Centre for Internet and Society

WISER Lecture : Sumandro Chattapadhyay on Deregulation by Code

praskrishna — 2017-03-29T11:48:08Z

University of the Witwatersrand organized a talk by Sumandro Chattapadhyay on Derugulation by Code on March 8, 2017 in Johannesburg.

On November 08, 2017, the Government of India initiated a demonetisation process. It involved cancellation of Rs. 500 and Rs. 1,000 currency notes as legal tender, establishing of a time bound process for the notes to be returned to the banks, announcement of specific emergency services (such as hospitals and utilities) for which the canceled notes could still be used, and introduction of a new Rs. 2,000 note. While the purpose of the demonetisation move was publicly articulated in terms of removal of unaccounted wealth held in cash form, the state narrative quickly moved to being primarily focused on promotion of various forms of digital payments, especially mobile-based payments. The notion of a "WhatsApp moment" in Indian banking in particular, and in Asian banking in general, has been in circulation since 2015. Nandan Nilekani, a significant technocrat politician of India who has been CEO of Infosys (a major Indian IT company) and the Chairman of the UID/Aadhaar project, was one of the first persons to take note of this upcoming "revolution". In a lecture given by him on August 21, 2015, he described the technological and market forces, enabled by policy decision, that are going to disrupt the Indian banking landscape.

Sumandro's lecture discussed the linkages between this WhatsApp moment and the demonetisation move, and locate them in the context of institutional and technological changes happening in the Indian banking sector since 2008. The talk focused on the development and proliferation of the Unified Payments Interface - an universal, private-owned, government-backed, mobile-to-mobile payment infrastructure - as the key instrument through which the ongoing deregulation of banking in India is being driven.

For more details visit https://cis-india.org/internet-governance/news/wiser-lecture-sumandro-chattapadhyay-on-deregulation-by-code

Digital native: Free speech? You must be joking!

nishant — 2017-06-08T01:16:01Z

India’s digital landscape is dotted with vigilante voices that drown out people’s right to free speech.

The article was published in the Indian Express on May 14, 2017.

Freedom of speech and expression has always been a tricky issue. While all of us are generally in favour of defending our rights to speak what is in our hearts, we are not equally thrilled about the speech of others that we might not enjoy. While we know that free speech and expression are not absolute — there are blurred lines of things that are offensive, might cause harm, and are directed with malice at different individuals or collectives — we also generally accept that this is a freedom that marks the maturity and sustainability of a stable democratic system.

Thus, even when confronted with speech and expression that might be undesirable: a political view that contradicts ours, an expression of blasphemy or profanity, a voice of dissent that questions the status quo, or an unsavoury information tidbit that mocks at somebody we admire, we generally take it in good stride, and learn to deal and engage with these actions. We do this, because we know that trying to curtail somebody else’s rights to free speech, would eventually restrict our own capacity for it, thus reducing the scope of an engaged and critical society. Especially in countries like India, where everybody has an opinion, where people offer critiques over chai and join heated debates over paan, there’s no denying that we are fond of our rights and capacity to speak
our minds.

However, within Digital India, these things seem to be changing fast. Every day we wake up to the cacophonous clamour of social media to realise that increasingly we are becoming an intolerant society filled with vigilantes bent on stopping people from saying things that we might just not like. In the ongoing saga of shrinking spaces of free speech, we now add the shameful incident at the Embassy of Sweden in India. On May 8, following mass populist trolling and complaints from the Twitteratti, the Embassy disinvited two women print and TV journalists — Swati Chaturvedi and Barkha Dutt — and cancelled their event, ironically, in the honour of World Press Freedom, on the topic of women’s participation in the online public space, to talk about trolls.

I shall wait here for the bitter irony to sink in: two of the strongest women voices in Indian public media, were disinvited to speak from an event where they were to talk about their experience of being trolled, harassed, bullied and intimidated in the newly emerging digital media landscape. Instead of giving them a voice, sharing their experiences, and engaging with their stories, the hypermasculine army of right wing vigilantes who object to these women’s history of critique of the current government and its leaders, decided to show their Twitter might, and celebrated as they succeeded in putting one more nail in the coffin of free and fearless speech in the country.

Some Twitter users went ahead and tagged their favourite leaders — @Narendramodi and @manekagandhibjp. They demanded, using their freedom of voice, to stop others from speaking. Social media networks have often been celebrated as alternative spaces where new, and unexpected voices can express their opinions without the fear of physical retribution or penalisation. While this has been consistently proven wrong by government authorities who have regularly policed, penalised and punished voices of dissent or disfavour, that at least is something we can notice, challenge and contest through legal redressal. However, with this new mob justice where the volume of voices engineered to amplify their disapproval, coupled with threats of violence and economic downfall (the users this time threatened to make a list of Swedish products and boycott them) is a recurring and disturbingly new phenomenon.

Crowds have always had the power to demand and leverage change of their liking. However, on social media, this can take up more sinister forms, because a handful of people through Twitter bots and chat scripts can create the illusion of a hugely amplified voice that can then be used to threaten and restrict the scope of free speech. The mass bullying effect needs a strong counterpoint in the form of better internet governance policies and regulations that nurture safe spaces for the tinier voices to be heard.

At the same time, however, the stifling attempts require another strategy — the need to speak up against such acts of intimidation and silencing, not only from the regular people on the web, but from the officials and leaders who have sworn to protect our constitutional rights. And this is, perhaps, where our leaders are failing us. Because, in an age of hypervisibility, where every step they take is a selfie moment, where every move they make makes it to the headlines, and they take pride in documenting their life in exceedingly boring detail, it creates a deafening silence when the leaders remain mute to the slow dissipation of the rights to free speech and expression by the angry mobs of networked digitality.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-may-14-2017-digital-native-free-speech-you-must-be-joking

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Aadhaar Bill 2016 Evaluated against the National Privacy Principles

Pooja Saxena and Amber Sinha — 2016-03-21T08:38:34Z

In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles

Media Market Risk Ratings: India

Torsha Sarkar, Pranav M Bidare, and Gurshabad Grover — 2022-01-25T13:29:06Z

The Centre for Internet and Society (CIS) and the Global Disinformation Index (GDI) are launching a study into the risk of disinformation on digital news platforms in India, creating an index that is intended to serve donors and brands with a neutral assessment of news sites that they can utilise to defund disinformation.

Introduction

The harms of disinformation are proliferating around the globe—threatening our elections, our health, and our shared sense of facts.

The infodemic laid bare by COVID-19 conspiracy theories clearly shows that disinformation costs peoples’ lives. Websites masquerading as news outlets are driving and profiting financially from the situation.

The goal of the Global Disinformation Index (GDI) is to cut off the revenue streams that incentivise and sustain the spread of disinformation. Using both artificial and human intelligence, the GDI has created an assessment framework to rate the disinformation risk of news domains.

The GDI risk rating provides advertisers, ad tech companies and platforms with greater information about a range of disinformation flags related to a site’s content (i.e. reliability of content), operations (i.e. operational and editorial integrity) and context (i.e. perceptions of brand trust). The findings in this report are based on the human review of these three pillars: Content, Operations, and Context.

A site’s disinformation risk level is based on that site’s aggregated score across all of the reviewed pillars and indicators. A site’s overall score ranges from zero (maximum risk level) to 100 (minimum risk level). Each indicator that is included in the framework is scored from zero to 100. The output of the index is therefore the site’s overall disinformation risk level, rather than the truthfulness or journalistic quality of the site.

Key Findings

In reviewing the media landscape for India, the assessment found that:

Nearly a third of the sites in our sample had a high risk of disinforming their online users.

Eighteen sites were found to have a high disinformation risk rating. This group includes sites that are published in all the three languages in our scope: English, Hindi and Bengali.
Around half of the websites in our sample had a ‘medium’ risk rating. No site performed exceptionally on all fronts, resulting in no sites having a minimum risk rating. On the other hand, no site performed so poorly as to earn a maximum risk rating.

Only a limited number of Indian sites present low levels of disinformation risks.

No website was rated as having a ‘minimum’ disinformation risk.
Eight sites were rated with a ‘low’ level of disinformation risk. Seven out of these websites served content primarily in English, one in Hindi.

The media sites assessed in India tend to perform very poorly on publishing transparent operational checks and balances.

Over one-third of the sites in our sample published little information about their ownership structure, and also failed to be transparent about their revenue sources.
Only ten of the sites in our sample publish any information about their policies on how they correct errors in their reporting.

Association with traditional media did not play a significant factor in determining risk of disinformation.

On average, websites associated with TV or print did not perform any differently when compared to websites that solely serve digital content.

The findings show that on the whole, Indian websites can substantially increase their trustworthiness by taking measures to address these shortfalls in their operational checks and balances. For example, they could increase transparency on the structure of their businesses and have clear policies on how they address errors in their reporting. Both of these measures are in line with universal standards of good journalistic practices, as agreed by the Journalism Trust Initiative.

Click to download the full report here. To read the report in Hindi, click here. The authors extend their thanks to Anna Liz Thomas, Sanah Javed, Sagnik Chatterjee, and Raghav Ahooja for their assistance.

For more details visit https://cis-india.org/internet-governance/blog/gdi-and-cis-torsha-sarkar-pranav-m-bidare-and-gurshabad-grover-july-12-2021-media-market-risk-ratings-india

Iron out contradictions in the Digital India programme

sumandro — 2015-07-28T01:04:28Z

The Digital India initiative takes an ambitious 'Phir Bhi Dil Hai Hindustani' approach to develop communication infrastructure, government information systems, and general capacity to digitise public life in India. I of course use 'public life' in the sense of the wide sphere of interactions between people and public institutions.

The article was published in the Hindustan Times on July 15, 2015.

The 'Phir Bhi Dil Hai Hindustani' approach involves putting together Japanese shoes, British trousers, and a Russian cap to make an entertainer with a pure Indian heart. In this case, the analogy must not be understood as different components of the initiative coming from different countries, but as coming from different efforts to use digital technologies for governance in India.

It is deploying the Public Information Infrastructure vision, inclusive of the National Optical Fibre Network (now renamed as BharatNet) and the national cloud computing platform titled Meghraj, so passionately conceptualised and pursued by Sam Pitroda. It has chosen the Aadhaar ID and the authentication-as-a-service infrastructure built by Nandan Nilekani, Ram Sewak Sharma, and the team, as the identity platform for all governmental processes across Digital India projects. It has closely embraced the mandate proposed by Jaswant Singh led National Task Force on Information Technology and Software Development for completely electronic interface for paper-free citizen-government interactions.

The digital literacy and online education aspects of the initiative build upon the National Mission on Education through ICT driven by Kapil Sibal. Two of the three vision areas of the Digital India initiative, namely 'Digital infrastructure as a utility to every citizen' and 'governance and service on demand,' are directly drawn from the two core emphasis clusters of the National e-Governance Plan designed by R. Chandrashekhar and team, namely the creation of the national and state-level network and data infrastructures, and the National Mission Mode projects to enable electronic delivery of services across ministries.

And this is not a bad thing at all. In fact, the need for this programmatic and strategic convergence has been felt for quite some time now, and it is wonderful to see the Prime Minister directly addressing this need. Although, while drawing benefits from the existing programmes, the DI initiative must also deal with the challenges inherited in the process.

Recently circulated documents describes that the institutional framework for Digital India will be headed by a Monitoring Committee overseeing two main drivers of the initiative: the Digital India Advisory Group led by the minister of communication and information technology, and the Apex Committee chaired by the cabinet secretary. While the former will function primarily through guiding the implementation works by the Department of Electronics and Information Technology (DeitY), the latter will lead the activities of both the DeitY and the various sectoral ministries.

Here lies one possible institutional bottleneck that the Digital India architecture inherits from the National e-Governance Plan. Putting the DeitY in the driving seat of the digital transformation agenda in parallel with all other central government departments indicate an understanding that the transformation is fundamentally a technical issue. However, most often what is needed is administrative reform at a larger scale, and re-engineering of processes at a smaller scale.

Government agencies that have addressed such challenges in the past, such as the department of administrative reforms and public grievances, is not mentioned explicitly within the institutional framework, and instead DeitY has been trusted with a range of tasks that may be beyond its scope and core skills.

The danger of this is that the Digital India initiative will end up initiating more infrastructural and software projects, without transforming the underlying governmental processes. For example, the recently launched eBasta website creates a centralised online shop for publishers of educational materials to make books available for teachers to browse and select for their classes, and for the students to directly download, against payment or otherwise. The website has been developed by the Centre for Development of Advanced Computing and DeitY. At the same time, the ministry of human resource development, which is responsible for matters related to public education, has already collaborated with the Central Institute of Educational Technology and the Homi Bhabha Centre for Science Education in TIFR to build a comprehensive platform for multi-media resources for education – the National Repository of Open Educational Resources. The initial plans of the DI initiative are yet to explicitly recognise that the key challenge is not in building new applications and websites, but aligning existing efforts.

This mismatch, between what the Digital India initiative proposes to achieve and how it plans to achieve it, is further demonstrated in the 'e-Governance Policy Initiatives under Digital India' document. The compilation lists the key policies to govern designing and implementation of the Digital India programmes, but surprisingly fails to mention any policies, acts, and pending bills approved or initiated by any previous government. This is remarkably counter-productive as the existing policy frameworks, such as the Framework for Mobile Governance, the National Data Sharing and Accessibility Policy, and the Interoperability Framework for e-Governance, are suitably placed to complement the new policies around use of free of open source softwares for e-governance systems, so as to ensure their transparency, interoperability, and inclusive outreach. Several pending bills like The National Identification Authority of India Bill, 2010, The Electronic Delivery of Services Bill, 2011, and The Privacy (Protection) Bill, 2013, are absolutely fundamental for comprehensive and secure implementation of the various programmes under the Digital India initiative.

The next year will complete a decade of development of national e-governance systems in India, since the launch of National e-Governance Plan in 2006. Given this history of information systems sometimes partially implemented and sometimes working in isolation, a 'Phir Bhi Dil Hai Hindustani' approach to digitise India is a very pragmatic one. What we surely do not need is increased contradiction among e-governance systems. Simultaneously, we neither need digital systems that centralise governmental power within one ministry on technical grounds, or expose citizens to abuse of their digital identity and assets due to lack of sufficient legal frameworks.

(Sumandro Chattapadhyay is research director, The Centre for Internet and Society. The views expressed are personal.)

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-july-15-2015-sumandro-chattapadhyay-iron-out-contradictions-in-the-digital-india-programme

Amutha Arunachalam - Stand Shielded of Digital Rights (Delhi, May 05, 4 pm)

sumandro — 2017-05-03T13:30:32Z

We are proud to announce that Amutha Arunachalam will be the speaker at the May #FirstFriday event at the CIS Delhi office. Amutha is Principal Technical Officer in the Council Of Scientific and Industrial Research. The talk will be on digital signatures, traceability of time-stamps, and setting up an Indian Standard (Digital) Time. If you are joining us, please RSVP at the soonest as we have only limited space in our office.

Amutha Arunachalam

Principal Technical Officer, Council of Scientific and Industrial Research

Amutha Arunachalam entered the Indian Government service as an Intelligence Officer in Ministry of Home Affairs in 1988 after working at the Indian Institute of Technology Madras in Fibre Optic communication Laboratory. She later moved to the Council of Scientific and Industrial Research in the field of Information Technology. She managed the IT infrastructure of the CSIR lab (Central Road Research Institute) till 2006 and moved to CSIR Head Quarters and contributed in the ICT refurbishment drive, mainly in the IT with a major contribution in establishing DATA Centre, implementing network security, linking CSIR HQ to the National Knowledge Network facility extended by National Information Centre(NIC) before joining UIDAI.

In UIDAI (National Identity Project) she managed the Data Center operations that includes critical CIDR (Central Identification Repository) and was responsible for setting up Infrastructure to roll out Disaster recovery centre, Aadhaar Enrolment Service, Benchmarking of UIDAI Enrolment , Authentication Applications and setting up of Backend infrastructure of the Authentication Service for Roll out to citizens. After the five year Deputation at UIDAI (Feb 2016), she is currently posted in the Council of Scientific and Industrial Research working in the Area of Policy in Cyber Security for CSIR, Enhancing Research with collaborative, networking and Building unified CSIR Ecosystem with Enterprise platform.

RSVP

Location

For more details visit https://cis-india.org/internet-governance/events/firstfridayatcis-amutha-arunachalam-stand-shielded-of-digital-rights-may-05

Digital Native: Getting through an election made for the social media gaze

nishant — 2019-04-28T04:12:45Z

In the poll season, social media platforms thrive on wounded outrage disguised as politics.

The article by Nishant Shah was published in Indian Express on April 21, 2019.

There is palpable excitement as the most populous democracy in the world goes out to vote. Last election, which saw the saffron sweep, we realised the role of social media platforms in electoral politics. From the controversial selfie by the aspiring Prime Minister flaunting the lotus symbol, that was reported as violating the advertisement rules set by the Election Commission, to the mass mobilisation of ideology-based voters, orchestrated by automated bots and the hashtag brigades of #acchedin, there was no denying that digital strategies are going to form the backend of a robust political campaign.

In a country of hypervisible lynch mobs staged via WhatsApp, polarised hatred exacerbated by armies of trolls, and the fluency with which hate speech has been normalised on the tweetosphere, social media and digital apps are front and centre in this election. People are coming out of voting booths and, even before the exit pollsters catch them, they are making Snapchat videos and “I voted” selfies, clearly identifying the parties they support. The verified social media accounts of leading political parties are doubling down on their poll promises of a communal purge of “infiltrators”, divine curses for the heretic who doesn’t vote for the “party of gods”, and threats of profiling if a community voted for the correct party and subsequent dire consequences. The door-to-door campaigning of the past has obviously been replaced by the tweet-to-tweet mixture of threats, cajoling, and blood lust that seems to set the tone for our current political climate.

At the same time, the manifestos of the two leading coalitions, as well as the affidavits of the people running for office, are under deep public scrutiny. The BJP, in a Freudian blooper, announced itself as working for violence on women, incurring the sarcastic wrath of Twitter. One minister, who has been running through various cabinet positions, including education, was called to task to explain her wide repertoire of unverified degrees that change every voting season. Complaints against suspicious Electronic Voting Machines (EVMs) have made themselves heard loudly on social-media discussion forums. And lately, the YouTube videos of people allegedly showing the easy removal of the indelible ink from the voting fingers, exploded into public view, jeopardising the integrity of the one-person-one-vote paradigm.

Social media, it would seem, is everywhere. And its ubiquity is ensuring that all stakeholders of the electoral process are performing for the social media gaze. Our leaders are talking in tweet-sized morsels, hoping to get their last messages in. The organisers of the massive process have taken to debunking false claims, providing verified information, and guiding people to their voting processes. The voters are not only wearing their party colours, but also canvassing for their favourite leaders, either through proclamations of patriotism or through emotional messages of voting against hate and discrimination. Voting groups are scrutinising and discussing the party manifestos and also the unexpected alliances coming into being in the quest of reaching the majority mark.

For more details visit https://cis-india.org/raw/indian-express-april-21-2019-nishant-shah-getting-through-an-election-made-for-social-media-gaze

Workshop on Democratic Accountability in the Digital Age (Delhi, November 14-15)

sumandro — 2016-12-15T09:27:22Z

IT for Change, along with Centre for Internet and Society (CIS), Digital Empowerment Foundation (DEF), Mazdoor Kisan Shakti Sangathan (MKSS) and National Campaign for People’s Right to Information (NCPRI), is organising a two day workshop on ‘Democratic Accountability in the Digital Age’. The workshop will focus on evolving a comprehensive policy approach to data based governance and digital democracy, grounded in a rights and social justice framework. It will be held at the United Service Institution of India, Delhi, during November 14-15, 2016. The CIS team to participate in the workshop includes Sumandro Chattapadhyay (speaker), Amber Sinha (speaker), Vanya Rakesh (participant), and Himadri Chatterjee (participant).

The workshop aims to:

Discuss the institutional norms, rules and practices appropriate to the rise of ‘governance by networks’ and ‘rule by data’ that can guarantee democratic accountability and citizen participation, and
Articulate the steps to claim the civic-public value of digital technologies so that data and the new possibilities for networking are harnessed for a vibrant grassroots democracy.

We hope the workshop can create a civil society coalition that can build effective strategies for legal and policy reform to further participatory democracy in the digital age. On the first day, the workshop will set the context through knowledge sharing and thematic presentations and discussions. On the second day, we aim to concretize strategies for collective action to further democratic accountability in the digital age.

Workshop Agenda (PDF)

Background Note (ODT)

For more details visit https://cis-india.org/internet-governance/events/workshop-on-democratic-accountability-in-the-digital-age-delhi-november-14-15

Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)

sumandro — 2017-01-23T13:17:19Z

The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.

Cross-posted from Centre for Financial Accountability.

Programme Schedule

09.30 - Registration

10:00 - Introduction to the Seminar & Setting the Context

Madhuresh Kumar, National Alliance of People’s Movements

10:15–11:30 - Session 1 - Understanding the Political Context of FinTech

B P Mathur, Former Dy CAG

Prabir Purkayastha, Free Software Movement of India and Knowledge Commons

C P Chandrasekhar, Centre for Economic Studies and Planning, JNU

11:30-11:45 – Tea / Coffee break

11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?

Ashim Roy, New Trade Union of India

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Ravinder Gupta, General Secretary, State Bank of India Officers Association

13:15-14:00 – Lunch

14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech

Indira Rajaraman, Former Director, RBI

Tony Joseph, Sr. Journalist

15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc

Sumandro Chattapadhyay, the Centre for Internet and Society

Gopal Krishna, ToxicsWatch

17:00 – Tea

For more details visit https://cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017

"Will the Magic Number Deliver?" - Roundtable on Aadhaar at CSLG, JNU, April 26

sumandro — 2016-04-20T10:49:58Z

The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), will organise a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Rajeev Chandrasekhar, Prasanna S, Apar Gupta, and Chirashree Dasgupta, Sumandro Chattapadhyay will be one of the discussants. It will take place in the CSLG Conference Room at 6 pm.

Discussion Note

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, was enacted by the Parliament on March 16. Thereafter it has been notified on March 26.

The Act empowers the UIDAI (Unique Identification Authority of India) to collect biometric and demographic information of residents to provide them with a unique number. This unique number is to be used for enumeration, identification and targeting of beneficiaries of government subsidies and services.

Since the creation of the UIDAI as an executive authority in 2009, this process of enumeration has been ongoing. Recently, it was announced that more than 100 crore residents have been given their aadhaar cards. Alongside, however, legal challenges have continued in the Supreme Court.

Given this context, this Roundatable Discussion will focus on the following set of questions (among others):

Can the Aadhaar Number enable better delivery of government subsidies and services?
How does the Act ensure data protection?
Is there a right to privacy in India? What are the implications in the context of Aadhaar?
Does the Act ensure public access to statutory remedies in case of violations?
Did the Aadhaar Bill fulfil the requirements of a money bill?

Discussion Format

Setting the Theme - Short Introduction to the Topic by Natasha Goyal

Speakers' comments, 15 minutes each, consecutive, no power points

Rajeev Chandrasekhar, Member of Parliament, Rajya Sabha
Sumandro Chattapadhyay, the Centre for Internet and Society
Prasanna S, Lawyer
Apar Gupta, Advocate, Delhi High Court
Dr. Chirashree Dasgupta, Centre for the Study of Law and Governance

Open Session (Moderated Q and A)

Followed by Tea

Directions to Venue

From JNU main gate, proceed straight until you get to a T-junction. Turn left. Continue until you reach a second T-junction. Turn right. Follow the road for just 0.7 km until you see a bus stop labelled “Paschimmabad.” About 50 m past the bus stop turn right at a sign that reads: “Centre for the Study of Law and Governance”. The CSLG building is on the right. The conference room is on the first floor.

Poster

For more details visit https://cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016

Digital native: The View from My Bubble

nishant — 2016-12-05T15:15:07Z

In the digital world, the privileged have the power to deny a devastating crisis for the poor.

The article was published by Indian Express on December 4, 2016.

For weeks now, my timeline on almost all social media feeds has been dominated by stories of demonetisation. Over the last few years, I have been spending time in countries where I, more or less, live a cashless life. Every transaction is enabled by a digital connection — my contactless debit card pays most of the bills for groceries, my phone works as an automatic wallet at my favourite stores, and the larger purchases are done online, through direct bank transfers. Most days, I leave home with such little cash that I would not even be able to buy a decent meal with it.

While the continent is different, this experience is not much different from my days spent in India. I don’t really remember the last time I made huge cash deposits or withdrawals, and the services that I am used to would almost all have facilitated digital transactions, ensuring a smooth continuation of my life except, perhaps, for renouncing the occasional binge on street food, and letting go of the habit of hailing an auto on a busy road.

Hence, like many people who live in the same privileged combination of class, urbanity, education and affordability, my initial reaction to this move was reflective and speculative. In an abstract manner, I was curious about what this means to the theory of value, what this would achieve in the long-term visions of the state, and wondering what the costs of currency re-introductions might be. The earlier debates with family and friends were all marked by this elitist inquiry into the nature of things, feasting our minds on economic and political conundrums, well aware that there is going to be no crisis on the horizon. The social media also reflected this filter bubble. We made pithy jokes and offered polarised opinions about whether or not this is going to achieve the whitening of black money, and what its long term effects on the economic future would be.

Now that we know, however, that this state of emergency is going to last well into the end of this year, and as reports trickle in of the deprivation, exploitation and precariousness that destabilise lives and push them towards the precipice, I take a deep introspective breath. I don’t want to go into the discussions of the impact and measures of this move on lives that I do not live, and people who are so unlike me that I cannot even imagine what it means to live on the edge of a demonetised currency note. My opinions on this cannot be more informed or valid than the millions of voices that have flooded the social web with commentary, discussions and outright abusive fighting around the issue.

Instead, I want to reflect on what it means to consume a lived crisis, an embodied reality, a precarious condition through the mediated bubble of the digital web. For years now, activists have lamented that the web is an alienating medium. It allows people to become armchair clicktivists, removed from the reality of messy life and able to profess care, concern and commitment as long as it does not inconvenience or disrupt their everyday life. However, this has often been seen as a knee-jerk reaction to change, with enough evidence to prove that these technologies of connectivity also produce new collective forms of action, engendering trust, empathy, and care for people who are often made invisible in the systemic violence of everyday life. The debate is unresolved. However, the ways in which the demonetisation crisis — because it has officially become a crisis — is being consumed online, remotely, makes me wonder how the digital web allows a space for performance without experience, and articulation without politics.

Almost unanimously, the continued chatter of how the common man must bear some inconvenience for the greater good of our collective futures comes from people who embody the same privileges I do. From the comfort of their well-stocked kitchens and their insurances that would cover any health crises, these voices continue to parrot the idea that all that this means for anybody is just a bit of a hassle, but nothing to worry about.

In the growing face of evidence that the poor are being pushed to the limits of their downward precipitation, they continue to invoke the sacrifices that must be made towards making India great again. Every day, I hear them valiantly champion the Prime Minister for his authoritative decision, and defend the logistics that have failed to protect the economic survival of the silent sufferers in the favour of recovering untold wealth which might turn out to be mythical after all.

And, each time I read these reports, I wonder how the digital allows them, protects them, and produces a performative space from which they can speak, without any experience, about the lives of others, reducing their struggles to lifestyle logistics and ambulatory adjustments.

For more details visit https://cis-india.org/raw/indian-express-december-4-2016-nishant-shah-digital-native-the-view-from-my-bubble

Fake Narendra Modi apps aplenty, but it’s up to users to protect themselves

praskrishna — 2016-12-10T04:24:24Z

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

The article was published by Indian Express on December 2, 2016. Pranesh Prakash was quoted. Also see Nandini Yadav's blog post in BGR on December 3, 2016.

The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded.

A “Narendra Modi” app, purportedly offered by the Government of India, caught the attention of Internet expert Pranesh Prakash on Thursday as the app developer was found to be using a Bangladesh-based web host and e-mail address. Suggesting that this could be the work of a con-artist, Prakash underlined that granting access to fake apps could lead to security breach. The app, hosted on Google Play store, automatically gets excessive permission including full network access and ability to take pictures and videos once downloaded. The original NaMo, however, only gets access to read, modify and delete the user’s media files. The “fake” app was downloaded more than 1 lakh times and has an average rating of 4.4 from over 2,000 reviews. A simple search on the play store throws up dozens of Narendra Modi apps, some even calling themselves fake apps. The original app was published by Narendramodi.in and Government Of India. But there are scores of other apps trying to imitate the original.

Pranesh, who is Policy Director at The Centre for Internet and Society, also questioned how users can differentiate between fake and genuine apps when even the official app was registered using a gmail address. While the Government of India Narendra Modi app has been published using info@narendramodi.press, the one by Narendramodi.in has been published using a simple Gmail app. He also highlighted how the play store was flooded with fake banking apps, with one such “SBI app” gaining full access to the user’s files. Incidentally, the fake Modi Ki Note app which has been in the limelight since the demonetisation on high value notes and issue of new ones itself has many duplicates.

In the last two days, the Congress and its vice-president Rahul Gandhi fell victim to hacking as their verified Twitter accounts were compromised. Profane content was shared from both accounts, targeting the Gandhi and his family. This lead to the Congress questioning Prime Minister Narendra Modi’s digital India push as security remains a huge concern.

For more details visit https://cis-india.org/internet-governance/news/indian-express-december-2-2016-fake-narendra-modi-apps-aplenty-but-it-is-up-to-users-to-protect-themselves