Centre for Internet and Society

About Open Access Day

sunil — 2008-09-21T14:43:16Z

October 14, 2008 will be the world’s first Open Access Day. The founding partners for this Day are SPARC (the Scholarly Publishing and Academic Resources Coalition), Students for FreeCulture, and the Public Library of Science.

Open Access Day will help to broaden awareness and understanding of Open Access, including recent mandates and emerging policies, within the international higher education community and the general public.

Open Access^¹ is a growing international movement that uses the Internet to throw open the locked doors that once hid knowledge. It encourages the unrestricted sharing of research results with everyone, everywhere, for the advancement and enjoyment of science and society.

Open Access is the principle that publicly funded research should be freely accessible online, immediately after publication, and it’s gaining ever more momentum around the world as research funders and policy makers put their weight behind it.

The Open Access philosophy was firmly articulated in 2002, when the Budapest Open Access Initiative was introduced. It quickly took root in the scientific and medical communities because it offered an alternative route to research literature that was frequently closed off behind costly subscription barriers.

Today, the OAIster search engine provides access to 17,799,314 Open Access records from 1015 contributors. According to the Directory of Open Access Journals – India publishes 105 Open Access journals. Both INSA and IASc have made their journals open access journals. Indian Institute of Science has an EPrints repository and it has over 11,000 papers and this year, the Institute's centenary year, the number is expected to cross 23,000. NIT, Rourkela, has mandated open access to all faculty research papers. There are about thirty OA institutional repositories in India today. The IITs and IISc have formed a consortium and are making their class lectures open access under a project called NPTEL. These lectures are available in web, video and YouTube formats.

About CCMG-JMI

The Centre seeks to enhance the integration and development of interdisciplinary research into the media in India and South Asia. To this end, various programmes envisaged at CCMG will contribute in the following manner:

Methodologically, work at the Centre will examine and seek to develop new approaches both, quantitative and qualitative. This being a recurrent motif across all thematic rubrics pursued.
Archiving the measurement and analysis of media production, content and reception takes place in many organisations, but very little of such data is available to researchers, or is analysed comparatively. To address this void, the Centre aims to create an archive of media research data of value to researchers across South Asia.
Comparative perspectives across disciplines, mediascapes and regions are of utmost importance to the centre’s body of objectives. Comparative analyses will require reconciling data based on differing calibration approaches rooted in, often, contesting intellectual traditions and policy foundations.
Networking will be structured to aid the regular association of media scholars and policy analysts from varied, contiguous disciplines. Equally, the Centre will act as a focal point for dialogues between social scientists, civil society actors and media professionals who rarely are able to share a platform.

1This section and the next is adapted from the content available at http://www.openaccessday.org

For more details visit https://cis-india.org/openness/publications/content-access/about-open-access-day

Agenda

sunil — 2008-10-13T12:25:59Z

The Centre for Culture, Media & Governance, Jamia Millia Islamia, New Delhi, and the Centre for Internet and Society, Bangalore, jointly organise the first Open Access Day on the 14th of October 2008 at Tagore Hall, Dayar-i-Mir Taqi Mir, Jamia Millia Islamia, New Delhi.

Agenda

Time	Session
1400 – 1415	Welcome and Introduction: Prof. Biswajit Das, Director, Centre for Culture, Media & Governance, Jamia Millia Islamia
1415 – 1535	Chair: Prof. Arif Ali, Head Dept. of Bio-Technology, Jamia Milia Islamia Panelists: Mr. Zakir Thomas, Project Director - Open Source Drug Discovery, and Dr. Anshu Bhardwaj, Scientist, CSIR, New Delhi. Dr. Andrew Lynn, Professor, Department of Bio-informatics, Jawaharlal Nehru University, New Delhi. Prof. Subbiah Arunachalam, Distinguished Fellow, Centre for Internet and Society
1535 – 1600	Question and Answer Session Open Discussion
1600 - 1615	Vote of thanks and closure by Sunil Abraham, Director – Policy, Centre for Internet and Society.
	End with Tea/Coffee

Contact Details

New Delhi	Bangalore
Vibodh Parthasarathi Reader/Associate Professor Centre for Culture, Media and Governance Nelson Mandela House, Mujib Bagh Jamia Millia Islamia, New Delhi 110 025 P.: +91 11 26933810/26933842 M: +91 9873458688 E: ccmgjmi AT gmail.com W: http://jmi.nic.in/ccm	Sunil Abraham Director - Policy Centre for Internet and Society No. D2, 3rd Floor, Sheriff Chambers 14, Cunningham Road, Bangalore - 560 052 P: +91 80 4092 6283 F: +91 80 4114 8130 M: +91 9611100817 E: sunil AT cis-india.org W: www.cis-india.org

Map

For more details visit https://cis-india.org/openness/publications/content-access/agenda

Open Content and Open Access

sunil — 2009-10-08T14:54:39Z

Open Content (of which Open Access can be thought of as a subcategory) is that content which is freely available on the Internet with or without rights to modify or re-use it. Open content can take many manifestations from openly-licensed materials (Creative Commons, etc.), open access to scholarly literature (scientific, legal, etc.), open educational resources, to open access to the law (particularly legislations and judgments). We at CIS believe that sharing of knowledge and culture is only human.

For more details visit https://cis-india.org/openness/publications/content-access

Response to the Draft National Policy on Open Standards for e-Governance

sunil — 2011-08-23T03:05:56Z

Pranesh Prakash, Programme Manager at the Centre for Internet and Society, authored a response to the draft Open Standards Policy document published by the National Informatics Centre, Department of Information Technology, Ministry of Communications and Information Technology.

The National Informatics Centre (NIC), Department of Information Technology (DIT), Ministry of Communications and Information Technology (MCIT) has recently published a Draft Policy on Open Standards for eGovernance. Members of the public have been invited to provide feedback to the document. The last date for feedback is 21st November 2008.

The Centre for Internet and Society has prepared a draft response to the draft policy. This response letter only deals with the policy document from the perspective of the global FLOSS movement. This is not meant to be comprehensive feedback to the document itself.

Institutional Co-signatories

Richard Stallman, Founder, Free Software Foundation, USA
Mishi Choudhary, Partner, Software Freedom Law Centre, USA
Dr. Alvin Marcelo, Director for Southeast Asia, International Open Source Network, the Philippines
Lawrence Liang, Founder, Alternative Law Forum, Bangalore, India
Dr. G. Nagarjuna, Chaiman, Free Software Foundation of India, Mumbai, India
Vinay Sreenivasa, Member, IT for Change, Bangalore, India

Individual Co-signatories

Shahid Akhtar, Founder, International Open Source Network, Canada
Denis Jaromil Rojo, Developer, Dyne, Netherlands
Raj Mathur, Consultant, Kandalaya, New Delhi, India
Marek Tuszynski, Founder, Tactical Technology Collective, United Kingdom

Text

Dear Sir or Madam,

The government had done a commendable job of releasing a progressive and forward-looking policy on the usage of open standards in e-governance. Globally the European Union's Electronic Interoperability Framework (EIF) guidelines (version 2 of which is currently in the draft stage) is considered to be the gold standard as far as open standard policy is concerned. The draft National Policy on Open Standards meets all of the EIF's four open standard requirements. However, there is still some room for improvement as discussed below.

While the document talks of the standard being royalty free (4.1 and 5.1.1) and without any patent-related encumbrance (4.1), it limits those requirements "for the life time of the standard" (5.1.1), which seems a bit ambiguous and is not defined in the appendix either. It would be preferable to make it royalty-free for the lifetime of the patents (if any) as open archival material shouldn't one day (after the end of "life time of the standard", and before the expiry of the patents) suddenly be forced to become paid archives. It would be desirable to make declarations of patent non-enforcement irrevocable (as the EU EIF does), by incorporating a wording such as: "irrevocably available on a royalty-free basis, without any patent-related encumbrance".

There should also be a separate provision in the "policy statement on open standards adoption in e-governance" section of the document making explicit that there can be no restraint on use or implementation of the standard (as has been stated in the "guiding principles" section).

Perhaps when talking of specification documents (5.1.5) the words "any restrictions" could be amended to include a few examples of what the term "any restrictions" would include. The document could make explicit that it must be permissible for all to copy, distribute and use the specifications freely, without any cost or legal barriers.

Sometimes private companies can interfere with the standardisation process, the document could perhaps be more explicit regarding remedial measures that could be undertaken in the event – for example use of competition law, as in the case of the EU EIF which states: "Practices distorting the definition and evolution of open standards must be addressed immediately to protect the integrity of the standardisation process."

As it stands, the draft document addresses many notions of openness (freely accessible, at zero cost, non-discriminatory, extensible, and without any legal hindrances, thus preventing vendor lock-in), and there is much to applaud in it. It has a clear implementation mechanism, with a laudable aim of establishing a monitoring agency and an Open Source Solutions Laboratory. It is applicable not only to future e-governance initiatives, but to existing ones as well. Furthermore, it also has an in-built review mechanism, which is crucial given the rate of change of technologies and consequently of the requirements of the government. Thus, the draft policy document very clearly encourages competition and innovation in the software industry and promotes the Free and Open Source Software (FOSS) movement and industry. As researchers from UNU MERIT have pointed out, even a nominal fee for usage of a standard can lead to exclusion of open source software implementations, leading to less competition in the software industry. Thus, all in all this draft document represents a commendable effort by the Indian government towards a sustainable and robust e-governance structure based on open standards. However, a few small amendments as suggested in this letter would make it an even greater guarantor of openness.

Yours sincerely,
Sunil Abraham
Director (Policy)
Centre for Internet and Society

Please download the draft response in the format you prefer.

For more details visit https://cis-india.org/openness/publications/standards/the-response

Open Standards

sunil — 2010-01-11T10:52:24Z

The Centre for Internet and Society promotes Open Standards, i.e., standards that are technically and legally free to study, free to use, developed and managed in an open manner, with a complete implementation available to all. Open standards help all -- government and citizens, industry and consumers -- by allowing greater interoperability and choice (since they are necessary for free and open source software), greater competition, reduction in costs, and greater long-term reliability. As part of our work on Open Standards, we have been providing the comments to the Indian government's Draft National Policy on Open Standards for e-Governance, and have been working as a member of the Dynamic Coalition on Open Standards at the UN-sponsored Internet Governance Forums.

For more details visit https://cis-india.org/openness/publications/standards

Software Patents

sunil — 2010-01-11T09:51:40Z

Software patents are a potent threat to both open standards as well as FOSS. While in India, pure software patents (i.e., a patent over a "computer programme per se") is not allowed, still software patents are to be reckoned with. The draft patent manual prepared by the Patent Office in 2008 seemingly goes against section 3(k) of the Patents Act, and allows partially for software patents. Further, the Patent Office sometimes incorrectly grants software patents, even though the same is prohibited by the law.

For more details visit https://cis-india.org/openness/publications/software-patents

The Quixotic Fight to Clean up the Web

sunil — 2012-01-26T20:53:02Z

The ongoing attempt to pre-screen online content won’t change anything. It will only drive netizens into the arms of criminals, writes Sunil Abraham in this article published in Tehelka Magazine, Vol 9, Issue 04, Dated 28 Jan 2012.

GOOGLE AND Facebook’s ongoing case in the Delhi High Court over offensive online content is curious in three ways. First, the complaint does not mention the IT Act, 2000. Prior to the 2008 amendment, intermediaries (in this case, Google, Facebook, etc) had no immunity. But after the amendment, intermediaries have significant immunity and are not considered liable unless takedown notices are ignored.

Second, it is curious that the complaint does not mention specific individuals or groups directly responsible for authoring the allegedly offensive material. Only intermediaries have been explicitly named. If specific content items have been submitted in court then it is curious that specific accounts and users have not been charged with the same offences.

Three, Delhi-based journalist Vinay Rai claims that takedown notices and requests for user information were ignored by the intermediaries. As yet, unpublished research at the Centre for Internet and Society has reached the exact opposite conclusion. We sent fraudulent takedown notices to seven of the largest intermediaries in India as part of a policy sting operation. Six of them over-complied and demonstrated no interest in protecting freedom of expression. Our takedown notices were complied with even though they were largely nonsensical. It is therefore curious that Rai’s takedown notices were ignored.

Under Section 79 of the IT Act, the intermediary must not “initiate the transmission”, “select the receiver of the transmission” and “select or modify the information contained in the transmission”. In other words, they must not possess “actual knowledge” of the content. This would be absolutely true if intermediaries acted as “dumb pipes” or “mere conduits”. But today, they have reactive “human filters” ensuring conformance to community guidelines that often go beyond constitutional limits on freedom of expression.

For example, Facebook deletes breastfeeding photographs if a certain proportion of the breast is visible, despite numerous protests. Intermediaries also use proactive “machine filters” to purge their networks of pornography and copyright infringing content. In order to retain immunity under the IT Act, intermediaries would have to demonstrate that they have no “actual knowledge”. This would also imply that they cannot proactively filter or pre-screen content without becoming liable for illegal content.

More sophisticated “machine filters” will continue to be built for social media platforms as computing speeds increase and costs decrease dramatically. But there will be significant collateral damage — the vibrancy of online Indian communities will be diminished as legitimate content will be removed and this in turn will retard Internet adoption rates. Free media, democratic governance, research and development, culture and the arts will all be fundamentally undermined. So whether pre-censorship is technically feasible is an irrelevant question. The real question is what limits on freedom of expression are reasonable in the Internet age.

The legal tussle is yet another chance for reflecting on the shortcomings of the IT Act

Censorship is like prohibition, illegal content will persist, the mafia will profit and ordinary citizens will be implicated in criminal networks. Use of anonymising proxies, circumvention tools and encryption technologies will proliferate, frustrating network optimisation efforts and law enforcement activities.

This is yet another opportunity for reflecting on the shortcomings of the ITAct. A lot of the confusion and anxiety today emerges from vague language, unconstitutional limits on freedom of expression, multi-tiered blanket surveillance provisions, blunt security policy measures contained in the statute and its associated rules. The next Parliament session is the last opportunity for MPs to ask for the rules for intermediaries, cyber cafes and reasonable security practices to be revisited. The MP who musters the courage to speak will be dubbed a superhero.

As told to Shonali Ghosal. Sunil Abraham is Executive director, centre for internet and society and can be contacted at sunil@cis-india.org. The original article was published in Tehelka.

Illustration by Sudeep Chaudhuri

For more details visit https://cis-india.org/internet-governance/quixotic-fight-to-clean-the-web

Do we need the Aadhar scheme?

sunil — 2012-02-03T10:11:24Z

"Decentralisation and privacy are preconditions for security. Digital signatures don’t require centralised storage and are much more resilient in terms of security", Sunil Abraham in the Business Standard on 1 February 2012.

We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.

Biometrics are poor identification factors in a country where the registrars have commercial motivation to create ghost identities. For example, bank managers trying to achieve targets for deposits by opening benami accounts. Biometrics for these ghost identities can be imported from other countries or generated endlessly using image processing software. The de-duplication engine at the Unique Identification Authority of India (UIDAI) will be fooled into thinking that these are unique residents.

An authentication system does not require a centralised database of authentication factors and transaction details. This is like arguing that the global system of e-commerce needs a centralised database of passwords and logs or, to use an example from the real world, to secure New Delhi, all citizens must deposit duplicate keys to their private property with the police.

Decentralisation and privacy are preconditions for security. The “end-to-end principle” used to design internet security is also in compliance with Gandhian principles of Panchayat Raj. Digital signatures don’t require centralised storage of private keys and are, therefore, much more resilient in terms of security.

Biometrics as authentication factors require the government to store biometrics of all citizens but citizens are not allowed to store biometrics of politicians and bureaucrats. The state authenticates the citizen but the citizen cannot conversely authenticate the state. Digital signatures as an authentication factor, on the other hand, does not require this asymmetry since citizens can store public keys of state actors and authenticate them. The equitable power relationship thus established allows both parties to store a legally non-repudiable audit trail for critical transactions like delivery of welfare services. Biometrics exacerbates the exiting power asymmetry between citizens and state unlike digital signatures, which is peer authentication technology.

Privacy protections should be inversely proportional to power. The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa.

UIDAI’s latest 23-page biometrics report is supposed to dispel the home ministry’s security anxieties. It says “biometric data is collected by software provided by the UIDAI, which immediately encrypts and applies a digital signature.” Surely, what works for UIDAI, that is digital signatures, should work for citizens too. The report does not cover even the most basic attack — for example, the registrar could pretend that UIDAI software is faulty and harvest biometrics again using a parallel set-up. If biometrics are infallible, as the report proclaims, then sections in the draft UID Bill that criminalise attempts to defraud the system should be deleted.

The compromise between UIDAI and the home ministry appears to be a turf battle for states where security concerns trump developmental aspirations. This compromise does nothing to address the issues raised by the Parliamentary Standing Committee on Finance, headed by the Bharatiya Janata Party’s Yashwant Sinha.

Read the original published in the Business Standard on 1 February 2012

For more details visit https://cis-india.org/internet-governance/do-we-need-the-aadhar-scheme

ICANN Analysis

sunil — 2018-03-15T06:35:45Z

For more details visit https://cis-india.org/internet-governance/files/icann-analysis

Cambridge Analytica scandal: How India can save democracy from Facebook

sunil — 2018-03-28T15:44:00Z

Hegemonic incumbents like Google and Facebook need to be tackled with regulation; govt should use procurement power to fund open source alternatives.

The article was published in the Business Standard on March 28, 2018

The Cambridge Analytica scandal came to light when whistleblower Wylie accused Cambridge Analytica of gathering details of 50 million Facebook users. Cambridge Analytica used this data to psychologically profile these users and manipulated their opinion in favour of Donald Trump. BJP and Congress have accused each other of using the services of Cambridge Analytica in India as well. How can India safeguard the democratic process against such intervention? The author tries to answer this question in this Business Standard Special.

Those that celebrate the big data/artificial intelligence moment claim that traditional approaches to data protection are no longer relevant and therefore must be abandoned. The Cambridge Analytica episode, if anything, demonstrates how wrong they are. The principles of data protection need to be reinvented and weaponized, not discarded. In this article I shall discuss the reinvention of three such data protection principles. Apart from this I shall also briefly explore competition law solutions.

Collect data only if mandated by regulation

One, data minimization is the principle that requires the data controller to collect data only if mandated to do so by regulation or because it is a prerequisite for providing a functionality. For example, Facebook’s messenger app on Android harvests call records and meta-data, without any consumer facing feature on the app that justifies such collection. Therefore, this is a clear violation of the data minimization principle. One of the ways to reinvent this principle is by borrowing from the best practices around warnings and labels on packaging introduced by the global anti-tobacco campaign. A permanent bar could be required in all apps, stating ‘Facebook holds W number of records across X databases over the time period Y, which totals Z Gb’. Each of these alphabets could be a hyperlink, allowing the user to easily drill down to the individual data record.

Consent must be explicit, informed and voluntary

Two, the principle of consent requires that the data controller secure explicit, informed and voluntary consent from the data subject unless there are exceptional circumstances. Unfortunately, consent has been reduced to a mockery today through obfuscation by lawyers in verbose “privacy notices” and “terms of services”. To reinvent consent we need to bring ‘Do Not Dial’ registries into the era of big data. A website maintained by the future Indian data protection regulator could allow individuals to check against their unique identifiers (email, phone number, Aadhaar). The website would provide a list of all data controllers that are holding personal information against a particular unique identifier. The data subject should then be able to revoke consent with one-click. Once consent is revoked, the data controller would have to delete all personal information that they hold, unless retention of such information is required under law (for example, in banking law). One-click revocation of consent will make data controllers like Facebook treat data subjects with greater respect.

There must be a right to explanation

Three, the right to explanation, most commonly associated with the General Data Protection Directive from the EU, is a principle that requires the data controller to make transparent the automated decision-making process when personal information is implicated. So far it has been seen as a reactive measure for user empowerment. In other words, the explanation is provided only when there is a demand for it.

The Facebook feeds that were used for manipulation through micro-targeting of content is an example of such automated decision making. Regulation in India should require a user empowerment panel accessible through a prominent icon that appears repeatedly in the feed. On clicking the icon the user will be able to modify the objectives that the algorithm is maximizing for. She can then choose to see content that targets a bisexual rather than a heterosexual, a Muslim rather than a Hindu, a conservative rather a liberal, etc. At the moment, Facebook only allows the user to stop being targeted for advertisements based on certain categories. However, to be less susceptible to psychological manipulation, the user should be allowed to define these categories, for both content and advertisements.

How to fix the business model?

From a competition perspective, Google and Facebook have destroyed the business model for real news, and replaced it with a business model for fake news, by monopolizing digital advertising revenues. Their algorithms are designed to maximize the amount of time that users spend on their platforms, and therefore, don’t have any incentive to distinguish between truth and falsehood. This contemporary crisis requires three types of interventions: one, appropriate taxation and transparency to the public, so that the revenue streams for fake news factories can be ended; two, the construction of a common infrastructure that can be shared by all traditional and new media companies in order to recapture digital advertising revenues; and three, immediate action by the competition regulator to protect competition between advertising networks operating in India.

The Google challenge

With Google, the situation is even worse, since Google has dominance in both the ad network market and in the operating system market. During the birth of competition law, policy-makers and decision-makers acted to protect competition per se. This is because they saw competition as an essential component of democracy, open society, innovation, and a functioning market. When the economists from the Chicago school began to influence competition policy in the USA, they advocated for a singular focus on the maximization of consumer interest. The adoption of this ideology has resulted in competition regulators standing powerlessly by while internet giants wreck our economy and polity. We need to return to the foundational principles of competition law, which might even mean breaking Google into two companies. The operating system should be divorced from other services and products to prevent them from taking advantage of vertical integration. We as a nation need to start discussing the possible end stages of such a breakup.

In conclusion, all the fixes that have been listed above require either the enactment of a data protection law, or the amendment of our existing competition law. This, as we all know, can take many years. However, there is an opportunity for the government to act immediately if it wishes to. By utilizing procurement power, the central and state governments of India could support free and open source software alternatives to Google’s products especially in the education sector. The government could also stop using Facebook, Google and Twitter for e-governance, and thereby stop providing free advertising for these companies for print and broadcast media. This will make it easier for emerging firms to dislodge hegemonic incumbents.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-march-28-2018-sunil-abraham-cambridge-analytica-scandal-how-india-can-save-democracy-from-facebook

The scariest bill in Parliament is getting no attention – here’s what you need to know about it

sunil — 2015-09-13T07:56:42Z

A bill proposes creation of a national DNA data bank, without requisite safeguards for privacy, and opens the information to everything from civic disputes to compilation of statistics.

The blog post by Nayantara Narayanan was published in Scroll.in on July 24, 2015.

On Wednesday, the Narendra Modi government told the Supreme Court that India's citizens have no fundamental right to privacy. Attorney General Mukul Rohatgi referred to a 1950 court verdict which held that the right to privacy was not a fundamental right while defending the constitutional validity of the Aadhar scheme, a massive database of information of individual citizens including biometrics and bank accounts. At the same time, the government is planning another big database.

In the ongoing stormy monsoon session of Parliament, where the government and opposition have locked horns over several proposed legislation, Human DNA Profiling Bill 2015 has been making little noise but can have widespread impact on India’s criminal justice system and the privacy of citizens. The bill aims to regulate the collection and use of genetic material from crime scenes, and also proposes the creation of a national DNA databank that might be used for non-forensic purposes.

DNA is a mighty tool, especially in criminal forensics, but access to a person’s genetic information can be highly intrusive and dangerous. DNA contains information about health and genetic relationships that can influence employment, insurance. It can be tampered with and planted at crime scenes.

Law and poverty expert Usha Ramanathan and Centre for Internet and Society executive director Sunil Abraham, who are members of an expert committee on DNA profiling constituted by the government, have written dissent notes against the final draft of the Human DNA Profiling Bill. Ramanathan and Abraham are of the opinion that there aren’t adequate safeguards to privacy and too much power rests with the proposed DNA Profiling Board.

Ramanathan notes that one of the biggest challenges of a DNA database is function creep – the gradual widening of the use of a technology beyond the purpose for which it was originally intended. As this DNA profiling bill enters Parliament, here are some questions we should be asking.

Is DNA evidence infallible?

The short answer is “no”. Despite all the crime shows and murder movies we have seen where DNA evidence nails the perpetrator to the crime, DNA evidence is far from absolute. Genetic material recovered from a crime scene is likely to be only a partial strand of DNA. Analysing this partial strand can lead to a match with the person that left the DNA behind but can also lead to a coincidental match with people who happen to have a similar gene sequence in their DNA. False incriminations can happen when more than one person’s DNA get mixed at the crime scene, from DNA contamination, mislabelling and even degradation over time.

In the Aarushi Talwar murder case, for instance, the Hyderabad-based Centre for DNA Fingerprinting and Diagnostics altered its 2008 report in 2013 and admitted to typographical errors in the description of its DNA samples. The evidence could have changed the course of the investigation.

What will the national DNA database look like?

The bill proposes to set up a national DNA data bank and a number of state or regional data banks that will feed into the national data pool. Every data bank will have six categories under which DNA profiles will be filed – crime scene index, suspects’ index, offenders’ index, missing persons’ index, unknown deceased persons’ index, and volunteers’ index. The DNA profiling board will have the power to include more categories. In the offenders’ index, the DNA information will be linked to the name of the person from whom it was collected. All others will be linked to a case reference number.

What happens when my genetic material is on the database?

The bill gives sanction for broad use of DNA profiles and samples – to identify victims of accidents or disasters, to identify missing persons, for civil disputes and other offences. It also allows the information to be used to create population statistics, identification research, parental disputes, issues relating to reproductive technologies and migration. In his dissent note, Abraham argues that all non-forensic use should be rejected.

Cases like whether paternity should be determined, unwed mothers leaving their children and adopted children looking for their natural parents are hugely contestable things, said Ramanathan. “You are changing multiple structures and not recognising any of them,” she added.

Even though the bill allows for DNA information of offenders to be expunged once a court acquits them or sets aside a conviction, it makes no provision for removing other kinds of profiles.

The CDFD, which will be instrumental in building and processing DNA profiles, is using the CODIS software bought from the US's Federal Bureau of Investigation an compatible with their systems. The FBI used CODIS to identify victims of the terrorist attacks on the World Trade Center in 2001. More recently, the CDFD used CODIS to identify some who died in the Uttarakhand floods of 2013 after asking for 5,000 people who were possibly relatives of the deceased to undertake DNA testing.

Can the DNA profiling board protect our genetic information?

The bill grants the board vast powers to allow the use of DNA profiles in any civil and criminal proceedings that it deems necessary. “Ideally these powers would lie with the legislative or judicial branch,” Abraham said, in his dissent note. “Furthermore, the Bill establishes no mechanism for accountability or oversight over the functioning of the Board.”

Ramanathan questions the constitution of the board itself, her worry being that the board is not a body of disinterested officials. The secretary of the board is supposed to be from the Centre for DNA Fingerprinting and Diagnostics, an autonomous institute that will get a lot of work from the creation of the national DNA data bank.

Why does a DNA fingerprinting consent form ask for caste?

One of the most troubling features of the creation of a databank is the consent form to be signed by a person donating blood for DNA analysis. Along with name, gender and address, the form also asks for caste to be listed.

India has a history of unwarrantedly linking caste and community with criminality. Members of decriminalised tribes regularly report being harassed by the police and even having false cases foisted on them simply because they are linked to a certain community. Tagging caste onto genetic data can result in unfair profiling and identification errors.

The United Kingdom set up its national criminal DNA database in 1995. The database expanded over a decade by including genetic information of anyone who was arrested till more than one million innocent people were on it – including a grandmother who didn’t return a football to children who kicked it into her garden. The dangers of a genetic database are too much state oversight, false implication in crimes and a loss of privacy – none of which should come to pass without at least a debate.

For more details visit https://cis-india.org/internet-governance/news/the-scariest-bill-in-parliament-is-getting-no-attention-2013-here2019s-what-you-need-to-know-about-it

Why the DNA Bill is open to misuse: Sunil Abraham

sunil — 2015-09-13T08:37:44Z

The Human DNA Profiling Bill, the law that regulates the collection, storage and use of the human genetic code, has attracted some strong criticism from civil liberties groups including the Bengaluru-based Centre for Internet and Society (CIS) which had participated in the expert committee for DNA profiling constituted by the Department of Biotechnology in 2012.

CIS circulated a detailed dissent note earlier this year on the draft of the Bill. As the government gets ready to table the Bill in Parliament, CIS Executive Director Sunil Abraham tells Kanika Datta why the provisions of the Bill are open to misuse and invasion of privacy. Edited excerpts:

Why does Centre for Internet and Society reject using DNA analysis for non-forensic use as set out in the Human DNA Profiling Bill in its current form? What are the possible risks involved here?

The problem here is that the introduction to the Bill talks of DNA matches "without a doubt". But the way we understand it, biometric technology depends on approximate matching and not discrete matching. Unlike, say, the technology used for matching digital signatures, machines for matching DNA, fingerprints or the iris specify a false positive ratio when they leave the factory - that's what created the controversy in the O J Simpson trial, for example. This means you have to be very conservative in populating the database. For a given false positive ratio - the larger the database the greater the incidence of mistaken identification. That is why we think that for purposes other than forensic use, it would be better to create other databases.

Let me clear: we are not Luddites but neither are we naïve techno-enthusiasts. After all, the Innocence Project in the US has managed to overturn the convictions of many people who were held guilty through DNA evidence. But it is a myth that the more sophisticated the technology the more secure and accurate it is. In fact, the reverse is often true. For instance, the voter machines we use in India are primitive technology but they are much harder to compromise compared to the voting machines used in the US. Given all this, we believe that there should be "process fixes", such as sending DNA collected from a crime scene to two laboratories as a check and balance against the fallibility of human beings and machines.

CIS made the point that the powers of the DNA Board are too wide. In what possible way could these powers be misused since the Board is to be an independent authority?

When this exercise was started, the DNA Board had 26 functions. We proposed that this be cut this down to ten, which was accepted by a sub-committee. But when the final Bill came back it rejected the consensus view and restored the 26 functions, including things like "raising the general awareness". All this detracts from the Board's primary role and efficiency and expands its discretionary powers. It is true that a good regulator needs some amount of discretion but this should be a limited discretion within a tightly defined scope -- this is true for any regulator, not just the DNA Board.

The provision that no civil suit can be entertained on any matter on which the DNA Board is empowered under the Act looks excessive. Is there any precedent that explains why this provision was introduced? What kind of oversight and checks and balances are there in other jurisdictions that could be incorporated in the Indian law?

I can understand the logic here; the government is trying to ensure that the regulator has final say. After all, if you look at telecom, the decisions of the TDSAT (Telecom Dispute Settlement & Appellate Tribunal) can be appealed in the High Court and the Supreme Court. But eliminating judicial appeal as this Bill has state amounts to a violation of classic regulatory design by circumventing the appellate process. Ideally, we need a tripartite separation of law in which the executive frames policies, the DNA board implements them and the courts adjudicate upon them.

You have said the term "DNA Analysis" has not been defined. Could you explain the possible risks of the absence of a definition?

DNA analysis is of many types and some of them allow you to get to know a person quite intimately in terms of their medical history, genetic traits and so on. But forensic analysis looks at a limited set of markers which are essentially privacy-protecting and from which no genetic traits can be determined. You can't, for instance, do a study on the genetic make-up of criminals from this analysis. Now, if this Bill is around law enforcement - which we know is the policy intention - then the DNA analysis should be limited to those markers. That would reduce the chances of abuse.

You have also criticised the low standards of information disclosure and suggest the issue should be vested in an independent third party rather than the DNA Bank Manager. Could you explain how this would help?

In information and technology and telecom there is an executive authorisation mechanism in place for information sharing that requires the home secretary's permission for non-emergency situations and the head of the police station in the case of an emergency. We want a similar authorisation process - say, a judge and an established paper trail so that there are proper checks and balances. When personal information is involved, even the DNA Board is not well placed because its members are scientists whereas disclosure of personal information is a question of the law.

You have said the Bill has not been brought in line with the nine national privacy principles set out by an expert committee in 2012. Shouldn't a privacy law precede the passing of the DNA Bill in any case?

It's not a chicken-and-egg situation, but the point to consider is that the world is moving towards European data protection principles, and something like 100 countries have adopted it. If we in India want to trade in European personal information (via our BPO and outsourcing businesses) we must have a law that is adequate from the data protection perspective. This means, among other things, mandating that anyone whose DNA profile is accessed receives a notice to this effect, for instance. We know that the Department of Personnel and Training has incorporated the principles set out in the Justice Shah report in the privacy Bill two years ago but we haven't heard anything about it since. If and when this Bill is enacted, it will have overriding powers over a host of laws. But where the DNA Bill is concerned, there is no reason for it not to take cognisance of a later law.

What has been the government's reaction to this dissent note?

No reaction!

For more details visit https://cis-india.org/internet-governance/news/business-standard-kanika-datta-august-1-2015-why-the-dna-bill-is-open-to-misuse-sunil-abraham

Linking Aadhaar with social media or ending encryption is counterproductive

sunil — 2019-08-28T01:39:47Z

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move.

The article was published in Prime Time on August 26, 2019.

The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:

Identity data: Phone numbers of the accused. Names and addresses of the accused.
Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.
Payload Data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

For more details visit https://cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive

Artificial Intelligence: a Full-Spectrum Regulatory Challenge [Working Draft]

sunil — 2020-08-04T06:10:13Z

Today, there are certain misconceptions regarding the regulation of AI. Some corporations would like us to believe that AI is being developed and used in a regulatory vacuum. Others in civil society organisations believe that AI is a regulatory circumvention strategy deployed by corporations. As a result, these organisations call for onerous regulations targeting corporations. However, some uses of AI by corporations can be completely benign and some uses AI by the state can result in the most egregious human rights violations. Therefore policy makers need to throw every regulatory tool from their arsenal to unlock the benefits of AI and mitigate its harms.

This policy brief proposes a granular, full spectrum approach to the regulation of AI depending on who is using AI, who is impacted by that use and what human rights are impacted. Everything from deregulation, to forbearance, to updated regulations, to absolute and blanket prohibitions needs to be considered depending on the specifics. This approach stands in contrast to approaches of ethics, omnibus law, homogeneous principles, and human rights, which will result in inappropriate under-regulation or over-regulation of the sector.

Find a copy of the working draft here.

For more details visit https://cis-india.org/internet-governance/artificial-intelligence-a-full-spectrum-regulatory-challenge-working-draft

Surveillance Project

sunil — 2016-04-05T15:21:27Z

The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.

The article will be published in Frontline, April 15, 2016 print edition.

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.

Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.

Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”

Near zero. We now move biometrics as the identification factor. The rate of potential duplicates or “False Positive Identification Rate” which according to the UIDAI is only 0.057 per cent. Which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.

Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology

One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”

Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?

Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

For more details visit https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project