Centre for Internet and Society

State of Digital Rights in India (Delhi, March 24)

Japreet Grewal and Sumandro Chattapadhyay — 2017-03-27T13:21:20Z

The Centre for Communication Governance at National Law University, Delhi and the Internet Freedom Foundation, in association with Access Now, are hosting a discussion on The State of Digital Rights in India on March 24, 2017 (Friday) from 6.00 pm onwards at Lecture Room-I, India International Centre- Annexe, New Delhi. Japreet Grewal and Sumandro Chattapadhyay will participate in the panel discussions.

Registration: Eventbrite

March 24, 2017 marks the two year anniversary of the landmark Shreya Singhal judgment. This was a very significant ruling on freedom of speech and expression and occupies an important place in the Supreme Court’s discourse on civil liberties. The judgment traces out the contours of free speech on the Internet in India and unequivocally holds that the right to freedom of expression provided under Article 19(1)(a) applies to speech over the Internet, making it clear that this is a medium-neutral right.

The event aims to shed some light on this key judgment and discuss ongoing discussions regarding our civil liberties and freedoms online before courts and the Parliament. We would also like to take this opportunity to discuss some of the other pressing issues like Network Neutrality, Internet shutdowns, Privacy and User Security which need immediate attention and engagement of our democratic institutions. We hope to formulate effective strategies which will further shape the legal and policy framework in India, and facilitate better collaborative efforts between stakeholders.

We hope to bring together everyone who contributed to the judgment, and those who do work connected with it, so that we may build on it to seek a better legal framework to protect online speech and to discuss the threats surrounding digital rights and how best build on the foundations of the judgment.

We would be grateful if you could take out some time on Friday evening (6PM) and be a part of this important discussion. The discussion will be followed by dinner and an Open Bar for an Open Internet, which will start from 9.00 pm at the Annexe Court in the India International Centre - Annexe. In case you are unable to attend the seminar, please do join us for dinner!

Featuring:

A keynote address on our online freedoms and policymaking, by Shri Tathagata Satpathy (Member of Parliament, Lok Sabha)
A legal panel analysing the legacy of the Shreya Singhal v. Union of India judgment
Beyond Shreya Singhal: A conversation with women on the future of our digital rights
Briefings on the state of digital rights in our courts and in Parliament
A conversation on the path ahead for our civil liberties and digital rights community

For more details visit https://cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24

State of Consumer Digital Security in India

pranav — 2021-07-05T11:07:24Z

This report attempts to identify the existing state of digital safety in India, with a mapping of digital threats, which will aid stakeholders in identifying and addressing digital security problems in the country. This project was funded by the Asia Foundation.

Since 2006, successive Union governments in India have shown increased focus on digital governance. The National e-Governance Plan was launched by the UPA government in2006, and several digital projects led by the state such as digitisation of the filing of taxes, appointment process for passports, corporate governance, and the Aadhaar programme(India’s unique digital identity system that utilises biometric and demographic data) arose under it, in the form of mission mode projects (projects that are part of a broader National e-governance initiative, each focusing on specific e-Governance aspects, like banking, land records, or commercial taxes). In 2014, when the NDA government came to power, the National e-Governance Plan was subsumed under the government’s flagship project of Digital India, and several mission mode projects were added. In the meantime, the internet connectivity, first in the form of wire connectivity, and later in the form of mobile connectivity has increased greatly. In the same period, use of digital services, first in new services native to the Internet such as email, social networking, instant messaging, and later the platformization and disruption of traditional business models in transportation, healthcare, finance and virtually every sector, has led to a deluge of digital private service providers in India.

Currently, India has 500 million internet users — over a third of its total population — making it the country with the second largest number of Internet users after China. The uptake of these technological services has also been accompanied by several kinds of digital threats that an average digital consumer in India must regularly contend with. This report is a mapping of consumer-facing digital threats in India and is intended to aid stakeholders in identifying and addressing digital security problems. The first part of the report categorises digital threats into four kinds, Personal Data Threats, Online Content Related Threats, Financial Threats, and Online Sexual Harassment Threats. Threats under each category are then defined, with detailed consumer-facing consequences, and past instances where harm has been caused because of these threats.

Read the full report here.

For more details visit https://cis-india.org/internet-governance/blog/state-of-consumer-digital-security-in-india

Srikrishna panel upset at timing of Trai suggestions

Admin — 2018-07-19T14:17:19Z

The Justice BN Srikrishna Committee, which is drafting a model data protection and privacy law for India, is upset by the timing of recommendations made by the country’s telecom regulator this week, according to a senior member of the panel, as it fears this will delay the submission of its own report, due later this month.

The article by Megha Mandavia was published in Economic Times on July 19, 2018. Swaraj Paul Barooah was quoted.

On Monday, Telecom Regulatory Authority of India (Trai) in a surprise move recommended rules that give users control of their data and personal information while severely restricting ways in which telecom and internet firms can use customer data. Its rules are applicable for apps, browsers, operating systems and handset makers.

“Next week somebody will make some recommendations and that will have to be merged, then again somebody will make some other recommendations,” the person told ET. He added that the committee will look into Trai’s submissions.

On Wednesday, ET reported that officials of ministry of electronics and information technology (MeitY), besides industry groupings such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) were unhappy with Trai’s move.

“Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for Trai as sectoral regulator but the basics of privacy will be governed by the data protection Act,” a MeitY official told ET.

Legal experts and industry analysts also questioned the need for the regulatory announcement just before the Justice Srikrishna committee releases its report, after a year of deliberations.

The high-powered group — consisting of jurists, academicians and policymakers — was formed last July with a brief to suggest principles for data privacy and a draft data protection bill for the country.

“Why is Trai then pre-empting the law?” said Kartik Maheshwari, leader for technology companies at law firm Nishith Desai Associates.

“Now that Trai has published its recommendations in public domain, the government may not be able to completely ignore them. But it’s so late in the day that it may not have any real impact on the final recommendations of the Justice Srikrishna committee,” he said.

The ten-member panel may incorporate some of Trai’s suggestions even as it submits its report to the union government next week. Trai chairman RS Sharma said the regulatory body has jurisdiction to tackle data protection under consumer interest, and those who feed off the industry — content providers, or apps, browsers, operating systems, and devices — were only custodians.

“We will send these recommendations to the committee, but we did not time it to coincide. We’re not dependent on the committee and we had issued this suo moto, since we felt the need to rigorously deliberate on the issue,” Sharma told ET on Tuesday.

There could be sector-specific laws within the general data protection framework for the telecom sector, he added.

Analysts say that regulators making public their recommendations before the data framework only adds to the confusion. “Industry was looking forward to a common primary framework. There are many independent suggestions coming from various regulators. It is creating confusion and chaos. I do expect considerable delay in finalising the law. Once the draft is out, there will be public consultation; all regulators will also have a say,” said Vidur Gupta, partner, government and public sector, EY India.

Others say that while there is clarity on what Trai is expecting, it has to be bound by the panel’s recommendations.

“It is good that a regulator has an eye on the market. It gives us an idea about what Trai has on its mind. The Reserve Bank of India also had not waited for Srikrishna Committee report before issuing a directive on data localisation,” said Swaraj Paul Barooah, policy director at Centre for Internet and Society.

“But the major point is that Trai’s recommendations are not binding; the data privacy law will be influenced by Justice Srikrishna committee only.”

For more details visit https://cis-india.org/internet-governance/news/economic-times-megha-mandavia-july-19-2018-srikrishna-panel-upset-at-timing-of-trai-suggestions

Spy Files 3: WikiLeaks Sheds More Light On The Global Surveillance Industry

maria — 2013-11-14T16:21:00Z

In this article, Maria Xynou looks at WikiLeaks' latest Spy Files and examines the legality of India's surveillance technologies, as well as their potential connection with India's Central Monitoring System (CMS) and implications on human rights.

Last month, WikiLeaks released “Spy Files 3”, a mass exposure of the global surveillance trade and industry. WikiLeaks first released the Spy Files in December 2011, which entail brochures, presentations, marketing videos and technical specifications on the global trade of surveillance technologies. Spy Files 3 supplements this with 294 additional documents from 92 global intelligence contractors.

So what do the latest Spy Files reveal about India?

When we think about India, the first issues that probably come to mind are poverty and corruption, while surveillance appears to be a more “Western” and elitist issue. However, while many other developing countries are excluded from WikiLeaks’ list of surveillance technology companies, India is once again on the list with some of the most controversial spyware.

ISS World Surveillance Trade Shows

The latest Spy Files include a brochure of the ISS World 2013 -the so-called “wiretapper’s ball”- which is the world’s largest surveillance trade show. This years ’ ISS World Asia will take place in Malaysia during the first week of December and law enforcement agencies from around the world will have another opportunity to view and purchase the latest surveillance tech. The leaked ISS World 2013 brochure entails a list of last years’ global attendees. According to the brochure, 53% of the attendees included law enforcement agencies and individuals from the defense, public safety and interior security sectors, 41% of the attendees were ISS vendors and technology integrators, while only 6% of the attendees were telecom operators and from the private enterprise. The brochure boasts that 4,635 individuals from 110 countries attended the ISS World trade shows last year and that the percentage of attendance is increasing.

The following table lists the Indian attendees at last years ’ ISS World:

Law Enforcement, Defense and Interior Security Attendees	Telecom Operators and Private Enterprises Attendees	ISS Vendors and Technology Integrators Attendees
Andhra Pradesh India Police	BT	AGC Networks
CBI Academy	Cogence Investment Bank	Aqsacom India
Government of India, Telecom Department	India Reliance Communications	ClearTrail Technologies
India Cabinet Secretariat	Span Telecom Pvt. Ldt.	Foundation Technologies
India Centre for Development of Telematics (C-DOT)		Kommlabs
India Chandigarh Police		Paladion Networks
India Defence Agency		Polaris Wireless
India General Police		Polixel Security Systems
India Intelligence Department		Pyramid Cyber Security
India National Institute of Criminology		Schleicher Group
India office LOKAYUKTA NCT DELHI		Span Technologies
India Police Department, A.P.		TATA India
India Tamil Nadu Police Department		Tata Consultancy Services
Indian Police Service, Vigilance		Telecommunications India
Indian Telecommunications Authority		Vehere Interactive
NTRO India
SAIC Indian Tamil Nadu Police

17 4 15

According to the above table - which is based on data from the WikiLeaks ’ ISS World 2013 brochure- the majority of Indian attendees at last years’ ISS World were from the law enforcement, defense and interior security sectors. 15 Indian companies exhibited and sold their surveillance technologies to law enforcement agencies from around the world and it is notable that India’s popular ISP provider, Reliance Communications, attended the trade show too.

In addition to the ISS World 2013 brochure, the Spy Files 3 entail a detailed brochure of a major Indian surveillance technology company: ClearTrail Technologies.

ClearTrail Technologies

ClearTrail Technologies is an Indian company based in Indore. The document titled “Internet Monitoring Suite ” from ClearTrail Technologies boasts about the company’s mass monitoring, deep packet inspection, COMINT, SIGINT, tactical Internet monitoring, network recording and lawful interception technologies. ClearTrail’s Internet Monitoring Suite includes the following products:

1. ComTrail: Mass Monitoring of IP and Voice Networks

ComTrail is an integrated product suite for centralized interception and monitoring of voice and data networks. It is equipped with an advanced analysis engine for pro-active analysis of thousands of connections and is integrated with various tools, such as Link Analysis, Voice Recognition and Target Location.

ComTrail is deployed within a service provider network and its monitoring function correlates voice and data intercepts across diverse networks to provide a comprehensive intelligence picture. ComTrail supports the capture, record and replay of a variety of Voice and IP communications in pretty much any type of communication, including - but not limited to- Gmail, Yahoo, Hotmail, BlackBerry, ICQ and GSM voice calls.

Additionally, ComTrail intercepts data from any type of network -whether Wireless, packet data, Wire line or VoIP networks- and can decode hundreds of protocols and P2P applications, including HTTP, Instant Messengers, Web-mails, VoIP Calls and MMS.

In short, ComTrail’s key features include the following:

- Equipped to handle millions of communications per day intercepted over high speed STM & Ethernet Links

- Doubles up as Targeted Monitoring System

- On demand data retention, capacity exceeding several years

- Instant Analysis across thousands of Terabytes

- Correlates Identities across multiple networks

- Speaker Recognition and Target Location

2. xTrail: Targeted IP Monitoring

xTrail is a solution for interception, decoding and analysis of high speed data traffic over IP networks and independently monitors ISPs/GPRS and 3G networks. xTrail has been designed in such a way that it can be deployed within minutes and enables law enforcement agencies to intercept and monitor targeted communications without degrading the service quality of the IP network. This product is capable of intercepting all types of networks -including wireline, wireless, cable, VoIP and VSAT networks- and acts as a black box for “record and replay” targeted Internet communications.

Interestingly enough, xTrail can filter based on a “pure keyword”, a URL/Domain with a keyword, an IP address, a mobile number or even with just a user identity, such as an email ID, chat ID or VoIP ID. Furthermore, xTrail can be integrated with link analysis tools and can export data in a digital format which can allegedly be presented in court as evidence.

In short, xTrail’s key features include the following:

- Pure passive probe

- Designed for rapid field operations at ISP/GPRS/Wi-Max/VSAT Network Gateways

- Stand-alone solution for interception, decoding and analysis of multi Gigabit IP traffic

- Portable trolley based for simplified logistics, can easily be deployed and removed from any network location

- Huge data retention, rich analysis interface and tamper proof court evidence

- Easily integrates with any existing centralized monitoring system for extended coverage

3. QuickTrail: Tactical Wi-Fi Monitoring

Some of the biggest IP monitoring challenges that law enforcement agencies face include cases when targets operate from public Internet networks and/or use encryption.

QuickTrail is a device which is designed to gather intelligence from public Internet networks, when a target is operating from a cyber cafe, a hotel, a university campus or a free Wi-Fi zone. In particular, QuickTrail is equipped with multiple monitoring tools and techniques that can help intercept almost any wired, Wi-Fi or hybrid Internet network so that a target communication can be monitored. QuickTrail can be deployed within fractions of seconds to intercept, reconstruct, replay and analyze email, chat, VoIP and other Internet activities of a target. This device supports real time monitoring and wiretapping of Ethernet LANs.

According to ClearTrail’s brochure, QuickTrail is a “all-in-one” device which can intercept secured communications, know passwords with c-Jack attack, alert on activities of a target, support active and passive interception of Wi-Fi and wired LAN and capture, reconstruct and replay. It is noteworthy that QuickTrail can identify a target machine on the basis of an IP address, MAC ID, machine name, activity status and several other parameters. In addition, QuickTrail supports protocol decoding, including HTTP, SMTP, POP3 and HTTPS. This device also enables the remote and central management of field operations at geographically different locations.

In short, QuickTrail’s key features include the following:

- Conveniently housed in a laptop computer

- Intercepts Wi-Fi and wired LANs in five different ways

- Breaks WEP, WPA/WPA2 to rip-off secured Wi-Fi networks

- Deploys spyware into a target’s machine

- Monitor’s Gmail, Yahoo and all other HTTPS-based communications

- Reconstructs webmails, chats, VoIP calls, news groups and social networks

4. mTrail: Off-The-Air Interception

mTrail offers active and passive ‘off-the-air’ interception of GSM 900/1800/1900 Mhz phone calls and data to meet law enforcement surveillance and investigation requirements. The mTrail passive interception system works in the stealth mode so that there is no dependence on the network operator and so that the target is unaware of the interception of its communications.

The mTrail system has the capability to scale from interception of 2 channels (carrier frequencies) to 32 channels. mTrail can be deployed either in a mobile or fixed mode: in the mobile mode the system is able to fit into a briefcase, while in the fixed mode the system fits in a rack-mount industrial grade chassis.

Target location identification is supported by using signal strength, target numbers, such as IMSI, TIMSI, IMEI or MSI SDN, which makes it possible to listen to the conversation on so-called “lawfully intercepted” calls in near real-time, as well as to store all calls. Additionally, mTrail supports the interception of targeted calls from pre-defined suspect lists and the monitoring of SMS and protocol information.

In short, mTrail’s key features include the following:

- Designed for passive interception of GSM communications

- Intercepts Voice and SMS “off-the-air”

- Detects the location of the target

- Can be deployed as a fixed unit or mounted in a surveillance van

- No support required from GSM operator

5. Astra: Remote Monitoring and Infection framework

“Astra ” is a remote monitoring and infection framework which incorporates both conventional and proprietary infection methods to ensure bot delivery to the targeted devices. It also offers a varied choice in handling the behavior of bots and ensuring non-traceable payload delivery to the controller.

The conventional methods of infection include physical access to a targeted device by using exposed interfaces, such as a CD-ROM, DVD and USB ports, as well as the use of social media engineering techniques. However, Astra also supports bot deployment without requiring any physical access to the target device.

In particular, Astra can push bot to any targeted machine sharing the same LAN (wired, wi-fi or hybrid). The SEED is a generic bot which can identify a target’s location, log keystrokes, capture screen-shots, capture Mic, listen to Skype calls, capture webcams and search the target’s browsing history. Additionally, the SEED bot can also be remotely activated, deactivated or terminated, as and when required. Astra allegedly provides an un-traceable reporting mechanism that operates without using any proxies, which overrules the possibility of getting traced by the target.

Astra’s key features include the following:

- Proactive intelligence gathering

- End-to-end remote infection and monitoring framework

- Follow the target, beat encryption, listen to in-room conversations, capture keystrokes and screen shots

- Designed for centralized management of thousands of targets

- A wide range of deployment mechanisms to optimize success ration

- Non-traceable, non-detectable delivery mechanism

- Intrusive yet stealthy

- Easy interface for handling most complex tasks

- Successfully tested over the current top 10 anti-virus available in the market

- No third party dependencies

- Free from any back-door intervention

ClearTrail Technologies argue that they meet lawful interception regulatory requirements across the globe. In particular, they claim that their products are compliant with ETSI and CALEA regulations and that they are efficient to cater to region specific requirements as well.

The latest Spy Files also include data on foreign surveillance technology companies operating in India, such as Telesoft Technologies, AGT International and Verint Systems. In particular, Verint Systems has its headquarters in New York and offices all around the world, including Bangalore in India. Founded in 1994 and run by Dan Bodner, Verint Systems produces a wide range of surveillance technologies, including the following:

- Impact 360 Speech Analytics

- Impact 360 Text Analytics

- Nextiva Video Management Software (VMS)

- Nextiva Physical Security Information Management (PSIM)

- Nextiva Network Video Recorders (NVRs)

- Nextiva Video Business Intelligence (VBI)

- Nextiva Surveillance Analytics

- Nextiva IP cameras

- CYBERVISION Network Security

- ENGAGE suite

- FOCAL-INFO (FOCAL-COLLECT & FOCAL-ANALYTICS)

- RELIANT

- STAR-GATE

- VANTAGE

While Verint Systems claims to be in compliance with ETSI, CALEA and other worldwide lawful interception and standards and regulations, it remains unclear whether such products successfully help law enforcement agencies in tackling crime and terrorism, without violating individuals’ right to privacy and other human rights. After all, Verint Systems has participated in ISS World Trade shows which exhibit some of the most controversial spyware in the world, used to target individuals and for mass surveillance.

And what do the latest Spy Files mean for India?

Why is it even important to look at the latest Spy Files? Well, for starters, they reveal data about which Indian law enforcement agencies are interested in surveillance and which companies are interested in selling and/or buying the latest spy gear. And why is any of this important? I can think of three main reasons:

1. The Central Monitoring System (CMS)

2. Is any of this surveillance even legal in India?

3. Can such surveillance result in the violation of human rights?

Spy Files 3...and the Central Monitoring System (CMS)

Following the Mumbai 2008 terrorist attacks, the Telecom Enforcement, Resource and Monitoring (TREM) cells and the Centre for Development of Telematics (C-DOT) started preparing the Central Monitoring System (CMS ). As of April 2013, this project is being manned by the Intelligence Bureau, while agencies which are planned to have access to it include the Research & Analysis Wing (RAW) and the Central Bureau of Investigation (CBI). ISP and Telecom operators are required to install the gear which enables law enforcement agencies to carry out the Central Monitoring System under the Unified Access Services (UAS ) License Agreement.

The Central Monitoring System aims at centrally monitoring all telecommunications and Internet communications in India and its estimated cost is Rs . 4 billion. In addition to equipping government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers, the CMS will also enable Call Data Records (CDR) analysis and data mining to identify personal information of the target numbers. The CMS supplements regional Internet Monitoring Systems , such as that of Assam, by providing a nationwide monitoring of telecommunications and Internet communications, supposedly to assist law enforcement agencies in tackling crime and terrorism.

However, data monitored and collected through the CMS will be stored in a centralised database, which could potentially increase the probability of centralized cyber attacks and thus increase, rather than reduce, threats to national security. Furthermore, some basic rules of statistics indicate that the bigger the amount of data , the bigger the probability of an error in matching profiles, which could potentially result in innocent people being charged with crimes they did not commit. And most importantly: the CMS currently lacks adequate legal oversight, which means that it remains unclear how monitored data will be used. The UAS License Agreement regarding the CMS mandates mass surveillance by requiring ISPs and Telecom operators to enable the monitoring and interception of communications. However, targeted and mass surveillance through the CMS not only raises serious questions around its legality, but also creates the potential for abuse of the right to privacy and other human rights.

Interestingly enough, Indian law enforcement agencies which attended last years ’ ISS World trade shows are linked to the Central Monitoring System. In particular, last years’ law enforcement, defense and interior security attendees include the Centre for Development of Telematics (C-DOT) and the Department of Telecommunications, both of which prepared the Central Monitoring System. The list of attendees also includes India’s Intelligence Bureau, which is manning the CMS, as well as the agencies which will have access to the CMS: the Central Bureau of Investigation (CBI), the Research and Analysis Wing (RAW), the National Technical Research Organization (NTRO) and various other state police departments and intelligence agencies.

Furthermore, Spy Files 3 entail a list of last years ’ ISS World security company attendees, which includes several Indian companies. Again, interestingly enough, many of these companies may potentially be aiding law enforcement with the technology to carry out the Central Monitoring System. ClearTrail Technologies, in particular, provides solutions for targeted and mass monitoring of IP and voice networks, as well as remote monitoring and infection frameworks - all of which would potentially be perfect to aid the Central Monitoring System.

In fact, ClearTrail states in its brochure that its ComTrail product is equipped to handle millions of communications per day, while its xTrail product can easily be integrated with any existing centralised monitoring system for extended coverage. And if that’s not enough, ClearTrail’s “Astra ” is designed for the centralized management of thousands of targets. While there may not be any concrete proof that ClearTrail is indeed aiding the Centralized Monitoring System, the facts speak for themselves: ClearTrail is an Indian company which sells target and mass monitoring products to law enforcement agencies. The Centralized Monitoring System is currently being implemented. What are the odds that ClearTrail is not equipping the CMS? And what are the odds that such technology is not being used for other mass electronic surveillance programmes, such as the Lawful Intercept and Monitoring (LIM)?

Spy Files 3...and the legality of India’s surveillance technologies

ClearTrail Technologies’ brochure -the only leaked document on Indian surveillance technology by the latest Spy Files- states that the company complies with ETSI and CALEA regulations. While it’s clear that the company complies with U.S. and European regulations on the interception of communications to attract more customers in the international market, such regulations don’t really apply within India, which is part of ClearTrail’s market. Notably enough, ClearTrail does not mention any compliance with Indian regulations in its brochure. So let’s have a look at them.

India has five laws which regulate surveillance:

1. The Indian Telegraph Act, 1885

2. The Indian Post Office Act, 1898

3. The Indian Wireless Telegraphy Act, 1933

4. The Code of Criminal Procedure (CrPc ), 1973: Section 91

5. The Information Technology (Amendment ) Act, 2008

The Indian Post Offices Act does not cover electronic communications and the Indian Wireless Telegraphy Act lacks procedures which would determine if surveillance should be targeted or not. Neither the Indian Telegraph Act nor the Information Technology (Amendment ) Act cover mass surveillance, but are both limited to targeted surveillance. Moreover, targeted interception in India according to these laws requires case-by-case authorization by either the home secretary or the secretary department of information technology. In other words, unauthorized, limitless, mass surveillance is not technically permitted by law in India.

The Indian Telegraph Act mandates that the interception of communications can only be carried out on account of a public emergency or for public safety. However, in 2008, the Information Technology Act copied most of the interception provisions of the Indian Telegraph Act, but removed the preconditions of public emergency or public safety, and instead expanded the power of the government to order interception for the “investigation of any offense”.

The interception of Internet communications is mainly covered by the 2009 Rules under the Information Technology Act 2008 and Sections 69 and 69 B are particularly noteworthy. According to these Sections, an Intelligence Bureau officer who leaked national secrets may be imprisoned for up to three years, while Section 69 not only allows for the interception of any information transmitted through a computer resource, but also requires that users disclose their encryption keys upon request or face a jail sentence of up to seven years.

While these laws allow for the interception of communications and can be viewed as widely controversial, they do not technically permit the mass surveillance of communications. In other words, ClearTrail’s products, such as ComTrail, which enable the mass interception of IP networks, lack legal backing. However, the Unified Access Services (UAS ) License Agreement regarding the Central Monitoring System mandates mass surveillance and requires ISP and Telecom operators to comply.

Through the licenses of the Department of Telecommunications, Internet service providers, cellular providers and telecoms are required to provide the Government of India direct access to all communications data and content even without a warrant, which is not permitted under the laws on interception. These licenses also require cellular providers to have ‘bulk encryption’ of less than 40 bits, which means that potentially any person can use off-the-air interception to monitor phone calls. However, such licenses do not regulate the capture of signal strength, target numbers like IMSI, TIMSI, IMEI or MSI SDN, which can be captured through ClearTrail’s mTrail product.

More importantly, following allegations that the National Technical Research Organization (NTRO) had been using off-the-air interception equipment to snoop on politicians in 2011, the Home Ministry issued a directive to ban the possession or use of all off-the-air phone interception gear. As a result, the Indian Government asked the Customs Department to provide an inventory of all all such equipment imported over a ten year period, and it was uncovered that as many as 73,000 pieces of equipment had been imported. Since, the Home Ministry has informed the heads of law enforcement agencies that there has been a compete ban on use of such equipment and that all those who possess such equipment and fail to inform the Government will face prosecution and imprisonment. In short, ClearTrail's product, mTrail, which undertakes off-the-air phone monitoring is illegal and Indian law enforcement agencies are prohibited from using it.

ClearTrail’s “Astra ” product is capable of remote infection and monitoring, which can push bot to any targeted machine sharing the same LAN. While India’s ISP and telecommunications licenses generally provide some regulations, they appear to be inadequate in regulating specific surveillance technologies which have the capability to target machines and remotely monitor them. Such licenses mandate mass surveillance, but legally, wireless communications are completely unregulated, which raises the question of whether the interception of public Internet networks is allowed. In other words, it is not clear if ClearTrail’s QuickTrail is technically legal or not. The UAS License agreement mandates mass surveillance, and while the law does not prohibit it, it does not mandate mass surveillance either. This remains a grey area.

The issue of data retention arises from ClearTrail ’s leaked brochure. In particular, ClearTrail states in its brochure that ComTrail - which undertakes mass monitoring of IP and Voice networks - retains data upon request, with a capacity that exceeds several years. xTrail - for targeted IP monitoring - has the ability to retain huge volumes of data which can potentially be used as proof in court. However, India currently lacks privacy legislation which would regulate data retention, which means that data collected by ClearTrail could potentially be stored indefinitely.

Section 7 of the Information Technology (Amendment) Act, 2008, deals with the retention of electronic records. However, this section does not state a particular data retention period, nor who will have authorized access to data during its retention, who can authorize such access, whether retained data can be shared with third parties and, if so, under what conditions. Section 7 of the Information Technology (Amendment) Act, 2008, appears to be incredibly vague and to fail to regulate data retention adequately.

Data retention requirements for service providers are included in the ISP and UASL licenses and, while they clarify the type of data they retain, they do not specify adequate conditions for data retention. Due to the lack of data protection legislation in India, it remains unclear how long data collected by companies, such as ClearTrail, would be stored for, as well as who would have authorized access to such data during its retention period, whether such data would be shared with third parties and disclosed and if so, under what conditions.

India currently lacks specific regulations for the use of various types of technologies, which makes it unclear whether ClearTrail ’s spy products are technically legal or not. It is clear that ClearTrail’s mass interception products, such as ComTrail, are not legalized - since Indian laws allow for targeted interception- but they are mandated through the UAS License agreement regarding the Central Monitoring System.

In short, the legality of ClearTrail’s surveillance technologies remains ambiguous. While India’s ISP and telecom licenses and the UAS License Agreement mandate mass surveillance, the laws - particularly the 2009 Information Technology Rules- mandate targeted surveillance and remain silent on the issue of mass surveillance. Technically, this does not constitute mass surveillance legal or illegal, but rather a grey area. Furthermore, while India ’s Telegraph Act, Information Technology Act and 2009 Rules allow for the interception, monitoring and decryption of communications and surveillance in general, they do not explicitly regulate the various types of surveillance technologies, but rather attempt to “legalize” them through the blanket term of surveillance.

One thing is clear: India’s license agreements ensure that all ISPs and telecom operators are a part of the surveillance regime. The lack of regulations for India’s surveillance technologies appear to create a grey zone for the expansion of mass surveillance in the country. According to Saikat Datta, an investigative journalist, a senior privacy telecom official stated:

“Do you really think a private telecom company can stand up to the government or any intelligence agency and cite law if they want to tap someone’s phone?”

Spy Files 3...and human rights in India

The facts speak for themselves. The latest Spy Files confirm that the same agencies involved in the development of the Central Monitoring System (CMS) are also interested in the latest surveillance technology sold in the global market. Spy Files 3 also provide data on one of India’s largest surveillance technology companies, ClearTrail, which sells a wide range of surveillance technologies to law enforcement agencies around the world. And Spy Files 3 show us exactly what these technologies can do.

In particular, ClearTrail’s ComTrail provides mass monitoring of IP and voice networks, which means that law enforcement agencies using it are capable of intercepting millions of communications every day through Gmail, Yahoo, Hotmail and others, of correlating our identities across networks and of targeting our location. xTrail enables law enforcement agencies to monitor us based on our “harmless” metadata, such as our IP address, our mobile number and our email ID. Think our data is secure when using the Internet through a cyber cafe? Well QuickTrail proves us wrong, as it’s able to assist law enforcement agencies in monitoring and intercepting our communications even when we are using public Internet networks.

And indeed, carrying a mobile phone is like carrying a GPS device, especially since mTrail provides law enforcement with off-the-air interception of mobile communications. Not only can mTrail target our location, listen to our calls and store our data, but it can also undertake passive off-the-air interception and monitor our voice, SMS and protocol information. Interestingly enough, mTrail also intercepts targeted calls from a predefined suspect list. The questions though which arise are: who is a suspect? How do we even know if we are suspects? In the age of the War on Terror, potentially anyone could be a suspect and thus potentially anyone’s mobile communications could be intercepted. After all, mass surveillance dictates that we are all suspicious until proven innocent .

And if anyone can potentially be a suspect, then potentially anyone can be remotely infected and monitored by Astra. Having physical access to a targeted device is a conventional surveillance mean of the past. Today, Astra can remotely push bot to our laptops and listen to our Skype calls, capture our Webcams, search our browsing history, identify our location and much more. And why is any of this concerning? Because contrary to mainstream belief, we should all have something to hide !

Privacy protects us from abuse from those in power and safeguards our individuality and autonomy as human beings. If we are opposed to the idea of the police searching our home without a search warrant, we should be opposed to the idea of our indiscriminate mass surveillance. After all, mass surveillance - especially the type undertaken by ClearTrail ’s products - can potentially result in the access, sharing, disclosure and retention of data much more valuable than that acquired by the police searching our home. Our credit card details, our photos, our acquaintances, our personal thoughts and opinions, and other sensitive personal information can usually be found in our laptops, which potentially can constitute much more incriminating information than that found in our homes.

And most importantly: even if we think that we have nothing to hide, it’s really not up to us to decide: it’s up to data analysts. While we may think that our data is “harmless”, a data analyst linking our data to various other people and search activities we have undertaken might indicate otherwise. Five years ago, a UK student studying Islamic terrorism for his Masters dissertation was detained for six days . The student may not have been a terrorist, but his data said this: “Young, male, Muslim... who is downloading Al-Qaeda’s training material” - and that was enough for him to get detained. Clearly, the data analysts mining his online activity did not care about the fact that the only reason why he was downloading Al-Qaeda material was for his Masters dissertation. The fact that he was a male Muslim downloading terrorist material was incriminating enough.

This incident reveals several concerning points: The first is that he was clearly already under surveillance, prior to downloading Al-Qaeda’s material. However, given that he did not have a criminal record and was “just a Masters student in the UK”, there does not appear to be any probable cause for his surveillance in the first place. Clearly he was on some suspect list on the premise that he is male and Muslim - which is a discriminative approach. The second point is that after this incident, it is likely that some male Muslims may be more cautious about their online activity - with the fear of being on some suspect list and eventually being prosecuted because their data shows that “they’re a terrorist”. Thus, mass surveillance today appears to also have implications on freedom of expression. The third point is that this incident reveals the extent of mass surveillance, since even a document downloaded by a Masters student is being monitored.

This case proves that innocent people can potentially be under surveillance and prosecuted, as a result of mass, indiscriminate surveillance. Anyone can potentially be a suspect today, and maybe for the wrong reasons. It does not matter if we think our data is “harmless”, but what matters is who is looking at our data, when and why. Every bit of data potentially hides several other bits of information which we are not aware of, but which will be revealed within a data analysis. We should always “have something to hide ”, as that is the only way to protect us from abuse by those in power.

In the contemporary surveillance state, we are all suspects and mass surveillance technologies, such as the ones sold by ClearTrail, can potentially pose major threats to our right to privacy, freedom of expression and other human rights. And probably the main reason for this is because surveillance technologies in India legally fall in a grey area. Thus, it is recommended that law enforcement agencies in India regulate the various types of surveillance technologies in compliance with the International Principles on Communications Surveillance and Human Rights.

Spy Files 3 show us why our human rights are at peril and why we should fight for our right to be free from suspicion.

This article was cross-posted in Medianama on 6th November 2013.

For more details visit https://cis-india.org/internet-governance/blog/spy-files-three

Spy agencies, IB and RAW, put spanner in proposed privacy law

praskrishna — 2013-11-19T09:50:05Z

The country’s intelligence agencies are out to scuttle a law that’s being drafted to protect your privacy.

The article by Nagender Sharma and Aloke Tikku was published in the Hindustan Times on November 2, 2013. Sunil Abraham is quoted.

The Intelligence Bureau and the Research and Analysis Wing (RAW) have told the government to water down the proposed law that makes it a crime to leak sensitive personal information collected by government departments and the private sector.

The agencies conveyed their views to national security adviser Shivshankar Menon at a recent meeting at the prime minister’s office. With home secretary Anil Goswami backing the spooks, even arguing that “the very need for such a bill” should be reviewed, Menon has called for revisiting the provisions the agencies have objected to.

The Right to Privacy Bill 2013 lays down privacy principles and standards, and stipulates jail terms and fines for leak of sensitive personal data.

“If such a bill was to be considered, intelligence agencies should be exempted from its purview,” Goswami argued at the meeting.

The intelligence agencies also spoke about how the bill would “adversely affect or compromise” the functioning of many agencies and projects, such as the Central Monitoring System that is used to intercept phone calls and internet communication, and the National Intelligence Grid that would give law enforcement agencies access to information combat terror threats.

The proposed privacy law was initially conceptualised to address data privacy, particularly in the context of data handled by the Indian IT industry for foreign clients.

But the Department of Personnel and Training – that drew up the bill – expanded its scope to cover information collected by the government and interception by intelligence agencies.

Sunil Abraham of the Centre for Internet and Society, a Bangalore-headquartered advocacy group, said the security establishment’s attempts to scuttle the privacy law were a step back.

“Civil society isn’t against surveillance by security agencies. All that we ask for is due process and oversight,” Abraham said.

For more details visit https://cis-india.org/news/hindustan-times-november-2-2013-nagender-sharma-alok-tikku-spy-agencies-ib-and-raw-put-spanner-in-proposed-privacy-law

Spreading unhappiness equally around

sunil — 2018-07-31T14:49:52Z

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.

The article was published in Business Standard on July 31, 2018.

There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.

Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.

Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.

The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with
the henhouse.

Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.

Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.

Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.

Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013

Sorry Wrong Number

praskrishna — 2011-07-08T04:11:02Z

The government’s ambitious project to give a unique identification number to every Indian citizen is running woefully behind schedule. T.V. Jayan investigates the problems that beset the project. The news was published in the Telegraph on 3 July 2011.

It was supposed to be a smooth, if mammoth, operation — one where a 12-digit unique identification (UID) or aadhaar number would be provided to every Indian citizen within a specified time frame. Yet less than a year after Prime Minister Manmohan Singh and United Progressive Alliance chairperson Sonia Gandhi launched it with much fanfare in Maharashtra’s Nandurbar district, the ambitious project seems mired in problems.

In Nandurbar itself, the pace of implementation has been agonisingly slow. As against the enrolment target of 2.6 lakh people by June end, only 1.17 lakh people have been enrolled so far.

And Nandurbar is just one case in point. In most districts and states, the Unique Identification Authority of India (UIDAI), the body that is overseeing the project, is struggling to meet its target. Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Andhra Pradesh leads the pack with nearly 3.5 million UIDs, followed by Karnataka (1.82 million) and Maharashtra (1.6 million). The total enrolment, according to the UIDAI website, stands at 9.5 million as on June 27. The plan, though, is to provide aadhaar numbers to 600 million people by 2014 — a target that will surely remain way out of reach if the UIDAI continues with its current pace of work.

Forget the debate on whether or not the UID project will compromise a citizen’s right to privacy. Right now, the big issue facing it is that it’s beset with a host of operational problems. “There are issues at all levels — conceptual, technology, logistics and at the implementation stages. Unless we resolve them fast, there could be inordinate delays. The project could even be derailed,” says a senior manager at one of the biggest enrolment agencies empanelled with the UIDAI, on condition of anonymity.

The UID programme works something like this. The UIDAI has appointed a large number of registrars, which are either state or central government departments, or public sector banks and insurance companies. The registrars, in turn, have enlisted the services of private firms to enrol people and collect demographic and biometric data such as their finger prints, iris scans and so on. So far 209 firms have been enlisted as enrolment agencies (EAs). While most of them are information technology firms, stock broking companies, financial service companies and even printing presses have been commissioned to obtain the UID enrolment data.

Once the EAs collect the information, the data packets are sent to the respective registrar to be vetted and thence to the UIDAI’s Central Identities Data Repository (CIDR) in Bangalore. The CIDR checks the data packets for authenticity and makes sure that there has been no duplication of data — in case an individual has been enrolled more than once. When all the processes are cleared, a UID number is generated against the person’s name, which is delivered to him or her by post.

Incidentally, the government is yet to announce the cost of the entire project, although UIDAI director general Ram Sewak Sharma reveals that the cost of generating each aadhaar number would be about Rs 150.

What is also slowing down the project is the process of “de-duplication” of data. UIDAI technology head Srikanth Nadhamuni admits that the biometric service providers who help the CIDR check duplication in biometric records now take a couple of minutes to process a single data packet. As a result, right now the UIDAI can issue fewer than 50,000 aadhaar numbers a day. And yet, it plans to generate one million numbers daily by October this year. To achieve this target the UIDAI should be processing 11 data packets per second during a 24-hour cycle.

UIDAI director general Sharma feels that these are niggling problems that will soon be resolved. “Kindly understand that the world has not seen this scale of de-duplication thus far,” he exclaims. “The IT systems, both hardware and software, are continuously being tuned to scale up to these numbers.”

UIDAI’s chief technology architect Prashant Varma is also optimistic. “These things need not be done sequentially. If we have enough computing power it can be carried out in a parallel manner,” he says, adding that more hardware is on its way to streamline the de-duplication process.

But others hold out a much bleaker view. “The de-duplication algorithm will get slower and slower as the size of the database grows. The authority has also not been transparent about the de-duplication process,” says Sunil Abraham, executive director of the Centre for Internet and Society (CIS), Bangalore.

Enrolment agencies too say that the problem is far more serious than what the UIDAI admits. “Currently, they are processing data packets that we had sent in April,” says the state head of an EA working with the commissioner of civil supplies in Andhra Pradesh.

Again, the fact that the UIDAI is taking an inordinately long time to generate the aadhaar numbers — about three to four months from the time of data collection, in place of a month as originally planned — is creating its own complications. Thanks to the time lag, a citizen who is unsure of his UID status may go to another enrolment agency associated with yet another registrar. So his data is collected again and sent to the CIDR for registration once more. This leads to duplication of data and hence, further increases the de-duplication workload.

What’s more, it also hits the margins of enrolment agencies as the UIDAI pays only once for someone’s data. So any EA that unwittingly collects the personal data of a citizen the second time will not be paid for its pains.

In fact, the EAs are beginning to realise that the work is barely financially viable for them. Having procured the enrolment job through competitive bidding, they are now finding out that the rates are abysmally low. “If one EA quotes a low price, others are asked to match it if they want to work with the same registrar,” says an executive with an EA, who does not wish to reveal his or his agency’s name.

“For instance, a Noida-based firm, which bagged the tender for 200 enrolment stations to be set up in Hyderabad from the commissioner of civil supplies in Andhra Pradesh, had quoted a figure of Rs 23 per enrolment. We all knew this was a ridiculously low amount as an ideal per capita enrolment cost should be between Rs 30 and 35. But others working in the Hyderabad area had no choice but to quote a figure very close to it,” he says.

Then again, because enrolment agencies are paid only after their enrollees have received the UID numbers, and because these numbers are taking months to be generated, the EAs are not getting paid on time. “We are already working on tiny margins. So if the cash flow is tight, we find it difficult to pay salaries to people who work on the ground,” says an enrolment agency official.

Admittedly, while the profitability of an EA need not be the UIDAI’s concern, it certainly needs to check if enrolment is being affected because the EAs are cutting corners to stay within their budgets.

The EAs are also witnessing high attrition rates among enrolment operators. These operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money, reveals Sudhanva Kimmane of Comat Technologies, a Bangalore-based EA. Since getting a new operator certified takes about 20 to 25 days, the deadline goes for a toss.

Sometimes, the unreasonable demands of state governments also lead to delays. Karnataka, for instance, has asked registrars working in the state to gather information on as many as 19 counts. “Filling out so many additional fields reduces the number of enrolments that an operator can complete in a day and thus makes our targets go awry,” says an EA working in Karnataka.

Experts feel that one of the biggest flaws of the UID project is that it was launched all across the country without trial runs in small areas. “Whether in the private sector or the public sector, if a new project is being undertaken, it is usually tested in a small area before being launched on a large scale,” says an IT expert who has been involved with launching e-governance programmes in Kerala. “This way you suss out the feasibility of the project. Also, it helps to resolve all possible problems that may be encountered during the full roll-out. Why didn’t they first test the UID programme in a district, and then in a state before taking it pan India,” he asks.

With so many problems bedevilling the project, many people are sceptical of its success. Asks R. Ramakumar, associate professor at the Tata Institute of Social Sciences, Mumbai, “Will the benefits accruing from the project justify the huge expenses involved?” He points out that a similar project in the UK — that aimed to create a National Identity Register — was scrapped by the government in December. The London School of Economics, which analysed the proposal, found that the cost could end up being 10 times more than what was envisaged. “If the technologies involved are so infallible, why did a few developed countries which tried to use them drop them eventually,” he asks.

Clearly, there are too many uncomfortable questions facing the UIDAI right now. It remains to be seen if it is merely experiencing teething troubles or if India’s zillion-rupee aadhaar number scheme will tie itself into knots even before it gets to the halfway mark.

GLITCHES GALORE

Slipping targets: Only three states have crossed the one million mark in providing aadhaar numbers to their citizens. Total enrolment stands at 9.5 million as on June 27. The goal is to provide aadhaar numbers to 600 million people by 2014.

Slow data crunching: Processing each data packet now takes a couple of minutes. To achieve the target of generating one million UID numbers daily by October this year, the UIDAI should be processing 11 data packets a second during a 24-hour cycle.

Devil is in duplication: Since the UIDAI is taking about three to four months to generate an aadhaar number, a citizen who is unsure of his UID status may go to another enrolment agency. So his data are collected again and sent to the CIDR for registration once more. This increases the de-duplication workload and slows down the entire process even more.

High attrition rates: Enrolment operators, who have to clear a certification exam before they can enrol people, work for three or four months and leave if some other agency offers them more money. Since getting a new operator certified takes about 20 to 25 days, the enrolment agency’s target goes for a toss.

Click here to read the original in the Telegraph

For more details visit https://cis-india.org/news/sorry-wrong-number

Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar

Admin — 2017-07-20T14:31:12Z

Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.

The article by Gaurav Vivek Bhatnagar was published in the Wire on July 16, 2017. Pranesh Prakash was quoted.

Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.

The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, which Hashmi recorded and shared with the media; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.

Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.

Petitioners in SC had cautioned against misuse of Aadhaar

Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, in an interview in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.

Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.

Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.

Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.

Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.

In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.

The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the Supreme Court had recently upheld the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.

Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”

Experts have often cautioned against Aadhaar misuse

According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for The Wire, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, had noted that in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.

“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.

Earlier this year, writing for the Hindustan Times, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, had referred to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.

For more details visit https://cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar

Snooping technology: Will CMS work in India?

praskrishna — 2013-07-22T07:19:02Z

The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.

Pierre Fitter's article was published in FirstPost on July 17, 2013. Pranesh Prakash is quoted.

Several articles have raised valid questions about privacy violations, including this one by Danish Raza. Elsewhere, Pranesh Prakash has raised important points about how CMS may actually violate several laws and at least one Supreme Court verdict.

I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?

	Encryption In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

Encryption

In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called Truecrypt. The INC sent the hard drive to the FBI in the US, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately convicted of attempting to bribe a police officer.

This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistle blower Edward Snowden himself used encrypted email to communicate with journalists at the Guardian. In an online chat where he took questions from the public, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the eavesdropping behemoth created of the NSA.

It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India has been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.

Over the years it has become easier to encrypt one’s communication. YouTube tutorials train even novice users to set up email encryption within minutes. Phone calls, text messages and online chats can also be encrypted with free, easy-to-install apps.

The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that it took them four years to factor a 768-bit integer. They estimated it would take 1,000 times longer to factorise a 1024-bit integer. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.

Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.

What about ‘Metadata’?

It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses remain unencrypted, else the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.

However, this method of tracing criminals has a limitation. Programs such as TOR and Hotspot Shield disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.

There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!

To make untraceable phone calls, terrorists have been known to use “burner” phones. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged using even more untraceable.

Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to turn off their phones and remove the battery to prevent being tracked even while not on a call.

So what is CMS good for?

If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come off the mass hoovering of data of ordinary citizens’?

Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.

Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.

Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.

What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview. Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?

These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.

For more details visit https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology

Sixth Meeting of the two Sub-Groups on Privacy Issues under the Chairmanship of Justice AP Shah

praskrishna — 2012-08-23T09:48:55Z

The sixth meeting of the two sub-groups on privacy issues will be held on August 31, 2012 at 10.00 a.m. in Committee Room No. 228, Yojana Bhawan, Sansad Marg, New Delhi under the chairmanship of Justice AP Shah, former chief justice of Delhi High Court.

No. M-13040/43/2012-CIT&I (Pt. File)
Government of India
Planning Commission
(CIT&I Division)

Yojana Bhawan, Sansad Marg,
New Delhi, dated the 23rd August, 2012

Meeting Notice

Subject: Meeting of the Group of Experts on Privacy Issues to be held on 31st August, 2012 under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court.

The meeting of the Group of Experts on Privacy Issues under the Chairmanship of Justice A.P. Shah, former Chief Justice of Delhi High Court is scheduled to be held on 31st August, 2012, at 10.00 AM in the Committee Room No. 228, Yojana Bhawan, Sansad Marg, New Delhi - 110001.

The agenda of the meeting is to discuss and finalize the draft report prepared on the basis of the recommendations of the two Sub-Groups of the Expert Group (Copy enclosed).

You are requested to kindly make it convenient to attend the meeting.

(S. Bose)
Deputy Secretary (CIT&I)

Through e-mail to:

Justice A.P. Shah, Chairman
Shri R. S. Sharma, D.G., UIDAI
Dr. Gulshan Rai, D.G. CERT-In, DeITy
Shri Manoj Joshi, J.S. DOPT
Shri R. Ragupathi,Additional Secretary, Department of Legal Affairs
Shri Som Mittal, Nasscom
Ms. Barkha Dutt, NDTV
Ms. Usha Ramanathan
Shri Sunil Abraham, CIS
Dr. Kamlesh Bajaj
Ms. Mala Dutt
Shri R.K. Gupta

Copy for information to:
Dr. C.M. Kumar, Sr. Adviser (CIT&I)
PS to MOS (Planning, S&T and Earth Sciences)

(S. Bose)
Deputy Secretary (CIT&I)

For more details visit https://cis-india.org/news/sixth-meeting-of-sub-groups-on-privacy-issues

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

Should you worry about identity theft?

Admin — 2017-11-26T11:24:56Z

Laws in India regarding data protection may be weak, but following basic cyber hygiene rules can make your own defences stronger.

The article by Shaikh Zoaib Saleem was published in Livemint on September 20, 2017. Pranesh Prakash quoted.

Earlier this month, US-based credit information company Equifax Inc. said its systems had been struck by a cybersecurity incident that may have affected about 143 million US consumers. A report by Bloomberg said the incident could be ranked among one of the largest data breaches in history. The intruders accessed names, social security numbers, birth dates, addresses, driver’s licence numbers and also credit card numbers, Equifax said in a statement.

While this reiterates what cyber security professionals say, that nothing is hack proof, it does remind us of the range of cyber crimes, which revolve around identity theft and frauds. It gives us a chance to reflect upon how well prepared we are, if a cyber attack strikes us, or if our personally identifiable data gets leaked.

According to the Norton Cyber Security Insights Report 2016, 49% of India’s online population, or more than 115 million Indians, are affected by cybercrime at some point with the country ranking second in terms of highest number of victims. “No government or organisation creates something that is designed to fail deliberately. People find the gaps in that system and then try to misuse it,” said Ritesh Chopra, country manager, consumer business unit, Symantec India, a cyber security company.

While it can be debated as to who should take the blame in different instances, one underlying theme is following basic cyber hygiene. “There are several mobile apps that leak data. While downloading and installing an app, you may give out access to several other things in your device,” said Chopra.

Most cyber crimes involve leak or breach of public information, which leads to identity fraud. Let’s take a look at what an identity fraud could mean.

Identity theft and frauds

Everything that we do online is linked to a digital identity—an email ID, a phone number or even an IP address of a device. Harshil Doshi, strategy security consultant, Forcepoint India, a cyber security firm, said that as long as the leaked information is limited to names, email addresses, addresses and mobile numbers, there may not be a reason for worrying. “There needs to be a distinction between what information is publicly available and what can be used only privately. People also talk about Aadhaar leaks. As long as it is not my fingerprint and retina scan, there is no cause of concern, because information like name and address are anyway public,” he said.

However, not everyone agrees with this point of view. Pranesh Prakash, policy director at advocacy group Centre for Internet and Society, said email addresses, date of birth and mobile phone number of an individual are not necessarily public information. “Work-related email addresses may be publicly available online but personal ones are not,” he said. Prakash, however, added that our notion of public information keeps changing.

Identity fraud impact

The concept of identity theft has become complicated as our digital lives expand. “Everything about you as an individual is your identity, including something personal like blood group and medical history. Your social media profile, bank transactions, blogs or online comments are also a part of this. From a fraud perspective, it is equally complex,” said Chopra.

Your identity can be impersonated in several ways. “The most common methods of identity fraud all require collecting publicly-available information about you,” said Prakash. For example, celebrity leaks in the US (cloud storage was hacked) happened also because there is more information about celebrities publicly available than for an average individual, he said.

Another example could be misuse of information regarding foreign exchange. “In India, there is a limit of buying foreign exchange worth $30,000 for an individual in a year. If information on how many times you exhaust that limit falls in the wrong hands, it can be used for money laundering in your name. How many people think about how PAN and passport copy that one shares to buy foreign exchange, can be misused?” said Chopra.

Further, health insurance can be fudged and somebody can use the benefit under your name or buy restricted medicines misusing your medical prescription.

What the law says

There are provisions in the Indian Penal Code that deal with issues like cheating by impersonation to some extent. “There isn’t anything that adequately covers activities such as getting access to your personal data, which leads to identity fraud, or sufficiently penalizes things like data breaches or data leaks that facilitate identity fraud,” said Prakash.

The government is working towards data protection laws. A committee for data protection framework has been constituted under Justice B.N. Srikrishna, former judge of Supreme Court.

But it needs to be seen what comes out of these deliberations. “I am quite apprehensive, yet hopeful, about what the committee will produce, especially because they will need to deal with protection of biometric data, leaks of which will be far worse than any other leaks because biometrics is something that cannot be changed at will subsequent to a leak, unlike one’s phone number, email address or password,” said Prakash.

According to cyber security professionals, prevention seems the only way out. “We have forgotten the difference between the real and virtual worlds. In the real world, if somebody knocks at your door, you will check before opening the door ,” said Chopra. The problem for individuals starts when we click on a malicious link or download a file like a song or an image which could have a malware loaded on it. Once it enters our system, it immediately starts stealing information.

While the law may take some time to evolve and address the issues arising out of larger data breaches from corporate entities or even from the government, it is important to be vigilant, which includes having complex passwords, not sharing passwords, being aware of suspicious emails and messages and downloading files and software only from reputed sources. While this alone may not guarantee you protection online, it certainly minimises the risk.

For more details visit https://cis-india.org/internet-governance/news/livemint-shaikh-zoaib-saleem-september-20-2017-should-you-worry-about-identity-theft

Should Nandan Nilekani's Aadhaar project, for identity proof and welfare delivery, exist at all?

praskrishna — 2014-04-14T10:27:57Z

The foundation of Aadhaar—a Congress flagship project to give every Indian a unique identity number and then use it to deliver services—has been under assault in the past three months.

The article by M. Rajshekhar was published in the Economic Times on April 3, 2014. Sunil Abraham is quoted.

Political, legal, reputational.

The political backlash is coming from leaders of BJP, the Congress' principal rival. Meenakshi Lekhi and Ananth Kumar are not, by any stretch of the imagination, the first or the last word on policy matters in the BJP, but they mince no words when they say that if their party forms a government, it will trash Aadhaar —a project that has delivered a unique ID to half of India and on which Rs 3,800 crore has been spent.

Even as BJP's loose cannons fired, the Supreme Court repeated on March 24 that the government cannot make Aadhaar mandatory to access welfare services like pensions and LPG subsidy. The same day, investigative journalism portal Cobrapost aired videos that allegedly showed agencies agreeing to enrol people from neighbouring countries for a bribe.

The BJP piled on. "It (Aadhaar) has served no purpose. They have issued cards to illegal migrants. We want citizenship cards," says Prakash Javadekar, spokesperson of BJP. His party does not have an official policy line on Aadhaar as yet, but another of its leaders, Yashwant Sinha, headed the Parliamentary panel that, in 2011, severely criticised and rejected the draft bill that provided the legal framework for Aadhaar. "We are for direct benefit transfer but not on the basis of Aadhaar, which is a very badly-designed scheme," Sinha told CNBC-TV18 on January 31. "We will give it to all citizens of India on the basis of NPR."

On the campaign trail in Bangalore, Nandan Nilekani, the chief architect and implementer of Aadhaar, defends his work as the chairman of Unique Identification Authority of India (UIDAI). "Aadhaar is a pro-development and an anti-corruption platform," says Nilekani, who was brought in by the Congress high command in 2009 and is contesting these elections on a party ticket against BJP's Kumar in Bangalore South. "It is a pity that some vested interests with narrow political and other motives are trying to stall the project."

Lost in those binaries are the objectives of Aadhaar, to universalise identity proof and to use it to plug leakages in delivery of welfare services. UIDAI, led by a hands-on Nilekani, pursued this agenda with a certain authority, great speed and an overriding emphasis on technology, all of which delivered outcomes.

But they also contributed to shortcomings that saw the project stumble on its way and for which it is now being critiqued. "This is the only way transformation takes place," says K Koshy, who was part of the team that conceptualised Aadhaar and is now with Ernst & Young. "When you know the ultimate system is workable, you sort out the problems as you go along."

Except, given the political winds blowing, it's anyone's guess what the new dispensation will feel about Aadhaar and UIDAI, from where Nilekani resigned on March 13 and which is seeing many officers who came from other parts of the government, on deputation, returning. Will the new dispensation see Aadhaar as an idea that is sound but with parts that need strengthening? Or, will they see it as an idea that is, by itself, fallacious? "I don't know where this is going," says Abhijit Sen, member, Planning Commission, under which UIDAI is housed.

At one level, it's a political question. "The next Parliament will have to decide what UIDAI can and cannot do," says Sen. At another level, even that political answer will stem from the answers to three questions that go to the core of what Aadhaar was meant to be and where it fell short.

1. Does Aadhaar Provide a Unique and Definitive Identity?

Yes and no. UIDAI collects two sets of information from an individual. The first is biometrics: prints of all 10 fingers and a scan of the iris in both eyes. Biometric data, which is supposed to be unique to every individual, is used to assign a unique number to the individual. The second set is basic personal information: name, address, father's name, date of birth and address. Individuals can show existing documents—like voter's I-card or passport —as verification. For those who did not have identification documents, UIDAI allowed certain people to attest for them.

Aadhaar is better at identifying individuals through their biometrics than ensuring the accuracy of their add-on data. This is partly due to its design. When Aadhaar was being conceptualised, says Shrikant Nadhamuni, who headed technology for UIDAI: "We wanted to move the ID game—from a state where some people had no ID and others had paper ID to something beyond even what Singapore had, in the form of smart cards, to online. Like biometric. Which is the future.

Here, your presence is enough to vet your ID." This is also partly due to how UIDAI did its enrolments. Shortly after taking charge, Nilekani announced UIDAI would issue 600 million Aadhaar numbers by March 2014. The initial plan was that the National Population Register (NPR), which conducts the decadal Census and which is housed under the ministry of home, would do the enrolments— capturing biometrics and information— and UIDAI would only issue the numbers.

Soon after, Nilekani decided he could not meet his 600 million target if he waited for NPR to give him biometric packets, and offered to do enrolments too. To meet the target, UIDAI wanted to outsource enrolment to multiple vendors. And compared to NPR, UIDAI collected very little demographic data. UIDAI appointed public and private companies as enrolment agencies. Quality issues arose. "90% of the larger enrolment agencies offloaded the work to local, small-time guys," says the head of a Gurgaon-based enrolment agency, not wanting to be named.

Instances of incomplete addresses, spelling mistakes, people bribing enrolment staff to obtain numbers, emerged. "There is always a trade off between inclusion and accuracy," says Nilekani. "And the fact that these errors happened only shows that the gates were kept wide enough to ensure there would be no exclusion." "The Aadhaar database is based on very weak data," says Sunil Abraham, the head of Bangalore-based Centre for Internet and Society, an Internet and governance think-tank. "It is basically linking biometrics to a person and the name/address he claims as his." This weakness started showing up as the government began to deliver welfare services by transferring money directly into bank accounts of beneficiaries, using Aadhaar. The first step was to add the Aadhaar number to the department and bank databases.

Reddy Subramanyam, joint secretary of NREGA, tried to seed Aadhaar numbers into his database of NREGA workers. "The current matching is just 25-30%." The mismatch arises because, say, the name will be S Kumar in one and Sunil Kumar in another. Aadhaar is "less ID project and more identification project," says legal researcher Usha Ramanathan. "The onus for ensuring the demographic information is correct falls on the number-holder."

2. Are Aadhaar-enabled Cash Transfers Delivering?

If giving every Indian a unique ID was Aadhaar's main mandate, revamping welfare delivery became its second. In 2011, Nilekani headed a committee to create a roadmap to move to a system of welfare delivery where money was transferred directly into bank accounts of beneficiaries—or direct benefit transfers (DBTs). The architectures it proposed pivoted around Aadhaar and online, realtime biometric authentication. This was to replace the existing smart-card architecture, which can work even in areas even without connectivity.

UIDAI saw the cloud as the future. "We were not very taken with the smart-card solution," says Nadhamuni. "Farmers have to carry multiple smart cards around. And then, there is the cost of the card." Smart-card companies, staring at the prospect of their investments going waste, protested. "Customers and service providers deserve the right to make a convenient choice. Can someone building a public highway insist that only a certain sort of a vehicle can ply on it?" Abhishek Sinha, CEO of Eko India, a mobile-banking start-up told ET in November 2011.

"The question is whether the model is working better now than what existed before," defends Koshy. It's a question that has not been answered conclusively and credibly: there have been no independent evaluations by the government of Aadhaarbased DBTs till now. "Aadhaar should not have been rolled out on a mission mode till it was tested on some scale," says MS Sriram, visiting faculty at IIM Bangalore's Centre for Public Policy. When asked about this, Sen says: "There was no independent evaluation. Everyone was rushing." From the field came reports about manual labourers and the aged struggling to authenticate using biometrics.

Nor were comparative studies conducted to check alternative ways to improve welfare delivery. Economist Reetika Khera argues that Chhattisgarh has removed corruption from its PDS programme through a mix of computerisation and community supervision. This echoes an observation made by the Parliamentary panel while rejecting the UIDAI bill: the government had not considered comparative costs of Aadhaar and other existing ID documents.

Yet, in November 2012, the Congress decided to make DBTs its calling card for the 2014 elections. At a rally in Dudu, Rajasthan, attended by Congress leaders and Nilekani, it announced DBT rollout in the state. A year later, after a patchy rollout, the Congress lost power in the state. And on January 30, the UPA pressed pause on DBTs for cooking gas.

3. Are there Strong Safeguards to Protect a Person's Privacy?

On February 26, the Mumbai High Court directed UIDAI to share its Goa biometrics with the CBI to help it solve a rape case in the state the agency was struggling to solve. UIDAI refused, saying this would violate the privacy of its number holders. The High Court agreed with the CBI. UIDAI went to the Supreme Court, which ruled that its biometric information cannot be shared with any government agency without the consent of number holders.

But the CBI request had shown what could go wrong. "Once you create an ID system, other things happen," says Sen. "The most inevitable one is that government departments—like the police—want to access it. A database exists and I want to use it." Says a Supreme Court lawyer, not wanting to be named: "You innocently give your fingerprints to UIDAI because you want your scholarship or gas subsidy or something. You volunteer this information and then you realise this can be used as evidence against you in a criminal trial?" In time, more agencies will use Aadhaar. "The moment you start putting the Aadhaar number into multiple databases, you make them comparable," says Abraham. "Land registry, tax records, etc, all become comparable." Adds Sen: "We need to think about who can use the authentication service."

He cites the example of banks using Aadhaar to judge a borrower's credit record as a good thing. Conversely, he adds, an insurer using a customer's Aadhaar to access hospital records, and take a call on premiums or policy issuance, is a bad outcome. "Insurance is supposed to work by pooling risk. Should they (insurers) even have the right to ask for authentication?" asks Sen. UIDAI officials say three things in their defence. One, they collect innocuous information, which they don't share. Two, for authentication queries, they only give 'yes/no' answers. Three, they have safeguards.

What is missing is a legal framework that governs collection, use and retention of biometrics. "India has not passed a data privacy law," says Nadhamuni. "This is a very important legislation we need to draft and enact for projects that use large-scale IT systems, be it Aadhaar, NREGA, voter card, income tax, etc. In the absence of such laws, UIDAI came up with rigorous data privacy and security policies to secure resident data." However, the Parliamentary panel, while rejecting the bill, noted that UIDAI began collecting biometric data even as the government worked on a privacy bill and a data protection bill. "The idea that databases can be used by anyone makes people vulnerable, especially in a state where there is neither law nor much respect for law," says Ramanathan.

Aadhaar stands at an uncomfortable junction. A new government, eager to ensure only citizens have unique numbers, could ask all Aadhaar holders to provide address proof and delete the others. Events of the past three months have framed the issues concerning Aadhaar, sometimes with a touch of rhetoric. "This is a good time to open the regulation issue," says Sen.

For more details visit https://cis-india.org/news/economic-times-april-3-2014-m-rajshekhar-should-nandan-nilekani-aadhar-project-for-identity-proof-and-welfare-delivery-exist

Should an Inability to Precisely Define Privacy Render It Untenable as a Right?

amber — 2017-08-04T01:49:56Z

The judges may still be able to articulate the manner in which limits for a right to privacy may be arrived at, without explicitly specifying them.

The article was published in the Wire on August 2, 2017.

Ludwig Wittgenstein wrote in his book, Philosophical Investigations, that things which we expect to be connected by one essential common feature, may be connected by a series of overlapping similarities, where no one feature is common. Instead of having one definition that works as a grand unification theory, concepts often draw from a common pool of characteristics. Drawing from overlapping characteristics that exist between family members, Wittgenstein uses the phrase ‘family resemblances’ to refer to such concepts.

In his book, Understanding Privacy, Daniel Solove makes a case for privacy being a family resemblance concept. Responding to the discontent in conceptualising privacy, Solove attempted to ground privacy not in a tightly defined idea, but around a web of diverse yet connected ideas. Some of the diverse human experiences that we instinctively associate with privacy are bodily privacy, relationships and family, home and private spaces, sexual identity, personal communications, ability to make decisions without intrusions and sharing of personal data. While these are widely diverse concepts, intrusions upon or interferences with these experiences are all understood as infringements of our privacy.

Other scholars too have recognised this dynamic, evolving and difficult to pinpoint nature of privacy. Robert Post described privacy as a concept “engorged with various and distinct meanings.” Helen Nissenbaum advocates a dynamic idea of privacy to be understood in terms of contextual norms.

The ongoing arguments in the Supreme Court on the existence of a constitutional right to privacy can also be viewed in the context of the idea of privacy as a family resemblance concept. In their arguments, the counsels for the petitioners have tried to make a case for privacy as a multi-dimensional fundamental right. Senior advocate Gopal Subramanium argued before the court that privacy inheres in the concept of liberty and dignity under Constitution of India, and is presupposed by various other rights such as freedom of speech, good conscience, and freedom to practice religion. He further goes on say that there are four aspects to privacy – spatial, decisional, informational and the right to develop personality. Shyam Divan, also arguing for the petitioners, further added that privacy includes the right to be left alone, freedom of thought, freedom to dissent, bodily integrity and informational self-determination.

When the chief justice brought up the need to define the extent of the right to privacy, the counsels raised concerns about the right being defined too specifically. This reluctance was borne out of the recognition that by its very nature, the right to privacy is a cluster of rights, with multiple dimensions manifesting themselves in different ways depending on the context. Both advocates, Subramaniam and Arvind Datar, argued that court must not engage in an exercise to definitively catalog all the different aspects of the right, foreclosing the future development of the law on point. This reluctance was also a result of the fact that the court has isolated the question of the existence of the right to privacy and how it may apply in the case of the Aadhaar project. Usually judges are able to ground legal principles in the relevant facts of the case while developing precedents. The referral to this bench is only on the limited question of the existence of a constitutional right to privacy. Therefore, any limits that are articulated by the court on the right exist without the benefit of a context.

On the other hand, the Attorney General (AG) argued that this very aspect of privacy was a rationale for not declaring it a fundamental right. At various points during the arguments, he indicated that the ambiguous and vague nature of the concept of privacy made it unsuitable as a fundamental right. Similarly, Tushar Mehta, arguing for Unique Identification Authority of India, also sought to deny privacy’s existence as a fundamental right as it is too subjective and vague.

The above argument assumes that the inability to precisely define privacy renders its untenable as a right. The key question is whether this lack of a common denominator makes privacy too vague a right, liable to expansive misinterpretations. Conceptions that do not have fixed and sharp boundaries, are not boundless. What it means is that the boundaries can often be fuzzy and in a state of constant evolution, but the limits and boundaries always exist.

At one point during the hearings, Justice Rohinton Nariman wanted the counsels to work on the parameters of challenge for state action with respect to privacy. As mentioned earlier, in the absence of facts to work with, such an exercise is fraught with risks. However, the judges may still be able to articulate the manner in which such limits may be arrived at, without specifying them. Justice Nariman himself later agrees that the judicial examination must proceed on a case by case basis, taking into account not only the tests under Article 14,19 and 21 under which petitioners have tried to locate privacy, but also under any other concurrent rights which may be infringed.

The AG also argued that the infringement of privacy in itself does not amount to a violation of the rights under Article 21, rather in some cases the transgressions on privacy may lead to an infringement of a person’s right to liberty and only in such cases should the fundamental rights be invoked. Thus, the argument made was that there was no need to declare privacy as a fundamental right but only to acknowledge that limiting privacy may sometimes lead to violations of the already existing rights. This argument may have been more cogent had he identified specific dimensions of privacy which, according to him, do not qualify as fundamental rights. However, this might have meant conceding that other dimensions of privacy, in fact do amount to fundamental rights.

It must be remembered that the problem of changing or multiple meanings is not limited to privacy. As the bench noted, drawing comparisons to the concepts of ‘liberty’ and ‘dignity’, these are constitutionally recognised values which equally suffer from a multitude of meanings based on context. The government’s position here is in line with critiques of privacy that Solove seeks to bust in his book. The idea of privacy evolves with time and people. And people, whether from a developed or developing polity, have an instinctive appreciation for it. The absence of a precise definition does not necessarily do great disservice to a concept, especially one that is fundamental to our freedoms.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-august-2-2017-should-an-inability-to-precisely-define-privacy-render-it-untenable-as-a-right