Centre for Internet and Society

Data Protection and Privacy in India: The (Fundamental) Right Way

Admin — 2017-11-27T14:01:02Z

Amber Sinha attended a roundtable conference on data protection and privacy on October 30, 2017 at India Habitat Centre in New Delhi. The close-door event was organised by the Indian Council for Research on International Economic Relations.

Participants at the conference discussed:

Role of consent in data protection, how it should be configured in India
Conflicts between the data minimization principle and big data
Governance approaches to data protection
Propertarian view of data
Need for capacity building in India and institutions who should be involved in the data protection regime, and
Cross border data flows and data localisation

For more details visit https://cis-india.org/internet-governance/news/data-protection-and-privacy-in-india-the-fundamental-right-way

Data Privacy: Footprints on the Web

Admin — 2018-06-25T16:48:34Z

Technology has made data protection a hot button issue. Now, a group of eminent citizens, mostly lawyers, have formulated a draft privacy bill, a legal framework that protects the individual’s right to privacy, but it faces legal jurisdiction issues

The blog post by Sujit Bhar was published in IndiaLegal on June 21, 2018.

Lack of data privacy is a modern day peril. Quite like the individual’s right to privacy—one that has been raised to the level of a Fundamental Right by the Supreme Court—data privacy today is prime, because technology has made our lives fully dependant on associated data. Hence, by extension of the same logic and arguments that the top court used for personal privacy, data privacy should be protected.

The methodology to be adopted, though, is not as easy to determine given the lack of legislation in the field, the improbability of existing technology to ensure complete privacy and because of legal jurisdiction issues.

Also, to what extent data privacy can and should be allowed is a legal argument that needs to be supported by other fields of knowledge. The Supreme Court decision to award privacy as a Fundamental Right will act as a plinth in determining this.

To that end a group of eminent citizens, mostly lawyers, came together and formulated a draft privacy bill with the objective of slicing through banal arguments that would ensue if this was to wait for public re-reference/debate.

The proponents—Apar Gupta, Gautam Bhatia, Kritika Bhardwaj, Maansi Verma, Naman M Aggarwal, Praavita Kashyap, Prasanna S, Raman Jit Singh Chima, Ujwala Uppaluri and Vrinda Bhandari—have tried to develop their own privacy bill, based on the foundation of the Privacy (Protection) Bill, 2013, “which was drafted over a series of roundtables and inputs conducted by the Centre for Internet and Society, Bangalore”.

In doing so the group started from what it calls “seven privacy principles”, derived from various constitutional and expert texts.

Principle 1: Individual rights are at the centre of privacy and data protection.

This says that “the individual and her rights are primary. The law on privacy must empower you by advancing your right to privacy…”including “your right to autonomy and dignity.

Principle 2: A data protection law must be based on privacy principles.

Here reference is made to the report of the Justice AP Shah Committee of Experts. It’s a method that has been left flexible, to accommodate fast developing technology. There is a reference to Moore’s Law in this. Moore’s Law has remained one of the most overwhelmingly true laws of the IT industry. Originating in 1970, it says that processor speeds, or overall processing power for computers “will double every two years”. While that has remained true till now, with the development of multiple core processors, this law too has seemingly run its course. With the world changing at such a fast pace, if the data privacy bill/law does not remain flexible, it would also be quickly consigned to a museum of laws. Hence this flexible approach will be crucial.

Principle 3: A strong privacy commission must be created to enforce the privacy principles.

This is the part of establishing an oversight authority, “a strong body to ensure that the data protection rights are put into practice and enforced”. This structure has been treated for something “that works in principle and in practice.”

There is one part that says that this proposed “Privacy Commission”, has been “provided wide powers of investigation, adjudication, rule-making and enforcement. The Commission should adopt an approach that builds accountability for the rights of users by having powers to impose penalties that are proportionate to the harm and build deterrence.” This, obviously, means that it will be stepping onto the toes of other laws and that would be a rough road to navigate. However, as the group’s own philosophy says that the problem with technology oriented legislation is that it takes catching up with the progress of technology. To overcome this, the group wants to “make sure that the Privacy Code is not outdated” and hence wants to make sure that the “Privacy Commission can exercise rule making powers to give effect to the data protection principles under the regulation”.

The other part of the philosophy is of acknowledging and addressing public complaints. Hence the legal rigidity of regular acts would be dismissed. How this can work with enforcement agencies, though, will remain a matter of debate. The draft bill says that the “Privacy Commission must serve as the forum for the redressal of the general public’s grievances”, and that “Privacy Commissions should have the ability to investigate (independently through the office of a Director General), hold hearings and pass orders with directions and fines”.

That could be legal nightmare, because unlike a simple code, the bill has to pass through parliament to become an act, and legislators are the ones who have final say in remodelling an existing law. How much power they would agree to delegate is anybody’s guess.

Of course, the draft also calls for the courts to welcome public opinion. There seems to be a slight hitch in the wording, which says that “…while the Privacy Commission serves as the forum for redressal, the public should retain the remedies of approaching the civil courts (even in instances where harm is suffered by a group of people) and of filing police complaints directly”. That questions even the oversight authority of the commission. There is another objective—a hope, one would say—that the Privacy Commission must have jurisdiction over the government, as it does over the private sector. The Privacy Commission should have overriding power and superintendence over all legal entities in matter of data protection and privacy”. While this sounds good on paper, the issue of national security can override all. At this point, according to a cyber security expert, there is talk within the Indian government on how to deal with the social media messaging app WhatsApp. Technically, as the company points out, messaging through an app is encrypted (military grade encryption, it is said) end-to-end. Hence terrorist groups have zeroed in on this as a common idea exchange platform. There could possibly be restrictive legislation on this. That could strike at the heart of data privacy.

The government’s reaction, though, could become counter-productive. This could be visible in what the Justice Srikrishna-led Committee of Experts possibly could recommend.

Principle 4: The government should respect user privacy. Technically, if this bill, in its current form, has to go through parliament, members of both houses should be willing to accept that it will have no snooping powers, ever. The way the government fought tooth and nail against personal privacy in court—and the Aadhaar verdict is still awaited—this proposal seems unlikely to have an easy passage. The draft says: “It is imperative that the government, its arms, bodies and programmes be compliant with the privacy protection principles through a data protection law.”

There is a caveat within this, saying: “We support the use of digital technologies for public benefit. However, they should not be privileged over fundamental rights.” The proposal also says: “The government is responsible for the delivery of many essential services to the public of India. These services must not be withheld from an individual, due to such individual not sharing data with the government. Withholding services on the pretext of requirement of collection of data effectively amounts to extortion of consent. Individuals cannot be forced to trade away their data and citizenship at the altar of being permitted to use government services and access legal entitlements on welfare.” This will have to wait its validation or dismissal through the Aadhaar verdict.

Principle 5: A complete privacy code comes with surveillance reform

This is another tricky issue for any government. It talks about how the Snowden revelations “brought to public knowledge that our personal data is collected in an indiscriminate manner by governments”. The draft calls this collection procedure “dragnet surveillance”, because it “contravenes the principles of necessity, proportionality and purpose limitation”. Necessity and proportionality have been argued in detail during the Aadhaar debate in court and till that verdict is out, it would, possibly, not be right to delve into this, though a recommendation for procedural safeguards might run into the same wall as in the case of encrypted software in social media apps. The draft accepts the possibility of “individual interception and surveillance”, but says “this should be severely limited in substance and practice through procedural safeguards”.

Principle 6: The right to information needs to be strengthened and protected

This basically refers to the Right to Information Act and seems completely justified, with Information Commissioners being “exempted from interference or control by the Privacy Commissioner”.

Principle 7: International protections and harmonisation to protect the open internet must be incorporated

Another contentious issue, being fuelled by the loss of face by Facebook in its effort to introduce graded access (with paywalls).

The group widens its scope in stating that “we need to be guided by the Supreme Court’s Right to Privacy decision and make reference to the European Union’s General Data Protection Regulation”. More interestingly, the group admits that every law will have certain exceptions. It says: “…but without clear wording sometimes exceptions swallow up the rule. We adopted a three part test in our drafting process in which any exceptions to these privacy principles should be: (a) worded clearly; (b) limited in purpose, necessary and proportionate to the aim; and (c) accompanied by sufficient procedural safeguards”.

On the face of it, the overall draft represents a novel and upright way of thinking, and if some of this is accepted while the government mulls the Justice Srikrishna Committee’s recommendations (expected late this month), it would be a good beginning.

For more details visit https://cis-india.org/internet-governance/news/india-legal-live-june-21-2018-data-privacy

Data Privacy Forum

Admin — 2018-03-01T01:31:56Z

Amber Sinha took part in the Data Privacy Forum organized by the Asian Business Law Institute on February 7, 2018. The forum was held at the Supreme Court of Singapore.

The forum was organised to discuss the findings of a compendium of country reports on cross border data flow regulations in countries from Asia and Australia, and the way forward. The forum had attendance from 18 countries and had about 90 participants. Elonnai Hickok and Amber Sinha were the reporters for India. Amber was a speaker on the first panel on “Adoption and reform of data protection laws in Asia: how legal systems adapt to global developments and regulatory competition”.

Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-forum

Data Privacy Day 2016

praskrishna — 2016-01-29T15:34:18Z

The Bangalore chapter of Data Privacy Day was organized by Data Security Council of India on January 28, 2016 at Electronic City in Bangalore. Sunil Abraham was a panelist.

Agenda

For more details visit https://cis-india.org/internet-governance/news/data-privacy-day-2016

Data Privacy Day 2014

praskrishna — 2014-02-04T05:34:59Z

January 28 is annually celebrated as Data Privacy Day (DPD). Data Security Council of India (DSCI) organized the annual meeting J N Tata Hall, Bldg 1, Infosys Campus, Infosys Ltd., Electronics City, Bangalore. Elonnai Hickok was a panelist.

Programme Details

2:30 - 3:00 p.m.: Keynote address by Srinath Batni, Member of the Board, Infosys
3:00 - 4:30 p.m.: Panel Discussion on "Privacy today and tomorrow in Indian and Global Context"

Panelists:

M D Sharath, Deputy Superintendent of Police, Cyber Crimes Division, CID Headquarters, Karnataka Police
Srinivas Poosarla, Associate Vice President and Head (Global), Privacy & Data Protection, Infosys Ltd
Joshi Joseph, Senior Information Risk Manager, ING Vyasa Bank
Na.Vijayashankar (Naavi), Information Assurance Consultant
Elonnai Hickok, Policy & Advocacy Associate, Centre for Internet & Society (CIS)

IT Product / Internet services company

Panel will be moderated by Rahul Jain, Principal Consultant, DSCI

4:30- 5:00 p.m.: Presentation on Privacy by Rahul Jain, Principal Consultant, DSCI
5:00- 5:30 p.m.: High Tea

For more info on the event see here.

For more details visit https://cis-india.org/news/data-privacy-day-2014

Data Privacy and Citizen's Rights' Symposium Report

Admin — 2019-04-05T02:24:09Z

The Technology Law Forum at the National Academy of Legal Studies and Research (NALSAR) has published the Report on Data Privacy and Citizen's Rights' Symposium.

This report is a compilation of all the speakers' speeches during the panel discussion. Shweta Mohandas was one of the eight speakers at the panel and the excerpts from her presentation has also been covered in this report. Click to read more

For more details visit https://cis-india.org/internet-governance/news/data-privacy-and-citizens-rights-symposium-report

Data Infrastructures and Inequities: Why Does Reproductive Health Surveillance in India Need Our Urgent Attention?

Aayush Rathi and Ambika Tandon — 2019-12-30T16:44:32Z

In order to bring out certain conceptual and procedural problems with health monitoring in the Indian context, this article by Aayush Rathi and Ambika Tandon posits health monitoring as surveillance and not merely as a “data problem.” Casting a critical feminist lens, the historicity of surveillance practices unveils the gendered power differentials wedded into taken-for-granted “benign” monitoring processes. The unpacking of the Mother and Child Tracking System and the National Health Stack reveals the neo-liberal aspirations of the Indian state.

The article was first published by EPW Engage, Vol. 54, Issue No. 6, on 9 February 2019.

Framing Reproductive Health as a Surveillance Question

The approach of the postcolonial Indian state to healthcare has been Malthusian, with the prioritisation of family planning and birth control (Hodges 2004). Supported by the notion of socio-economic development arising out of a “modernisation” paradigm, the target-based approach to achieving reduced fertility rates has shaped India’s reproductive and child health (RCH) programme (Simon-Kumar 2006).

This is also the context in which India’s abortion law, the Medical Termination of Pregnancy (MTP) Act, was framed in 1971, placing the decisional privacy of women seeking abortions in the hands of registered medical practitioners. The framing of the MTP act invisibilises females seeking abortions for non-medical reasons within the legal framework. The exclusionary provisions only exacerbated existing gaps in health provisioning, as access to safe and legal abortions had already been curtailed by severe geographic inequalities in funding, infrastructure, and human resources. The state has concomitantly been unable to meet contraceptive needs of married couples or reduce maternal and infant mortality rates in large parts of the country, mediating access along the lines of class, social status, education, and age (Sanneving et al 2013).

While the official narrative around the RCH programme transitioned to focus on universal access to healthcare in the 1990s, the target-based approach continues to shape the reality on the ground. The provision of reproductive healthcare has been deeply unequal and, in some cases, in hospitals. These targets have been known to be met through the practice of forced, and often unsafe, sterilisation, in conditions of absence of adequate provisions or trained professionals, pre-sterilisation counselling, or alternative forms of contraception (Sama and PLD 2018). Further, patients have regularly been provided cash incentives, foreclosing the notion of free consent, especially given that the target population of these camps has been women from marginalised economic classes in rural India.

Placing surveillance studies within a feminist praxis allows us to frame the reproductive health landscape as more than just an ill-conceived, benign monitoring structure. The critical lens becomes useful for highlighting that taken-for-granted structures of monitoring are wedded with power differentials: genetic screening in fertility clinics, identification documents such as birth certificates, and full-body screeners are just some of the manifestations of this (Adrejevic 2015). Emerging conversations around feminist surveillance studies highlight that these data systems are neither benign nor free of gendered implications (Andrejevic 2015). In continual remaking of the social, corporeal body as a data actor in society, such practices render some bodies normative and obfuscate others, based on categorisations put in place by the surveiller.

In fact, the history of surveillance can be traced back to the colonial state where it took the form of systematic sexual and gendered violence enacted upon indigenous populations in order to render them compliant (Rifkin 2011; Morgensen 2011). Surveillance, then, manifests as a “scientific” rationalisation of complex social hieroglyphs (such as reproductive health) into formats enabling administrative interventions by the modern state. Lyon (2001) has also emphasised how the body emerged as the site of surveillance in order for the disciplining of the “irrational, sensual body”—essential to the functioning of the modern nation-state—to effectively happen.

Questioning the Information and Communications Technology for Development (ICT4D) and Big Data for Development (BD4D) Rhetoric

Information and Communications Technology (ICT) and data-driven approaches to the development of a robust health information system, and by extension, welfare, have been offered as solutions to these inequities and exclusions in access to maternal and reproductive healthcare in the country.

The move towards data-driven development in the country commenced with the introduction of the Health Management Information System in Andhra Pradesh in 2008, and the Mother and Child Tracking System (MCTS) nationally in 2011. These are reproductive health information systems (HIS) that collect granular data about each pregnancy from the antenatal to the post-natal period, at the level of each sub-centre as well as primary and community health centre. The introduction of HIS comprised cross-sectoral digitisation measures that were a part of the larger national push towards e-governance; along with health, thirty other distinct areas of governance, from land records to banking to employment, were identified for this move towards the digitalised provisioning of services (MeitY 2015).

The HIS have been seen as playing a critical role in the ecosystem of health service provision globally. HIS-based interventions in reproductive health programming have been envisioned as a means of: (i) improving access to services in the context of a healthcare system ridden with inequalities; (ii) improving the quality of services provided, and (iii) producing better quality data to facilitate the objectives of India’s RCH programme, including family planning and population control. Accordingly, starting 2018, the MCTS is being replaced by the RCH portal in a phased manner. The RCH portal, in areas where the ANMOL (ANM Online) application has been introduced, captures data real-time through tablets provided to health workers (MoHFW 2015).

A proposal to mandatorily link the Aadhaar with data on pregnancies and abortions through the MCTS/RCH has been made by the union minister for Women and Child Development as a deterrent to gender-biased sex selection (Tembhekar 2016). The proposal stems from the prohibition of gender-biased sex selection provided under the Pre-Conception and Pre-Natal Diagnostics Techniques (PCPNDT) Act, 1994. The approach taken so far under the PCPNDT Act, 2014 has been to regulate the use of technologies involved in sex determination. However, the steady decline in the national sex ratio since the passage of the PCPNDT Act provides a clear indication that the regulation of such technology has been largely ineffective. A national policy linking Aadhaar with abortions would be aimed at discouraging gender-biased sex selection through state surveillance, in direct violation of a female’s right to decisional privacy with regards to their own body.

Linking Aadhaar would also be used as a mechanism to enable direct benefit transfer (DBT) to the beneficiaries of the national maternal benefits scheme. Linking reproductive health services to the Aadhaar ecosystem has been critiqued because it is exclusionary towards women with legitimate claims towards abortions and other reproductive services and benefits, and it heightens the risk of data breaches in a cultural fabric that already stigmatises abortions. The bodies on which this stigma is disproportionately placed, unmarried or disabled females, for instance, experience the harms of visibility through centralised surveillance mechanisms more acutely than others by being penalised for their deviance from cultural expectations. This is in accordance with the theory of "data extremes,” wherein marginalised communities are seen as living on the extremes of data capture, leading to a data regime that either refuses to recognise them as legitimate entities or subjects them to overpolicing in order to discipline deviance (Arora 2016). In both developed and developing contexts, the broader purpose of identity management has largely been to demarcate legitimate and illegitimate actors within a population, either within the framework of security or welfare.

Potential Harms of the Data Model of Reproductive Health Provisioning

Informational privacy and decisional privacy are critically shaped by data flows and security within the MCTS/RCH. No standards for data sharing and storage, or anonymisation and encryption of data have been implemented despite role-based authentication (NHSRC and Taurus Glocal 2011). The risks of this architectural design are further amplified in the context of the RCH/ANMOL where data is captured real-time. In the absence of adequate safeguards against data leaks, real-time data capture risks the publicising of reproductive health choices in an already stigmatised environment. This opens up avenues for further dilution of autonomy in making future reproductive health choices.

Several core principles of informational privacy, such as limitations regarding data collection and usage, or informed consent, also need to be reworked within this context.^[1] For instance, the centrality of the requirement of “free, informed consent” by an individual would need to be replaced by other models, especially in the context of reproductive health of rape survivors who are vulnerable and therefore unable to exercise full agency. The ability to make a free and informed choice, already dismantled in the context of contemporary data regimes, gets further precluded in such contexts. The constraints on privacy in decisions regarding the body are then replicated in the domain of reproductive data collection.

What is uniform across these digitisation initiatives is their treatment of maternal and reproductive health as solely a medical event, framed as a data scarcity problem. In doing so, they tend to amplify the understanding of reproductive health through measurable indicators that ignore social determinants of health. For instance, several studies conducted in the rural Indian context have shown that the degree of women’s autonomy influences the degree of usage of pregnancy care, and that the uptake of pregnancy care was associated with village-level indicators such as economic development, provisioning of basic infrastructure and social cohesion. These contextual factors get overridden in pervasive surveillance systems that treat reproductive healthcare as comprising only of measurable indicators and behaviours, that are dependent on individual behaviour of practitioners and women themselves, rather than structural gaps within the system.

While traditionally associated with state governance, the contemporary surveillance regime is experienced as distinct from its earlier forms due to its reliance on a nexus between surveillance by the state and private institutions and actors, with both legal frameworks and material apparatuses for data collection and sharing (Shepherd 2017). As with historical forms of surveillance, the harms of contemporary data regimes accrue disproportionately among already marginalised and dissenting communities and individuals. Data-driven surveillance has been critiqued for its excesses in multiple contexts globally, including in the domains of predictive policing, health management, and targeted advertising (Mason 2015). In the attempts to achieve these objectives, surveillance systems have been criticised for their reliance on replicating past patterns, reifying proximity to a hetero-patriarchal norm (Haggerty and Ericson 2000). Under data-driven surveillance systems, this proximity informs the preexisting boxes of identity for which algorithmic representations of the individual are formed. The boxes are defined contingent on the distinct objectives of the particular surveillance project, collating disparate pieces of data flows and resulting in the recasting of the singular offline self into various 'data doubles' (Haggerty and Ericson 2000). Refractive, rather than reflective, the data doubles have implications for the physical, embodied life of individual with an increasing number of service provisioning relying on the data doubles (Lyon 2001). Consider, for instance, apps on menstruation, fertility, and health, and wearables such as fitness trackers and pacers, that support corporate agendas around what a woman’s healthy body should look, be or behave like (Lupton 2014). Once viewed through the lens of power relations, the fetishised, apolitical notion of the data “revolution” gives way to what we may better understand as “dataveillance.”

Towards a Networked State and a Neo-liberal Citizen

Following in this tradition of ICT being treated as the solution to problems plaguing India’s public health information system, a larger, all-pervasive healthcare ecosystem is now being proposed by the Indian state (NITI Aayog 2018). Termed the National Health Stack, it seeks to create a centralised electronic repository of health records of Indian citizens with the aim of capturing every instance of healthcare service usage. Among other functions, it also envisions a platform for the provisioning of health and wellness-based services that may be dispensed by public or private actors in an attempt to achieve universal health coverage. By allowing private parties to utilise the data collected through pullable open application program interfaces (APIs), it also fits within the larger framework of the National Health Policy 2017 that envisions the private sector playing a significant role in the provision of healthcare in India. It also then fits within the state–private sector nexus that characterises dataveillance. This, in turn, follows broader trends towards market-driven solutions and private financing of health sector reform measures that have already had profound consequences on the political economy of healthcare worldwide (Joe et al 2018).

These initiatives are, in many ways, emblematic of the growing adoption of network governance reform by the Indian state (Newman 2001). This is a stark shift from its traditional posturing as the hegemonic sovereign nation state. This shift entails the delayering from large, hierarchical and unitary government systems to horizontally arranged, more flexible, relatively dispersed systems.^[2] The former govern through the power of rules and law, while the latter take the shape of self-regulating networks such as public–private contractual arrangements (Snellen 2005). ICTs have been posited as an effective tool in enabling the transition to network governance by enhancing local governance and interactive policymaking enabling the co-production of knowledge (Ferlie et al 2011). The development of these capabilities is also critical to addressing “wicked problems” such as healthcare (Rittel and Webber 1973).^[3] The application of the techno-deterministic, data-driven model to reproductive healthcare provision, then, resembles a fetishised approach to technological change. The NHSRC describes this as the collection of data without an objective, leading to a disproportional burden on data collection over use (NHSRC and Taurus Glocal 2011).

The blurring of the functions of state and private actors is reflective of the neo-liberal ethic, which produces new practices of governmentality. Within the neo-liberal framework of reproductive healthcare, the citizen is constructed as an individual actor, with agency over and responsibility for their own health and well-being (Maturo et al 2016).

“Quantified Self” of the Neo-liberal Citizen

Nowhere can the manifestation of this neo-liberal citizen can be seen as clearly as in the “quantified self” movement. The quantified self movement refers to the emergence of a whole range of apps that enable the user to track bodily functions and record data to achieve wellness and health goals, including menstruation, fertility, pregnancies, and health indicators in the mother and baby. Lupton (2015) labels this as the emergence of the “digitised reproductive citizen,” who is expected to be attentive to her fertility and sexual behaviour to achieve better reproductive health goals. The practice of collecting data around reproductive health is not new to the individual or the state, as has been demonstrated by the discussion above. What is new in this regime of datafication under the self-tracking movement is the monetisation of reproductive health data by private actors, the labour for which is performed by the user. Focusing on embodiment draws attention to different kinds of exploitation engendered by reproductive health apps. Not only is data about the body collected and sold, the unpaid labour for collection is extracted from the user. The reproductive body can then be understood as a cyborg, or a woman-machine hybrid, systematically digitising its bodily functions for profit-making within the capitalist (re)production machine (Fotoloulou 2016). Accordingly, all major reproductive health tracking apps have a business model that relies on selling information about users for direct marketing of products around reproductive health and well-being (Felizi and Varon nd).

As has been pointed out in the case of big data more broadly, reproductive health applications (apps) facilitate the visibility of the female reproductive body in the public domain. Supplying anonymised data sets to medical researchers and universities fills some of the historical gaps in research around the female body and reproductive health. Reproductive and sexual health tracking apps globally provide their users a platform to engage with biomedical information around sexual and reproductive health. Through group chats on the platform, they are also able to engage with experiential knowledge of sexual and reproductive health. This could also help form transnational networks of solidarity around the body and health (Fotopoulou 2016).

This radical potential of network-building around reproductive and sexual health is, however, tempered to a large extent by the reconfiguration of gendered stereotypes through these apps. In a study on reproductive health apps on Google Play Store, Lupton (2014) finds that products targeted towards female users are marketed through the discourse of risk and vulnerability, while those targeted towards male users are framed within that of virility. Apart from reiterating gendered stereotypes around the male and female body, such a discourse assumes that the entire labour of family planning is performed by females. This same is the case with the MCTS/RCH.

Technological interventions such as reproductive health apps as well as HIS are based on the assumption that females have perfect control over decisions regarding their own bodies and reproductive health, despite this being disproved in India. The Guttmacher Institute (2014) has found that 60% of women in India report not having control over decisions regarding their own healthcare. The failure to account for the husband or the family as stakeholder in decision-making around reproductive health has been a historical failure of the family planning programme in India, and is now being replicated in other modalities. This notion of an autonomous citizen who is able to take responsibility of their own reproductive health and well-being does not hold true in the Indian context. It can even be seen as marginalising females who have already been excluded from the reproductive health system, as they are held responsible for their own inability to access healthcare.

Concluding Remarks

The interplay that emerges between reproductive health surveillance and data infrastructures is a complex one. It requires the careful positioning of the political nature of data collection and processing as well as its hetero-patriarchal and colonial legacies, within the need for effective utilisation of data for achieving developmental goals. Assessing this discourse through a feminist lens identifies the web of power relations in data regimes. This problematises narratives of technological solutions for welfare provision.

The reproductive healthcare framework in India then offers up a useful case study to assess these concerns. The growing adoption of ICT-based surveillance tools to equalise access to healthcare needs to be understood in the socio-economic, legal, and cultural context where these tools are being implemented. Increased surveillance has historically been associated with causing the structural gendered violence that it is now being offered as a solution to. This is a function of normative standards being constructed for reproductive behaviour that necessarily leave out broader definitions of reproductive health and welfare when viewed through a feminist lens. Within the larger context of health policymaking in India, moves towards privatisation then demonstrate the peculiarity of dataveillance as it functions through an unaccountable and pervasive overlapping of state and private surveillance practises. It remains to be seen how these trends in ICT-driven health policies affect access to reproductive rights and decisional privacy for millions of females in India and other parts of the global South.

For more details visit https://cis-india.org/internet-governance/blog/data-infrastructures-inequities-reproductive-health-surveillance-india

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india

Data Flow in the Unique Identification Scheme of India

vidushi — 2015-09-03T17:02:44Z

This note analyses the data flow within the UID scheme and aims at highlighting vulnerabilities at each stage. The data flow within the UID Scheme can be best understood by first delineating the organizations involved in enrolling residents for Aadhaar. The UIDAI partners with various Registrars usually a department of the central or state Government, and some private sector agencies like LIC etc– through a Memorandum of Understanding for assisting with the enrollment process of the UID project.

Many thanks to Elonnai Hickok for her invaluable guidance, input and feedback

These Registrars then appoint Enrollment Agencies that enroll residents by collecting the necessary data and sharing this with the UIDAI for de-duplication and issuance of an Aadhaar number, at enrolment centers that they set up. The data flow process of the UID is described below:[1]

Data Capture

Filling out an enrollment form – To enroll for an Aadhaar number, individuals are required to provide proof of address and proof of identity. These documents are verified by an official at the enrollment center.

Vulnerability: Though an official is responsible for verifying these documents, it is unclear how this verification is completed. It is possible for fraudulent proof of address and proof of identity to be verified and approved by this official.

The 'introducer' system: For individuals who do not have a Proof of Identity, Proof of Address etc the UIDAI has established an 'introducer' system. The introducer verifies that the individual is who they claim to be and that they live where they claim to live.

Vulnerability: This introducer is akin to the introducer concept in banking; except that here, the introducer must be approved by the Registrar, and need not know the person bring enrolled. This leads to questions of authenticity and validity of the data collected and verified by an 'introducer'. The Home Ministry in 2012, indicated that this must be reviewed.[2]

Categories of data for enrollment: The UIDAI has a standard enrollment form and list of documents required for enrollment. This includes: name, address, birth date, gender, proof of address and proof of identity. Some MoUs (Memorandum of Understanding) permit for the Registrars to collect additional information in addition to what is required by the UIDAI. This could be any information the Registrar deems necessary for any purpose.

Vulnerability: The fact that a Registrar may collect any information they deem necessary and for any purpose leads to concerns regarding (1) informed consent – as individuals are in placed in a position of having to provide this information as it is coupled with the Aadhaar enrollment process (2) unauthorized collection - though the MOU between the UIDAI and the Registrar has authorized the Registrar to collect additional information – if the information is personal in nature and the Registrar is a body corporate it must be collected as per the Information Technology Rules 2011 under section 43A. It is unclear if Registrars that are body corporates are collecting data in accordance to these rules. (3) As Registrars are permitted to collect any data they deem necessary for any purpose – this leads to concerns regarding misuse of this data..[3]

Verification of Resident’s Documents: true copies of original documents, after verification are sent to the Registrar for “permanent storage.”[4]

Vulnerability: It is unclear as to what extent and form this storage takes place. There is no clarity on who is responsible for the data once collected, and the permissible uses of such data are also unclear. The contracts between the UID and Registry claim that guidelines must be followed, while the guidelines state that, “The documents are required to be preserved by Registrar till the UIDAI finalizes its document storage agency” and states that the “Registrars must ensure that the documents are stored in a safe and secure manner and protected from unauthorized access.” [5] The question of what is “unauthorized access”, “secure storage”, when is data transferred to the UIDAI and when the UIDAI will access it and why remain unanswered. Moreover, there is nothing about deleting documents once the MoU lapses. The guidelines in question were also developed post facto.

Data collection for enrollment: After verification of proof of address and proof of identity, operators at the enrolling the agency will be enrolling individuals. Data Collection is completed by operators at the enrolling agency. This includes the digitization of enrollment forms and collection of biometrics. Enrollment information is manually collected and entered into computers operating software provided by the UIDAI and then transferred to the UIDAI. Biometrics are collected through devices that have been provided by third parties such as Accenture and L1Identity Solutions.

Vulnerability: After data is collected by enrollment operators it is possible for data leakage to occur at the point of collection or during transfer to the Registrar and UIDAI. Data operators, are therefore not answerable to the UIDAI, but to a private agency; a fact which has been the cause of concern even within the government.[6] There have also been instances of sub contracting which leads to more complications in respect of accountability. Misuse[7] and loss of data is a very real possibility, and irregularities have been reported as well.[8] By relying on technology that is provided by third parties (in many cases foreign third parties) data collected by these devices is also available to these companies while at the same time the companies are not regulated by Indian law.

Import pre-enrolment data into Aadhaar enrollment client, Syncing NPR/census data into the software: The National Population Register (NPR) enrolls usual residents, and is governed by the Citizenship Rules, which prescribe a penalty for non disclosure of information.

Vulnerability: Biometrics does not form part of the Rules that govern NPR data collection; the Citizenship Rules, 2003. In many ways, collection of biometrics without amending the citizenship laws amounts to a worrying situation. The NPR hands over information that it collects to UIDAI, biometrics collected as part of the UIDAI is included in the NPR, leading to concerns surrounding legality and security of such data.

Resident’s consent: for “whether the resident has agreed to share the captured information with organizations engaged in delivery of welfare services.”

Vulnerability: This allows the UIDAI to use data in an almost unfettered fashion. The enrolment form reads, “‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” Informed consent, Vague. What info and with whom. Why is necessary for the UIDAI to share this information, when the organization is only supposed to be a passive intermediary? Does beyond the mandate of the UIDAI, which is only to provide and authenticate the number.

Biometric exceptions: The operator checks if the resident’s eyes/hands are amputated/missing, and after the Supervisor verifies the same, the record is made as an exception and only the individuals photograph is recorded.

Vulnerability: There has widespread misuse of this clause, with data being fabricated to fall into this category, making it unreliable as a whole. In March 2013, 3.84 lakh numbers were cancelled as they were based on fraudulent use of the exception clause. [9]

Operator checks if resident wants Aadhaar enabled bank account: The UID project was touted to be a scheme that would ensure access to benefits and subsidies that are provided through cash transfers as well as enabling financial inclusion. Subsequently, the need for a Aadhaar embedded bank account was made essential to avail of these benefits. The operator at this point checks whether the resident would like to open such a bank account.

Vulnerability: The data provided at the time of linking UID with a bank account cannot be corrected or retracted. Although this has the vision of financial inclusion, it is now a threat of exclusion.

Capturing biometrics- The UIDAI scheme includes assigning each individual a unique identification number after collecting their demographic and biometric information. One Time Passwords are used to manually override a situation in which biometric identification fails.[10] The UIDAI data collection process was revamped in 2012 to include best finger detection and multiple try method.[11]

Vulnerabilities: The collection process is not always accurate, in fact, 70% of the residents who enrolled in Salt Lake, will have to re-enroll due to discrepancies at the time of enrollment.[12] Further, a large number of people in India are unable to give biometric information due to manual labour, or cataracts etc.

After such data is entered, the Operator shows such data to the Resident or Introducer or Head of the Family (as the case may be) for validation.

Operator Sign off – Each set of data needs to be verified by an Operator whose fingerprint is already stored in the system.

Vulnerability: Vesting authority to sign off in an operator allows for signing off on inaccurate or fraudulent data. For example, the issuance of aadhaar numbers to biometric exceptions highlight issues surrounding misuse and unreliability of this function.[13]

After this, the Enrolment operator gets supervisor’s sign off for any exceptions that might exist, Acknowledgement and consent for enrolment is stored. Any correction to specified data can be made within 96 hours.

Document Storage, Back up and Sync

After gathering and verifying all the information about the resident, the Enrolment Agency Operator will store photocopies of the documents of the resident. These Agencies also backup data “from time to time” (recommended to be twice a day), and maintain it for a minimum of 60 days. They also sync with the server every 7-10 days.

Vulnerability: The security implications of third party operators storing information is greatly exacerbated by the fact that these operators use technology and devices from companies have close ties to intelligence agencies in other countries; L-1 Identity Solutions have close ties with America’s CIA, Accenture with French intelligence etc. [14]

Transfer of Demographic and Biometric Data Collected to CIDR

“First mile logistics” include transferring data by using Secure File Transfer Protocol) provided by UIDAI or through a “suitable carrier” such as India Post.

Vulnerability: There is no engagement between the UIDAI and the enrolling agencies; the registrars engage private enrolment agencies, and not the UIDAI. Further, the scope of people authorized to collect information, the information that can be collected, how such information is stored etc are all vague. In 2009, there was a notification that claimed that the UIDAI owns the database[15] but there is no indication on how it may be used, how this might react to instances of identity fraud, etc.

Data De-duplication and Aadhar Generation at CIDR

On receiving biometric information, the de-duplication is done to ensure that each individual is given only one UID number.

Vulnerability:

This de-duplication is carried out by private companies, some of which are not of indian origin and thus are also not bound by Indian law. Also, the volume of Aadhaar numbers rejected due to quality or technical reasons is a cause of worry; the count reaching 9 crores in May 2015.[16]
The MoUs promise registrars access to information contained in the Aadhaar letter, although individuals are ensured that such letter is only sent to them. [17]
General compliance and de-duplication has been an issue, with over 34,000 people being issued more than one Aadhaar number,[18] and innumerable examples of faulty Aadhaar cards being issued.[19]

[1] Enrolment Process Essentials : UIDAI , (December 13,2012), http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[2] UIDAI to review biometric data collection process of 60 crore resident Indians: P Chidambaram, Economic Times, (Jan 31, 2012), http://articles.economictimes.indiatimes.com/2012-01-31/news/31010619_1_biometrics-uidai-national-population-register.

[3]See: an MoU signed between the UIDAI and the Government of Madhya Pradesh. Also see: Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[4]http://nictcsc.com/images/Aadhaar%20Project%20Training%20Module/English%20Training%20Module/module2_aadhaar_enrolment_process17122012.pdf

[5] Document Storage Guidelines for Registrars – Version 1.2, https://uidai.gov.in/images/mou/D11%20Document%20Storage%20Guidelines%20for%20Registrars%20final%2005082010.pdf

[6] Arindham Mukherjee, Lola Nayar, Aadhaar,A Few Basic Issues, Outlook India, (December 5, 2011), http://dataprivacylab.org/TIP/2011sept/India4.pdf.

[7] Aadhaar: UIDAI probing several cases of misuse of personal data, The Hindu, (April 29, 2012), http://www.thehindubusinessline.com/economy/aadhar-uidai-probing-several-cases-of-misuse-of-personal-data/article3367092.ece.

[8] Harsimran Julka, UIDAI wins court battle against HCL technologies, The Economic Times, (October 4, 2011), http://articles.economictimes.indiatimes.com/2011-10-04/news/30242553_1_uidai-bank-guarantee-hp-and-ibm.

[9] Chetan Chauhan, UIDAI cancels 3.84 lakh fake Aadhaar numbers, The Hindustan Times, (December 26, 2012), http://www.hindustantimes.com/newdelhi/uidai-cancels-3-84-lakh-fake-aadhaar-numbers/article1-980634.aspx.

[10] Usha Ramanathan, “Inclusion project that excludes the poor”, The Statesman (July 4, 2013).

[11] UIDAI to Refresh Data Collection Process, Zee News, (February 7, 2012) http://zeenews.india.com/news/delhi/uidai-to-refresh-data-collection-process_757251.html.

[12] Snehal Sengupta, Queue up again to apply for Aadhaar, The Telegraph, (February 27, 2015), http://www.telegraphindia.com/1150227/jsp/saltlake/story_5642.jsp#.VayjDZOqqko

[13] Chauhan, supra note 7.

[14] Usha Ramanathan, Three Supreme Court Orders Later, What’s the Deal with Aadhaar? Yahoo News, (April 13, 2015), https://in.news.yahoo.com/three-supreme-court-orders-later--what-s-the-deal-with-aadhaar-094316180.html.

[15] Usha Ramanathan, “Threat of Exclusion and of Surveillance”, The Statesman (July 2, 2013).

[16] Over 9 Crore Aadhaar enrolments rejected by UIDAI, Zee News (May 8, 2015).

[17] Usha Ramanathan, “States as handmaidens of UIDAI”, The Statesman (August 8, 2013).

[18] Surabhi Agarwal, Duplicate Aadhar numbers within estimate, Live Mint (March 5, 2013).

[19] Usha Ramanathan, “Outsourcing enrolment, gathering dogs and trees”, The Statesman (August 7, 2013).

For more details visit https://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

Danish Expert Group on Data Ethics

Admin — 2018-12-01T04:42:42Z

Amber Sinha was one of the stakeholders who provided inputs to the Danish Expert Group on Data Ethics in June 2018 during their visit to New Delhi. The Expert Group has prepared and submitted its final report.

In April the Danish Expert Group on Data Ethics commenced work on developing recommendations on Data Ethics for the Danish Government. The expert group have now handed over their recommendations to the Danish Minister of Industry, Business and Financial Affairs. Read the report.

For more details visit https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics

Cyberspace and External Affairs:A Memorandum for India Summary

Arindrajit Basu and Elonnai Hickok — 2018-12-01T04:10:51Z

This memorandum seeks to summarise the state of the global debate in cyberspace; outline how India can craft it’s global strategic vision and finally, provides a set of recommendations for the MEA as they craft their cyber diplomacy strategy.

It limits itself to advocating certain procedural steps that the Ministry of External Affairs should take towards propelling India forward as a leading voice in the global cyber norms space and explains why occupying this leadership position should be a vital foreign policy priority. It does not delve into content-based recommendations at this stage. Further, this memorandum is not meant to serve as exhaustive academic research on the subject but builds on previous research by the Centre for Internet & Society in this area to highlight key policy windows that can be driven by India.

This memorandum provides a background to global norms formation focussing on key global developments over the past month; traces the opportunities s for India to play a lead role in the global norms formulation debate and then charts out process related recommendations on next steps towards India taking this forward.

Click here to read more

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-and-elonnai-hickok-november-30-2018-cyberspace-and-external-affairs

Cybersecurity Compilation: Indian Context

Leilah Elmokadem and edited by Elonnai Hickok — 2017-06-18T13:16:39Z

This document intends to serve as a comprehensive source compiling all the cyber-security related regulations, policies, guidelines, notifications, executive orders, court rulings, etc.

Ultimately, it attempts to collect all the cyber security initiatives that have been put out by Indian regulatory bodies and organizations. To approach this end, we identified they actors and institutions in cyber security and record their published guidelines, frameworks, ongoing projects and any policies released to strengthen cyber security. We have mostly followed a general framework in which, for each document found, we indicate the definition of cyber security (if stated), the objectives, recommendations/guidelines and scope. This format was sometimes difficult to follow for some types of initiatives in the documents. For example, a document of questions and answers to parliament could not be recorded in this fashion. As a result, the document is not entirely uniform in structure. This research compendium is in continuous progress, expanding along with the base of our knowledge and ongoing research.

Download the Compendium

For more details visit https://cis-india.org/internet-governance/blog/cybersecurity-compilation-indian-context

Cyberattacks a significant threat to democracy: Modi

Admin — 2017-11-24T13:29:17Z

We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.

The article by Komal Gupta was published in Livemint on November 24, 2017.

Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.

Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.

“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.

A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, PTI reported in August.

With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told Mint during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.

Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.

The need to set up a safe and secure cyberspace is one the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.

Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.

The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.

PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.

Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.

Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”

Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.

Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely eduction, health, entertainment and others, if one enters the Net through one gate (Facebook’s).

“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.

Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.

Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.

On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.

India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.

“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.

PTI contributed to this story.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi

Cyber Policy Centres Meeting in Sri Lanka

Admin — 2019-01-21T23:50:45Z

Elonnai Hickok, Sunil Abraham and Ambika Tandon participated in this event organized by IDRC in Sri Lanka on January 11 - 14, 2019.

Download the agenda here

See the presentation here

For more details visit https://cis-india.org/internet-governance/news/cyber-policy-centres-meeting-in-sri-lanka

Cyber law experts asks why CERT-In removed advisory warning about WhatsApp vulnerability

Megha Mandavia — 2019-11-15T00:48:00Z

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

The article by Megha Mandavia was published in ET Tech.com on November 4, 2019. Pranesh Prakash was quoted.

Cyber law experts have asked the government to explain why the Indian computer emergency response team (CERT-In) removed from its website two days ago an advisory it had put out in May warning users of a vulnerability that could be used to exploit WhatsApp on their smartphones.

“This is merely further evidence that the explanation is to be provided by GoI (Government of India) instead of blame shifting and politicizing the issue,” said Mishi Choudhary, the legal director of the New York-based Software Freedom Law Center. “India is a surveillance state with no judicial oversight.”

On the missing web page note, CERT-In had provided a detailed explanation of the vulnerability, which could be exploited by an attacker by making a decoy voice call to a target.

It had warned WhatsApp users that the vulnerability could allow an attacker to access information on the system, such as logs, messages and photos, and could further compromise it. CERT-In rated the severity “high” and asked users to upgrade to the latest version of the app.

It also listed links to hackernews and cyber security firm Check Point Software that pointed to the alleged involvement of Israeli cyber software firm NSO Group in the hacking of WhatsApp messenger.

CERT-In Director-General Sanjay Bahl did not respond to ET’s mails or calls seeking clarity on why the advisory was pulled from its website.

The Times of India reported first the development.

The government had blamed WhatsApp for not informing it about the attack and asked the Facebook-owned company to respond by November 4.

In response, WhatsApp sources pointed out that it had informed CERT-in in May about the vulnerability and updated in September that 121 Indian nationals were targeted using the exploit, ET reported on Sunday.

“We should not read too much into it. It could just be bad website management. The vulnerability was public knowledge. It was reported by the Common Vulnerabilities and Exposures (CVE) organization in May,” said Pranesh Prakash, fellow at the Centre of Internet and Society, a non-profit organisation.

The government has also questioned the timing of the disclosure, as it comes amid a request by it to the Supreme Court seeking three months to frame rules to curb misuse of social media in the country.

The government has categorically told WhatsApp that it wants the platform to bring in a mechanism that would enable tracing of the origin of messages, a demand that the instant messaging platform has resisted citing privacy concerns.

For more details visit https://cis-india.org/internet-governance/news/et-tech-megha-mandavia-november-4-2019-cyber-law-experts-asks-why-cert-in-removed-advisory-warning-about-whatsapp-vulnerability