Centre for Internet and Society

Participation in ISO/IEC JTC 1 SC 27 meetings

Admin — 2019-11-02T06:31:46Z

From October 14 - 18, 2019, Gurshabad Grover, participated in the meetings of ISO/IEC JTC 1 SC 27 held in Paris, the committee that develops international standards for IT Security techniques.

Gurshabad focused on the meetings of working group 5 that deals with identity management and privacy technologies. Some highlights of the participation:

I represented the Indian delegation's contributions in the comment resolution meeting on WD TS 27570: Privacy guidelines for smart cities.

Since October 2018, I have been a co-rapporteur on the working groups' study period on the impact of machine learning on privacy. At this meeting, we presented our interim report. We are extending the study period for six months to further collaborate with SC 42 (that deals with artificial intelligence standards) to document privacy aspects for the applications and use cases they have developed.

I will now be a co-rapporteur on the study period on `Privacy for fintech services', which was initiated in this meeting. We will be surveying privacy standards and data protection regulations to assess the need for new work items (standards/guidelines document) in the space.

For more details visit https://cis-india.org/internet-governance/news/participation-in-iso-iec-jtc-1-sc-27-meetings

Parsing the Cyber Security Policy

chinmayi — 2013-07-22T06:37:56Z

An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.

Chinmayi Arun's article was published in the Hoot on July 13, 2013 and later cross-posted in the Free Speech Initiative the same day.

We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of Anonymous, which carried out a series of attacks, including the website run by Computer Emergency Response Team India (CERT-In) which is the government agency in charge of cyber-security. Even more serious, are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as Stuxnet, the digital worm. More proximate and personal are perhaps the phishing attacks, which are on the rise.

We therefore run a great risk if we leave air-traffic control, defense resources or databases containing several citizens’ personal data vulnerable. Sure, there is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective it is and whether its actions do not have too many negative spillovers.

The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy remains ambiguous so far, leading to much speculation about the different ways in which it might be intrusive.

One Size Fits All?

The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business.

For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey-areas might emerge in contexts where a private party is manages critical infrastructure.

It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions.

Race to the Top

Security on the Internet works only if it stays one step ahead the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.

The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.

Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!

Investigation of Security Threats

Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken.

The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner.

This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the kind of paternalistic state intrusion that might be conceived to give effect to this.

Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared. Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.

It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise.

Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy

Paper-thin Safeguards and Mass Surveillance in India

chinmayi — 2015-06-20T10:17:57Z

The Indian government's new mass surveillance systems present new threats to the right to privacy. Mass interception of communication, keyword searches and easy access to particular users' data suggest that state is moving towards unfettered large-scale monitoring of communication. This is particularly ominous given that our privacy safeguards remain inadequate even for targeted surveillance and its more familiar pitfalls.

This need for better safeguards was made apparent when the Gujarat government illegally placed a young woman under surveillance for obviously illegitimate purposes, demonstrating that the current system is prone to egregious misuse. While the lack of proper safeguards is problematic even in the context of targeted surveillance, it threatens the health of our democracy in the context of mass surveillance. The proliferation of mass surveillance means that vast amounts of data are collected easily using information technology, and lie relatively unprotected.

This paper examines the right to privacy and surveillance in India, in an effort to highlight more clearly the problems that are likely to emerge with mass surveillance of communication by the Indian Government. It does this by teasing out Indian privacy rights jurisprudence and the concerns underpinning it, by considering its utility in the context of mass surveillance and then explaining the kind of harm that might result if mass surveillance continues unchecked.

The first part of this paper threads together the evolution of Indian constitutional principles on privacy in the context of communication surveillance as well as search and seizure. It covers discussions of privacy in the context of our fundamental rights by the draftspersons of our constitution, and then moves on to the ways in which the Supreme Court of India has been reading the right to privacy into the constitution.

The second part of this paper discusses the difference between mass surveillance and targeted surveillance, and international human rights principles that attempt to mitigate the ill effects of mass surveillance.

The concluding part of the paper discusses mass surveillance in India, and makes a case for expanding our existing privacy safeguards to protect the right to privacy in a meaningful manner in face of state surveillance.

Download the paper here.

For more details visit https://cis-india.org/internet-governance/blog/paper-thin-safeguards-and-mass-surveillance-in-india

Panel suggests law to protect individual privacy

praskrishna — 2012-10-22T14:37:28Z

A government-appointed expert panel Thursday called for a law to protect individual privacy against misuse of information collected by various agencies, public and private, and through various methods like telephone tapping.

Published in Newstrack India on October 18, 2012.

Concerns have been voiced by various quarters in the country on the possible invasion of citizen's privacy guaranteed under Article 21 of the Constitution through national programmes like Unique Identification number, reproductive rights of women, DNA profiling and brain mapping which will be implemented through the information, communication and technology (ICT) platforms.

Minister of State for Planning Ashwani Kumar last year had constituted the experts group to identify the privacy issues and prepare a report to facilitate authoring of the privacy bill.

The group, headed by former Delhi High Court Chief Justice A.P. Shah, recommended setting up of a regulatory framework comprising Privacy Commissioners at the centre and regional levels to deal with privacy issues and mandatory destruction of telephone conversation after a specified period.

As regards the specific issue of phone tapping, it said "interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days".

It suggested that the records of the conservation should be destroyed by security agencies and telephone service providers within stipulated time frame.

"Records of interception must be destroyed by security agencies after six months or nine months and service providers must destroy after two or six months," it said.

Acccording to an official release, the following are some of the major recommendations made in the panel's report:

The regulatory framework will consist of Privacy Commissioners at the Central and Regional levels.

A system of co-regulation that will give self-regulating organizations at industry level choice to develop privacy standards which should be approved by a Privacy Commissioner.

Individuals would be given the choice (opt-in/opt-out) with regard to providing their personal information and the data controller would take individual consent only after providing inputs of its information practices.

The data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection as well as process the data relevant to the purpose for which they are collected.

The data collected would be put to use for the purpose for which it has been collected. Any change in the usage would be done with the consent of the person concerned.

Data collected and processed would be relevant for the purpose and no additional data elements would be collected from the individual.

Interception orders must be specific and all interceptions would only be in force for a period of 60 days and renewed for a period up to 180 days. Records of interception must be destroyed by security agencies after 6 months or 9 months and service providers must destroy after 2 months or 6 months.

Infringement of any provision under the Act would constitute an offence by which individuals may seek compensation for an organization/bodies held accountable to.

Note: CIS was part of the expert committee even though not explicitly mentioned.

For more details visit https://cis-india.org/news/newstrackindia-october-18-2012-suggests-law-to-protect-individual-privacy

Panel on Privacy, Surveillance & the UID in the post-Snowden era

praskrishna — 2013-11-26T19:05:54Z

The Centre for Internet and Society (CIS) and the Say No to UID campaign invite you to a discussion on the UID and on the implications of the world's largest biometric data collection scheme in a post-Snowden era. The panel will take place on November 30th at the Institution of Agricultural Technologists in Bangalore.

Probably one of the most important things that we learnt following the Edward Snowden revelations is that our data has value. In fact, what we learnt is that our data has immense value...since it is clearly worth billions of dollars — to say the least.

However, not only does India lack privacy legislation which could safeguard our data from potential abuse, but it is also currently implementing some of the most controversial surveillance schemes in the world, in addition to the world's largest biometric data collection scheme. What's probably more alarming is that such schemes, such as the UID, lack legal backing, as well as public and parliamentary debate!

We aim to change that. As such, the Centre for Internet and Society (CIS) and the Say No to UID campaign jointly invite you to attend a panel which will discuss all of these crucial topics.

Schedule of panel:

3.30pm - 4pm: Tea/Coffee/Refreshments & Registration

4pm - 5.30pm: Panel on Privacy, Surveillance & the UID in the post-Snowden era

5.30pm - 6pm: Q&A and Open Discussion

Panelists:

- Dr. Usha Ramanathan: Academic, Jurist and Activist

- K V Narendra: Director of Rezorce Research Foundation

- Vinay Baindur: Researcher on Urban Local Government & Decentralisation

- Maria Xynou: Policy Associate on the Privacy Project at the Centre for Internet & Society

For more details visit https://cis-india.org/events/panel-on-privacy-surveillance-uid-in-the-post-snowden-era

Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security

praskrishna — 2016-04-28T17:02:59Z

Sunil Abraham was a speaker at this event organized by Students Christian Movement of India at SCM House in Bangalore on April 25, 2016. Mathew Thomas and Usha Ramanathan also gave talks.

With the passage of the Aadhaar act 2016 is UID / Aadhar mandatory now? How do we understand the issue of Social Security in the context of the new law? What does it mean for those who need to access their senior citizen pension, rations, school and college scholarships, etc.

How does one understand the money bill route for introducing the bill in Parliament? What are implications of this for the validity of the law?

What will happen to the court cases challenging the UID now?

Where are we now on the thorny issues of surveillance, tracking, profiling, biometrics, private and foreign companies and subsidy? What does the law say?

This discussion will revisit the debates around the UID and examine the implications of the new law.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-on-uid-aadhar-act-2016-and-its-impact-on-social-security

Pandemic Technology takes its Toll on Data Privacy

Aman Nair and Pallavi Bedi — 2021-06-26T06:52:52Z

The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The article by Aman Nair and Pallavi Bedi was published in the Deccan Herald on June 13, 2021.

People show Arogya Setu App installed in their phones while travelling by special New Delhi-Bilaspur train from New Delhi Railway Station. Credit: PTI File Photo

Jabalpur: A beneficiary shows his certificate on his mobile phone after receiving COVID-19 vaccine dose, at Gyan Ganga College in Jabalpur, Saturday, May 15, 2021. (PTI Photo)

At a time when technology is spawning smart solutions to combat Covid-19 worldwide, India’s digital response to the pandemic has stoked concerns that surveillance could pose threats to the privacy of the personal data collected. Be it apps or drones, there is widespread criticism that digital tools are being misused to share information without knowledge or consent. At the other end of the spectrum, the great urban-rural digital divide is hampering the already sluggish vaccination drive, exposing vulnerable populations to a fast-mutating virus.

Last year, the Centre, states and municipal corporations launched more than 70 apps relating to Covid-19, demonstrating the country’s digital-driven approach to handling the pandemic. Chief among these was the central government’s contact tracing app Aarogya Setu. Launched under the Digital India programme, the app quickly came under scrutiny over data privacy.

As per its privacy policy, Aarogya Setu collects personal details such as name, age, sex, profession and location. As there is no underlying legislation forming its basis, and in the absence of a personal data protection bill, serious privacy concerns regarding the collection, storage and use of personal data have been raised.

The government has attempted to mitigate these concerns with reassurances that the data will be used solely in tracing the spread of the virus. However, recent reports from the Kulgam district of Jammu and Kashmir point to the sharing of application data with police. This demonstrates how easy it is to use personal data for purposes other than which it was collected, and presents a serious threat to citizen privacy.

Though Aarogya Setu was initially launched as ‘consensual’ and ‘voluntary’, it soon became mandatory for individuals to download the app for various purposes such as air and rail travel (this order was subsequently withdrawn) and for government officials. Initially it was also mandatory for the private sector, but this was later watered down to state that employers should, on a ‘best effort basis', ensure that the app is downloaded by all employees having compatible phones. However, the ‘best effort basis’ soon translated into mandatory imposition for certain individuals, especially those working in the ‘gig economy’.

Several states had also launched apps for various purposes ranging from contact tracing of suspected Covid patients to monitoring the movement of quarantined patients. As a report by the Centre for Internet and Society observed, given the attention on Aarogya Setu, most of the apps launched by the state governments escaped scrutiny and public attention.Most of these apps either did not have a privacy policy or the policy was vague and often did not provide important details such as who was collecting the data, the time period for retaining the data and whether personal data could be shared with other departments, most notably, law enforcement.Apart from contact tracing apps, the pandemic also ushered in a wave of other apps and digital tools by the government. These include systems such as drones to check whether people are following Covid-19 norms and facial recognition cameras to report to the police whether someone has broken quarantine. Similar to Aarogya Setu, these tools have also largely been brought about in the absence of a legal and regulatory framework.
The absence of any legal framework has meant these tools are now being used for purposes beyond managing the pandemic.

The government is now planning to use facial recognition technology along with Aadhaar toauthenticate people before giving them vaccine shots.

Aarogya Setu is now linked with the vaccination process. Beneficiaries have been provided an option to register through Aarogya Setu. The pandemic has also provided a means for the government to bring in changes to health policies and introduce the National Health Data Management Policy for the creation of a Unique Health Identity Number for citizens.

Vaccination and digital platforms

The use of digital technology has extended to the vaccination process through the deployment of the Covid Vaccine Intelligence Network (Co-WIN) platform.During the first phase of inoculation, beneficiaries were required to register on the Co-WIN app while in the subsequent phases, registration was to be done on the Co-WIN website. The beneficiary is required to upload a photo identity proof.

While Aadhaar has been identified as one of the seven documents that can be uploaded for this, the Health Ministry has clarified that Aadhaar is not mandatory for registration either through Co-WIN or through Aarogya Setu. However, as per media reports, certain vaccination centres still seem to insist on Aadhaar identity even though beneficiaries may have used another identity proof to register on the Co-WIN website.

It is also pertinent to note that the website did not have a privacy policy till the Delhi High Court issued directions on June 2, 2021. The privacy policy hyperlinked on the Co-WIN app directed the user to the Health Data Policy of the National Health Data Management Policy, 2020.

The vaccination drive has been used as a means to push the health identity project forward as beneficiaries who have opted to provide Aadhaar identity proof have also been provided with a health identity number on their vaccination certificate. It is interesting to note that Co-WIN’s privacy policy now states that if the beneficiary uses Aadhaar as identity proof, it can 'opt' to get a Unique Health Id.However, as a recent report revealed, health identity numbers have already been generated for certain beneficiaries without obtaining consent from them for the purpose.

Have the apps been successful?

One could argue that privacy concerns are a worthwhile tradeoffin order to contain the spread of thepandemic. But it is worth examining how successful these technologies have been. In reality, the use of digital technology at every stage of combating the pandemic has clearly highlighted the extent of our digital divide. As per data from TRAI, there are around 750 million Internet subscribers in India,which is only a little more than half of India’s estimated 1.3 billion citizens — with this gap having a significant impact on the efficacy of the government’s strategies. Aarogya Setu has fallen far short of its goal, of having near universal adoption. It has limited adoption in much of the country. This has severely limited its efficacy in tracing the spread of the virus. Research from Maulana Azad Medical College has cited socio-economic inequalities,educational barriers and the lack of smartphone penetration as being the key causes behind the app’s limited success, pointing back to the digital divide. Moreover, the app has also brought with it a host of associated problems including lateral surveillance and function creep caused by the addition of new features. All of which, along with the previously mentioned privacy concerns, have served to hamper public trust and adoption.

A similar situation is seen in the case of vaccination and the Centre’s Co-WIN web portal. The need for registration, first on the Co-WIN app and later on the Co-WIN web portal, has disproportionately affected those who either have no or limited digital access. Many of them belong to vulnerable groups such as migrant and informal sector workers (mainly from disadvantaged castes), LGBTQIA + individuals, sex workers and both urban and rural poor. These issues have also been acknowledged by the Supreme Court, which raised serious concerns about the government being able to achieve its stated object of universal vaccination.

As the inoculation exercise opened up for the 18-45 age group, it increasingly favoured the urban population who possessed the technological and digital literacy to either create or access a host of tools. One need to only look at the wave of automated CO-WIN bots that arose as soon as the vaccination process was expanded to see how these dynamics manifested.

Ultimately, the digital-driven approach that the governments have adopted has resulted in a number of issues — most notably, data privacy and exclusion. Going forward, government strategies must actively account for these factors and ensure that citize rights are adequately protected.

For more details visit https://cis-india.org/internet-governance/blog/deccan-herald-aman-nair-and-pallavi-bedi-june-13-2021-pandemic-technology-takes-its-toll-on-data-privacy

PAI WG Labor and Economy Meeting

Admin — 2018-05-05T09:35:07Z

Elonnai Hickok co-chaired the first PAI Labor and Economy WG in NYC on April 25, 2018.

Agenda

For more details visit https://cis-india.org/internet-governance/news/pai-wg-labor-and-economy-meeting

Oyo Hotels’ Real-Time Digital Record Database Sparks Privacy Fears

Admin — 2019-01-18T02:26:50Z

Oyo Hotels’ pilot to maintain a real-time digital database of guests and plan to share it with law-enforcement agencies has triggered privacy concerns.

The article by Nishant Sharma was published by Bloomberg Quint on January 16, 2019. Pranesh Prakash was quoted.

The digital check-in and check-out database of guests will do away with the conventional arrival and departure registers, Aditya Ghosh, chief executive India and South Asia at the hotel chain said at a CII event, according to a report in Business Standard. That will make the process efficient and transparent and the SoftBank-backed startup has received acceptance from governments of Haryana, Rajasthan and Telangana for the proposed digitisation of guest entry and departure records, the report said quoting Ghosh.

That triggered an outrage on social media, with users calling it invasion of privacy.

Oyo, in an emailed statement to BloombergQuint, said it will provide information to the law-enforcement agencies about who is staying only after an information order is issued by the police. The company said it will create “stronger data security net”. Oyo, however, didn't clarify who will maintain the data centres.

Centralisation of data of any kind isn't good and will make data more fragile, Sunil Abraham, founder of research think tank Center for Internet and Society, told BloombergQuint. “If someone manages to break into the police data, or where the data is stored then they will be able to have the access to the data. It is always good to store data locally.”

Just last year, Marriott International Inc. reported a hack in which passport numbers, emails and mailing addresses of 327 million of its 500 million Starwood guests was leaked.

To be sure, police always have access to data of customers staying at hotels, one way or the another. As per existing regulations, all hotels, bed and breakfasts and guest-houses have to make an entry of guests checking in and out in a register. This can be checked by the local police when an information order is presented.

Chances of manipulating information in such a register is high, and at times police go through the data without having an information order as well, said an industry executive requesting anonymity.

Srinivas Kodali, a cybersecurity expert, said such a centralised database makes business sense for Oyo because they will get access to data not just of people who booked through them but also of others who checked in without booking online. “Because there is no law, the entities can do it.”

Pranesh Prakash, a technology policy analyst and affiliated fellow at CIS, sees this as an invasion of privacy in the absence of law. Digitisation of data can be allowed only after there’s a law on what happens in the case it’s misused. There is no legal framework about how and where the data will be used, he said.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-january-16-2019-oyo-hotels-real-time-digital-record-database-sparks-privacy-fears

Outrage As Privileged IITians Use Tech To Spy On Sweepers

Rachna Khaira — 2019-12-15T05:33:21Z

Some members of the housekeeping staff at IIT Ropar were put under round the clock surveillance during working hours for many days in February this year without their consent. IIT Ropar Director Prof S K Das has ordered a probe into the incident.

The article by Rachna Khaira was published in Huffington Post on December 31, 2019. Aayush Rathi was quoted.

The Indian Institute of Technology (IIT), Ropar is conducting a probe into the reported tagging and round the clock electronic surveillance of some housekeeping staff members as part of an experiment run by the Technology Business Incubation Foundation (TBIF) located at the IIT campus in February this year.

HuffPost India has learnt that the TBIF, a tech incubator run within IIT Ropar, signed off on the “Sweepy” project in which housekeeping staff were given wristbands and brooms secretly embedded with tracking chips, without seeking the consent of the janitorial staff, or informing IIT Ropar management.

While the housekeeping staff were told the wristbands would record their pulse and heart beat, and that they should wear it while cleaning the campus, the tracking chips were used to track to assess if they were sweeping out hard-to-reach corners of the institute.

Prof. Sarit Kumar Das, Director IIT Ropar told HuffPost India that a three member committee comprising of Prof. Bijoy H Barua, Prof. Javed Agrewala and Prof. Deepak Kashyap has been set up to look into the matter.

“We at the IIT Ropar respect privacy and condemn any such violation made by any of our student or staff member,” said Prof. Das. “Before conducting any experiment on human beings, an approval has to be sought from the human ethics team constituted in our institution and they present a case to me after seeking a written consent from the people who would undergo the experiment. Only, after getting my approval, such an experiment can be conducted at the campus.”

Sweeping surveillance

J K Sharma, the Chief Operating Officer of TBIF, told HuffPost India that his tech incubator deliberately misled the housekeeping staff about the true purpose of the wristband as they felt the housekeeping staff wouldn’t agree to wear such a device.

While elaborating more on the ‘Sweepy’ project, Sharma said that the project was based on an idea that came to the hostellers who were upset over the housekeeping staff for not cleaning their rooms.

“The sweepers were not working properly and despite reporting the matter several times to the authorities, they were not taking any cognisance. Perturbed, the students developed this programme in which the location of the sweeper can be recorded and monitored in a control room by a gadget tied to the sweeper’s wrist,” said Sharma.

He further added that a beacon records the activity of the sensor pasted to the broom or mop held by the sweeper and can monitor the area and the time in which it was used. The report was produced digitally on the screen.

Was a consent sought from the sweepers before tagging them?

“The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to him,” said Sharma.

The findings were shared with the housekeeping supervisor who later directed his staff to do their duty more diligently.

The team working on the project however told HuffPost India that they secured the privacy of the housekeeping staff by removing the microphone from the gadgets tied to their wrists.

This technology does not have video feature and only monitors location of a moving object and is quite cheap as compared to the radio-frequency identification (RFID) technology that uses electromagnetic fields to automatically identify and track tags attached to objects.

The testing was done in a secret manner as the housekeeping staff may not have given their consent for the trial. We tried it on three sweepers and while two of them were found working dedicatedly, one was found to have missed cleaning from few areas assigned to himJ K Sharma, Chief Executive Officer, Technology Business Incubation Foundation, IIT Ropar

Calling this an increasingly commonplace trend of covert spying on domestic workers without their knowledge, Ayush Rathi, Programme Officer, Centre for Internet and Society, said that the housekeeping staff was made to wear the gadget under a false pretense is telling.

“This is a classic example of how the access to privacy is stratified along the axes of class, caste and gender. And ties in closely with a key purpose of surveillance — that of exerting control over people’s bodies to conform to the surveiller’s ideas of right and wrong,” said Rathi.

He further added that in many ways, this story captures the zeitgeist of the 21st century. The is the essence of so much of what qualifies as innovation today is that they seek to find technological solutions to problems that are structural in nature.

“So, in this instance it is very evident that the objective sought to be achieved was not to merely ‘fix’ the problem of the housekeeping staff performing its duties well, but to solely hold them guilty for failing to do so,” said Rathi.

An alternate, albeit more tedious, approach would have been to speak with the workers and iron out the struggles they were facing at the workplace that were preventing them from performing their job well. Any solution could only have been prepared thereafter — he added.

As per Prof. Das, a major problem with the engineering students is that unlike medical students, 90 percent of their experiments are based on machines and not human beings.

“There is too much deficiency of the understanding of human psychology amongst engineering students. To curb this, we at the IIT have started a mandatory course on human ethics which is being taught by some of the renowned human psychology experts. Still sometimes, the violations gets reported,” said Prof. Das.

For more details visit https://cis-india.org/internet-governance/news/huffignton-post-december-13-2019-rachna-khaira-outrage-as-privileged-iit-ians-use-tech-to-spy-on-sweepers

Opposition questions govt move to make Aadhaar must

praskrishna — 2017-04-12T14:19:20Z

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

The article by Komal Gupta was published in Livemint on April 11, 2017. Pranesh Prakash was quoted.

The Rajya Sabha on Monday witnessed a lively debate on Aadhaar, with the opposition questioning the government’s move to make the 12-digit unique identification number mandatory for a host of welfare benefits.

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

“My major concern is implementation, how Aadhaar is being used to exclude people to avail benefits of the schemes which have been designed for them…If you need to apply to avail benefits, it’s as good as mandatory,” said Ramesh.

The former cabinet minister argued that over 25% of the population will stand excluded.

“The Rs50,000 crore savings due to Aadhaar linkage as given by the government is highly questionable,” he said, adding that according to Comptroller and Auditor General (CAG) reports, 92% of the savings on domestic gas subsidies is not on account of Aadhaar implementation or direct benefit transfer. “Instead, it is because of the fall in international oil prices,” Ramesh argued.

Trinamool Congress member Derek O’Brien said that for manual labourers, biometric identification does not always match and that can deprive them of welfare.

He gave the example of Andhra Pradesh, where almost half the 85,000 ration card holders in 2014 were unable to get subsidized foodgrains due to faulty point of sale machines and biometrics not matching.

K.T.S Tulsi, member of Parliament and senior Supreme Court advocate, said, “Not in my whole career have I come across a greater mutilation of a statutory provision than what has taken place in the case of Aadhaar.” He said Section 29 of the Aadhaar Act doesn’t permit data stored with the Unique Identification Authority of India (UIDAI) to be shared with anyone but a provision was later made for voluntary agreement to allow the sharing of data.

IT and law minister Ravi Shankar Prasad said, “No religion, income, medical history, ethnicity or education is asked in Aadhaar. Even email ID and phone number is optional.”

“The right of privacy of individuals must be respected. The privacy of the data cannot be breached by us except in the case of national security,” Prasad added.

He claimed that the government has been blacklisting operators that share data from the Aadhaar system. It has blacklisted 34,000 operators, and has taken action against 1,000 of them.

Prasad also said that UIDAI will be accountable to the Parliament.

Expressing concern on mandating the use of Aadhaar for different services, Pranesh Prakash, Policy director of the Centre for Internet and Society, said, “As an enabler, people would want to have Aadhaar. But when it is made mandatory, it becomes more of a disenabler instead of an enabler.”

“With the move towards a digital economy, setting up of a data protection authority as recommended by the Shah committee is important along with mass surveillance and greater accountability from the government,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-april-12-2017-komal-gupta-opposition-questions-govt-move-to-make-aadhaar-must

OPINION | Data is New Oil and Human Mind the New Battlefield. India Must Wake Up Now

Admin — 2017-11-26T03:28:55Z

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

The article by Lt. General (Retd.) D. S. Hooda was published by News18.com on November 11, 2017

A few days ago, the Army Headquarters took out a public advisory warning about a “deliberate misinformation campaign being launched by vested interests some of which is being initiated from countries bordering our nation.” This is an acknowledgment of the use of social media for what is today considered the most dominant form of warfare — ‘information warfare’. It has been extensively used by our adversaries in Jammu and Kashmir to show the government and security forces in poor light.

Deception, propaganda and misinformation have always been a part of warfare but what is different today is that the tools of information warfare have acquired a new dimension. An integration of massive amounts of data with Artificial Intelligence (AI) has given a significant weapon in the hands of information warriors.

The cost of saving data has been plummeting, with the cost being halved about every 15 months. Now more and more data about individuals is being saved, both by corporations and governments. In his book, Data and Goliath, Bruce Schneier writes that worldwide, Google has the capacity to store 15 exabytes of data. To put it in context, one exabyte is 500 billion pages of text. Bruce also quotes the case of Max Schrems, an Austrian law student, who in 2011 demanded all his personal data from Facebook. After a two year legal battle, Facebook gave him a CD with 1200 pages of PDF. This is how much Facebook knows about you, and it does not forget because it is all saved.

All this big data would be useless unless it can be utilised for decision making and this is where advances in AI have provided the breakthrough. Smart machines mine the data and detect trends, patterns, habits, ideology and desires. These personal characteristics of individuals are being used by corporations to send targeted advertisements to influence commercial decisions.

The same technique is used in information warfare. On November 1, the US House Intelligence Committee released Facebook advertisements bought by Russian operatives to influence the 2016 elections. Washington Post wrote, “The ads made visceral appeals to voters concerned about illegal immigration...African American political activism, rising prominence of Muslims” among other issues. Senator Angus King said, “The strategy is to take a crack in our society and turn it into a chasm.”

Data is the new oil and that is exactly how it is being traded and sold. In the absence of any legal provisions, companies and ‘data brokers’ are sharing and selling personal data. Can this personal data find its way to a hostile government? Last month, the US Army brought out that their troops in the Baltic had reported instances of cell phone hacking. However, more worrisome was the fact the hackers knew personal details of the soldiers. Direct threats against family members of the military can have a negative psychological impact during conflict.

India has its share of political, social and ethnic differences, just as in many societies. In recent times these differences have been magnified as nationalism has taken centre stage. It is difficult to imagine why these fault lines will not be exploited by inimical forces as India enters the election mode in 2018. Looking at examples from the US and French elections, Brexit and the cyber battle during the Catalonia referendum, I think we have no option but to be prepared.

The preparation for this war (and I do not use this word lightly) lies in three spheres — concepts, practices and structures.

Conceptually, our current shortcoming is that we are viewing this issue through a technical prism rather than the broader spectrum of information warfare. CERT and NTRO can technically protect our critical infrastructure but they do not have an equal understanding of the human dimension, which is more strategic than scientific. The Americans, world leaders in information technology, have not been able to prevent a perceived subversion of their democratic process.

Our practices need to improve. The security of personal data is a major concern. The Supreme Court has declared privacy as a fundamental right, but there are no privacy laws to back it up. Even data stored in India is not safe as the owners of our data are the giant technology companies, mostly based in the US and not under our legal control. In September 2017, it was reported that Google has quietly stopped challenging most search warrants from US judges in which the data requested is stored on overseas servers.

A May 2017, report by the Centre for Internet and Society estimated that 135 million Aadhaar numbers could have been leaked from official portals. This was not due to a security breach but due to poor privacy practices.

Our continued reliance on foreign hardware and software is extremely worrisome. There was clear evidence that Cisco systems had been back-doored by the American National Security Agency but the Indian military continues to procure hardware from Cisco. There is a similar story with Chinese equipment in our telecommunication and power sectors. An attempt to introduce an Indian operating system to replace Windows in the Army has been mired in controversy.

In case of a targeted cyber attack on India, there is little we can do except issue advisories. The solutions will have to come from foreign manufactures or developers whose equipment we are using. There is an urgent need to give a fillip to developing indigenous solutions for our critical infrastructure.

And finally, structures. An organisation to execute information warfare would have to be led by the Ministry of Defence, because the threat is mainly from external players. It would be a combination of military planners, specialists from the field of intelligence, government agencies, media and cyber warfare experts. Such an organisation does not currently exist, though the raising of the Cyber Command could fill this gap.

In information warfare, the battlespace is the human mind. This is where the privacy of an individual intersects with national security. Fighting this battle will require a new paradigm in thought and action.

(The author is former Northern Commander, Indian Army, under whose leadership India carried out surgical strikes against Pakistan in 2016. Views are personal.)

For more details visit https://cis-india.org/internet-governance/news/news-18-lt-general-retd-ds-hooda-data-is-new-oil-and-human-mind-the-new-battlefield-india-must-wake-up-now

Open Secrets

nishant — 2013-11-30T08:21:21Z

We need to think of privacy in different ways — not only as something that happens between people, but between you and corporations.

Dr. Nishant Shah's article was originally published in the Indian Express on October 27.

If you are a part of any social networking site, then you know that privacy is something to be concerned about. We put out an incredible amount of personal data on our social networks. Pictures with family and friends, intimate details about our ongoing drama with the people around us, medical histories, and our spur-of-the-moment thoughts of what inspires, peeves or aggravates us. In all this, the more savvy use filters and group settings which give them some semblance of control about who has access to this information and what can be done with it.

But it is now a given that in the world of the worldwide web, privacy is more or less a thing of the past. Data transmits. Information flows. What you share with one person immediately gets shared with thousands. Even though you might make your stuff accessible to a handful of people, the social networks work through a "friend-of-a-friend effect", where others in your networks use, like, share and spread your information around so that there is an almost unimaginable audience to the private drama of our lives. Which is why there is a need for a growing conversation about what being private in the world of big data means.

Privacy is about having control over the data and some ownership about who can use it and for what purpose. Interface designs and filters that allow limited access help this process. The legal structures are catching up with regulations that control what individuals, entities, governments and corporations can do with the data we provide. However, most people think of privacy as a private matter. Just look at last month's conversations around Facebook's new privacy policies, which no longer allow you to hide. If you are on Facebook, people can find you using all kinds of parameters — meta data — other than just your name. They might find you through hobbies, pages you like, schools you have studied in, etc. This can be scary because it means that based on particular activities, people can profile and follow you. Especially for people in precarious communities — the young adults, queer people who might not be ready to be out of the closet, women who already face increased misogyny and hostility online. This means they are officially entering a stalkers' paradise.

While those concerns need to be addressed, there is something that seems to be missing from the debate. Almost all of these privacy alarms are about what people can do to people. That we need to protect ourselves from people, when we are in public — digital or otherwise. We are reminded that the world is filled with predators, crackers and scamsters, who can prey on our personal data and create physical, emotional, social and financial havoc. But this is the world we already know. We live in a universe filled with perils and we have learned and coped with the fact that we navigate through dangerous spaces, times and people all the time. The digital is no different than the physical when it comes to the possible perils that we live in, though digital might facilitate some kinds of behaviour and make data-stalking easier.

What is different with the individualised, just-for-you crafted world of the social web is that there are things which are not human, which are interacting with you in unprecedented ways. Make a list of the top five people you interact with on Facebook. And you will be wrong. Because the thing that you interact with the most on Facebook, is Facebook. Look at the amount of chatter it creates — How are you feeling today?; Your friend has updated their status; Somebody liked your comment… the list goes on. In fact, much as we would like to imagine a world that revolves around us, we know that there are a very few people who have the energy and resources to keep track of everything we do. However, no matter how boring your status message or how pedestrian your activity, deep down in a server somewhere, an artificial algorithm is keeping track of everything that you do. Facebook is always listening, and watching, and creating a profile of you. People might forget, skip, miss or move on, but Facebook will listen, and remember long after you have forgotten.

If this is indeed the case, we need to think of privacy in different ways — not only as something that happens between people, but between people and other entities like corporations. The next time there is a change in the policy that makes us more accessible to others, we should pay attention. But what we need to be more concerned about are the private corporations, data miners and information gatherers, who make themselves invisible and collect our personal data as we get into the habit of talking to platforms, gadgets and technologies.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-october-27-2013-nishant-shah-open-secrets

Open Letter to the Finance Committee: UID and Transactions

praskrishna — 2011-02-24T13:35:11Z

Since official documentation from the UIDAI is very limited, we assume that data pertaining to transactions would comprise of the Aadhaar number, identifier of the authenticating device, date-time stamp, and approval/rejection/error code. Recording and maintaining of data pertaining to transactions is very important because it increases transparency and accountability through an audit trail. However, storage of such sensitive data creates many privacy risks, because more often than not metadata gives you as much intelligence as raw data.

For example – even if you didn’t have access to the Radia recordings – just knowing who she called, when, how frequently, in what order, and for how long, will give quite a comprehensive picture. Thus, we believe that such data should not be fully stored in a central database. By way of an open letter, we suggest three alternative ways of storing and securing data relating to transactions, so that transparency and accountability is preserved without enabling surveillance or profiling of individuals.

Partial storage of data relating to transactions

Once a transaction is processed, half of the UID number is stored in the central database, while the other half of the number is stored with the service provider. Thus, for an agency to reconstruct the audit trail they must seek consent from the service provider and the UIDAI for information regarding a specific transaction. The process would follow steps like these:

Send part of the Aadhaar number to the CIDR
Service provider stores part of the Aadhaar number locally.
Law enforcement and intelligence agencies seeking transaction data securing required approvals from the Home Ministry and then request data from the UIDAI and service provider
Data is provided by UIDAI and the service provider and combined to reconstruct the audit trail.

Storage of the public keys with a custodian

Similar to the model followed in the new wiretapping regulations1, the transaction details in the central database is secured using several custodians. Thus, no single entity has complete knowledge of access to the database. And if the transaction details are leaked to the public, the custodian can be held responsible for negligence. Thus, for an agency to reconstruct the audit trail they must seek approvals and request encrypted data. The process would follow steps like these:

Encrypt transaction data with the public key of the ‘custodian’
Store encrypted data in CIDR
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from the UIDAI.
The custodian on receipt of the necessary approvals decrypts the data using his/her private key, and then the audit trail becomes available.

Complete storage of transaction details at the service provider level

After a transaction is processed, the information is encrypted and stored in a de-centralized manner with the service provider, thus agencies or individuals can only access information regarding a specific transaction at a specific organization. The process would follow steps like these:

Encrypt transaction data
Store encrypted data at service provider level
Law enforcement and intelligence agencies seeking transaction details require approvals from the Home Ministry, and then request encrypted data from each service provider. Audit trail is reconstructed by merging data sets from different service providers.
The CIDR will only hold Aadhaar number, date-time stamp, and approval/rejection/error code.

Note

1 http://timesofindia.indiatimes.com/india/Tapping-norms-Govt-will-erase-private-talk/articleshow/7407633.cms

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-and-transactions

Open Letter to the Finance Committee: UID Budget

praskrishna — 2011-02-17T11:18:16Z

This note presents the aspects of the UID project, which have not been considered or incorporated into the UID’s budget. The costs include re-enrollment, loss in human time, and the cost of the audit function.

Cost of re-enrollment
In the report 'Biometrics Design Standards for UID Applications' 1 a pilot study in India concluded that about two to five per cent of the people did not have viable biometric data. These data have not been taken into account when setting the program budget. Over time biometrics modify, thus re-enrollment will be required. The UIDAI states that given the changing nature of biometric data – biometrics would be collected every five years for children and every ten years for adults. The current project does not give us a clear picture as to what extent the re-enrollment will be required, and how the additional costs will be accounted for.
Cost of loss in human time
A time motion study is a tool used to enhance business efficiency and ensure cost effectiveness by reducing the number of motions in performing a task. In their budget, the UIDAI has accounted for the salaries of individuals associated directly with the UIDAI. The UIDAI has not accounted for the loss in human time that will take place by individuals whose daily routine will be impacted by the UID. If a time motion study were to be done only on the UID project, one would find that individuals not paid by the UIDAI, lose potential wages due to the unpaid time they must dedicate towards the scheme – or that businesses will be forced to compensate for the extra time required for each transaction by providing additional personnel. For example: On a train the number of train masters present is calculated according to how many individuals each ticket master can check and process. With the UID, in order to prevent fraud around subsidized train tickets , individuals on the train will have their biometrics checked and authenticated. The below diagram demonstrates how authenticating an individual by their UID and biometric incurs a loss in human time, and thus, the process of collecting train tickets will require more train masters to complete.
Current Process:
- Present ticket to train master
- Train master checks identity card and identity on ticket
- Train master ticks ticket, and ticks his list to indicate verification
Process with biometrics:
- Present Aadhaar number, fingerprint , and ticket to train master
- Train master takes a reading of your fingerprint and sends it to the central database
- Train master waits for approval from the CIDR
- The CIDR gives a yes or no response
- If the answer is no – the train master swipes your finger five times, and then finds alternate forms of identification
- Train master provides proof of verification
Cost of audit function
The bulk of the UID enabled transactions will have financial implications. Every financial transaction involves three or four parties: the person who collects the payment, the person who prepares the documentation, the person who approves the documentation, and finally the person who audits the documentation. In such a context the technology can play the role of the person who: collects, prepares, and approves each transaction. The role of auditing the transaction cannot be played by technology. The audit function is human, and the audit function needs to be worked into the project budget.

1 “Biometrics Design Standards for UID Applications" pg.22

For more details visit https://cis-india.org/internet-governance/blog/privacy/uid-budget