Centre for Internet and Society

Open Letter to "Not" Recognize India as Data Secure Nation till Enactment of Privacy Legislation

elonnai — 2013-07-12T11:07:58Z

India shouldn't be granted the status of "data secure nation" by Europe until it enacts a suitable privacy legislation, points out the Centre for Internet and Society in this open letter.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC

This letter is with regards to both the request from the Confederation of Indian Industry that the EU recognize India as a data secure nation made on April 29th 2013, [1] and the threat from India to stall negotiations on the Free Trade Agreement with the EU unless recognized as data secure nation made on May 9th 2013.[2]

On behalf of the Centre for Internet and Society, we request that you urge the European Parliament and the EU ambassador to India to reject the request, and to not recognize India as a data secure nation until a privacy legislation has been enacted.

The Centre for Internet and Society believes that if Europe were to grant India status as a data secure nation based only on the protections found in the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”, not only will India be protected through inadequate standards, but the government will not have an incentive to enact a legislation that recognizes privacy as a comprehensive and fundamental human right. Since 2010 India has been in the process of realizing a privacy legislation. In 2011 the “Draft Privacy Bill 2011” was leaked.[3] In 2012 the “Report of the Group of Experts on Privacy” was released. The Report recommends a comprehensive right to privacy for India, nine national privacy principles, and a privacy framework of co-regulation for India to adopt. [4] In 2013 the need for a stand alone privacy legislation was highlighted by the Law Minister.[5] The Centre for Internet and Society has recently drafted the “Privacy Protection Bill 2013” - a citizen's version of a possible privacy legislation for India.[6] Currently, we are hosting a series of six “Privacy Roundtables” across India in collaboration with FICCI and DSCI from April 2013 - August 2013.[7] The purpose of the roundtables is to gain public feedback to the text of the “Privacy Protection Bill 2013”, and other possible frameworks for privacy in India. The discussions and recommendations from the meeting will be published into a compilation and presented at the Internet Governance meeting in October 2013.

The Center for Internet and Society will also be submitting the “Privacy Protection Bill 2013” and the public feedback to the Department of Personnel and Training (DoPT) with the hope of contributing to and informing a privacy legislation in India.

The Centre for Internet and Society has been researching privacy since 2010 and was a member of the committee which compiled the “Report of the Group of Experts on Privacy”. We have also submitted comments on the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011” to the Committee on Subordinate Legislation of the 15th Lok Sabha.[8]

We hope that you will consider our request and urge the European Parliament and the EU ambassador to India to not recognize India as a data secure nation until a privacy legislation has been enacted.

[1]. CII asks EU to accept India as 'Data Secure' nation: http://bit.ly/15Z77dH

[2]. India threatens to stall trade talks with EU: http://bit.ly/1716aF1

[3]. New privacy Bill: Data Protection Authority, jail term for offence: http://bit.ly/emqkkH

[4]. The Report of the Group of Experts on Privacy http://bit.ly/VqzKtr

[5]. Law Minister Seeks stand along privacy legislation, writes PM: http://bit.ly/16hewWs

[6]. The Privacy Protection Bill 2013 drafted by CIS: http://bit.ly/10eum5d

[7]. Privacy Roundtable: http://bit.ly/12HYoj5

[8]. Comments on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Information) Rules, 2011: http://bit.ly/Z2FjX6

Note: CIS sent the letters to Data Protection Commissioners across Europe.

For more details visit https://cis-india.org/internet-governance/blog/open-letter-to-not-recognize-india-as-data-secure-nation

Open house on information breaches

praskrishna — 2017-06-07T00:41:55Z

On May 26, 2017 at the Has Geek open house participants discussed the state of information security in India the legal and regulatory measures that companies must comply with, and consumers should be aware of. Udbhav Tiwari was a speaker at the event organized by Has Geek in Bengaluru.

Sandesh Anand–InfoSec professional at Cigital was the other speaker. Alok Prasanna Kumar, former Supreme Court advocate and Senior Resident Fellow at the Vidhi Centre for Legal policy, moderated the discussion. Udbhav spoke about Breach Notifications and the legal and regulatory positions behind it in India. His presentation from the event can be found here: https://goo.gl/51GDba

For more details visit https://cis-india.org/internet-governance/news/open-house-on-information-breaches

Open Governance and Privacy in a Post-Snowden World : Webinar

vanya — 2015-10-04T11:09:12Z

On 10th September 2015, the OGP Support Unit, the Open Government Guide, and the World Bank held a webinar on “Open Governance and Privacy in a Post-Snowden World” presented by Carly Nyst, Independent consultant and former Legal Director of Privacy International and Javier Ruiz, Policy Director of Open Rights Group. This is a summary of the key issues that were discussed by the speakers and the participants.

See Open Governance and Privacy in a Post-Snowden World

Summary

The webinar discussed how Government surveillance has become an important and key issue in the 21^st century, thanks to Edward Snowden. The main concern raised was with respect to what a democracy should look like in the present day. Should the states’ use of technology enable state surveillance or an open government? Typically, there is a balance that must be achieved between the privacy of an individual and the security of the state – particularly as the former is primarily about social rights and collective interest of citizens.

At the international level, the right to privacy has been recognized as a basic human right and an enabler of other individual freedoms. This right encapsulates protection of personal data where citizens have the authority to choose whether to share or reveal their personal data or not. Due to technological advancement that has enabled collection, storage and sharing of personal data, the right to privacy and data protection frameworks have become of utmost importance and relevance with regard to open government efforts. Therefore, it is important for Governments to be transparent in handling sensitive data that they collect and use.

Many countries have also introduced laws to balance the right to privacy and right to information. The role of the private sector and NGOs involved in enabling an open and transparent government must also be duly addressed at a national level.

Key Questions:

Why should the government release information?

There are multiple reasons for doing so including:

For the purposes of research and public policy (which relates to healthcare, social issues, economics, national statistics, census, etc.)

Transparency and accountability (politicians, registers, public expenses, subsidies, fraud, court records, education)

Public participation and public services (budgets, anti-corruption, engagement, and e-governance).

However, all these have certain risks and privacy implications:

Risk of identification of individual: Any individual whose information is released has the risk of identification, followed by issues like identity theft, discrimination, stigmatization or repression. Normally, the solution for this would be anonymization of the data; however, this is not an absolute solution. Privacy laws can generally cope with such risks, but with pseudonymous data it becomes difficult in preventing identification.
Profiling of social categories which can lead to discrimination: In such a situation, policies and other legislations regulating the use of data and providing remedy for violations can help.
Exploitation and unfair/unethical use of information: When understanding the potential exploitation of information it is useful to consider who is going to benefit from the release of information. For example, in UK, with respect to release of Health Data, the main concern is that people and companies will benefit commercially from the information released, despite of the result potentially being improved drugs and treatment.

What are the Solutions?

The webinar also discussed potential solutions to the questions and challenges posed. For example, when commitments of Open Government Data Partnership are considered, privacy legislations must also be proposed. Further, key stakeholders must make commitments to take pro-active measures to reduce informational asymmetries between the state and citizens. To reduce the risks, measures must be taken to publish what information the State has or what the Government knows about the citizens. For example, in UK, within the civil society network, it is being duly considered in the national plan that the government will publicize how it will share data and have a centralized view on the process of information handling and usage of the data.

The Open Government Guide provides for Illustrative Commitments like enactment of data protection legislation, establishing programmes for awareness and assessment of their impact, giving citizens control of their personal information and the right to redress when that information is misused, etc.

Surveillance

The issue of surveillance and the role of privacy in an open government context was also discussed. The need for creating a balance between the legitimate interest of national security and the privacy of individuals was emphasized. With the rise of digital technologies, many governmental measures pertaining to surveillance intervene in individual privacy. There are many forms of surveillance and this has serious privacy implications, especially in developing countries. For example:

Communications surveillance
Visual surveillance
Travel surveillance

This raises the question: When is surveillance legitimate and when must it be allowed?

The International Principles on the Application of Human Rights to Communications Surveillance acts as a soft law and tries to set out what a good surveillance system looks like by ensuring that governments are in compliance with international human rights law.

In essence surveillance does not violate privacy, however, there must be a clear and foreseeable legal framework laying circumstances when the government has the power to collect data and when individuals might be able to foresee when they might be under surveillance.

Also, a competent judicial authority must be established to oversee surveillance and keep a check on executive power by placing restrictions on privacy invasions. The actions of the government must be proportionate and the benefits must not outweigh harm caused by surveillance.

Role of openness in a “mass surveillance” state

Surveillance measures that are being undertaken by governments are increasingly secretive. The European court of Human Rights has held that Secret surveillance may undermine democracy under the cloak of protecting it. Hence, open government and openness will work towards protecting privacy and not undermining it.

To balance the measure of government surveillance with privacy, there is a need to publish laws regulating such powers; publish transparency reports about surveillance, interception and access to communications data; reform legislations relating to surveillance by state agencies to ensure it complies with human rights and establish safeguards to ensure that new technologies used for surveillance and interception respect the right to privacy.

Conclusion

The conclusion one can draw is that Privacy concerns have gained importance in today’s data driven world. The main question that needs to be answered is whether Government’s should adopt surveillance measures or adopt an Open Government?

Considering equal importance of national security and privacy of individuals, it is required that a balance must be crafted between the two. This could be possibly done by enacting foreseeable and clear laws outlining scope of surveillance by the Government on one hand, and informing citizens about such measures on the other. Establishment of a competent judicial authority to keep a check on Government actions is also suggested to work out the delicate balance between surveillance and privacy.

For more details visit https://cis-india.org/internet-governance/blog/open-governance-and-privacy-in-a-post-snowden-world-webinar

Open Data Hackathons are Great, but Address Privacy and License Concerns

sumandro — 2016-02-05T20:37:18Z

This is to cross-publish a blog post from DataMeet website regarding a letter shared with the organisers of Urban Hack 2015, Bangalore, in response to a set of privacy and license concerns identified and voiced during the hackathon by DataMeet members. Sumandro Chattapadhyay co-authored and co-signed the letter. The blog post is written by Nisha Thompson.

Hackathons are a source of confusion and frustration for us. DataMeet actively does not do them unless there is a very specific outcome the community wants like freeing a whole dataset or introducing open data to a new audience. We feel that they cause burn out, are not productive, and in general don't help create a healthy community of civic tech and open data enthusiasts.

That is not to say we feel others shouldn't do them, they are very good opportunities to spark discussion and introduce new audiences to problems in the social sector. DataKind and RHOK and numerous others host hackathons or variations of them regularly to stir the pot, bring new people into civic tech and they can be successful starts to long term connections and experiments. A lot of people in the DataMeet community participate and enjoy hackathons.

However, with great data access comes great responsibility. We always want to make sure that even if no output is achieved when a dataset is opened at least no harm should be done.

Last October an open data hackathon, Urban Hack, run by Hacker Earth, NASSCOM, XEROX, IBM and World Resource Institute India wanted to bring out open data and spark innovation in the transport and crime space by making datasets from Bangalore Metropolitan Transport Corporation (BMTC) and the Bangalore City Police available to work with. A DataMeet member (Srinivas Kodali) was participating, he is a huge transport data enthusiast and wanted to take a look at what is being made available.

In the morning shortly after it started I received a call from him that there is a dataset that was made available that seems to be violating privacy and data security. We contacted the organizers and they took it down, later we realized it was quite a sensitive dataset and a few hundred people had already downloaded it. We were also distressed that they had not clarified ownership of data, license of data, and had linked to sources like Open Bangalore without specifying licensing, which violated the license.

The organizers were quite noted and had been involved with hackathons before so it was a little distressing to see these mistakes being made. We were concerned that the government partners (who had not participated in these types of events before) were also being exposed to poor practices. As smart cities initiatives take over the Indian urban space, we began to realize that this is a mistake that shouldn't happen again.

Along with Centre for Internet and Society and Random Hacks of Kindness we sent the organizers, Bangalore City Police and BMTC a letter about the breach in protocol. We wanted to make sure everyone was aware of the issues and that measures were taken to not repeat these mistakes.

You can see the letter here:

We are very proud of the DataMeet community and Srinivas for bringing this violation to the attention of the organizers. As people who participate in hackathons and other data events it is imperative that privacy and security are kept in mind at all times. In a space like India where a lot of these concepts are new to institutions, like the Government, it is essential that we are always using opportunities not only to showcase the power of open data but also good practices for protecting privacy and ensuring security.

Originally posted on DataMeet website: http://datameet.org/2016/02/02/to-hack-or-not-to-hack/.

For more details visit https://cis-india.org/openness/open-data-hackathons-are-great-but-address-privacy-and-license-concerns

Open Call for Comments: The Privacy Protection Bill 2013 drafted by the Centre for Internet and Society

bhairav — 2014-02-25T05:38:27Z

The Centre for Internet and Society is announcing an Open Call for Comments to the CIS Privacy Protection Bill 2013.

In early 2013 the Centre for Internet and Society drafted the Privacy (Protection) Bill 2013 as a citizen’s version of privacy legislation for India. The Privacy (Protection) Bill, 2013 seeks to protect privacy by regulating (i) the manner in which personal data is collected, processed, stored, transferred and destroyed — both by private persons for commercial gain and by the state for the purpose of governance; (ii) the conditions upon which, and procedure for, interceptions of communications — both voice and data communications, including both data-in-motion and data-at-rest — may be conducted and the authorities permitted to exercise those powers; and, (iii) the manner in which forms of surveillance not amounting to interceptions of communications — including the collection of intelligence from humans, signals, geospatial sources, measurements and signatures, and financial sources — may be conducted.

The Centre for Internet and Society has been collecting comments to the Privacy Protection Bill since April 2013 with the intention of submitting the Bill to the Department of Personnel and Training as a citizen’s version of a privacy legislation for India. If you would like to submit comments on the Privacy Protection Bill to be included as part of the Centre for Internet and Society’s submission to the Department of Personnel and Training, please email comments to bhairav@cis-india.org.

Download the latest version of the Privacy Protection Bill (February 2014)

For more details visit https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-open-call-for-comments

Online Trolls Attack Critics of India's Aadhaar State ID System

praskrishna — 2017-06-07T13:34:00Z

India's biometric state ID system has been leaking citizens’ data for months. When this information surfaced in April 2017, it stoked fears that the system could be used as an instrument of surveillance against Indian residents.

The blog post by Rohith Jyothish was published by Global Voices on May 31, 2017.

The Unique Identity Authority of India (UIDAI), which administrates the system known as Aadhaar (meaning foundation in Hindi) maintains that it only collects minimal personal data and stores it securely. But critics have firmly expressed doubts about these claims.

The implications of these leaks, and of any system flaw in Aadhaar technology, are substantial, especially for Indians who depend on the Aadhaar system in order to authenticate their identities when they use any number of government services. The Aadhaar system has become the gatekeeper of state systems and services ranging from voting to financial savings to food subsidies.

The digital sphere is now starting to see a pushback against Aadhaar critics through articles and blogposts that describe concerned citizens and privacy experts as the ‘anti-Aadhaar brigade‘ and accuse them of publishing “half-truths” and “spread[ing] confusion to advance their own interests.” One such article was even featured on the UIDAI website.

Some of the most well-researched critiques of the system have come from the Centre for Internet and Society (CIS), an inter-disciplinary research organisation in Bangalore that has now become a target of the pro-Aadhaar lobby. Shortly after CIS released a report that pointed out security flaws in the Aadhaar ecosystem, the UIDAI accused the organization of hacking into the Aadhaar system themselves.

In fact, CIS had investigated databases of four specific government websites. Three were available publicly, the fourth one was accessible by simply changing one of the URL parameters. Following the accusation from UIDAI, CIS clarified that the Aadhaar numbers along with other sensitive personal financial information like bank account details were made available by government websites themselves, putting a sizeable portion of Indian citizens at risk of financial fraud.

The Press Trust of India (India's largest news agency) referred to it as a “flip-flop”, which was contested by researchers at CIS.

Independent technology news platform Medianama reported that the accusation by the UIDAI is regrettably consistent with previous actions in which they filed a case against a journalist for exposing flaws in Aadhaar's enrollment mechanism.

A website called ‘Support Aadhaar‘ and its Twitter handle sought to collate opinions supporting Aadhaar and quell those speaking against it. However, most of their messages appear to evade or deflect the concerns that critics have raised by touting the benefits of the system and portraying critics as having a poor understanding of the benefits of technology.

Many Twitter users have also begun noticing patterns in the pro-Aadhaar posts:

Meanwhile, several critics of Aadhaar have repeatedly been trolled by anonymous handles on Twitter. These ‘sock puppet’ accounts seemed to be targeting those who criticise Aadhaar on social media.

One of the most active trolls issued an open challenge to reveal their identity with just their Aadhaar number. Technology entrepreneur Kiran Jonnalagadda accepted the challenge and found that ‘@Confident_India’, one of the many anonymous troll Twitter handles, is Sharad Sharma, the co-founder and director of iSPIRT Foundation (Indian Software Product Industry Roundtable), the software lobby that built the backbone of the Aadhaar ecosystem.

Sharma accidentally tweeted a denial from the troll account which has since been deleted. He then tweeted again from his personal handle which was captured.

iSPIRT officially denied allegations by Jonnalgadda that the “evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.” India Stack is the digital infrastructure that has been built over Aadhaar.

But several other Twitter users have confirmed that Sharma's phone number is linked to ‘@Confident_India’. By their own admission, iSPIRT seemed to have an officially sanctioned project intended to systematically challenge anti-Aadhaar campaigners in online platforms. But they refuse to term these actions as “trolling”.

However, Sharma later made an apology for trolling and called it a “lapse of judgement”. CIS Executive Director Sunil Abraham seemed to appreciate the message. He tweeted: Bravo to @sharads for this! All of us at @cis_india look fwd to collaborating with @Product_Nation & @sharads to serve Indian s/w sector. https://twitter.com/sharads/status/866943195678035968 …

iSPIRT is an initiative which finds far-reaching support from several IT industry leaders in India. What is worrying is that there is still no clarification from iSPIRT on the identities of the other anonymous trolls and their position on trolling against genuine concerns raised by citizens.

More than a week after the trolling revelations, iSPIRT announced on its website, the results of an investigation carried out by an Internal Guidelines and Compliance Committee over the allegations against Sharma of operating the anonymous handles, ‘@Confident_India’ and ‘@Indiaforward2′. Jonnalgadda was one of the trolling victims who testified in the internal meeting. A summary of the investigation was posted bafflingly by the accused himself in which he says that project Sudham has been dissolved and that he has been told to not make public appearances on behalf of iSPIRT for four months while he remains Director and the face of the organisation. FactorDaily reported that iSPIRT members on the condition of anonymity said that Pallav Nadhani (Founder, Chief Executive, FusionCharts) and Naveen Tewari (Co-founder, InMobi) who quit iSPIRT were upset with their excessive focus on India Stack.

One wonders whether this kind of behavior would be treated differently if it took place offline. Is intimidating those who appear to be ‘detractors’ the most effective way of dealing with criticism? Why is a software lobby taking it upon themselves to defend the idea of Aadhaar and India Stack through such means?

Many are hoping that experts on both sides of the issue can find a way to debate questions around the privacy and security of Aadhaar's technology — that affect some 1.3 billion people — in a more democratic way.

For more details visit https://cis-india.org/internet-governance/news/global-voices-rohith-jyothish-may-31-2017-online-troll-attack-critics-of-indias-aadhaar-state-id-system

Online privacy should not come at the cost of security: Sunil Abraham

praskrishna — 2014-11-02T02:27:12Z

Sunil Abraham, Centre for Internet and Society’s executive director, on privacy laws and Internet penetration.

Anirban Sen's article was published in LiveMint on May 19, 2013. Sunil Abraham is quoted.

The Centre for Internet and Society (CIS), a research thinktank that primarily focuses on issues of Internet governance, is pushing to revise the provisions of the Information Technology (IT) Act and make a stronger case for privacy laws and free speech in India, an issue that has caused widespread concern after the government tried to restrict access to more than a 100 websites last year with little justification.

“We want to revise the IT Act...that’s the toughest one and that’s not going to happen very soon because the government is treating it like an ego battle now. They no longer listen to the others,” said Sunil Abraham, executive director of CIS.

The IT Act has been at the centre of debate, with some of its provisions such as Section 66A, which criminalizes “causing annoyance or inconvenience” online or electronically, coming under criticism from rights advocates for being too vague and subject to interpretation.

CIS, which will complete five years on Monday and is organizing a four-day event focusing on issues such as cyber security, surveillance in India and privacy, said it also was working towards creating a privacy law for India within the next 3-4 years. India, which is estimated to have Internet penetration of just 10%, is the third-largest Internet market in the world.

“We’re getting closer and closer to that (privacy law),” said Abraham, adding that privacy should not come at the cost of security.

Over the past five years, Bangalore-based CIS has also been part of some government committees such as the Justice AP Shah Committee, which focused on privacy laws in India, and is also currently working on the country’s telecom policy. The non-government organization, which receives grants from international bodies such as the Wikimedia Foundation, has also worked on policies for the government of Iraq and is currently also doing policy work for the government of Burma.

“Five years ago we were making noise from outside the room, we were not inside any policy making space. That has also changed. From an organization that was mostly outside the room, we’re increasingly being trusted by our own government,” said Abraham, who was one of the most vocal critics of the government’s unique identification (UID) project when it was first launched. Abraham had raised concerns over its overtly broad scope and issues over privacy in the project.

For CIS, one of the biggest achievements over the past five years was being part of the policy framework for the government of India’s draft national policy on open standards for e-governance, said Abraham, adding that the organization was working towards increasing Internet penetration in the country, especially in rural areas.

“We’re hoping that every single mobile phone user in the country will become an Internet user. We’re planning for that future,” he said.

The CIS event starting on Monday will include speakers such as legal researcher and advocate Lawrence Liang and Vibodh Parthasarathi, an associate professor at the Centre for Culture, Media and Governance at the Jamia Millia Islamia university. Both Liang and Parthasarathi are members of the board at CIS.

For more details visit https://cis-india.org/news/livemint-anirban-sen-may-19-2013-online-privacy-should-not-come-at-the-cost-of-security

Old Isn't Always Gold: FaceApp and Its Privacy Policies

Mira Swaminathan and Shweta Reddy — 2019-08-09T10:12:11Z

Leaving aside the Red Scare for a moment, FaceApp's own rebuttal of privacy worries are highly problematic in nature.

The article by Mira Swaminathan and Shweta Reddy was published in the Wire on July 20, 2019.

If you, much like a large number of celebrities, have spammed your followers with the images of ‘how you may look in your old age’, you have successfully been a part of the FaceApp fad that has gone viral this week.

The problem with the FaceApp trend isn’t that it has penetrated most social circles, but rather, the fact that it has gone viral with minimal scrutiny of its vaguely worded privacy policy guidelines. We click ‘I agree’ without understanding that our so called ‘explicit consent’ gives the app permission to use our likeness, name and username, for any purpose, without our knowledge and consent, even after we delete the app. FaceApp is currently the most downloaded free app on the Apple Store due to a large number of people downloading the app to ‘turn their old selfies grey’.

There are many things that the app could do. It could process the images on your device, rather than take submitted photos to an outside server. It could also upload your photos to the cloud without making it clear to you that processing is not taking place locally on their device.

Further, if you have an Apple product, the iOS app appears to be overriding your settings even if you have denied access to their camera roll. People have reported that they could still select and upload a photo despite the app not having permission to access their photos. This ‘allowed behaviour’ in iOS is quite concerning, especially when we have apps with loosely worded terms and conditions.

FaceApp responded to these privacy concerns by issuing a statement with a list of defences. The statement clarified that FaceApp performs most of the photo processing in the cloud, that they only upload a photo selected by a user for editing and also confirmed that they never transfer any other images from the phone to the cloud. However, even in their clarificatory statement, they stated that they ‘might’ store an uploaded photo in the cloud and explained that the main reason for that is “performance and traffic”. They also stated that ‘most’ images are deleted from their servers within 48 hours from the upload date.

Further, the statement ends by saying that “all pictures from the gallery are uploaded to our servers after a user grants access to the photos”. This is highly problematic.

We have explained the concerns arising out of the privacy policy with reference to the global gold standards: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, APEC Privacy Framework, Report of the Group of Experts on Privacy chaired by Justice A.P. Shah and the General Data Protection Regulation in the table below:

Privacy Domain	OECD Guidelines	APEC Privacy Framework	Report of the Group of Experts on Privacy	General Data Protection Regulation	FaceApp Privacy Policy
Transparency	There should be a general policy of openness about developments, practices and policies with respect to personal data.	Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal data.	A data controller shall give a notice that is understood simply of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.	Transparency: The controller shall take appropriate measures to provide information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Article 29 working party guidelines on Transparency: The information should be concrete and definitive, it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. Example: “We may use your personal data to develop new services” (as it is unclear what the services are or how the data will help develop them);	Information we collect “When you visit the Service, we may use cookies and similar technologies”……. provide features to you. We may ask advertisers or other partners to serve ads or services to your devices, which may use cookies or similar technologies placed by us or the third party. “We may also collect similar information from emails sent to our Users..” Sharing your information “We may share User Content and your information with businesses…” “We also may share your information as well as information from tools like cookies, log files..” “We may also combine your information with other information..”
A simple reading of the guidelines in comparison with the privacy policy of FaceApp can help us understand that the terms used by the latter are ambiguous and vague. The possibility of a ‘may not’ can have a huge impact on the privacy concerns of the user. The entire point of ‘transparency’ in a privacy policy is for the user to understand the extent of processing undertaken by the organisation and then have the choice to provide consent. Vague phrases do not adequately provide a clear indication of the extent of processing of personal data of the individual.
Privacy Domain	OECD Guidelines	APEC Privacy Framework	Report of the Group of Experts on Privacy	General Data Protection Regulation	FaceApp Privacy Policy
Security Safeguards	Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data	Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorised access to personal information or unauthorised destruction, use, modification or disclosure of information or other misuses.	A data controller shall secure personal information that they have either collected or have in their custody by reasonable security safeguards against loss, unauthorised access, destruction, use, processing, storage, modification, deanonymization, unauthorised disclosure or other reasonably foreseeable risks	The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.	How we store your information “We use commercially reasonable safeguards to help keep the information collected through the Service secure and take reasonable steps… However, FaceApp cannot ensure the security of any information you transmit to FaceApp or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.”

The obligation of implementing reasonable security measures to prevent unauthorised access and misuse of personal data is placed on the organisations processing such data. FaceApp’s privacy policy assures that reasonable security measures according to commercially accepted standards have been implemented. Despite such assurances, FaceApp’s waiver of the liability by stating that it cannot ensure the security of the information against it being accessed, disclosed, altered or destroyed itself says that the policy is faltered in nature.

The privacy concerns and the issue of transparency (or the lack thereof) in FaceApp are not isolated. After all, as a Buzzfeed analysis of the app noted, while there appeared to be no data going back to Russia, this could change at any time due to its overly broad privacy policy.

The business model of most mobile applications being developed currently relies heavily on personal data collection of the user. The users’ awareness regarding the type of information accessed based on the permissions granted to the mobile application is questionable.

In May 2018, Symantec tested the top 100 free Android and iOS apps with the primary aim of identifying cases where the apps were requesting ‘excessive’ access to information of the user in relation to the functions being performed. The study identified that 89% of Android apps and 39% of the iOS app request for what can be classified as ‘risky’ permissions, which the study defines as permissions where the app requests data or resources which involve the user’s private information, or, could potentially affect the user’s locally stored data or the operation of other apps.

Requesting risky permissions may not on its own be objectionable, provided clear and transparent information regarding the processing, which takes place upon granting permission, is provided to the individuals in the form of a clear and concise privacy notice. The study concluded that 4% of the Android apps and 3% of the iOS apps seeking risky permissions didn’t even have a privacy policy.

The lack of clarity with respect to potentially sensitive user data being siphoned off by mobile applications became even more apparent with the case of a Hyderabad based fintech company that gained access to sensitive user data by embedding a backdoor inside popular apps.

In the case of the Hyderabad-based fintech company, the user data which was affected included GPS locations, business SMS text messages from e-commerce websites and banks, personal contacts, etc. This data was used to power the company’s self-learning algorithms which helped organisations determine the creditworthiness of loan applicants. It is pertinent to note that even when apps have privacy policies, users can still find it difficult to navigate through the long content-heavy documents.

The New York Times, as part of its Privacy Project, analysed the length and readability of privacy policies of around 150 popular websites and apps. It was concluded that the vast majority of the privacy policies that were analysed exceeded the college reading level. Usage of vague language like “adequate performance” and “legitimate interest” and wide interpretation of such phrases allows organisations to use data in extensive ways while providing limited clarity on the processing activity to the individuals.

The Data Protection Authorities operating under the General Data Protection Regulation are paying close attention to openness and transparency of processing activities by organisations. The French Data Protection Authority fined Google for violating their obligations of transparency and information. The UK’s Information Commissioner’s office issued an enforcement notice to a Canadian data analytics firm for failing to provide information in a transparent manner to the data subject.

Thus, in the age of digital transformation, the unwelcome panic caused by FaceApp should be channelled towards a broader discussion on the information paradox currently existing between individuals and organisations. Organisations need to stop viewing ambiguous and opaque privacy policies as a get-out-of-jail-free card. On the contrary, a clear and concise privacy policy outlining the details related to processing activity in simple language can go a long way in gaining consumer trust.

The next time an “AI-based Selfie App” goes viral, let’s take a step back and analyse how it makes use of user-provided data and information both over and under the hood, since if data is the new gold, we can easily say that we’re in the midst of a gold rush.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-mira-swaminathan-and-shweta-reddy-july-20-2019-old-isnt-always-gold-face-app-and-its-privacy-policies

Nullcon Security Conference

Admin — 2019-03-07T14:40:11Z

On March 1 and 2, 2019, Karan Saini attended the Nullcon Security Conference organized by Nullcon at Holiday Inn Resort, Mobor Beach, Cavelossim, Salcette, Goa.

The schedule of the event can be accessed here. Videos of the talks can be accessed here. The event was:attended by:

Security Practitioners (Analysts, Testers, Developers, Cryptographers, Hackers)
Security Executives (CISOs, CXOs)
Business Developers and Venture Capitalists (Presidents, Directors, VPs, Consultants)
Vendor Companies and Sponsors (Hardware, Software, Services)
Career Seekers and Recruiters (Seasoned Veterans, Students, Expanding Companies
Academia (Professors, Students)

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform which caters to the needs of IT Security industry at large in a comprehensive way.

For more details visit https://cis-india.org/internet-governance/news/nullcon-security-conference

Nowhere to hide: Govt making your personal details public

praskrishna — 2013-10-29T06:15:06Z

The worst fears are coming true. Your sensitive private data may be up online turning you into a potential target of frauds. What is all the more dangerous is that you may be not even aware of this.

The article by First Post editors was published on October 28, 2013. Sunil Abraham is quoted.

An investigation by the Business Standard has revealed that various state and central government departments have already started putting up citizen’s personal details such as bank accounts and income on websites. The rationale behind the move is bringing about transparency.

The report also provides details of two persons, which the reporters could access online – a 25-year-old from Haryana and another farmer from Uttar Pradesh.

In the first instance, the paper got the details from the state government website which has published all the details as the youth is a beneficiary of the NREGS.

The Haryana government made public the details of the NREGS beneficiaries in its bid to bring about transparency. In Rural Development Minister Jairam Ramesh’s words, the aim is to make available all these data for public scrutiny.

In the second instance, the paper has obtained the occupation and yearly income, ration card number, full address, age, father’s/husband’s name, category and poverty status of the farmer. These details are available online as the state government is computerising the public distribution system.

If you thought, not everybody’s data will be made public this way, you are wrong, because before long the details of all the beneficiaries of direct benefit transfer will also be published online.

Though the Information Technology Act does not permit publishing sensitive personal financial details online, there is an exception if such information is come under Right to Information Act.

At the face of it transparency is a lame excuse to publish such data. How can the government provide all the details, including the bank account details of its citizen, at a time when cyber crime has increased many-fold.

And nobody knows the gravity of the situation better than the government. Minister of State for Communications & IT Milind Deora recently told Lok Sabha that this year until June as many as 78 government websites were hacked.

Citing Indian Computer Response Team (CERT-In) data he said in 2011 as many as 308 government sites were hacked and in 2012 the figure was 371.

The number of security breach incidents in 2011 stood at 13,301 and in 2012 at 22,060. The corresponding figure for this year until June has already hit 16,035, he said. Security breach included incidents related to spam, malware infection and system break-in.

In such an environment, the governments’ transparency drive comes at the cost of personal security.

The problem with making public details such as date of birth and names of family members is that it helps the hackers crack passwords. Most of the people have such details as their passwords and pins, the BS report says.

Sunil Abraham of Centre for Internet and Society rightly says in the BS report, “If people start publishing information like these and the government doesn’t regulate it through a data protection law, criminal minds can harvest and combine all databases accurately.”

For more details visit https://cis-india.org/news/first-post-october-28-2013-nowhere-to-hide

Now, Twitter too caught up in Cambridge Analytica controversy

Admin — 2018-05-02T02:49:25Z

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

The article by Prasun Sonwalkar and Vidhi Choudhury was published in the Hindustan Times on April 30, 2018. Sunil Abraham was quoted.

Social media company Twitter Inc sold data to the University of Cambridge academic Aleksandr Kogan who harvested millions of Facebook users’ information without their knowledge, it has emerged, although the company has clarified that no private data was accessed.

It isn’t clear whether any of the data pertained to Indian users.

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

Kogan, who created tools that allowed political consultancy Cambridge Analytica to psychologically profile and target voters, bought the data from the microblogging website in 2015, well before the recent scandal, involving use of the data of Facebook users, came to light.

According to The Daily Telegraph, Kogan bought data on tweets, user names, photos, profiles and locations over a five-month period between December 2014 and April 2015 through his company Global Science Research (GSR). Twitter said it had banned GSR and Cambridge Analytica from buying data or running advertisements on the website and that no private data had been accessed, while Kogan insisted the data had only been used to create "brand reports" and "survey extender tools" and that he had not violated Twitter's policies.

The daily reported that Twitter charges companies and organisations for large data sets that are particularly useful for gleaning public opinion or receptiveness to certain topics and ideas, although Twitter bans companies from using the data to derive sensitive political information or matching it with personal information obtained elsewhere.

A Twitter spokesman confirmed the ban and said: "Twitter has also made the policy decision to off-board advertising from all accounts owned and operated by Cambridge Analytica. This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. "Cambridge Analytica may remain an organic user on our platform, in accordance with the Twitter Rules."

The company said it does not allow "inferring or deriving sensitive information like race or political affiliation, or attempts to match a user's Twitter information with other personal identifiers" and that it had staff in place to police this "rigorously".

Sunil Abraham, founder for think tank Centre for Internet and Society said: “Even though Twitter claims it has contracts in place and staff for contractual enforcement, I cannot understand how they will prevent those buying their data from inferring race and political affiliation. Especially in jurisdictions like ours without comprehensive data protection law.”

A Cambridge Analytica spokesman said the company used Twitter for political advertising but insisted that it had never "undertaken a project with GSR focusing on Twitter data and Cambridge Analytica has never received Twitter data from GSR”.

Delhi-based lawyer Apar Gupta said, “Since we do not have a data protection law at present we are more or less dependent on the proactive disclosures by Twitter. Facebook is not a gold standard of upholding user rights and it is hoped that we soon have a regulator that can enforce such disclosures and place penalties.”

On 5 April, Facebook said user data of more than 560,000 Indians may have been harvested by British researcher Cambridge Analytica, at the centre of a recent storm over data breaches and potential privacy violations on the social media network.

“Twitter or Facebook are not alone in harvesting and storing user data. This is a widespread industry practice that relies on profiling. Such breaches and malpractices will continue to occur till we have a set of defined norms and enforceable penalties to protect user rights,” Gupta further added.

Only 335 users in India installed the thisisyourdigitallife app developed by academic Kogan and his company Global Science Research that may have been possibly at the centre of the data breaches, according to Facebook. The 335 people make up just 0.1% of the app’s total worldwide installs. Users agreed to take a personality test and have their data collected by the app, which then went on to also access information about the test-takers’ Facebook friends, leading to the accumulation of a much larger data pool.

Twitter Inc’s spokesperson said in an e-mail that an internal review conducted by it showed GSR had not accessed any private data.

“Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public Tweets are viewable and searchable by anyone. In 2015, Global Science Research (GSR) did have one-time API access to a random sample of public Tweets from a five-month period from December 2014 to April 2015,” the company statement added.

This is basically information that users chose to make public.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-april-30-2018-prasun-sonwalkar-vidhi-choudhury-now-twitter-too-caught-up-in-cambridge-analytica-controversy

Now, Aadhaar details displayed in Mizoram too

praskrishna — 2017-04-27T16:59:37Z

Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.

The article by Sebastian PT was published in the National Herald on April 26, 2017. Sunil Abraham was quoted.

Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.

In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.

The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.

“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.

So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?

Irreparable Damage

Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.

“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.

The data breach just made it easy for players in the black market for ID (identification) documents to be lapped up to create false ID cards, for instance.

When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.

So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, in the backdrop of the lax attitude of the various government departments, even that too is just waiting to happen, fear experts.

Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it as a “mass surveillance technology” – that too a poorly-designed technology – which, in fact, “undermines security”. Once biometric data are compromised, it cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.

The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various data bases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, breach made possible.

Instead, he says, the government should adopt the ‘tokenisation approach’, instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.

However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.

“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.

For more details visit https://cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too

Nothing unique about this identity

praskrishna — 2011-08-09T09:12:55Z

Relying on the government to protect your privacy is like asking peeping tom to install your window blinds, opined, not long ago, the American poet and novelist John Perry Barlow once. The statement attains significance in the context of Unique Identification (UID) project which is being touted as a milepost in inclusive politics. Liberalisation evangelists see UID project as the most virtuous thing that can ever happen to the Indian people who find themselves excluded from the system.

So, their ingenious solution is a 12-digit Aadhaar number — a super identity — to help the common man in opening a bank account or ordering a cylinder refill. This is, besides, the existing identities like ration card, the driving license, PAN card and passport to mention a few.

Prima facie, it may all appear euphemistic initiative; for some even very bright and attractive. For, its proclaimed purpose supposedly is to deepen the democratic process.

However, when one talks to civil rights activists who’ve gone hammer and tongs against the project, one will realise the truthfulness of Shakespeare’s observation that ‘a fair exterior may hide a corrupt mind!’

This becomes evident from the fact that the UID project has become the biggest industrial collector of personal information which should frighten up any person still in sensibilities.

The project has already proved disastrous since the unfolding events prove its advocates have not applied much thought to the dangers posed by centralised data collection considering India’s heterogenic population.

In fact, head of Unique Identification Authority of India (UIDAI) Nandan Nilekani had maintained UID enrolment was voluntary.

However, Chief Minister Oommen Chandy some two months back asserted his government would make UID mandatory unlike his predecessor V.S. Achuthanandan.

"Even in this basic thing, there’s so much confusion. But, the truth is that it’s voluntary. You can’t be coerced into it", confirms a prominent anti-UID campaigner Usha Ramanathan.

She alleged personal information passed onto UIDAI passes through various outsourcing layers compromising safety. It recently happened in Bangalore where a delivery boy demanded a customer’s fingerprint while delivering gas refill!

"Why should anyone give it to an unknown person? It shows the level to which your personal information could get disseminated", she says.

UID, in fact, is supposed to be foolproof. However, again in Bangalore, miscreants could easily fake an Aadhar number in the name of none other than Nandan Nilekani himself!

The fraud came to light when miscreants offered franchisee for UID enrolment for `2.5 lakh.

"Fake UIDs rackets confirm there’s no monitoring. So, how can UIDAI protect your information?" wonders Usha. Nandan Nilekani wants to enroll 60 per cent Indian population by 2014 into UID. However, it’s fast proving a chimerical target as the process involving agency-UIDAI-de-duplicating agency has started taking its toll.

"Initially, Aadhaar number was promised within a week. Now, it’s taking anywhere between three to six months", pointed out executive director, Bangalore-based Centre for Internet and Society (CIS) Sunil Abraham.

The project faces problems on cash transfer whose aim is to dismantle public distribution shops (PDS) which once done would put the farmer and customer at the mercy of market for their selling/procurement needs.

For, the farmer won’t be assured of a minimum support price (MSP) while for the customer there is no guarantee that the price would hold good till such time his account gets credited. Further, experts warn the Aadhar number-linked cash transfer will compromise safety. “Cash transfer using bio-metric is not safe. If it were otherwise, ATMs would’ve gone for it. Why didn’t they do it?” asks Sunil Abraham.

Interestingly, a group of students recently did a research on the efficacy of PDS. The research covering nine States cautioned prime minister Manmohan Singh that PDS was better than cash, except in Bihar.

Professor Sridhar Krishnaswamy W.B. University of Jurisdical Sciences fears the Corproates could link one’s Aadhar number to bank account to judge his or her behavioural pattern.

"It’s not right. Instead of resorting to blanket surveillance, government should go in for targeted surveillance," Sunil said.

This article by T. S. Sreenivasa Raghavan was published in the Deccan Chronicle on August 5, 2011. The original can be read here.

For more details visit https://cis-india.org/news/nothing-unique-about-identity

Noida cyber cell gives tips on preventing WannaCry attack

praskrishna — 2017-06-07T01:18:22Z

The attackers targeted a weakness found in older versions of Microsoft Windows.

The article by Juana McKenzie was published in the World News Journal on May 20, 2017.

Since late last week, the WannaCry cyber scourge has blocked customers the world over from accessing their data - unless they paid a ransom using Bitcoin. Here's what you should do to protect yourself.

Third, and perhaps more important: like the emperor's new clothes, even this new-fangled ransomware isn't as sophisticated as it's cracked up to be. If you're unsure about the legitimacy of something, delete it.

When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School.

It pays to know the proper file extensions that are available.

If you happen to come across files such as worklog.doc.exe, or financial_statement.xls.scr, do not open them as the files are most likely malicious.

'And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today - nation-state action and organised criminal action'.

Then there's the USA government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

No. This strain of ransomware was spread from device to device by taking advantage of an old security hole in some versions of Microsoft's Windows operating system.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8. This included the release of the patch in March and an update on Friday to Windows Defender to detect the WannaCrypt attack.

As there are different types of ransomware, there is no single, easy solution to restore your computer if it has been infected. Enterprises need to test patches before installing them to ensure that they don't have compatibility issues with existing applications and break existing workflows.

Security experts have hailed Microsoft's decision to publicly call out the U.S. government and the NSA's decision to stockpile cyberweapons.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable", Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. Such software will act as the first line of defence by blocking auto downloads and actively scan for suspected threats on the PC.

The culprit was "ransomware" known as WanaCryptOr 2.0, or WannaCry.

Europol said a special task force at its European Cybercrime Centre was "specially created to assist in such investigations and will play an important role in supporting the investigation".

Kaspersky said it was seeking to develop a decryption tool "as soon as possible". If the ransomware has locked your entire PC, as WannaCry has done, combating it is more hard. Backups often are also out of date and missing critical information.

Cloud storage services such as Google Drive, Microsoft OneDrive, Dropbox and Box offer large amount of storage space for a monthly or yearly subscription fee.

For more details visit https://cis-india.org/internet-governance/news/world-news-journal-juana-mckenzie-may-20-2017-noida-cyber-cell-gives-tips-on-preventing-wannacry-attack

No UID Campaign in New Delhi - A Report

praskrishna — 2012-06-20T03:51:45Z

The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.

Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor. The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.

The UID proposes to take the finger prints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology exposed the flaws of the entire technical aspect of the UID project. He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system. Contrary to the claim of the UID authority, that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and there are many ways in which the technology can break, be inconsistent, or be inaccurate.

From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.

The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.

In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

The campaigners for No UID plans to hold further meetings across the country and lobby Parliamentarians in the coming months.

For more information contact: Mathew Thomas (Bangalore) mathew111983@gmaill.com, Elonnai Hickok (Bangalore) elonnai@cis-india.org , Sajan Venniyoor (Delhi): +91-9818453483 - Bobby Kunhu (Delhi): +91-9654510398

For more details visit https://cis-india.org/internet-governance/blog/no-uid-campaign