The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 2871 to 2885.
Report on ICANN 50
https://cis-india.org/internet-governance/blog/report-on-icann-50
<b>Jyoti Panday attended ICANN 50 in London from 22-26 June. Below are some of the highlights from the meeting. </b>
<p style="text-align: justify; ">From 22-26 June, ICANN hosted its 50<sup>th</sup> meeting in London, the largest congregation of participants so far. In the wake of the IANA transition announcement, Internet governance was the flavor of the week. ICANN’s transparency and accountability measures emerged as much-contested notions, as did references to NETmundial. This ICANN meeting clearly demonstrated that questions as to the role of ICANN in internet governance need to be settled.</p>
<p style="text-align: justify; "><b>ATLAS II</b></p>
<p style="text-align: justify; ">Coinciding with the ICANN meeting was the 2<sup>nd</sup> At-Large Summit, or ATLAS II, bringing together a network of regionally self-organized and self-supporting At-Large structures, representing individual Internet users throughout the world. The goal of the meeting was to discuss, reach consensus and draft reports around five issues, organized into thematic groups, of concern to the At-Large Community.</p>
<p style="text-align: justify; ">The subjects for the thematic groups were selected by the representatives of ALSes; each summit participant was allocated to thematic groups according to his/her preferences. The groups were:</p>
<ul style="text-align: justify; ">
<li>Future of Multistakeholder models </li>
<li>The Globalization of ICANN </li>
<li>Global Internet: The User perspective </li>
<li>ICANN Transparency and Accountability </li>
<li>At-Large Community Engagement in ICANN </li>
</ul>
<p style="text-align: justify; "><b>Fadi Chehade's Five-Point Agenda</b></p>
<p style="text-align: justify; ">ICANN President Mr Chehade, in his address to the ICANN community, covered five points which he felt were important for ICANN in planning its future role. The first topic was the <a href="http://icannwiki.com/IANA" title="IANA">IANA</a> Stewardship and transition; he stated that ICANN is committed to being a transparent organization and seeks to be more accountable to the community as the contract with the US government ends. Regarding the IANA transition, he remarked that ICANN had received thousands of comments and proposals regarding the transition of IANA stewardship and understood there would be much more discussion on this subject, and that a coordination group of 27 members representing all the different stakeholders has been proposed in order to plot the course forward for the IANA transition.</p>
<p style="text-align: justify; ">His second topic was about ICANN globalization and hardening of operations. He said that ICANN has about 2-3 years to go before he is comfortable that ICANN operations are where they need to be. He applauded the new service channels which allow customer support in many different languages and time zones, and mentioned local language support that would add to the languages in which ICANN content is currently available. Chehade spent a few minutes discussing the future of WHOIS "Directory" technology and highlighted the initial report that a working group had put together, led by Jean-Francois Poussard.</p>
<p style="text-align: justify; ">Next he covered the GDD, the Global Domains Division of ICANN, and an update from that division on the New gTLD program. He mentioned the ICANN Auction, the contracts that had been signed, and the number of New gTLDs that had already been delegated to the Root. Internet Governance was Chehade's 4th topic of discussion; he applauded the NETmundial efforts, though he stressed that internet governance is one of the things that ICANN does and it will not be a high priority. He ended his speech with his last point, calling for more harmony within the ICANN community.</p>
<p style="text-align: justify; "><b>High Level Government Meeting</b></p>
<p style="text-align: justify; ">During ICANN London, the UK government hosted a high-level meeting, bringing together representatives from governments of the world to discuss Internet Governance and specifically the NTIA transition of the IANA contract. Government representatives recognized that the stewardship of IANA should be a shared responsibility between governments and private sector groups, while other representatives stressed giving governments a stronger voice than other stakeholders. The consensus at the meeting held that the transition should not leave specific governments or interest groups with more control over the Internet, but that governments should have a voice in political issues in Internet Governance.</p>
<p style="text-align: justify; "><b>GAC Communiqué</b></p>
<p style="text-align: justify; ">The <b>GAC Communiqué</b> is a report drafted by the Governmental Advisory Committee, advising the ICANN board on decisions involving policy and implementation. Highlights from the communiqué include:</p>
<ul style="text-align: justify; ">
<li>The GAC advises the Board regarding the .africa string, saying it would like to see an expedited process, especially once the Independent Review Panel comes to a decision regarding the two applicants for the string. They reaffirm their decision that DotConnectAfrica's application should not proceed.</li>
<li>The GAC mentioned the controversy surrounding .wine and .vin, where some European GAC representatives strongly felt that the applications for these strings should not proceed without proper safeguards for geographic names at the second level. However, the GAC was unable to reach consensus advice regarding this issue and thus did not relay any formal advice to the Board.</li>
<li>The GAC requested safeguards in the New gTLDs for IGO (Inter-Governmental Organization) names at the second level, and specifically related such advice for names relating to Red Cross and Red Crescent. </li>
</ul>
<p style="text-align: justify; "><b>Civil Society in ICANN and Internet Governance</b></p>
<p style="text-align: justify; ">NCUC, the Noncommercial Users Constituency (www.ncuc.org), the voice of civil society in ICANN’s policy processes on generic top level domain names and related matters, together with other civil society actors from the ICANN community, organized a workshop to provide an opportunity for open and vigorous dialogue between public interest advocates who are active both within and outside the ICANN community.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-icann-50'>https://cis-india.org/internet-governance/blog/report-on-icann-50</a>
</p>
No publisher | jyoti | ICANN, Internet Governance | 2014-10-12T05:42:04Z | Blog Entry
The India Conference on Cyber Security and Cyber Governance
https://cis-india.org/internet-governance/news/india-conference-cyber-security-and-cyber-governance
<b>Following the success of CYFY 2013, CYFY 2014 will be held from October 15 to 17, 2014 in New Delhi. The Centre for Internet and Society is a knowledge partner for this event and Sunil Abraham is participating as a panelist in the session "Privacy is Dead". </b>
<p>Click to <a href="https://cis-india.org/internet-governance/blog/cyfy-2014-event-programme.pdf" class="internal-link">download the event details</a>. The event brochure can be <a href="https://cis-india.org/internet-governance/blog/cyfy-2014-brochure.pdf" class="external-link">downloaded here</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/india-conference-cyber-security-and-cyber-governance'>https://cis-india.org/internet-governance/news/india-conference-cyber-security-and-cyber-governance</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2014-10-13T07:10:19Z | News Item
If MNCs make early inroads, they will keep market share: Sunil Abraham, CIS
https://cis-india.org/internet-governance/news/financial-express-october-23-2014-j-anand-if-mncs-make-early-inroads-they-will-keep-market-share
<b>The recent visits of the high-profile CEOs of internet/technology companies have made it clear that India, with its 200-million internet users, is increasingly becoming important for the multinational corporations (MNCs).</b>
<p style="text-align: justify; ">The article by J. Anand was <a class="external-link" href="http://www.financialexpress.com/news/if-mncs-make-early-inroads-they-will-keep-market-share-sunil-abraham-cis/1301085/0">published in the Financial Express</a> on October 23, 2014. Sunil Abraham gave his inputs.</p>
<hr />
<p style="text-align: justify; ">The recent visits of the high-profile CEOs of internet/technology companies have made it clear that India, with its 200-million internet users, is increasingly becoming important for the multinational corporations (MNCs). Bangalore-based Centre for Internet and Society (CIS) is a bit skeptical and feels some of these companies are trying to influence the internet policy-making of the country. Sunil Abraham, executive director of CIS, talks to FE’s Anand J regarding the government’s use of social media, the regulations and the plan for a Digital India. Edited excerpts:</p>
<p style="text-align: justify; ">We see a heightened interest in India from technology/internet companies, with their top CEOs visiting the country. What do you think is the reason?</p>
<p style="text-align: justify; ">In India, with little domestic competition, if these companies make early inroads, they will be able to keep the market share. The other reason is, the Indian government has made several proposals such as data localisation, mandatory data routing and so on, which have been demonised by the West as something that will balkanise the internet. Because India represents a big market, companies might be indulging in some amount of tokenism in the form of data centres. This is to show the government that they are willing to listen and lead the conversation to an agenda item that they are comfortable with and block some of the more dramatic proposals. The third reason could be that internet penetration might grow dramatically in the country and if the policy levers are moved appropriately, it will grow even more.</p>
<p style="text-align: justify; ">What is your stand on the government proposals?</p>
<p style="text-align: justify; ">In some ways, I agree with MNCs that some of the government proposals could break the architecture of internet. But then there are other proposals that are completely kosher. The domestic routing of an email if it travels within India is good as it will be difficult for the NSA to intercept then. From an internet design perspective, more fibre is good.</p>
<p style="text-align: justify; ">Data localisation though will result in balkanisation and might not yield desirable results. For instance, if you are watching a YouTube video, all the information about the user is stored by Google and all of that is stored outside the country. They might store some of this information as cache in a Google server temporarily. From a surveillance perspective, this user data called metadata is what the NSA might want. Even when it is collected in a local server, it might still be sent upstream.</p>
<p style="text-align: justify; ">What about the Indian government doing surveillance then?</p>
<p style="text-align: justify; ">There are different views on the surveillance capabilities of the Indian government. Some think that today the Indian government has the capability of engaging in mass surveillance. Others like me think that it can only do targeted surveillance and not mass surveillance. It does not have the infrastructure to pull that off and if it is doing targeted surveillance, it is mostly in compliance with the local laws.</p>
<p style="text-align: justify; ">Is the increasing use of social media by the government for its communication with citizens a concern?</p>
<p style="text-align: justify; ">If the government uses this private infrastructure to communicate with its citizens, there could be a variety of challenges and complications. First, all of these government communications must be mirrored on the government infrastructure as well. Otherwise, there is a concern around data retention. The government needs to have a copy in case a person goes to RTI for all the government communications to citizens. Secondly, the government is unwittingly becoming the salesperson for these global corporations.</p>
<p style="text-align: justify; ">Mark Zuckerberg has said that internet is a human right. Do you agree?</p>
<p style="text-align: justify; ">Internet is not a human right according to the UN. TV and Radio were never rights. All the basic human rights are to be protected irrespective of the communication medium of choice and will be legitimate even 100 years from now. The success of telecommunication and internet is market generated. If it becomes a human right, the companies are not delivering a service, but a human right and this complicates the issue. There will be new demands from citizens and litigations by citizens. If everybody demands 1GB every month, state does not have those resources.</p>
<p style="text-align: justify; ">India is a phone internet market. Indian internet is tied to Google now. Does the Android dominance — with a market share of around 90% — concern you?</p>
<p style="text-align: justify; ">It is hugely worrisome and yet another monopoly. It is not “free” software. From a privacy and national security perspective, it is a terrible development. Considering that it is based on Linux, there should have been several national and international competitors.</p>
<p style="text-align: justify; ">Has the era of heterogeneous internet with a million websites passed?</p>
<p style="text-align: justify; ">Internet is no longer decentralised; 80% of users’ time is now spent on a few products. And anywhere on internet, ad networks are tracking you. We ended up with the world’s biggest surveillance machine and surveillance is the business model of internet. It is very difficult to change this as we face the inertia of user behaviour.</p>
<p style="text-align: justify; ">What do you think of the government’s Digital India plan?</p>
<p style="text-align: justify; ">The government can use the billions from the Universal Service Obligation fund for broadband connectivity. The markets cannot handle back haul infrastructure and in most countries, some amount of state investment is necessary. Some of the open access details have to be worked out. The government seems to have a monopoly position in execution. We agree with the vision that every Indian should have a smartphone by 2019 and have a broadband connection too.</p>
<p style="text-align: justify; ">What are the regulations you want to see in place in India?</p>
<p style="text-align: justify; ">Internet users are currently overregulated with restrictions on what you can say. Let what is illegal offline be illegal online too. And government needs to think of enforceability.</p>
<p style="text-align: justify; ">The regulatory infrastructure for the government is limited. We want powerful companies to be regulated and follow global norms. The regulatory best practices are emerging from Europe in terms of competition, privacy, data protection, etc, and we need to follow them.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/financial-express-october-23-2014-j-anand-if-mncs-make-early-inroads-they-will-keep-market-share'>https://cis-india.org/internet-governance/news/financial-express-october-23-2014-j-anand-if-mncs-make-early-inroads-they-will-keep-market-share</a>
</p>
No publisher | praskrishna | Internet Governance | 2014-10-24T15:03:03Z | News Item
The Gujarat High Court Judgment on the Snoopgate Issue
https://cis-india.org/internet-governance/blog/gujarat-high-court-judgment-on-snoopgate-issue
<h3 style="text-align: justify; ">Pranlal N. Soni v. State of Gujarat, C/SCA/14389/2014</h3>
<p style="text-align: justify; ">In the year 2013 the media widely reported that a female civil services officer was regularly spied upon in 2009 due to her acquaintance with the then Chief Minister of Gujarat (and current Prime Minister of India) Mr. Narendra Modi. It was reported that the surveillance was being supervised by the current president of the BJP, Mr. Amit Shah, at the behest of Mr. Modi. The case took another twist when the officer and her father said that they had no problems with such surveillance, and had repeatedly conveyed to various statutory authorities including the National Commission for Women, the State Commission for Women, as also before the Hon’ble Supreme Court of India, that they never felt that their privacy was being interfered with by any of the actions of the State Authorities. In fact, para 3.5 of the petition indicated that it was at the behest of the father of the female officer that the State government had carried out the surveillance on his daughter as a security measure.</p>
<p style="text-align: justify; ">In spite of the repeated claims of the subject of surveillance and her father, the Gujarat Government passed a Notification under the Commissions of Inquiry Act, 1952 appointing a two-member Commission of Inquiry to enquire into this incident without jeopardizing the identity or interest of the female officer. This Notification was challenged in the Gujarat High Court by the very same female officer and her father on the ground that it violated their fundamental right to life and liberty. The petitioners claimed that they had to change their residential accommodation four times in the preceding few months due to the constant media glare. The print, electronic and social media, so-called social workers and other busybodies constantly intruded into the private life of the petitioners and their family members. The petitioners' email accounts were hacked and scores of indecent calls were received from all over. Under the guise of protecting the petitioners' privacy, every action undertaken by the so-called custodians for and on behalf of the petitioners resulted in a breach of privacy of the petitioners, making life impossible for them on a day-to-day basis.</p>
<p style="text-align: justify; ">After hearing the arguments of the petitioners, including arguments on technical points, the Court struck down the Notification issued by the State government to enquire into the issue of the alleged illegal surveillance. The Court also briefly touched upon the issue of violation of the privacy of the female officer in this whole episode. However, instead of enquiring into whether there was any breach of privacy in the facts of the case, the Court relied upon the statement made by the female officer that whatever surveillance was done did not cause any invasion into her privacy; rather, it was the unwelcome media glare that followed the revelations regarding the surveillance which had caused an invasion of her privacy.</p>
<p style="text-align: justify; ">Thus we see that even though the whole snoopgate episode started out as one of “alleged” unwarranted and illegal surveillance, this particular judgment is limited only to challenging the validity of the Inquiry Commission appointed by the State Government. In order to challenge the Notification in a PIL, the female officer had to show that some fundamental right of hers was violated, and in such circumstances privacy is the most obvious fundamental right which was violated.</p>
<p style="text-align: justify; ">Although this judgment talks about privacy, it does not have enough legal analysis of the right to privacy to have any significant ramifications for how privacy is interpreted in the Indian context. The only issue that could possibly be of some importance is that we could interpret the Court’s reliance on the statement of the female officer that there was no breach of privacy, rather than its own examination of facts, to mean that in cases of breach of privacy, if the person whose privacy has been breached did not feel his or her privacy to have been invaded, then the Courts would rely on the person’s statements rather than the facts. However, this is only an interpretation from the facts and it does not seem that the Court has spent any significant amount of time examining this issue; therefore it may not be prudent to consider this as establishing any legal principle.</p>
<p style="text-align: justify; "><b>Note</b>: The details of the case as well as the judgment can be found at <a href="http://gujarathc-casestatus.nic.in/gujarathc/tabhome.jsp">http://gujarathc-casestatus.nic.in/gujarathc/tabhome.jsp</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/gujarat-high-court-judgment-on-snoopgate-issue'>https://cis-india.org/internet-governance/blog/gujarat-high-court-judgment-on-snoopgate-issue</a>
</p>
No publisher | vipul | Internet Governance, Privacy | 2014-10-27T04:40:17Z | Blog Entry
Google move is not good for netizens, say experts
https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts
<b>Google's plan to merge data across 60 of its properties, which was announced last week, has drawn criticism from experts on the Internet, who are saying that this is detrimental to privacy. Balaji Narasimhan wrote this in the Hindu Business Line. The article was published on 31 January 2012.</b>
<p>"Google is doing what is good for shareholders. This is not positive for netizens," said Mr Sunil Abraham, Executive Director, Centre for Internet and Society. "People like you and me have to either accept it or leave."</p>
<p>But what are the alternatives? Mr Somick Goswami, Director Consulting, PwC India, didn't want to comment directly on Google, but in the larger context of data privacy, he asked, "Do users want a free Internet or control over content? There is a lot of advocacy going around it. End of the day, when using the Internet, there has to be trust."</p>
<p>One way that Google could build trust could be by using something pertaining to loyalty, which retailers use in the real world in order to woo customers.</p>
<p>Mr Ram Menon, Executive Vice-President and Chief Technology Officer of Tibco, said that many of his clients make offers that are in context with what users want.</p>
<p>"For example, if you like cappuccino and this knowledge is known to a vendor, he can offer you a cappuccino when you walk past the store." He said that in such cases, there was no affront to privacy because the offer is relevant and in context. "You are a member and have opted in," he said.</p>
<p>Perhaps, the fact that all of Google's services are free has something to do with the privacy issue, pointed out the Australian Privacy Foundation. As its site privacy.org.au noted, "The company's business model is based on advertising revenue. Users pay no fees for their use of the services."</p>
<p>And the merger of its 60 policies apart, there is another issue worrying users — new acquisitions. As Mr Abraham pointed out, "When I was browsing Silk Smitha before YouTube was acquired by Google, I had no idea that one day this information would be known to Google."</p>
<p>And the issue becomes more serious in the context of a growing mobile workforce. As the Australian Privacy Foundation said, "Android mobile phones effectively trap users into having a Google user account."</p>
<p>Using Google services on a mobile – especially Google Latitude, a service that allows you to enable your friends to view your current location – allows Google to track your movements.</p>
<p>And since Google is predominantly an advertising-driven company, it could be argued that one day they might share information about you with a third party, enabling them to market to you more effectively, though this may not necessarily be done with your explicit permission – and this means that you may get an offer for products even if you have not opted in for such a service.</p>
<p>What can be done? Mr Abraham rued the fact that there are no specific laws to safeguard users.</p>
<p>"India needs privacy laws. In the US, law makers will create a fuss. In India, we are at the mercy of companies."</p>
<p>The original was published in the <a class="external-link" href="http://www.thehindubusinessline.com/industry-and-economy/info-tech/article2848166.ece">Hindu Business Line</a>. Sunil Abraham is quoted in this article.</p>
<p>
For more details visit <a href='https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts'>https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2012-02-03T10:03:17Z | News Item
India needs an independent privacy law, says NGO Privacy India
https://cis-india.org/news/india-needs-an-independent-privacy-law-says-ngo-privacy-india
<b>India needs an independent privacy law though there are a number of provisions in existing legislations that protect a citizen's privacy, according to an NGO that is lobbying for the cause. The story was published in the Economic Times on 2 February 2012.
</b>
<p><br />Privacy India, a conglomerate of the Centre for Internet and Society (CIS) and the Society in Action Group (SAG), with support from Privacy International, conducted a study of the existing laws in India related to privacy over a period of one and a half years in various cities. </p>
<p>A report, which will be released soon, has documented their findings about privacy laws and issues in India, and a high-level conclave and a national symposium on privacy will be held in Delhi on February 3 and 4.<br /><br />Lawyer-activist Prashant Bhushan and NCPRI head Aruna Roy will take part in the discussions on privacy in transparency, e-governance initiatives, national security, banking and health issues.<br /><br />"India doesn't have a privacy law, but there are provisions for it in different laws. During the course of the research, we found that the Indian judiciary has not been very strict in overseeing the implementation of the privacy clauses in various laws," CIS member Prashant Iyengar said, while reporting some of the findings of the study.<br /><br />Stricter implementation of the existing laws could go a long way in curbing most privacy issues, Iyengar said.</p>
<p><a class="external-link" href="http://economictimes.indiatimes.com/news/news-by-industry/et-cetera/india-needs-an-independent-privacy-law-says-ngo-privacy-india/articleshow/11727558.cms">Published in the Economic Times on 2 February 2012</a>. Prashant Iyengar is quoted in this.</p>
<p>
For more details visit <a href='https://cis-india.org/news/india-needs-an-independent-privacy-law-says-ngo-privacy-india'>https://cis-india.org/news/india-needs-an-independent-privacy-law-says-ngo-privacy-india</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2012-02-03T11:46:22Z | News Item
Common man as crusader
https://cis-india.org/news/common-man-as-crusader
<b>Tamil Nadu saw its highest poll turnout in 44 years when 75% of its adults exercised their franchise in the 2011 assembly elections. There were 48 lakh Google searches for ‘Anna Hazare’ on June 8 2011 (when he began his fast) compared to a negligible number on any day in 2010. A 42-year-old man immolated himself in Kutch last year when he was told to bribe officials to access his own ancestral land records. </b>
<p><em>Shalini Singh's article was published in the Hindustan Times on 4 February 2012. </em></p>
<p>Record-breaking polling turnouts. Swelling debates on social networking sites. Simmering discontent with corruption in everyday life. Are these signs of India Churning?</p>
<p>“This computer literate generation that’s integrating village and city is leading a dynamic movement. The voter turnouts reflect this,” says Delhi-based sociologist Susan Visvanathan. “Across the country, people are wanting ‘to know’, which leads to action,” she adds.</p>
<table class="plain">
<tbody>
<tr>
<td>
<p>According to Nishant Shah, director of research at Centre for
Internet and Society in Bangalore, a social cause on networking sites
has never reached the levels that corruption did last year. “The
movement targeted at the middle-class for whom corruption is a big issue
was also the first middle-class movement in a long time.”</p>
<p>Citizens Resource and Action Initiative (Cranti) – a 2009 social
movement led by activist-dancer Mallika Sarabhai became a street play in
2010. It’s about reminding people about their rights. The movement
recently embarked on a voters’ awareness yatra in Gujarat. Director
Bharatsingh Zala says citizens are becoming aware about how the nexus
between politicians, bureaucrats and corporates is depriving them.
“People have lost patience and realised that unless they become
vigilant, entrenched and pervasive, corruption will not end.”</p>
<p> </p>
</td>
<td><img src="https://cis-india.org/home-images/ankush.jpg/image_preview" alt="ankush" class="image-inline image-inline" title="ankush" /></td>
</tr>
</tbody>
</table>
<p>Various socio-cultural battles are being fought in India according to sociologist Shiv Visvanathan. “The mindset of the middle-class is changing which was cynical of the political system. Corruption was earlier a civil society issue with the state and party being indifferent to it. Now, the issue has become big. But the scale of anti-corruption protest is one thing, to integrate it into one’s lifestyle/livelihood is another,” he says.</p>
<p align="center"><img src="https://cis-india.org/home-images/Anand.jpg/image_preview" alt="Anand" class="image-inline image-inline" title="Anand" /></p>
<p>India scored 3.1 on a scale of 0 to 10 (0=most corrupt, 10=most honest)
on the latest Corruption Perception Index released by global civil
society corruption watchdog Transparency International (TI). The score
was down from 3.3 in 2010 and 3.4 in 2009. India ranked 95 out of 183
countries, more corrupt than China (75) and better off than Pakistan
(134). The organisation has been working to get the Right to Service Act
passed, which is the right to get a service in X number of days. Ten
states have already enacted it. TI is also working on an Integrity Pact,
which is the commitment of public sector undertakings (PSU) to have
complaints looked into by external independent monitors. So far, 14 PSUs
have signed up. “There is a shift in attitudes now. People are voicing
their resentment with corruption, a reality they accepted earlier. Tools
such as the Right To Information have been effective,” says PS Bawa,
chairman of TI India.</p>
<p>There’s a long way to go. Gerson Da Cunha, convener-trustee of Agni, a 12-year-old movement for good governance in Mumbai, feels the anti-corruption movement is more a ripple than a churning right now. “We can’t see a cultural shift to a cleaner administrative life until the political system stops being the generator of unaccounted money,” he says.</p>
<table class="plain" align="center">
<tbody>
<tr>
<td><img src="https://cis-india.org/home-images/Dhawan.jpg/image_preview" alt="Dhawan" class="image-inline image-inline" title="Dhawan" /></td>
</tr>
</tbody>
</table>
<p><a class="external-link" href="http://www.hindustantimes.com/India-news/NewDelhi/Common-man-as-crusader/Article1-806887.aspx"><img src="https://cis-india.org/home-images/Shekhar.jpg/image_preview" alt="Dhawan" class="image-inline image-inline" title="Shekhar" /><br /></a></p>
<p><a class="external-link" href="http://www.hindustantimes.com/India-news/NewDelhi/Common-man-as-crusader/Article1-806887.aspx">Read the original published in the Hindustan Times</a>. Nishant Shah, Director-Research, Centre for Internet & Society was quoted by the newspaper.</p>
<p>
For more details visit <a href='https://cis-india.org/news/common-man-as-crusader'>https://cis-india.org/news/common-man-as-crusader</a>
</p>
No publisher, praskrishna, Internet Governance, 2012-02-06T04:13:37Z, News Item
Aadhaar Act and its Non-compliance with Data Protection Law in India
https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
<b>This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</b>
<p> </p>
<h4>Download the file: <a href="https://cis-india.org/internet-governance/blog/aadhaar-act-43a-it-rules" class="internal-link">PDF</a>.</h4>
<hr />
<p style="text-align: justify;">Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha<a name="_ftnref1"></a>. Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.</p>
<p style="text-align: justify;">In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("<strong>IT Act</strong>") and subsequent Rules, i.e. the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("<strong>IT Rules</strong>"). Section 43A of the IT Act, 2000<a name="_ftnref2"></a> holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.</p>
<p style="text-align: justify;">Rule 3 of the IT Rules lists the personal information that would amount to sensitive personal data or information of a person, and includes biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc., such as the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A,<a name="_ftnref3"></a> could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of the Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.</p>
<p style="text-align: justify;">In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.</p>
<h3>1. Compensation and Penalty</h3>
<p style="text-align: justify;"><strong>Section 43A:</strong> Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.</p>
<ul style="text-align: justify;">
<li>Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI. </li>
<li>Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository. </li>
<li>Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li></ul>
<p style="text-align: justify;">Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.</p>
<h3>2. Privacy Policy</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Though in practice the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.</p>
<p style="text-align: justify;"><strong>Implications:</strong> Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.</p>
<h3>3. Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act: </strong> The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).</p>
<p style="text-align: justify;"><strong>Implications:</strong> If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.</p>
<h3>4. Collection Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.</p>
<h3>5. Notice</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:</p>
<ul style="text-align: justify;">
<li>The fact that information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information</li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li></ul>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.</p>
<h3>6. Retention Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.</p>
<h3>7. Purpose Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:<a name="move447203643"></a></strong> Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.</p>
<h3>8. Right to Access and Correct</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.</p>
<h3>9. Right to 'Opt Out' and Withdraw Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Aadhaar Act does not provide an opt-out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit, the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.</p>
<h3>10. Grievance Officer</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify;"><strong>Aadhaar Act</strong>: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.</p>
<h3>11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.</p>
<h3>12. Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding transfer of personal data into another jurisdiction by any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.</p>
<h3>13. Security of Information</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant upgradation of its process and computer resource.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.</p>
<h3>Implications of the Differences for Body Corporates in Aadhaar Ecosystem</h3>
<p style="text-align: justify;">An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other. <a name="move446519928"></a></p>
<p style="text-align: justify;">Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies that collect, handle and share the personal information and are governed by the Aadhaar Act adhere to section 43A and the IT Rules 2011. However, applicability of the Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, the fact that two separate legislations govern the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid a lack of clarity in the applicability of data protection standards and would also address many privacy concerns associated with the scheme.</p>
<h3>Appendix I</h3>
<p style="text-align: justify;">The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:</p>
<p style="text-align: justify;"><strong>i. Opt-out clause:</strong> A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.</p>
<p style="text-align: justify;"><strong>ii. Voluntary:</strong> To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.</p>
<p style="text-align: justify;"><strong>iii.</strong> Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.</p>
<p style="text-align: justify;"><strong>iv.</strong> Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.</p>
<p style="text-align: justify;"><strong>v. Oversight Committee:</strong> The oversight committee, which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.</p>
<p><strong>Sources:</strong></p>
<ul>
<li> <a href="http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/"> http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/ </a> </li>
<li> <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"> http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/</a><br /><br /></li></ul>
<h3>Appendix II - Section 43A: Compensation for Failure to Protect Data</h3>
<p style="text-align: justify;">Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.</p>
<p style="text-align: justify;">For the purposes of this section:</p>
<ul>
<li>"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</li>
<li>"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;</li>
<li>"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.<br /><br /></li></ul>
<p style="text-align: justify;">The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals <em>engaged in commercial or professional activities</em>"</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india'>https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india</a>
</p>
No publisher, vanya, UID, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics, 2016-04-18T11:43:02Z, Blog Entry
Why is the UIDAI cracking down on individuals that hoard Aadhaar data?
https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data
<b>Private firms' offer to print Aadhaar details on plastic card a breach of law.</b>
<p style="text-align: justify; ">The article by Alnoor Peermohamed was published by <a class="external-link" href="http://www.business-standard.com/article/economy-policy/why-is-the-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data-116041200400_1.html">Business Standard </a>on April 13, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">The billion-strong citizen identification system, Aadhaar, has given rise to businesses keen on illegal harnessing of this private data, say the authorities.<br /><br /> Outfits are offering services to print the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Aadhaar" target="_blank"><span>Aadhaar </span></a>details on plastic cards, something the Union information technology ministry warned against on Monday. These entities charge anywhere between Rs 50 and Rs 600, and are listed on e-commerce websites, apart from having their own online presence.<br /><br /> Under the Aadhaar law, collecting and storing of the data by private companies without the user’s consent is a crime. Monday’s warning from the ministry to e-commerce marketplaces such as Amazon, Flipkart and eBay to disallow merchants from collecting and printing such details was a result of this.<br /><br /> This newspaper could not find any listings of Aadhaar printing services on Flipkart but there was one on Amazon (taken down) and no less than five such listings on eBay.<br /><br /> PrintMyAadhaar is one of the more well organised outfits operating in this space. “Get your E-Aadhaar printed on a PVC card for easier handling,” reads their website. Users are prompted to fill their Aadhaar details on the website, pay Rs 50 and have the card sent to their houses. 
PrintMyAadhaar even offers discounts for bulk orders.<br /><br /> “Collecting such information or unauthorised printing of an Aadhaar card or aiding such persons in any manner may amount to a criminal offence, punishable with imprisonment under the Indian Penal Code and also Chapter VI of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,” read the statement from the ministry.<br /><br /> Currently, Aadhaar stores a person’s name, date of birth, sex and address, apart from their biometric data.<br /><br /> While the biometric data isn’t available to these PDF printing shops, the rest of the information is, according to Srikanth Nadhamuni, chief executive officer of Khosla Labs and a former head of technology at the Unique Identification Authority of India. However, collecting this data poses no security risk to the Aadhaar infrastructure, he added.<br /><br /> “Allowing somebody to accumulate large amounts of data from Aadhaar users in general is not a good practice. We should ensure that the Aadhaar details of people remain private and it should only be up to the discretion of the end-user to share this,” said Nadhamuni.<br /><br /> Some security experts say Aadhaar does pose a security risk, as it makes available an individual's details in the public domain. Several institutions are treating Aadhaar just like any other proof of identity.<br /><br /> “Transactions that should have been conducted using biometric authentication are being conducted just by presentation of paper documents. What is happening most commonly is that people are giving a printout or photocopy of their Aadhaar acknowledgement as their proof of identity to get a SIM card. 
The risk here is that somebody can get a mobile number against your name,” said Sunil Abraham, executive director of the non-profit Centre for Internet and Society.<br /><br /> He says the other technical issue with Aadhaar is the lack of a smart card that stores a person’s information, as in a digital signature. Due to the lack of this, people don’t know what information to keep private and what to make public. Conventional security techniques would have had a person keeping their PIN private (as with a bank account). If this personal PIN had been saved on a smart card, users wouldn’t have had much to worry about.<br /><br /> “In the case of Aadhaar, the authentication factor and the identification factor are in the public domain, because many people might have your UID number and people release their biometric data everywhere. Due to this broken technological solution, we are now through policy putting band-aids, saying people should not disclose their UID number unnecessarily,” added Abraham.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data'>https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data</a>
</p>
No publisher, praskrishna, Aadhaar, Internet Governance, Privacy, 2016-04-17T16:16:26Z, News Item
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p> </p>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education was complete. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot was indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travels around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither makes the welfare delivery process free of techno-bureaucratic hurdles, nor exorcises corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having an Aadhaar number or having one with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin, but surely does not end, with the internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not by security agencies alone.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot but wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of any medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with no or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook owns and controls the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services does not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is a gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
No publisher | sumandro | UID, Data Systems, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-04-19T13:18:42Z | Blog Entry
Surveillance Technologies
https://cis-india.org/internet-governance/blog/privacy/surveillance-technologies
<b>The following post briefly looks at different surveillance technologies, and the growing use of them in India. </b>
<h3>Surveillance...</h3>
<p>New security technologies are constantly emerging that push the edge between privacy and a reasonable level of security. Society's tolerance level is constantly being tested by governments who use surveillance and monitoring technologies to protect the nation. Governments claim that they need absolute access to citizens' lives. They need to monitor phones, look through emails, peer into files – in order to maintain security and protect against terrorism. Though as a side note, in an Economic Times article published on Nov. 4, 2010 it was reported that government computers were being hacked into through viruses, and top secret documents were being stolen. The irony of the story is that the viruses were introduced to the computers through porn websites visited by officials.</p>
<h3>...In a Car? On the Street? In an Airport?</h3>
<p>Despite the fact that governmental monitoring might make the common man uncomfortable, the reality is that governments will always win the national security vs privacy fight. The story becomes more complicated when it moves from the government directly monitoring individuals, to security agencies monitoring individuals. For instance, the use of full body scanners at airports, or of trucks equipped with scatter x-ray machines to control crime in neighborhoods, is a much more heated debate. There are other ways in which to check passengers for banned items, and other ways to keep crime off the streets without mandating that individuals submit themselves to invasive scans, or scanning unaware individuals.</p>
<h3>...In the Movie Theater????..for Marketing Purposes????</h3>
<p>Surveillance technology has now been taken yet another step further. No longer is it being used just to prevent violent crimes or terrorist attacks. Today the movie industry is using controversial anti-piracy tools to protect the films they produce. For instance, the security company Aralia Systems manufactures products such as CCTV cameras and anti-camcorder systems that shine infrared light beams on audiences as they watch a movie. The light beams reflect off camcorders and alert the theater that there are camcorders present. Though this practice can be seen as invasive - individuals might be opposed to being probed by light beams throughout movies - the extent of potential privacy invasion does not stop there. Aralia Systems has partnered with Machine Vision Lab and has created a system that harvests audiences' emotions and movements as they watch movies. The data can then be used by market researchers to better tailor their behavioral advertising schemes. Essentially movie theater monitoring has merged surveillance technologies with behavioral marketing technologies in a twisted invasion of movie watchers' personal privacy.</p>
<h3>Is this technology in India?</h3>
<p>Though behavioral monitoring and piracy technologies such as the ones produced by Aralia Systems are not yet used in Indian movie theaters – security measures against piracy are used. Movie theaters across India are equipped with metal detectors at the door, and security personnel check your handbag or backpack for camcorders. According to an Indian Express article, the organization Allegiance Against Copyright Theft believes one of the reasons monitoring technology is not yet used in theaters is because there is no present Indian legislation that penalizes recording in halls. Once legislation is passed, they speculate there will be a push to use these technologies. Even though monitoring technology is not yet used in theaters, monitoring of consumers' behavior is increasing. Recently in India the WPP owned research agency IMRB International has developed an online audience measurement system that uses tailored metering technology to track the sites that users visit. The Web Audience Measurement System has launched this technology in a sample size of 21,000 Indian households, covering 90,000 individuals. IMRB has said that the meters are capable of capturing usage data from multiple computers, and that they can then use the information to market to the individual. Does it seem ironic to anyone that companies now charge for a service – movie tickets, internet services, telephone services – and make an extra profit by data mining at the expense of a person's privacy?</p>
<h3>Sources</h3>
<ul><li>http://economictimes.indiatimes.com/news/politics/nation/Govt-depts-asked-not-to-store-sensitive-info-on-Net-connected-computers/articleshow/6874631.cms</li><li>http://www.research-live.com/news/technology/imrb-unveils-web-measurement-service-for-indian-market/4003941.article</li><li>http://blogs.computerworld.com/17276/anti_piracy_tool_will_harvest_market_your_emotions?source=rss_blogs</li><li> http://www.indianexpress.com/news/antipiracy-unit-joins-hands-with-cinema-halls-to-curb-camcording/695439/2</li></ul>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-22T05:40:24Z | Blog Entry
Interview with Mr. Reijo Aarnio - Finnish Data Protection Ombudsman
https://cis-india.org/internet-governance/blog/interview-with-finnish-data-protection-ombudsman
<b>Maria Xynou recently interviewed Mr. Reijo Aarnio, the Finnish Data Protection Ombudsman, at the CIS' 5th Privacy Round Table. View this interview and gain an insight on recommendations for better data protection in India! </b>
<p>Mr. Reijo Aarnio - the Finnish Data Protection Ombudsman - was interviewed on the following questions:</p>
<p>1. What activities and functions does the Finnish data commissioner's office undertake?</p>
<p>2. What powers does the Finnish Data commissioner's office have? In your opinion, are these sufficient? Which powers have been most useful? If there is a lack, what would you feel is needed?</p>
<p>3. How is the office of the Finnish data protection commissioner funded?</p>
<p>4. What is the organizational structure at the Office of the Finnish Data Protection Commissioner and the responsibilities of the key executives?</p>
<p>5. If India creates a Privacy Commissioner, what structure/framework would you suggest for the office?</p>
<p>6. What challenges has your office faced?</p>
<p>7. What is the most common type of privacy violation that your office is faced with?</p>
<p>8. Does your office differ from other EU data protection commissioner offices?</p>
<p>9. How do you think data should be regulated in India?</p>
<p>10. Do you support the idea of co-regulation or self-regulation?</p>
<p>11. How can India protect its citizens' data when it is stored in foreign servers?</p>
<p><iframe frameborder="0" height="250" src="http://www.youtube.com/embed/zJzWD4LWLhY" width="250"></iframe></p>
No publisher | maria | Internet Governance, Privacy | 2013-07-19T13:02:14Z | Blog Entry
Parsing the Cyber Security Policy
https://cis-india.org/internet-governance/blog/the-hoot-july-13-2013-chinmayi-arun-parsing-the-cyber-security-policy
<b>An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble, says Chinmayi Arun.</b>
<hr />
<p style="text-align: justify; ">Chinmayi Arun's article was published in <a class="external-link" href="http://www.thehoot.org/web/Parsing-the-cyber-security-policy/6899-1-1-19-true.html">the Hoot</a> on July 13, 2013 and later cross-posted in the <a class="external-link" href="http://thefsiindia.wordpress.com/2013/07/13/indias-national-cyber-security-policy-preliminary-comments/">Free Speech Initiative</a> the same day.</p>
<hr />
<p style="text-align: justify; ">We often forget how vulnerable the World Wide Web leaves us. If walls of code prevent us from entering each other’s systems and networks, there are those who can easily pick their way past them or disable essential digital platforms. We are reminded of this by the doings of <a href="http://www.thedailybeast.com/articles/2013/04/17/anonymous-next-move.html" target="_blank">Anonymous</a>, which carried out a series of <a href="http://www.pcmag.com/article2/0,2817,2404554,00.asp" target="_blank">attacks</a>, including on the website run by Computer Emergency Response Team India (CERT-In), which is the government agency in charge of cyber-security. Even more serious are cyber-attacks (arguably cyber warfare) carried out by other states, using digital weapons such as <a href="http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/" target="_blank">Stuxnet</a>, the digital worm. More proximate and personal are perhaps the <a href="http://articles.timesofindia.indiatimes.com/2013-06-22/internet/40133370_1_phishing-attacks-kaspersky-lab-unsuspecting-user" target="_blank">phishing attacks</a>, which are on the rise.</p>
<div style="text-align: justify; ">We therefore run a great risk if we leave <a href="http://abcnews.go.com/US/story?id=95993&page=1" target="_blank">air-traffic control</a>, <a href="http://www.bbc.co.uk/news/world-us-canada-22692778" target="_blank">defense resources</a> or databases containing several <a href="http://www.nytimes.com/2013/05/10/us/hackers-access-personal-data-in-washington-state.html" target="_blank">citizens’ personal data</a> vulnerable. There is no doubt that efforts towards better cyber-security are needed. A cyber-security policy is meant to address this need, and to help manage threats to individuals, businesses and government agencies. We need to carefully examine the government’s efforts to handle cyber-security, how effective they are and whether its actions have too many negative spillovers.</div>
<div style="text-align: justify; "><span><span><span><br /></span></span></span></div>
<div style="text-align: justify; "></div>
<p style="text-align: justify; ">The National Cyber-Security Policy, unveiled last week, is merely a statement of intention in broad terms. Much of its real impact will be ascertainable only after the language to be used in the law is available. Nevertheless, the scope of the policy <a href="http://www.rediff.com/news/report/national-cyber-security-policy-fails-on-many-fronts/20130703.htm" target="_blank">remains ambiguous</a> so far, leading to <a href="http://groundreport.com/privacy-ignored-by-the-cyber-security-policy-of-india/" target="_blank">much speculation</a> about the different ways in which it might be intrusive.</p>
<div style="text-align: justify; "><br />
<div style="text-align: justify; "><span><i><span>One Size Fits All?</span></i></span></div>
<div style="text-align: justify; "><span><span>The policy covers very different kinds of entities: government agencies, private companies or businesses, non-governmental entities and individual users. These entities may need to be handled differently depending on their nature. Therefore, while direct state action may be most appropriate to secure government agencies’ networks, it may be less appropriate in the context of purely private business. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; ">For example, securing police records would involve the government directly purchasing or developing sufficiently secure technology. However, different private businesses and non-governmental entities may be left to manage their own security. Depending on the size of each entity, each may be differently placed to acquire sophisticated security systems. A good policy would encourage innovation by those with the capacity to do this, while ensuring that others have access to reasonably sound technology, and that they use it. Grey areas might emerge in contexts where a private party manages critical infrastructure.</div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>It will also be important to distinguish between smaller and larger organisations whilst creating obligations. Unless this distinction is made at the implementation stage, start-up businesses and civil society organisations may find requirements such as earmarking a budget for cyber security implementation or appointing a Chief Information Security Officer onerous. Additionally, the policy will need to translate into a regulatory solution that provides under-resourced entities with ready solutions to enable them to make their information systems secure, while encouraging larger entities with greater purchasing power to invest in procuring the best possible solutions. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><i><span>Race to the Top</span></i></span></div>
<div style="text-align: justify; ">Security on the Internet works only if it stays one step ahead of the people trying to break in. An effective cyber-security policy must keep up with the rapid evolution of technology, and must never become obsolete. The standard-setting and review bodies will therefore need to be very nimble.</div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>The policy contemplates working with industry and supporting academic research and development to achieve this. However the actual manner in which resources are distributed and progress is monitored may make the crucial difference between a waste of public funds and acquisition of capacity to achieve a reasonable degree of cyber security.</span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>Additionally the flow of public funds under this policy, particularly to purchase technology, should be examined very carefully to see whether it is justified. For example, if the government chooses to fund (even by way of subsidy) a private company’s cyber-security research and development rather than an equivalent public university’s endeavour, this decision should be scrutinized to see whether it was necessary. Similarly, if extensive public funds are spent training young people as a capacity-building exercise, we should watch to see how many of these people stay in India and how many leave such that other countries end up benefiting from the Indian government’s investment in them!</span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><i><span>Investigation of Security Threats</span></i></span></div>
<div style="text-align: justify; "><span><span>Although much of the policy focuses on defensive measures that can be taken against security breaches, it is intended not only to cover investigation subsequent to an attack but also to pinpoint ‘potential cyber threats’ so that proactive measures may be taken. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>The policy has outlined the need for a ‘Cyber Crisis Management Plan’ to handle incidents that impact ‘critical national processes or endanger public safety and security of the nation’. This portion of the policy will need to be watched closely to ensure that the language used is very narrow and allows absolutely no scope for misinterpretation or misuse that would affect citizens’ rights in any manner. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>This caution will be necessary both in view of the manner in which restraints on freedom of speech permitted in the interests of public safety have been flagrantly abused, and because of the </span><span>kind of paternalistic </span></span><span><a href="https://www.eff.org/deeplinks/2009/04/cybersecurity-act" target="_blank"><span>state intrusion</span></a><span><span> that might be conceived to give effect to this.</span></span></span></div>
<div style="text-align: justify; "><span><span><span><br /></span></span></span></div>
<div style="text-align: justify; "><span><span>Additionally, since the policy also mentions information sharing with internal and international security, defence, law enforcement and other such agencies, it will also be important to find out the exact nature of information to be shared.</span></span> Of course, how the policy will be put into place will only become clear as the terms governing its various parts emerge. But one hopes the necessary internal direct action to ensure the government agencies’ information networks are secure is already well underway.</div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>It is also to be hoped that the government chooses to take implementation of privacy rights at least as seriously as cyber-security. If some parts of cyber security involve ensuring that user data is protected, the decision about what data needs protection will be important to this exercise. </span></span></div>
<div style="text-align: justify; "><span><span><br /></span></span></div>
<div style="text-align: justify; "><span><span>Additionally, although the policy discusses various enabling and standard-setting measures, it does not discuss the punitive consequences of failure to take reasonable steps to safeguard individuals’ personal data online. These consequences will also presumably form a part of the privacy policy, and should be put in place as early as possible.</span></span></div>
</div>
No publisher | chinmayi | Cyber Security, Internet Governance, Privacy | 2013-07-22T06:37:56Z | Blog Entry
You Have the Right to Remain Silent
https://cis-india.org/internet-governance/blog/down-to-earth-july-17-2013-nishant-shah-you-have-the-right-to-remain-silent
<b>Reflecting upon the state of freedom of speech and expression in India, in the wake of the shut-down of the political satire website narendramodiplans.com.</b>
<hr />
<p style="text-align: justify; ">Nishant Shah's <a class="external-link" href="http://www.downtoearth.org.in/content/you-have-right-remain-silent">column was published in Down to Earth</a> on July 17, 2013.</p>
<hr />
<p style="text-align: justify; ">It took less than a day for narendramodiplans.com, a political satire website that had more than 60,000 hits in the 20 hours of its existence, to be taken down. A simple webpage that showed a smiling picture of Narendra Modi, the touted candidate for India’s next Prime Ministerial campaign, flashing his now trademark ‘V’ for <span><s>Vengeance</s> </span> Victory sign. At the first glimpse it looked like another smart media campaign by the net-savvy minister who has already made use of the social web quite effectively, to connect with his constituencies and influence the younger voting population in the country. Below the image of Mr. Modi was a text that said, "For a detailed explanation of how Mr. Narendra Modi plans to run the nation if elected to the house as a Prime Minister and also for his view/perspective on 2002 riots please click the link below." The button, reminiscent of 'sale' signs on shops that offer permanent discounts, promised to reveal, for once and for all, the puppy plight of Mr. Modi's politics and his plans for the country that he seeks to lead.</p>
<p style="text-align: justify; ">However, when one tried to click on the button, hoping, at least, for a manifesto that combined the powers of Machiavelli with the sinister beauty of Kafka, it proved to be an impossible task. The button wiggled, and jiggled, and slithered all over the page, running away from the mouse following it. Referencing the layers of evasive answers and the engineered Public Relations campaigns that try to obfuscate the history to some of the most pointed questions that have been posited to the Modi government through judicial and public forums, the button never stayed still enough to actually reveal the promised answers. People who are familiar with the history of such political satire and protest online would immediately recognise that this wasn’t the most original of ideas. In fact, it was borrowed from another website - <a href="http://www.thepmlnvision.com/" title="http://www.thepmlnvision.com/">http://www.thepmlnvision.com/</a> - that levelled similar accusations of lack of transparency and accountability on the part of Nawaz Sharif of Pakistan. Another instance, which is now also shut down, had a similar deployment where the webpage claimed to give a comprehensive view into Rahul Gandhi’s achievements, to question his proclaimed intentions of being the next prime-minister. In short, this is an internet meme, where a simple web page and a bit of JavaScript allowed for a critical commentary on the future of the next elections and the strengthening battle between #feku and #pappu that has already taken epic proportions on Twitter.</p>
<p style="text-align: justify; ">The early demise of these two websites (please do note, when you click on the links that the Nawaz Sharif website is still working) warns us of the tightening noose around freedom of speech and expression that politicos are responsible for in India. It has been a dreary last couple of years already, with the passing of the <a href="http://www.downtoearth.org.in/content/cis-india.org/internet-governance/intermediary-liability-in-india" target="_blank">Intermediaries Liabilities Rules</a> as an amendment to the IT Act of India, <a href="http://www.indianexpress.com/news/spy-in-the-web/888509/1" target="_blank">Dr. Sibal proposing to pre-censor the social web</a> in a quest to save the face of erring political figures,<a href="http://www.indianexpress.com/news/two-girls-arrested-for-facebook-post-questioning-bal-thackeray-shutdown-of-mumbai-get-bail/1033177/" target="_blank"> teenagers being arrested for voicing political dissent</a>, and <a href="http://en.wikipedia.org/wiki/Aseem_Trivedi" target="_blank">artists being prosecuted</a> for exercising their rights to question the state of governance in our country. Despite battles to keep the web an open space that embodies the democratic potentials and the constitutional rights of freedom of speech and expression in the country, it has been a losing fight to keep up with the ad hoc and dictatorial mandates that seem to govern the web.</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/Namo.png" alt="Narendra Modi Plans" class="image-inline" title="Narendra Modi Plans" /></th>
</tr>
<tr>
<td>Above is a screenshot from the narendramodiplans.com website</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">We have no indication of why this latest piece of satirical expression, which should be granted immunity as a work of art, if not as an individual’s right to free speech, was suddenly taken down. The website now has a message that says, “I quit. In a country with freedom of speech, I assumed that I was allowed to make decent satire on any politician more particularly if it is constructive. Clearly, I was wrong.” The web is already abuzz with conspiracy theories, each sounding scarier than the other because they seem so plausible and possible in a country that has easily sacrificed our right to free speech and expression at the altar of political egos. And whether you subscribe to any of the theories or not, whether your sympathies lie with the BJP or with the UPA, whether or not you approve of the political directions that the country seems to be headed in, there is no doubt that you should be as agitated as I am, about the fact that we are in a fast-car to blanket censorship, and we are going there in style.</p>
<p style="text-align: justify; ">What happens online is not just about this one website or the one person or the one political party – it is a reflection on the rising surveillance and bully state that presumes that making voices (and sometimes people) invisible, is enough to resolve the problems that they create. And what happens on the web is soon going to also affect the ways in which we live our everyday lives. So the next time, you call some friends over for dinner, and then sit arguing about the state of politics in the country, make sure your windows are all shut, you are wearing tin-foil hats and if possible, direct all conversations to the task of finally <a href="http://bollywoodjournalist.com/2013/07/08/desperately-seeking-mamta-kulkarni/" target="_blank">finding Mamta Kulkarni</a>. Because anything else that you say might either be censored or land you in a soup, and the only recourse you might have would be a website that shows the glorious political figures of the country, with a sign that says “To defend your right to free speech and expression, please click here”. And you know that you are never going to be able to click on that sign. Ever.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/down-to-earth-july-17-2013-nishant-shah-you-have-the-right-to-remain-silent'>https://cis-india.org/internet-governance/blog/down-to-earth-july-17-2013-nishant-shah-you-have-the-right-to-remain-silent</a>
</p>
No publisher
nishant
Freedom of Speech and Expression, Social Media, Internet Governance, Intermediary Liability
2013-07-22T06:59:53Z
Blog Entry
Snooping technology: Will CMS work in India?
https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology
<b>The Indian government plans to spend $132 million on setting up its brand new Central Monitoring System this year.</b>
<hr />
<p style="text-align: justify; ">Pierre Fitter's article was <a class="external-link" href="http://www.firstpost.com/india/snooping-technology-will-cms-work-in-india-962545.html">published in FirstPost on July 17, 2013</a>. Pranesh Prakash is quoted.</p>
<hr />
<p style="text-align: justify; ">Several articles have raised valid questions about privacy violations, including <a href="http://www.firstpost.com/india/indias-central-monitoring-system-security-cant-come-at-cost-of-privacy-944475.html" target="_blank">this one by Danish Raza</a>. Elsewhere, <a href="http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in-india/" rel="nofollow" target="_blank">Pranesh Prakash has raised important points</a> about how CMS may actually violate several laws and at least one Supreme Court verdict.</p>
<p style="text-align: justify; ">I ask a much more basic question: will CMS work? Can it really help security agencies eavesdrop on criminals and terrorists, despite several known technical hurdles?</p>
<table class="invisible">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/Daniel.png" title="Daniel" height="250" width="332" alt="Daniel" class="image-inline" /></th>
<td>
<p><b>Encryption</b></p>
<p style="text-align: justify; ">In 2008, a prominent Brazilian banker and investor named Daniel Dantas was arrested and charged with money laundering and tax evasion along with a former mayor of Sao Paulo. For five months, the Brazilian National Institute of Criminology tried to read the contents of his hard drive but failed to crack it. Dantas had encrypted his data using a free program called <a href="https://en.wikipedia.org/wiki/TrueCrypt" rel="nofollow" target="_blank">TrueCrypt</a>. The <a href="http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/" rel="nofollow" target="_blank">INC sent the hard drive to the FBI in the US</a>, which spent a whole year trying to crack it; it too failed. Dantas’s use of encryption likely helped him escape the money laundering and tax evasion charges. He was ultimately <a href="http://news.bbc.co.uk/2/hi/americas/7761823.stm" rel="nofollow" target="_blank">convicted of attempting to bribe a police officer</a>.</p>
</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">This story illustrates a fundamental loophole at the heart of CMS. A criminal, using free and easy-to-use software, can protect his data from even the most advanced surveillance tools available in law enforcement. NSA whistleblower Edward Snowden himself used encrypted email to communicate with journalists at the <i>Guardian</i>. In an <a href="http://discussion.guardian.co.uk/comment-permalink/24384968" rel="nofollow" target="_blank">online chat where he took questions from the public</a>, Snowden noted that encryption was “one of the few things that you can rely on” to protect you from the <a href="http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/" rel="nofollow" target="_blank">eavesdropping behemoth created by the NSA</a>.</p>
<p style="text-align: justify; ">It should hardly be surprising then, that terror groups have been encrypting their emails and data for at least the last five years. In fact <a href="http://intelwire.egoplex.com/2008_02_02_exclusives.html" rel="nofollow" target="_blank">Al Qaeda developed its own encryption software called ‘Mujahideen Secrets’</a>, to encrypt emails, chat sessions and files. Version two of Mujahideen Secrets even included a tool to delete files securely so that they could not be recovered using special software if the computer was captured. Al Qaeda’s links to several terror groups operating in India have been widely reported in the past. It is not inconceivable that they have shared their encryption software with their comrades-in-arms.</p>
<p style="text-align: justify; ">Over the years it has become easier to encrypt one’s communication. <a href="https://www.youtube.com/watch?v=MKehyXaY2XM" rel="nofollow" target="_blank">YouTube tutorials</a> train even novice users to set up email encryption within minutes. <a href="https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en" rel="nofollow" target="_blank">Phone calls</a>, <a href="https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en" rel="nofollow" target="_blank">text messages</a> and <a href="http://www.cypherpunks.ca/otr/" rel="nofollow" target="_blank">online chats</a> can also be encrypted with free, easy-to-install apps.</p>
<p style="text-align: justify; ">The biggest problem with encryption is that it is virtually impossible to break the code in a time frame that’s useful for law-enforcement purposes. Without getting too technical, modern encryption relies on the difficulty of calculating the prime factors of very, very large integers. In 2009, a group of some of the world’s best-known mathematicians and cryptographers reported that <a href="http://security.stackexchange.com/questions/4518/how-to-estimate-the-time-needed-to-crack-rsa-encryption" rel="nofollow" target="_blank">it took them four years to factor a 768-bit integer</a>. They estimated <a href="https://www.digicert.com/TimeTravel/math.htm" rel="nofollow" target="_blank">it would take 1,000 times longer to factorise a 1024-bit integer</a>. GPG, which is the most widely-used email encryption software, allows users up to 4096-bit encryption. Unless you have the password to the encrypted files, it would take you a very long time to crack the encryption.</p>
<p style="text-align: justify; ">Here’s an example to help you understand why encryption makes CMS redundant. Let’s say the system intercepts an encrypted email sent by a LeT handler in Karachi to a sleeper cell in Mumbai. The email contains instructions to detonate a bomb in a specific market at a specific time four days from now. Even if India’s intelligence agencies managed to link up every computer they had available to process the encryption, they would still not be able to crack it in time to learn the details and stop the attack.</p>
<p style="text-align: justify; "><b>What about ‘Metadata’?</b></p>
<p style="text-align: justify; ">It should be noted that encryption only protects the body of the email. The metadata, including the sender’s and receiver’s email addresses, remains unencrypted; otherwise the service provider would be unable to send the email to its destination. Law enforcement agencies often partner with email providers to track down the exact computer on which tell-tale emails were read.</p>
<p style="text-align: justify; ">However, this method of tracing criminals has a limitation. Programs such as <a href="https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29" rel="nofollow" target="_blank">TOR</a> and <a href="https://en.wikipedia.org/wiki/Hotspot_Shield" rel="nofollow" target="_blank">Hotspot Shield</a> disguise the IP address of a user’s PC. For example, when I use TOR, Facebook will often ask me to confirm my identity as it sees me as logging in from an unfamiliar location. TOR has thousands of servers around the world through which it bounces your data before sending it to its destination.</p>
<p style="text-align: justify; ">There is another limitation to using metadata. Due to obvious legal hurdles, CMS will only be deployed to capture communication within India. If terrorists were planning an attack from elsewhere in India’s neighbourhood (as happened with 26/11), we would have to rely on that country’s intelligence services for an alert. Good luck with that!</p>
<p style="text-align: justify; ">To make untraceable phone calls, terrorists have been known to use <a href="https://en.wikipedia.org/wiki/Burner_phone#Privacy_rights_and_prepaid_mobile_phones" rel="nofollow" target="_blank">“burner” phones</a>. These are pre-paid phones that are easily available in the US and other countries that do not require an ID for such mobile connections. They can be topped up using cash, which makes their prolonged use even more untraceable.</p>
<p style="text-align: justify; ">Even if CMS allowed spooks to listen to these calls, it would not be able to tell who was talking to whom. From details that emerged following the Abbottabad operation that killed Osama bin Laden, we also know that terrorists have been trained to <a href="http://www.foxnews.com/tech/2011/05/03/bin-laden-grid-govt-help-expert-says/" rel="nofollow" target="_blank">turn off their phones and remove the battery</a> to prevent being tracked even while not on a call.</p>
<p style="text-align: justify; "><b>So what is CMS good for?</b></p>
<p style="text-align: justify; ">If terrorist communications can easily be hidden from CMS, you have to wonder why the government is going through all the effort and expense to set up such a system. What good can come of the mass hoovering of ordinary citizens’ data?</p>
<p style="text-align: justify; ">Imagine if CMS intercepted a ‘BBM chat’ between two businessmen, who were discussing a contract that could affect the business interests of a government MP.</p>
<p style="text-align: justify; ">Imagine the government getting access to emails exchanged between a journalist and a source in the IAS who wants to expose a major corruption scandal involving a cabinet minister.</p>
<p style="text-align: justify; ">Imagine if the government had access to phone calls between two opposition politicians discussing election strategies.</p>
<p style="text-align: justify; ">What if CMS tracks a PhD candidate who is researching Naxal terror and has downloaded Naxal pamphlets? What if this researcher has been able to establish contact with Naxals for an interview? Can the government use such data to charge him with participating in a Naxal conspiracy, even if his only intention was to research their motivations? In a country where chief ministers label their critics as “Naxals” for merely raising questions, are we certain we want such unmitigated power in the government’s hands?</p>
<p style="text-align: justify; ">These are all questions well worth asking, especially since the ostensible reason for setting up the CMS—monitoring terrorists and criminals—is a fool’s errand at best.</p>
<p>
For more details visit <a href='https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology'>https://cis-india.org/news/firstpost-pierre-fitter-july-17-2013-snooping-technology</a>
</p>
No publisher
praskrishna
Internet Governance, Privacy
2013-07-22T07:19:02Z
News Item