The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 1 to 12.
Reconfiguring Data Governance: Insights from India and the EU
https://cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu
<b>This policy paper is the result of a workshop organised jointly by the Tilburg Institute of Law, Technology and Society, Netherlands, the Centre for Communication Governance at the National Law University Delhi, India and the Centre for Internet & Society, India in January, 2023. The workshop brought together a number of academics, researchers, and industry representatives in Delhi to discuss a range of issues at the core of data governance theory and practice. </b>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/ReconfiguringDataGovernance.png/@@images/70165fe1-cc66-4cac-9f99-b7485c87218a.png" alt="Reconfiguring Data Governance" class="image-inline" title="Reconfiguring Data Governance" /></p>
<p style="text-align: justify; ">The workshop aimed to compare and assess lessons from data governance from India and the European Union, and to make recommendations on how to design fit-for-purpose institutions for governing data and AI in the European Union and India.</p>
<p style="text-align: justify; ">This policy paper collates key takeaways from the workshop by grounding them across three key themes: how we conceptualise data; how institutional mechanisms as well as community-centric mechanisms can work to empower individuals, and what notions of justice these embody; and finally a case study of enforcement of data governance in India to illustrate and evaluate the claims in the first two sections.</p>
<p style="text-align: justify; ">This report was a collaborative effort between researchers Siddharth Peter De Souza, Linnet Taylor, and Anushka Mittal at the Tilburg Institute for Law, Technology and Society (Netherlands), Swati Punia, Sristhti Joshi, and Jhalak M. Kakkar at the Centre for Communication Governance at the National Law University Delhi (India) and Isha Suri, and Arindrajit Basu at the Centre for Internet & Society, India.</p>
<hr />
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/reconfiguring-data-governance.pdf"><b>report</b></a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu'>https://cis-india.org/internet-governance/blog/reconfiguring-data-governance-insights-from-india-and-eu</a>
</p>
No publisherSwati Punia, Srishti Joshi, Siddharth Peter De Souza, Linnet Taylor, Jhalak M. Kakkar, Isha Suri, Arindrajit Basu, and Anushka MittalInternet GovernanceData GovernanceData ProtectionData Management2024-02-20T00:30:00ZBlog EntryDemystifying Data Breaches in India
https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india
<b>Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.
</b>
<p>Edited by Arindrajit Basu and Saumyaa Naidu</p>
<hr />
<p dir="ltr" style="text-align: justify; ">India saw a <a href="https://theprint.in/india/despite-62-drop-in-data-breaches-india-among-top-5-nations-targeted-by-hackers-study-finds/917197/">62% drop in data breaches in the first quarter of 2022</a>. Yet, it ranked fifth on the list of countries most hit by cyberattacks according to a 2022 <a href="https://surfshark.com/blog/data-breach-statistics-by-country">report by Surfshark</a>, a Netherlands-based VPN company. Another report <a href="https://analyticsindiamag.com/the-ridiculous-17-5-cr-for-a-data-breach/">on the cost of data breaches researched by the Ponemon Institute and published by IBM</a> reveals that the breach of about 29500 records between March 2021 and March 2022 resulted in a 25% increase in the average cost from INR 165 million in 2021 to INR 176 million in 2022.</p>
<p style="text-align: justify; "><span>These statistics are certainly a cause for concern, especially in the context of India’s rapidly burgeoning digital economy shaped by the pervasive platformization of private and public services such as welfare, banking, finance, health, and shopping among others. Despite the rate at which data breaches occur and are reported in the media, there seems to be little information about how and when they are resolved. This post examines the discourse on data breaches in India with respect to their historical forms, with a focus on how the specific terminology to describe data security incidents has evolved in mainstream news media reportage.</span></p>
<p style="text-align: justify; "><span>While expert articulations of cybersecurity in general and data breaches in particular tend to predominate the public discourse on data privacy, this post aims to situate broader understandings of data breaches within the historical context of India’s IT revolution and delve into specific concepts and terminology that have shaped the broader discourse on data protection. The late 1990s and early 2000s offer a useful point of entry into the genesis of the data security landscape in India.</span></p>
<h3><span></span><span>Data Breaches and their Predecessor Forms</span></h3>
<p style="text-align: justify; "><span></span><span>The articulation of data security concerns around the late 1990s and early 2000s isn’t always consistent in deploying the phrase, ‘data breach’ to signal cybersecurity concerns in India. The terms such as ‘data/ identity theft’ and ‘data leak’ figure prominently in the public articulation of concerns with the handling of personal information by IT systems, particularly in the context of business process outsourcing (BPO) and e-commerce activities. Other pertinent terms such as “security breach”, “data security”, and ‘“cyberfraud” also capture the specificity of growing concerns around outsourced data to India. At the time, i.e. around mid-2000s regulatory frameworks were still evolving to accommodate and address the complexities arising from a dynamic reconfiguration of the telecommunications and IT landscape in India.</span></p>
<p dir="ltr" style="text-align: justify; ">Some of the formative cases that instantiate the usage of the aforementioned terms are instructive to understand shifts in the reporting of such incidents over time. The earliest case during that period concerns<a href="https://www.stop-source-code-theft.com/source-code-theft-cases-in-india/"> a 2002 case concerning the theft and sale of source code</a> by an IIT Kharagpur student who intended to sell the code to two undercover FBI agents who worked with the CBI to catch the thief. A straightforward case of data theft was framed by media stories around the time as a <a href="https://timesofindia.indiatimes.com/iitian-held-for-stealing-software-source-code/articleshow/20389713.cms">cybercrime involving the illegal sale</a> of the source code of a software package, as <a href="https://economictimes.indiatimes.com/ip-laws-lax-but-us-firm-bets-on-india/articleshow/696197.cms?from=mdr">software theft of intellectual property in the context of outsourcing</a> and as an instance of <a href="https://www.computerworld.com/article/2573515/at-risk-offshore.html">industrial espionage in poor nations without laws protecting foreign companies</a>. This case became the basis of the earliest calls for the protection of data privacy and security in the context of the Indian BPO sector. The Indian IT Act, 2000 at the time only covered <a href="http://pavanduggal.com/wp-content/uploads/2016/01/India-Responds-to-Growing-Concerns-Over-Data-Security.pdf">unauthorized access and data theft from computers and networks without any provisions for data protection, interception or computer forgery</a>. The BPO boom in India brought with it <a href="https://blj.ucdavis.edu/archives/vol-6-no-2/offshore-outsourcing-to-india.html">employment opportunities for India’s English-speaking, educated youth but in the absence of concrete data privacy legislation</a>, the country was regarded as an unsafe destination for outsourcing aside from the political ramifications concerning the loss of American jobs.</p>
<p dir="ltr" style="text-align: justify; ">In a major 2005 incident, employees of the Mphasis BFL call centre in Pune extracted sensitive bank account information of Citibank’s American customers to divert INR 1.90 crore into new accounts set up in India. The media coverage of this incident calls it <a href="https://www.indiatoday.in/magazine/economy/story/20050502-pune-call-centre-fraud-rattles-india-booming-bpo-sector-787790-2005-05-01">India’s first outsourcing cyberfraud and a well planned scam</a>, a <a href="https://economictimes.indiatimes.com/mphasis-call-centre-fraud-net-widens/articleshow/1077097.cms">cybercrime in a globalized world</a>, and a case of <a href="https://timesofindia.indiatimes.com/home/sunday-times/deep-focus/indias-first-bpo-scam-unraveled/articleshow/1086438.cms">financial fraud and a scam</a> that required no hacking skills, and a <a href="https://www.infoworld.com/article/2668975/indian-call-center-workers-charged-with-citibank-fraud.html">case of data theft and misuse</a>. Within the ambit of cybercrime, media reports of these incidents refer to them as cases of “fraud”, “scam” and “theft''.</p>
<p dir="ltr" style="text-align: justify; ">Two other incidents in 2005 set the trend for a critical spotlight on data security practices in India. In a <a href="http://news.bbc.co.uk/2/hi/south_asia/4619859.stm">June 2005 incident, an employee of a Delhi-based BPO firm, Infinity e-systems, sold the account numbers and passwords of 1000 bank customers </a>to the British Tabloid, The Sun. The Indian newspaper, Telegraph India, carried an online story headlined, “<a href="https://www.telegraphindia.com/india/bpo-blot-in-british-backlash-indian-sells-secret-data/cid/873737">BPO Blot in British Backlash: Indian Sells Secret Data</a>,” which reported that the employee, Kkaran Bahree, 24, was set up by a British journalist, Oliver Harvey. Harvey filmed Bahree accepting wads of cash for the stolen data. Bahree’s theft of sensitive information is described both as a data fraud and a leak in the above 2005 BBC story by Soutik Biswar. Another story on the incident calls it a “<a href="https://www.rediff.com/money/2005/jun/24bpo3.htm">scam” involving the leakage of credit card information</a>. The use of the term ‘leak’ appears consistently across other media accounts such as a <a href="https://timesofindia.indiatimes.com/city/delhi/esearch-bpo-employee-sacked-still-missing/articleshow/1153017.cms">2005 story on Karan Bahree in the Times of India</a> and another story in the Economic Times about the Australian Broadcasting Corporation’s (ABC) sting operation similar to the one in Delhi, describing the scam by the <a href="https://economictimes.indiatimes.com/hot-links/bpo/karan-bahree-part-ii-shot-in-australia/articleshow/1201347.cms?from=mdr">fraudsters as a leak</a> of the online information of Australians. Another media account of the coverage describes the incident in more generic terms such as an “<a href="https://www.tribuneindia.com/2005/20050625/edit.htm">outsourcing crime</a>”.</p>
<p dir="ltr" style="text-align: justify; ">The other case concerned <a href="https://www.taylorfrancis.com/chapters/mono/10.4324/9781315610689-16/political-economy-data-security-bpo-industry-india-alan-chong-faizal-bin-yahya">four former employees of Parsec technologies who stole classified information and diverted calls from potential customers</a>, causing a sudden drop in the productivity of call centres managed by the company in November 2005. Another call centre <a href="http://news.bbc.co.uk/1/hi/uk/7953401.stm">fraud came to light in 2009 through a BBC sting operation in which British reporters went to Delhi </a>and secretly filmed a deal with a man selling credit card and debit card details obtained from Symantec call centres, which sold software made by Norton. This BBC story uses the term “breach” to refer to the incident.</p>
<p dir="ltr">In the broader framing of these cases generally understood as cybercrime, which received transnational media coverage, the terms “fraud”, “leak”, “scam”, and “theft” appear interchangeably. The term “data breach” does not seem to be a popular or common usage in these media accounts of the BPO-related incidents. A broader sense of breach (of confidentiality, privacy) figures in the media reportage in <a href="https://economictimes.indiatimes.com/hot-links/bpo/cyber-crimes-can-the-west-trust-indian-bpos/articleshow/1157115.cms?from=mdr">implicitly racial terms of cultural trust</a>, as a matter of <a href="https://www.news18.com/news/business/bpo-staff-need-ethical-training-poll-248442.html">ethics and professionalism</a> and in the <a href="https://www.news18.com/news/business/sting-op-may-spell-doom-for-bpos-248260.html">language of scandal </a>in some cases.</p>
<p dir="ltr" style="text-align: justify; ">These early cases typify a specific kind of cybercrime concerning the theft or misappropriation of outsourced personal data belonging to British or American residents. What’s remarkable about these cases is the utmost sensitivity of the stolen personal information including financial details, bank account and credit/debit card numbers, passwords, and in one case, source code. While these cases rang the alarm bells on the Indian BPO sector’s data security protocols, they also directed attention to concerns around <a href="https://economictimes.indiatimes.com/hot-links/bpo/cyber-crimes-can-the-west-trust-indian-bpos/articleshow/1157115.cms?from=mdr">the training of Indian employees on the ethics of data confidentiality and vetting through psychometric tests</a> for character assessment. In the wake of these incidents, the National Association of Software and Service Companies (NASSCOM), an Indian non-governmental trade and advocacy group,<a href="https://www.computerworld.com/article/2547959/outsourcing-to-india--dealing-with-data-theft-and-misuse.html"> launched a National Skills Registry for IT professionals to enable employers to conduct background checks</a> in 2006.</p>
<p dir="ltr" style="text-align: justify; ">These data theft incidents earned India a global reputation of an unsafe destination for business process outsourcing, seen to be lacking both, a culture of maintaining data confidentiality and concrete legislation for data protection at the time. Importantly, the incidents of data theft or misappropriation were also traceable back to a known source, a BPO employee or a group of malefactors, who often sold sensitive data belonging to foreign nationals to others in India.</p>
<p dir="ltr" style="text-align: justify; ">The phrase “data leak” also caught on in another register in the context of the widespread use of camera-equipped mobile phones in India. The 2004 Delhi MMS case offers an instance of a date leak, recapitulating the language of scandal in moralistic terms.</p>
<h3 dir="ltr">The Delhi MMS Case</h3>
<p dir="ltr" style="text-align: justify; ">The infamous 2004 incident involved two underage Delhi Public School (DPS) students who recorded themselves in a sexually explicit act on a cellular phone. After a fall out, the male student passed the low-resolution clip on to his friend in which his female friend’s face is seen. The clip, distributed far and wide in India, ended up on the famous e-shopping and auction website, bazee.com leading to <a href="https://indiancaselaw.in/avnish-bajaj-vs-state-dps-mms-scandal-case/">the arrest of the website’s CEO Avinash Bajaj for hosting the listing for sale</a>. Another similar case in 2004 mimicked the mechanics of visual capture through hand-held MMS-enabled mobile phones. A two-minute MMS of a top South-Indian actress <a href="https://timesofindia.indiatimes.com/india/web-of-sleaze-now-nude-video-of-top-actress/articleshow/966048.cms">taking a shower went viral on the Internet in 2004, the year when another MMS of two prominent Bollywood actors kissing</a> had already done the rounds. The <a href="https://www.journals.upd.edu.ph/index.php/plaridel/article/view/2392">MMS case also marked the onset of a national moral panic around the amateur uses of mobile phone technologies</a>, capable of corrupting young Indian minds under a sneaky regime of new media modernity. The MMS case, not strictly the classic case of a data breach - non-visual information generally stored in databases - became an iconic case of a data leak framed in the media as <a href="https://www.telegraphindia.com/india/scandal-in-school-shakes-up-delhi/cid/1667531">a scandal that shocked the country</a>, with calls for the regulation of mobile phone use in schools. The case continued its scandalous afterlife in a <a href="https://www.heraldgoa.in/Edit/dev-ds-leni-has-a-dps-mms-scandal-connection-/21344">2009 Bollywood film, Dev D</a> and another <a href="https://indianexpress.com/article/entertainment/entertainment-others/delhi-mms-scandal-inspires-dibakars-love-sex-aur-dhoka/">2010 film, Love, Sex and Dhokha</a>,</p>
<p dir="ltr" style="text-align: justify; ">Taken together, the BPO data thefts and frauds and the data leak scandals prefigure the contemporary discourse on data breaches in the second decade of the 21st century, or what may also be called the Decade of Datafication. The launch of the Indian biometric identity project, Aadhaar, in 2009, which linked access to public services and welfare delivery with biometric identification, resulted in large-scale data collection of the scheme’s subscribers. Such linking raised the spectre of state surveillance as alleged by the critics of Aadhaar, marking a watershed moment in the discourse on data privacy and protection.</p>
<h3 dir="ltr">Aadhaar Data Security and Other Data Breaches</h3>
<p dir="ltr" style="text-align: justify; ">Aadhaar was challenged in the Indian Supreme Court in 2012 when <a href="https://www.outlookindia.com/website/story/worries-about-the-aadhaar-monster/296790">it was made mandatory for welfare and other services such as banking, taxation and mobile telephony</a>. The national debate on the status of privacy as a cultural practice in Indian society and a fundamental right in the Indian Constitution led to two landmark judgments - the <a href="https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf">2017 Puttaswamy ruling</a> holding privacy to be a constitutional right subject to limitations and <a href="https://indiankanoon.org/doc/127517806/">the 2018 Supreme Court judgment holding mandatory Aadhaar to be constitutional only for welfare and taxation but no other service</a>.</p>
<p dir="ltr" style="text-align: justify; ">While these judgments sought to rein in Aadhaar’s proliferating mandatory uses, biometric verification remained the most common mode of identity authentication with <a href="https://www.businesstoday.in/latest/trends/story/aadhaar-not-mandatory-yet-organisations-pose-it-as-a-mandatory-document-335550-2022-05-29">most organizations claiming it to be mandatory for various purposes</a>. During the same period from 2010 onwards, a range of data security events concerning Aadhaar came to light. These included <a href="https://www.firstpost.com/tech/news-analysis/aadhaar-security-breaches-here-are-the-major-untoward-incidents-that-have-happened-with-aadhaar-and-what-was-actually-affected-4300349.html">app-based flaws, government websites publishing Aadhaar details of subscribers, third party leaks of demographic data, duplicate and forged Aadhaar cards and other misuses</a>.</p>
<p dir="ltr" style="text-align: justify; ">In 2015, the Indian government launched its ambitious <a href="https://indiancc.mygov.in/wp-content/uploads/2021/08/mygov-10000000001596725005.pdf">Digital India Campaign to provide government services to Indian citizens</a> through online platforms. Yet, data security breach incidents continued to increase, particularly the trade in the sale and purchase of sensitive financial information related to bank accounts and credit card numbers. The online availability of <a href="https://www.livemint.com/Industry/l5WlBjdIDXWehaoKiuAP9J/India-unprepared-to-tackle-online-data-security-report.html">a rich trove of data, accessible via a simple Google search without the use of any extractive software or hacking skills </a>within a thriving shadow economy of data buyers and sellers makes India a particularly vulnerable digital economy, especially in the absence of robust legislation. The lack of awareness around digital crimes and low digital literacy further exacerbates the situation given that datafication via government portals, e-commerce, and online apps has outpaced the enforcement of legislative frameworks for data protection and cybersecurity.</p>
<p dir="ltr" style="text-align: justify; ">In the context of Aadhaar data security issues, the term “data leak” seems to have more traction in media stories followed by the term “security breach”. Given the complexity of the myriad ways in which Aadhaar data has been breached, terms such as <a href="https://techcrunch.com/2022/06/13/aadhaar-leak-pm-kisan/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAADvQXtC19Gj80LSKVc5jLwnRsREalvM2f6dV3N9KmCs8be6_1Zbvu3J6abPmBxhLlUooLiOjg4JktYDDCXr0OYYvOZ5XFlXa6DfCJk97TvMXM-cs3uJbCJBA-ePqvAC5K4qGZSyDB4OykMEOIKXJpB0CTOourPRc5dBxFFq5JXlB">data leak and exposure</a> (of <a href="https://zeenews.india.com/personal-finance/aadhaar-data-breach-over-110-crore-indian-farmers-aadhaar-card-data-compromised-2473666.html">11 crore Indian farmers’ sensitive information</a>) add to the specificity of the data security compromise. The term “fraud” also makes a comeback in the context of <a href="https://www.business-standard.com/article/economy-policy/india-s-aadhaar-id-system-delivers-benefits-but-at-risk-of-widespread-fraud-122062400124_1.html">Aadhaar-related data security incidents</a>. These cases represent a mix of data frauds involving<a href="https://economictimes.indiatimes.com/news/india/alarm-over-fake-id-printing-websites-using-customer-data-for-cyber-fraud/articleshow/94742646.cms"> fake identities</a>, <a href="https://indianexpress.com/article/cities/delhi/in-new-age-data-theft-fraudsters-steal-thumb-prints-from-land-registries-7914530/">theft of thumb prints </a>for instance from land registries and inadvertent data leaks in numerous incidents involving <a href="https://techcrunch.com/2019/01/31/aadhaar-data-leak/">government employees in Jharkhand</a>, v<a href="https://www.firstpost.com/india/aadhaar-data-leak-details-of-7-82-cr-indians-from-ap-and-telangana-found-on-it-grids-database-6448961.html">oter ID information of Indian citizens in Andhra Pradesh and Telangana</a> and <a href="https://www.thehindu.com/sci-tech/technology/major-aadhaar-data-leak-plugged-french-security-researcher/article26584981.ece">activist reports of Indian government websites leaking Aadhaar data</a>.</p>
<p dir="ltr" style="text-align: justify; ">Aadhaar-related data security events parallel the increase in corporate data breaches during the decade of datafication. The term “data leak” again alternates with the term “data breach” in most media accounts while other terms such as “theft” and “scam” all but disappear in the media coverage of corporate data breaches.</p>
<p dir="ltr" style="text-align: justify; ">From 2016 onwards, incidents of corporate data breaches in India continued to rise. A massive <a href="https://thewire.in/banking/debit-card-breach-india-banking">debit card data breach involving the YES Bank ATMs and point-of-sale (PoS) machines </a>compromised through malware between May and July of 2016 resulted in the exposure of ATM PINs and non-personal identifiable information of customers. It went <a href="https://www.livemint.com/Industry/Ope7B0jpjoLkemwz6QXirN/SBI-Yes-Bank-MasterCard-deny-data-breach-of-own-systems.html">undetected for nearly three</a> months. Another data leak in 2018 concerned a <a href="https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/">system run by Indane, a state-owned utility company, which allowed anyone to download private information on all Aadhaar holders </a>including their names, services they were connected to and the unique 12-digit Aadhaar number. Data breaches continued to be reported in India concurrent with the incidents of data mismanagement related to Aadhaar. Some <a href="https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html">prominent data breaches included </a>a cyberattack on the systems of airline data service provider SITA resulting in the leak of Air India passenger data, leakage of the personal details of the Common Admission Test (CAT) applicants, details of credit card and order preferences of Domino’s pizza customers on the dark web, leakage of COVID-19 patients’ test results leaked by government websites, user data of Justpay and Big Basket for sale on the dark web and an SBI data breach among others between 2019 and 2021.</p>
<p dir="ltr" style="text-align: justify; ">The media reportage of these data breaches use the term “cyberattack” to describe the activities of hackers and cybercriminals operating within a<a href="https://www.thehindu.com/sci-tech/technology/internet/most-damaging-cybercrime-services-are-cheap-on-the-dark-web/article37004587.ece"> shadow economy or the dark web</a>. Recent examples of cyberattacks by hackers who leak user data for sale on the dark web include <a href="https://indianexpress.com/article/technology/tech-news-technology/mobikwik-database-leaked-on-dark-web-company-denies-any-data-breach-7251448/">8.2 terabytes of 110 million sensitive financial data (KYC details, Aadhaar, credit/debit cards and phone numbers) of the payments app MobiKwik users</a>, <a href="https://www.firstpost.com/tech/news-analysis/dominos-india-data-breach-name-location-mobile-number-email-of-18-crore-orders-up-for-sale-on-dark-web-9650591.html">180 million Domino’s pizza orders (name, location, emails, mobile numbers),</a> and <a href="https://techcrunch.com/2022/07/18/cleartrip-data-breach-dark-web/">Flipkart’s Cleartrip users’ data</a>. In these incidents again, three terms appear prominently in the media reportage - cyberattack, data breach, and leak. The term “data breach” remains the most frequently used epithet in the media coverage of the lapses of data security. While it alternates with the term “leak” in the stories, the term “data breach” appears consistently across most headlines in the news stories.</p>
<p dir="ltr">The exposure of sensitive, personal, and non-personal data by public and private entities in India is certainly a cause for concern, given the ongoing data protection legislative vacuum.</p>
<p dir="ltr" style="text-align: justify; ">The media coverage of data breaches tends to emphasize the quantum of compromised user data aside from the types of data exposed. The media framing of these breaches in <a href="https://www.livemint.com/technology/tech-news/indian-firms-lost-176-million-to-data-breaches-last-fiscal-11658914231530.html">quantitative terms of financial loss</a> as well as the <a href="https://www.indiatoday.in/technology/news/story/personal-data-of-3-4-million-paytm-mall-users-reportedly-exposed-in-2020-data-breach-1980690-2022-07-27">magnitude</a> and the <a href="https://www.moneycontrol.com/news/business/banks/indian-banks-reported-248-data-breaches-in-last-four-years-says-government-8940891.html">number of breaches</a> certainly highlights the gravity of these incidents but harm to individual users is often not addressed.</p>
<h3 dir="ltr">Evolving Terminology and the Source of Data Harms</h3>
<p dir="ltr" style="text-align: justify; ">The main difference in the media reportage of the BPO cybersecurity incidents during the early aughts and the contemporary context of datafication is the usage of the term, “data breach”, which figures prominently in contemporary reportage of data security incidents but not so much in the BPO-related cybercrimes.</p>
<p dir="ltr" style="text-align: justify; ">THe BPO incidents of data theft and the attendant fraud must be understood in the context of the anxieties brought on by a globalizing world of Internet-enabled systems and transnational communications. In most of these incidents regarded as cybercrimes, the language of fraud and scam ventures further to attribute such illegal actions of the identifiable malefactors to cultural factors such as lack of ethics and professionalism.The usage of the term “data leak” in these media reports functions more specifically to underscore a broader lapse in data security as well as a lack of robust cybersecurity laws. The broader term, “breach”, is occasionally used to refer to these incidents but the term, “data breach” doesn’t appear as such.</p>
<p dir="ltr" style="text-align: justify; ">The term “data breach” gains more prominence in media accounts from 2009 onwards in the context of Aadhaar and the online delivery of goods and services by public and private players. The term “data breach” is often used interchangeably with the term “leak” within the broader ambit of cyberattacks in the corporate sector. The media reportage frames Aadhaar-related security lapses as instances of security/data breaches, data leaks, fraud, and occasionally scam.</p>
<p dir="ltr" style="text-align: justify; ">In contrast to the handful of data security cases in the BPO sector, data breaches have abounded in the second decade of the twenty-first century. What further differentiates the BPO-related incidents to the contemporary data breaches is the source of the data security lapse. Most corporate data breaches remain attributable to the actions of hackers and cybercriminals while the BPO security lapses were traceable back to ex-employees or insiders with access to sensitive data. We also see in the coverage of the BPO-related incidents, the attribution of such data security lapses to cultural factors including a lack of ethics and professionalism often in racial overtones. The media reportage of the BBC and ABC sting operations suggests that the India BPOs lack of preparedness to handle and maintain personal data confidentiality of foreigners point to the absence of a privacy culture in India. Interestingly, this transnational attribution recurs in a different form in the national debate on <a href="https://huffpost.netblogpro.com/archive/in/entry/indians-don-t-care-about-privacy-but-thankfully-the-law-will-teach-them-what-it-means_a_23179031">Aadhaar and how Indians don’t care about their privacy</a>.</p>
<p dir="ltr" style="text-align: justify; ">The question of the harms of data breaches to individuals is also an important one. In the discourse on contemporary data breaches, the actual material harm to an individual user is rarely ever established in the media reportage and generally framed as potential harm that could be devastating given the sensitivity of the compromised data. The harm is reported to be predominantly a function of organizational cybersecurity weakness or attributed to hackers and cybercriminals.</p>
<p dir="ltr" style="text-align: justify; ">The reporting of harm in collective terms of the number of accounts breached, financial costs of a data breach, the sheer number of breaches and the global rankings of countries with the highest reported cases certainly suggests a problem with cybersecurity and the lack of organizational preparedness. However, this collective framing of a data breach’s impact usually elides an individual user’s experience of harm. Even in the case of Aadhaar-related breaches - a mix of leaking data on government websites and other online portals and breaches - the notion of harm owing to exposed data isn’t clearly established. This is, however, different from the <a href="https://scroll.in/article/1013700/six-types-of-problems-aadhaar-is-causing-and-safeguards-needed-immediately">extensively documented cases of Aadhaar-related issues</a> in which welfare benefits have been denied, identities stolen and legitimate beneficiaries erased from the system due to technological errors.</p>
<h3 dir="ltr">Future Directions of Research</h3>
<p dir="ltr" style="text-align: justify; ">This brief, qualitative foray into the media coverage of data breaches over two decades has aimed to trace the usage of various terms in two different contexts - the Indian BPO-related incidents and the contemporary context of datafication. It would be worth exploring at length, the relationship between frequent reports of data breaches, and the language used to convey harm in the contemporary context of a concrete data protection legislation vacuum. It would be instructive to examine the specific uses of the terms such as “fraud”, “leak”, “scam”, “theft” and “breach” in media reporting of such data security incidents more exhaustively. Such analysis would elucidate how media reportage shapes public perception towards the safety of user data and an anticipation of attendant harm as data protection legislation continues to evolve.</p>
<p dir="ltr" style="text-align: justify; ">Especially with Aadhaar, which represents a paradigm shift in identity verification through digital means, it would be useful to conduct a sentiment analysis of how biometric identity related frauds, scams, and leaks are reported by the mainstream news media. A study of user attitudes and behaviours in response to the specific terminology of data security lapses such as the terms “breach”, “leak”, “fraud”, “scam”, “cybercrime”, and “cyberattack” would further contribute to how lay users understand the gravity of a data security lapse. Such research would go beyond expert understandings of data security incidents that tend to dominate media reportage to elucidate the concerns of lay users and further clarify the cultural meanings of data privacy.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india'>https://cis-india.org/internet-governance/blog/demistifying-data-breaches-in-india</a>
</p>
No publisherPawan SinghPrivacyInternet GovernanceData GovernanceData ProtectionData Management2022-10-17T16:14:03ZBlog EntryNothing to Kid About – Children's Data Under the New Data Protection Bill
https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill
<b>The pandemic has forced policymakers to adapt their approach to people's changing practices, from looking at contactless ways of payment to the shifting of educational institutions online.</b>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The article was originally <a class="external-link" href="https://www.ijlt.in/post/nothing-to-kid-about-children-s-data-under-the-new-data-protection-bill">published in the Indian Journal of Law and Technology</a></p>
<hr />
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">For children, the internet has shifted from being a form of entertainment to a medium to connect with friends and seek knowledge and education. However, each time they access the internet, data about them and their choices are inadvertently recorded by companies and unknown third parties. The growth of EdTech apps in India has led to growing concerns regarding children's data privacy. This has led to the creation of a <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">self-regulatory</a> body, the Indian EdTech Consortium. More recently, the <a class="_1lsz7 _3Bkfb" href="https://economictimes.indiatimes.com/tech/startups/edtech-firms-work-to-get-communication-right-with-the-asci/articleshow/89082308.cms" rel="noopener noreferrer" target="_blank">Advertising Standard Council of India</a><span class="_3zM-5"> has </span>also started looking at passing a draft regulation to keep a check on EdTech advertisements.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The Joint Parliamentary Committee (JPC), tasked with drafting and revising the Data Protection Bill, had to consider the number of changes that had happened after the release of the 2019 version of the Bill. While the most significant change was the removal of the term “personal data” from the title of the Bill, in a move to create a comprehensive Data Protection Bill that includes both personal and non personal data. Certain other provisions of the Bill also featured additions and removals. The JPC, in its revised version of the Bill has removed an entire class of <a class="_1lsz7 _3Bkfb" href="https://prsindia.org/billtrack/the-personal-data-protection-bill-2019#:~:text=Obligations%20of%20data%20fiduciary%3A%20A,specific%2C%20clear%20and%20lawful%20purpose" rel="noopener noreferrer" target="_blank">data fiduciaries</a> – guardian data fiduciary – which was tasked with greater responsibility for managing children's data. While the JPC justified the removal of the guardian data fiduciary stating that consent from the guardian of the child is enough to meet the end for which personal data of children are processed by the data fiduciary. While thought has been given to looking at how consent is given by the guardian on behalf of the child, there was no change in the age of children in the Bill. Keeping the age of consent under the Bill as the same as the age of majority to enter into a contract under the 1872 Indian Contract Act – 18 years – reveals the disconnect the law has with the ground reality of how children interact with the internet.</p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">In the current state of affairs where Indian children are navigating the digital world on their own there is a need to look deeply at the processing of children’s data as well as ways to ensure that children have information about consent and informational privacy. By placing the onus of granting consent on parents, the PDP Bill fails to look at how consent works in a privacy policy–based consent model and how this, in turn, harms children in the long run.</p>
<h3 class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d aujbK _3M0Fe _1FoOD iWv3d _1j-51 mm8Nw">1. Age of Consent</h3>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">By setting the age of consent as 18 years under the Data Protection Bill, 2021, it brings all individuals under 18 years of age under one umbrella without making a distinction between the internet usage of a 5-year-old child and a 16-year-old teenager. There is a need to look at the current internet usage habits of children and assess whether requiring parental consent is reasonable or even practical. It is also pertinent to note that the law in the offline world does make the distinction between age and maturity. For example, it has been <a class="_1lsz7 _3Bkfb" href="https://cis-india.org/internet-governance/blog/pallavi-bedi-and-shweta-mohandas-cis-comments-on-data-protection-bill" rel="noopener noreferrer" target="_blank">highlighted</a> that Section 82 of the Indian Penal Code, read with Section 83, states that any act by a child under the age of 12 years shall not be considered an offence, while the maturity of those aged between 12–18 years will be decided by the court (individuals between the age of 16–18 years can also be tried as adults for heinous crimes). Similarly, child labour laws in the country allow children above the age of 14 years to work in non-hazardous industries, which would qualify them to fall under Section 13 of the Bill, which deals with employee data.</p>
<p style="text-align: justify; "><span>A 2019 </span><a class="_1lsz7 _3Bkfb" href="https://reverieinc.com/wp-content/uploads/2020/09/IAMAI-Digital-in-India-2019-Round-2-Report.pdf" rel="noopener noreferrer" target="_blank">report</a><span> suggests that two-thirds of India’s internet users are in the 12–29 years age group, accounting for about 21.5% of the total internet usage in metro cities. With the emergence of cheaper phones equipped with faster processing and low internet data costs, children are no longer passive consumers of the internet. They have social media accounts and use several applications to interact with others and make purchases. There is a need to examine how children and teenagers interact with the internet as well as the practicality of requiring parental consent for the usage of applications.</span></p>
<p style="text-align: justify; "><span>Most applications that require age data request users to type in their date of birth; it is not difficult for a child to input a suitable date that would make it appear that they are </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">over 18</a><span>. In this case they are still children but the content that will be presented to them would be those that are meant for adults including content that might be disturbing or those involving use of </span><a class="_1lsz7 _3Bkfb" href="https://www.theguardian.com/media/2013/jul/26/children-lie-age-facebook-asa" rel="noopener noreferrer" target="_blank">alcohol and gambling. </a><span>Additionally, in their privacy policies, applications sometimes state that they are not suited for and restricted from users under 18. Here, data fiduciaries avoid liability by placing the onus on the user to declare their age and properly read and understand the privacy policy.</span></p>
<p style="text-align: justify; "><span>Reservations about the age of consent under the Bill have also been highlighted by some members of the JPC through their dissenting opinions. </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Ritesh Pandey </a><span>suggested that the age of consent should be reduced to 14 years keeping the best interest of the children in mind as well as to support children in benefiting from technological advances. Similarly, </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.193/lsscommittee/Joint%20Committee%20on%20the%20Personal%20Data%20Protection%20Bill,%202019/17_Joint_Committee_on_the_Personal_Data_Protection_Bill_2019_1.pdf#page=221" rel="noopener noreferrer" target="_blank">MP Manish Tiwari </a><span>in his dissenting opinion suggested regulating data fiduciaries based on the type of content they provide or data they collect.</span></p>
<h3><span>2. How is the 2021 Bill Different from the 2019 Bill?</span></h3>
<p style="text-align: justify; "><span>The </span><a class="_1lsz7 _3Bkfb" href="http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf" rel="noopener noreferrer" target="_blank">2019 </a><span>draft of the Bill consisted of a class of data fiduciaries called guardian data fiduciaries – entities that operate commercial websites or online services directed at children or which process large volumes of children’s personal data. This class of fiduciaries was barred from profiling, tracking, behavioural monitoring, and running targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child. In the previous draft, such data fiduciaries were not allowed to engage in ‘profiling, tracking, behavioural monitoring of children, or direct targeted advertising at children’. There was also a prohibition on conducting any activities that might significantly harm the child. As per Chapter IV, any violation could attract a penalty of up to INR 15 crore of the worldwide turnover of the data fiduciary for the preceding financial year, whichever is higher. However, this separate class of data fiduciaries do not have any additional responsibilities. It is also unclear as to whether a data fiduciary that does not by definition fall within such a category would be allowed to engage in activities that could cause ‘significant harm’ to children.</span></p>
<p style="text-align: justify; "><span>The new Bill also does not provide any mechanisms for age verification and only lays down considerations that verification processes should be undertaken. Furthermore, the JPC has suggested that consent options available to the child when they attain the age of majority i.e. 18 years should be included within the rule frame by the Data Protection Authority instead of being an amendment in the Bill.</span></p>
<h3><span>3. In the Absence of a Guardian Data Fiduciary</span></h3>
<p style="text-align: justify; "><span>The 2018 and 2019 drafts of the PDP Bill consider a child to be any person below the age of 18 years. For a child to access online services, the data fiduciary must first verify the age of the child and obtain consent from their guardian. The Bill does not provide an explicit process for age verification apart from stating that regulations shall be drafted in this regard. The 2019 Bill states that the Data Protection Authority shall specify codes of practice in this matter. Taking best practices into account, there is a need for ‘</span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/project-brief-highlighting-inclusive-and-practical-mechanisms-to-protect-childrens-data.pdf" rel="noopener noreferrer" target="_blank">user-friendly and privacy-protecting age verification techniques</a><span>’ to encourage safe navigation across the internet. This will require </span><a class="_1lsz7 _3Bkfb" href="https://cuts-ccier.org/pdf/bp-global-technological-developments-in-age-verification-and-age-estimation.pdf" rel="noopener noreferrer" target="_blank">looking at </a><span>technological developments and different standards worldwide. There is a need to hold companies </span><a class="_1lsz7 _3Bkfb" href="https://www.livemint.com/opinion/columns/theres-a-better-way-to-protect-the-online-privacy-of-kids-11615306723478.html" rel="noopener noreferrer" target="_blank">accountable</a><span> for the protection of children’s online privacy and the harm that their algorithms cause children and to make sure that they are not continued.</span></p>
<p class="public-DraftStyleDefault-text-ltr fixed-tab-size public-DraftStyleDefault-block-depth0 iWv3d b+iTF _78FBa _1FoOD iWv3d _1j-51 mm8Nw" style="text-align: justify; ">The JPC in the 2021 version of the Bill removed provisions about guardian data fiduciaries, stating that there was no advantage in creating a different class of data fiduciary. As per the JPC, even those data fiduciaries that did not fall within the said classification would also need to comply with rules pertaining to the personal data of children i.e. with Section 16 of the Bill. Section 16 of the Bill requires the data fiduciary to verify the child’s age and obtain consent from the parent/guardian. The manner of age verification has also een spelt out. Furthermore, since ‘significant data fiduciaries’ is an existing class, there is still a need to comply with rules related to data processing. The JPC also removed the phrase “in the best interests of, the child” and “is in the best interests of, the child” under sub-clause 16(1), implying that the entire Bill concerned the rights of the data principal and the use of such terms dilutes the purpose of the legislation and could give way to manipulation by the data fiduciary.</p>
<h3><span>Conclusion</span></h3>
<p style="text-align: justify; "><span>Over the past two years, there has been a significant increase in applications that are targeted at children. There has been a proliferation of EduTech apps, which ideally should have more responsibility as they are processing children's data. We recommend that instead of creating a separate category, such fiduciaries collecting children's data or providing services to children be seen as ‘significant data fiduciaries’ that need to take up additional compliance measures.</span></p>
<p style="text-align: justify; "><span>Furthermore, any blanket prohibition on tracking children may obstruct safety measures that could be implemented by data fiduciaries. These fears are also increasing in other jurisdictions as there is a likelihood to restrict data fiduciaries from using software that looks out for such as </span><a class="_1lsz7 _3Bkfb" href="https://www.unodc.org/e4j/en/cybercrime/module-12/key-issues/online-child-sexual-exploitation-and-abuse.html" rel="noopener noreferrer" target="_blank">Child Sexual Abuse Material</a><span> as well as online predatory behaviour. Additionally, concerning the age of consent under the Bill, the JPC could look at international best practices and come up with ways to make sure that children can use the internet and have rights over their data, which would enable them to grow up with more awareness about data protection and privacy. One such example to look at could be the Children's Online Privacy Protection Rule (COPPA) in the US, where the rules apply to operators of websites and online services that collect personal information from kids </span><a class="_1lsz7 _3Bkfb" href="https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance" rel="noopener noreferrer" target="_blank">under 13 </a><span>or provide services to children that are directed at a general audience, but have actual knowledge that they collect personal information from such children. A form of combination of this system and the significant data fiduciary classification could be one possible way to ensure that children’s data and privacy are preserved online.</span></p>
<hr />
<p>The authors are researchers at the Centre for Internet and Society and thank their colleague Arindrajit Basu for his inputs.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill'>https://cis-india.org/internet-governance/blog/ijlt-shweta-mohandas-and-anamika-kundu-march-6-2022-nothing-to-kid-about-childrens-data-under-the-new-data-protection-bill</a>
</p>
No publisherShweta Mohandas and Anamika KunduDigitalisationDigital KnowledgeInternet GovernanceData ProtectionData Management2022-03-10T13:19:52ZBlog EntryThe Government needs to make sure our emails don't destroy the environment
https://cis-india.org/internet-governance/blog/the-government-needs-to-make-sure-our-emails-dont-destroy-the-environment
<b>The Government's data centre policy must be more reflective of energy requirements and sustainable practices to effectively ensure that India's growing digital user base doesn't hurt the environment. </b>
<p dir="ltr"> </p>
<p dir="ltr">Ask people to name the first things they think of when you say climate change and you can expect a few standard answers. Polar bears on shrinking ice caps, cities suffocated from car exhaust fumes and mass deforestation are all surely to be somewhere on the list of responses. What you probably won’t find, however, is people discussing their social media. Or their email. Or any piece of the immeasurable amount of data that we produce on the internet on a daily basis. Yet all of this data is far from green, and is substantially increasing our carbon footprint. So the question arises, how is our data contributing to climate change, and what can policy makers do about it? </p>
<p>There is a tendency to focus on the turnover of hardware when discussing the climate impact of digital technology. And while this is an important element of the sector’s impact, it is essential that policymakers also recognise the impact of intangible elements of the digital ecosystem - such as data. Every piece of data that is created or transmitted across the internet has an environmental cost. That cost being the energy required (and by extension the fossil fuel amount used) to operate the technology that hosts and transports the data. </p>
<p>Admittedly, the environmental impact and cost of one person checking their instagram or even reading this article is quite low. But aggregated across the estimated number of internet users in the <a href="https://www.tvtechnology.com/news/global-digital-population-grows-to-48b-in-2020">world</a>, digital technologies are estimated to be responsible for <a href="https://www.bbc.com/future/article/20200305-why-your-internet-habits-are-not-as-clean-as-you-think#:~:text=If%20we%20were%20to%20rather,of%20carbon%20dioxide%20a%20year.">1.7 billion tonnes of greenhouse gases</a> - which is about 4% of the global greenhouse gas production and roughly how much is produced by the global airline industry.</p>
<p>Another key element of data’s environmental impact is the establishment and operation of data centres. Data centres are establishments that house computing and ICT equipment. These centres are critical infrastructure components to the functioning of the internet and are used to store an immense volume of data. As the number of data centres has <a href="https://www.datacenterknowledge.com/industry-perspectives/data-center-dilemma-our-data-destroying-environment">exploded over the last decade</a>, they have come to account for 1% all global greenhouse gas production on their own, and are expected to contribute to <a href="https://www.computerworld.com/article/3431148/why-data-centres-are-the-new-frontier-in-the-fight-against-climate-change.html">14% of all emissions by 2040</a>.<br /><br /></p>
<h3>India’s growing data centre problem </h3>
<p><br />As the number of Internet users in India <a href="https://www.livemint.com/industry/media/india-s-active-internet-user-base-to-hit-639-mn-by-year-end-11588879564767.html">grows</a> at an exponential rate, it is imperative that the government take a proactive approach to creating sustainable infrastructure that can meet the ICT demands of the population. </p>
<p>Recently, the Ministry of Electronics and Information technology, released its draft policy on data centres. The policy outlined the government’s aim at establishing a large number of domestic data centres that will be used to store all data created within the country. The government’s policy envisions India as being one of the world leaders in data centre establishment and operation - on a par with countries such as <a href="https://www.eco-business.com/news/the-future-of-data-centres-in-the-face-of-climate-change/">Singapore who now hold that mantle</a>. </p>
<p>However, despite presenting this grand vision, the policy provides no specifics on how it plans to cope with the environmental stress that these new centres would bring. The policy states that ensuring uninterrupted power to these centres will be a key priority of the government - a burden that would be far beyond the capacity of current renewable energy sources in the country. Taking the example of Singapore, almost <a href="https://www.eco-business.com/news/the-future-of-data-centres-in-the-face-of-climate-change/">7% of all electricity consumption</a> in the country was from data centres. Such proportionate consumption by Indian data centres would realistically only be possible through an expanded use of fossil fuel generated electricity. </p>
<p dir="ltr">To give the policy some credit, it does mention ‘encouraging’ the use of renewable energy for data centres but fails to mention any specific schemes or measures to ensure renewable energy investment and growth is enough to keep up with growing data centre energy demands. <br /><br /></p>
<h3>What can policy makers do? </h3>
<p><br />The question arises, how can policy makers make data centres more sustainable? Is there any way of reducing the energy consumption of these data centres? </p>
<p>In short, not really right now. It has been estimated that <a href="https://www.computerworld.com/article/3431148/why-data-centres-are-the-new-frontier-in-the-fight-against-climate-change.html">40% of total energy consumption by data centres is used in cooling</a>. And while there is the possibility that building these data centres in cooler environments would reduce these costs - converting shimla, coorg, ooty and other cool weathered hill stations into monuments of data centre infrastructure does not seem particularly practical. And so short of investing heavily into research and development for the future and conforming to global standards of data centre operation, there is not much the government can do now outside of focusing on the source of the energy that is used by these centres. </p>
<p>Keeping this in mind, the first step in evolving India’s data infrastructure has to be investing in and developing clear schemes for promoting renewable energy in the country. While India has seen positive growth in renewable energy infrastructure, it would require substantial private and public investment in order to meet its target of <a href="https://energy.economictimes.indiatimes.com/news/renewable/opinion-is-indias-renewable-energy-investment-on-track/76229607">450 GW of renewable energy by 2021</a>. Widespread development of data centres would only further stress India’s energy needs and would therefore require a commensurate increase in the amount of renewable energy available. As such it is imperative that the state not stick to vague statements of ‘encouraging renewable energy’ or ‘collaborating between ministries’ and rather adopt a revised policy for developing renewable energy for digital infrastructure. </p>
<p> Such a step would ensure the sustainability of the country’s digital infrastructure, and ensure that every Indian has access to both clean air and their email. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-government-needs-to-make-sure-our-emails-dont-destroy-the-environment'>https://cis-india.org/internet-governance/blog/the-government-needs-to-make-sure-our-emails-dont-destroy-the-environment</a>
</p>
No publisheramanClimate changeEnvironmental ImpactEnvironmentData GovernanceData CentresData Management2021-01-25T14:17:29ZBlog EntryDanish Expert Group on Data Ethics
https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics
<b>Amber Sinha was one of the stakeholders who provided inputs to the Danish Expert Group on Data Ethics in June 2018 during their visit to New Delhi. The Expert Group has prepared and submitted its final report.</b>
<p style="text-align: justify; "><span>In April the Danish Expert Group on Data Ethics commenced work on developing recommendations on Data Ethics for the Danish Government. The expert group have now handed over their recommendations to the Danish Minister of Industry, Business and Financial Affairs. <a class="external-link" href="http://cis-india.org/internet-governance/files/data-for-the-benefit-of-people">Read the report</a>.<br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics'>https://cis-india.org/internet-governance/news/danish-expert-group-on-data-ethics</a>
</p>
No publisherAdminInternet GovernanceData ProtectionData ManagementPrivacy2018-12-01T04:42:42ZNews ItemResponse Submission on TRAI's Consultation Paper on Privacy, Security and Ownership of Data in Telecom Sector
https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector
<b>CIS submitted its comments on the consultation paper on privacy, security and ownership of data in telecom sector which was published by the Telecom Regulatory Authority of India on August 9, 2017.
</b>
<p style="text-align: justify;">The submission is divided in four parts. The first part introduces the document, the second part gives an overview of CIS and its work, the third part contains general comments on the consultation paper and the fourth part contains specific comments on questions posed in the consultation paper. Click to read the <strong><a class="external-link" href="http://cis-india.org/telecom/files/submission-to-trai-november-6-2017">full submission</a></strong> made to the Telecom Regulatory Authority of India on November 6, 2017.<br /><br /><br /><br /></p>
<p>
For more details visit <a href='https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector'>https://cis-india.org/telecom/blog/response-submission-on-trais-consultation-paper-on-privacy-security-and-ownership-of-data-in-telecom-sector</a>
</p>
No publisherAmber Sinha, Elonnai Hickok and Udbhav TiwariTelecomData ProtectionData ManagementPrivacy2019-03-13T00:27:30ZBlog EntryComments on the Statistical Disclosure Control Report
https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report
<b>This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.
</b>
<p><strong id="docs-internal-guid-a12fe2b3-c746-4c1a-0287-1814414668af"><br /></strong></p>
<h3 style="text-align: justify;" dir="ltr">1. PRELIMINARY</h3>
<p style="text-align: justify;" dir="ltr">This submission presents comments by the Centre for Internet and Society, India (“CIS”) on the Statistical Disclosure Control Report published on March 30th by Ministry of Statistics and Programme Implementation.</p>
<p style="text-align: justify;" dir="ltr">CIS is thankful for the opportunity to put forth its views.<br class="kix-line-break" />This submission is divided into three main parts. The first part, ‘Preliminary’, introduces the document; the second part, ‘About CIS’, is an overview of the organization; and, the third part contains the ‘Comments’.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<h3 style="text-align: justify;" dir="ltr">2. ABOUT CIS</h3>
<p style="text-align: justify;" dir="ltr">CIS is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, freedom of speech and expression, intermediary liability, digital privacy, and cybersecurity.<br class="kix-line-break" /><br /></p>
<p style="text-align: justify;" dir="ltr">CIS values the fundamental principles of justice, equality, freedom and economic development. This submission is consistent with CIS' commitment to these values, the safeguarding of general public interest and the protection of India's national interest at the international level. Accordingly, the comments in this submission aim to further these principles.</p>
<h3 style="text-align: justify;" dir="ltr">3. Comments</h3>
<h4 style="text-align: justify;" dir="ltr">3.1 General Comments</h4>
<p style="text-align: justify;" dir="ltr">As a non-profit organisation we recognize the importance of the efforts by the Ministry of Statistics and Programme Implementation (MoSPI) to make the data you collect available to the public in open formats with relevant information about reliability of statistical estimates.</p>
<p><span style="text-align: justify;">We at CIS have recently released a report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. We encountered several central and state government departments collecting socioeconomic data from citizens, linking it with Aadhaar and even publishing them in exportable data formats like EXCEL and MS ACCESS Databases. </span><span style="text-align: justify;">While we understand this issue primarily concerns to Unique Identification Authority of India (UIDAI), the lack of standards around information/statistical disclosure are a general threat to transparency in a democracy and privacy of individuals. </span><span style="text-align: justify;">Going through the report we understand the committee is unable to prescribe a standard for other ministries and departments until they try and pilot these standards within Ministry of Statistics and Programme Implementation. This delay in prescribing the standards can be really dangerous in the current circumstances of massive data collection by government departments and linking all the databases with a unique identifier, Aadhaar Number. </span><span style="text-align: justify;">At the same time we understand the importance of data dissemination to be carried out and we recommend the following for improving the standards around data disclosure control.</span></p>
<h4 style="text-align: justify;" dir="ltr">3.2 Integrity of Information and Data</h4>
<p style="text-align: justify;" dir="ltr">We agree with the committee that the error rates need to be kept in mind while designing practices to convert raw data. But we request the process of changes being made be actively measured and documented. In case of errors being computed, guidelines can be made to decrease the possibilities of misinterpretation of errors causing loss of integrity of information. Statistics are important for decision making in governance, errors in computations can be biased towards millions of people. Statistical biases are important to be looked into while converting data from its raw format to make sure there are no damage caused by information.</p>
<h4 style="text-align: justify;" dir="ltr">3.3 Data Security</h4>
<p style="text-align: justify;" dir="ltr">One of the important issues around storage and publication of Aadhaar information is the lack of masking standards. With the availability of data from multiple departments, it is possible to reconstruct identification details by linking data from multiple databases. It is recommended to bring masking standards while personally identifiable micro data is being published. There is an urgent need for departments to also look at auditing access to information and tracking sharing of information. It is recommended the department digitally signs all the information and documents being published or shared by them to keep track of who had accessed the information and verifying the authenticity of information.</p>
<p style="text-align: justify;" dir="ltr">We request the department to define what exactly is “usage for statistical purposes only” and recommend standards to control and restrict usage of information for this purpose. It is important they design frameworks or mechanisms to allow others to report violations around this. This process should be transparent and documented heavily.</p>
<h4 style="text-align: justify;" dir="ltr">3.4 Anonymization of microdata</h4>
<p style="text-align: justify;" dir="ltr">We recommend the data being collected be anonymized at source to evade the possibility of the accidental disclosure of personally identifiable information. While the current anonymization efforts have been helpful, with steady increase in data mining and classification algorithms and practices it is recommended to evolve the standards around this area.</p>
<h4 style="text-align: justify;" dir="ltr">3.5 Data Dissemination</h4>
<p style="text-align: justify;" dir="ltr">Data dissemination is an important aspect for district statistics officers, we recommend they actively communicate their work through monthly newsletters, quarterly workshops to help improve the conversations around statistics and at the same time engage with the users who would benefit from the data.</p>
<p style="text-align: justify;" dir="ltr">We also recommend that data when being published includes metadata of collection, modification, storage and other important information. Also the information needs to be published in open formats which does not require proprietary software to be used to open them. At the same time data should be published in multiple formats like CSV, XLS, PDF,</p>
<p style="text-align: justify;" dir="ltr">The committee also recognizes the need for having data users part of discussions around important decisions and be part of committees. We would like the department to recognize our efforts and consider us for future committee representations.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr">Thank you for this opportunity and we look forward to work with you in future.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report'>https://cis-india.org/internet-governance/comments-on-the-statistical-disclosure-control-report</a>
</p>
No publisherSrinivs Kodali and Amber SinhaCall for CommentsDigital AccessOpen DataOpen Government DataData ProtectionData GovernanceAadhaarDigitisationInformation SecurityOpennessInternet GovernanceData Management2019-03-13T00:28:44ZBlog Entry(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information
https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1
<b>Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.
</b>
<p> </p>
<h4>Read the updated report: <a class="external-link" href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the first statement of clarification (May 16, 2017): <a class="external-link" href="https://cis-india.org/internet-governance/clarification-on-information-security-practices-of-the-aadhaar-report/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the second statement of clarification (November 05, 2018): <a class="external-link" href="https://cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report" target="_blank">Link to page</a> (html)</h4>
<hr />
<p><em>We are grateful to Yesha Paul and VG Shreeram for research support.</em></p>
<hr />
<p>In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1'>https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1</a>
</p>
No publisherAmber Sinha and Srinivas KodaliDigital IDPrivacyNDSAPData ProtectionAccountabilityFeaturedData GovernanceAadhaarDigitisationHomepageInternet GovernanceData Management2019-03-13T00:29:01ZBlog EntryYour digital wallet can be a ‘pickpocket’
https://cis-india.org/internet-governance/news/hindu-samarth-bansal-december-5-2016-your-digital-wallet-can-be-a-pickpocket
<b>If you have installed a wallet app on your smartphone, be careful. Many such apps can access data, even sensitive personal information, and have features that do more than just make payments. All that, with your due “permission”.
</b>
<p style="text-align: justify; ">The article by Samarth Bansal was <a href="http://www.thehindu.com/news/national/Your-digital-wallet-can-be-a-%E2%80%98pickpocket%E2%80%99/article16760772.ece?utm_source=RSS_Feed&utm_medium=RSS&utm_campaign=RSS_Syndication">published in the Hindu</a> on December 5, 2016. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; "><br />When installing them, the apps display a list of permissions. The user is prompted to either grant permission to access to SMSs, call records and so on or decline, but the latter means rejecting the download. Barring a small fraction of tech-savvy users, most go with the flow, ignoring the permissions section.<br /><br />The Hindu reviewed permissions sought by five wallet applications: MobiKwik, Freecharge, PayTM, Jio Money and Airtel Money.<br /><br />Freecharge and Jio Money seek permission to “directly call phone numbers”. The app can call up numbers without notifying you. In fact, Freecharge asks to “read call log”. All five require permission to “read contacts”, which, as PayTM mentions, “gives you the ability to pick a number from contacts for a quick recharge or bill payment” or “helps you send and request money from friends”. FreeCharge and PayTM ask permission to “modify contacts” and “record audio”.<br /><br />PayTM is the only one that requests to “read your web bookmarks and history”. According to AndroidPit, an Android-centred news portal, this permission is needed for alternative browsers, back-up tools and possibly some social networking apps. For the rest, it is possibly a way to “spy on user’s browsing behaviour”, the portal says.<br />Wealth of data<br /><br />Pranesh Prakash, policy director at the Centre for Internet and Society, told The Hindu that access to a wealth of data about the user enables various other business models.<br /><br />“A mobile wallet application, using location tracking data, can tell a user about the discounts available on a nearby store if the payment is conducted using that platform. If the user is not explicitly made aware of such usage of data, I would call it a misuse of information,” he said. Note that “precise” location tracking feature, via GPS or mobile network, is a feature requested by all.<br /><br />For PayTM, there is a mismatch between the complete set of permissions it asks for — as stated in the app store — and the ones it mentions on a dedicated page on its website explaining “PayTM app permissions”. Apart from the six basic features, there is no mention about functions like location tracking or reading web history — which it requires — on the web page.<br /><br />“In this regard, PhonePe [another wallet app] is the model to follow: it clearly states the permissions it is seeking and explains why it needs each one of those at the time of set-up.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/hindu-samarth-bansal-december-5-2016-your-digital-wallet-can-be-a-pickpocket'>https://cis-india.org/internet-governance/news/hindu-samarth-bansal-december-5-2016-your-digital-wallet-can-be-a-pickpocket</a>
</p>
No publisherpraskrishnaInternet GovernanceData ManagementPrivacy2016-12-05T01:44:29ZNews ItemDeveloper team fixed vulnerabilities in Honorable PM's app and API
https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be<a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015"> read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<div id="_mcePaste" style="text-align: justify; "><ol>
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. Like, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol></div>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify if a valid user is making the request to API endpoint is fixed. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. The people on older versions (which was serving over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figuered out a way to deal with people running older versions of the app. Atleast now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">Found major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps log of data, which it probably does, then they might already have your email address, passwords etc in plain text. So if you were using this app,<strong> I would suggest you to change your password immediately</strong>. Can’t leave out a possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access API was giving a false sense of security to developers. The access token could easily be fetched & anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user-data (primarily email address, fb profile pictures of those registered via fb) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain you with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters. userid, which we could easily iterate on starting from 1 & token which was a fixed value. There was no authentication check on API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like email addresses of each and every user. I quickly wrote a very simply script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I would have been able to get in touch with team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found but the communication gap cost us lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on Google play store returned a response stating “The email account that you tried to reach is over quota”. Had to get in touch with authorities via twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerabillity</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="https://cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented </strong>since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash app for people running the older versions. Main problem is that <strong>people don’t upgrade to latest versions leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it I think but it will break for people using older versions as stated by the developer. Though, they (developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="https://cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in NM app is similar to the one I got fixed last year. Like I said before also, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why would they introduce personal information in JSON output again if they knew that’s a privacy problem and has been reported by me a year back. He showed how he was able to follow any user being any user. Similarly, I was able to comment on any post using account of any user of the app. When I talked to the developer back then he mentioned it will be difficult to migrate users to a newer/secure version of the app so they are releasing this patch for the meantime. It was more of a backward compatibility issue because of how API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for API. That should take care of most of vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>https://cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
No publisherpraneshPrivacySecurityInternet GovernanceData ProtectionCyber SecurityHackingMobile AppsData Management2016-12-04T19:08:56ZBlog EntryNo laws in India to protect customers if they lose money during digital transactions
https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions
<b>The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services.</b>
<p style="text-align: justify; ">The article by Alnoor Peermohamed was <a class="external-link" href="http://www.business-standard.com/article/economy-policy/no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions-116120200342_1.html">published by Business Standard </a>on December 2, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; "><span class="p-content"> </span></p>
<p style="text-align: justify; ">India lacks laws to protect consumers if they lose money during <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Digital+Transactions" target="_blank">digital transactions </a>even as the government pushes for a less-cash economy after it withdrew Rs 500 and Rs 1,000 currency notes as the legal tender.</p>
<p style="text-align: justify; ">The Modi government's <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Demonetisation" target="_blank">demonetisation </a>move might have warranted an increase in transaction activity on digital wallets, but measures to ensure the underlying cyber security parameters for digital payments is still kept largely under the ambit of the Information Technology Act.</p>
<p style="text-align: justify; ">"We don't have any dedicated law on digital payments. That's very important to grant complete legality and remove and doubts and clarifications pertaining to legal efficacies and legal validity of digital payments," says Pavan Duggal, an advocate in the Supreme Court specialising in cyber law.</p>
<p style="text-align: justify; ">While the Reserve Bank of India usually sets security and privacy standards for banks in the country, the various digital wallets such as Paytm, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Freecharge" target="_blank">Freecharge </a>and Mobikwik fall under the category of Non-banking Financial Corporations (NBFCs) excluding them from this. For FinTech companies, security compliance falls under just Section 43 A of the IT Act.</p>
<p style="text-align: justify; ">Today, transactions between a user and a mobile wallet service provider are merely contractual agreements which can always be repudiated. There's a heightened need to legally back digital payments in India, not only to ensure the safety of consumer money but also for the safety of these companies.</p>
<p style="text-align: justify; "><span class="p-content">Since the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Demonetisation" target="_blank">demonetisation </a>on November 8, digital wallet firms such as <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Paytm" target="_blank">Paytm </a>have seen 35 million transactions by users to either buy goods and services, or transfer funds to another account. Rival <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Freecharge" target="_blank">Freecharge </a>has tied up with police forces of Mumbai to pay traffic fines using its platform.</span></p>
<p style="text-align: justify; "><span class="p-content">Research by Bengaluru-based think tank Centre for Internet and Society (CIS) shows that some of India's largest technology companies still do not comply with Section 43 A.</span></p>
<p style="text-align: justify; "><span class="p-content">"We have a minimal data protection law in our IT Act and that will apply to all the FinTech players. But our ISPs and Telcos don't comply with Section 43 A, so you can imagine in the FinTech sector the compliance will be even lower," says Sunil Abraham, Executive Director at CI<br /><br />The lack of basic privacy and security laws pertaining to digital payments in India puts the onus on consumers who use such services. While the issue is not being completely ignored by the authorities, some of the proposed workarounds such as creating a virtual sandbox around digital payment services raised questions.<br /><br />The RBI limits the maximum balance on digital wallets to Rs 10,000 per user, ensuring that in the case of a breach the damage caused to a consumer is minimal but on November 23, the banking regulator increased the limit to Rs 20,000 .<br /><br />Just last week India's largest digital wallet provider Paytm rolled out the option for customers to increase their wallet balance to a maximum of Rs 100,000 by getting a KYC check done.<br /><br />"There are no legal mechanisms available should there be disputes pertaining to digital payments,"aid Duggal. He added that there are no effective remedy mechanisms available in case money in the digital payment ecosystem gets lost, hacked, stolen or misused.</span></p>
<p style="text-align: justify; "><span class="p-content">While laws might take years to be framed and implemented, Abraham says there are temporary workarounds with which the overall cyber security of digital payment services can be improved. Under Section 43 A there are provisions to allow a sector to form a consortium that mutually agrees to set security standards, which all players must follow and is valid in the court of law during dispute resolution.</span></p>
<p style="text-align: justify; "><span class="p-content">This move is encouraged by experts as governments often lack the bandwidth to define sectoral specific laws but is where private sector expertise can go a long way. <br /></span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions'>https://cis-india.org/internet-governance/news/business-standard-december-2-2016-alnoor-peermohammed-no-laws-in-india-to-protect-customers-if-they-lose-money-during-digital-transactions</a>
</p>
No publisherpraskrishnaInternet GovernanceData ManagementPrivacy2016-12-02T17:07:02ZNews ItemLack of clarity about cashless and online transactions makes digital payments more worrisome
https://cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome
<b>Even as demonetisation pushes for more and more cashless and online transactions through, e-wallets, banks and other such apps, there is a serious lack of clarity on how these companies handle customer data, and how it is shared with other entities. "Data is the new oil," is an oft repeated phrase in nearly every technology related conversation that comes up anywhere in India today.</b>
<p style="text-align: justify; ">The article by Neha Alawadhi was <a class="external-link" href="http://economictimes.indiatimes.com/industry/banking/finance/banking/lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome/articleshow/55714435.cms">published in the Economic Times</a> on December 1, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">However, the handling of this data, most of which carries some of our most personal information, has little protection if it is misused by a private or government entity.</p>
<p style="text-align: justify; ">Sample this: at an industry event, a Bengaluru-based startup claimed to solve the problem of credit worthiness of individuals for small loans by using some unusual means. To determine credit worthiness, the company maps everything in your phone — right from how many SMSes you receive for non-payment of dues, to how you fill out your loan application form. The company also claims that it can map, using your phone data, the area of your residence and office.</p>
<p style="text-align: justify; ">There are several other companies, especially those in the financial technology (fintech) space, doing similar mapping. The Wall Street Journal on Monday reported that more than three dozen local governments across China are compiling digital records of social and financial behaviour to rate credit worthiness. A person gets a score deduction for violations such as fare cheating, jaywalking and violating family-planning rules.</p>
<p style="text-align: justify; "><img alt="Lack of clarity about cashless and online transactions makes digital payments more worrisome" class="gwt-Image" src="http://img.etimg.com/photo/55714471/untitled-27.jpg" title="Lack of clarity about cashless and online transactions makes digital payments more worrisome" /></p>
<p style="text-align: justify; ">India may be some distance away from such a credit scoring system, but the increased use of online transactions — financial or otherwise — is sure to lead to similar business models.</p>
<p style="text-align: justify; ">"You have no clue what data you are sharing with fintech companies. They are collecting data from other sources and combining it to assess your credit score," said Sunil Abraham, executive director of the Centre for Internet Society.</p>
<p style="text-align: justify; ">For example, there is no clarity on what an e-wallet company does with your details and transaction history even after you delete the app. "If there is large level of customer migration of users from an app company, they will just become a data analytics company. The bigger danger in future is the growth of large data intermediaries which are similar to Visa and Mastercard networks, which purchase big databases and further sell this data and build their services or product on top of that. There are large privacy concerns there," said Apar Gupta, advocate and Internet policy expert. While lack of a privacy law or controller has been a long standing concern, the existing law for data protection — Section 43(A) of the Information Technology Act— also offers only very basic protection and is "grossly inadequate", according to Abraham.</p>
<p style="text-align: justify; ">To make matters worse, they also lack a strict enforcement mechanism. "We don’t know what are the data practices (adopted by apps). There is no privacy controller or some other body, so it is very difficult for a user to know what are the actual ways their data is being implemented," said Gupta.</p>
<p style="text-align: justify; ">There have also been cases of government entities making sensitive and personal information public. Earlier this year, DataMeet, a community of data science enthusiasts, found that Bengaluru Police released 13,000 call data records (CDR) of potential on-going investigations during a hackathon with focus on solving problems of cities.</p>
<p style="text-align: justify; ">"There has been very little talk about data ethics and data practices in India. But cases of misuse of data are frequent," noted DataMeet member Srinivas Kodali in a blogpost.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome'>https://cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome</a>
</p>
No publisherpraskrishnaDemonetisationData ManagementInternet GovernancePrivacy2016-12-02T16:20:39ZNews Item