Centre for Internet and Society

Narendra Modi’s personal app sparks India data privacy row

Admin — 2018-03-28T16:17:32Z

PM’s NaMo app sends user data to third party in US, says researcher.

Sunil Abraham was quoted in the article published by Financial Times on March 28, 2018.

“People are outraged that there is a peephole,” says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, a non-profit research organisation. “They are not outraged that anyone has looked into the peephole — because there is no evidence of that yet.”

For Mr Abraham, however, the controversy demonstrates that “Indian political parties have a voracious appetite for political data. If unchecked by law or public outrage, they will continue to hoover up as much data as they can from our devices.”

“Privacy is definitely a political issue,” says Mr. Abraham. “Political parties are reacting not because they will get into trouble under the law. They are reacting because they areafraid their supporters may not like it.”

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-28-2018-narendra-modi-personal-app-sparks-india-data-privacy-row

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts

Admin — 2018-03-27T02:16:55Z

Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.

The article by Mayank Jain was published in Business Standard on March 27, 2018. Pranesh Prakash was quoted.

The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.

Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database.

Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet.The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”.This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.“Publishing this by the state entities is a violation under the Aadhaar Act.

Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society.“Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.”Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks.

He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches.In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making public citizens’ Aadhaar-related information public unless required for certain purposes.

“Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ~10,000 under the Act.A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.

The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek.“So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public.“Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.

Queries sent to the UIDAI were not answered till the time of going to press

For more details visit https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks

Admin — 2018-03-26T22:37:30Z

The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming.

The article by Nilesh Christopher was published in Economic Times on March 26, 2018. Sunil Abraham was quoted.

While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.

“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication ZDnet citing an Indian security researcher said that it identified Aadhaar data leaks on a system run by a state-owned utility company Indane that allowed anyone to access sensitive information like a name, Aadhar number, bank details. The leak was plugged soon after the report appeared.

UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.

There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.

“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.

In case of Aadhar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet and Society.

UIDAI could take a leaf from Indian Space Research Organisation while handling data breach reports. The state-run space agency put out a note appreciating security researches for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.

“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.

“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still has not fructified.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks

Indian IT firms not ready for European Union's proposed privacy laws, only a few compliant with GDPR

Admin — 2018-04-18T00:56:20Z

Only a third of Indian IT firms are compliant with the European Union's General Data Protection Regulation (GDPR), which will come into force on 25 May, according to a media report.

The article was published in First Post on March 26, 2018.

The GDPR, the EU's new online privacy rules, is designed to protect users' online privacy. The European Parliament has adopted the regulation but European governments have yet to approve the text.

“Only 30-35 percent of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, was quoted as saying by The Economic Times.

The GDPR is applicable to companies globally, and has significant potential financial penalties. Damages of any breach of privacy of user data from Europe could cost companies as much as four percent of their revenue, according to The Economic Times. For the Indian IT sector, Europe ranks number two in terms of the amount of business it drives, with US still taking the lead.

Indian firms, according to Business Standard, are struggling to understand the GDPR policies. A survey by EY had shown that 60 percent of Indian respondents were unfamiliar with the new regulation.

"When asked to describe their company’s current status with respect to complying with the GDPR, only 33 percent of respondents said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all and 17 percent said that they have heard of the GDPR but have not yet taken any action," EY’s Global Forensic Data Analytics Survey 2018 had said.

What the GDPR is all about?

The GDPR attempts to unify data protection laws across the EU. It applies to all companies, regardless of location, that process the personal data of people living in the European Union. It aims to strengthen the protection of EU citizens' personal details. It will apply to all companies, including those outside of the EU.

The GDPR is considered the biggest shake-up of personal data privacy rules since the birth of the internet. It is intended to give European citizens more control over their online information.

Under the new regulation, users will be asked once and for all whether to accept cookies, rather than every time they visit a new website. Users will have the option of going invisible online, while the rules enshrine the so-called "right to be forgotten" legislation. The industries most deeply affected will be those that collect large amounts of customer data and include technology companies, retailers, healthcare providers, insurers and banks.

Companies must be able to provide European customers with a copy of their personal data and under some circumstances delete it at their behest. They will also be required to report data breaches within 72 hours.

How Indian firms will be affected?

According to a study published by The Centre for Internet and Society, as a result of GDPR, data protection procedures like breach notification; excessive documentation and appointment of data protection officer may have to be incorporated in the Indian laws as well.

"As non – compliance involves high fines, inability of India or the organizations situated in India to qualify as data secure destinations is likely to divert business opportunities to safer locations," the study said.

(With inputs from agencies)

For more details visit https://cis-india.org/internet-governance/news/first-post-march-26-2018-indian-it-firms-not-ready-for-european-unions-proposed-privacy-laws-only-a-few-compliant-with-gdpr

Modi Govt compromising privacy of individuals: Cong

Admin — 2018-04-18T01:10:42Z

Charging the Narendra Modi Governemt with compromising the privacy of individuals by leaking user information on the Narendra Modi app, the Congress on Monday said the counter allegations by the BJP that the Opposition party was indulging in 'data theft' were an attempt to divert attention from the issue.

This was published by United News of India on March 26, 2018.

Talking to reporters here, AICC spokesperson Abhishek Manu Singhvi said, 'we have said repeatedly that the biggest assault on individual privacy has occurred under the watch of the Narendra Modi Government. Not only people’s money, but people’s privacy is also in question.

Even as startling revelations that the Narendra Modi app, run by the BJP is sharing data of millions of users with American companies emerge, the Modi Government mocks and flouts the ‘Right to Privacy’ with brazen impunity. While the Prime Minister’s Office, PMO India app, asks users to voluntarily part with their identity on 14 data points, the NaMo app asks for a sweeping access to 22 data points. The NaMo app records audio, video, contacts of your friends and family and even tracks your location via GPS. No wonder, Modi ji is like the ‘Bigg Boss’ who with brazenness likes to spy on Indians. The BJP whose IT (Identity Theft?) Minister does daily press conferences on the issue of data security and democracy, has much to answer to the people of India on the unscrupulous means by which Shri Narendra Modi’s personal app is accessing data and passing on data of more than 50 lakh Indians,' he alleged.

Describing the BJP allegations that the Congress was indulging in 'data theft' through its mobile app, Mr Singhvi said. 'the Modi Government is resorting to deflectionary and diversionary tactics. The Congress application had just 15,000 downloads against the 50 lakh Indians who downloaded the NaMo app. Also, the Congress application was discontinued as most of the users wanted to register offline.'

Accusing Mr Modi of misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by the government, Mr Singhvi said, 'Why does Mr Modi, in his own book ‘Exam Warriors’ urge you to download the NaMo app. Is he now planning to snoop in on minors? Mr Modi is misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by Government. If as PM he wants to use tech to communicate with India, there is no problem in that. But use the official PMO app for it, not the NaMo app. This data belongs to India, not to Mr Modi.

Shockingly, data of atleast 13 lakh NCC cadets which include personal mobile phone numbers and email ID’s are being given to the Prime Minister’s Office for an interaction.'

Citing in this regard the report of a committee of experts appointed by the government on the issue of data protection, Mr Singhvi said, 'importantly, a Government appointed Committee of Experts (CoE) to look into a framework for data protection, headed by Justice (retd) BN Srikrishna has made scathing observations in a paper released in November 2017, against the Government and has shockingly implied (according to the media reports) that the Modi Government is collecting personal data illegally. The committee, which is currently in the process of conducting consultations, has also considered the SC judgment on privacy, says in its paper “The public and private sector are collecting and using personal data on an unprecedented scale. While data can be put to beneficial use, unregulated and arbitrary use of data, especially personal data, raise concerns relating to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.”

Alleging that under the Modi Government, not only the personal data of citizens was under serious threat, but there were multiple reports of data breaches in banks, Mr Singhvi said, 'astonishingly, under the Modi Government, not only the personal data of citizens is under serious threat, but multiple breaches in the banks. In an atmosphere where every single day there has been a bank fraud worth thousands of crores of rupees being reported, have resulted in one single question - how safe is our money in banks?

Banks and PSU’s have reported multiple breaches in recent past. A newspaper report on Monday said two online security experts have claimed that the Aadhaar database of two public-sector enterprises leaked select data and the vulnerability was fixed only a month after attention was drawn to it. This exposes their names, the 12-digit Aadhaar number and information of the services they have linked their Aadhaar card to. These services include bank details, policy details and other private information. This was corroborated by the UIDAI statement released on Sunday.

“It was left up there for more than a month — even though it had been reported to them directly,” claim the security experts. On February 23, 2018 a report had claimed that there was a data breach which had hit the the Punjab National Bank, whereby sensitive credit, debit card details of 10,000 customers were leaked. Quick Heal, a reputed software company in October 2017 had also claimed that there was a massive data breach in 6,000 government offices including banks. Earlier in 2016, as per media reports -- 32 lakh debit/credit cards of various Indian banks were compromised. The worst-hit was the State Bank of India along with certain private banks.'

He also charged the present Government of breach of Aadhaar data of individuals.

'In April 2014, the then Gujarat Chief Minister Narendra Modi had attacked Aadhaar and the UPA Government on its possible ‘security threat’. Life has now come full circle for the BJP. Just like numerous other issues, their blatant hypocrisy on Aadhaar is exposed. In January, this year, when a reputed newspaper in a sting exposed how 1 crore Aadhaar details can be accessed in just 10 minutes, by paying just Rs 500 in Chandigarh, the UIDAI had then filed an FIR against the reporter. Now the editor of the reputed media house has also been replaced.

We have seen it in May 4, 2017, when the Modi Government is on record in Supreme Court, accepting data breach in the Aadhaar scheme. Now the Attorney General in Supreme Court, while arguing that Aadhaar data remains safe and secure, says that the Aadhaar data remains secure behind a complex that has 13-ft high and five-feet thick walls, which is laughable and ludicrous, to say the least. On November 20, 2017, the UIDAI had accepted on record that –“More than 210 central and state government websites publicly displayed details such as names and addresses of Aadhaar beneficiaries”. Earlier too, ‘Centre for Internet and Society’, a Bengaluru-based organisation (CIS) in a study published on May 1, 2017, had found that data of more than 130 million Aadhaar card holders has been leaked from just four government websites. Therefore this is a serious issue. Clearly, neither our money, nor our Aadhaar details or our personal details are secure under the Modi Government.'

For more details visit https://cis-india.org/internet-governance/news/united-news-of-india-march-26-2018-modi-govt-compromising-privacy-of-individuals-congress

Aadhaar safety

Admin — 2018-03-26T17:09:26Z

We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.

The article was published in Asian Age on March 25, 2018.

Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.

‘Safety claims are bogus’
Hrishikesh Bhaskaran, Privacy Activist
Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).

The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.

‘Multi-level security assumes added significance’
Jaideep Mehta, CEO of VCCircle.com
Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.

‘Tightening system, or line of human command more important’
Ershad Kaleebullah, Technology Editor
There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.

‘Your data security is in your hands, always be cautious’
Viraj Kumar Pratapwant, Senior Software Design Engineer
First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.

Sunil Abraham, Executive Director at Centre for Internet and Society
Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data in encrypted in the CIDR - the deduplication software needs to compare the bio metric of the person getting enrolled with the unencrypted bio metric of others already in the database. This means that the engineer who controls the software has access to the whole bio metric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.

For more details visit https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety

Siri, did you hear me? Adapting Privacy to New Technologies, Automated Decision-making, and Cloud Computing

Admin — 2018-03-25T03:21:24Z

Amber Sinha participated as a panelist in the discussion on adapting privacy to new technologies organised by the USIBC on March 6, 2018 in New Delhi.

The way consumers interact with technology is quickly evolving, and there are distinct implications for privacy as these new applications and products become embedded in our daily lives. Many new technologies eliminate the need for consumers to interface with a screen, relying on sensor data, verbal interactions, or innate human communications – a grin or hand gesture. As technology evolves, so must the privacy protections.

Moderator: Ashutosh Chadha, Group Director, government Affairs & Public policy, Microsoft India

Panelists:

Shaundra Watson, Director, Policy, BSA | The Software Alliance
Betsy Broder, Counsel for International Consumer Protection, U.S. FTC
Amber Sinha, Senior Programme Manager, Centre for Internet and Society (CIS)
Riccardo Masucci, Global Director of Privacy Policy, Intel
Srinivas Poosarla, Vice President & Head (Global), Privacy & Data Protection, Infosys Limited

For more details visit https://cis-india.org/internet-governance/news/siri-did-you-hear-me-adapting-privacy-to-new-technologies-automated-decision-making-and-cloud-computing

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit https://cis-india.org/internet-governance/news/india-trilateral-forum

Facebook breach: Privacy advocates in India seek stronger data laws

Admin — 2018-03-20T23:37:04Z

Privacy advocates in India underlined the urgent need for stronger data privacy laws in India with the debate coming under focus after reports alleged that British data analysis firm Cambridge Analytica had tapped into the profiles of more than 50 million Facebook users, without their permission, during the last US elections.

The article by Surabhi Agarwal and Devina Sengupta was published in the Economic Times on March 20, 2018. Pranesh Prakash was quoted.

Advocates of data privacy told ET that even in India — where issues around data privacy have been on the boil — voter opinion may be targeted by using their personal information without their approval. “The government has not moved with necessary pace on data protection,” said advocate Apar Gupta.

“Election commission (EC) has not taken up this issue of data protection for regulatory scrutiny. EC has in the past issued guidelines to protect election integrity and restrained exit polls and also required candidates to disclose social media handles. However, much more needs to be done,” he added.

His concerns around India’s voting process being potentially vulnerable to similar influence like in the US come amid a “case study” on the Cambridge Analytica website said the company had worked for Indian political parties as well.

It said that the British firm was “contracted to undertake an indepth electorate analysis for the Bihar Assembly Election in 2010…Our client achieved a landslide victory, with over 90% of total seats targeted by CA being won”.

Media reports quoted sources at Cambridge Analytica, and its Indian partner, Oveleno Business Intelligence, as saying that the local company was in talks with leading Indian political parties for a pact for their 2019 parliamentary poll campaigns.

“This shows integrity of elections and voter trust may be undermined through data analytics and target voters on the basis of their personal data,” said Gupta Pranesh Prakash, policy director at Center for Internet and Society, said India urgently needs a strong data protection regulation, that require companies to have oversight and pin liabilities on them if they fail to have oversight over data they transact with.

“So, in this case for instance, the companies that provided Cambridge Analytica DATA are seriously culpable and Facebook --right now it is unclear if under any current law it is culpable --there are some discussions in the US etc. Regardless of it, they should be required to exercise greater diligence when it comes to personable data that they have taken consent for,” said Prakash.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. If these reports are true, it's a serious abuse of our rules.

All parties involved — including the SCL Group/Cambridge Analytica, Christopher Wylie and Aleksandr Kogan — certified to us that they destroyed the data in question. In light of new reports that the data was not destroyed, we are suspending these three parties from Facebook, pending further information. We will take whatever steps are required to see that the data in question is deleted once and for all —and take action against all offending parties.”

In a statement to ET, Facebook said there was no breach of its data base and that protecting people’s information was core to the company. “Like all app developers, Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” Paul Grewal, VP & Deputy General Counsel, Facebook said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-20-2018-surabhi-agarwal-devina-sengupta-facebook-breach-privacy-advocates-in-india-seek-stronger-data-laws

Supreme Court extends Aadhaar linking deadline till it passes verdict

Admin — 2018-03-17T15:02:10Z

The Supreme Court, however, allowed the government to seek Aadhaar numbers to transfer benefits of government schemes funded from the consolidated fund of India.

The article by Priyanka Mittal and Komal Gupta was published in Livemint on March 13, 2018. Pranesh Prakash was quoted.

The Supreme Court (SC) on Tuesday extended the deadline for linking of Aadhaar with mobile services, opening of new bank accounts and other services until it passes its verdict on a pending challenge to the constitutional validity of such linkages.

The court also noted that Aadhaar could not be made mandatory for issuance of a Tatkal passport, for now.

The extension would be applicable to the schemes of ministries/departments of the Union government as well as those of state governments, the court ruled in an interim order.

It was however, clarified that the extension would not be applicable for availing services, subsidies and benefits under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

A Constitution bench comprising Chief Justice Dipak Misra and justices D.Y. Chandrachud, A.K. Sikri, A.M. Khanwilkar and Ashok Bhushan is hearing a challenge to the constitutional basis of the 12-digit unique identification project, which is now likely to conclude after 31 March, the earlier deadline for Aadhaar linking.

“Even where Aadhaar hasn’t been mandated by the government, and even though the Supreme Court has extended the deadline for some mandatory linkages, if the software systems used by various governmental and private entities don’t make ‘Aadhaar number’ and authentication optional, then the SC’s orders gets nullified, effectively,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society (CIS).

Similar concerns over the extent of Tuesday’s interim protection were also expressed by the Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world. “While the extension is certainly welcome, it is also important to note that there is currently some uncertainty about this extension and how it applies to linkages made mandatory under Section 7 of the Aadhaar Act. If the latest order does indeed exclude Aadhaar linkages mandated under Section 7, a large number of central and state government schemes (such as PDS, LPG, MNREGA and many more) would still need to be linked to Aadhaar by the end of the month, significantly diminishing the relief brought by today’s order, ” said the organization.

“The deadline for Aadhaar holders to link their PAN cards for taxation purposes will also be extended until disposal of the case as this linkage was mandated by Section 139AA of the Income Tax Act, 2000 and not Section 7 of the Aadhaar Act,” SFLC added.

Last week, attorney general K.K. Venugopal had told the apex court that the centre would consider extending the linking deadline since arguments in the case were likely to proceed beyond the earlier deadline of 31 March.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-komal-gupta-march-13-2018-supreme-court-extends-aadhaar-linking-deadline-till-it-passes-verdict

New Lock For EU’s Digital Mines

Admin — 2018-03-17T13:10:52Z

Indian companies dealing with European data wait anxiously as the EU pushes in new security rules

The article by Arindam Mukherjee was published in the Outlook in March 26, 2018 issue. Elonnai Hickok was quoted.

Pretty soon, Indian companies, especially those associated with European companies, will have to walk that extra mile to protect personal data. Come May 25, the European Union (EU) will enact a new set of regulations, called the General Data Protection Regulation (GDPR), which will impose stringent conditions for personal data protection and privacy laws.

What’s more, any violation of or non-compliance with the new regulations will attract the strictest of penalties and fines. On an average, the new regulations call for up to 4 per cent of a company’s global revenue as penalty.

With the already huge and rapidly expanding field of big data play across companies and industries, data protection has come under the limelight and many countries are talking in terms of putting in place stringent rules for personal data protection. The EU will be the first off the block with GDPR, which comes into effect in less than three months. It is expected that following the EU’s example, similar regulations will start coming up in other countries as well.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU.

The GDPR will replace the 1995 Data Protection Directive currently operational in the EU and its regulations will cover all EU member states and citizens. Accordingly, all companies operating in the EU and having customers there, or even having work outsourced from the EU which involves its citizens’ personal data, will have to fall in line and comply.

The rules under GDPR will be relevant for businesses collecting, processing, storing, and sharing data of EU data subjects. This would include all businesses located in India providing services directly or indirectly to EU data subjects, as well as Indian companies with a presence in Europe.

This has put a lot of Indian IT and ITES companies in a bind given that few Indian companies are in a position to comply with the new GDPR rules and regulations within the given deadline. GDPR necessitates that adequate steps have to be taken to secure EU data wherever it is stored or processed.

At present, India does not have any data privacy law. However, the government has set up a committee of experts under former Supreme Court Justice B.N. Srikrishna to look into matters related to data protection and privacy in the country. The committee has so far come up with a draft protection bill. But it is unlikely that the committee will be able to come out with its final report before the GDPR deadline of May 25.

Huzefa Goawala, who heads GRC, India & SAARC, RSA, says the impact of GDPR will be heavy on India. “A sizeable chunk of Indian companies operate out of the EU including IT/ITeS, manufacturing, financial services and telecom companies,” he adds. “The GDPR will apply to personally identifiable information and internal facing data and external facing data, and organisations will have to protect data on all these fronts. Unfortunately, very few organisations have taken measures to become GDPR compliant at the ground level and are waiting for others to make a move. Larger, tier 1 organisations are in a consultation mode at the moment and are in a preliminary stage of compliance.”

According to Ernst & Young’s forensic data analytics survey (2018) done among Indian companies, 60 per cent of Indian respondents are still not familiar with the GDPR, while only a little over 23 per cent have heard of it but have done nothing about it. “This puts India in a precarious position, especially because it takes time for a company to prepare for GDPR compliance, which involves identifying where all the data resides and taking measures to safeguard it,” says Mukul Shrivastava, partner, Fraud Investigation and Dispute Services, Ernst & Young. “Many large IT-ITeS companies have secure servers in the EU or on cloud. But a lot of EU data processing is either done in India or is outsourced to India. That data needs to be protected under the GDPR.”

Experts say that under GDPR, a company will have to report any breach of data security within 72 hours. In case it fails to do so, stiff penalties will be imposed. With GDPR, the EU wants to stress on how important personally identifiable information is and see what companies are doing to protect it. It calls for deployment of ground level technologies by companies to ensure data security.

To ensure full compliance under GDPR will be a difficult task. “It is not possible to check 100 per cent compliance,” says Vijayshankar Na, cyber law and international information security expert. “There can be multiple versions of personal data in a process. To tap this data and see where all it is flowing in the system will be the toughest part under GDPR. Companies will have to identify all this in order to protect data.”

To help Indian companies, India’s IT representative body Nasscom has sought a “data secure” status for its companies from the EU. The EU has given a similar status to American companies, which ensures some concessions for them. Indian companies would be entitled to similar concessions under GDPR if they get the data secure status. But a decision on this is yet to come.

“As India has not attained data secure status, the collection, processing, storing, and sharing of EU data subjects by Indian companies will continue to be through ‘binding corporate rules’,” says Elonnai Hickok, chief operating officer, CIS (Centre For Internet and Society), Bangalore. “Though GDPR will affect any company handling EU data, the IT sector in India could potentially be impacted the most given the amount of business that it does and potentially could do with the region. For instance, a Deloitte report has estimated the outsourcing opportunity of the Indian IT industry with Europe at $45 billion.”

Hickok says India’s legal regime around privacy, consisting primarily of section 43A of the IT Act and associated rules, has not been found to be data secure by the EU in past assessments. This means that unless practices are guided by binding corporate rules, the standard of practice in India is lower than required by the previous Data Protection Directive (1995) as well as the GDPR. Some of the potentially challenging requirements in the GDPR will include the requirement for reporting breaches, new standards for consent, ensuring the rights of data subjects including access and correction, portability, erasure and deletion, the right to objection, and, if the need arises, the right to request human intervention in automated decisions.

What could also hit Indian companies is that the cost of GDPR compliance will be high—there will be costs related to human capital, periodic updates, IT infrastructure around the data (both hardware and software) and setting up cyber security and incident response programs.

“Europe is an important market for Indian companies,” says Vinayak Godse, senior director, Data Security Council of India (DSCI). “This heightened threshold of privacy may lead to some top line compromise for Indian IT companies. The compliance burden is also bound to increase. The small and mid-size companies looking at the EU as a market may struggle to comply with the new rules.”

The Indian government is trying to bring some order vis a vis data privacy and the Justice Srikrishna panel is expected to expedite the process. “The Government of India is currently developing a national data protection framework, following the Supreme Court judgment of August 2017 recognising an individual’s privacy as a fundamental right,” says Keshav Dhakad, director & assistant general counsel, corporate, External & Legal Affairs, Microsoft India. “The coming of GDPR will help galvanise the discussion in countries outside of Europe and in India.”

As of now though, there is a lot of confusion and Indian companies, staring at a tight deadline, are under stress. If they can speed up the process and comply, they will be safe, but if they fail, they could lose business in one of India’s most promising markets.

For more details visit https://cis-india.org/internet-governance/news/outlook-march-26-2018-new-lock-for-eu-digital-mines

Aadhaar unique IDs in India: a qualified success?

Admin — 2018-03-17T12:49:51Z

Anshuman Jaswal form Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.

Benefits of Aadhaar

India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.

Security challenges are paramount

Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.

In May 2017, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.

The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.

The second instance of a breach occurred between January to July 2017, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.

Aadhaar and the right to privacy

The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data to be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.

The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.

Read the original blog post published by the Paypers here

For more details visit https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success

White Paper on Data Protection and Privacy

Admin — 2018-03-07T14:57:53Z

National Institute of Public Finance and Policy is organizing a roundtable on data protection and privacy in New Delhi on March 8, 2018. Sunil Abraham is participating as a moderator in the session on Rights and Protections. Amber Sinha is also participating as a panelist.

Agenda here

For more details visit https://cis-india.org/internet-governance/news/white-paper-on-data-protection-and-privacy

Roundtable on A.I. and Governance in India

pranav — 2018-04-20T07:41:21Z

The Centre for Internet and Society (CIS), Bangalore is organizing a roundtable on ‘A.I. and Governance in India' at India Islamic Cultural Centre in New Delhi on March 16, 2018 from 10.00 a.m. to 1.30 p.m.

Download the Event Report

The Roundtable seeks to discuss the various issues and challenges surrounding the design, development and use of AI in Governance (including law enforcement and legal institutions).

In line with the changing times, the government, as well as its agencies, have started using technology and digitization to make governance more efficient and accessible. For example,through its flagship project Digital India, the Indian government has undertaken digitization and revamping of systems related to railways, land records, educational resource etc. As the government pursues its digital agenda, artificial intelligence can be a tool for efficiency and decision making. To realize the potential of AI, a clear understanding of the technology and how it can and should be used is necessary. The first step towards a robust AI policy is a sound Information and Communication Technology (ICT) policy that lays the edifice for algorithmic decision making using AI.

Though the adoption of AI in the public sector is still in its nascent stages, the government of India is taking various steps to increase the scale of adoption. The Union Ministry of Commerce and Industry has constituted a task force on AI to facilitate India's economic transformation. This year’s Union Budget also recognised the need for government investment in research, training and skill development in robotics, AI, digital manufacturing, Big Data intelligence and Quantum communications. Though the adoption of AI in the public sector is still in its nascent stages, the government of India is taking various steps to increase the scale of adoption. The Union Ministry of Commerce and Industry has constituted a task force on AI to facilitate India's economic transformation. This year’s Union Budget also recognised the need for government investment in research, training and skill development in robotics, AI, digital manufacturing, Big Data intelligence and Quantum communications.

Our research on the application of AI in Indian governance aims to examine five broad sectors of application: law enforcement, discharge of governmental functions, defense,judicial/administrative decision making, and education. A few of the existing government research initiatives identified by CIS include the Center for Artificial Intelligence and Robotics (CAIR) hosted by the Indian Defense Research and Development Organization which focuses on research and development of ICT solutions for defense, and the Ministry of Finance’s use of geospatial analytics for their economic survey on human settlements. There are already instances where government bodies are using AI, an example being the case of the Indian Police force, which is revamping its investigation procedures by using Big Data and Artificial Intelligence. The Delhi police has already started using data and analytics to control crime. In the field of agriculture too, the Indian government has partnered with Microsoft to use AI to improve crop production.

While AI can aid governance in numerous ways, there needs to be a system of checks and balances in order to ensure effectiveness, transparency, and accountability. Hence,governance mechanisms must be able to ensure inclusiveness, while minimising the risks that might arise with the use of the technology. Experts have also predicted that, as the government incorporates AI into specific areas of governance- such as service delivery, it will simultaneously need to incorporate it into broader policy structures such as cyber security and the national education framework.

The process of designing a governance ecosystem is a complex one, and AI poses several pre-existing ethical and legal for each application within this ecosystem. The effectiveness ofAI and Machine learning inherently depends on the availability of data, and it is predicted that the most imminent challenge will also involve the same, especially as India becomesincreasingly data dense and the government is entrusted with its citizens’ data. These challenges could range from the collection, storage, and use of data, to having to answerquestions of fairness, safety, and prevention of misuse. This roundtable seeks to deliberate on these questions and more so as to understand how to optimise the use of AI ingovernance for the public interest. In doing so, the roundtable will use preliminary research that CIS has undertaken into the use of AI and governance in India as an entry point into broader discussions on the challenges and benefits and way forward for AI.

Agenda

For more details visit https://cis-india.org/internet-governance/events/roundtable-on-a-i-and-governance-in-india