. But this would have to be balanced against the concerns raised by the Dubai police chief's observation, reported in the Times of India, that the use of scanners was “against Islam, and an invasion of personal freedom.” It is not clear which value would be given priority.&lt;/p&gt;
&lt;p&gt;The variation in responses and the uneven uptake of the technology around the world show how controversial the debate between security and privacy is, and how culture, context, and perceptions of privacy all contribute to an individual’s or a nation’s willingness or unwillingness to embrace new technology. The nature of the debate shows that privacy is not an issue only of data protection, and that it is much more than just a sum of numbers. Instead, privacy is something that must be viewed holistically and contextually, and it must be a factor when assessing new policies.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions'&gt;https://cis-india.org/internet-governance/blog/privacy-concerns-in-whole-body-imaging-a-few-questions&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-03-21T10:09:02Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
