<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 141 to 155.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy">
    <title>Privacy Perspectives on the 2012 -2013 Goa Beach Shack Policy </title>
    <link>https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy</link>
    <description>
        &lt;b&gt;CCTVs are increasingly being employed by private organizations and the government in India as a way to increase security and prevent or deter crime. When the government mandates the use of CCTVs for this purpose, it often does so by means of a blunt policy mandate, requiring the installation of CCTV systems, but without any further clarification as to who should oversee the use of the cameras, what bodies should have access to the records, how access should be granted or obtained, and how long the recordings should be retained. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The lack of clarity and specificity in these requirements, the fact that these technologies are used in public spaces to collect undefined categories and amounts of information, and the fact that the technology can cut through space, does not distinguish between private and public, and primarily captures information where it is directed, give rise to privacy concerns and raise fundamental questions about the ways in which technologies can be used to effectively increase security while still protecting the rights of individuals and the promotion of business.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;An example of a blanket CCTV installation requirement from the government is seen in the 2012-2013 Goa Beach Shack Policy.&lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt; This blog will examine the shack policy from a privacy perspective, and how identification requirements are evolving. The blog will explore different principles by which surveillance technologies like CCTVs can be employed in order to promote effectiveness and protect the rights of individuals.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;To help understand the current status of the Shack Policy and the extent of CCTV use in Goa, I spoke with a number of shack owners, cyber café owners, the Ministry of Tourism, and the Police of Goa. In this blog I do not use any direct quotes and write only from the perspective of my personal observations.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Current Status of the Shack Policy&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;This year, for the 2012-2013 tourist season, the Department of Tourism of Goa is implementing the Beach Shack Policy for regulating the establishment and running of temporary shacks at beaches in Goa. The policy applies only to the licensing, construction, maintenance, and demolition of temporary shacks on beaches owned by the government. The policy lays out requirements that must be submitted by applicants for obtaining a license and requirements relating to the operation of the shacks including size, security, health and safety, and noise control. Shacks, huts, hotels, etc. built on private land do not come under the scope of the policy. The shacks can only be bars and restaurants that can run from November 1&lt;sup&gt;st&lt;/sup&gt; through May 31&lt;sup&gt;st&lt;/sup&gt;, after which they must be taken down until the next season. The licensing of these shacks is to enable local employment opportunities in Goa. This can be seen by the requirement in the policy that Shacks are to be granted to only one member of the family who is unemployed.&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt; Currently, the Ministry of Tourism has almost completed the allotment of shack spaces on all beaches in Goa. The police will assist in the enforcement of the policy, but their exact role is in the process of being clarified. Before the 2012-2013 policy, shacks were regulated by annual beach shack policies, which are not available online, but can be accessed through an RTI request to the Department of Tourism. Resistance to the policy has been seen by some because of concerns that the shacks will take away business from local private owners, will block fishing boats, will cause trash and sewage problems, and create issues for free movement of people on the beach.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Inside the policy:&lt;/h2&gt;
&lt;h3&gt;Application Requirements&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;To apply for a license for a temporary shack, every application must be turned in by hand and must be accompanied by an original residence certificate issued by the Village Panchayat Municipality, an attested copy of the ration card, four copies of a recent colored passport photo with the name written on the back, an attested copy of the birth certificate/passport copy/Pan Card and any other information that the applicant desires to furnish, and an affidavit. In addition, individuals must provide their name, address, telephone number, name of the shack, name of the beach stretch, nationality, experience, and any other information they wish to provide.&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt; These requirements are not excessive and have been kept to what seems minimally necessary for providing a license, though the option for individuals to provide any additional information they wish could be used to convey either meaningful or extraneous information to the government.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Operational Requirements&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The policy has a number of operational requirements for shack owners as well. For example owners must clearly display a self identifying photograph on the shack&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; and they must agree to assist the Tourism Department and Police department in stopping any crime and violation of any law along the Beach.&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The policy also requires that any person handling food must take a course conducted by IHMCT, GTDC, or Porvorim,&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt; shacks must also be made out of eco friendly material as much as possible and the use of cement is banned,&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt; and the proper disposal of trash and waste water will be the responsibility of the shack owner.&lt;a href="#fn8" name="fr8"&gt;[8]&lt;/a&gt; Furthermore, foreigners working in the shacks must have a work visa,&lt;a href="#fn9" name="fr9"&gt;[9]&lt;/a&gt; and loud music is not allowed to be played after 10:30 p.m.&lt;a href="#fn10" name="fr10"&gt;[10]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As noted in the introduction, each shack must install a CCTV surveillance system that provides real-time footage with an internal looping system in a non-invasive form. &lt;a href="#fn11" name="fr11"&gt;[11]&lt;/a&gt; But I got to understand that the CCTV requirement will be slowly introduced and will not be implemented this year due to resistance from shack owners. When the requirement is implemented, hopefully different aspects around the use of CCTVs will be clarified including: the retention period for the recordings, access control to the recordings, the responsibilities of the shack owner, where the camera will be set up and where it needs to be directed to, etc.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Currently in Goa there are official requirements for CCTVs to be installed in Cyber Cafes under section 144 of the CrPC. This requirement only came into effect on October 1st 2012.&lt;a href="#fn12" name="fr12"&gt;[12]&lt;/a&gt; Some private hotels, huts, and restaurants run CCTV cameras for their own security purposes. When asked if CCTVs will also become mandatory for private areas, some said this will happen, while others said it would be difficult to implement.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Enforcement&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The policy uses a number of measures to ensure enforcement. For example, successful applicants must place a security deposit of 10,000 with the Director of Tourism. If any term of the policy is violated, the deposited amount will be given to the Government Treasury and the individual is required to pay another Rs. 10,000 to continue operating.&lt;a href="#fn13" name="fr13"&gt;[13]&lt;/a&gt; The placement of deck beds on the beach without authorization will also be treated as an offense under the Goa Tourist Places (protection and maintenance) Act 2001 and will be punished with a term of imprisonment of a minimum of three months, which may extend to 3 years, and a fine which may extend to Rs. 5,000 or both. All offenses under the Act are cognizable and non-refundable.&lt;a href="#fn14" name="fr14"&gt;[14]&lt;/a&gt; If the shack is not dismantled at the end of the season, the individual will have their application rejected for the next three years.&lt;a href="#fn15" name="fr15"&gt;[15]&lt;/a&gt; Shack owners will also be penalized if they are caught discriminating against who can and cannot enter into the shack.&lt;a href="#fn16" name="fr16"&gt;[16]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, though CCTV cameras can be used to ‘catch’ a number of offenses, the offenses that are penalized under the Act do not seem to require the presence of a CCTV camera. Additionally, the policy is missing penalties for the tampering and misuse of these cameras and unauthorized access to recordings.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Other practices around security and identification in Goa&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;In 2011 Goa also issued a new ‘C’ form that must be filled out by foreigners entering hotels.&lt;a href="#fn17" name="fr17"&gt;[17]&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The form requires twenty six categories of information to be filled out including: permanent address, next destination to be proceeded to, contact number in hotel, purpose of visit, whether employed in India, and where the foreigner arrived from. According to hotel owners, three copies of these records are made. Two are submitted to the police and one is kept with the hotel. The records kept with the hotel are often kept for an undefined time period.  In 2011 the police also enforced a new practice where every shack, hut, hotel etc. must have an all night security guard to ensure security on the beach. It was noted that registration of migrant workers is now mandatory, and that non-registered or undocumented vendors are removed from working on the beaches.&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Will the 2012 – 2013 Beach Shack Policy have new implications?&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;In its current form, especially taking into consideration that the CCTV requirement will not be implemented immediately, the 2012 – 2013 shack policy does not seem alarming from a privacy perspective. On the general policy, though the penalties, such as the possibility of three months in prison for having too many beach chairs, seem to be over-reaching, there are a number of positive requirements in the policy such as the use of eco-friendly material, noise control, and strict procedures for disposing of trash and sewage.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The privacy perspective could change when CCTVs are implemented. The amount of data that would be generated and the ambiguity around the employment of the cameras could raise a number of privacy concerns. Yet the fact that this part of the policy will only be implemented later down the road seems indicative of both the shack owners' discomfort in using the technology, and perhaps the government’s recognition that a certain level of ground work needs to be done before CCTVs are made mandatory for every shack in the state. Hopefully before the requirement is implemented, the ground work will be set up either at a national level – in the form of a national privacy legislation, or at the state level – in the form of appropriate safeguards and procedures built into the policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the macro level, and when examined in the context of the growing use of CCTVs by private owners, the implementation of the UID and NPR requirements in Goa, and the introduction of the new ‘C’ form for foreigners, the CCTV requirement found in the Shack Policy seems to be part of a growing trend across the country where the government seems to seek to identify all individuals and their movements/actions for unclear and undefined purposes, and looks towards identification through the collection of personal information and use of technology as a means to solve security issues.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For example, Goa is not the only city to consider mandatory installation of CCTVs. In Delhi, the Department of Tourism issued a similar requirement in a 2012 amendment to the “existing Guidelines for Classification/Reclassification of Hotels”. According to the amendment, hotels applying for approval are required to provide documentation that security features including CCTV systems are in place.&lt;a href="#fn18" name="fr18"&gt;[18]&lt;/a&gt; Similarly, in 2011 the Delhi State Industrial and Infrastructure Development Corporation began implementing a plan to install CCTVs outside of government and private liquor shops, amounting to 550 shops in total. The goal was to use the CCTV cameras to catch individuals breaking the Excise Act on camera and use the recordings during trials. According to news coverage, the cameras are required to be capable of recording images 50 meters away and all data must be stored for a period of 30 days.&lt;a href="#fn19" name="fr19"&gt;[19]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The ambiguity that exists around the legal use of many of these security systems and technologies, including CCTVs, was recently highlighted in the Report of the Group of Experts on Privacy headed by Justice A.P. Shah.&lt;a href="#fn20" name="fr20"&gt;[20]&lt;/a&gt; The report noted that the use of CCTV cameras and more broadly the use of electronic recording devices in India is an area that needs regulation and privacy safeguards. The report describes how the nine proposed national privacy principles of notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure of information, security, and openness, could be applied and will be affected by the use of these technologies.&lt;a href="#fn21" name="fr21"&gt;[21]&lt;/a&gt;&lt;/p&gt;
&lt;h2 style="text-align: justify; "&gt;Conclusion&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;In India and elsewhere, the police are faced on a daily basis with the challenge of preventing and responding to all types of crime, and from this perspective – any information, clue, or lead is helpful and necessary, and the potential usefulness of CCTVs in identifying criminals and to some extent deterring  crime is clear. On the other hand when CCTVs are employed without safeguards and regulations it could result in infractions of privacy and rights or could simply move the crime away from the surveilled area to an unsurveilled area.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Finding a way to ensure that police have access to the information that they need and that crime is prevented, while at the same time ensuring that the rights of individuals are not compromised, and the private sector's ability to easily do business is not limited by unrealistic security requirements, is an important discussion that governments, policy makers, and the public should be having. The answer hopefully is not found in a binary game of all or nothing, surveillance or no surveillance – but instead is found through mechanisms and principles that apply to both security and privacy such as transparency, oversight, proportionality, and necessity. For example, practices around what access the police legally have via surveillance systems, retention practices, cost of implementing surveillance, and amount of surveillance undertaken each year could be made transparent to the public to ensure that the public is informed and aware of the basic information around these systems. Furthermore, clear oversight over surveillance systems including distinction between the responsibilities and liabilities can ensure that unreasonable requirements are not placed. Lastly, any surveillance that is undertaken should be necessary and proportional to the crime or threat that it is being used to prevent or detect. These principles along with the defined National Privacy Principles could help measure what amount and what type of surveillance could be the most effective, and ensure that when surveillance is employed it is done in a way that also protects the rights of individuals and the private sector.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Notes&lt;/b&gt;&lt;br /&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. Ministry of Tourism. Goa Government. 2012-2013 Beach Shack Policy. Available at: &lt;a class="external-link" href="http://bit.ly/Xk18NH"&gt;http://bit.ly/Xk18NH&lt;/a&gt;. Last accessed: October 24th 2012.&lt;br /&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. Id. Section 2.&lt;br /&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. Id. Application Requirements 1-8. Pg 1&amp;amp;2.&lt;br /&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. Section 33.&lt;br /&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. A part of the affidavit.&lt;br /&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. Id. Section 4.&lt;br /&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. Id. Section 17.&lt;br /&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. Id. Section 28.&lt;br /&gt;[&lt;a href="#fr9" name="fn9"&gt;9&lt;/a&gt;]. Id. Section 35.&lt;br /&gt;[&lt;a href="#fr10" name="fn10"&gt;10&lt;/a&gt;]. Id. Section 37.&lt;br /&gt;[&lt;a href="#fr11" name="fn11"&gt;11&lt;/a&gt;]. Id. Section 38.&lt;br /&gt;[&lt;a href="#fr12" name="fn12"&gt;12&lt;/a&gt;]. Order No. 38/10/2006. Under Section 144 of the Code of Criminal Procedure, 1973. Available at: &lt;a class="external-link" href="http://www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf"&gt;http://www.goaprintingpress.gov.in/downloads/1213/1213-28-SIII-OG.pdf&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr13" name="fn13"&gt;13&lt;/a&gt;]. Beach Shack Policy 2012 - 2013, Section 16.&lt;br /&gt;[&lt;a href="#fr14" name="fn14"&gt;14&lt;/a&gt;]. Id. Section 18.&lt;br /&gt;[&lt;a href="#fr15" name="fn15"&gt;15&lt;/a&gt;]. Id. Section 22.&lt;br /&gt;[&lt;a href="#fr16" name="fn16"&gt;16&lt;/a&gt;]. Id. Section 32.&lt;br /&gt;[&lt;a href="#fr17" name="fn17"&gt;17&lt;/a&gt;]. Arrival Report of Foreigner in Hotel. “Form C”.
Available at: &lt;a class="external-link" href="http://bit.ly/TbUO4S"&gt;http://bit.ly/TbUO4S&lt;/a&gt;&lt;br /&gt;[&lt;a href="#fr18" name="fn18"&gt;18&lt;/a&gt;]. Government of India. Ministry of Tourism. Amendment in the existing Guidelines for Classification / Reclassification of Hotels. June 28&lt;sup&gt;th&lt;/sup&gt; 2012. Available at: &lt;a class="external-link" href="http://bit.ly/RXtgBg"&gt;http://bit.ly/RXtgBg&lt;/a&gt;. Last accessed: October 24th 2012.&lt;br /&gt;[&lt;a href="#fr19" name="fn19"&gt;19&lt;/a&gt;]. Bajpaj, Ravi. CCTV shots to check drinking outside city liquor vends. The Indian Express reproduced on the website of dsidc. December 20&lt;sup&gt;th&lt;/sup&gt; 2011. Available at: &lt;a class="external-link" href="http://bit.ly/VHwCz"&gt;http://bit.ly/VHwCz&lt;/a&gt;d. Last accessed: October 24th 2012.&lt;br /&gt;[&lt;a href="#fr20" name="fn20"&gt;20&lt;/a&gt;]. GOI. Report of the Group of Experts on Privacy. October 2012. Available at: &lt;a class="external-link" href="http://bit.ly/VqzKtr"&gt;http://bit.ly/VqzKtr&lt;/a&gt;. Last accessed: October 24th 2012.&lt;br /&gt;[&lt;a href="#fr21" name="fn21"&gt;21&lt;/a&gt;]. Id. pg. 61-62.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy'&gt;https://cis-india.org/internet-governance/blog/privacy-perspectives-on-the-2012-2013-goa-beach-shack-policy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-10-25T10:23:50Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private">
    <title>Bolstering right to remain private </title>
    <link>https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private</link>
    <description>
        &lt;b&gt;The Justice AP Shah panel has done well to lay down an enforceable roadmap that can strengthen privacy laws in the country. It’s now for the legislature to take the issue to a logical conclusion.&lt;/b&gt;
        &lt;div class="itemFullText" style="text-align: justify; "&gt;
&lt;hr /&gt;
&lt;p&gt;Apar Gupta's column was &lt;a class="external-link" href="http://www.dailypioneer.com/columnists/item/52726-bolstering-right-to-remain-private.html"&gt;published&lt;/a&gt; in the Pioneer on October 29, 2012.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;span&gt;A  haveli courtyard is an apt metaphor for the complexity which is  involved in drafting a law on privacy. Though the courtyard gives an  appearance of openness, it is limited by the walls, doors and windows  which surround it. The architecture represents a mediated understanding  of the options which are available to the resident in sharing and  limiting information to family and strangers. A somewhat similar project  is in the works with the Union Government taking steps towards the  enactment of a privacy law.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Privacy  law as it is understood at present is usually limited to the odd writ  petition filed against the Government by a private individual seeking  enforcement of a fundamental right to privacy. Recently, such  adjudication has been limited to high-profile individuals, and where  there is wide voyeuristic interest. For instance, two recent petitioners  include industrialist Ratan Tata and former Samajwadi Party leader Amar  Singh. Here, it is important to stress that with the state gathering  more and more data about individuals through the Unique Identification  Authority of India scheme, there is a need to democratise the right by  making legal provisions for its enforcement. In making such provisions a  balance has to be maintained, where information which serves public  interest or gathered through informed consent is not encumbered in the  name of protecting individual privacy.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;To find this balance, the Government late last year tasked a Committee of Experts chaired by Justice AP Shah to prepare a report on the Privacy Bill. Readers would recall that Justice Shah had authored a judgement which read down Section 377 of the Indian Penal Code, decriminalising homosexual activity. A closer reading of the judgement shows the reliance placed by the court on the privacy right to reach its determination. With such credentials, the Justice Shah Committee has exceeded the high expectations placed on it, presenting a fair and balanced approach towards a privacy law in India.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;At  the very outset the report clearly marks its objectives, from which it  then commences to study judicial precedent on privacy as well as the  experience of foreign jurisdictions. On the basis of this study, it has  evolved nine privacy principles which encompass within it distinct  aspects of individual privacy. Such a nuanced approach to privacy is  certainly welcome given that privacy as a right is often subjective,  varying drastically in its appreciation as per civil society, private  industry and even Government itself.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Beyond  the specific aspects of the privacy right, the report extends the right  both to Government as well as private industry. This is a sign of the  times, best put by Pranesh Prakash, policy director, Centre for Internet  and Society, when he says that citizens reveal more data about  themselves to social networking websites than they would to the  Government under torture!&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Another significant aspect is the proposed co-regulatory regime which the report suggests. Experience has taught us that a right without an effective remedy to enforce it counts for little more than a black letter on paper. In this respect, the report proposes a sectoral regulator which has supervision over State level privacy commissioners. In addition to this, the report also proposes a system of self-regulation where industry-specific standards may be proposed and then sanctioned by the privacy commissioners. However, contrary to the present approach of tribunalisation, the report suggests that recourse to civil courts for aggrieved persons should always be kept open.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Though  the origins of the privacy rights may be antiquated, widespread  consensus suggests that the modern practice and substance of privacy law  owes its beginning to an article published in the fourth volume of the  Harvard Law Review. The article, authored by Louis Brandeis and Samuel  Warren drawing a physical justification for what seemed like a novelty  back then, stated that the law regarded a man’s house as his castle.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Sadly,  the right has not seen a proper development in India, mainly due to the  absence of an overarching legislation as well as a lack of  understanding of its proper contours. At least in this respect, the  report marks a significant development in the drafting of a  comprehensive privacy legislation in India. A haveli, a house or a  castle — the Justice Shah panel has provided a useful blueprint to the  legislature to build an effective and balanced statute to safeguard  individual privacy.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;i&gt;(The writer is a partner in a Delhi-based law firm and visiting faculty at the National Law University, Delhi)&lt;/i&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div style="text-align: justify; "&gt;&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private'&gt;https://cis-india.org/news/daily-pioneer-columnists-oct-29-2012-apar-gupta-bolstering-right-to-remain-private&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2012-10-29T09:00:13Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people">
    <title>Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people</title>
    <link>https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people</link>
    <description>
        &lt;b&gt;In yet another shocking report of personal data breach in India, it has emerged that Aadhaar data of 13 crore people was put out on websites of four major government projects in the country. The leaked data include bank account details of over one crore people linked to Aadhaar numbers under the direct benefit scheme. Over eight crore people lost their private data on the national job guarantee scheme website alone.&lt;/b&gt;
        &lt;p&gt;The article by Jikku Varghese Jacob was &lt;a href="http://english.manoramaonline.com/news/nation/2017/05/01/government-sites-leaked-aadhaar-data-of-13-crore-cis-report.html"&gt;published by Manorama&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The shocking details have surfaced in a report released by the       Center for Internet Society (CIS) which deals with the publication       of Aadhaar data and their security. It appears to be the biggest       blast on Aadhaar data leak yet. The report says these pieces of       information were available on Internet since last November. Once       detected, the CIS officials had initiated steps to remove them.&lt;/p&gt;
&lt;p&gt;The CIS report cites two central government portals and websites       from Andhra Pradesh as violators. Following are the websites that       published the data:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;National Social Assistance Programme (under the Ministry of       Rural Development).&lt;/li&gt;
&lt;li&gt;The national portal of the job guarantee scheme.&lt;/li&gt;
&lt;li&gt;Daily online payment reports (Government of Andhra Pradesh)&lt;/li&gt;
&lt;li&gt;Chandranna Bheema project (Government of Andhra Pradesh)&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;Private data of 1,59,42,083 people were leaked on the social       assistance scheme site. The two Andhra Pradesh sites breached the       privacy of three crore people.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Information leaked on most of the sites could be downloaded as       Excel sheet. It is estimated that data on 23 crore people is       linked to Aadhaar under the direct benefit scheme.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The CIS fears that if other government sites have also handled       such data without care there could have occurred a massive data       base breach. The CIS put in months of effort before finalizing       this report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It was recently found that Aadhaar data on 35 lakh people in Kerala was disclosed on the state's Sevana Pension website. In Jharkhand, 14 lakh people had their privacy violated when their Aadhaar information was put out on a government website.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Such leaks of Aadhaar data are a crime that can fetch up to three years of imprisonment. Complaints have arisen that government departments did not bother to comply with an IT ministry directive last month to remove the Aadhaar data from websites.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Experts point out that criminals can misuse personal data on       Aadhaar and bank account. The data could be used to obtain SIM       cards and carry out transactions online.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar, the world's largest bio-metric enrolment in India, will       enrol 1.2 billion people in a 12-digit unique number for each       person to be issued to each resident in the country. The number       with its biometric information – photograph, fingerprints and iris       scan – of each individual is easily verifiable in an online.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people'&gt;https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-03T14:35:23Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report">
    <title>130 Million Aadhaar Numbers Were Made Public, Says New Report</title>
    <link>https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report</link>
    <description>
        &lt;b&gt;The research report looks at four major government portals whose poor information security practices have exposed personal data including bank account details.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a href="https://thewire.in/130948/aadhaar-card-details-leaked/"&gt;published in the Wire&lt;/a&gt; on May 1, 2017. This was also mirrored on &lt;a class="external-link" href="http://www.mensxp.com/technology/latest/36661-over-130-million-aadhaar-numbers-bank-details-were-leaked-way-are-not-surprised.html"&gt;MensXP.com&lt;/a&gt; on May 5, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;Irresponsible         information security practices by a major central government         ministry and a state government may have exposed up to 135         million Aadhaar numbers, according to a new research report         released on Monday.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;The&lt;a href="https://thewire.in/118250/government-expose-personal-data-thousands-indians/" rel="noopener           noreferrer" target="_blank" title=" last two months "&gt; last two months &lt;/a&gt;have seen a wave of data leaks, mostly due to improper information security practices, from various central government and state government departments.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This &lt;a rel="noopener noreferrer" target="_blank" title="new report"&gt;new report&lt;/a&gt;, released by the Centre       for Internet and Society, studied four government databases. The       first two belong to the rural development ministry: the National       Social Assistance Programme (NSAP)’s dashboard and the National       Rural Employment Guarantee Act (NREGA)’s portal.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second two databases deal with the state of       Andhra Pradesh: namely, the state government’s own NREGA portal       and the online dashboard of a state government scheme called       “Chandranna Bima”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Based on the numbers available on the websites       looked at, estimated number of Aadhaar numbers leaked through       these 4 portals could be around 130-135 million and the number of       bank accounts numbers leaked at around 100 million from the       specific portals we looked at,” the report’s authors, Amber Sinha       and Srinivas Kodali, state.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The data leaks come, in part, from the       government’s decision to provide online dashboards that were       likely meant for general transparency and easy administration.       However, as the report notes, while open data portals are a       laudable goal, if there aren’t any proper safeguards, the results       can be downright disastrous.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While availability of aggregate information on       the dashboard may play a role in making government functioning       more transparent, the fact that granular details about individuals       including sensitive PII such as Aadhaar number, caste, religion,       address, photographs and financial information are only a few       clicks away suggest how poorly conceived these initiatives are,”       the report says.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Consider the NSAP portal for instance. The       dashboard allows users to explore a list of pensioners, whose       personally identifiable information include bank account number,       name and Aadhaar number. While these details are “masked for       public view”, the CIS report points out that if “one of the URL       query parameters of the website… was modified from ‘nologin’ to       ‘login'”, it became easy to gain access to the unmasked details       without a password.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“It is entirely unclear to us what the purpose behind making available a data download option on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state,” the report states.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI role?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Kodali and Sinha also prominently finger the role       of the Unique Identification Authority of India (UIDAI), the       government agency that manages the Aadhaar initiative, in the data       leaks.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief,” the report states.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Still public?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A crucial question that arises is whether these government databases are still leaking data. Over the last two months, some of the information has been masked.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“It must be stated that since we began reviewing       and documenting these portals, we have noticed that some of the       pages with sensitive PII (personally identifiable information)       have now been masked, presumably in response to growing reports       about Aadhaar leaks,” the report notes.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report'&gt;https://cis-india.org/internet-governance/news/the-wire-may-1-2015-130-million-aadhaar-numbers-were-made-public-says-new-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:32:32Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report">
    <title>Govt may have made 135 million Aadhaar numbers public: CIS report</title>
    <link>https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report</link>
    <description>
        &lt;b&gt;CIS report says Aadhaar numbers leaked through government databases could be 100-135 million and bank accounts numbers leaked about 100 million.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Komal Gupta was &lt;a href="http://www.livemint.com/Politics/oj7ky556p6vdljXpRw8gPP/135-million-Aadhaar-numbers-made-public-by-government-author.html"&gt;published in Livemint&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;A central government ministry and a state government may have       made public up to 135 million Aadhaar numbers, according to a       research report issued by Bengaluru-based think tank Centre for       Internet and Society (CIS) late on Monday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank"&gt;report&lt;/a&gt; titled &lt;i&gt;Information Security         Practices of Aadhaar (or lack thereof): A documentation of         public availability of Aadhaar numbers with sensitive personal         financial information&lt;/i&gt; studied four government databases.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The first two belong to the rural development ministry—the       National Social Assistance Programme (NSAP)’s dashboard and the       National Rural Employment Guarantee Act’s (NREGA) portal.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The other two databases deal with Andhra Pradesh—the state’s own       NREGA portal and the online dashboard of a government scheme       called “Chandranna Bima”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Based on the numbers available on the websites looked at, the       estimated number of Aadhaar numbers leaked through these four       portals could be around 130-135 million and the number of bank       account numbers leaked at around 100 million from the specific       portals we looked at,” said Amber Sinha and Srinivas Kodali, the       authors of the research report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report claims these government dashboards and databases       revealed personally identifiable information (PII) due to a lack       of proper controls exercised by the departments.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While the availability of aggregate information on the Dashboard       may play a role in making government functioning more transparent,       the fact that granular details about individuals including       sensitive PII such as Aadhaar number, caste, religion, address,       photographs and financial information are only a few clicks away       suggest how poorly conceived these initiatives are,” said the       report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report said the NSAP portal lists 94,32,605 bank accounts and       14,98,919 post office accounts linked with Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While the UIDAI (Unique Identification Authority of India) has       been involved in proactively pushing for other databases to get       seeded with Aadhaar numbers, they take little responsibility in       ensuring the security and privacy of such data,” said the report.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI did not respond to an email from &lt;i&gt;Mint&lt;/i&gt; seeking       comments.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report'&gt;https://cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-03T15:43:37Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report">
    <title>Aadhaar numbers of 135 mn may have leaked, claims CIS report</title>
    <link>https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report</link>
    <description>
        &lt;b&gt;Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://timesofindia.indiatimes.com/business/india-business/aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report/articleshow/58529002.cms"&gt;published in the Times of India&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;"Based on the numbers available on the websites looked at, estimated  number of Aadhaar numbers leaked through these four portals could be  around 130-135 million," the report by &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/CIS"&gt;CIS&lt;/a&gt; said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The portals where the purported leaks happened were those of National  Social Assistance Programme, National Rural Employment Guarantee  Scheme, as well as two websites of the Andhra Pradesh government.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Over 23 crore beneficiaries have been brought under Aadhaar  programme for DBT (Direct Benefit Transfer), and if a significant number  of schemes have mishandled data in a similar way, we could be looking  at a data leak closer to that number," it cautioned.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The disclosure came as part of a CIS report titled 'Information  Security Practices of Aadhaar (or lack thereof): A Documentation of &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Public-Availability-of-Aadhaar-Numbers"&gt;Public Availability of Aadhaar Numbers&lt;/a&gt; with Sensitive Personal Financial Information'.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When contacted, a senior official of the &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Unique-Identification-Authority-of-India"&gt;Unique Identification Authority of India&lt;/a&gt; (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The CIS report claimed that the absence of "proper controls" in  populating the databases could have disastrous results as it may divulge  sensitive information about individuals, including details about  address, photographs and financial data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"The lack of consistency of data masking and de-identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report'&gt;https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-12T15:40:28Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database">
    <title>Aadhaar: Are a billion identities at risk on India's biometric database</title>
    <link>https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database</link>
    <description>
        &lt;b&gt;"My fingerprints and iris are mine and my own. The state cannot take away my body," a lawyer told India's Supreme Court last week.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Soutik Biswas was &lt;a class="external-link" href="http://www.bbc.com/news/world-asia-india-39769322"&gt;published by BBC News&lt;/a&gt; on May 4, 2017. Also see the blog post by Rawlson King published by &lt;a class="external-link" href="http://www.biometricupdate.com/201705/report-claims-millions-of-aadhaar-registration-and-bank-numbers-compromised"&gt;Biometric Update.com&lt;/a&gt; on May 5, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Shyam Divan was arguing a &lt;a class="story-body__link-external" href="https://barandbench.com/day-3-aadhaar-hearing-eminent-domain-confined-to-land-cannot-extend-it-to-human-body/"&gt;crucial petition &lt;/a&gt;challenging  a new law that makes it compulsory for people to submit a controversial  biometric-based personal identification number while filing income tax  returns.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Defending this law, the government's top law officer told  the court on Tuesday that an individual's "right to body is not an  absolute right".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"You can have right over your body but the state  can restrict trading in body organs, so the state can exercise control  over the body," Attorney General Mukul Rohatgi said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the heart  of the latest challenge are rising concerns over the security of this  mega biometric database and privacy of the number holders. (The  government says it needs to link the identity number to income tax  returns to improve compliance and prevent fraud.)&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;India's biometric database is the world's largest. Over the past  eight years, the government has collected fingerprints and iris scans  from &lt;a class="story-body__link-external" href="http://economictimes.indiatimes.com/news/politics-and-nation/1-12-billion-indians-have-aadhaar-numbers-by-now-heres-how-modi-government-plans-to-sign-up-the-rest/articleshow/57914441.cms"&gt;more than a billion&lt;/a&gt; residents - or nearly 90% of the population - and stored them in a high  security data centre. In return, each person has been provided with a  randomly generated, unique 12-digit identity number.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;For a  country of 1.2 billion people with only 65 million passport-holders and  200 million with driving licenses, the portable identity number is a  boon to the millions who have long suffered for a lack of one.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;States have been using the number, also called Aadhaar (Foundation),  to transfer government pensions, scholarships, wages for a landmark  rural jobs-for-work scheme and benefits for cooking fuel to targeted  recipients, and distribute cheap food to the poor.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Over the  years, the number has taken a life of its own and begun exerting, what  many say, is an overweening and stifling control over people's lives.  For many like political scientist Pratap Bhanu Mehta, Aadhaar has  transmuted from a "tool of citizen empowerment to a &lt;a class="story-body__link-external" href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/"&gt;tool of state surveillance&lt;/a&gt; and citizen vulnerability".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;People will soon need the number to receive benefits from more than 500 of India's 1,200-odd welfare schemes. Even&lt;a class="story-body__link-external" href="https://scroll.in/article/823274/how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch"&gt; banks and private firms&lt;/a&gt; have begun using it to authenticate consumers: a new telecom company  snapped up 100 million subscribers in quick time recently by verifying  the customer's identity through the number.&lt;/p&gt;
&lt;h2 class="story-body__crosshead" style="text-align: justify; "&gt;'Forcibly linked'&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;People  are using the number to even get their marriages registered. The  number, says Nikhil Pahwa, editor and publisher of Indian news site  MediaNama, is "being forcibly linked to mobile numbers, bank accounts,  tax filings, scholarships, pensions, rations, school admissions, health  records and much much more, which thus puts more personal information at  risk".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Some of the fears are not without basis.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government has assured that the biometric data is &lt;a class="story-body__link-external" href="http://www.hindustantimes.com/india-news/aadhaar-is-safe-secure-and-robust-says-i-t-minister-ravi-shankar-prasad/story-k3Judj5xqGdHmHuraZggTN.html"&gt;"safe and secure in encrypted form"&lt;/a&gt;, and anybody found guilty of leaking data can be jailed and fined.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But there have already been a &lt;a class="story-body__link-external" href="http://www.medianama.com/2017/04/223-aadhaar-leaks-database/"&gt;number of leaks&lt;/a&gt; of details of students, pensioners and recipients of welfare benefits  involving a dozen government websites. Even former Indian cricket  captain &lt;a class="story-body__link-external" href="http://www.dailyo.in/variety/ms-dhoni-wife-sakshi-leaked-private-details-aadhaar-card/story/1/16421.html"&gt;MS Dhoni's personal information&lt;/a&gt; was mistakenly tweeted by an overzealous enrolment service provider.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Now a disturbing &lt;a class="story-body__link-external" href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1"&gt;report&lt;/a&gt; by The Centre for Internet and Society claims that details of around  130-135 million Aadhaar numbers, and around 100 million bank numbers of  pensioners and rural jobs-for-work beneficiaries have been leaked online  by four key government schemes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;More than 230 million people  nationwide are accessing welfare benefits using their numbers, and  potentially, according to the report, "we could be looking at a data  leak closer to that number". And linking the number to different  databases - as the government is doing - is increasing the risk of data  theft and surveillance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The chief law officer believes that the outrage over the leaks is "much ado about nothing".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Biometrics were not leaked, only Aadhaar numbers were leaked. It is nothing substantial. The idea is biometrics should not be leaked," Mukul Rohatgi told the Supreme Court on Tuesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government itself has admitted that it has&lt;a class="story-body__link-external" href="http://indianexpress.com/article/india/aadhaar-card-uidai-cracks-down-on-1000-operators-in-three-months-for-malpractices-fir-against-20-4606006/"&gt; blacklisted or suspended some 34,000 service providers&lt;/a&gt; for helping create "fake" identification numbers or not following  proper processes. Two years ago, a man was arrested for getting an &lt;a class="story-body__link-external" href="http://indianexpress.com/article/trending/man-arrested-for-getting-aadhar-card-made-for-dog/"&gt;identification number for his pet dog&lt;/a&gt;.   The government itself has deactivated 8.5 million numbers for  incorrect data, dodgy biometrics and duplication. Last month, crop loss  compensation for more than 40,000 farmers was delayed because their  Aadhaar numbers were &lt;a class="story-body__link-external" href="http://timesofindia.indiatimes.com/city/bengaluru/banks-mess-up-aadhaar-entry-relief-delayed-to-40000-farmers/articleshow/58424252.cms?utm_source=toimobile&amp;amp;utm_medium=Twitter&amp;amp;utm_campaign=referral&amp;amp;from=mdr"&gt;"entered incorrectly by banks&lt;/a&gt;".&lt;/p&gt;
&lt;h2 class="story-body__crosshead" style="text-align: justify; "&gt;'Mass surveillance'&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;There  are also concerns that the number can be used for profiling. Recently,  authorities asked participants at a function in a restive university  campus in southern India &lt;a class="story-body__link-external" href="http://www.newindianexpress.com/cities/hyderabad/2017/apr/26/osmania-university-centenary-aadhaar-must-for-entry-activists-not-amused-1597850.html"&gt;to provide their Aadhaar identity numbers&lt;/a&gt;.  "This is not only a matter of privacy. The all pervasiveness of the  Aadhaar number is a threat to freedom of expression, which is a  constitutional right," Srinivas Kodali, who investigated the latest  report on data leaks, told me.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Critics say the government is  steaming ahead with making the number compulsory for a range of  services, violating a Supreme Court order which said enrolment would be  voluntary. "The main danger of the number," says economist Jean Dreze,  "is that it opens the door to mass surveillance."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="story-body__link" href="http://www.bbc.co.uk/news/technology-23867191"&gt;Nandan Nilekani&lt;/a&gt;, the technology tycoon who set up the programme popularly known by its acronym &lt;a class="story-body__link-external" href="https://uidai.gov.in/"&gt;UIDAI&lt;/a&gt;, believes concerns about the safety of the biometric database are exaggerated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He says the identity number has cut wastage, removed fakes, curbed  corruption and made substantial savings for the government. He insists  that the programme is completely encrypted and secure. "It's like you  are creating a rule-based society," he told &lt;a class="story-body__link-external" href="https://www.ft.com/content/46dcb248-0fcb-11e7-a88c-50ba212dce4d"&gt;Financial Times&lt;/a&gt; recently, "it's the transition that is going on right now."&lt;/p&gt;
&lt;h2 class="story-body__crosshead" style="text-align: justify; "&gt;Abused&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;More than 60 countries around the world take biometric data from their people, says Mr Nilekani. But then there are nagging concerns worldwide about these databases being abused by hackers and state intelligence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In 2016, personal details of some &lt;a class="story-body__link" href="http://www.bbc.co.uk/news/technology-35978216"&gt;50 million people in Turkey&lt;/a&gt; were reportedly leaked. (Turkey's population is estimated at 78 million.) In 2015, hackers &lt;a class="story-body__link" href="http://www.bbc.co.uk/news/technology-34346802"&gt;stole more than five million fingerprints &lt;/a&gt;after  breaching US government networks. In 2011, French experts discovered a  hack involving the theft of millions of people's data in Israel.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pratap  Bhanu Mehta has written that the lack of a "clear transparent consent  architecture, no transparent information architecture, no privacy  architecture worth the name [India doesn't have a privacy law], and  increasingly, no assurance about what exactly you do if the state  decides to mess with your identity" could easily make Aadhaar a "tool of  state suppression".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So a lot of lingering doubts remain. How  pervasive should an identity number be? What about the individual  freedom of citizens? How do you ensure the world's biggest biometric  database is secure in a country with no privacy laws and a deficient  criminal justice system?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In many ways, the debate about Aadhaar  is also a debate about the future of India. As lawyer Shyam Divan argued  forcefully in the top court, "people are reduced to vassals" when the  state controls your body to this extent.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database'&gt;https://cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:38:26Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13">
    <title>Meeting on Proactive Disclosure and Personal Data (Delhi, May 13, 5:30 pm)</title>
    <link>https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13</link>
    <description>
        &lt;b&gt;CIS is organising an informal discussion on topics related to proactive disclosure and personal data thrown up by the recently published report by Amber Sinha and Srinivas Kodali titled "Information Security Practices of Aadhaar (or lack thereof)". Please join us at 5:30 pm today, May 13, at the CIS office.&lt;/b&gt;
        
&lt;h4&gt;Read the report: &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1"&gt;PDF&lt;/a&gt;&lt;/h4&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13'&gt;https://cis-india.org/internet-governance/events/meeting-on-proactive-disclosure-and-personal-data-delhi-may-13&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sumandro</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Open Data</dc:subject>
    
    
        <dc:subject>Open Government Data</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Public Accountability</dc:subject>
    

   <dc:date>2017-05-13T04:32:41Z</dc:date>
   <dc:type>Event</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law">
    <title>Indian Government says it is still drafting privacy law, but doesn’t give timelines</title>
    <link>https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law</link>
    <description>
        &lt;p style="text-align: justify; "&gt;Read the original published by Medianama &lt;a class="external-link" href="http://www.medianama.com/2016/05/223-government-privacy-draft-policy/"&gt;here&lt;/a&gt;&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The Government is drafting a legislation to protect privacy of  individuals breached through unlawful means in consultation with  stakeholders, the minister for communications and information technology  Ravi Shankar Prasad &lt;a href="http://164.100.47.234/question/annex/239/Au706.pdf"&gt;said&lt;/a&gt; in the Rajya Sabha. However, no timeline was provided, which is really  the problem: Is the Indian government even interested in a privacy law?&lt;/p&gt;
&lt;ul style="text-align: justify; "&gt;
&lt;li&gt;In August last year, the Government of India had said in the Supreme Court of India that “&lt;a href="http://www.medianama.com/2015/08/223-privacy-india-aadhaar/"&gt;violation of privacy doesn’t mean anything because privacy is not a guaranteed right”&lt;/a&gt;, actually arguing that the citizens of India do not have a fundamental right to privacy.&lt;/li&gt;
&lt;li&gt;In September last year, the DeitY had also sought to make encryption (and personal and business security) weaker via a &lt;a href="http://www.medianama.com/2015/09/223-india-draft-encryption-policy/"&gt;draft policy on encryption&lt;/a&gt;,  requiring all users to store the plaintexts of the corresponding  encrypted information for 90 days from the date of transaction and  provide the verifiable plain-text to Law and Enforcement Agencies if  required. After a public outcry, the paper was &lt;a href="http://www.medianama.com/2015/09/223-draft-national-encryption-policy-paper-withdrawn-says-telecom-minister-r-s-prasad/"&gt;withdrawn&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Last month, the DoT made it &lt;a href="http://www.medianama.com/2016/04/223-dot-mandatory-gps-panic-button/"&gt;mandatory&lt;/a&gt; to have GPS on all phones by 2018.&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;We’re in a situation where the country doesn’t have a privacy law on  one hand, and is setting up surveillance systems like the Centralized  Monitoring System, NETRA, NATGRID (for collecting data from across  databases), and linking citizens and databases across the unique  identity number in Aadhaar on the other.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What happened to the old Privacy bill?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While India does not yet have a comprehensive privacy policy, back in  2014, the Centre for Internet and Society received a leaked version of  the draft Privacy Bill 2014 that the Department of Personnel and  Training, Government of India had drafted. A comparison of the draft  bill from 2014 and the draft privacy bill of 2011 can be found &lt;a href="http://www.medianama.com/2014/04/223-leaked-privacy-bill-2014-vs-2011-cis-india/"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As per Prasad, as of now, Sections 43, 43A and 72A of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and compensations must be paid to the victim in case of unauthorized access or leakage of information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span class="message_body"&gt;&lt;b&gt;Questions asked in Rajya Sabha&lt;/b&gt;: &lt;/span&gt;&lt;/p&gt;
&lt;blockquote style="text-align: justify; "&gt;
&lt;p&gt;&lt;span class="message_body"&gt;Whether Government intends to bring a specific legislation to address the concerns regarding privacy in the country, if so, the details thereof, if not, the reason therefor; and &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="message_body"&gt;Whether the legislation would provide for  protection of ‘personal data’ along the lines of the European Union’s  Data Protection Directive, if so, the details thereof, if not, the  reasons therefor&lt;/span&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;EU Privacy Bill&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, the question posed to the minister asked if the legislation would provide for protection of personal data along the lines of European Union’s General Data Protection Directive (GDPR), which was approved just &lt;a href="http://www.allenovery.com/publications/en-gb/data-protection/Pages/Timetable.aspx"&gt;last month&lt;/a&gt;. EU’s directive defines “any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, as personal data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The GDPR has a pretty wide scope and is pretty consumer friendly. The laws require users to provide explicit consent for data collection, companies to report as soon as they have a data breach, and a ‘right to erasure’ that lets users request all personal data related to them to be deleted. It also imposes a significant fine of up to 4% of annual worldwide turnover of a company in the previous financial year, in case of non-compliance. For a comprehensive overview of the policy read the handbook on European data protection law (&lt;a href="http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf"&gt;pdf&lt;/a&gt;).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Email privacy bill US&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The US does not have a comprehensive digital privacy law like the EU and mostly relies on the Privacy Act of 1974. However, recently the US House of Representatives &lt;a href="https://nakedsecurity.sophos.com/2016/04/29/us-house-unanimously-passes-email-privacy-act/"&gt;unanimously passed the Email Privacy Act&lt;/a&gt; that would require investigators to get a warrant before forcing companies to hand over customer email or other electronic communications, no matter how old the communication.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law'&gt;https://cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-15T02:10:26Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar">
    <title>Plug data leak before imposing Aadhaar</title>
    <link>https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar</link>
    <description>
        &lt;b&gt;As the Central government continues to expand the scope and boundaries of the applicability of Aadhaar, the unique identification number, even before the Supreme Court’s verdict on its constitutional validity, reports suggesting that millions of Aadhaar numbers may have been leaked deliberately or inadvertently are a matter of grave concern.&lt;/b&gt;
        &lt;p&gt;The article was published in the &lt;a class="external-link" href="http://www.deccanherald.com/content/611047/plug-data-leak-imposing-aadhaar.html"&gt;Deccan Herald&lt;/a&gt; on May 11, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The Centre for Internet and Society, a Bengaluru-based organisation, has  claimed that close to 135 million Aadhaar numbers and 100 million bank  account numbers have been exposed by government portals dealing with  pension, social welfare and employment guarantee schemes. The report  says that with Aadhaar being used or planned to be used for  authenticating and authorising several transactions, the financial risks  of the disclosure of such data are greatly exacerbated. Virtually  confirming that some ‘over-enthusiastic’ government agencies have been  making the Aadhaar data public, Aruna Sundararajan, secretary, Union  Electronics and Information Technology Ministry, has said that the  Centre is in the process of ‘educating officials’ about the sanctity of  the material collected, besides drafting amendments to the Information  Technology Act to ensure data protection and secrecy. That’s indeed a  late realisation, and hopefully, not a case of locking the stables once  the horses have bolted.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Supreme Court is also rightly concerned about the invasion of a citizen’s body in obtaining fingerprints and iris impressions for Aadhaar and the violation of an individual’s privacy. Attorney General Mukul Rohatgi raised several eyebrows by arguing that “citizens don’t have an absolute right over their own bodies” and there was nothing illegal about obtaining biometric details. He may be legally right, but as the court pointed out, it is the duty of the state to maintain the liberty and dignity of all individuals. As almost 98% of the population has already been covered by Aadhaar, the question of privacy is now more academic, though making Aadhaar mandatory for the filing of income tax along with PAN card is not. As the government is unable to come to grips with millions of benami transactions and large-scale evasion of income tax in the country, if the linking of Aadhaar is going to bring down such cases, it needs to be welcomed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, Aadhaar is not a magic bullet that has a solution for every problem. The government should drop the idea of making it mandatory for social welfare programmes such as children availing midday meals in schools, supply of nutrition under ICDS programme and provision of scholarship for the disabled. The government certainly has a responsibility to prevent misuse of the schemes, while making sure that welfare measures are not denied to the needy on technical grounds.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar'&gt;https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-17T02:10:37Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking">
    <title>What’s Hard To Digest About The Zomato Hacking</title>
    <link>https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</link>
    <description>
        &lt;b&gt;Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead, it’s Zomato, the popular Indian online food delivery and restaurant search service.&lt;/b&gt;
        &lt;div class="story__element__wrapper" style="text-align: justify; "&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;The blog post by Aayush Ailawadi was published by &lt;a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking"&gt;Bloomberg Quint&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in &lt;a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank"&gt;its blog&lt;/a&gt; that no financial details were at risk and only user IDs, usernames,  names, email addresses and password hashes had been compromised.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper" style="text-align: justify; "&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Throughout the course of the day, the company kept updating its  blog post and offered different sets of advice to its users. In an  earlier post, it only recommended changing one’s password on other sites  if you are “paranoid about security like us”. Later, that post  mentioned that the passwords were “salted” and hence had an extra layer  of security but it still “strongly advises” customers to change  passwords.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;In an emailed response, the company explained to BloombergQuint,  “We made our disclosure very early, soon after we discovered that it  happened. We wanted to be proactive in communicating to our users. As we  found more details about the leak, we updated the information”&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;But, that wasn’t the only problem. The data was put up on the  dark web for sale by the hacker, and the seller was apparently charging  0.5521 bitcoins, or $1001.45, for the data. According to the post, the  passwords were stored by Zomato using MD5 encryption, which according to  security experts is antiquated and unsuitable for password encryption.&lt;/p&gt;
&lt;div class="__container"&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Late on Thursday night, the story took an interesting turn when the company updated &lt;a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank"&gt;its blog post yet again&lt;/a&gt;.  It said that it had gotten in touch with the hacker who was selling the  data on the dark web and that apparently the hacker had been very  cooperative and helpful. “He/she wanted us to acknowledge security  vulnerabilities in our system and work with the ethical hacker community  to plug the gaps. His/her key request was that we run a healthy bug  bounty program for security researchers,” the company said.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Usually, when hackers around the world attack with ransomware,  they demand a massive amount of bitcoins as ransom. But, in this case  the company claims that all the hacker wants is the assurance that the  company will introduce a bug bounty program on Hackerone soon. In  return, the hacker has agreed to destroy all copies of the stolen data  and take the data off the dark web marketplace.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="card-block-qsection-technology card"&gt;
&lt;div class="__container"&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;But, while it may seem like the storm has passed for Zomato,  cybersecurity experts like Pranesh Prakash at the Centre for Internet  &amp;amp; Society believe that a lot more could have been done by the  company in such a case.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Disclose To Confuse?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #1: Prakash feels that Zomato got it all wrong by issuing  multiple disclosures and not addressing the problem at hand, which was  to clearly explain what happened and immediately request customers to  change similar passwords on other websites.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;What’s So Scary About The Zomato Hacking?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #2: BloombergQuint reached out to Zomato to confirm  whether the passwords were encrypted with “MD5”, a hashing algorithm  that Prakash and other Twitter users who accessed the seller’s page on  the dark web believe was used by the company. But, the tech company  didn’t respond to that specific question.&lt;/p&gt;
&lt;p&gt;What’s worse is that  Prakash adds that not only is this algorithm antiquated but it is also  highly unsuitable for password encryption, as it can be cracked quickly.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Genuine Disclosures Vs False Promises&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #3: Prakash suspects that the company wasn’t honest and  forthright with its users during this episode. According to him, the  company could learn a thing or two about honest disclosures from  companies like CloudFlare and LastPass, which fell victim to similar  attacks in the past year.&lt;/p&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;h3&gt;&lt;b&gt;Where’s My Privacy And Security?&lt;/b&gt;&lt;/h3&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="story__element__wrapper"&gt;
&lt;div class="story__element__text story__element"&gt;
&lt;div class="story-element-"&gt;
&lt;p&gt;Concern #4: According to Prakash, it’s not just about privacy,  but also one’s security that has been compromised in this instance. He  says that the Zomato hack is like a reminder that an odd section in the  Information Technology Act is not sufficient when it comes to data  protection. Instead, India needs a robust data protection law where bad  security practices can actually be prosecuted and companies can be  penalised if they don’t follow standard and reasonable security  practices.&lt;/p&gt;
&lt;p&gt;Zomato also told BloombergQuint that it has understood how the breach  happened but couldn’t share exact details at the moment. The company  said, “Our team is working to make sure we have the vulnerability  patched. All we can say right now is that it started with a password  leak on some other site. We will share more details on our blog over the  next few days.”&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'&gt;https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:22:37Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim">
    <title>UIDAI puts posers to CIS over Aadhaar data leak claim</title>
    <link>https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim</link>
    <description>
        &lt;b&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article originally published by PTI was also &lt;a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/"&gt;published by the Financial Express&lt;/a&gt; on May 19, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for  Internet and Society (CIS) to explain its sensational claim that 13  crore Aadhaar numbers were “leaked” and provide details of servers where  they are stored. In a precursor to initiating a probe into the matter,  the Unique Identification Authority of India (UIDAI) also wants CIS to  clarify just how much of such “sensitive data” are still with it or  anyone else. The UIDAI — which has vehemently denied any breach of its  database — shot off a letter to CIS yesterday asking for the details,  including the servers where the downloaded “sensitive data” are residing  and information about usage or sharing of such data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Underscoring the importance of bringing to justice those involved in  “hacking such sensitive information”, the UIDAI sought CIS’ “assistance”  in this regard and has given it time till May 30 to revert on the  issue. “Your report mentions 13 crore people’s data have been leaked.  Please specify how much (of) this data have been downloaded by you or  are in your possession, or in the possession of any other persons that  you know,” the UIDAI said in its communication to CIS.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no ‘leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has  also sought technical details on how access was gained for the National  Social Assistance Programme (NSAP) site — one of the four portals where  the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey  said, “We do not comment on individual matters.” The UIDAI has also  asked for details of systems that were involved in downloading and  storing of the sensitive data so that forensic examination of such  machines can be conducted to assess the quantum and extent of damage to  privacy of data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI letter comes after a CIS report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, in an apparent course correction on May 16, a day before the UIDAI’s letter went out, CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim'&gt;https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:28:33Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani">
    <title>Watch: Aadhaar has become a whipping boy: Nandan Nilekani </title>
    <link>https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani</link>
    <description>
        &lt;b&gt;India certainly needs a modern data privacy and protection law, Nilekani said in an interview.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The interview by Alnoor Peermohamed and Raghu Krishnan was &lt;a class="external-link" href="http://www.business-standard.com/article/economy-policy/aadhaar-has-become-a-whipping-boy-nandan-nilekani-117051201521_1.html"&gt;published in the Business Standard&lt;/a&gt; on May 13, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;As debate rages over &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being a &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and surveillance liability, its architect &lt;b&gt;Nandan Nilekani &lt;/b&gt;says the unique identity programme has become a “whipping ward”.  In an interview with &lt;i&gt;Alnoor Peermohamed &lt;/i&gt;and &lt;i&gt;Raghu Krishnan&lt;/i&gt;, he says we need a data protection and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law with adequate judicial and parliamentary oversight. Edited excerpts:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;There is concern we are losing our &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;because of &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt;..&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;Privacy &lt;/a&gt;is  an issue the whole world is facing, thanks to digitisation. The day you  went from a feature phone to a smartphone the amount of digital  footprint you left behind went up dramatically. The phone records your  messages, it knows what you are saying, it has a GPS so it can tell  anybody where you are, the towers can tell anybody where you are because  they are constantly pinging the phone. There are accelerometers and  gyroscopes in the phone that detect movement.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Internet companies essentially make money from data. They use data to  sell you things or advertisements. And that data is not even in India,  it is in some country in some unaccountable server and accessible to the  government of that foreign country, not ours.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Then increasingly there is the Internet of Things. Your car has so many  sensors, wearables have sensors and all of them are recording data and  beaming it to somebody else. Then there are CCTV cameras everywhere, and  today they are all IP-enabled.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;is a global issue, caused by digitisation. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is one small part of that. The system is designed not to collect information, because the first risk to &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;is if someone is collecting information. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is  a passive ID system, it just sits there and when you go somewhere and  invoke it, it authenticates your identity. By design itself, it is built  for &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy.&lt;/a&gt; I believe India needs a modern data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Why is &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a proxy for the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;and data protection issues?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is a motivated campaign by people who are trying to find different ways to say something about it. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;Privacy &lt;/a&gt;is a much bigger issue. I have been talking about &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;much  before anyone else. In 2010, when it was not such a big issue, I had  written to Prime Minister Manmohan Singh saying we needed a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt; You could see what was happening, the iPhone came out on June 30, 2007,  Android phones came around the time we started Aadhaar, so we could see  the trend. I asked Rahul Matthan, a top intellectual property and data  lawyer, to help and we worked with the government to come out with a  draft law. And then there was the AP Shah Committee. The UIDAI’s DDG  Ashok Pal Singh was a part of that committee, so we helped shape that  policy.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;When a banking application uses Aadhaar, the system does not know what  the bank does. It is deliberately designed so that data is kept away  from the core system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I am all for a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;but we should look at it in context, look at the big picture. If people want to work together to create a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Now that the government is linking &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;to PAN and driver’s licences, will that not lead to &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a surveillance tool?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Surveillance is conducted through a 24x7 system that knows what you are  doing, so from a technology perspective the best surveillance device is  your phone. The phone is the device you should worry about.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is  not a 24x7 product. I buy one SIM card a year and do an e-KYC, the  driver’s licence sits in my pocket and only sometimes someone asks for  it. With the PAN card I file my returns only once a year.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;But with all that data being linked, can the government not use it?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is a valid concern and has to be addressed through a legal and oversight process. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is just one technology. You do not attack the technology, you look at the overall picture.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The US has the Foreign Intelligence Surveillance Act under which  special courts issue warrants to the FBI for surveillance. This is  absolutely required and it should be a part of the data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;(in India) which says under what circumstances the government can authorise surveillance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today mobile phones are being tapped by so many agencies. In the US,  the FBI is under the oversight of the Senate. In India, Parliament does  not have oversight of any intelligence agency. I remember (former Union  minister) Manish Tewari had introduced a Bill six or seven years ago  saying Intelligence agencies needed to be under the oversight of the  Parliament, but nothing happened.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Is there any way to stop &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;being used as a surveillance tool?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today a person can be identified with or without &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt; US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;by  itself is not going to add anything to that. What is important is that  the infrastructure of surveillance comes under judicial oversight as  well as parliamentary oversight.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Would the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;narrative have been different if this were a Congress-led government?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I think most people making this noise are against the government, so it is a political argument and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;has  become a convenient whipping ward. Lots of different agendas are at  work here. But my understanding is this - whether it is data protection  and privacy, surveillance or security, these are all broad issues that  apply to technology in general and if you are serious about solving the  issues you should fix it at the highest level and have a data protection  and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;law which includes, mobile phones, CCTV cameras and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;A report by the Centre for Internet and Society says 130 million &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;identities have been leaked...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is because of the transparency movement in the last 10 years. In  2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act  says that data about benefits should be made public. At that time it was  all about transparency. Since then, governments have been publishing  lists of MNREGA beneficiaries and how much money is being put into their  bank accounts. At that time it was applauded. Now the same thing is  coming back as &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy &lt;/a&gt;being affected.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;These are not leaks; governments have been consciously putting out the  data in the interest of transparency. The message from this is we have  to strike a balance between transparency and &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Privacy" target="_blank"&gt;privacy.&lt;/a&gt; And that is a difficult balance because Section 4 of the RTI Act says  if a benefit is provided by the government it is public information, so  the names of beneficiaries should be published because it is taxpayers’  money.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There is something called personally identifiable information. You  should strike a balance between transparency and not revealing  personally identifiable information. That is a delicate balance, and  people will have to figure this out. The risk you have now is  governments will stop publishing data - look, you guys have made a big  fuss about privacy, we will not publish. In fact, the transparency guys  are now worried that all the gains are being lost.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;If &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;is voluntary, why is the government forcing it on to various schemes?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for benefits and what process they should follow.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second thing is &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government has modified the Finance Bill and made &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;mandatory  for a PAN card. Why has it done that? Because India has a large number  of duplicate PAN cards. India has something like over 250 million PAN  cards and only 40 million taxpayers. Some of those may be people who  have taken PAN cards just as ID but not for tax purposes, but frankly it  is also because a lot of people have duplicate PAN cards. Why do people  have duplicates?  That is a way of tax evasion. The only way you can  eliminate duplicate PAN cards is by having &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;as a way of establishing uniqueness.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The second thing is mobile phones. Here the mobile phone requirement  came from the Supreme Court, where somebody filed a PIL saying so many  mobile phones are being given to terrorists and therefore you need to do  an e-KYC when the SIM is cut and the government said they would use &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;and they have been asked to do it by 2018.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The third thing is driver’s licences. As (Union Transport Minister) Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes.  Now why is this important? Because when you have fake driver’s licences  or multiple drivers’ licences, even if you are caught, you can give your  fake licence and continue to drive. Today India is the country with the  largest number of deaths on highways. Lack of enforcement, fake  licences are all a problem.  So in the latest Motor Vehicle Bill which  was passed the government said &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;was  necessary to get a licence. So that you have just one driver’s licence,  whether it is issued in Karnataka or Bihar, you have just one.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The government is also talking about using &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;for the mid-day meal scheme...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If you talk to people on the ground, and I have spoken to people on the  ground, a big part of the leakage is mid-day meals. It is not reaching  children. So it is important that all this has to happen so children get  what they need.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;You engaged with governments and civil servants when you initiated the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;process. In hindsight, would you say you should have also engaged with civil society?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;we  met governments, regulators and even parliamentarians. I gave a talk in  Parliament and we engaged deeply with civil society. In fact, we had  one volunteer only to engage with civil society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;You said you were engaged with the previous government about the data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law.&lt;/a&gt; Are you engaging with the current one too?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I am not really engaging. I know that people are working on it and  recently the attorney-general has made a statement in the Supreme Court  that the government will bring in a data &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Protection+Law" target="_blank"&gt;protection law &lt;/a&gt;by Diwali.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar?&lt;/a&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The seeding of data in the &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;database  has to be done properly and that is a process. Authentication has been  proven at scale in Andhra Pradesh. Millions of people receive food with &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;authentication  in 29,000 PDS outlets. In fact, now they have portability -- a person  from Guntur can go to Vijayawada and get his rations. It is empowering.  We keep forgetting about the empowering value.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What has the Andhra Pradesh government done? They have used  fingerprints, but they also have used iris scans, OTP on phone, and they  have a village revenue officer if none of the above works. When you  design the system, you have to design it in a way that 100 per cent of  the beneficiaries genuinely get the benefit.  Andhra Pradesh has shown  it can be done.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The government needs to package the learning and best practices of  Andhra Pradesh and take it to every other state. It is an execution  issue.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Activists have raised concerns over the centralised &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;database...&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;How else would you establish uniqueness? If you are going to give a  billion people a number, how else would you do it? Is there any other  way of doing it? Every cloud is centralised, then we should not have  cloud systems.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;How do you ensure security standards and software are updated?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are very good people there. The CEO is very good. There is a  three-member executive board with chairman Satyanarayana and two  members, Anand Deshpande and Rajesh Jain. I have no doubt that they will  continue to improve things.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On security, you keep improving. It is a constant race everywhere in  the world. They are now coming out with registered devices that will  make it more difficult to spoof.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;But without a centralised database, how do you establish that an  identity is not two people? If you look at the team that designed this,  cumulatively they have a few hundred years of experience of designing  large systems around the world. Every design decision has been taken  consciously looking at the pros and cons. Why did we have both  fingerprints and iris scans? There are two reasons. One is to ensure  uniqueness. The second is inclusion. We knew that fingerprints in India  do not work all the time because of age and manual labour. So we  included iris scans. I can give you a document from 2009 that says all  of this. All of these things were thought through.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;If you are given a chance to design &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar &lt;/a&gt;today what would you do differently?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;I would do exactly the same thing. Go back and look at the design  document. Every design has been articulated, the pros and cons are  written down, published on our website, and it is a highly transparent  exercise. It is the appropriate design for the problem we are trying to  solve. We are forgetting about the huge benefits people are getting.  Crores of people are getting direct benefit transfer without hassle.  They can go to a village business correspondent and withdraw money using  &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Aadhaar" target="_blank"&gt;Aadhaar.&lt;/a&gt; They can get their SIM card and open a bank account using e-KYC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;You are also forgetting that people are getting empowered. That  portability has ensured the bargaining power has shifted from the PDS  shop owner to the individual. If a PDS guy treats him badly, the  individual can choose another shop, earlier he could not do that. The  empowerment of millions of people to buy rations at the shop of their  choice is extraordinary.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani'&gt;https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:54:52Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond">
    <title>Revisiting Aadhaar: Law, Tech and Beyond</title>
    <link>https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond</link>
    <description>
        &lt;b&gt;Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.&lt;/b&gt;
        &lt;div style="text-align: justify; "&gt;The panel consisted of:&lt;/div&gt;
&lt;div style="text-align: justify; "&gt;
&lt;ul&gt;
&lt;li&gt;Saikat Datta; Policy Director, Centre for Internet and Society (Moderator) &lt;/li&gt;
&lt;li&gt;Anivar Aravind; Founder/Director at Indic Project &lt;/li&gt;
&lt;li&gt;Anupam Saraph; Professor and Future Designer &lt;/li&gt;
&lt;li&gt;Prasanna S; Advocate &lt;/li&gt;
&lt;li&gt;Shyam Divan; Senior Advocate, Supreme Court &lt;/li&gt;
&lt;li&gt;Srinivas Kodali; Co-founder at Open Stats &lt;/li&gt;
&lt;li&gt;Osama Manzar; Founder and Director, Digital Empowerment Foundation &lt;/li&gt;
&lt;li&gt;Usha Ramanathan; Legal Researcher&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;p style="text-align: justify; "&gt;The  panel was quite enlightening (and Saikat was a stellar moderator), with  Mr. Divan's elucidation on the arguments made in the court for the  Aadhaar case in particular being a great learning experience. Benjamin  and Sheetal (both interns in the Delhi office) along with Sumandro also  attended the event.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The other learning was that  for people who have attended multiple such panels/seminars and meetings  on Aadhaar, they can have a lot of repeated content. I passed on the  feedback to SFLC about how they could possibly include a small 10 to 15  minute session in future such panels on developments since the previous  such event on the Aadhaar and include practical aspects about what  people can do about minimising the harms that we are all slowly being co-opted into facing with the system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;More info about the event &lt;a class="external-link" href="http://sflc.in/panel-discussion-revisiting-aadhaar-law-tech-and-beyond-may-9-2017-new-delhi/"&gt;here&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond'&gt;https://cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T14:47:32Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web">
    <title>Hacker steals 17 million Zomato users’ data, briefly puts it on dark web</title>
    <link>https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</link>
    <description>
        &lt;b&gt;Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chennai was &lt;a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms"&gt;published in the Times of India&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;According to information security blog and news website &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead"&gt;HackRead&lt;/a&gt;,  the data was being peddled online on the "dark web" for about $1,000.  The company, also a food delivery platform, advised users to change  passwords. However, late on Thursday night, &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato"&gt;Zomato&lt;/a&gt; claimed it had contacted the hacker and persuaded him/her to not only  destroy all copies of the data, but also to take the database off the  dark web marketplace. The company said it will post an update on how the  breach happened once they "close the loopholes".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed. "Salting" is the addition of a string of characters to the passwords when they are stored in such a database, which adds another layer of difficulty in cracking them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says 60% of its users use such third-party authorisation, and they are at "zero risk."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'&gt;https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Hacking</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T05:57:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>




</rdf:RDF>
