Centre for Internet and Society

National Health Stack: Data For Data’s Sake, A Manmade Health Hazard

Murali Neelakantan, Swaraj Barooah, Swagam Dasgupta and Torsha Sarkar — 2018-09-16T05:01:18Z

On Oct. 5, 2017, an HIV positive woman was denied admission in Hyderabad’s Osmania General Hospital even though she was entitled to free treatment under India’s National AIDS Control Organisation programme. Another incident around the same time witnessed a 24-year-old pregnant woman at Tikamgarh district hospital in Madhya Pradesh being denied treatment by hospital doctors once she tested positive for HIV. The patient reportedly delivered the twins outside the maternity ward after she was turned away by the hospital, but her newborn twin girls died soon after.

The op-ed was published in Bloomberg Quint on August 14, 2018.

Apart from facing the severity of their condition, patients afflicted with diseases such as HIV, tuberculosis, and mental illnesses, are often subject to social stigma, sometimes even leading to the denial of medical treatment. Given this grim reality would patients want their full medical history in a database?

The ‘National Health Stack’ as described by the NITI Aayog in its consultation paper, is an ambitious attempt to build a digital infrastructure with a “deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”. If the government is to create a database of individuals’ health records, then it should appreciate the differential impact that it could have on the patients.

The collection of health data, without sensitisation and accountability, has the potential to deny healthcare to the vulnerable.

We have innumerable instances of denial of services due to Aadhaar and there is a real risk that another database will lead to more denial of access to the most vulnerable.

Earlier, we had outlined some key aspects of the NHS, the ‘world’s largest’ government-funded national healthcare scheme. Here we discuss some of the core technical issues surrounding the question of data collection, updating, quality, and utilisation.

Resting On A Flimsy Foundation: The Unique Health ID

The National Health Stack envisages the creation of a unique ID for registered beneficiaries in the system — a ‘Digital Health ID’. Upon the submission of a ‘national identifier’ and completion of the Know Your Customer process, the patient would be registered in the system, and a unique health ID generated.

This seemingly straightforward process rests on a very flimsy foundation. The base entry in the beneficiary registry would be linked to a ‘strong foundational ID’. Extreme care needs to be taken to ensure that this is not limited to an Aadhaar number. Currently, the unavailability of Aadhaar would not be a ground for denial of treatment to a patient only for their first visit; the patient must provide Aadhaar or an Aadhaar enrolment slip to avail treatment thereafter. This suggests that the national healthcare infrastructure will be geared towards increasing Aadhaar enrollment, with the unstated implication that healthcare is a benefit or subsidy — a largess of government, and not, as the courts have confirmed, a fundamental right.

Not only is this project using government-funded infrastructure to deny its citizens the fundamental right to healthcare, it is using the desperate need of the vulnerable for healthcare to push the ‘Aadhaar’ agenda.

Any pretence that Aadhaar is voluntary is slowly fading with the government mandating it at every step of our lives.

Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook

Is The Health ID An Effective And Unique Identifier?

Even if we choose to look past the fact that the validity of Aadhaar is still pending the test of legality before the apex court, a foundational ID would mean that the data contained within that ID is unique, accurate, incorruptible, and cannot be misused. These principles, unfortunately, have been compromised by the UIDAI in the Aadhaar project with its lack of uniqueness of identity (i.e, fake IDs and duplicity), failure to authenticate identity, numerous alleged data leaks (‘alleged’ because UIDAI maintains that there haven’t been any leaks), lack of connectivity to be able to authenticate identity and numerous instances of inaccurate information which cannot be corrected.

Linking something as crucial and basic as healthcare data with such a database is a potential disaster.

There is a real risk that incorrect linking could cause deaths or inappropriate medical care.

The High Risk Of Poor Quality Data

The NITI Aayog paper envisages several expansive databases that are capable of being updated by different entities. It includes enrollment and updating processes but seems to assume that all these extra steps will be taken by all the relevant stakeholders and does not explain the motivation for stakeholders to do so.

In a country where government doctors, hospitals, wellness centres, etc are overburdened and understaffed, this reliance is simply not credible. For instance, all attributes within the registries are to be digitally signed by an authorised updater, there must be an audit trail for all changes made to the registries, and surveyors will be tasked with visiting providers in person to validate the data. Identifying these precautions as measures to assure accurate data is a great step towards building a national health database, but this seems an impossible task.

Who are these actors and what will incentivise them to ensure the accuracy and integrity of data?

In other words, what incentive and accountability structures will ensure that data entry and updating is accurate, and not approached from a more ‘jugaad’ ‘let’s just get this done for the sake of it’ attitude that permeates much of the country. How will patients have access to the database to be able to check its accuracy? Is it possible for a patient (who will presumably be ill) to gain easy access to an updater to change their data? If so, how? It is worth noting that the patient’s ‘right’ to check her data assumes that they have access to a computer that is connected to the internet as well as a good level of digital literacy, which is not the case in India for a significant section of the population. Even data portability loses its potential benefits if the quality of data on these registries is not reliable. In this case, healthcare providers will need to verify their patients’ health history using physical records instead, rendering the stack redundant.

Who will be liable to the patient for misdiagnosis based on the database?

A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)

Leaving the question of accountability vague opens updaters to the possibility of facing dangerous and unnecessarily punitive measures in the future. The NITI Aayog paper fails to address this key issue which arose recently. Despite being a notifiable disease, there are reports that numerous doctors from the private sector failed to notify or update TB cases to the Ministry of Health and Family Welfare ostensibly on the grounds that they did not receive consent from their patients to share their information with the government. This was met with a harsh response from the government which stated that clinical establishment that failed to notify tuberculosis patients would face jail time. According to a few doctors, the government’s new move would coerce patients to go to ‘underground clinics’ to receive treatment discreetly and hence, would not solve the issue of TB.

The document also offers no specific recommended procedures regarding how inaccurate entries will be corrected or deleted.

It is then perhaps not a stretch to imagine that these scenarios would affect the quality of the data stored; defeating NITI Aayog’s objective of researchers using the stack for high-quality medical data.

The reason why the quality and integrity of data is at the head of the table is that all the proposed applications of the NHS (analytics, fraud detection etc.) assume a high quality, accurate dataset. At the same time, the enrolment process, updating process and disclosed measures to ensure data quality will effectively lead to poor quality data. If this is the case, then applications derived from the NHS dataset should assume an imperfect data, rather than an accurate dataset, which should make one wonder if no data is better than data that is certainly inaccurate.

Lack Of Data Utilisation Guidelines

Issues with data quality are exacerbated depending on how and where it is used, and who uses it. The paper has identified some users to be health-sector stakeholders such as healthcare providers (hospitals, clinics, labs etc), beneficiaries, doctors, insurers and accredited social health activists but misses laying down utilisation guidelines. The foresight to create a dataset that can be utilised by multiple actors for numerous applications is commendable, but potentially problematic -- especially if guidelines on how this data is to be used by stakeholders (especially the private sector) are ignored.

In order to bridge this knowledge gap, India has the opportunity to learn from the legal precedent set by foreign institutions. As an example, one could examine the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. which sets out strict guidelines for how businesses are to handle sensitive health data in order to maintain the individual’s privacy and security. It goes one step further to also lay down incentive and accountability structures in order that business associates necessarily report security breaches to their respective covered entities.

If we do not take necessary precautions now, we not only run the risk of poor security and breach of privacy but of inaccurate data that renders the national health data repository a health risk for the whole patient population.

There’s also the lack of clarity on who is meant to benefit from using such a database or whether the benefits are equal to all stakeholders, but more on that in a subsequent piece.

A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)

It’s Your Recipe, You Try It First!

If the NITI Aayog and the government are sure that there is a need for a national healthcare database, perhaps they can start using the Central Government Health Scheme (which includes all current and retired government employees and their families) as a pilot scheme for this. Once the software, database and the various apps built on it are found to be good value for money and patients benefit from excellent treatment all over the country, it could be expanded to those who use the Employees’ State Insurance system, and then perhaps to the armed forces. After all, these three groups already have a unique identifier and would benefit from the portability of healthcare records since they are likely to be transferred and posted all over the country. If, and only if, it works for these groups and the claimed benefits are observed, then perhaps it can be expanded to the rest of the country’s healthcare systems.

Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.

For more details visit https://cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard

National Consultation on Media Law

praskrishna — 2014-09-30T06:52:50Z

The Law Commission of India and the National University, Delhi have joined hands to organize the National Consultation on Media Law at the India Habitat Centre in New Delhi on September 27 and 28, 2014. Nehaa Chaudhari participated in this event.

Click to view the:

For more details visit https://cis-india.org/internet-governance/news/national-consultation-on-media-law

Nasscom chief saying full data protection isn’t possible should wake us from our digital slumber

praskrishna — 2017-03-17T01:47:25Z

Considering India is rapidly moving towards a digital economy, the hurdles not withstanding, data and identity security are topics which have to be taken very seriously. Since the demonetisation, a large part of the population who would never bother with digital transactions has suddenly come online. But there is no such thing as complete security of personal data, according to Nasscom chief R Chandrashekhar.

This was published by First Post on March 16, 2017. Pranesh Prakash was quoted.

Attending the World Consumer Rights Day, R Chandrashekhar said that personal data of online consumers cannot be completely secure and stressed on the need to have strict enforcement of consumer protection laws. Speaking to PTI, Chandrashekhar said, “More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT.”

It’s high time we call a spade, a spade

R Chandrashekhar, President Nasscom. Image: PIB

Coming from the head of Nasscom, this announcement pertaining to security is very important. According to Chandrashekhar one cannot expect complete cyber security, but there are definitely ways in which such attacks and incidents can be minimised. He very rightly said that that protecting the online consumer data, specially looking at how rapidly e-commerce is growing in the country, is of prime importance.

One cannot help but agree with Chandrashekhar, specially considering the fact India does not have a privacy law ecosystem that is present in countries such as the US and the UK, where online consumer protection is taken very seriously. Germany and other EU nations have always been at the forefront, when it comes to protecting data privacy, and it has ensured that consumer-facing technology companies do not run roughshod when it comes to protecting user data.

Chandrashekhar stated that there was no need for separate regulations for e-commerce sites, but the priority was ensuring means to enforce consumer laws in the digital world.

Lack of dedicated privacy laws

According to cyberlaw and cybersecurity expert, Pavan Duggal, “Going forward, there is an urgent need for India to take a strong view on privacy in terms of legislative frameworks. Unfortunately, at the time of writing, India does not have a dedicated law on privacy.”

Image: Foamy Media

Social media websites for instance have a lot of user data. But what happens when they suddenly change their privacy policies? For instance, a lot of users signed on to WhatsApp when it was an independent company. But post the Facebook acquisition, there have been a lot of instances where WhatsApp has updated its terms and conditions to suit its parent Facebook.

That’s not completely illegal one may say. Loss of privacy is a price you pay for free services. But what if, I as a consumer of WhatsApp do not want the app to share any of my data with Facebook? The only option I am left with is to delete WhatsApp. But then again, I do not know if my data is also deleted from WhatsApp servers or it has already been shared. Social media apps, only let you know what updates are being added. Consent is only required to update the app. You can stall that, up to a point. But there will come a time when you will have to update an app. Then by default you have given approval to all the terms and conditions associated with the app.

Two students had challenged WhatsApp’s revision to its privacy policy before Delhi High Court. The Court dismissed the petition insisting that users could opt out by deleting their accounts.

When a similar challenge was mounted before the authorities in UK, Facebook had to put a pause on their data sharing – and this was because of its strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.

Aadhaar – the 12-digit biometric storehouse

Aadhaar card is being used for many financial and non financial transactions. Also the Aadhaar number associated with an individual also holds a lot of personal and biometric data. So when recently, there was news about a possible Aadhaar data breach when UIDAI filed a police complaint against Axis Bank, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, it was naturally a shock to many.

Unlike a password which can be changed, with biometric information there is no scope to do that if it is compromised. Although UIDAI claims that there are multiple levels of security and firewalls to ensure there is no breach of Aadhaar information of an individual, one can only hope that it is robust enough to withstand any attack. Collection of biometric data by the government to form a database, for instance, was debated and ultimately not used in the UK.

Pranesh Prakash, policy director of the Centre for Internet and Society, expressed concern about the pace at which we are progressing when it comes to having a legal and regulatory framework when it comes to the Digital India push. “While the security architecture of Aadhaar Enabled Payment Systems (AEPS) might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password,” said Prakash.

Enforcing the correct processes

Last year, a malware affected the systems of Hitachi Payment Services, which provides back end services to ATM machines and Point of Sale nodes across India. As a result of this, around 32 lakh debit cards were compromised including those issued by SBI, HDFC, Yes Bank, Axis, BOB and ICICI. Security experts and consultants have pointed out various holes in the electronic transaction systems in place in India. Intel has also warned that ATM machines in India are vulnerable to malicious attacks. Intel points out that countries in the Asia Pacific region are developing and are particularly vulnerable because of old systems and machines being used.

Image: REUTERS/Amit Dave

According to Mahesh Patel, president and group CTO, AGS Transact Technologies this was more of a governance issue of the data centre than any technical error. “It is not about the software, but it is about the processes and procedures you put in place to ensure that the system is secure. Everything from physical security to computing security to admin management, etc should be process driven. So somewhere there could have been a weak link there. Cloud has to be secure and encrypted which suffices the use case of payments. This cloud is different from the ones used by e-commerce sites to display all their products,” said Patel.

We may have the best of software and security measures, but ensuring that they are implemented the right way is equally important. Plugging the loopholes in current regulations is also important.

Existing laws and regulations, not enough

According to Duggal, “The Information Technology Act, 2000 hardly has effective provisions to protect any data and personal privacy in the digital ecosystem. The Indian Government needs to come up with strong privacy law which can protect both personal privacy and data privacy in an effective manner.”

One may find it really shocking to hear the head of Nasscom saying something to the extent that full data protection for online consumers is not possible, but there is definitely truth to the matter. It will require concerted efforts from not only regulators, governments, digital wallet players and banking industry to come up with these privacy laws, but also you the consumer has to ensure that you are aware of the dangers lurking in the digital world. Educating oneself of the various ways in which your data can be compromised is a good way to protect your online self.

Because, let’s face it, for all practical purposes if you are online, your privacy is dead.

For more details visit https://cis-india.org/internet-governance/news/first-post-march-16-nimish-sawant-nasscom-chief-saying-full-data-protection-isnt-possible-should-wake-us-from-our-digital-slumber

Nasscom against differential pricing for data services

praskrishna — 2016-01-06T15:12:17Z

The National Association of Software and Services Companies says it should be the regulator that decides on such content, not firms.

The article by Moulishree Srivastava was published in Livemint on January 5, 2016. Pranesh Prakash gave inputs.

India’s top software lobby on Monday said if select web content needs to be provided cheaper for some Indians, it must be the regulator that decides on such content, not companies.

In its response to a consultation paper by the Telecom Regulatory Authority of India (Trai) on differential pricing for data usage, the National Association of Software and Services Companies (Nasscom) objected to plans such as Free Basics and Airtel Zero where companies choose content to be provided at different speeds and prices, but backed powers for the regulator to allow such a model if the regulator deems they are in “public interest”, while adhering to principles of net neutrality.

“We strongly oppose any model where telecom service providers (TSPs) or their partners have a say or discretion in choosing content that is made available at favourable rates, speed... any differential pricing by TSP either directly such as Airtel Zero or indirectly as in the case of Free Basics through a platform provider which limits access to the internet services or websites (selected by the TSP or by the partners) violate the idea of net neutrality,” said R. Chandrashekhar, president, Nasscom.

“But when we recognize the reality of India as a country which has low internet penetration and even lower broadband penetration, apart from low levels of digital literacy and limited local language content... there may be a need to provide certain services in public interest at differential or lower prices which the regulator feels are necessary,” he said.

“Therefore, it is important that the regulator should have the power to allow differential pricing for certain types or classes of services that are deemed to be in public interest and based on mandatory prior approvals,” he said. “Any such programmes should abide by the principles of net neutrality and not constrain innovation in any way and not constrain innovation in any way.”

Differential pricing for data usage means offering services at different price points to different users. However, analysts say it could lead to an anti-competitive environment, hurting small companies and start-ups, while giving the TSPs and their partner platforms near-monopolistic access to the vast amount of user data that has potential commercial value in a country such as India where privacy laws are not strong.

Differential pricing is a significant aspect of the net neutrality debate that erupted in India in 2015, when Trai released a consultation paper in April. Soon, telecom operator Bharti Airtel Ltd launched Zero, a marketing platform that allows customers to access mobile applications for free but charges the application providers.

Facebook’s Free Basics service (the new name for Internet.org) aims to offer people without the Internet free access to a handful of websites and a range of services through mobile phones, which net neutrality activists say will violate the core principle that everyone should have unrestricted access to Internet and it should not be regulated by a company.

Following the outrage, Trai put Free Basics on hold, asking Reliance Communications Ltd to furnish the detailed terms and conditions of its Free Basics service. The next step will be announced later this month.

In an op-ed in the Times of India last week, Nandan Nilekani, co-founder of Infosys Ltd. and former chairman of Unique Identification Authority of India, publicly criticized Facebook’s Free Basics, calling it a walled garden.

“The walled garden of Free Basics goes against the spirit of openness on the internet, and in the guise of being pro-poor, balkanises it. Only Free Basics-approved websites will be accessible for free,” he said in the article which he co-authored with Viral Shah who led the design of government’s subsidy platforms using Aadhaar. “In theory, anyone meeting the technical guidelines today can participate. However, services that may potentially compete with telco offerings may not join Free Basics. Since Facebook does not currently subsidise free usage, telcos will have to foot the bill by raising prices.”

He said schemes such as direct benefit transfer for Internet data packs would be better compared to programmes such as Free Basics.

Nasscom, in its response, recommended “mandatory prior approval of such services by the regulator and sharing of periodic information on tariff plans seek to lower the price as well as zero rating services,” adding that these programmes should abide by the principle of net neutrality, meaning it should not limit consumers access to pre-defined set of services or websites.

“Any such differential pricing programs should have explicit approval of the regulator—and should be deemed to be in the public interest and the onus of proving it to be in the public interest in the first instance would be on service provider and before Trai arrives at a final decision a public consultation is also advised because of the dangers involved,” Nasscom said. “Even after the approval, suitable oversight mechanism should be maintained by the regulator in all such case.”

Pranesh Prakash, policy director at the Centre for Internet and Society (CIS), said Nasscom’s approach to make differential pricing plans and options as an exception rather than the rule was quite reasonable. “It says that if differential pricing services adhere to the guidelines of being non-discriminatory, non-anti-competitive, non-predatory, non-ambiguous and transparent, they can be allowed under the supervision of the regulator, which is similar to the position adopted by CIS,” he said.

“Though some of their positions are ambiguous—for instance what they mean by non-discriminatory, and whether they are okay with differential pricing between classes of applications, are unclear—and some of their recommendations increase regulatory complexity, such as their proposal for independent not-for-profit entities with independent boards to own and manage such differential pricing programs, by and large it is a useful submission,” Prakash added.

For more details visit https://cis-india.org/internet-governance/news/livemint-moulishree-srivastava-january-5-2016-nasscom-against-differential-pricing-for-data-services

Narendra Modi’s personal app sparks India data privacy row

Admin — 2018-03-28T16:17:32Z

PM’s NaMo app sends user data to third party in US, says researcher.

Sunil Abraham was quoted in the article published by Financial Times on March 28, 2018.

“People are outraged that there is a peephole,” says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, a non-profit research organisation. “They are not outraged that anyone has looked into the peephole — because there is no evidence of that yet.”

For Mr Abraham, however, the controversy demonstrates that “Indian political parties have a voracious appetite for political data. If unchecked by law or public outrage, they will continue to hoover up as much data as they can from our devices.”

“Privacy is definitely a political issue,” says Mr. Abraham. “Political parties are reacting not because they will get into trouble under the law. They are reacting because they areafraid their supporters may not like it.”

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-28-2018-narendra-modi-personal-app-sparks-india-data-privacy-row

My Experiment with Scam Baiting

sahana — 2012-03-13T10:43:28Z

Today, as I am sure many of you have experienced, Internet scams are widespread and very deceptive. As part of my research into privacy and the Internet, I decided to follow a scam and attempt to fully understand how Internet scams work, and what privacy implications they have for Internet users. Though there are many different types of scams that take place over the Internet —identity scams, housing scams, banking scams— just to name a few. I decided to look in depth at the lottery scam.

Day 1: July 4, 2011

On July 4, I received a spam mail from Shell BP Manchester England (lamarc65@cs.com). The e-mail informed me that my e-mail address had won a sum of $550,000 which was held on July 3, 2011 in England. In order to claim my prize the e-mail instructed me to confirm the receipt of the mail by submitting a few of my personal details to one Dr. Mohammed Al Maliki. This is an extract from the letter asking for my information:

Information Requested:

Your full Name:
Contact address:
Your Telephone:
Your Age:
Your occupation:
Your country of origin:

Congratulations.
Yours Sincerely,
Mrs Roseline Lott
Shell Prize announcer, England.

Deciding to reply to the email and see what happened, I responded to Dr. Mohammed Al Maliki (dr.mohamedmalik@gmail.com) with the information that the e-mail had asked, only I substituted my real information with the following fake information:

Shaiza Sarkar
B-196, CR Park, New Delhi - 110019
09916000603
23 yrs old
India

To my surprise he replied to my mail the same day at 4:59pm. In this mail he informed me that he had sent my details to Lloyds Bank who would be responsible for the payment of my prize. He asked me to inform him after I receive a mail from the bank. The e-mail contained a phone number for me to call. I tried to call the number mentioned in the mail but there was no reply.

Again to my surprise, I received a mail from Lloyds Bank at 6:58 p.m. the same day with a list of documents and details that I was supposed to send them to claim the prize money. Lloyds Bank had also attached a deposit certificate to ‘prove’ that Shell Petroleum Development Company had deposited the prize money in the bank. Below is an extraction of the e-mail I received from Lloyds Bank.

"FROM THE DESK OF DR. MOHAMED MALIK
REGIONAL CLAIMS AGENT,
SHELL PETROLEUM INTERNATIONAL LOTTERY PROGRAM.
Regional Office:
St James Court, Great Park Road,
Almondsbury Park, Bradley Stoke,
Bristol BS32 4QJ, England
Contact: +447035974608
“LLOYDS BANK PLC
ADMINISTRATIVE HEADQUARTERS.
LONDON, ENGLAND, UNITED KINGDOM.
REF...FILENOS2345/LTB
ATTENTION: SARKAR SHAIZA
*REGARDING YOUR PRIZE FROM SHELL PETROLEUM DEVELOPMENT COMPANY*
PLEASE SEND US THE DOCUMENTS BELOW;
1. A CERTIFICATE OF AWARD FROM SHELL PETROLEUM CONTACT DR MOHAMED MALIK
2. A SCANNED COPY OF EITHER YOUR DRIVERS LICENSE OR YOUR INTERNATIONAL PASSPORT OR WORK I.D CARD.
3. A SWORN AFFIDAVIT OF CLAIM FROM THE CROWN COURT HERE IN LONDON,YOU ARE REQUIRED TO CONTACT [DR MOHAMED MALIK]YOUR AGENT FOR ALL THIS.
SIR PAUL WISCONFIELD.
HEAD OF OPERATIONS.
LLOYDS TSB BANK PLC

Day 2: July 5, 2011

The next day I informed Dr. Mohammed Al Maliki of the above letter from the bank, as instructed to at 8:58 p.m. At 9:45 p.m., Dr. Mohammed Al Maliki emailed me back with the certificate of award from Shell Petroleum Development Company with my fake name printed on it.

Though the first two documents that Lloyds Bank required me to obtain were standard enough, the turning point in this entire scam was the third document that Lloyds Bank asked me to acquire. The third document asked me to present a sworn affidavit of claim from the Crown Court in London. Following the instructions given by the bank, I again emailed Dr. Mohammed Al Maliki. He replied with instructions for me to contact Barrister Wilson Burrows (ESQ) of Wilson and Co. Law Chambers for this document. I tried to search for Wilson and Co. Chambers on the Internet and found that no company with such a name exists.

This is the certificate of award provided to me by Dr. Mohammed Al Maliki:

Day 3: July 6, 2011

At 1:47 p.m. I mailed Wilson and Co. Law Chambers informing them about the sworn affidavit that I required in order to claim the lottery prize. The same day at 8:25 p.m. the Law Chambers sent me the following mail with an application form, and asked me to transfer 520 pounds through a Western Union Money Transfer to the Chamber’s Accountant Mr. Preston Doyle. I checked the address provided in the mail to see if it existed. The Google map showed that the given pin code “L14JJ”- London - was a pin code for Liverpool, Merseyside UK, which is not London , and not where Wilson and Co. Law Chambers claimed to be based. Additionally, the Law Chambers attached a form for the affidavit in this mail.

Below is an extract from the email I received from Wilson and Co. Law Chambers:
“The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers
Kind Attention: Client,
As stated in the attached form, the completed form should be returned with the Court Oath Fee. For further processing, see below fees;
Court Oath Fee: 250 Pounds
Attorney Fee: 270 Pounds
------------------------------------------
Total Fee: 520 Pounds
-----------------------------------------
To send this money, go to any WESTERN UNION MONEY TRANSFER OFFICE nearest to you and make the payment to the Chamber's Accountant - Mr. Preston Doyle with the following details -
Receiver's Name: Mr. Preston Doyle
Receiver's Location: London, United Kingdom.
Receiver's Address: #18 Harms Road Manchester, L14JJ – London
Amount: £ 520.00 (Five Hundred and Twenty Pounds)
Regards,
Mrs.Wilson Burrows(ESQ)
(Registrar)
Mrs. Ivon Samuel (KBE) (Secretary)”

Day 4: July 7, 2011

After receiving the e-mail asking for a money transfer, I was curious and wished to probe more. Thus, I wrote to Wilson and Co Law Chambers and explained that a Western Union Transfer was not available in my village. The same day at 6:48 p.m. the Law Chambers sent me a mail saying that the Honourable Chamber recognizes only Western Union Transfer as the safest mode for transactions. I did not reply to this mail, as I knew I would not be able to go any further with my investigation. Though I was disappointed because this was the end to my investigation into lottery scams, and I still had questions that I wanted answered, the last e-mail the Law Chambers sent me was very interesting. In the last email sent to me by the Law Chambers requested (in a very pushy tone) that I should not tell anyone about my prize money, and that it was in fact in my best interest not to tell anyone.

Below is the extract of this mail:

“So do not discuss your winning with anybody until your prize has been transferred to you. It is for your own good. And it is at that time alone that you can be used for advert purposes by our company. So the success of this transfer lies sorely in your hands. These are the exact words from the Director this morning.”

Regards,

Mrs.Wilson Burrows (ESQ)

(Registrar)

His Lordship, Justice Ivon Samuel (KBE) (Secretary)

Day 5: July 8, 2011

Originally I wrote to the Law Chambers telling them I did not have access to a Western Union for the purpose of seeing if they use other mediums to receive money. Surprisingly, at 1:47 p.m. Wilson and Co. Law Chambers emailed me. The e-mail said that they would grant me the privilege of using a direct deposit of the 250 pounds into their correspondents account in India. In the mail they asked me to confirm that I would use this method of payment, and that once confirmed, that they would furnish me with their correspondent’s account details. Interested, I confirmed. After my e-mail confirmation at 9:47 p.m. they emailed me the details of their correspondent in India.

Below are the details of the account that I was supposed to transfer the money into:

This is the account details you will deposit the money into:
Account Name: L. MOHAN SINGH
Bank name: HDFC BANK
Branch: DELHI
Account number: 0609190004391
Ifsc Code : HDFC0000609
Pan Card: DDMPS9075M

Day 6: July 11, 2011

I did not deposit the money (obviously) and I did not e-mail the bank or the Law Chambers, I did receive a mail from Wilson and Co. Law Chambers informing me that their reputable organization would not tolerate my laxity. Unfortunately, because I could not pay the fee to their correspondent and obtain the affidavit, I was unable to follow the scam any further. Despite this dead end I was curious to know if they would provide me with the phone number of their Indian correspondent. Thus, I wrote them a mail to humbly apologise for the delay. I further asked them to provide me with the correspondent’s phone number claiming that the bank was rejecting his profile due to security protocols.

Day 7: July 12, 2011

The Law Chambers responded, informing me that they did not wish to give the correspondents number. In their e-mail they made it quite clear that for online banking all that is needed is the IFSC code. Therefore, I had to stop here.

This is the extract of the mail they sent me when I asked for the phone number:

The Principal Attorney
Wilson and co Chambers
#18 Harms Road Manchester
L14JJ - London.
Supreme Solicitors, Principal Attorneys and Property Managers

Kind Attention: Client,
This Honorable Chambers is in receipt of your mail. It is very important for you to know that laxity will not be accepted anymore. For the online transfer of this payment, you do not need any phone number, all you need is the IFSC Code already supplied to you. Once more, the IFSC Code is HDFC0000609. That is all you need to make an online transfer.

While I stopped following the scam at this point, many people might have continued with the process without any knowledge of it being a scam. Thus, one should be very sceptical about individuals or organizations who ask for personal and banking information.

Conclusions

In my experiment with scam baiting, I realized that:

They introduced me to various parties to make this entire scheme look professional. I initially assumed that I would have to carry out the process with the Shell Petroleum Development Company alone.
In the beginning of the experiment I initially thought the scam was about taking my account number and hacking into it. During my experiment I realized that the scam was not designed to make money by emptying my bank account, but instead was designed to profit off of the various admission fees such as the Sworn Affidavit.
Due to the speed by which they were able to respond to my emails, I realized that they had pre-prepared fake documents – ready to send to anyone who emailed them regarding claiming the offered lottery prize.
Throughout all of our e-mail exchanges I noticed that the individuals behind the scam only used a G-mail account. Curious, I checked their IP address – hoping to find out more information and possibly track their location – but found that Google does not reveal senders IP address information (which is in fact a very good thing in terms of privacy protection!)

For a detailed understanding of different types of scams visit here.

For more details visit https://cis-india.org/internet-governance/blog/privacy/scam-baiting

Multistakeholder Consultation on Encryption

praskrishna — 2016-12-17T01:22:35Z

The Centre for Internet & Society (CIS) in collaboration with ORF and Takshashila Institution is organizing a Multi-Stakeholder Consultation on Encryption on December 17, 2016 at TERI in Bengaluru.

The consultation is intended to help shape the discussions around the new draft encryption policy slated to be released sometime early next year. The consultation will be divided into two segments: an open house and a panel discussion with high-level government representatives, including Dr. Gulshan Rai, the National Cyber Security Coordinator. The sessions start at 10.30 a.m. on December 17, 2016 and will go on for until approximately 4.30 p.m.

The discussions themselves will highlight inputs from the three main constituents affected by an encryption policy: civil society and end users, the private sector and government. The range of civil liberties and constitutional rights implicated by encryption, as well as the needs of businesses to secure data flows will be discussed. Government officials too are expected to join the consultation and will provide perspectives on encryption and legitimate access to data for law enforcement purpose.

For more info reach out to Udbhav Tiwari (udbhav@cisindia.org) or Bedavyasa Mohanty (bedavyasam@orfonline.org)

For more details visit https://cis-india.org/internet-governance/events/multistakeholder-consultation-on-encryption

Moving Towards a Surveillance State

atreya — 2013-07-15T05:57:15Z

The cyberspace is a modern construct of communication and today, a large part of human activity takes place in cyberspace. It has become the universal platform where business is executed, discourse is conducted and personal information is exchanged. However, the underbelly of the internet is also seen to host activities and persons who are motivated by nefarious intent.

Note: The original tender document of the Assam Police dated 28.02.2013 along with other several other tender documents for procurement of Internet and Voice Monitoring Systems is attached as a zip folder.

As highlighted in the International Principles on the Application of Human Rights to Communications Surveillance, logistical barriers to surveillance have decreased in recent decades and the application of legal principles in new technological contexts has become unclear. It is often feared that in light of the explosion of digital communications content and information about communications, or "communications metadata," coupled with the decreasing costs of storing and mining large sets of data and the provision of personal content through third party service providers make State surveillance possible at an unprecedented scale. Communications surveillance in the modern environment encompasses the monitoring, interception, collection, preservation and retention of, interference with, or access to information that includes, reflects, arises from or is about a person's communications in the past, present or future.[*] These fears are now turning into a reality with the introduction of mass surveillance systems which penetrate into the lives of every person who uses any form of communications. There is ample evidence in the form of tenders for Internet Monitoring Systems (IMS) and Telecom Interception Systems (TCIS) put out by the Central government and various state governments that the Indian state is steadily turning into an extensive surveillance state.

While surveillance and intelligence gathering is essential for the maintenance of national security, the creation and working of a mass surveillance system as it is envisioned today may not necessarily be in absolute conformity with the existing law. A mass surveillance system like the Central Monitoring System (CMS) not only threatens to completely eradicate any vestige of the right to privacy but in the absence of a concrete set of procedural guidelines creates a tremendous risk of abuse.

Although information regarding the Central Monitoring System is quite limited on the public forum at the moment it can be gathered that a centralized system for monitoring of all communication was first proposed by the Government of India in 2009 as indicated by the press release of the Ministry of Communications & Information. Implementation of the system started subsequently as indicated by another government press release and the Center for Development of Telematics (C-DOT) was entrusted with the responsibility of implementing the system. As per the C-DOT annual report 2011-12, research, development, trials and progressive scaling up of a Central Monitoring System were conducted by the organization in the past 4 years and the requisite hardware and CMS solutions which support voice and data interception have been installed and commissioned at various Telecom Service Providers (TSP) in Delhi and Haryana as part of the pilot project. Media reports indicate that the project will be fully functional by 2014. While an extensive surveillance system is being stealthily introduced by the state, several concerns with regard to its extent of use, functioning, and real world impact have been raised owing to ambiguities and wide gaps in procedure and law. Moreover, the lack of a concrete privacy legislation coupled with the absence of public discourse indicates the lack of interest of the state over the rights of an ordinary citizen. It is under these circumstances that awareness must first be brought regarding the risks of the mass surveillance on civil liberties which in the absence of established procedures protecting the rights of the citizens of the state can result in the abuse of powers by the state or its agencies and lead to the demise of civil freedoms even in democratic states.

The architecture and working of a proposed Internet Monitoring System must be examined in an attempt to better understand the functioning, capabilities and possible impact of a Central Monitoring System on our society and lives. This can perhaps allow more open discourse and a committed effort to preserve the rights of the citizens especially the right to privacy can be made while allowing for the creation of strong procedural guidelines which will help maintain legitimate intelligence gathering and surveillance.

Internet Monitoring System: Setup and Working
Very broadly, The Internet Monitoring System enables an agency of the state to intercept and monitor all content which passes through the Internet Service Provider’s (ISP) server which includes all electronic correspondence (emails, chats or IM’s, transcribed call logs), web forms, video and audio files, and other forms of internet content. The electronic data is stored and also subject to various types of analysis. While Internet Monitoring Systems are installed locally and their function is limited to specific geographic region, the Central Monitoring System will consolidate the data acquired from the different voice and data interception systems located across the country and create a centralized architecture for interception, monitoring and analysis of communications. Although the exact specifications and functions of the central monitoring system still remain unclear and ambiguous, some parallels regarding the functioning of the CMS can be drawn from the the specifications revealed in the Assam Police tender document for the procurement of an Internet Monitoring System.

Setup
The deployment architecture of an Internet Monitoring System (IMS) contains probe servers which are installed at the Internet Service Provider’s (ISP) premises and the probes are installed at various tapping points within the entire ISP network. A collection server is also installed and hosted at the site of the ISP. The collection server is used to either collect, analyze, filter or simple aggregate the data from the ISP servers and the data is transferred to a master aggregation server located a central data center. The central data center may also contain more servers specifically for analysis and storage. This type of architecture is being referred to as a ‘high availability clustered setup’ which is supposed to provide security in case of a failure or outage.

The Assam Police Internet Monitoring System tender document specifically indicates that the deployment in the state of Assam shall require 8 taps or probes to be installed at different ISPs, out of which 6 taps/probes shall be of 10 GBPS and 2 taps are of 1 GBPS. The document however mentions that the specifications are preliminary and subject to change.

Types of data
The proposed internet monitoring system of the Assam state can provide network traffic interception and a variety of internet protocols including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Session Initiation Protocol (SIP), Voice over Internet Protocol (VoIP) can be intercepted and monitored. The system can also support monitoring of Internet Relay Chat and various other messaging applications (such as Google Talk, Yahoo Chat, MSN Messenger, ICQ, etc.). The system can be equipped to capture and display multiple file types like text (.doc, .pdf), zipped (.zip) and executable applications (.exe). Further, information regarding login details, login pattern, login location, DNS address, routing address can be acquired along with the IP address and other details of the user.

Web crawling capabilities can be installed on the system which can provide data from various data sources like social networking sites, web based communities, wikis, blogs and other forms of web content. Social media websites (such as Twitter, Facebook, Orkut, MySpace etc.), web pages and data on hosted applications can also be intercepted, monitored and analyzed. The system also allows capture of additional pages if updated; log periodical updates and other changes. This allows the monitoring agencies the capability of gathering internet traffic based on several parameters like Protocols, Keywords, Filters and Watch lists. Keyword matching is achieved by including phonetically similar words in various languages including local languages.

More specific functions of the IMS can include complete email extraction which will disclose the address book, inbox, sent mail folder, drafts folder, personal folders, delete folders, custom folders etc. and can also provide identification of dead drop mails. The system can also be equipped to allow country wise tracking of instant messages, chats and mails.

Regarding retention and storage of data, the tender document specifies that the system shall be technically capable of retaining the metadata of Internet traffic for at least one year and the defined traffic/payload/content is to be retained in the storage server at least for a week. However, the data may be retained for a longer period if required. The metadata and qualified data after analysis are integrated to a designated main intelligence repository for storage.

Types of Analysis
The Internet Monitoring System apart from intercepting all the data generated through the Internet Service Providers is essentially equipped for various types of data analysis. The solutions that are installed in the internet monitoring system provide the capability for real time as well as historical analysis of network traffic, network perimeter devices and internal sniffers. The kinds of analysis based on ‘slicing and dicing of data’ range from text mining, sentiment analysis, link analysis, geo-spatial analysis, statistical analysis, social network analysis, transaction analysis, locational analysis and fusion based analysis, CDR analysis, timeline analysis and histogram based analysis from various sources.

The solutions installed in the IMS can enable monitoring of specific words or phrases (in various languages) in blogs, websites, forums, media reports, social media websites, media reports, chat rooms and messaging applications, collaboration applications and deep web applications. Phone numbers, addresses, names, locations, age, gender and other such information from content including comments and such can also be monitored. Specifically with regard to social media, the user’s profile and information related to it can be extracted and a detailed ontology of all the social media profiles of the user can be created.

Based on the information, the analysis supposed to provide the capability to identify suspicious behavior based on existing and new patterns as they emerge and are continuously applied to combine incoming and existing information on people, profiles, transactions, social network, type of websites visited, time spent on websites, type of content download or view and any other type of gatherable information. The solutions on the system are also supposed to create single or multiple or parallel scenario build-ups that may occur in blogs, social media forums, chat rooms, specific web hosting server locations or URL, packet route that may be defined from time to time and such scenario build-ups can be based on parameters like sentiments, language or expressions purporting hatred or anti-national expressions, and even emotions like expression of joy, compassion and anger, which as may be defined by the agency depending on operational and intelligence requirement. Based on these parameters, automated alerts can be generated relating to structured or unstructured data (including metadata of contents), events, pattern discovery, phonetically similar words or phrases or actions from users.

Based on the data analysis, reports or dossiers can be generated and visual analysis allowing a wide variety of views can be created. Further, real time visualization showing results from real-time data can be generated which allows alerts, alert categories or discoveries to be ranked (high, medium, and low priority, high value asset, low value asset, moderate value asset, verified information, unverified information, primary evidence, secondary evidence, circumstantial evidence, etc.) based on criteria developed by the agency. The IMS solutions can also be capable of offering web-intelligence and open source intelligence and allow capabilities like simultaneous search capabilities which can be automated providing a powerful tool for exploration of the intercepted data.

Another important requirement mentioned in the tender document is the systems capability to integrate with other interception and monitoring systems for 2G, 3G/UMTS and other evolving mobile carrier technologies including fixed line and Blackberry services and encrypted IP services like Skype services.

Conclusion
It is clear that a system like IMS with its extensive interception and analysis capabilities gives complete access to an agency or authority of all information that is accessed or transmitted by a person on the internet including information which is private and confidential such as email and instant messages. Although the state has the power to issue directions for interception or monitoring of information under the Information Technology Act, 2000 and certain rules are prescribed under section 69B, they are wholly inadequate compared to the scope and extent of the Internet Monitoring System and its scale of operations. The interception and monitoring systems that are either proposed or already in place effectively bypass the existing procedures prescribed under the Information Technology Act.

The issues, concerns and risks are only compounded when it comes to the Central Monitoring System. The solutions installed in present day interception and monitoring systems give the state unprecedented powers to intercept, monitor and analyze all the data of any person who access the internet. Tools like deep packet inspection and extensive data mining solutions in the absence of concrete safeguards and when deployed through a centralized system can be misused to censor any content including legitimate discourse. Also, the perception that access to a larger amount of data or all data can help improve intelligence can also be sometimes misleading and it must be asked whether the fundamental rights of the citizens of the state can be traded away under the pretext of national security. Furthermore, it is essential for the state to weigh the costs of such a project both economically and morally and balance it with sufficient internal measures as well as adequate laws so that the democratic values are persevered and not endangered by any act of reckless force.

Reiterating what has been said earlier, while it is important for the state to improve its intelligence gathering tools and mechanisms, it must not be done at the cost of a citizen’s fundamental right. It is the duty of the democratic state to endure and maintain a fine balance between national interest and fundamental rights through timely creation of equitable laws.

[*]. http://necessaryandproportionate.net/#_edn2

For more details visit https://cis-india.org/internet-governance/blog/moving-towards-surveillance-state

More than a Hundred Global Groups Make a Principled Stand against Surveillance

elonnai — 2013-07-31T14:26:38Z

For some time now there has been a need to update understandings of existing human rights law to reflect modern surveillance technologies and techniques.

Nothing could demonstrate the urgency of this situation more than the recent revelations confirming the mass surveillance of innocent individuals around the world.

To move toward that goal, today we’re pleased to announce the formal launch of the International Principles on the Application of Human Rights to Communications Surveillance. The principles articulate what international human rights law – which binds every country across the globe – require of governments in the digital age. They speak to a growing global consensus that modern surveillance has gone too far and needs to be restrained. They also give benchmarks that people around the world can use to evaluate and push for changes in their own legal systems.

The product of over a year of consultation among civil society, privacy and technology experts, including the Centre for Internet and Society (read here, here, here and here), the principles have already been co-signed by over hundred organisations from around the world. The process was led by Privacy International, Access, and the Electronic Frontier Foundation. The process was led by Privacy International, Access, and the Electronic Frontier Foundation.

The release of the principles comes on the heels of a landmark report from the United Nations Special Rapporteur on the right to Freedom of Opinion and Expression, which details the widespread use of state surveillance of communications, stating that such surveillance severely undermines citizens’ ability to enjoy a private life, freely express themselves and enjoy their other fundamental human rights. And recently, the UN High Commissioner for Human Rights, Nivay Pillay, emphasised the importance of applying human right standards and democratic safeguards to surveillance and law enforcement activities.

"While concerns about national security and criminal activity may justify the exceptional and narrowly-tailored use of surveillance programmes, surveillance without adequate safeguards to protect the right to privacy actually risk impacting negatively on the enjoyment of human rights and fundamental freedoms," Pillay said.

The principles, summarised below, can be found in full at necessaryandproportionate.org. Over the next year and beyond, groups around the world will be using them to advocate for changes in how present laws are interpreted and how new laws are crafted.

We encourage privacy advocates, rights organisations, scholars from legal and academic communities, and other members of civil society to support the principles by adding their signature.

To sign, please send an email to rights@eff.org, or visit https://www.necessaryandproportionate.org/about

Summary of the 13 principles

Legality: Any limitation on the right to privacy must be prescribed by law.
Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.
Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a legitimate aim.
Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfill the specific legitimate aim identified.
Proportionality: Decisions about communications surveillance must be made by weighing the benefit sought to be achieved against the harm that would be caused to users’ rights and to other competing interests.
Competent judicial authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
Due process: States must respect and guarantee individuals' human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.
User notification: Individuals should be notified of a decision authorising communications surveillance with enough time and information to enable them to appeal the decision, and should have access to the materials presented in support of the application for authorisation.
Transparency: States should be transparent about the use and scope of communications surveillance techniques and powers.
Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance.
Integrity of communications and systems: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain information.
Safeguards for international cooperation: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to communications surveillance, the available standard with the higher level of protection for users should apply.
Safeguards against illegitimate access: States should enact legislation criminalising illegal communications surveillance by public and private actors.

For more details visit https://cis-india.org/internet-governance/blog/more-than-hundred-global-groups-make-principled-stand-against-surveillance

Modi Govt compromising privacy of individuals: Cong

Admin — 2018-04-18T01:10:42Z

Charging the Narendra Modi Governemt with compromising the privacy of individuals by leaking user information on the Narendra Modi app, the Congress on Monday said the counter allegations by the BJP that the Opposition party was indulging in 'data theft' were an attempt to divert attention from the issue.

This was published by United News of India on March 26, 2018.

Talking to reporters here, AICC spokesperson Abhishek Manu Singhvi said, 'we have said repeatedly that the biggest assault on individual privacy has occurred under the watch of the Narendra Modi Government. Not only people’s money, but people’s privacy is also in question.

Even as startling revelations that the Narendra Modi app, run by the BJP is sharing data of millions of users with American companies emerge, the Modi Government mocks and flouts the ‘Right to Privacy’ with brazen impunity. While the Prime Minister’s Office, PMO India app, asks users to voluntarily part with their identity on 14 data points, the NaMo app asks for a sweeping access to 22 data points. The NaMo app records audio, video, contacts of your friends and family and even tracks your location via GPS. No wonder, Modi ji is like the ‘Bigg Boss’ who with brazenness likes to spy on Indians. The BJP whose IT (Identity Theft?) Minister does daily press conferences on the issue of data security and democracy, has much to answer to the people of India on the unscrupulous means by which Shri Narendra Modi’s personal app is accessing data and passing on data of more than 50 lakh Indians,' he alleged.

Describing the BJP allegations that the Congress was indulging in 'data theft' through its mobile app, Mr Singhvi said. 'the Modi Government is resorting to deflectionary and diversionary tactics. The Congress application had just 15,000 downloads against the 50 lakh Indians who downloaded the NaMo app. Also, the Congress application was discontinued as most of the users wanted to register offline.'

Accusing Mr Modi of misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by the government, Mr Singhvi said, 'Why does Mr Modi, in his own book ‘Exam Warriors’ urge you to download the NaMo app. Is he now planning to snoop in on minors? Mr Modi is misusing the Prime Minister’s position to build personal database with data on millions of Indians via the NaMo app promoted by Government. If as PM he wants to use tech to communicate with India, there is no problem in that. But use the official PMO app for it, not the NaMo app. This data belongs to India, not to Mr Modi.

Shockingly, data of atleast 13 lakh NCC cadets which include personal mobile phone numbers and email ID’s are being given to the Prime Minister’s Office for an interaction.'

Citing in this regard the report of a committee of experts appointed by the government on the issue of data protection, Mr Singhvi said, 'importantly, a Government appointed Committee of Experts (CoE) to look into a framework for data protection, headed by Justice (retd) BN Srikrishna has made scathing observations in a paper released in November 2017, against the Government and has shockingly implied (according to the media reports) that the Modi Government is collecting personal data illegally. The committee, which is currently in the process of conducting consultations, has also considered the SC judgment on privacy, says in its paper “The public and private sector are collecting and using personal data on an unprecedented scale. While data can be put to beneficial use, unregulated and arbitrary use of data, especially personal data, raise concerns relating to centralisation of databases, profiling of individuals, increased surveillance and a consequent erosion of individual autonomy.”

Alleging that under the Modi Government, not only the personal data of citizens was under serious threat, but there were multiple reports of data breaches in banks, Mr Singhvi said, 'astonishingly, under the Modi Government, not only the personal data of citizens is under serious threat, but multiple breaches in the banks. In an atmosphere where every single day there has been a bank fraud worth thousands of crores of rupees being reported, have resulted in one single question - how safe is our money in banks?

Banks and PSU’s have reported multiple breaches in recent past. A newspaper report on Monday said two online security experts have claimed that the Aadhaar database of two public-sector enterprises leaked select data and the vulnerability was fixed only a month after attention was drawn to it. This exposes their names, the 12-digit Aadhaar number and information of the services they have linked their Aadhaar card to. These services include bank details, policy details and other private information. This was corroborated by the UIDAI statement released on Sunday.

“It was left up there for more than a month — even though it had been reported to them directly,” claim the security experts. On February 23, 2018 a report had claimed that there was a data breach which had hit the the Punjab National Bank, whereby sensitive credit, debit card details of 10,000 customers were leaked. Quick Heal, a reputed software company in October 2017 had also claimed that there was a massive data breach in 6,000 government offices including banks. Earlier in 2016, as per media reports -- 32 lakh debit/credit cards of various Indian banks were compromised. The worst-hit was the State Bank of India along with certain private banks.'

He also charged the present Government of breach of Aadhaar data of individuals.

'In April 2014, the then Gujarat Chief Minister Narendra Modi had attacked Aadhaar and the UPA Government on its possible ‘security threat’. Life has now come full circle for the BJP. Just like numerous other issues, their blatant hypocrisy on Aadhaar is exposed. In January, this year, when a reputed newspaper in a sting exposed how 1 crore Aadhaar details can be accessed in just 10 minutes, by paying just Rs 500 in Chandigarh, the UIDAI had then filed an FIR against the reporter. Now the editor of the reputed media house has also been replaced.

We have seen it in May 4, 2017, when the Modi Government is on record in Supreme Court, accepting data breach in the Aadhaar scheme. Now the Attorney General in Supreme Court, while arguing that Aadhaar data remains safe and secure, says that the Aadhaar data remains secure behind a complex that has 13-ft high and five-feet thick walls, which is laughable and ludicrous, to say the least. On November 20, 2017, the UIDAI had accepted on record that –“More than 210 central and state government websites publicly displayed details such as names and addresses of Aadhaar beneficiaries”. Earlier too, ‘Centre for Internet and Society’, a Bengaluru-based organisation (CIS) in a study published on May 1, 2017, had found that data of more than 130 million Aadhaar card holders has been leaked from just four government websites. Therefore this is a serious issue. Clearly, neither our money, nor our Aadhaar details or our personal details are secure under the Modi Government.'

For more details visit https://cis-india.org/internet-governance/news/united-news-of-india-march-26-2018-modi-govt-compromising-privacy-of-individuals-congress

MLATs and the proposed Amendments to the US Electronic Communications Privacy Act

Vipul Kharbanda and Elonnai Hickok — 2016-12-28T01:09:34Z

In continuance of our blog post on mutual legal assistance treaties (MLATs), we examine a new approach to international bilateral cooperation being suggested in the United States, by creating a mechanism for certain foreign governments to directly approach the data controllers.

Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document.

In the previous article on MLATs we discussed, in some detail, what MLATs are and why they are needed. One area which was briefly focused upon in that article was the limitations and criticisms of the MLAT mechanism, of which one of the main criticisms being the problems caused due to different legal standards in various jurisdictions as well as the time taken to process a request for information sent from one country to another. Talking specifically about the United States, where most internet companies are headquartered and hold large amounts of data, it typically takes months to process requests under MLATs and foreign governments often struggle to comprehend and comply with the legal standards in the United States for obtaining data for use in their investigations.[1] The requirement that a foreign government should take permission from, and comply with the requirements of a foreign government simply because the data needed happens to be controlled by a service provider based in a foreign country strikes many foreign law enforcement officials as damaging to security and law enforcement efforts, especially when they are requesting data pertaining to a crime between two of their own citizens that primarily took place on their soil.[2]

These inefficiencies of the MLAT process lead to further problems of foreign governments attempting to apply their search and surveillance laws in an extraterritorial manner for example in 2014 the UK passed the Data Retention and Investigatory Powers Act, 2014 with gives the government the power to directly access data from foreign service providers if sought for specific purposes and the request is approved by the Secretary of State or other specified executive branch official.[3] Another response that may occur is if, frustrated by such inefficiencies of the existing systems, courts in foreign states start assuming extra territorial jurisdiction, as happened when a District Court in Vishakhapatnam restrained Google from complying with a subpoena issued by the Superior Court of California, ordering Google to share the password of the Gmail account belonging to an Indian citizen residing in Vishakhapatnam.[4]

Solution proposed in the United States

In order to overcome these inefficiencies, at least in the American context, the Department of Justice has proposed a legislation which seeks to make the process of foreign governments getting information from US based entities more streamlined by amending the provisions of the Electronic Communications Privacy Act (ECPA) of the United States (the “Amendment”). These amendments have been proposed primarily for the US and UK to effectuate a proposed bilateral agreement whereby the UK government will be able to approach US companies directly with requests for information without going through the MLAT process or getting an order from a US court.

The Amendment seeks to ensure that requests from foreign governments for information from US entities get answered in a smooth manner by including those requests in the process for seeking information under the ECPA itself. This move would no doubt, make it easier for foreign governments to access data in the US, but such a move can be criticized on the ground that it would then allow all states, irrespective of their legal standards of privacy, etc. to get access to such information. This problem has been overcome in the amendment by adding a new section to Title 18 which would allow the Attorney General, with the concurrence of the Secretary of State to certify to the Congress that the legal standards in the contracting state which is being given access to the mechanism under the ECPA satisfies certain requirements specified in the chapter (and discussed below). Only after such a certification has been received by the Congress, a contracting state would be able to receive the benefits sought to be granted under the Amendment.

It is important to note that the US administration is looking to use the US-UK Agreement as a standard to be followed for similar potential agreements with a number of other countries wherein the agencies in those countries could request information from US based entities through court orders through a properly specified legal framework. Though to our knowledge India has not been formally approached by the US government to enter into such an agreement, it is important to ask the question viz. if approached:

Does India's present legal system meet the standards laid down in the amendment to the ECPA?
And if they do, should India also seek to enter into such an Agreement with the United States?
And if India does, what could be the implications for citizens and for countries in a similar position as India?

We hope to be able to answer the above three questions, or at least throw some light on them, in the conclusion of this paper by relying upon the discussions contained herein.

Criticisms of the Amendment

While such a mechanism may be very effective in addressing the needs of security agencies in investigation and prevention of criminal activities, one cannot accept such an overarching change in cross border enforcement without analyzing the consequences that such a proposal will have on the right to privacy. Some of these consequences have been highlighted by experts responding to the amendment:

Lack of Judicial Authorisation: The Amendment requires that the foreign governments have a process whereby a person could seek post-disclosure review by an independent entity instead of a warrant by a court.[5] Although a court order is not the norm for interception even in Indian law, however under American law such protection is given to data held by American companies even though the data may belong to Indian citizens and this protection will no longer be available if the Amendment is passed.

Vague Standard for requests: Under the domestic law of any state there is usually a large amount of jurisprudence regarding when search orders can be issued, such as the “probable cause” standard that is followed in the United States or similar standards that may be followed in other jurisdictions. This ensures that even when the wording of the law is not precise, which it cannot be for such a subjective issue, there is still some amount of clarity around when and under what circumstances such warrants may be issued. In contrast, the Amendment requires that the orders be based on “requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” Although the language here may seem reasonable but in the absence of any jurisprudence backing it, it becomes very vague and susceptible to misuse. Disclosure without a Warrant: Under the current MLAT process as followed in the United States, a judge in the U.S. must issue a warrant based on probable cause in order for a U.S. company to turn over content to a foreign government. This requirement protects individuals abroad by requiring their governments to meet certain standards when seeking information held by U.S. companies. The Amendment seeks to remove this essential safeguard for a judicial warrant. The Amendment does not require requests from foreign governments to be based on a prior judicial authorization, since a large number of countries (including India) do not always require judicial orders for such orders.[6]

Allows Real Time Surveillance by Foreign Governments: American privacy rights activists have raised the concern that the Amendment would allow foreign governments to conduct ongoing surveillance by asking American companies to turn over data in real time. The requirements that the foreign governments would have to fulfill to execute such an order are less stringent than those which have to be fulfilled by the American security agencies if they want to indulge in similar activities. When the U.S. government wants to conduct real-time surveillance, it must comply with the Wiretap Act, which imposes heightened privacy protections.[7] The court orders for this purpose also require minimization of irrelevant information, are strictly time-limited, only available for certain serious crimes, etc.[8] In Indian law any such request, apart from being time limited and being available only for certain specified purposes, also has to satisfy that interception is the only reasonable option to acquire such information.

Process to determine which countries can make demands is not credible: Under the Amendment, the Attorney General and the Secretary of State, would decide whether the laws and practices of the foreign government adequately meet the standards set forth in the legislation for entering into a bilateral agreement. Their decisions would not be liable to be reviewed by a court or in any administrative procedure. They could make their determinations based on information which is not available to the public and the criteria for making the decision are vague and flexible. Further these criteria have been described as “factors” and not “requirements”[9] so that even if some of them are not satisfied, the certification process can still be completed.

Companies do not have the resources to determine if a request complies with the terms of the agreement: The Amendment does not provide any oversight to ensure that technology companies are only turning over information permitted in a specific bilateral agreement. For example, a bilateral agreement may permit disclosure of information only in response to orders that do not discriminate on the basis of religion, however, it may not be possible for the companies receiving the request to determine whether a particular request complies with that condition or not. The Amendment does not require that individual companies put in place requisite processes to weed out requests that may be non compliant with the provisions of the agreement; nor are there periodic audits to ensure that companies are properly responding to foreign government information requests.[10]

Non compliance with Human Rights Standards: Under international human rights law, governments are allowed to conduct surveillance only based on individualized and sufficient suspicion; authorized by an independent and impartial decision-maker; necessary and proportionate to achieve a legitimate aim, including by being the least intrusive means possible.[11] However the mechanism proposed by the Amendment falls woefully short of these standards.[12]

One must not lose sight of the fact that most of the criticisms of the proposal that have been discussed above have been made in the context of, and based on the standards of privacy protection that are available to American citizens. If we look at it from an Indian perspective most of those protections are not available to Indian citizens in any case since independent judicial oversight is not a sine qua non for access to information by the security agencies in India. Although the Amendment leaves open the question of how a request would be made by the foreign government to the individual Agreements, it may be safe to assume that were India to enter into such an Agreement with the United States, it would require the orders for access to comply with the standards laid down under Indian law before the relevant authorities send the request to the US based data controllers. At the least, this would ensure that the rights of Indian citizens currently guaranteed under Indian law, howsoever flawed they might be, would in all likelihood be safeguarded as per Indian law.

Certification from the Attorney General to the US Congress

In the above background if India were to enter into the agreement with the U.S Government apart from actually negotiating and signing that Agreement, the Indian government will also have to ensure (if the Amendment is passed) that the Attorney General of the United States, with the concurrence of the Secretary of State gives a certificate to the Congress that Indian law satisfies the requirements set forth in the proposed section XXXX of Title 18.

It must be kept in mind that if the negotiations between India and the United States in this regard reach such a mature stage that the certification from the Attorney General is required, then that would mean that there is enough political will on both sides to ensure that such an arrangement actually comes to fruition. In this context it would not be unfair to assume that the Attorney General may have a slight bias towards opining that Indian laws do conform to the requirements of the Amendment, as the Attorney General would want to support the decision taken by the administration, and our analysis shall have a similar bias in order to be more contextual.

The certification would, inter alia, contain the determination of the Attorney General:

That the domestic law of India affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the Indian government that will be subject to the agreement.It should be noted that the Amendment specifies various factors that should be taken into account to reach such a determination, which include whether the Indian government:

(i) has adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated through accession to the Budapest Convention on Cybercrime, or through domestic laws that are consistent with definitions and the requirements set forth in Chapters I and II of that Convention; Although India is not a signatory to the Budapest Convention the Information Technology Act, 2000 (which is the main legislation dealing with cybercrime) has penal provisions which have borrowed heavily from the provisions of the Budapest Convention.

demonstrates respect for the rule of law and principles of nondiscrimination;

The provisions of Article 14 as well as Article 21 of the Constitution of India demonstrates that the legal regime in India is committed to the rule of law and principles of non discrimination.

adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights (including but not limited to protection from arbitrary and unlawful interference with privacy; fair trial rights; freedoms of expression, association and peaceful assembly; prohibitions on arbitrary arrest and detention; and prohibitions against torture and cruel, inhuman, or degrading treatment or punishment);

India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India.

has clear legal mandates and procedures governing those entities of the foreign government that are authorized to seek data under the executive agreement, including procedures through which those authorities collect, retain, use, and share data, and effective of oversight of these activities;

India has a number of legislations which govern the interception and request for information such as the Information Technology Act, 2000, the Indian Telegraph Act, 1885, Code of Criminal Procedure, 1973, etc. which put in place mechanisms governing the authorities and entities which can ask for information.

has sufficient mechanisms to provide accountability and appropriate transparency regarding the government’s collection and use of electronic data; and

The Right to Information Act, 2005 provides the citizens the right to access any public document unless access to the same is prohibited due to the specific exemptions provided in the Act. It may be noted here that the provisions of the Right to Information Act are often frustrated by the bureaucracy by using exceptions such as “national security”, but for the purposes of this write up we are already assuming a bias towards fulfillment of these factors/conditions and therefore as long as there is even some evidence of compliance, the conditions will be considered as fulfilled by the Attorney General for the purposes of his certificate.

demonstrates a commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet.

The Telecom Regulatory Authority of India, which regulates telecom services in India has also issued the Prohibition of Discriminatory Tariffs for Data Services Regulations, 2016 which prohibits service providers from charging discriminatory tariffs for data services on the basis of content.

Other than Indian law, the certificate from the Attorney General will also have to certify certain issues which would have to be addressed in the bilateral agreement itself, viz.:

That the Indian government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement.
That the agreement requires the following with respect to orders subject to the agreement:

(i) The Indian government may not intentionally target a United States person or a person located in the United States, and must adopt targeting procedures designed to meet this requirement;

(ii) The Indian government may not target a non–United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States;

(iii) The Indian government may not issue an order at the request of or to obtain information to provide to the United States government or a third-party government, nor shall the Indian government be required to share any information produced with the United States government or a third-party government;

(iv) Orders issued by the Indian government must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism;

(v) Orders issued by the Indian government must identify a specific person, account, address, or personal device, or any other specific identifier as the object of the Order;

(vi) Orders issued by the Indian government must be in compliance with the domestic laws of India, and any obligation for a provider of an electronic communications service or a remote computing service to produce data shall derive solely from Indian law;

(vii) Orders issued by the Indian government must be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation;

(viii) Orders issued by the Indian government must be subject to review or oversight by a court, judge, magistrate, or other independent authority;

(ix) Orders issued by the Indian government for the interception of wire or electronic communications, and any extensions thereof, must be for a fixed, limited duration; interception may last no longer than is reasonably necessary to accomplish the approved purposes of the order; and orders may only be issued where that same information could not reasonably be obtained by another less intrusive method;

(x) Orders issued by the Indian government may not be used to infringe freedom of speech;

(xi) The Indian government must promptly review all material collected pursuant to the agreement and store any unreviewed communications on a secure system accessible only to those trained in applicable procedures;

(xii) The Indian government must segregate, seal, or delete, and not disseminate material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or seriously bodily harm to any person;

(xiii) The Indian government may not disseminate the content of a communication of a U.S. person to U.S. authorities unless the communication (a) may be disseminated pursuant to Section 4(a)(3)(xii) and (b) relates to significant harm, or the threat thereof, to the United States or U.S. persons, including but not limited to crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud;

(xiv) The Indian government must afford reciprocal rights of data access to the United States government;

(xv) The Indian government must agree to periodic review of its compliance with the terms of the agreement by the United States government; and

(xvi) The United States government must reserve the right to render the agreement inapplicable as to any order for which it concludes the agreement may not properly be invoked.

Conclusion

It is clear from the discussion above that the proposed Amendment is a controversial piece of legislation which will affect the way law enforcement is carried out in the internet. While there is no doubt that proposing an alternate mechanism to the existing inefficient MLAT structure is definitely the need of the hour, whether the mechanism proposed in the proposed Amendment, with all the negative implications on privacy, is the right way forward is far from certain.

As for the three questions that we had sought out to answer in the beginning of this paper, we would not like to say that Indian law definitely conforms to all the requirements listed in the Amendments, but it can safely be said that it appears that if the governments of India and the United States so wish, it would not be difficult for the Attorney General of the United States to be able to give a certification to the Congress as required in the proposed Amendment.

The other two questions as to whether India should try to opt for such an arrangement if given a chance and what would be the consequence for its people are somewhat related, in the sense that it is only by examining the consequences on its citizens that we will arrive at an answer as to whether India should opt for such an arrangement or not. The level of protections offered to Indian citizens under India law in terms of protection of their private data from government surveillance is lower than that which is offered to American citizens under American law. The growing influence of the internet is changing the citizen-state dynamic giving rise to increasing incidents where the government has to approach private actors for permission in order to carry out their governmental functions of providing security. This is because more and more private data of individual citizens is being uploaded on to the internet and controlled by private actors such as telecom companies, social media sites, etc. and the governments have to approach these private actors in case they want access to this information. The fact that the government has to approach private actors to get access to data gives private citizens some leverage to ask for better privacy protections in the context of state surveillance.

Although this proposed Amendment may not affect the local surveillance laws in India, however it would definitely have an effect on the way that citizens’ data is protected and accessed by the government.

[1] Explanation by the Assistant Attorney General attached to the proposed Amendment.

[2] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[3] https://www.justsecurity.org/24145/u-s-u-k-data-sharing-treaty/

[4] http://spicyip.com/2012/04/clash-of-courts-indian-district-court.html

[5] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[6] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[7] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[8] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[9] https://www.justsecurity.org/32529/foreign-governments-tech-companies-data-response-jennifer-daskal-andrew-woods/

[10] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[11] International Covenant on Civil and Political Rights, art. 17, Dec. 19, 1966, U.N.T.S 999, cf. https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

[12] https://www.aclu.org/letter/aclu-amnesty-international-usa-and-hrw-letter-opposing-doj-proposal-cross-border-data-sharing

For more details visit https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act

Misuse of Surveillance Powers in India (Case 1)

pranesh — 2013-12-06T09:37:24Z

In this series of blog posts, Pranesh Prakash looks at a brief history of misuse of surveillance powers in India. He notes that the government's surveillance powers have been freqently misused, very often without any kind of judicial or political redressal. This, he argues, should lead us as concerned citizens to demand a scaling down of the government's surveillance powers and pass laws to put it place more robust oversight mechanisms.

Case 1: Unlawful Phone-tapping in Himachal Pradesh

In December 2012, the government changed in Himachal Pradesh. The Bharatiya Janata Party (BJP) went out of power, and the Indian National Congress (INC) came into power. One of the first things that Chief Minister Virbhadra Singh did, within hours of taking his oath as Chief Minister on December 25, 2012, was to get a Special Investigation Team (SIT) to investigate phone tapping during the BJP government’s tenure.

On December 25th and 26th, 12 hard disk drives were seized from the offices of the Crime Investigation Department (CID) and the Vigilance Department (which is supposed to be an oversight mechanism over the rest of the police). These hard disks showed that 1371¹ phone numbers were targetted and hundreds of thousands of phone conversations were recorded. These included conversations of prominent leaders “mainly of” the INC but also from the BJP, including three former cabinet ministers and close relatives of multiple chief ministers, a journalist, and many senior police officials, including the Director General of Police.

Violations of the Law

While the law required the state’s Home Secretary to grant permission for each person that was being tapped, the Home Secretary had legitimately only granted permission in 34² cases. This leaves over a thousand cases where phones were tapped illegally, in direct violation of the law. The oversight mechanism provided in the law, namely the Review Committee under Rule 419A of the Indian Telegraph Rules, was utterly powerless to check this. Indeed, the internal checks for the police, namely the Vigilance Department, also seems to have failed spectacularly.

Every private telecom company cooperated in this unlawful surveillance, even though the people who were conducting it did so without proper legal authority. Clearly we need to revise our interception rules to ensure that these telecom companies do not cooperate unless they are served with an order digitally signed by the Home Secretary.

While all interception recordings are required to be destroyed within 6 months as per Rule 419A of the Indian Telegraph Rules, that rule was also evidently ignored and conversations going back to 2009 were being stored.

Concluding Concerns

What should concern us is not merely that such a large number of politicians/police officers were tapped, but that no criminal charges were brought about on the basis of these phone taps, indicating that much of it was being used for political purposes.

What should concern us is that the requirement under Section 5 of the Indian Telegraph Act, which covers phone taps, of the existence of a “public emergency” or endangerment of “public safety”, which is a prerequisite of phone taps as per the law and as emphasised by the Supreme Court in 1996 in the PUCL judgment, were blatantly ignored.

What should concern us is that it took a change in government to actually uncover this sordid tale.

1385 according to a Hindustan Times report [1]: http://indiatoday.intoday.in/story/himachal-pradesh-police-registers-first-fir-in-phone-tapping-scandal/1/285698.html↩
A Zee News report states 34 while it’s 171 according to a Mail Today report ↩

For more details visit https://cis-india.org/internet-governance/blog/misuse-surveillance-powers-india-case1

Microsoft says WannaCry ransomware must be a wake-up call for governments

praskrishna — 2017-06-07T00:55:40Z

Computer security experts said the current attack could have been much worse but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0. It has, however, retweeted a blog post by Brad Smith, president and chief legal officer at Microsoft, who directs much of the blame toward the USA government, arguing that it should have alerted the $524 billion tech titan about the problem.

The article was published in Journaldu Maghreb on May 20, 2017

"This is an emerging pattern in 2017", he continued. "We have seen vulnerabilities stored by the Central Intelligence Agency show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world", wrote Smith in a blog post on Sunday. Then there's the US government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen", Mr Smith wrote. Brad Smith, Microsoft's top lawyer, criticized US intelligence agencies for "stockpiling" software code that can be used by hackers. In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyberattacks on critical infrastructure and tech companies.

Cyber-security firm HumanFirewall said that on account of high use of pirated Windows operating system in India, it was more susceptible to the attack. Microsoft has connected previous exploits of its products released by the mysterious Shadow Brokers group to tools which were stolen from NSA cyber warfare operations. "All our systems are updated as required". This sophisticated, self-propagating malware was created to spread to all other computers on the same network after infecting one machine.

Estimates by law enforcement agency Europol estimated yesterday that more than 200,000 computers in 150 countries were infected, but with the worm continuing to spread to vulnerable Windows machines, that number will surely rise. When 22 year olds are the heroes of the anti-cyber attack fight, rather than the agencies tasked to defend countries against these types of threats, it is perhaps time to question what these organisations have been doing all this time? NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer. That dump included a vulnerability codenamed EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows Computer to another. Usually used by cyber criminals, ransomware is a popular means of making illicit money from victims who have to pay the criminals in order to have their data decrypted.

Today is likely to be painful for many organizations all over the world that took the weekend off and are returning to the work-week to find hundreds or thousands of computers on their networks encrypted by WannaCry ransomware, which surfaced Friday and has been propagating ever since. It was a stress-filled weekend for many IT workers this past weekend as the WannaCry ransomware attack spread, crippling Windows systems worldwide.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. "Otherwise they're literally fighting the problems of the present with tools from the past", he said. However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. This allowed users of the older systems to secure their computers without requiring an upgrade to the latest operating software.

For more details visit https://cis-india.org/internet-governance/news/journaldu-maghreb-may-20-2017-microsoft-says-wannacry-ransomware-must-be-a-wake-up-call

Messaging apps find another foe in India’s market regulator

praskrishna — 2013-06-05T10:46:32Z

Paranoid governments and mobile operators aren’t the only one that dislike messaging apps. Regulatory bodies aren’t crazy about them either. The Securities and Exchange Board of India (SEBI) is worried that attempts to pass on confidential information or manipulate markets are originating from within services like WhatsApp and Blackberry Messenger.

This blog post was published in Quartz on May 8, 2013. Elonnai Hickok is quoted.

The regulator already analyzes data from trades for irregularities through its “integrated market surveillance system”. That gives it an idea of what stocks are being manipulated. Now it wants to expand its horizons. The Press Trust of India reports that SEBI has looked into tracking Twitter and Facebook and is grappling with messaging apps—though as yet it has no systems in place for doing either, according to Elonnai Hickok of the Center for Internet Studies in Bangalore. A SEBI spokesperson could not be reached for comment.

Even if SEBI did start following you on Twitter, it cannot snoop on your WhatsApp messages. That sort of power is the preserve of intelligence and police authorities. And there is good reason for SEBI’s restricted powers. Keeping the markets clean may be an honorable pursuit, but the regulator hasn’t always used honorable means.

India’s finance minister last year said that SEBI would be allowed to request call records, which are the data kept by operators about who called whom, for how long and from where. Such information can help investigators discover sources of leaked information. It can also be used to figure out whether traders are trying to influence other investigators. But a freedom-of-information request recently revealed that SEBI had been requesting—and receiving—such data from carriers at least since 2009, well before it was supposedly allowed to do so.

For more details visit https://cis-india.org/news/quartz-may-8-2013-leo-mirani-messaging-apps-find-another-foe-in-indias-market-regulator

Meeting on Proactive Disclosure and Personal Data (Delhi, May 13, 5:30 pm)

sumandro — 2017-05-13T04:32:41Z

CIS is organising an informal discussion on topics related to proactive disclosure and personal data thrown up by the recently published report by Amber Sinha and Srinivas Kodali titled "Information Security Practices of Aadhaar (or lack thereof)". Please join us at 5:30 pm today, May 13, at the CIS office.

Read the report: PDF

Location

For more details visit https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13