Centre for Internet and Society

Fake News, Rumors & Online Content Regulation

praskrishna — 2017-02-28T02:46:13Z

Medianama and Mint organized #NAMApolicy open house on 'Fake News, Rumors & Online Content Regulation' on February 22, 2017 at the India Habitat Centre. Japreet Grewal and Amber Sinha attended the event.

The discussions broadly covered the impact of Fake News on democratic processes, Legal status of online content regulation in India & administrative challenges with Fake News, Responsibility and accountability of online platforms, while addressing challenges of identification of sources of Fake News, Potential legal and non-legal ways of addressing Fake News, etc.

Agenda

06:30 to 07:00 pm - Registration
07:00 to 07:10 pm - Introductory note
07:10 to 09:00 pm - Round-table discussion moderated by Nikhil Pahwa
09:00 pm onwards - Networking dinner

For more details visit https://cis-india.org/internet-governance/news/fake-news-rumors-online-content-regulation

Essentials of building internet tools for inclusion

praskrishna — 2017-03-14T14:38:23Z

A talk jointly proposed by Chinmayi SK and Rohini Lakshané was selected for the Internet Freedom Festival held at Valencia, Spain from March 6 to 10, 2017. The talk held on March 6, 2017 was jointly organized by Random Hacks of Kindness, The Bachchao Project, and the Centre for Internet and Society.

For the full schedule of Internet Freedom Festival, click here. A manual titled Building Tech for Diversity and Inclusion 101 jointly authored by Chinmayi S.K., Rohini Lakshané and Willow Brugh was released during the event.

For more details visit https://cis-india.org/internet-governance/events/essentials-of-building-internet-tools-for-inclusion

AI for Social Good

praskrishna — 2017-03-15T01:22:42Z

AI in Asia event was organised by the Digital Asia Hub on March 6 and 7, 2017 in Tokyo, Japan. The event partners were Waseda University, the Ministry of Internal Affairs and Communications, NICT, NTT and the Japan Society of Information and Communication Research. Udbhav Tiwari attended the event.

Udbhav Tiwari presented a small (2 minute) lighting talk on the Autonomous Weapons Design section as a part of the 'Interactive Exercise on Next Steps for the Academic Community session', with the IEEE Ethically Aligned Design document as a guiding note. Read the executive summary here. See the workshop agenda here.

For more details visit https://cis-india.org/internet-governance/news/ai-for-social-good

Nasscom chief saying full data protection isn’t possible should wake us from our digital slumber

praskrishna — 2017-03-17T01:47:25Z

Considering India is rapidly moving towards a digital economy, the hurdles not withstanding, data and identity security are topics which have to be taken very seriously. Since the demonetisation, a large part of the population who would never bother with digital transactions has suddenly come online. But there is no such thing as complete security of personal data, according to Nasscom chief R Chandrashekhar.

This was published by First Post on March 16, 2017. Pranesh Prakash was quoted.

Attending the World Consumer Rights Day, R Chandrashekhar said that personal data of online consumers cannot be completely secure and stressed on the need to have strict enforcement of consumer protection laws. Speaking to PTI, Chandrashekhar said, “More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT.”

It’s high time we call a spade, a spade

R Chandrashekhar, President Nasscom. Image: PIB

Coming from the head of Nasscom, this announcement pertaining to security is very important. According to Chandrashekhar one cannot expect complete cyber security, but there are definitely ways in which such attacks and incidents can be minimised. He very rightly said that that protecting the online consumer data, specially looking at how rapidly e-commerce is growing in the country, is of prime importance.

One cannot help but agree with Chandrashekhar, specially considering the fact India does not have a privacy law ecosystem that is present in countries such as the US and the UK, where online consumer protection is taken very seriously. Germany and other EU nations have always been at the forefront, when it comes to protecting data privacy, and it has ensured that consumer-facing technology companies do not run roughshod when it comes to protecting user data.

Chandrashekhar stated that there was no need for separate regulations for e-commerce sites, but the priority was ensuring means to enforce consumer laws in the digital world.

Lack of dedicated privacy laws

According to cyberlaw and cybersecurity expert, Pavan Duggal, “Going forward, there is an urgent need for India to take a strong view on privacy in terms of legislative frameworks. Unfortunately, at the time of writing, India does not have a dedicated law on privacy.”

Image: Foamy Media

Social media websites for instance have a lot of user data. But what happens when they suddenly change their privacy policies? For instance, a lot of users signed on to WhatsApp when it was an independent company. But post the Facebook acquisition, there have been a lot of instances where WhatsApp has updated its terms and conditions to suit its parent Facebook.

That’s not completely illegal one may say. Loss of privacy is a price you pay for free services. But what if, I as a consumer of WhatsApp do not want the app to share any of my data with Facebook? The only option I am left with is to delete WhatsApp. But then again, I do not know if my data is also deleted from WhatsApp servers or it has already been shared. Social media apps, only let you know what updates are being added. Consent is only required to update the app. You can stall that, up to a point. But there will come a time when you will have to update an app. Then by default you have given approval to all the terms and conditions associated with the app.

Two students had challenged WhatsApp’s revision to its privacy policy before Delhi High Court. The Court dismissed the petition insisting that users could opt out by deleting their accounts.

When a similar challenge was mounted before the authorities in UK, Facebook had to put a pause on their data sharing – and this was because of its strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.

Aadhaar – the 12-digit biometric storehouse

Aadhaar card is being used for many financial and non financial transactions. Also the Aadhaar number associated with an individual also holds a lot of personal and biometric data. So when recently, there was news about a possible Aadhaar data breach when UIDAI filed a police complaint against Axis Bank, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, it was naturally a shock to many.

Unlike a password which can be changed, with biometric information there is no scope to do that if it is compromised. Although UIDAI claims that there are multiple levels of security and firewalls to ensure there is no breach of Aadhaar information of an individual, one can only hope that it is robust enough to withstand any attack. Collection of biometric data by the government to form a database, for instance, was debated and ultimately not used in the UK.

Pranesh Prakash, policy director of the Centre for Internet and Society, expressed concern about the pace at which we are progressing when it comes to having a legal and regulatory framework when it comes to the Digital India push. “While the security architecture of Aadhaar Enabled Payment Systems (AEPS) might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password,” said Prakash.

Enforcing the correct processes

Last year, a malware affected the systems of Hitachi Payment Services, which provides back end services to ATM machines and Point of Sale nodes across India. As a result of this, around 32 lakh debit cards were compromised including those issued by SBI, HDFC, Yes Bank, Axis, BOB and ICICI. Security experts and consultants have pointed out various holes in the electronic transaction systems in place in India. Intel has also warned that ATM machines in India are vulnerable to malicious attacks. Intel points out that countries in the Asia Pacific region are developing and are particularly vulnerable because of old systems and machines being used.

Image: REUTERS/Amit Dave

According to Mahesh Patel, president and group CTO, AGS Transact Technologies this was more of a governance issue of the data centre than any technical error. “It is not about the software, but it is about the processes and procedures you put in place to ensure that the system is secure. Everything from physical security to computing security to admin management, etc should be process driven. So somewhere there could have been a weak link there. Cloud has to be secure and encrypted which suffices the use case of payments. This cloud is different from the ones used by e-commerce sites to display all their products,” said Patel.

We may have the best of software and security measures, but ensuring that they are implemented the right way is equally important. Plugging the loopholes in current regulations is also important.

Existing laws and regulations, not enough

According to Duggal, “The Information Technology Act, 2000 hardly has effective provisions to protect any data and personal privacy in the digital ecosystem. The Indian Government needs to come up with strong privacy law which can protect both personal privacy and data privacy in an effective manner.”

One may find it really shocking to hear the head of Nasscom saying something to the extent that full data protection for online consumers is not possible, but there is definitely truth to the matter. It will require concerted efforts from not only regulators, governments, digital wallet players and banking industry to come up with these privacy laws, but also you the consumer has to ensure that you are aware of the dangers lurking in the digital world. Educating oneself of the various ways in which your data can be compromised is a good way to protect your online self.

Because, let’s face it, for all practical purposes if you are online, your privacy is dead.

For more details visit https://cis-india.org/internet-governance/news/first-post-march-16-nimish-sawant-nasscom-chief-saying-full-data-protection-isnt-possible-should-wake-us-from-our-digital-slumber

Benefits, Harms, Rights and Regulation: A Survey of Literature on Big Data

Amber Sinha, Vanya Rakesh, Vidushi Marda and Geethanjali Jujjavarapu — 2017-03-23T02:17:56Z

This survey draws upon a range of literature including news articles, academic articles, and presentations and seeks to disaggregate the potential benefits and harms of big data, organising them into several broad categories that reflect the existing scholarly literature. The survey also recognises the non-technical big data regulatory options which are in place as well as those which have been proposed by various governments, civil society groups and academics.

The survey was edited by Sunil Abraham, Elonnai Hickok and Leilah Elmokadem

Introduction

In 2011, it was estimated that the quantity of data produced globally surpassed 1.8 zettabyte.By 2013 it had increased to 4 zettabytes. With the nascent development of the so-called ‘Internet of Things’ gathering pace, these trends are likely to continue. This expansion in the volume, velocity, and variety of data available, together with the development of innovative forms of statistical analytics, is generally referred to as “Big Data”; though there is no single agreed upon definition of the term. Although still in its initial stages, big data promises to provide new insights and solutions across a wide range of sectors, many of which would have been unimaginable even a decade ago.

Despite enormous optimism about the scope and variety of big data’s potential applications, many remain concerned about its widespread adoption, with some scholars suggesting it could generate as many harms as benefits. Most notably are the concerns about the inevitable threats to privacy associated with the generation, collection and use of large quantities of data. Concerns have also been raised regarding, for example, the lack of transparency around the design of algorithms used to process the data, over-reliance on big data analytics as opposed to traditional forms of analysis and the creation of new digital divides. The existing literature on big data is vast. However, many of the benefits and harms identified by researchers tend to focus on sector specific applications of Big Data analytics, such as predictive policing, or targeted marketing. Whilst these examples can be useful in demonstrating the diversity of big data’s possible applications, they do not offer a holistic perspective of the broader impacts of Big Data.

Click to read the full survey here

For more details visit https://cis-india.org/internet-governance/blog/benefits-harms-rights-and-regulation-survey-of-literature-on-big-data

State of Digital Rights in India (Delhi, March 24)

Japreet Grewal and Sumandro Chattapadhyay — 2017-03-27T13:21:20Z

The Centre for Communication Governance at National Law University, Delhi and the Internet Freedom Foundation, in association with Access Now, are hosting a discussion on The State of Digital Rights in India on March 24, 2017 (Friday) from 6.00 pm onwards at Lecture Room-I, India International Centre- Annexe, New Delhi. Japreet Grewal and Sumandro Chattapadhyay will participate in the panel discussions.

Registration: Eventbrite

March 24, 2017 marks the two year anniversary of the landmark Shreya Singhal judgment. This was a very significant ruling on freedom of speech and expression and occupies an important place in the Supreme Court’s discourse on civil liberties. The judgment traces out the contours of free speech on the Internet in India and unequivocally holds that the right to freedom of expression provided under Article 19(1)(a) applies to speech over the Internet, making it clear that this is a medium-neutral right.

The event aims to shed some light on this key judgment and discuss ongoing discussions regarding our civil liberties and freedoms online before courts and the Parliament. We would also like to take this opportunity to discuss some of the other pressing issues like Network Neutrality, Internet shutdowns, Privacy and User Security which need immediate attention and engagement of our democratic institutions. We hope to formulate effective strategies which will further shape the legal and policy framework in India, and facilitate better collaborative efforts between stakeholders.

We hope to bring together everyone who contributed to the judgment, and those who do work connected with it, so that we may build on it to seek a better legal framework to protect online speech and to discuss the threats surrounding digital rights and how best build on the foundations of the judgment.

We would be grateful if you could take out some time on Friday evening (6PM) and be a part of this important discussion. The discussion will be followed by dinner and an Open Bar for an Open Internet, which will start from 9.00 pm at the Annexe Court in the India International Centre - Annexe. In case you are unable to attend the seminar, please do join us for dinner!

Featuring:

A keynote address on our online freedoms and policymaking, by Shri Tathagata Satpathy (Member of Parliament, Lok Sabha)
A legal panel analysing the legacy of the Shreya Singhal v. Union of India judgment
Beyond Shreya Singhal: A conversation with women on the future of our digital rights
Briefings on the state of digital rights in our courts and in Parliament
A conversation on the path ahead for our civil liberties and digital rights community

For more details visit https://cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24

Why We Should All Worry About The Mandatory Imposition Of Aadhaar

praskrishna — 2017-03-27T15:02:10Z

It appears that with each passing day, the government is linking an increasing number of benefits and government services to the 12-digit biometric-based Aadhaar number for Indians, despite growing concerns around its data privacy and security.

The article by Rimin Dutt and Ivan Mehta was published by Huffington Post on March 24, 2017. Sunil Abraham was quoted.

Aadhaar, which collects among other information, citizens' iris scans and fingerprints and stores them into a centralised database for a prolonged time with only loose guidelines and no pre-existing laws to ensure the privacy of that data, is now linked to no less than 38 government schemes, including the government's latest directive –- that Aadhaar become mandatory for tax filing and securing PAN numbers -- introduced by Finance Minister Arun Jaitley earlier this week.

Jaitley openly admitted on Wednesday in the Parliament that the government, in effect, would be forcing people to get Aadhaar in an effort to increase tax compliance.

Aadhaar's use, by no means, is restricted to government agencies alone. A growing number of private financial institutions are now fulfilling their "Know Your Customer" or e-KYC formalities by making Aadhaar compulsory. The government is also in the process of making Aadhaar the basis of all financial transactions.

While the timing of the government's aggressive push of Aadhaar, in itself, is raising eyebrows among political observers, there are some serious concerns about this unique experiment that deserve stronger scrutiny.

Why disregard the Supreme Court?

In making Aadhaar mandatory for filing taxes and securing core taxpayer identity, the government has openly gone against a Supreme Court order from last year that explicitly stated that the Aadhaar Card scheme is "purely voluntary" and cannot be made mandatory until the court has decided on this.

The government has defended its move, saying it is allowed to do so under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.

However, as Gopal Krishna, a member of the Citizens Forum for Civil Liberties, writes in Business Today, the passage of the Act by the Parliament "does not automatically imply that any agency can make UID/Aadhaar compulsory disregarding the Supreme Court's orders."

According to Krishna, in doing so, the government is "clearly stepping beyond" the mandate of the Aadhaar Act, and also acting in contempt of the Parliament, according to him.

In addition, if tax evasion was the driving factor behind the move, it begs the question — wouldn't forcing people to get Aadhaar actually do the opposite by adding another layer of hassle?

Indeed, tax experts have noted how this requirement may hinder tax collection. Archit Gupta, Founder & CEO ClearTax.com, a tax service provider told HuffPost India, "The [Aadhaar] announcement is likely to be a dampener to tax filers, specially first-timers ... FY 2016-17 filing is expected to see a large number of first-time filers due to demonetisation efforts, and this move may make them more guarded."

Why not strengthen PAN?

The government already has an extensive mandate for the Permanent Account Number (PAN) cards, which are required to validate several important services or for undertaking transactions such as buying and selling property or jewellery worth over ₹2 lakhs. Last year, the government, in fact, said that the National Pension System (NPS) scheme would accept PAN cards over Aadhaar cards to validate new customers.

On Wednesday, however, Jaitley said PAN cards have been misused by certain people to evade taxes, and there are reports that Aadhaar may become the ultimate authenticating document. However, the continued and growing use of PAN along with Aadhaar adds an extra layer of formalities for citizens to access government services, which are their constitutionally guaranteed rights.

How safe is Aadhaar anyway?

Depending on who you talk to, the safety concerns of Aadhaar come up as a pressing issue, especially in the wake of a recent security incident when the Unique Identification Authority of India initiated police action against entities associated with Axis Bank including Suvidhaa Infoserve and e-sign provider eMudhra, which had allegedly engaged in unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.

Earlier this month, in a separate incident, security researcher Srinivas Kodali warned Indian authorities of a website that was leaking Aadhaar demographic data of over five lakh minors, as well as the existence several parallel databases that had key identification data linked to Aadhaar, Scroll reported.

In the absence of any privacy laws in India, these security concerns have assumed even greater significance.

UIDAI, the authority behind Aadhaar, has maintained the technology behind Aadhaar is robust and that it uses advanced encryption to transmit and store data. It specifically denied that any breach of centralised data took place in the Axis Bank incident, saying the case was an isolated incident.

However, in a rather ironic twist in the Aadhaar Act, which itself contains no provisions to address privacy concerns, any legal action against any misuse or theft of Aadhaar data can only be initiated by UIDAI, leaving citizens with no legal recourse should a breach occur.

That represents an obvious conflict of interest as it gives exclusive power to the very authority that is responsible for the security and confidentiality of identity information and authentication records, PRS Legislative Research, has noted.

In addition, the controversial Aadhaar Act contains several other inherent dangers such as the potential to profile citizens based on the linking of other databases with Aadhaar by studying patterns of behaviour.

"Techniques such as running computer programmes across datasets for pattern recognition can be used for various purposes such as detecting potential illegal activities...However, these can also lead to harassment of innocent individuals who get identified incorrectly as potential threats," noted PRS Legislative.

There are currently no safeguards to prevent inappropriate profiling, instances of which could increase as more and more private organisations link their data to Aadhaar, and potentially exploit data for commercial purposes without the consent of citizens.

The US, in comparison, has laws in place that require agencies that collects data to submit an annual report to US Congress on all such data mining activities.

Other unresolved concerns

There are several other concerns related to the widespread use of Aadhaar card and the power it is afforded under the Aadhar act. The act allows UIDAI to collect biometric information beyond iris and fingerprint scans, for example, to include other bio-data such as DNA, noted PRS.

The act also allows private agencies to use Aadhaar, which contradicts an earlier stated objective of the scheme that sought to restrict the use of Aadhaar for only government expenditures.

"It allows private persons to use Aadhaar as a proof of identity for any purpose. This provision will enable private entities such as, airline, telecom, insurance, real estate etc. companies, to require Aadhaar as a proof of identity for availing their services," PRS has noted.

There's also the worrying prospect of Aadhaar being used as a surveillance tool by the government, instead of an e-governance technology, Sunil Abraham, executive director of research organisation, Centre for Internet and Society, told the The Hindu Business Line, adding biometrics only make citizens transparent to the state and not the state transparent to citizens.

"We warned the government six years ago, but they ignored us," said Abraham.

Krishna has a more dire warning: "The JAM Trinity -- Jan Dhan Yojana, Aadhaar and mobile numbers -- may well be a fish bait to trap unsuspecting citizens into the world's biggest transnational biometric database to turn them into subjects under surveillance forever in the name of a set of welfare and anti-poverty policies.

What has been done to address the security concerns?

It is unclear what the government or UIDAI may have done in the wake of the security incident to upgrade its systems. According to an expert HuffPost Post India talked to, many third party apps that are using Aadhar data may not be screened or audited for security, which is a huge worry.

Kodali told HuffPost India that Aadhaar has potential design issues when it comes to information security.

"By design it allows anyone store information of the Aadhaar holder through [application programming interface]. This is creating many parallel databases with Aadhaar as a key," he said.

He notes that security is an afterthought for many institutions and companies.

"UIDAI and the architects of Aadhaar do not accept that data can be a liability instead of an asset," he said. "The mandatory nature of Aadhaar without the right infrastructure and skilled workforce is not just a cyber security issue, but a national security issue."

When will India get privacy laws?

No one quite knows. But there's a growing call for a need for strict privacy laws, given the move towards digital financial transactions and growing e-commerce use. Most advanced economies including the US, the UK, France, Australia and New Zealand have enacted privacy laws.

However, in India, the right to privacy still doesn't exist despite it being recognised by even the UN charter of human rights. Article 12 of the Universal Declaration of Human Rights states, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The potential for cyber criminals to misuse citizen data isn't lost on even prominent IT industry experts.

Recently, the chief of IT industry body Nasscom R Chandrashekhar told PTI that personal data of online consumers can never be fully secure, emphasising the need for strict consumer protection laws. "More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT," he said.

To be sure, Aadhaar has been lauded by several prominent experts and economists, and it is, undoubtedly, an ambitious project to potentially aid financial inclusion for a large population that has historically been outside of a formal financial services net. India also has one of the lowest tax compliance rates, making tax collection a priority for the government.

Recently, Paul Romer, World Bank's chief economist told Bloomberg, "The system in India is the most sophisticated that I've seen ... It's the basis for all kinds of connections that involve things like financial transactions. It could be good for the world if this became widely adopted."

But given the sensitivity of citizen biometrics data and potential for misuse, the government ought to be held accountable for its proper use and ensure enough safeguards are put in place before its imposition on each citizen.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-rimin-dutt-ivan-mehta-march-24-2017-why-we-should-all-worry-about-the-mandatory-imposition-of-aadhaar

Round Table on Privacy and Data Protection at NIPFP

praskrishna — 2017-03-27T16:02:59Z

National Institute of Public Finance & Policy organized a round-table on privacy and data protection on March 24, 2017 in New Delhi.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/round-table-on-privacy-and-data-protection-at-nipfp

Other Than Women: Exploring Harassment and Difference Online

praskrishna — 2017-03-27T16:11:30Z

A satellite session at RightsCon in Brussels is being organized by the Tactical Technology Collective on March 28, 2017. Rohini Lakshané is a speaker at this event.

Tactical Tech is interested in the problem of online harassment as a barrier to political participation in quantified societies, and in terms of the harm it causes those targeted. We have been working to customise tactics of resistance and support to communities/individuals who are working online and are exposed to, or are at risk of, harassment.

This Satellite Session at Rightscon is fashioned as an intervention into ongoing advocacy, research, and practical support efforts, and seeks to interrogate a wide range of possible framings of (as well as responses to) online harassment.

For more info, click here

For more details visit https://cis-india.org/internet-governance/news/other-than-women-exploring-harassment-and-difference-online

The Fintech Disruption - Innovation, Regulation, and Transformation

praskrishna — 2017-03-29T02:10:49Z

Sumandro Chattapadhyay attended an event organized by Carnegie India on March 28, 2017. The aim of the initiative was that inclusive and sustainable regulations require constant interaction between policy makers and industry.

Select senior level policymakers, leaders from the banking industry and dynamic start-up founders and innovators gathered for the meet-up. The intention is to follow up on the discussions and debates from the round-table and come out with a detailed report on Fintech Regulations based on the research and conversations with start-ups and other valuable stakeholders.

See the conference agenda

For more details visit https://cis-india.org/internet-governance/news/the-fintech-disruption-innovation-regulation-and-transformation

Net Neutrality Resources

praskrishna — 2017-04-22T09:11:21Z

Submissions by the Centre for Internet and Society to TRAI and DoT, 2015-2017.

Submission for TRAI Consultation on Regulatory Framework for Over-the-Top Services (June 29, 2015)
Submission to TRAI Consultation on Differential Pricing (January 7, 2016)
Counter Comments to TRAI on Differential Pricing (January 14, 2016)
TRAI Consultation on Differential Pricing for Data Services: Post-Open House Discussion Submission (January 25, 2016)
Submission to TRAI Consultation on Free Data (June 30, 2016)
Submission to TRAI Consultation on Proliferation of Broadband through Public WiFi Networks (August 28, 2016)
Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (December 12, 2016)
Submission to TRAI Consultation on Net Neutrality (April 18, 2017)

For more details visit https://cis-india.org/internet-governance/resources/net-neutrality-resources

Google Hangout on Technology and Jobs

praskrishna — 2017-03-29T10:38:42Z

Vanya Rakesh was a speaker at a Google hangout discussion held on Friday, March 24th, 2017 on "Technology and Jobs" as part of a project that ICRIER is doing with World Bank headquarters and several institutions across the world, titled “Jobs for Development”.

Video

For more details visit https://cis-india.org/internet-governance/news/google-hangout-on-technology-and-jobs

Internet Freedom Festival 2017

praskrishna — 2017-03-29T11:24:38Z

The Global Unconference of the Internet Freedom Communities took place at Valencia in Spain from March 6 to 10, 2017. The event was organized by the IFF. Vidushi Marda on behalf of CIS took part in the event.

Vidushi as part of her work with Working Group 1 (WG1) of the Freedom Online Coalition (FOC), organised a workshop along with Mallory Knodel from APC. This workshop was titled "Practical implementations of human rights respecting cybersecurity policy". Participants in the workshop were divided into groups to evaluate the recommendations developed by WG1 in light of existing cyber security policies from around the world. The recommendations can be found here and the accompanying narrative document can be found here.

The session ended up being productive - we received feedback from participants about the effectiveness of the recommendations, and also about aspects of these recommendations that needed revisiting/more work. A more detailed account of the session can be found at the Wiki page.

Vidushi also attended the following sessions:

Data Protection Law and its Different Manifestations
Using the Ranking Digital Rights Corporate Accountability Index for Advocacy & Research
The identity we can't change: a new wave of biometric policies around the world
Enabling free speech online by legal defence: the need for skilled lawyers to secure the free flow of information online: Vidushi channeled a discussion about Shreya Singhal v. Union of India as an important case study in understanding how legal defence has been used to secure rights online. She specifically spoke about the distinction made in the judgment b/w communications on the internet vs. communications elsewhere.

For more info see here.

For more details visit https://cis-india.org/internet-governance/news/internet-freedom-festival-2017

WISER Lecture : Sumandro Chattapadhyay on Deregulation by Code

praskrishna — 2017-03-29T11:48:08Z

University of the Witwatersrand organized a talk by Sumandro Chattapadhyay on Derugulation by Code on March 8, 2017 in Johannesburg.

On November 08, 2017, the Government of India initiated a demonetisation process. It involved cancellation of Rs. 500 and Rs. 1,000 currency notes as legal tender, establishing of a time bound process for the notes to be returned to the banks, announcement of specific emergency services (such as hospitals and utilities) for which the canceled notes could still be used, and introduction of a new Rs. 2,000 note. While the purpose of the demonetisation move was publicly articulated in terms of removal of unaccounted wealth held in cash form, the state narrative quickly moved to being primarily focused on promotion of various forms of digital payments, especially mobile-based payments. The notion of a "WhatsApp moment" in Indian banking in particular, and in Asian banking in general, has been in circulation since 2015. Nandan Nilekani, a significant technocrat politician of India who has been CEO of Infosys (a major Indian IT company) and the Chairman of the UID/Aadhaar project, was one of the first persons to take note of this upcoming "revolution". In a lecture given by him on August 21, 2015, he described the technological and market forces, enabled by policy decision, that are going to disrupt the Indian banking landscape.

Sumandro's lecture discussed the linkages between this WhatsApp moment and the demonetisation move, and locate them in the context of institutional and technological changes happening in the Indian banking sector since 2008. The talk focused on the development and proliferation of the Unified Payments Interface - an universal, private-owned, government-backed, mobile-to-mobile payment infrastructure - as the key instrument through which the ongoing deregulation of banking in India is being driven.

For more details visit https://cis-india.org/internet-governance/news/wiser-lecture-sumandro-chattapadhyay-on-deregulation-by-code

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it