Centre for Internet and Society

Now, Twitter too caught up in Cambridge Analytica controversy

Admin — 2018-05-02T02:49:25Z

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

The article by Prasun Sonwalkar and Vidhi Choudhury was published in the Hindustan Times on April 30, 2018. Sunil Abraham was quoted.

Social media company Twitter Inc sold data to the University of Cambridge academic Aleksandr Kogan who harvested millions of Facebook users’ information without their knowledge, it has emerged, although the company has clarified that no private data was accessed.

It isn’t clear whether any of the data pertained to Indian users.

Twitter does not share a break-up of users by region, the platform has less than 100 million users in India.

Kogan, who created tools that allowed political consultancy Cambridge Analytica to psychologically profile and target voters, bought the data from the microblogging website in 2015, well before the recent scandal, involving use of the data of Facebook users, came to light.

According to The Daily Telegraph, Kogan bought data on tweets, user names, photos, profiles and locations over a five-month period between December 2014 and April 2015 through his company Global Science Research (GSR). Twitter said it had banned GSR and Cambridge Analytica from buying data or running advertisements on the website and that no private data had been accessed, while Kogan insisted the data had only been used to create "brand reports" and "survey extender tools" and that he had not violated Twitter's policies.

The daily reported that Twitter charges companies and organisations for large data sets that are particularly useful for gleaning public opinion or receptiveness to certain topics and ideas, although Twitter bans companies from using the data to derive sensitive political information or matching it with personal information obtained elsewhere.

A Twitter spokesman confirmed the ban and said: "Twitter has also made the policy decision to off-board advertising from all accounts owned and operated by Cambridge Analytica. This decision is based on our determination that Cambridge Analytica operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. "Cambridge Analytica may remain an organic user on our platform, in accordance with the Twitter Rules."

The company said it does not allow "inferring or deriving sensitive information like race or political affiliation, or attempts to match a user's Twitter information with other personal identifiers" and that it had staff in place to police this "rigorously".

Sunil Abraham, founder for think tank Centre for Internet and Society said: “Even though Twitter claims it has contracts in place and staff for contractual enforcement, I cannot understand how they will prevent those buying their data from inferring race and political affiliation. Especially in jurisdictions like ours without comprehensive data protection law.”

A Cambridge Analytica spokesman said the company used Twitter for political advertising but insisted that it had never "undertaken a project with GSR focusing on Twitter data and Cambridge Analytica has never received Twitter data from GSR”.

Delhi-based lawyer Apar Gupta said, “Since we do not have a data protection law at present we are more or less dependent on the proactive disclosures by Twitter. Facebook is not a gold standard of upholding user rights and it is hoped that we soon have a regulator that can enforce such disclosures and place penalties.”

On 5 April, Facebook said user data of more than 560,000 Indians may have been harvested by British researcher Cambridge Analytica, at the centre of a recent storm over data breaches and potential privacy violations on the social media network.

“Twitter or Facebook are not alone in harvesting and storing user data. This is a widespread industry practice that relies on profiling. Such breaches and malpractices will continue to occur till we have a set of defined norms and enforceable penalties to protect user rights,” Gupta further added.

Only 335 users in India installed the thisisyourdigitallife app developed by academic Kogan and his company Global Science Research that may have been possibly at the centre of the data breaches, according to Facebook. The 335 people make up just 0.1% of the app’s total worldwide installs. Users agreed to take a personality test and have their data collected by the app, which then went on to also access information about the test-takers’ Facebook friends, leading to the accumulation of a much larger data pool.

Twitter Inc’s spokesperson said in an e-mail that an internal review conducted by it showed GSR had not accessed any private data.

“Unlike many other services, Twitter is public by its nature. People come to Twitter to speak publicly, and public Tweets are viewable and searchable by anyone. In 2015, Global Science Research (GSR) did have one-time API access to a random sample of public Tweets from a five-month period from December 2014 to April 2015,” the company statement added.

This is basically information that users chose to make public.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-april-30-2018-prasun-sonwalkar-vidhi-choudhury-now-twitter-too-caught-up-in-cambridge-analytica-controversy

Now, Aadhaar details displayed in Mizoram too

praskrishna — 2017-04-27T16:59:37Z

Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.

The article by Sebastian PT was published in the National Herald on April 26, 2017. Sunil Abraham was quoted.

Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.

In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.

The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.

“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.

So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?

Irreparable Damage

Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.

“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.

The data breach just made it easy for players in the black market for ID (identification) documents to be lapped up to create false ID cards, for instance.

When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.

So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, in the backdrop of the lax attitude of the various government departments, even that too is just waiting to happen, fear experts.

Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it as a “mass surveillance technology” – that too a poorly-designed technology – which, in fact, “undermines security”. Once biometric data are compromised, it cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.

The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various data bases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, breach made possible.

Instead, he says, the government should adopt the ‘tokenisation approach’, instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.

However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.

“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.

For more details visit https://cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too

Nothing unique about this identity

praskrishna — 2011-08-09T09:12:55Z

Relying on the government to protect your privacy is like asking peeping tom to install your window blinds, opined, not long ago, the American poet and novelist John Perry Barlow once. The statement attains significance in the context of Unique Identification (UID) project which is being touted as a milepost in inclusive politics. Liberalisation evangelists see UID project as the most virtuous thing that can ever happen to the Indian people who find themselves excluded from the system.

So, their ingenious solution is a 12-digit Aadhaar number — a super identity — to help the common man in opening a bank account or ordering a cylinder refill. This is, besides, the existing identities like ration card, the driving license, PAN card and passport to mention a few.

Prima facie, it may all appear euphemistic initiative; for some even very bright and attractive. For, its proclaimed purpose supposedly is to deepen the democratic process.

However, when one talks to civil rights activists who’ve gone hammer and tongs against the project, one will realise the truthfulness of Shakespeare’s observation that ‘a fair exterior may hide a corrupt mind!’

This becomes evident from the fact that the UID project has become the biggest industrial collector of personal information which should frighten up any person still in sensibilities.

The project has already proved disastrous since the unfolding events prove its advocates have not applied much thought to the dangers posed by centralised data collection considering India’s heterogenic population.

In fact, head of Unique Identification Authority of India (UIDAI) Nandan Nilekani had maintained UID enrolment was voluntary.

However, Chief Minister Oommen Chandy some two months back asserted his government would make UID mandatory unlike his predecessor V.S. Achuthanandan.

"Even in this basic thing, there’s so much confusion. But, the truth is that it’s voluntary. You can’t be coerced into it", confirms a prominent anti-UID campaigner Usha Ramanathan.

She alleged personal information passed onto UIDAI passes through various outsourcing layers compromising safety. It recently happened in Bangalore where a delivery boy demanded a customer’s fingerprint while delivering gas refill!

"Why should anyone give it to an unknown person? It shows the level to which your personal information could get disseminated", she says.

UID, in fact, is supposed to be foolproof. However, again in Bangalore, miscreants could easily fake an Aadhar number in the name of none other than Nandan Nilekani himself!

The fraud came to light when miscreants offered franchisee for UID enrolment for `2.5 lakh.

"Fake UIDs rackets confirm there’s no monitoring. So, how can UIDAI protect your information?" wonders Usha. Nandan Nilekani wants to enroll 60 per cent Indian population by 2014 into UID. However, it’s fast proving a chimerical target as the process involving agency-UIDAI-de-duplicating agency has started taking its toll.

"Initially, Aadhaar number was promised within a week. Now, it’s taking anywhere between three to six months", pointed out executive director, Bangalore-based Centre for Internet and Society (CIS) Sunil Abraham.

The project faces problems on cash transfer whose aim is to dismantle public distribution shops (PDS) which once done would put the farmer and customer at the mercy of market for their selling/procurement needs.

For, the farmer won’t be assured of a minimum support price (MSP) while for the customer there is no guarantee that the price would hold good till such time his account gets credited. Further, experts warn the Aadhar number-linked cash transfer will compromise safety. “Cash transfer using bio-metric is not safe. If it were otherwise, ATMs would’ve gone for it. Why didn’t they do it?” asks Sunil Abraham.

Interestingly, a group of students recently did a research on the efficacy of PDS. The research covering nine States cautioned prime minister Manmohan Singh that PDS was better than cash, except in Bihar.

Professor Sridhar Krishnaswamy W.B. University of Jurisdical Sciences fears the Corproates could link one’s Aadhar number to bank account to judge his or her behavioural pattern.

"It’s not right. Instead of resorting to blanket surveillance, government should go in for targeted surveillance," Sunil said.

This article by T. S. Sreenivasa Raghavan was published in the Deccan Chronicle on August 5, 2011. The original can be read here.

For more details visit https://cis-india.org/news/nothing-unique-about-identity

Noida cyber cell gives tips on preventing WannaCry attack

praskrishna — 2017-06-07T01:18:22Z

The attackers targeted a weakness found in older versions of Microsoft Windows.

The article by Juana McKenzie was published in the World News Journal on May 20, 2017.

Since late last week, the WannaCry cyber scourge has blocked customers the world over from accessing their data - unless they paid a ransom using Bitcoin. Here's what you should do to protect yourself.

Third, and perhaps more important: like the emperor's new clothes, even this new-fangled ransomware isn't as sophisticated as it's cracked up to be. If you're unsure about the legitimacy of something, delete it.

When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School.

It pays to know the proper file extensions that are available.

If you happen to come across files such as worklog.doc.exe, or financial_statement.xls.scr, do not open them as the files are most likely malicious.

'And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today - nation-state action and organised criminal action'.

Then there's the USA government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

No. This strain of ransomware was spread from device to device by taking advantage of an old security hole in some versions of Microsoft's Windows operating system.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8. This included the release of the patch in March and an update on Friday to Windows Defender to detect the WannaCrypt attack.

As there are different types of ransomware, there is no single, easy solution to restore your computer if it has been infected. Enterprises need to test patches before installing them to ensure that they don't have compatibility issues with existing applications and break existing workflows.

Security experts have hailed Microsoft's decision to publicly call out the U.S. government and the NSA's decision to stockpile cyberweapons.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable", Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. Such software will act as the first line of defence by blocking auto downloads and actively scan for suspected threats on the PC.

The culprit was "ransomware" known as WanaCryptOr 2.0, or WannaCry.

Europol said a special task force at its European Cybercrime Centre was "specially created to assist in such investigations and will play an important role in supporting the investigation".

Kaspersky said it was seeking to develop a decryption tool "as soon as possible". If the ransomware has locked your entire PC, as WannaCry has done, combating it is more hard. Backups often are also out of date and missing critical information.

Cloud storage services such as Google Drive, Microsoft OneDrive, Dropbox and Box offer large amount of storage space for a monthly or yearly subscription fee.

For more details visit https://cis-india.org/internet-governance/news/world-news-journal-juana-mckenzie-may-20-2017-noida-cyber-cell-gives-tips-on-preventing-wannacry-attack

No UID Campaign in New Delhi - A Report

praskrishna — 2012-06-20T03:51:45Z

The Unique Identification (UID) Bill is not pro-citizen. The scheme is deeply undemocratic, expensive and fraught with unforseen consequences. A public meeting on UID was held at the Constitution Club, Rafi Marg in New Delhi on 25 August, 2010. The said Bill came under scrutiny at the meeting which was organised by civil society groups from Mumbai, Bangalore and Delhi campaigning under the banner of "No UID". The speakers brought to light many concerns, unanswered questions and problems of the UID scheme.

Since 2009, when the UID Bill was presented to the general public by Nandan Nilekani, the project has been characterized as a landmark initiative that will transform India, bring in good governance, and provide relief and basic services for the poor. The scheme is rapidly being put in place; the draft Bill has been put before the Parliament of India and the resident numbers and data have been collected.

The UID proposes to take the finger prints and iris scans of every resident of India for authentication of each individual. J. T. D'Souza, an expert in free software technology exposed the flaws of the entire technical aspect of the UID project. He presented the risks and loopholes that technology such as iris and fingerprint scanners pose, and the risks in using a biometric system as a form of identification system. Contrary to the claim of the UID authority, that a scheme based on biometrics is foolproof, he explained how fingerprints are not unchanging, both fingerprints and iris scans can be easily spoofed (with a budget of only $10), and there are many ways in which the technology can break, be inconsistent, or be inaccurate.

From a human rights perspective the lack of democracy in the entire project was stressed. Usha Ramanathan reiterated the fact that no white paper was issued, the Bill has not gone through the Parliament and yet citizens’ data is being collected, citizens were given only a two week period to comment on the Bill, and in practice the UID number will not be voluntary for individuals.

The UID authority has posited the scheme as bringing benefits to the poor, plugging leakages in the Public Distribution System and the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), as well as enabling inclusive growth by providing each citizen with a verifiable and portable identity. These claims were debunked. An identity number will not fix the waste of grain that takes place every day, the portability of the number raises new problems of accessibility and distribution of resources, and the MGNREGS system is already working to be financially inclusive with a majority of its members already having a bank account.

In response to hearing the presentations of the speakers and the comments by the audience, senior Member of Parliament of the Revolutionary Socialist Party of India (RSP), Abani Roy called for the launching of a massive campaign to resist this expensive and dangerous project through which several companies will gain massive contracts from the public exchequer.

The campaigners for No UID plans to hold further meetings across the country and lobby Parliamentarians in the coming months.

For more information contact: Mathew Thomas (Bangalore) mathew111983@gmaill.com, Elonnai Hickok (Bangalore) elonnai@cis-india.org , Sajan Venniyoor (Delhi): +91-9818453483 - Bobby Kunhu (Delhi): +91-9654510398

For more details visit https://cis-india.org/internet-governance/blog/no-uid-campaign

No party's got a clear stand, Aadhaar's fate hangs in balance

praskrishna — 2014-05-05T06:01:08Z

A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.

The article by Pratap Vikram Singh was published in GovernanceNow.com on April 13, 2014. Sunil Abraham is quoted.

Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.

Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.

While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”

Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.

On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”

The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.

In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.

Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”

For more details visit https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance

No laws in India to protect customers if they lose money during digital transactions

praskrishna — 2016-12-02T17:07:02Z

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services.

The article by Alnoor Peermohamed was published by Business Standard on December 2, 2016. Sunil Abraham was quoted.

India lacks laws to protect consumers if they lose money during digital transactions even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as the legal tender.

The Modi government's demonetisation move might have warranted an increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments is still kept largely under the ambit of the Information Technology Act.

"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove and doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.

While the Reserve Bank of India usually sets security and privacy standards for banks in the country, the various digital wallets such as Paytm, Freecharge and Mobikwik fall under the category of Non-banking Financial Corporations (NBFCs) excluding them from this. For FinTech companies, security compliance falls under just Section 43 A of the IT Act.

Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies.

Since the demonetisation on November 8, digital wallet firms such as Paytm have seen 35 million transactions by users to either buy goods and services, or transfer funds to another account. Rival Freecharge has tied up with police forces of Mumbai to pay traffic fines using its platform.

Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43 A.

"We have a minimal data protection law in our IT Act and that will apply to all the FinTech players. But our ISPs and Telcos don't comply with Section 43 A, so you can imagine in the FinTech sector the compliance will be even lower," says Sunil Abraham, Executive Director at CI

The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services raised questions.

The RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal but on November 23, the banking regulator increased the limit to Rs 20,000 .

Just last week India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 100,000 by getting a KYC check done.

"There are no legal mechanisms available should there be disputes pertaining to digital payments,"aid Duggal. He added that there are no effective remedy mechanisms available in case money in the digital payment ecosystem gets lost, hacked, stolen or misused.

While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved. Under Section 43 A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must follow and is valid in the court of law during dispute resolution.

This move is encouraged by experts as governments often lack the bandwidth to define sectoral specific laws but is where private sector expertise can go a long way.

For more details visit https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions

No ID, no benefits: thousands could lose lifeline under India’s biometric scheme

praskrishna — 2017-03-22T14:27:25Z

Controversial Aadhaar card restricts fundamental rights, argue critics, limiting access to free school meals and exposing 1 billion people to privacy risks.

The article was published in the Guardian on March 21, 2017. Sumandro Chattapadhyay was quoted.

An Aadhaar biometric identity card, which will be mandatory for Indians to access many essential government services and benefits. Photograph: Bloomberg/Getty Images

Hundreds of thousands of people in India could be left without essential government services and benefits – including free school meals and uniforms, food subsidies and pensions – under new rules that make access to more than three dozen state-funded schemes conditional on showing identification.

Over the past month, citizens have been notified that they have to prove their identity with a biometric ID, known as an Aadhaar card, to be eligible to use various services. Booking railway tickets online, applying for some jobs, and getting fuel subsidies will also be dependent on showing the controversial card.

Aadhaar cards were introduced by the Indian government in 2009, and rolled out by prime minister Narendra Modi in 2014. They record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them, and saving billions of rupees by reducing welfare fraud.

The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar programme, says that more than 1.13 billion people have been enrolled on an official database. But activists say that hundreds of thousands of Indians and migrants are still undocumented and could miss out on their fundamental rights because of the new rules.

“What if a Facebook account was necessary to log in to the internet, and what if Facebook was owned by the government of the US?” asked Sumandro Chattapadhyay, research director at the Centre for Internet and Society (CIS), a thinktank with offices in Bangalore and Delhi. “We are building a system that will decide whether a child will eat or not on an afternoon based on [the] quality of internet connectivity and cleanliness of the child’s thumbprint.”

Chattapadhyay argued that Aadhaar, which is effectively being forced upon Indians, and which is used increasingly by private companies, exposed more than a billion people to huge privacy risks.

“The Aadhaar ID is being connected to digital communications via sim card registration, it is being connected to financial transactions via bank accounts, and all Indian citizens are being forced to enrol for it against the threat of losing out from welfare services,” he said.

“The potential of unmonitored and unregulated use of such linked data by the private sector is massive. It does not matter if the Indian state will finally go ahead with implementing this system or not. The fact that [it] is considering such a system is scary enough.”

Nanu Bhasin, spokesperson at the ministry of women and child development, confirmed that the order to link Aadhaar to government schemes had come directly from the Modi government. “There are leakages in the system,” she said. “This will plug leakages.”

Bhasin said Aadhaar was now mandatory: “You have to take it, it is necessary. You cannot take the right to a benefit if you don’t have the Aadhaar card.”

She said she did not know if those who did not want to enrol in the scheme because of potential privacy risks would still be able to receive benefits. “You have bank accounts, there you give all your details, everything. Why make a fuss [about privacy] for Aadhaar?” she said.

One of the most contentious new rules introduced this month, and coming into force in July, requires children to show Aadhaar cards to get free school meals. The notice led to a media storm in India, where malnutrition rates are high and nearly 60 million children are underweight.

On 7 March the government said alternative forms of ID would be accepted for free school meals where people did not yet have Aadhaar cards, and urged schools and childcare centres to enrol all attendees.

Activists argue that setting any barriers to free school meals is unethical and unconstitutional. Ambarish Rai, national convenor of the Right to Education Forum, said: “This is a very insensitive decision of the government. How can you make it mandatory? It is a clear-cut violation of the Right to Education Act 2009.”

Compulsory identification could deter school attendance if children struggle to get free school meals or uniforms, said Swati Narayan, visiting research scholar from the LSE and food activist. “India’s school meal programme covers almost 100 million children – the largest in the world. Instead of creating unnecessary barriers, the focus should be on how to improve these modest meals by adding eggs, fruit and nutritious foods to the menu.”

Glitches in the Aadhaar system have already led to reports of people being unfairly denied government subsidies. In February, the news website Scroll recorded a number of people in the state of Jharkhand being denied rice subsidies because of problems with Aadhaar card machines.

The constitutional validity of the government’s new orders is currently being debated in court, with questions raised as to whether the Indian parliament can restrict fundamental rights enshrined in the constitution, and whether the government has the power to force citizens to enrol.

In 2015, a supreme court order had ruled that the scheme was purely voluntary, and that it could not become mandatory with a court ruling. But in 2016, parliament passed the Aadhaar Act, which allowed the government to require identification for government services.

Khagesh Jha, a lawyer and activist, argued that the act was fundamentally unconstitutional. “Rescued children, children who have been trafficked or those who have been forced into child labour – [you] can’t expect them to hold an Aadhaar card or documents like a birth certificate. Right to education is a fundamental right, and is protected by the core of the constitution. It cannot be challenged by any other document.”

UIDAI, the agency overseeing Aadhaar, issued a statement saying the government had made savings of more than 490bn rupees (£6bn) in the past two and a half years, thanks to schemes linking government benefits to Aadhaar. It added that during the past seven years, there had been no report of a breach or leak of residents’ data.

For more details visit https://cis-india.org/internet-governance/news/the-guardian-march-21-2017-no-id-no-benefits

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips

No Fintech company meets every single privacy requirement under IT Act: CIS report

Shilpa S. Ranipeta — 2019-07-08T02:34:59Z

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.

A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-shilpa-s-ranipeta-june-10-2019-no-fintech-company-meets-every-single-privacy-requirement-under-it-act-cis-report

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Nine-point code set out to safeguard personal information

praskrishna — 2012-10-22T06:42:36Z

A. P. Shah panel lists exceptions; suggests privacy commissioners.

Published in Hindu Business Line on October 18, 2012.

The Justice A. P. Shah panel has recommended an over-arching law to protect privacy and personal data in the private and public spheres.

The report also suggested setting up privacy commissioners, both at the Central and State levels.

It has spelt out nine national privacy principles that could be followed while framing the law.

The report comes at a time when there is growing concern over unique identity numbers, DNA profiling, brain-mapping, etc, most of which will be implemented on the ICT platform.

The report has listed certain exceptions in the right to privacy such as national security, public order, disclosure in public interest, prevention, detection, investigation and prosecution of criminal offences and protection of the individual or of the rights of freedom of others.

In certain cases, historical or scientific research and journalistic purposes can also be considered as exceptions, says the report.

Networking sites

Referring to social networking sites and search engines, which have their own privacy code, Justice Shah said these will either have to follow the model provided in the proposed Act or have a self-regulatory mechanism approved by the privacy commissioner.

The report suggests harmonising the proposed privacy Act with the RTI Act. Responding to privacy infringement concerns, as aired by the Prime Minister recently, Justice Shah said RTI was the only law that gave statutory protection to privacy, which could be over-ridden only in certain cases for individuals, not companies.

Minister of State for Planning Ashwani Kumar said a privacy Act was necessary as in a democracy one had to ensure that "no one right is so exercised so as to infringe upon the rights of individuals."

The high-level panel submitted its report to the Planning Commission on Thursday. It will now be forwarded to the Department of Personnel and Training, which is already looking into the privacy law.

Note: The Centre for Internet & Society was a part of the expert committee even though it is not explicitly mentioned here.

For more details visit https://cis-india.org/news/the-hindu-business-line-oct-18-2012-nine-point-code-set-out-to-safeguard-personal-information

NHA Data Sharing Guidelines – Yet Another Policy in the Absence of a Data Protection Act

Shweta Mohandas and Pallavi Bedi — 2022-09-29T15:17:24Z

In July this year, the National Health Authority (NHA) released the NHA Data Sharing Guidelines for the Pradhan Mantri Jan Aarogya Yojana (PM-JAY) just two months after publishing the draft Health Data Management Policy.

Reviewed and edited by Anubha Sinha

Launched in 2018, PM-JAY is a public health insurance scheme set to cover 10 crore poor and vulnerable families across the country for secondary and tertiary care hospitalisation. Eligible candidates can use the scheme to avail of cashless benefits at any public/private hospital falling under this scheme. Considering the scale and sensitivity of the data, the creation of a well-thought-out data-sharing document is a much-needed step. However, the document – though only a draft – has certain portions that need to be reconsidered, including parts that are not aligned with other healthcare policy documents. In addition, the guidelines should be able to work in tandem with the Personal Data Protection Act whenever it comes into force. With no prior intimation of the publication of the guidelines, and the provision of a mere 10 days for consultation, there was very little scope for stakeholders to submit their comments and participate in the consultation. While the guidelines pertain to the PM-JAY scheme, it is an important document to understand the government’s concerns and stance on the sharing of health data, especially by insurance companies.

Definitions: Ambiguous and incompatible with similar policy documents

The draft guidelines add to the list of health data–related policies that have been published since the beginning of the pandemic. These include three draft health data management policies published within two years, which have already covered the sharing and management of health data. The draft guidelines repeat the pattern of earlier policies on health data, wherein there is no reference to the policies that predated it; in this case, the guidelines fail to refer to the draft National Digital Health Data Management Policy (published in April 2022). To add to this, the document – by placing the definitions at the end – is difficult to read and understand, especially when terms such as ‘beneficiary’, ‘data principal’, and ‘individual’ are used interchangeably. In the same vein, the document uses the terms ‘data principal’ and ‘data fiduciary’, and the definitions of health data and personal data, from the 2019 PDP Bill, while also referring to the IT Act SDPI Rules and its definition of ‘sensitive personal data’. While the guidelines state that the IT Act and Rules will be the legislation to refer to for these guidelines, it is to be noted that the IT Act under the SPDI Rules covers ‘body corporates’, which under Section 43A(1), is defined as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;”. It is difficult to add responsibility and accountability to the organisations under the guidelines when they might not even be covered under this definition.

With each new policy, civil society organisations have been pointing out the need to have a data protection act before introducing policies and guidelines that deal with the processing and sharing of the data of individuals. Ideally, these policies – even in draft form – should have been published after the Personal Data Protection Bill was enacted, to ensure consistency with the provisions of the law. For example, the guidelines introduce a new category of governance mechanisms under the data-sharing committee headed by a data-sharing officer (DSO). The responsibilities and powers of the DSO are similar to that of the data protection officer under the draft PDP Bill as well as the National Data Health Management Policy (NHDMP). This, in turn, raises the question of whether the DSO and the DPOs under both the PDP Bill and the draft NDMP will have the same responsibilities. Clarity in terms of which of the policies are in force and how they intersect is needed to ensure a smooth implementation. Ideally, having multiple sources of definitions should be addressed at the drafting stage itself.

Guiding Principles: Need to look beyond privacy

The guidelines enumerate certain principles to govern the use, collection, processing, and transmission of the personal or sensitive personal data of beneficiaries. These principles are accountability, privacy by design, choice and consent, openness/transparency, etc. While these provisions are much needed, their explanation at times misses the mark of why these principles were added. For example, in the case of accountability, the guidelines state that the ‘data fiduciary’ shall be accountable for complying with measures based on the guiding principles However, it does not specify who the fiduciaries would be accountable to and what the steps are to ensure accountability. Similarly, in the case of openness and transparency, the guidelines state that the policies and practices relating to the management of personal data will be available to all stakeholders. However, openness and transparency need to go beyond policies and practices and should consider other aspects of openness, including open data and the use of open-source software and open standards. This again will add to transparency, in that it would specify the rights of the data principal, as the current draft looks at the rights of the data principal merely from a privacy perspective. In the case of purpose limitation as well, the guidelines are tied to the privacy notice, which again puts the burden on the individual (in this case, beneficiary) when the onus should actually be on the data fiduciary. Lastly, under the empowerment of beneficiaries, the guidelines state that the “data principal shall be able to seek correction, amendments, or deletion of such data where it is inaccurate;”. The right to deletion should not be conditional on inaccuracy, especially when entering the scheme is optional and consent-based.

Data sharing with third parties without adequate safeguards

The guidelines outline certain cases where personal data can be collected, used, or disclosed without the consent of the individual. One of these cases is when the data is anonymised. However, the guidelines do not detail how this anonymisation would be achieved and ensured through the life cycle of the data, especially when the clause states that the data will also be collected without consent. The guidelines also state that the anonymised data could be used for public health management, clinical research, or academic research. The guidelines should have limited the scope of academic research or added certain criteria to gain access to the data; the use of vague terminology could lead to this data (sometimes collected without consent) being de-anonymised or used for studies that could cause harm to the data principal or even a particular community. The guidelines state that the data can be shared as ‘protected health information’ with a government agency for oversight activities authorised by law, epidemic control, or in response to court orders. With the sharing of data, care should be taken to ensure data minimisation and purpose limitations that go beyond the explanations added in the body of the guidelines. In addition, the guidelines also introduce the concept of a ‘clean room’, which is defined as “a secure sandboxed area with access controls, where aggregated and anonymised or de-identified data may be shared for the purposes of developing inference or training models”. The definition does not state who will be developing these training models; it could be a cause of worry if AI companies or even insurance companies have the potential to use this data to train models that could eventually make decisions based on the results. The term ‘sandbox’ is explained under the now revoked DP Bill 2021 as “such live testing of new products or services in a controlled or test regulatory environment for which the Authority may or may not permit certain regulatory relaxations for a
specified period for the limited purpose of the testing”. Neither the 2019 Bill nor the IT Act/Rules defines ‘sandbox’; the guidelines should have ideally spent more time explaining how the sandbox system in the ‘Clean Room’ works.

Conclusion

The draft Data Sharing Guidelines are a welcome step in ensuring that the entities sharing and processing data have guidelines to adhere to, especially since the Data Protection Bill has not been passed yet. The mention of the best practices for data sharing in annexures, including practices for people who have access to the data, is a step in the right direction, which could be made better with regular training and sensitisation. While the guidelines are a good starting point, they still suffer from the issues that have been highlighted in similar health data policies, including not referring to older policies, adding new entities, and the reliance on digital and mobile technology. The guidelines could have added more nuance to the consent and privacy by design sections to ensure other forms of notice, e.g., notice in audio form in different Indian languages. While PM-JAY aims to reach 10 crore poor and vulnerable families, there is a need to look at how to ensure that consent is given according to the guidelines that are “free, informed, clear, and specific”.

For more details visit https://cis-india.org/internet-governance/blog/nha-data-sharing-guidelines

NGO questions people's privacy in UID scheme

praskrishna — 2012-01-12T11:45:07Z

Taking a leaf out of the recommendations of the parliamentary standing committee on finance (SCF) that raised objections on the National Identification Authority of India Bill 2010, Delhi-based NGOs have called upon the Jharkhand government to stay the execution of UID projects in the state. Jaideep Deogharia's article was published in the Times of India on 11 January 2012.

Citing excerpts from the recommendations of the SCF, headed by BJP MP Yashwant Sinha, the NGO activists asserted that the MoU signed by the government on June 25, 2010, was without any legal and constitutional mandate.

This claim, however, remains unfounded as the UIDAI is functioning under an executive order of the department of planning and has no links with the NIDAI Bill. The issue was recently clarified by the director general and mission director of UIDAI when he addressed the media in the capital during his three-day visit.

Organizing a round table, report on SCF and its implications for Aadhaar project and National Population register for multipurpose National ID Card (MNIC),

Citizens Forum for Civil Liberties member Gopal Krishna said given the fact that the Election Commission had shortlisted 15 documents as evidence of identity and citizenship, there was no need to have the 16th instrument (read UID).

"It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," he said clarifying that even in case of prisoners, the fingerprint data is supposed to be deleted after acquittal under the Prisoner Identification Act.

JT D'Souza, an expert in biometrics technology, Mumbai, gave a presentation on how biometric information was vulnerable to exploitation. Using a finger print reader, he demonstrated fake finger prints being read by the machine. He said a fingerprint on a semi solid wax slab can be filled up with adhesive and allowed to set for eight hours. "Once the adhesive block is removed, it takes up the exact marks of finger prints using which any finger print reader can be fooled," he said.

Another participant, Sunil Abraham, director, Centre for Internet and Society, Bangalore, said there is no data protection or privacy law in place. "The UID project was allowed to march on without any protection being put in place," he said.

"On one hand, the government wants its citizens to be transparent by giving all their biometric and demographic data, but on the other hand, people in higher authorities are making every bid to conceal facts and function in a non-transparent manner," he said.

D' Souza also raised questions about the uniqueness of fingerprints as it has never been tested on a vast population. Citing examples from foreign countries where fingerprint studies have proved to be ineffectual in establishing non duplication, he said biometric data if hacked could be misused.

Read the original published in the Times of India

For more details visit https://cis-india.org/news/ngo-questions-peoples-privacy-in-uid-scheme

New Standard Operating Procedures for Lawful Interception and Monitoring

divij — 2014-03-20T05:13:13Z

Government issues new guidelines to TSP’s to assist Lawful Interception and Monitoring.

Even as the Central Government prepares the Central Monitoring System for the unrestricted monitoring of all personal communication, the Department of Telecom has issued new guidelines for Telecom Service Providers to assist in responding to requests for interception and monitoring of communications from security agencies.

These guidelines do not appear to be publicly accessible, but according to news items, under the “Standard Operating Procedures for Lawful Interception and Monitoring of Telecom Service Providers”, the TSP’s must now provide for lawful interception and monitoring requests for voice calls, Short message Service (SMS), General Packet Radio Service (GPRS) and Value Added Service (VAS) including Multi Message Service (MMS), data and voice in 3G/4G/Long Term Evolution (LTE) including video call or Voice Over Internet protocol (VoIP). This move comes just days after the Home Ministry suggested that the Department of Telecom either change the rules under their Telecom Policies such as the Unified Access Service Licence (UASL) to include VoIP monitoring, or, drastically, block all VoIP services on the internet, which would include several communication applications including Skype and GTalk. (See the article published by Economic Times).

The guidelines will supposedly also provide for some basic safeguards to ensure that non-authorized interception does not take place, such as ensuring that the interception is only to be provided by the Chief Nodal Officer of a TSP and only upon the issue of an order by the Home Secretary at the Central or State Government. Furthermore, these requests must only be in written, in untampered and sealed envelopes with no overwriting, etc. and bearing the order number issued by the concerned Secretary, with the date of the order. However, in exigent circumstances the order may be provided by email, provided that the physical copy is sent within two days of the order, else the interception order must be terminated. Inquiry processes are detailed under the new SOP’s which can verify whether the request was in original and addressed to the Nodal Officer and from which designated security agency it was issued, and can also verify the issue of an acknowledgment of compliance of the order by the TSP within two days of its receipt. The new guidelines also clarify the issue of interception of roaming subscribers by the State Government where the subscriber is registered. According to the guidelines, an order by the government of the state where such a caller has registered is sufficient and does not need vetting by the Home Secretary at the centre.

Notwithstanding the additional “safeguards” against unlawful or unauthorized interception, the message to take away from these guidelines is the Government’s continued efforts to expand its surveillance regime to comprehensively monitor every action and every communication at its whim. These requests for monitoring, undertaken by “security agencies” which include taxation agencies and the SEBI, are flawed not merely because of the possibility of “unauthorized” interception, rather because the legal basis of the interception is vague, broad and widely susceptible to misuse, as the recent “snoopgate” allegations against the Gujarat government have shown. (See the article published by the Hindu).

The current regime, based on a wide interpretation of Section 5(2) of the Indian Telegraph Act and the telecom policies of the Department of Telecom, do not have adequate safeguards for preventing misuse by those in power – such as the requirement of reasonable suspicion or a warrant. Without a sound legal basis for interception, which protects the privacy rights of individuals, any additional safeguards are more or less moot, since the real threat of intrusive surveillance and infringing of basic privacy exists regardless of whether it is done under the seal of the Home Secretary or not.

Resources

For more details visit https://cis-india.org/internet-governance/blog/new-standard-operating-procedures-for-lawful-interception-and-monitoring