<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 581 to 595.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/right-circle"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/iisc-students-boycott-uid"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ietf106"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ietf-105"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ietf-104-prague"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ietf-102-montreal"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law">
    <title>Incident Response Requirements in Indian Law</title>
    <link>https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law</link>
    <description>
        &lt;b&gt;Cyber incidents have serious consequences for societies, nations, and those who are victimised by them. The theft, exploitation, exposure of, or other damage to private, financial, or other sensitive personal or commercial data, and cyber attacks that damage computer systems, are capable of causing lasting harm.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;A recent example of such an attack from India is the data breach involving an alleged 3.2 million debit cards.&lt;a href="#_ftn1" name="_ftnref1"&gt;&lt;sup&gt;[1]&lt;/sup&gt;&lt;/a&gt; In the case of this hack, the payment processing networks such as National Payments Corporation of India, Visa and Mastercard informed the banks regarding the leaks, based on which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report this incident to the Computer Emergency Response Team of India (CERT-In) even though they are required by law to do so.&lt;a href="#_ftn2" name="_ftnref2"&gt;&lt;sup&gt;[2]&lt;/sup&gt;&lt;/a&gt; Such risks are increasingly faced by consumers, businesses, and governments. A person who is a victim of a cyber incident usually looks to receive assistance from the service provider and government agencies, which are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents. It is essential for an effective response to cyber incidents that authorities have as much knowledge regarding the incident as possible and have that knowledge as soon as possible. It is also critical that this information is communicated to the public. This underlines the importance of reporting cyber incidents as a tool in making the internet and digital infrastructure secure. Like any other crime, an Internet-based crime should be reported to those law enforcement authorities assigned to tackle it at a local, state, national, or international level, depending on the nature and scope of the criminal act.
This is the first in a series of blog posts highlighting the importance of incident reporting in the Indian regulatory context with a view to highlight the Indian regulations dealing with incident reporting and the ultimate objective of having a more robust incident reporting environment in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Incident Reporting under CERT Rules&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In India, section 70-B of the Information Technology Act, 2000 (the “&lt;b&gt;IT Act&lt;/b&gt;”) gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of the said provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “&lt;b&gt;CERT Rules&lt;/b&gt;”) which provide the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to the CERT-In. It also places an obligation on them to mandatorily report the following kinds of incidents as early as possible:&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;Targeted scanning/probing of critical networks/systems;&lt;/li&gt;
&lt;li&gt;Compromise of critical systems/information;&lt;/li&gt;
&lt;li&gt;Unauthorized access of IT systems/data;&lt;/li&gt;
&lt;li&gt;Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;&lt;/li&gt;
&lt;li&gt;Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;&lt;/li&gt;
&lt;li&gt;Attacks on servers such as database, mail, and DNS and network devices such as routers;&lt;/li&gt;
&lt;li&gt;Identity theft, spoofing and phishing attacks;&lt;/li&gt;
&lt;li&gt;Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;&lt;/li&gt;
&lt;li&gt;Attacks on critical infrastructure, SCADA systems and wireless networks;&lt;/li&gt;
&lt;li&gt;Attacks on applications such as e-governance, e-commerce, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;The CERT Rules also impose an obligation on service providers, intermediaries, data centres and body corporates to report cyber incidents within a reasonable time so that CERT-In may have scope for timely action. This mandatory obligation of reporting incidents casts a fairly wide net in terms of private sector entities; however, it is notable that prima facie the provision does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions “service providers”, “data centres”, “intermediaries” or “body corporate”. This would mean that if the data kept with the Registrar General &amp;amp; Census Commissioner of India is hacked in a cyber incident, then there is no statutory obligation under the CERT Rules on it to report the incident. It is pertinent to mention here that although there is no obligation on a government department under law to report such an incident, such an obligation may be contained in its internal rules and guidelines, etc. which are not readily available.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is pertinent to note that although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non-compliance. However, this does not mean that there are no consequences for non-compliance; it just means that we have to look to the parent legislation, i.e. the IT Act, for the appropriate penalties for non-compliance. Section 70B(6) gives the CERT-In the power to call for information and give directions for the purpose of carrying out its functions. Section 70B(7) provides that any service provider, intermediary, data center, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be liable to imprisonment for a period up to 1 (one) year or fine of up to 1 (one) lakh or both.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is possible to argue here that sub-section (6) only talks about calls for information by CERT-In and the obligation under Rule 12 of the CERT Rules is an obligation placed by the central government and not CERT-In. It can also be argued that sub-section (6) is only meant for specific requests made by CERT-In for information and sub-section (7) only penalises those who do not respond to these specific requests. However, even if these arguments were to be accepted and we were to conclude that a violation of the obligation imposed under Rule 12 would not attract the penalty stipulated under sub-section (7) of section 70B, that does not mean that Rule 12 would be left toothless. Section 44(b) of the IT Act provides that where any person is required under any of the Rules or Regulations under the IT Act to furnish any information within a particular time and such person fails to do so, s/he may be liable to pay a penalty of up to Rs. 5,000/- for every day such failure continues. Further, section 45 provides for a further penalty of Rs. 25,000/- for any contravention of any of the rules or regulations under the Act for which no other penalty has been provided.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Incident Reporting under Intermediary Guidelines&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Section 2(1)(w) of the IT Act defines the term “intermediary” in the following manner:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“intermediary” with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “&lt;b&gt;Intermediary Guidelines&lt;/b&gt;”) also imposes an obligation on any intermediary to report any cyber incident and share information related to cyber security incidents with the CERT-In. Since neither the Intermediary Guidelines nor the IT Act specifically provide for any penalty for non-conformity with Rule 3(9), any enforcement action against an intermediary failing to report a cyber security incident would have to be taken under section 45 of the IT Act containing a penalty of Rs. 25,000/-.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Incident Reporting under the Unified License&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Clause 39.10(i) of the Unified License Agreement obliges the telecom company to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and provide reports on the same to the Department of Telecom (DoT). Further clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the license, the telecom company shall be liable to pay a penalty amount of Rs. 50 crores (Rs. 50,00,00,000) per breach.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is clear from the above discussion that there is a legal obligation on service providers to report cyber incidents to the CERT-In. Presently, the penalty prescribed under Indian law may not be enough to incentivise companies to adopt comprehensive and consistent incident response programmes, except in cases of telecom companies under the Unified License Agreement. A fine of Rs. 25,000/- appears to be inconsequential when compared to the possible dangers and damages that may be caused due to a security breach of data containing, for example, credit card details. Further, it is also imperative that apart from the obligation to report the cyber incident to the appropriate authorities (CERT-In) there should also be a legal obligation to report it to the data subjects whose data is stolen or is put at risk due to the said breach. A provision requiring notice to the data subjects could go a long way in ensuring that service providers, intermediaries, data centres and body corporates implement the best data security practices since a breach would then be known by general consumers leading to a flurry of bad publicity which could negatively impact the business of the data controller, and for a business entity an economic stimulus may be an effective way to ensure compliance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As we continue to research incident response, the questions and areas we are exploring include the ecosystem of incident response, including what is reported, how, and when; appropriate incentives to companies and governments to report incidents; various forms of penalties; the role of cross-border sharing of information and jurisdiction; and best practices for incident reporting and citizen awareness.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document&lt;/i&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="#_ftnref1" name="_ftn1"&gt;&lt;sup&gt;[1]&lt;/sup&gt;&lt;/a&gt; &lt;a href="http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/"&gt;http://www.huffingtonpost.in/2016/10/21/atm-card-hack-what-banks-are-saying-about-india-s-biggest-data/&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="#_ftnref2" name="_ftn2"&gt;&lt;sup&gt;[2]&lt;/sup&gt;&lt;/a&gt; &lt;a href="http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025"&gt;http://tech.economictimes.indiatimes.com/news/internet/cert-in-had-warned-banks-on-oct-7-about-expected-targeted-attacks-from-pakistan/54991025&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law'&gt;https://cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-12-28T01:19:28Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/right-circle">
    <title>In the Right Circle</title>
    <link>https://cis-india.org/news/right-circle</link>
    <description>
        &lt;b&gt;I’ve been on Google Plus for a few weeks now. In the beginning, it felt like showing up early at a much-talked-up party. There was a small scatter of people, poking around, examining the place, making preliminary conversation with the few others they knew. Most of the talk was, unsurprisingly, about Google Plus. &lt;/b&gt;
        
&lt;p&gt;Unlike the crash-bang disaster of Google Buzz, its awkward attempt at social networking that alienated most users by publicly exposing their contact list, and then proceeded from error to error, Google Plus has been a low-key, careful affair.&lt;/p&gt;
&lt;p&gt;In the first two weeks, Google calibrated entry, depending on its capacity — letting early adopters and "power users" examine the platform and tell them what’s missing, and what works.&lt;/p&gt;
&lt;p&gt;Google Plus mimics the real world, where people interact in clusters, and relate outwards in concentric circles of trust, rather than Facebook’s megaphone model. You drag and drop people into different circles, and can either mark individual posts to specific circles and combinations (‘family’, ‘college buddies’, ‘artsy types’), or make them public to everyone. You can catch up on these circles separately, and toggle between your many worlds, or choose to read the great river of updates on your “public” stream. Google Plus shows you a civilised way of arranging your acquaintances, avoiding that playground-level, plaintive, Facebook question: "why am I in your limited profile?"&lt;/p&gt;
&lt;p&gt;In concept, Facebook also lets you slice your social world with friend lists, but it’s a tedious labour that few have undertaken. Design is everything — and Facebook was clearly not built for such fine-grained customisation, because everything about its default settings pointed the other way. In fact, its young CEO Mark Zuckerberg seemed to think an attachment to privacy was some faintly embarrassing, vestigial trait — the sooner we accept its obsolescence, the better.&lt;/p&gt;
&lt;p&gt;Facebook has a remarkably flat view of friendship. If your Facebook friends are too wide and various, it can make you clam up, conscious of what a few people might think. Most people, as social media scholar danah boyd has noted, tend to focus on a part of their network, mentally blocking out the rest.&lt;/p&gt;
&lt;p&gt;"I’d like to have separate interactions with my mother, my friends, my students and my university colleagues without bombarding my colleagues with my vacation pictures or boring my mother with research chatter," says Mallesh Pai, an academic who works on the economics of the internet. "Plus actually lets me do that."&lt;/p&gt;
&lt;p&gt;Facebook works with the fiction that there is a single self you present to the world – while, in fact, you are a posse of selves. You might be the naïve seeker in some contexts, the voice of authority in others. In the real world, you read others by their voice and expression, factor in their situations, and modulate your own speech accordingly. But in Facebookland, you talk at an invisible audience. The problem of “collapsed contexts”, and the anxiety of audience is Facebook’s most obvious flaw, and Google Plus has focused squarely on that aspect. It obviously works best for those who are acutely aware of social role-play and judgment. Many people may claim not to care about finessing their personalities to different audiences, or see the point of migrating to a new platform —but once you wrap your head around the rich, real-world aspect of Google Plus, it’s hard to imagine why you’d want to stay on Facebook.&lt;/p&gt;
&lt;p&gt;But it’s not just Facebook that Plus directly takes on — Twitter could also take a direct hit. The “following” circle lets you add people you don’t know personally, and see all their public posts. “Sometimes, it’s weird to realise you’re being followed by so many people you don’t know, but like on Twitter, it seems like too much effort to edit the list. Thankfully, there aren’t any spambots on Plus yet,” says Pranesh Prakash, a lawyer and policy advocate at the Bangalore-based Centre for Internet and Society. There’s no arbitrary 140-character limit, and there are coherent threads of conversation — in fact, the level of visible engagement on Plus makes Twitter look like “a boring RSS reader”, as someone observed.&lt;/p&gt;
&lt;p&gt;Apart from the Facebook and Twitter-type uses, Google Plus comes with a standout feature that’s all its own: Hangouts, spontaneous video chatting with up to 10 people. You start a hangout, and anyone may drop in to talk for a bit. “It’s trying to replicate the sort of gathering you have in a coffee shop, just drop in and chat about the news or whatever,” says Pai. It’s so obviously useful that Dell is reportedly considering dropping traditional customer service calls and choosing to hang out with Google instead. Yes, Facebook has recently teamed up with Skype in a self-declared "awesome" move — but Skype still makes you pay for multi-way video conferencing, and doesn’t offer the serendipitous pleasures of Hangout yet.&lt;/p&gt;
&lt;p&gt;Then there is Sparks, Google Plus’s attempt to push the right content at you – you pick from a variety of interests, and Google supplies a steady scroll of interesting links. Given how much info the company has on people, Sparks could become eerily spot-on.&lt;/p&gt;
&lt;p&gt;In fact, the chief problem with Google Plus may be that it tries to cram in too much, leaving users overwhelmed. The bewildering array of buttons and options may put off some, and right now, it’s difficult to control the signal-to-noise ratio. “It’s definitely not as over-complicated as Google Wave, which nobody could really figure out” says Pai. “And honestly, it would be difficult to imagine the kind of functionality that Plus provides being delivered in any other way.” Then there are some who are sceptical of Circles — saying that greater granularity isn’t going to take away the dilemmas of talking to a group. They predict that once the novelty wears off and Google Plus expands, you’ll be struggling to edit and divide your circles, and to pitch yourself right.&lt;/p&gt;
&lt;p&gt;So will Google Plus lure 750 million-plus Facebook and Twitter users away? "Don’t underestimate Facebook’s network benefits," says Prakash. “When I first went online in 1996, the first thing to do was to create an email address. Now the first thing that people do to mark an online entry is to create a Facebook account”.&lt;/p&gt;
&lt;p&gt;Besides, Google may not want to supplant Facebook as much as master an arena it has so far sucked at – the social world. As Pranesh Prakash says, “it’s not about competition with Facebook, as much as trying to improve Google’s own services, bring them together into a seamless whole and better understand its users.” Making social life machine-readable would obviously be the next big jackpot for Google, and it appears determined to invest the time, resources and effort in getting it exactly right. As Shimrit Ben-Yair, product manager of the social graph at Google, told Wired magazine’s Steven Levy, Google Plus could be a revolutionary service if it hits the sweet spot between Facebook oversharing and Twitter undersharing.&lt;/p&gt;
&lt;p&gt;Besides, most would agree that a spot of vigorous competition would be good for Facebook, which has played fast and loose with privacy policy — changing its defaults, and then reacting to the outcry that follows. "For too long, it was the only game in town. Facebook has innovated more in the three weeks that Plus has been around, than in a long time," says Pai.&lt;/p&gt;
&lt;p&gt;So far, Google Plus has been extra-solicitous of privacy, and adjusted on the fly to field testers’ feedback. It has jumped to attend to mistakes – like responding to complaints that a user’s gender should not be publicly available. When someone pointed out that even limited posts could be reshared by others, that technical hole was immediately plugged. "It’s very heartening to see that they’ve learnt from the mistakes of Facebook and Buzz," says Prakash. Unlike Facebook’s possessiveness about your information and pictures, Google’s Data Liberation policy is explicitly committed to letting you erase all personal traces whenever you want, and free yourself from any product.&lt;/p&gt;
&lt;p&gt;But as Prakash cautions, "Google may not have a coherent view of privacy across all its products — for all Google Plus’s delicacy and tact, Google Street View may have different ideas about what is acceptable." There are many who find it unnerving that a revenue-driven, publicly traded company should be the master switch of our information economy. Given Google’s girth and dominance, competitors can’t realistically wrest attention away, after a certain point.&lt;/p&gt;
&lt;p&gt;"Google is bigger because it’s better and better because it’s bigger", writes Siva Vaidyanathan in The Googlization of Everything. Google Plus, then, marks another large advance in the company’s stated mission to organise the world’s information. Even Pai admits that “if a new mail application came along, it would have to offer so much more than Google for me to consider shifting – given how Gmail does everything, syncs my calendar, knows my friends." But then again, he says, “Let’s judge Google not on what we think it is, but what it does. Everything that’s too big in a bad way, even those considered invincible, gets stopped eventually. Right now, I’m reading about Murdoch’s undoing with great glee – a few weeks back, who would have imagined that?"&amp;nbsp;&lt;/p&gt;
&lt;div class="pullquote"&gt;This article by&amp;nbsp;Amulya Gopalakrishnan was published in the Indian Express on July 24, 2011. The original story can be read&lt;a class="external-link" href="http://www.indianexpress.com/story-print/819917/"&gt; here&lt;/a&gt;&lt;/div&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/right-circle'&gt;https://cis-india.org/news/right-circle&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-08-23T07:40:57Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online">
    <title>In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online</title>
    <link>https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online</link>
    <description>
        &lt;b&gt;The Modi government has been trying to make Aadhaar mandatory for everything from Income Tax return, buying a SIM card, bank transaction, train ticket, air travel, mid-day meal government subsidies etc. &lt;/b&gt;
        &lt;p&gt;The blog post by Bobins Abraham was &lt;a class="external-link" href="http://www.indiatimes.com/news/india/in-the-biggest-data-leak-so-far-info-of-13-crore-aadhaar-card-holders-has-been-compromised-276911.html"&gt;published by India Times&lt;/a&gt; on May 3, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The government claims that the move will increase security and ensure that the benefits reach real people and are not syphoned off. But security experts have been pointing out the possibility of a &lt;a href="http://www.indiatimes.com/news/india/aadhaar-agency-says-there-is-no-misuse-of-biometrics-or-financial-loss-connected-to-it-272787.html" target="_blank"&gt;security breach in the system&lt;/a&gt; resulting in the sensitive biometric data reaching the hands of those who could misuse them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A study by Bengaluru-based think tank, Centre for Internet and Society has once again cemented these concerns. According to its report titled, "Information Security Practices of Aadhaar (or lack thereof): A documentation of the public availability of Aadhaar Numbers with sensitive personal financial information," Aadhaar data of as many as 13.5 crore card holders has already leaked online.&lt;/p&gt;
&lt;p&gt;The study revealed that the mass data leak happened due to security flaws in four government websites:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;National Social Assistance Programme &lt;/li&gt;
&lt;li&gt;National Rural Employment Guarantee Act (NREGA)&lt;/li&gt;
&lt;li&gt;Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh) &lt;/li&gt;
&lt;li&gt;Chandranna Bima Scheme run by Government of Andhra Pradesh &lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report was published even as the government continues to defend Aadhaar in the Supreme Court, saying that the move to &lt;a href="http://www.indiatimes.com/news/india/linking-pan-card-with-aadhaar-is-going-to-be-a-nightmare-if-your-name-has-initials-special-characters-275030.html" target="_blank"&gt;link Aadhaar with PAN cards&lt;/a&gt; was meant to put a stop to the number of individuals in possession of multiple PAN cards by putting a robust identification system in place. Attorney General Mukul Rohatgi said that this will help in curbing money laundering, the flow of black money and controlling the funding of terror.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online'&gt;https://cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-12T15:59:31Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights">
    <title>In India, Privacy Policies of Fintech Companies Pay Lip Service to User Rights</title>
    <link>https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights</link>
    <description>
        &lt;b&gt;A study of the privacy policies of 48 fintech companies that operate in India shows that none comply with even the basic requirements of the IT Rules, 2011.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Shweta Mohandas highlighting the key observations in Fintech study conducted by CIS was &lt;a class="external-link" href="https://thewire.in/tech/india-fintech-data-privacy"&gt;published in the Wire&lt;/a&gt; on July 30, 2019.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Earlier this month, an &lt;a href="https://www.huffingtonpost.in/entry/fintech-apps-privacy-snooping-credit-vidya_in_5d1cbc34e4b082e55373370a"&gt;investigation&lt;/a&gt; revealed that a Hyderabad-based fintech company called CreditVidya was sneakily collecting user data through their devotional and music apps to assess people’s creditworthiness.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This should be unsurprising as the privacy policies of most Indian fintech companies do not specify who they will be sharing the information with. Instead, they employ vague terminology to identify sharing arrangements such as ‘third-party’, ‘affiliates’ etc.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This is one of the many findings that we came across while analysing the &lt;a href="https://cis-india.org/internet-governance/files/Hewlett%20A%20study%20of%20FinTech%20companies%20and%20their%20privacy%20policies.pdf"&gt;privacy policies of 48 fintech companies&lt;/a&gt; that operate in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The study looked at how the privacy policies complied with the requirements of the existing data protection regime in India – the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) &lt;a href="https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf"&gt;Rules&lt;/a&gt;, 2011.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The &lt;a href="https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf"&gt;IT Rules&lt;/a&gt;, among other things, require that privacy policies specify the type of data being used, the purpose of collection, the third parties the data will be shared with, the option to withdraw consent and the grievance redressal mechanism.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The rules also require the privacy policy to be easily accessible as well as easy to understand. The problem is that they are not as comprehensive and specific as, say, the draft Personal Data Protection Bill, which is awaiting passage through parliament, and hence require the companies to do much less than privacy and data protection practices emerging globally.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Nevertheless, despite the limited requirements, none of the companies in our sample of 48 were fully compliant with the parameters set by the IT Rules.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While 95% of the companies did fulfil the basic requirement of actually formulating and having a privacy policy, two major players stood out as defaulters: Airtel Payments Bank and Bhim UPI, for which we were not able to locate a privacy policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though a majority of the privacy policies contained the statement “we take your privacy and security seriously”, 43% of the companies did not provide adequate details of the reasonable security practices and procedures followed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The requirement in which most companies did not provide information for was regarding a grievance redressal mechanism, where only 10% of the companies comply.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While 31% of the companies provided the contact of a grievance redressal officer (some without even mentioning the redressal mechanism), 37% of the companies provided contact details of a representative but did not specify if this person could be contacted in case of any grievance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Throughout the study, it was noted that the wording of the IT Rules allowed companies to use ambiguous terms to ensure compliance without exposing their actual data practices. For example, Rule 5 (7) requires a fintech company to provide an option to withdraw consent. Twenty three percent of the companies allowed the user to opt out or withdraw from certain services such as mailing list, direct marketing and in app public forums but they did not allow the user to withdraw their consent completely. While several of 17 companies did provide the option to withdraw consent, they did not clarify whether the withdrawal also meant that the user’s data was no processed or shared.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, when it came to data retention, most of the 27 companies that provided some degree of  information about the retention policy stated that some data would be stored for perpetuity either for analytics or for complying with law enforcement. The remaining 21 companies say nothing about their data retention policy.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;In local languages&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The issue of ambiguity most clearly arises when the user is actually able to cross the first hurdle – reading an app’s privacy policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With fintech often projected as one of the drivers of greater financial inclusion in India, it is telling that only one company (PhonePe) had the option to read the privacy policy in a language other than English. With respect to readability, we noted that the privacy policies were difficult to follow not just because of legalese and length, but also because of fonts and formatting – smaller and lighter texts, no distinction between paragraphs etc. added to the disincentive to read the privacy policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Privacy policies act as a notice to individuals about the terms on which their data will be treated by the entity collecting data. However, they are a monologue in terms of consent where the user only has the option to either agree to it or decline and not avail the services. Moreover, even the notice function is not served when the user is unable to read the privacy policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;They, thus, serve as mere symbols of compliance, where they are drafted to ensure bare minimum conformity to legal requirements. However, the responsibility of these companies lies in giving the user the autonomy to provide an informed consent as well as to be notified in case of any change in how the data is being handled (this could be when and whom the data is being shared with, if there has been a breach etc).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With the growth of fintech companies and the promise of financial inclusion, it is imperative that the people using these services make informed decisions about their data. The draft Personal Data Protection Bill – in its current form – would encumber companies processing sensitive personal data with greater responsibility and accountability than before. However, the Bill, similar to the IT Rules, endorses the view of &lt;a href="https://www.medianama.com/wp-content/uploads/Centre-for-Internet-and-Society-Submission-India-Draft-Data-Protection-Bill-Privacy-2018.pdf"&gt;blanket consent&lt;/a&gt;, where the requirement for change in data processing is only of periodic notice (Section 30 (2)), a lesson that needs to be learnt from the CreditVidya story.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In addition to blanket consent, the SPD/I Rules and well as the PDP Bill does not require the user to be notified in all cases of a breach. While the information that is provided to data subjects is necessary to be designed keeping the user in mind, neither the SPD/I Rules, nor the PDP Bill take into account the manner in which data flows operate in the context of ‘disruptive’ business models that are a hallmark of the ‘fintech revolution’.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights'&gt;https://cis-india.org/internet-governance/blog/the-wire-shweta-mohandas-july-30-2019-in-india-privacy-policies-of-fintech-companies-pay-lip-service-to-user-rights&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>shweta</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-07-31T02:21:40Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar">
    <title>In India, Prism-like Surveillance Slips Under the Radar</title>
    <link>https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar</link>
    <description>
        &lt;b&gt;Prism, the contentious U.S. data-collection surveillance program, has captured the world’s attention ever since whistle-blower Edward Snowden leaked details of global spying to the Guardian and Washington Post.

&lt;/b&gt;
        &lt;p&gt;The article by Anjan Trivedi was &lt;a class="external-link" href="http://world.time.com/2013/06/30/in-india-prism-like-surveillance-slips-under-the-radar/#ixzz2XoCbrn00"&gt;published in Time World&lt;/a&gt; on June 30, 2013. Sunil Abraham is quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;However, it turns out &lt;a href="http://topics.time.com/india/"&gt;India&lt;/a&gt;,  the world’s largest democracy, is building its own version to monitor  internal communications in the name of national security. Yet India’s  Central Monitoring System, or CMS, was not shrouded in secrecy — New  Delhi &lt;a href="http://www.dot.gov.in/sites/default/files/AR%20Englsih%2011-12_0.pdf"&gt;announced&lt;/a&gt; its intentions to watch over its citizens, however mutedly, in &lt;a href="http://pib.nic.in/newsite/erelease.aspx?relid=70747"&gt;2011&lt;/a&gt;, and rollout is slated for August. And while reports that the American system collected 6.3 billion &lt;a href="http://www.guardian.co.uk/world/2013/jun/08/nsa-boundless-informant-global-datamining"&gt;intelligence reports&lt;/a&gt; in India led to a &lt;a href="http://m.indianexpress.com/news/supreme-court-agrees-to-hear-pil-on-us-surveillance-of-internet-data/1131011/"&gt;lawsuit&lt;/a&gt; at the nation’s &lt;a href="http://topics.time.com/supreme-court/"&gt;Supreme Court&lt;/a&gt;, comparable indignation has been conspicuously lacking with the domestic equivalent.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;CMS is an ambitious surveillance system that monitors text messages,  social-media engagement and phone calls on landlines and cell phones,  among other communications. That means 900 million landline and  cell-phone users and 125 million Internet users. The project, which is  being implemented by the government’s &lt;a href="http://www.cdot.in/about_us/berif_history.htm"&gt;Centre for Development of Telematics&lt;/a&gt; (&lt;a href="http://pib.nic.in/newsite/erelease.aspx?relid=78145"&gt;C-DOT&lt;/a&gt;),  is meant to help national law-enforcement agencies save time and avoid  manual intervention, according to the Department of Telecommunications’ &lt;a href="http://www.dot.gov.in/sites/default/files/Telecom%20Annual%20Report-2012-13%20%28English%29%20_For%20web%20%281%29.pdf"&gt;annual report&lt;/a&gt;.  This has been in the works since 2008, when C-DOT started working on a  proof-of-concept, according to an older report. The government &lt;a href="http://planningcommission.nic.in/aboutus/committee/wrkgrp12/cit/wgrep_telecom.pdf"&gt;set aside&lt;/a&gt; approximately $150 million for the system as part of its 12th five-year  plan, although the Cabinet ultimately approved a higher amount.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Within the internal-security ministry though, the surveillance system  remains a relatively “hush-hush” topic, a project official unauthorized  to speak to the press tells TIME. In April 2011, the Police  Modernisation Division of the Home Affairs Ministry put out a 90-page  tender to solicit bidders for communication-interception systems in  every state and union territory of India. The system requirements  included “live listening, recording, storage, playback, analysis,  postprocessing” and voice recognition.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Civil-liberties groups concede that states often need to undertake  targeted-monitoring operations. However, the move toward extensive  “surveillance capabilities enabled by digital communications,” suggests  that governments are now “casting the net wide, enabling intrusions into  private lives,” according to Meenakshi Ganguly, South Asia director for  Human Rights Watch. This extensive communications surveillance through  the likes of Prism and CMS are “out of the realm of judicial  authorization and allow unregulated, secret surveillance, eliminating  any transparency or accountability on the part of the state,” a recent  U.N. &lt;a href="http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf"&gt;report&lt;/a&gt; stated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India is no stranger to censorship and monitoring — tweets, blogs,  books or songs are frequently blocked and banned. India ranked second  only to the U.S. on Google’s list of user-data requests with 4,750  queries, up &lt;a href="http://www.google.com/transparencyreport/userdatarequests/IN/"&gt;52% from two years back&lt;/a&gt;, and removal requests from the government &lt;a href="http://www.google.com/transparencyreport/removals/government/IN/?metric=items&amp;amp;p=2012-12"&gt;increased by 90%&lt;/a&gt; over the previous reporting period. While these were largely made  through police or court orders, the new system will not require such a  legal process. In recent times, India’s democratically elected  government has barred access to certain websites and Twitter handles,  restricted the number of outgoing text messages to five per person per  day and arrested citizens for liking Facebook posts and tweeting.  Historically too, censorship has been India’s preferred means of  policing social unrest. “Freedom of expression, while broadly available  in theory,” Ganguly tells TIME, “is endangered by abuse of various India  laws.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There is a growing discrepancy and power imbalance between citizens  and the state, says Anja Kovacs of the Internet Democracy Project. And,  in an environment like India where “no checks and balances [are] in  place,” that is troubling. The potential for misuse and  misunderstanding, Kovacs believes, is increasing enormously. Currently,  India’s laws relevant to interception “disempower citizens by relying  heavily on the executive to safeguard individuals’ constitutional  rights,” a recent &lt;a href="http://www.indianexpress.com/news/way-to-watch/1133737/0"&gt;editorial&lt;/a&gt; noted. The power imbalance is often noticeable at public protests, as  in the case of the New Delhi gang-rape incident in December, when the  government shut down public transport near protest grounds and  unlawfully detained demonstrators.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With an already sizeable and growing population of Internet users,  the government’s worries too are on the rise. Netizens in India are set  to triple to 330 million by 2016, &lt;a href="http://startupcatalyst.in/wp-content/uploads/2013/05/From_Buzz_to_Bucks_Apr_2013_tcm80-132875.pdf"&gt;according to a recent report&lt;/a&gt;.  “As [governments] around the world grapple with the power of social  media that can enable spontaneous street protests, there appears to be  increasing surveillance,” Ganguly explains.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India’s junior minister for telecommunications attempted to explain the benefits of this system during a &lt;a href="http://www.youtube.com/watch?v=rwTsek5WUfE"&gt;recent Google+ Hangout&lt;/a&gt; session. He acknowledged that CMS is something that “most people may  not be aware of” because it’s “slightly technical.” A participant noted  that the idea of such an intrusive system was worrying and he did not  feel safe. The minister, though, insisted that it would “safeguard your  privacy” and national security. Given the high-tech nature of CMS, he  noted that telecom companies would no longer be part of the government’s  surveillance process. India currently does &lt;a href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights"&gt;not&lt;/a&gt; have formal privacy legislation to prohibit arbitrary monitoring. The new system comes under the &lt;a href="http://pib.nic.in/newsite/erelease.aspx?relid=71791"&gt;jurisdiction&lt;/a&gt; of the Indian Telegraph Act of 1885, which allows for monitoring communication in the “interest of public safety.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The surveillance system is not only an “abuse of privacy rights and  security-agency overreach,” critics say, but also counterproductive in  terms of security. In the process of collecting data to monitor criminal  activity, the data itself may become a target for terrorists and  criminals — a “honeypot,” according to Sunil Abraham, executive director  of India’s Centre for Internet and Society. Additionally, the  wide-ranging tapping undermines financial markets, Abraham says, by  compromising confidentiality, trade secrets and intellectual property.  What’s more, vulnerabilities will have to be built into the existing  cyberinfrastructure to make way for such a system. Whether the nation’s  patchy infrastructure will be able to handle a complex web of  surveillance and networks, no one can say. That, Abraham contends, is  what attackers will target.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;National security has widely been cited as the reason for this  system, but no one can say whether it will actually help avert terrorist  activity. India’s own 9/11 is a case in point: the Indian government  was handed intelligence by foreign agencies about the possibility of the  2008 Mumbai terrorist attacks, but did not act. This is a “clear  indication that having access to massive amounts of data is not  necessarily going to make people safer,” Kovacs tells TIME. However,  officers familiar with the new system say it will not increase  surveillance or enhance intrusion beyond current levels; it will only  strengthen the policy framework of privacy and increase &lt;a href="http://pib.nic.in/newsite/erelease.aspx?relid=80829"&gt;operational efficiency&lt;/a&gt;.  Spokespersons and officials in the internal-security and telecom  departments did not respond to requests or declined to comment.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government has been cagey about details on implementation and &lt;a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=70791"&gt;extent&lt;/a&gt;.  This ability to act however the authorities deems fit “just makes it  really easy to slide into authoritarianism, and that is not acceptable  for any democratic country,” Kovacs says. Indeed, India has seen that  before — almost four decades ago, Indira Gandhi declared a state of  emergency for 19 months, which suspended all civil liberties. Indians  complaining about Prism may want to look a little closer to home.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar'&gt;https://cis-india.org/news/time-world-anjan-trivedi-june-30-2013-in-india-prison-like-surveillance-slips-under-the-radar&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Surveillance</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-07-03T09:31:18Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws">
    <title>In India, Biometric Data Storage Sparks Demands for Privacy Laws</title>
    <link>https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws</link>
    <description>
        &lt;b&gt;In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Anjana Pasricha was &lt;a class="external-link" href="http://www.voanews.com/content/india-biometrics-privacy/3243744.html"&gt;published in Voice of America&lt;/a&gt; on March 18, 2016. Pranesh Prakash gave inputs.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof identity, allowing corrupt officials to siphon entitlements.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Critics fear ‘police state’&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian opposed passage of the legislation and found no comfort in Jaitley's assurances.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Fraud concerns&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Nearly one billion biometric identity cards have been issued in India in the last six years.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws'&gt;https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-03-23T02:27:05Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals">
    <title>Implications of post-Snowden Internet Localization Proposals</title>
    <link>https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals</link>
    <description>
        &lt;b&gt;Sunil Abraham was a speaker in this workshop organized by Center for Democracy and Technology on September 2, 2014.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Following the 2013-2014 disclosures of large-scale pervasive  surveillance of Internet traffic, various proposals to "localize"  Internet users' data and change the path that Internet traffic would  take have started to emerge.&lt;br /&gt; &lt;br /&gt; Examples include mandatory storage  of citizens' data within country, mandatory location of servers within  country (e.g. Google, Facebook), launching state-run services (e.g.  email services), restricted transborder Internet traffic routes,  investment in alternate backbone infrastructure (e.g. submarine cables,  IXPs), etc.&lt;br /&gt; &lt;br /&gt; Localization of data and traffic routing strategies  can be powerful tools for improving Internet experience for end-users,  especially when done in response to Internet development needs. On the  other hand, done uniquely in response to external factors (e.g. foreign  surveillance), less optimal choices may be made in reactive moves.&lt;br /&gt; &lt;br /&gt; How can we judge between Internet-useful versus Internet-harmful  localisation and traffic routing approaches? What are the promises of  data localization from the personal, community and business  perspectives? What are the potential drawbacks? What are implications  for innovation, user choice and the availability of online services in  the global economy? What impact might they have on a global and  interoperable Internet? What impact (if any) might these proposals have  on user trust and expectations of privacy?&lt;br /&gt; &lt;br /&gt; The objective of the  session is to gather diverse perspectives and experiences to better  understand the technical, social and economic implications of these  proposals.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For full details &lt;a class="external-link" href="http://igf2014.sched.org/event/df8e8e82fbe7f80f8d8d50e316d3feea#.VDENqFdIOo8"&gt;see the IGF website&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals'&gt;https://cis-india.org/internet-governance/news/implications-of-post-snowden-internet-localization-proposals&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-10-05T08:59:27Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/iisc-students-boycott-uid">
    <title>IISc students boycott UID, don’t want Big Brother to keep watch</title>
    <link>https://cis-india.org/news/iisc-students-boycott-uid</link>
    <description>
        &lt;b&gt;The programme doesn’t have statutory backing. It is still in parliament &lt;/b&gt;
        
&lt;p&gt;Nandan Nilekani may be Bangalore’s blue-eyed boy making waves at the national level with his Unique Identification Number (UID), but there’s one part of the city that’s not impressed: A section of students and faculty of Indian Institute of Science (IISc).&lt;/p&gt;
&lt;p&gt;While many Bangaloreans have started enrolling for UID, the students are in boycott mode and say they will never do so.&lt;/p&gt;
&lt;p&gt;Professor Shiv Sethi, astrophysics department, Raman Research Institute, said, “They (the authorities) have moved faster than us by starting the enrolment. It was during the discussion phase that we tried to impress upon them the loopholes of UID. Now that they have started the enrolment, it’s our turn to protest. We will meet and discuss with other like-minded people.”&lt;/p&gt;
&lt;p&gt;IIScians say they don’t want to be under surveillance and that they are not comfortable with giving away their personal details since studies have proved how unsafe electronic data can be. The programme has been scrapped in the UK, they said.&lt;/p&gt;
&lt;p&gt;In fact, when Nilekani visited IISc a few months back to deliver a lecture, the anti-UID group protested with placards and banners that read, ‘Beware, Big Brother is watching you’ and ‘Secure electronic archive is a myth’.&lt;/p&gt;
&lt;p&gt;And now, apart from not signing up, some students are even considering burning copies of UID forms, a la team Anna burning copies of the draft Lokpal bill.&lt;/p&gt;
&lt;p&gt;Prathamesh, a scholar, said: “UID is not going to solve problems of leakages. The government should universalise the PDS system to control misuse of subsidised foodgrain that find their way to restaurants. The project is fraught with loopholes and doesn’t have statutory backing. I will burn copies of the forms.”&lt;/p&gt;
&lt;p&gt;Prathamesh added that the UID project was the brainwave of software companies who do not have a regular stream of revenue.&lt;/p&gt;
&lt;p&gt;Even IISc alumni are putting up a fight. One of them who participated in the protest said, “I will not register. The programme does not have statutory backing. It is still in parliament. First, they said it was voluntary. Now, they are trying to link it to banks, LPG connections and other utilities.”&lt;/p&gt;
&lt;p&gt;Sethi added, “A few people have approached the court. We will decide the next course of action.”&lt;/p&gt;
&lt;p&gt;There are others who have doubts. Consumer activist Chandrasekhar of Malleswaram feels that he needs to clarify all his doubts before enrolling. “I spoke with the officials. They told me it was voluntary. But now, it looks like they are linking it with other utilities.”&lt;/p&gt;
&lt;blockquote class="webkit-indent-blockquote"&gt;
&lt;p&gt;Nishant Shah, director, research, Centre for Internet Society, said, "We need to check for three issues: data retention, data protection and data privacy. Only after these issues are resolved can we have a UID for every citizen."&amp;nbsp;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;span class="Apple-style-span"&gt;This article by&amp;nbsp;Sameer Ranjan Bakshi was published in the Bangalore Mirror on August 23, 2011. The original story can be read &lt;a class="external-link" href="http://www.bangaloremirror.com/article/10/20110823201108230010571621d4f13b8/IISc-students-boycott-UID-don%E2%80%99t-want-Big-Brother-to-keep-watch.html"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/iisc-students-boycott-uid'&gt;https://cis-india.org/news/iisc-students-boycott-uid&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-08-23T08:24:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose">
    <title>If data is the new oil, how much does an Indian citizen lose?</title>
    <link>https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose</link>
    <description>
        &lt;b&gt;Surveillance capitalism is the business model of the Internet, so what exactly are we talking about here?&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Saurya Sengupta was published in the &lt;a class="external-link" href="http://www.thehindu.com/sci-tech/technology/location-location-location/article23393171.ece"&gt;Hindu&lt;/a&gt; on March 31, 2018. Sunil Abraham was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” That was the former executive chairman of Google, Eric Schmidt, trying to convince users that the tech giants did care about their privacy, ironically enough. But that was in 2010.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Fast forward eight years, and a lot has changed. The world has been rattled by revelations that the personally identifiable data of about 50 million Facebook users was breached by an analytics firm. Since then, the skeletons haven’t stopped tumbling out, with the news that the NaMo app asks for as many as 22 permissions from users, and that the official Congress app, since deleted, was vulnerable to data breach.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Bruce Schneier, an American security technologist and fellow at Harvard University’s Berkman Klein Center for Internet &amp;amp; Society, in his book &lt;em&gt;Data and Goliath&lt;/em&gt;, says: “Google knows what kind of porn each of us searches for, which old lovers we still think about, our shames, our concerns, and our secrets.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So, what does any of this mean for us, the lay users?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It may be helpful to start by asking what this ‘data’ is. “Whenever you use any service on your phone or browser, you end up giving a lot more information than you consciously recall. This includes not just the content of your interactions, but also metadata and so on,” says Nayantara Ranganathan, manager of the &lt;a href="http://www.thehindu.com/tag/541-428/internet/?utm=bodytag"&gt;&lt;span&gt;Internet &lt;/span&gt;&lt;/a&gt;Democracy Project’s Freedom of Expression programme. Metadata is, simply put, data about your data. So, for example, your location information, what time you were home, how many times you made calls to a certain number, and so on.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“This is known as behavioural data,” says Sunil Abraham, executive director of The Centre for Internet &amp;amp; Society, “which includes how fast or slow you scrolled, how long you stayed on a page, how many times you went to a particular part of a website, and so on.”&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Bhajan or you?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;This is not just data gathered by the large Facebook and Gmail apps, but also by a lot of the smaller ones. An app that plays bhajans, for example, may mine your data and share it. And what do the third parties do with this? Well, the idea is to simply embed you further in a consumerist panopticon.&lt;/p&gt;
&lt;div class="infobox-container ng_infobox" style="float: left; text-align: justify; "&gt;
&lt;div class="infobox-heading"&gt;To FB or not to be&lt;/div&gt;
&lt;div class="infobox-description"&gt;
&lt;ul&gt;
&lt;li&gt;As #DeleteFacebook gets louder, users agonise about leaving Facebook on Facebook, irony be damned&lt;/li&gt;
&lt;li&gt;Truth is, quitting FB won't help. Because it's also about Google Photos and Maps and Candy Crush and Which Disney Villain Are You&lt;/li&gt;
&lt;li&gt;In the absence of laws, you've no control of what apps can do with your data. Even after you've 'deleted' it&lt;/li&gt;
&lt;li&gt;Facebook doesn't take responsibility for data collected by apps, and refers users to app developers instead&lt;/li&gt;
&lt;li&gt;Quitting FB and other apps might be a privilege and not an option for most&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p style="text-align: justify; "&gt;“Surveillance capitalism is the business model of the Internet, and all social media apps make their money collecting data on users and monetising that,” says Schneier.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Lots of apps have no revenue generation. Their only benefit is data,” says Manan Shah, founder and CEO of Avalance Global Solutions, a cyber security firm. In fact, he says, apps like WhatsApp are the obvious suspects while the smaller ones, like the bhajan one, slip under the radar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;All of it is part of ‘lead generation’ — the process of identifying potential customers for a service or business. “A call-centre is useless without data,” Shah says. “If I want to sell you an antivirus, for instance, a company will identify filters — who owns a computer, who has already purchased an antivirus, and so on. I can then target that user. This filtered data is often your full name, bank details, data about your debit and credit cards.” Abraham says there is another fairly obvious purpose for all this data collection – to get you to spend as much time on the said platform as possible.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This explains why, for example, when you Google something, the suggested searches are often tailored in an eerie manner. If you search for a word, the second search suggestion will offer to get that word translated into the local language. So if you’re in Chennai, Tamil, or into Marathi if you’re in Mumbai.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This is a product of profiling your location data as well as behavioural data. “Imagine the kind of insights your location information over the course of a month can expose: your residence, where you spend your mornings, your route to work, your loved one’s residence, and more,” says Ranganathan.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Users are often not aware that they’ve given their consent to sharing this data,” says Nikhil Pahwa, digital rights activist. “The terms and conditions of every app are so complicated and voluminous that often you have no way of knowing what something is being used for and what you’ve given your permission to. That’s a failure of the kind of consent we have today,” he says. If an app developer, quips Pahwa, puts in a condition saying the user will name their first child after the app, the user is more than likely to click on ‘I agree’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While the failure to make consent transparent is illegal, data collection in itself is a grey area. And what constitutes ‘misuse’ of data is murky because of the lack of regulations and clear outlines. “What if a salon has your phone number and sends an SMS saying your haircut is due,” asks S. Anand, CEO of data science firm Gramener. “Would you consider that misuse?”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It gets more ominous.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;We’ll use it some day&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;At present, India has no law to stop apps from sharing your data with data brokers or data analytics firms. “The tendency has been to collect as much data as you can, even if it isn't relevant to your business today, because it might be some day or, better still, it might be valuable to others,” says Amba Kak, a Mozilla technology policy fellow. “This is why we need a law to say — collect what you need, not what you want.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If, as an Indian citizen, your data today is breached, misused or sold, there is little you can do about it. “At most, users can be more vigilant about the apps they download, what permissions they give, and evaluate whether there are better alternatives,” says Ranganathan.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“One can approach a court and seek redress under the IT Act,” says Abraham, “but only if you have suffered a loss of property or money. If your data has been breached or leaked, and you haven’t suffered a monetary or property loss, there’s nothing you can do.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Justice Srikrishna committee, set up in July, is right now working on a draft data protection bill. The committee published a white paper last November, and a final report is expected by end of May. “The white paper itself looks fantastic,” Abraham tells me.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;An ideal data protection law, says Kak, “will reflect the Supreme Court’s recent decision that all interference with the right to privacy must be necessary and proportionate.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If data sharing is inevitable in the digital age, then it could be made illegal, for instance, to share data that can identify individuals. Anand says, “This could be done by replacing all names with a new random name or by aggregating total purchases by store and product rather than by individual purchase.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So in an era where we have been casually asked to accept that ‘data is the new oil’, who is the biggest loser? “Framing 'data' as the new oil is dangerous,” says Ranganathan. Kak agrees: “This is a tired analogy that doesn't seem to get us anywhere except to recognise that data is a source of profit for the private sector.” She would rather go with Turkish sociologist Zeynep Tufekci’s definition where we think of data privacy like clean air or safe drinking water. “It is a public good that we need to safeguard as a collective through laws that make controllers of data accountable,” says Kak.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose'&gt;https://cis-india.org/internet-governance/news/the-hindu-march-31-2018-saurya-sengupta-if-data-is-new-oil-how-much-an-indian-citizen-lose&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-04-03T15:42:31Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ietf106">
    <title>IETF106</title>
    <link>https://cis-india.org/internet-governance/news/ietf106</link>
    <description>
        &lt;b&gt;Gurshabad Grover participated at IETF106, which was held in Singapore 16-22 November, 2019.&lt;/b&gt;
        &lt;p class="moz-quote-pre"&gt;In the meeting of the Human Rights Protocol Considerations (hrpc) research group, I presented an update to draft-irtf-hrpc-guidelines-03 (Guidelines for Human Rights Protocol and Architecture Considerations), which is an Internet Draft adopted by the hrpc rg that I am co-editing with Niels ten Oever. &lt;a class="external-link" href="https://datatracker.ietf.org/doc/draft-irtf-hrpc-guidelines/"&gt;More info here&lt;/a&gt;.&lt;/p&gt;
&lt;p class="moz-quote-pre" style="text-align: justify; "&gt;Among other working/research group meetings, I participated in the Transport Layer Security (tls) and the Privacy Enhancements and Assessments research group (pearg) sessions. I also participated in several side meetings, including the Public Interest Technology Group (pitg) meeting.&lt;/p&gt;
&lt;p class="moz-quote-pre" style="text-align: justify; "&gt;Agenda for the IETF and the different WGs/RG can be found on the &lt;a class="external-link" href="https://datatracker.ietf.org/meeting/106/agenda"&gt;IETF website&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ietf106'&gt;https://cis-india.org/internet-governance/news/ietf106&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-12-15T06:14:02Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ietf-105">
    <title>IETF 105</title>
    <link>https://cis-india.org/internet-governance/news/ietf-105</link>
    <description>
        &lt;b&gt;Gurshabad Grover attended a meeting of the Internet Engineering Task Force (IETF), IETF105, held in Montreal from July 20 - 26.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Gurshabad &lt;span&gt;participated in several IETF working group meetings, IRTF research group meetings and other sessions, including ones on Captive Portals, Transport Layer Security, Applications Doing DNS, DNS Privacy, and Software Updates for IoT Devices. &lt;/span&gt;&lt;span&gt;At the meeting of the Human Rights Protocol Considerations (hrpc) research group of the IRTF, I co-presented (with Niels ten Oever) an update to the Internet Draft we are editing, 'Guidelines for Human Rights Protocol and Architecture Considerations'. For more info, &lt;a class="external-link" href="https://www.ietf.org/blog/ietf-105-highlights/"&gt;click here&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ietf-105'&gt;https://cis-india.org/internet-governance/news/ietf-105&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-08-13T01:38:36Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ietf-104-prague">
    <title>IETF 104 Prague</title>
    <link>https://cis-india.org/internet-governance/news/ietf-104-prague</link>
    <description>
        &lt;b&gt;Karan Saini and Gurshabad Grover participated in IETF 104 organized by IETF in Prague from 23rd March to 29th March 2019.&lt;/b&gt;
        &lt;p&gt;Karan Saini:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Attended and scribed for the Privacy Enhancements and Assessments Proposed Research Group (PEARG) session.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Attended and made interventions in the Stopping Malware and Researching Threats (SMART RG) research group session. &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Attended: DNS Over HTTPS (DOH), Domain Name System Operations (DNSOP), Transport Layer Security (TLS) and Authentication and Authorization for Constrained Environments (ACE WG) group sessions &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;Attended side meetings: Public Interest Technology (PITG) and Web Packaging (webpack)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Gurshabad Grover:&lt;/p&gt;
&lt;div id="_mcePaste"&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Attended and made interventions in the Captive Portals (capport) and &lt;span&gt;Registration Protocols Extensions (regext) working groups. Also attended &lt;/span&gt;&lt;span&gt;the meetings of the Transport Layer Security (TLS), DNS Privacy, and DNS &lt;/span&gt;&lt;span&gt;over HTTPS (DoH) working groups and the Privacy Enhancements and &lt;/span&gt;&lt;span&gt;Assessments Proposed Research Group (PEARG). Additionally, attended the &lt;/span&gt;&lt;span&gt;Public Interest Technology Group (PITG) and Centralisation of DNS &lt;/span&gt;&lt;span&gt;Services side meetings.&lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;At the meeting of the Human Rights Protocol Considerations (HRPC) &lt;span&gt;research group, I presented an update to draft-irtf-hrpc-guidelines &lt;/span&gt;&lt;span&gt;('Guidelines for Human Rights Protocol and Architecture &lt;/span&gt;&lt;span&gt;Considerations'), which I am co-editing with Niels ten Oever. &lt;/span&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;At the IETF Hackathon, I explored the use of differential privacy for &lt;/span&gt;&lt;span&gt;privacy-preserving latency measurement in the QUIC protocol (with Amelia &lt;/span&gt;&lt;span&gt;Andersdotter and Shivan Kaul Sahib). We will continue the research to &lt;/span&gt;&lt;span&gt;see whether differential privacy techniques are viable/useful for IETF &lt;/span&gt;&lt;span&gt;protocols.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;hr /&gt;
&lt;p&gt;For more information visit &lt;a class="external-link" href="https://www.ietf.org/how/meetings/104/"&gt;IETF website&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ietf-104-prague'&gt;https://cis-india.org/internet-governance/news/ietf-104-prague&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-04-12T01:04:47Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ietf-102-montreal">
    <title>IETF 102 Montreal</title>
    <link>https://cis-india.org/internet-governance/news/ietf-102-montreal</link>
    <description>
        &lt;b&gt;The Internet Engineering Task Force (IETF) organized IETF 102 Montreal at Fairmont Queen Elizabeth Montreal in Canada from July 14 - 20, 2018. Gurshabad Grover participated remotely in the meetings of several Working Groups.
&lt;/b&gt;
        &lt;ul&gt;
&lt;li&gt;Meeting agenda of IETF102: &lt;a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/meeting/agenda"&gt;https://datatracker.ietf.org/meeting/agenda&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;On July 19, in the meeting of the Human Rights Protocol Considerations (HRPC) Research Group, Gurshabad presented a review of the human rights considerations in the drafts of the Software Update for IoT Devices (SUIT) Working Group. His presentation was based on the review written by him and Sandeep Kumar, which is &lt;a class="external-link" href="https://mailarchive.ietf.org/arch/msg/suit/vH6PL5czghj5eLohdZgLysCwElc"&gt;archived here&lt;/a&gt;. &lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;Agenda of the HRPC session @ IETF102: &lt;a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/meeting/102/materials/agenda-102-hrpc-05"&gt;https://datatracker.ietf.org/meeting/102/materials/agenda-102-hrpc-05&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ietf-102-montreal'&gt;https://cis-india.org/internet-governance/news/ietf-102-montreal&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-08-01T22:42:31Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop">
    <title>IDRC - Open Development Book - Authors' Workshop</title>
    <link>https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop</link>
    <description>
        &lt;b&gt;Sumandro Chattapadhyay participated in the authors' workshop organized by the International Development Research Centre (IDRC) and the Centre for Innovation in Learning and Teaching at the University of Cape Town in South Africa on March 11 and 12, 2017. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The workshop gathered the contributors to an upcoming book by IDRC on open development. This volume will continue, extend, and reflect back on the previously published "Open Development: Networked Innovations in International Development" (Edited by Matthew L. Smith and Katherine M. A. Reilly). Elonnai Hickok, Gus Hosein from Privacy International and Sumandro Chattapadhyay are writing a chapter for this book that is tentatively titled "Six Principles for Openness and Privacy in the Time of Data Revolution".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This chapter will bring together personal and institutional experiences from policy advocacy and grounded practice in open data and privacy across the “South” and the “West” to discuss a potential framing of these two concerns as not opposing but complementary rights. We locate this discussion of openness and privacy within the context of the ongoing “data revolution”, and propose six principles towards engaging with present and future challenges in generation and management of, innovation with, and reliance on data as an economic and social resource.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop'&gt;https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Openness</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-03-29T03:47:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question">
    <title>Identity of the Aadhaar Act: Supreme Court and the Money Bill Question</title>
    <link>https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question</link>
    <description>
        &lt;b&gt;A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view. It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation. Vanya Rakesh and Sumandro Chattapadhyay wrote this article on The Wire.&lt;/b&gt;
        
&lt;p&gt;Published by and cross-posted from &lt;a href="http://thewire.in/2016/05/09/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question-34721/"&gt;The Wire&lt;/a&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, &lt;a href="http://www.thehindu.com/news/national/opposition-picks-holes-in-aadhaar-bill/article8361213.ece"&gt;faced opposition&lt;/a&gt; ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. &lt;a href="http://www.thehindu.com/news/national/jairam-ramesh-moves-supreme-court-against-treating-aadhaar-bill-as-money-bill/article8446997.ece"&gt;A writ petition has been filed by former Union minister Jairam Ramesh on April 6&lt;/a&gt; challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.&lt;/p&gt;
&lt;p&gt;It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.&lt;/p&gt;
&lt;h3&gt;The money bill question&lt;/h3&gt;
&lt;p&gt;M.R. Madhavan &lt;a href="http://indianexpress.com/article/opinion/columns/aadhaar-bill-money-bill-name-of-the-bill-2754080/"&gt;has argued&lt;/a&gt; that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta &lt;a href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/"&gt;calls this a subversion&lt;/a&gt; of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, &lt;a href="http://indianexpress.com/article/opinion/columns/show-me-the-money-4/"&gt;expressed concern&lt;/a&gt; about the attempts to pass off financial bills like Aadhaar as money bills as a means to &lt;a href="http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece"&gt;circumvent&lt;/a&gt; and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is &lt;a href="http://indianexpress.com/article/opinion/columns/making-a-money-bill-of-it/"&gt;an unconstitutional act&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;imposition and regulation of any tax,&lt;/li&gt;
&lt;li&gt;financial obligations undertaken by Indian Government,&lt;/li&gt;
&lt;li&gt;payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,&lt;/li&gt;
&lt;li&gt;appropriation of money and expenditure charged on the CFI or receipt, and&lt;/li&gt;
&lt;li&gt;custody, issue or audit of money into CFI or public account of India.&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.&lt;/p&gt;
&lt;h3&gt;A case of procedural irregularity?&lt;/h3&gt;
&lt;p&gt;The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is &lt;a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/480476/Money_Bills__12_Nov_2015___accessible_PDF_.pdf"&gt;conclusive&lt;/a&gt; for all purposes under section 3 of the Parliament Act 1911, the speaker is &lt;a href="http://www.publications.parliament.uk/pa/ld201011/ldselect/ldconst/97/9703.htm"&gt;required to consult&lt;/a&gt; two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.&lt;/p&gt;
&lt;p&gt;Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of &lt;em&gt;procedural irregularity&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of &lt;a href="https://indiankanoon.org/doc/1757390/"&gt;&lt;em&gt;Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others&lt;/em&gt;&lt;/a&gt; (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in &lt;a href="https://indiankanoon.org/doc/1686885/"&gt;&lt;em&gt;Kihoto Hollohan vs Zachillhu and Ors.&lt;/em&gt;&lt;/a&gt; (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.&lt;/p&gt;
&lt;p&gt;Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In &lt;a href="https://indiankanoon.org/doc/1249806/"&gt;&lt;em&gt;Ramdas Athawale vs Union of India&lt;/em&gt;&lt;/a&gt; (2010), the case of &lt;a href="https://indiankanoon.org/doc/638013/"&gt;&lt;em&gt;Keshav Singh vs Speaker, Legislative Assembly&lt;/em&gt;&lt;/a&gt; (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under &lt;a href="https://indiankanoon.org/doc/981147/"&gt;Article 32&lt;/a&gt;, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in &lt;a href="https://indiankanoon.org/docfragment/108219590/?formInput=lokayukta"&gt;&lt;em&gt;Mohd. Saeed Siddiqui vs State of Uttar Pradesh&lt;/em&gt;&lt;/a&gt; (2014) and &lt;a href="https://indiankanoon.org/doc/199851373/"&gt;&lt;em&gt;Yogendra Kumar Jaiswal vs State of Bihar&lt;/em&gt;&lt;/a&gt; (2016).&lt;/p&gt;
&lt;p&gt;Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, thereby allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.&lt;/p&gt;
&lt;h3&gt;National implications demand public deliberation&lt;/h3&gt;
&lt;p&gt;As the provisions of the Aadhaar Act have &lt;a href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/"&gt;far reaching implications&lt;/a&gt; for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.&lt;/p&gt;
&lt;p&gt;The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As &lt;a href="http://www.thehoot.org/media-watch/law-and-policy/aadhar-why-classification-matters-in-law-making-9281"&gt;Smarika Kumar argues&lt;/a&gt;, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as &lt;a href="http://indianexpress.com/article/opinion/columns/making-a-money-bill-of-it/"&gt;Arvind Datar notes&lt;/a&gt;, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.&lt;/p&gt;
&lt;p&gt;Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the &lt;a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf"&gt;Standing Committee on Finance&lt;/a&gt;, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations &lt;a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"&gt;passed in the Rajya Sabha recently&lt;/a&gt;. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from &lt;a href="http://www.caravanmagazine.in/vantage/how-get-married-without-aadhaar-number"&gt;marriages&lt;/a&gt; to the &lt;a href="http://www.thehindu.com/news/national/payment-denied-for-nrega-workers-without-uidai-cards-in-jharkhand/article5674969.ece"&gt;guaranteed work programme&lt;/a&gt; should also be addressed and responses sought from the Union government.&lt;/p&gt;
&lt;p&gt;Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such legislation.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question'&gt;https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Vanya Rakesh and Sumandro Chattapadhyay</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UID</dc:subject>
    
    
        <dc:subject>Big Data</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    

   <dc:date>2016-05-09T11:52:44Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
