Centre for Internet and Society

4th National Standards Conclave Evolving a Comprehensive National Strategy for Standards Sectoral and Regional Inclusiveness

praskrishna — 2017-05-20T08:06:15Z

Udbhav Tiwari represented CIS in the 4th National Standards Conclave held on the May 1 and 2, 2017 at The Lalit, New Delhi. The event was organized by the Ministry of Commerce and Industry and the Confederation of Indian Industry.

The event looked at creating a National Standards Strategy to focus on India's standardisation efforts in the global stage. The event also focused on the release on the National Standards Portal, a website that creats a one stop access of standards, technical regulations and TBT information. There were a few sessions that were useful in particular - the IT Standardisation, the Standards Portal and the theme paper for National Standards Strategy.

Download the Agenda

For more details visit https://cis-india.org/internet-governance/news/4th-national-standards-conclave-evolving-a-comprehensive-national-strategy-for-standards-sectoral-and-regional-inclusiveness

4 Popular Myths about UID

Prashant Iyengar — 2012-06-20T04:37:08Z

By now, there is already a lot of material in the public domain that is critical about the UID/Aadhar project, writes Prashant Iyengar in this blog entry published in Privacy India on January 22, 2011.

(See aadhararticles.blogspot.com for an exhaustive catalogue). Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme. Much of this material has criticized the UID for the ‘big brotherly’ techno-surveillance regime that it threatens to unleash, usually under the guise of delivering assured benefits to the marginal peasant. Many commentators have questioned the haste with which a project of this scale and complexity has sought to be pushed through. Some have expressed doubts on the feasibility – financial, technical or logistical – of the scheme.

I do not intend to rehearse these arguments in this post. Instead, I pick four somewhat obscure, but troublesome assertions made about the UID and test their veracity against documents available on the UIDIA site itself. The purpose is to cut through all the equivocation behind the claims that UID officials have been making, and arrive at some minimal clarity on what the UID is (and isn’t).

Registration is voluntary!

How does one make sense of Nandan Nilenkani’s cryptic remark, “I wouldn’t call it compulsory. I would rather say that it will become ubiquitous”?

In a sense, this is true enough. Nowhere in the entire bulk of UID documentation will you encounter the express words “mandatory” or “compulsory”. Hence, proved! But that isn’t to say, however, that there is any way you will be able to avoid getting registered.

Very rapidly, accessing basic services and your very status as a citizen will be conditional on your possessing an Aadhar number. This is owing to the complex operational structure that the UID Scheme adopts which leaves the task of enrollment entirely in the hands of third party ‘Registrars’ who include a host of Central and State social security and welfare departments (including the Ministry of Rural Development which administers the Rural employment guarantee scheme), banks and insurance companies. There is nothing in the Aadhar Scheme that forbids these Registrars from making access to their services conditional on one’s consent to UID registration. In practice, many of them have and will continue to make UID registration a preliminary formality before access is granted to their services. So your ‘freedom’ to resist UID registration will depend on your ability to forego your minimum guarantee of the right to employment, cooking gas, banking and insurance services, food rations etc.

And if miraculously you are able to subsist without these services, there is still one minor detail that is seldom mentioned in conversations about UID: without a UID number, you will not be counted as a citizen of India. This is owing to the fact that the Registrar General of India, the authority responsible for compiling the National Population Register of India under the Citizenship Act, also happens to be a ‘Registrar’ for the purposes of the UID. Which means that one’s registration in the NPR will entail automatic enrollment in the UID. The Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules, 2003 makes it mandatory for everyone to be enrolled in the National Population Register. So, paradoxically, although the Aadhar number does not confer citizenship, one cannot be a citizen anymore without owning an Aadhar number.

In other words, the UID scheme avoids the charge of being compulsory, by outsourcing its compulsion entirely.

The UID Scheme will only collect a minimal set of information

A frequently made assertion about the UID scheme is that the data collected will be limited to a standard set of information like one’s name, residence, date of birth, photo, all 10 finger prints and iris image. Once again, this is only a half truth. As mentioned previously, the entire process of enrollment is carried out through Registrars who have absolute freedom to expand the categories of information collected to include data that is entirely orthogonal to the purposes of the UID. This freedom is typically guaranteed by a clause in the MOUs which the UIDAI has signed with Registrars enabling them to collect additional data that “is required for their business or service”. Thus, for instance, in Himachal Pradesh, citizens are asked to provide additional details such as information about their ration cards, PAN cards, LPG connection and bank accounts[i]

To employ a telling epithet found in one of the UID documents, the ‘Registrars own the process of enrollment’.

Privacy is guaranteed

Although the UIDAI makes repeated assertions regarding its intent to respect privacy and ensure data protection, the precise mechanism through which these objectives will be secured is extremely unclear.

To begin with, the entire responsibility for devising schemes for safeguarding information during the collection phase rests entirely on the Registrars. The UIDAI’s own responsibility for privacy begins only from the moment the information is transmitted to it by the Registrars – by which time the information has already passed through many hands including the Enrolling Agency, and the Intermediary who passes on information from the Registrar to the UIDAI.
Rather than setting out an explicit redressal mechanism and a liability regime for privacy violations, the UID’s documents stop at loosely describing the responsibility of the Registrars as a ‘fiduciary duty’ towards the resident/citizen’s information. The Registrars are tasked with maintaining records of the data collected for a minimum period of six months. No maximum period is specified and Registrars are free to make what use of the data they see fit.
In addition, the Registrars are mandated to keep copies of all documents collected from the Resident either in physical or scanned copies “till the UIDAI finalizes its document storage agency.”[ii]
The ‘Data Protection and Security Guidelines’ which the UIDAI requires all Registrars to observe merely contains pious injunctions calling on them to observe care at all stages of data collection and to develop appropriate internal policies. There is mention of the desirability of external audits and periodic reporting mechanisms, but the details of these schemes are left to the individual Registrar to draw up.
Although the Draft National Identification Authority of India Bill penalizes the intentional disclosure or dissemination of identity information collected in the course of enrollment or authentication, this does not guard against accidental leaks and does not mandate the service providers to positively employ heightened security procedures. Prosecution of offences under the Act can only proceed with the sanction of the UID Authority, which further burdens the task of criminal enforcement in these cases and would make it difficult for individuals to obtain redress quickly. The total absence of a provision for civil remedies against Registrars makes it unlikely that they will take the task of protecting privacy seriously.
In other words, the individual’s right to privacy is only as strong as the weakest link in the elaborate chain of information collection, processing and storage.

The UIDAI will not disclose any information and will only authenticate information with Yes/No answers

This is another of the frequently misleading claims made by the UID Authority. Thus, for instance, in April, 2010, in response to a question in the course of an interview, Nandan Nilekani said “UID itself has very limited fields, it has only four or five fields — name, address, date of birth, sex and all that. But it also does not supply this data to anybody. .. the only authentication you can get from our system is a yes or no. So, you can’t query and say what’s this guys name or what’s his date of birth, you can’t get all that.”[iii]

This statement is, however belied by many of the UIDAI’s own documents.

The draft NIA Bill, for instance, permits the Authority to issue regulations on the sharing of “the information of aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct”. In practice, prior “written consent” for sharing is obtained from the resident as a matter of course at the time of enrollment itself, and it is impossible to obtain an Aadhar number without consenting to sharing by the UID Authority.[iv] In practice, in India, a large number of forms will be filled in by assistants and the written consent box will be ticked as a matter of course without the resident understanding the full implications of her “consent”.
The draft NIA Bill permits the authority to “make any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge”. There is nothing in the Act that requires that this information be made available on an individual basis – in other words, it is possible for the data to be shared en-masse with any agency “in the interests of national security”.
There is nothing preventing “Registrars” who carry out the actual data collection functions from sharing this information with anyone they choose. Thus, for instance, the Aadhar information collected during the exercise of compiling the National Population Register will can be shared in whichever manner the Registrar General of India chooses – irrespective of what the UIDAI does with that information.

So, while ordinarily, the UIDAI would not authenticate information other than giving Yes/No responses, there are mechanisms already in place that presume that all this information will be made available, on demand, to whichever agency that happens to be interested.

[i] 2011. UID project picks up pace. Indian Express. Available at: http://www.indianexpress.com/story-print/735790 [Accessed January 22, 2011].
[ii] UIDAI – Document Storage Guidelines for Registrars Ver. 1.2, August 2010.
[iii] 2010. To issue first set of UIDs by Feb 2011: Nilekani – CNBC-TV18 -. Money Control. Available at: http://www.moneycontrol.com/news/business/to-issue-first-setuids-by-feb-2011-nilekani_449820-4.html [Accessed January 22, 2011].
[iv] For instance, a flowchart of the Resident Enrollment Process issued by the UID stipulates “Record Resident’s consent for Information Sharing” as the tenth step in the enrollment process. Unless this step is followed, the enrollment process cannot proceed!

Click to read the original here

For more details visit https://cis-india.org/internet-governance/popular-myths-about-uid

2nd India Think Tank Forum

praskrishna — 2017-07-07T01:16:00Z

Udbhav Tiwari participated in a panel titled "The New Cold War: Information and Cyber Wars" at the Second India Think Tank Forum organized by ORF, the Think Tank Programme at UPenn and the McKinsey Institute between 19 to 21 June 2017 at Claridges in New Delhi.

Agenda

June 19, 2017
18.00 – 18.30 – Registration
18.30 – 18.40 – Welcome Remarks
18.45 – 20.00 – Big Politics: OBOR, India, and the Liberal International Order

This panel will explore the emerging trends in geo-politics and the implications thereof on the liberal international order. It will explore the rise of China, in particular the ambitious Belt & Road Initiative and in its strategic and economic impact on Asia. It will discuss the role of the U.S. and Europe in what is now referred to as the Asian century. Lastly, it will discuss India’s role as a liberal actor in a rapidly changing global order.

Chair: Sanjaya Baru, Distinguished Fellow, USI
Speakers:
Indrani Bagchi, Diplomatic Editor, Times of India
Lt. Gen. Aditya Singh, Senior Fellow, Delhi Policy Group
Nitin Pai, co-Founder, Takshashila Institute
Seshdari Vasan, Chennai Centre for China Studies, Chennai

20.00 – 20.30 – Three Years of the Modi Government: Looking Back, Looking Ahead

In Conversation: Smt. Smriti Irani, Union Cabinet Minister for Textiles, Govt. of India.

20.30 - Dinner

For more details visit https://cis-india.org/internet-governance/news/2nd-india-think-tank-forum

10 tactics for turning information into action

radha — 2011-04-05T04:19:46Z

Tactical Technology Collective (TTC) with The Centre for Internet and Society (CIS) and the Alternative Law Forum, is happy to announce the Bangalore launch of TTC's newest toolkit - '10 tactics for turning information into action'.

‘10 tactics’ explores the use of technology and social media platforms such as Google Earth, Twitter and Facebook on human rights advocacy in the developing world. The film presents ten strategies for turning information into action and is aimed at global human rights advocates, as well as campaigners of all kinds.

The launch will be in the form of a screening organised by Tactical Technology Collective- India, CIS and ALF. After the screening, there will be an open discussion on the use of social media for advocacy.

This documentary is very important and timely viewing for all and most relevant to advocates working in the grassroots, campaigners, information actvists...

This event is open to all. Admission is free. Attendees will receive a copy of the toolkit in its offline form.

For more information about the film and the event log in to: http://www.informationactivism.org/, or call 080 4153 1129.

For more details visit https://cis-india.org/events/10-tactics-for-turning-information-into-action

(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information

Amber Sinha and Srinivas Kodali — 2019-03-13T00:29:01Z

Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.

Read the updated report: Download (pdf)

Read the first statement of clarification (May 16, 2017): Download (pdf)

Read the second statement of clarification (November 05, 2018): Link to page (html)

We are grateful to Yesha Paul and VG Shreeram for research support.

In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.

For more details visit https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1

(re) conference

Admin — 2019-05-02T02:01:48Z

From 10 to 12 April 2019, Aayush Rathi participated in a "reconference" a global conference designed to provoke conversations around the new possibilities and opportunities for feminist movements. It was held in Kathmandu, and was organised by CREA, a feminist human rights organisation based in New Delhi.

At the (re)conference, Aayush Rathi spoke on a panel as a part of the technology track curated by Point of View. The research Ambika Tandon and Aayush have undertaken on reproductive health and its datafication in India, as a part of the BD4D project, was selected to be presented on the panel. The presentation can be found here. The agenda and theme of the (re) conference can be found here.

For more details visit https://cis-india.org/internet-governance/news/crea-reconference

'Why should we talk to Dunzo?' State regulators fume at liquor delivery

Admin — 2018-09-19T14:04:35Z

In 2016, the Chandigarh police ordered thirty bottles of liquor on getTalli, an online liquor ordering platform.

The blog post by Aroon Deep was published in Medianama on September 7, 2018

“We do not sell liquor. On your request, we procure liquor from a government authorized vendor on your behalf and deliver it to you,” getTalli explained on its website, according to a Hindustan Times report. The police weren’t exactly interested in consuming that liquor. The order was a trap. They arrested both Pratham Gupta and Anurag Awasthi, who founded the site. The two were charged with criminal conspiracy, fraud, and a state law prohibiting “unlawful import, export, transport, manufacture, possession, etc”. The site was shut down.

Excise is a state subject, so each state has varying levels of strictness in regulating services like Dunzo, which allow users to buy alcohol (among several other things) through them. Karnataka is among the stricter jurisdictions. Dunzo stopped delivering alcohol in the state when regulators made noise about online alcohol delivery not being a recognized mode of sale. “Why should we talk to [Dunzo]?” Rajendra Prasad, an excise official in Bangalore told MediaNama. Dunzo doesn’t seem to have government relations managers, so the company has chosen simply to shut down alcohol delivery rather than engage with regulators. Alcohol deliveries previously accounted for around one in thirty orders for Dunzo in Bangalore, an employee told The News Minute.

Alcohol delivery and the law

On the face of it, alcohol delivery — at least the kind used by Dunzo — doesn’t seem to be cause for regulatory concern. Third party delivery services can’t have their own inventory, so they must simply buy liquor from authorized retailers and deliver them to customers. This doesn’t seem to have any downsides, since the delivery is separately charged and taxed; and the tax on the alcohol is also paid. But regulators have continued to cry foul.

Aayush Rathi, a policy officer at the Centre for Internet and Society, pointed out that the Karnataka Excise Act — and possibly other states’ excise regimes — gives states a lot of control on regulating the movement of alcohol. “A ‘sale’ in the Karnataka Excise Act is defined as ‘any transfer otherwise than by way of gift’,” Rathi told MediaNama. This definition essentially makes online ordering and delivery of liquor illegal — even if the service doing it doesn’t maintain inventory. Since there is no license for online delivery of alcohol, there is little by way of legal standing services like Dunzo have when faced with regulatory scrutiny.

But that is assuming that the regulatory scrutiny comes in the first place. While Punjab and Karnataka have chosen to use the vast regulatory powers the law grants them, other states haven’t done the same. In Gurgaon and Pune, though, alcohol deliveries continue unabated. HipBar, which delivers alcohol across India, told The News Minute, “HipBar is engaging with multiple states and their respective regulators to move the needle on last mile deliveries of alcoholic beverages with reasonable restrictions and safeguards in place, such that the letter and spirit of the excise policy is not vitiated.” That brings the question of whether the current model of last-mile delivery by services like Dunzo and HipBar violate the spirit of excise law in the first place.

For more details visit https://cis-india.org/internet-governance/news/medianama-september-7-2018-aroon-deep-why-should-we-talk-to-dunzo-state-regulators-fume-at-liquor-delivery

'What Security Breach?' The Unchanging Tone of UIDAI's Denials

Admin — 2018-09-19T14:14:53Z

This week brought with it another instance of Aadhaar déjà vu. The narrative is now eerily familiar to people with even a passing acquaintance with the matter.

The article by Karan Saini was published in the Wire on September 12, 2018

A security vulnerability in the Aadhaar ecosystem comes to light, usually through civil society stakeholders or the media. The Unique Identification Authority of India (UIDAI) issues a standard denial, refuses to publicly acknowledge that it has to course-correct and fix the problem, and the public waits for the process to repeat.

Following a three-month-long investigation by Huffington Post into the known and documented problem of cracked Aadhaar enrolment software, several security experts from within the country and elsewhere were able to conclude that the authenticity of entries within the Aadhaar database was likely compromised to an unknown extent. This was a direct result of a patched version of the enrolment software with stripped security features being circulated and used by potential hostile actors – among others.

The patched software bypasses several crucial security features of the enrolment client and could have also been used to get around the biometric authentication which legitimate enrolment operators would have to undertake before attempting to add new entries to the database.

The UIDAI responded to this report with a statement which is nearly identical to many of the authority’s previous press releases on alleged security incidents.

In its statement, the UIDAI said that “the claims made in the report about Aadhaar being vulnerable to tampering leading to ghost entries in Aadhaar database by purportedly bypassing operators’ biometric authentication to generate multiple Aadhaar cards is totally baseless”.

The statement which was issued by the authority seems straightforward but is actually cryptic in its very nature. The story published by Huffington Post did not categorically assert that the software bypass was being used ‘to generate multiple Aadhaar cards’, while the authority’s statement specifically refuted this claim.

This is, sadly, not new. The Aadhaar authority has always purposely misinterpreted what is actually being alleged in critical stories, and then presented their interpretations in their statements of rebuttal, which essentially amount to irresponsible dissemination of misleading information.

For instance, the UIDAI ignores that even without the issue of cracked enrolment software, there are already many proven cases of ghost entries in the database, including that of a Pakistani ISI spy as well as an Uzbek national involved in illegal sex-trade in the country. Both of these persons held real, valid Aadhaar cards which were issued to them under false identities.

The UIDAI also states that enrolments are verified at their backend system in order to prevent any such false entries from finding their way into the database. Given this, the question arises – how did these highlighted cases of false entries make it through the supposed checks and balances in place to the point where Aadhaar numbers for these persons were issued (and delivered)?

Similar events took place when in March 2018, ZDNet broke the story of an application programming interface (API) hosted on the website of utility provider Indane Gas, which could have been abused by hackers to steal information such as full names, Aadhaar numbers, names of linked banking institutions as well as details of the specific utility provider which a person uses for a major chunk of the population.

The UIDAI statement at the time baldly claimed that there was no breach of its central database (what is called the ‘CIDR’) and that biometric data were safe. The only problem? Neither of these issues were asserted or even hinted at in the original story.

Reporters from the publication had attempted to reach out to UIDAI repeatedly – and that too through several mediums of communication, such as phone, email and even direct messages to the official UIDAI Twitter account – all to no avail.

“We tried to contact UIDAI by phone and email after we learned of the Aadhaar data leak. We eventually sent all the details in a Twitter DM message — but only because UIDAI wouldn’t offer […] an email address to send this data leak issue to,” posted Zack Whittaker, the reporter who had broken the story for ZDNet, as a tweet on his public Twitter account.

This was not the first time the authority had done such a thing (and neither was it the last, as we see with the Huffington Post story), as witnessed in the January 2018 incident with the Tribune; where the UIDAI did not respond to the paper’s attempts at communication at all before publication and later used it to state that no security incident had taken place altogether.

Reporters from the Huffington Post had also attempted to reach out to UIDAI prior to publication of the story; attempts at communication which the UIDAI willingly left unanswered. After UIDAI’s rebuttal, the Huffington Post published a statement of their own in which they asserted that they stood by the claims made in their story, while also making it known that the UIDAI had never responded directly to any of their communication.

The UIDAI’s most recent statement deploys a bizarre array of security jargon including buzzwords such as “full encryption”, “access control” and “tamper resistance” – without providing any elaboration on what any of these things would help prevent with regard to the issues raised in the media report.

This obfuscation is very troubling, and particularly so for those people who do not actively follow news regarding the troubles of the programme or other media organisations that are not equipped to understand the nuances of security reporting. For both groups of people, the statements issued by the UIDAI would be enough of an assertion to lead them to believe that all is well with the project and that anyone saying otherwise is an “unscrupulous element” with “vested interests”.

After the first few incidents, the authority’s cookie-cutter response seems to be part of the playbook through which they seek to protect their image: by retaining the ability to publicly deny an incident, even if it has already taken place; which is done by never confirming (or even acknowledging) an issue before publication. This is presumably done out of fear of the reputational damage which would inevitably be caused by admittance of a compromise or fault on their part.

Consider what happened with the Tribune breach report. The UIDAI officially denied it (even though some of their lower-level officials were quoted in the story), filed an FIR against the journalist. When the dust settled down, a prominent business newspaper ran a story which strangely enough quoted anonymous officials who highlighted the steps that were taken to fix the problem.

The UIDAI understands that ‘the first step in solving a problem is to recognise that it does exist’. Acknowledging problems within the Aadhaar project would be catastrophically damaging for the authority as well as the public’s perception of them. This is why we are always presented with almost indistinguishable statements of rebuttal and denial from the UIDAI, which too are never backed with any evidence.

Seeing as how the UIDAI’s statements almost always end up backfiring, their decision to employ a social media agency to monitor the internet for chatter on Aadhaar starts to make a little sense. For a while now, the authority has wished to undertake mass digital surveillance through social media and other online forums in order to track “top detractors” of the Aadhaar scheme and counter them to effectively “neutralise negative sentiments” surrounding the project.

This move, however, was challenged by petitioner Mahua Moitra who saw it as “an attempt by the State to overreach the jurisdiction of the Hon’ble Supreme Court in matters where the legality of social media surveillance and Aadhaar itself is under challenge”.

For now, the next time we are hit with a sense of déjà vu when it comes to an Aadhaar-related security incident, we should see through the UIDAI’s statements for what they truly are: hopeless attempts at damage control for a system that is crumbling at its very foundation.

For more details visit https://cis-india.org/internet-governance/news/the-wire-karan-saini-september-12-2018-what-security-breach-the-unchanging-tone-of-uidai-denials

'Website not found' pop-ups leave net activists fuming

Tushar Kaushik — 2019-04-03T15:53:04Z

Internet activists are concerned over what they term as rising instances of websites being blocked by internet service providers (ISPs) and the government without citing any reason for doing so.

The article by Tushar Kaushik was published in the Economic Times on March 6, 2019. Gurshabad Grover was quoted.

Last year, the Ministry of Electronics and Information Technology (MeitY) blocked 2,799 URLs for allegedly hosting malicious content, marking a sharp increase from 2017, when 1,385 URLs were blocked.

These numbers were disclosed by minister of state for electronics and IT SS Ahluwalia in a written reply to a question in the Lok Sabha in February.

In 2016, the number of URLs that were blocked stood at 633.

The government has also withheld information on the list of blocked websites despite several queries under the right to information (RTI) Act, internet activists told ET.

The Centre for Internet and Society (CIS), a Bengaluru-based advocacy group, is compiling a list of URLs and websites that are being blocked, and has identified over 3,200 so far. Senior policy officer at CIS Gurshabad Grover said that among the blocked URLs are proxy servers and websites of NGOs that are deemed to have criticised government policy.

As per Grover, some of the websites and URLs reported to have been blocked at some point include the sites of human rights groups such as arabhra-.org, www.protectioninternational.org and www.drugsense.org.Also blocked were a site on feminism (feminist.org), the website of an environmental organisation (wedo.org) and a blog by activist Irom Sharmila (iromsharmilachanu.wordpress.com).

“Many blockades, when brought to the notice of courts, were revoked, but the URLs still remain inaccessible. The bigger problem is that of getting the list of blocked URLs,” Grover told ET.

'Restricting the Right to Receive Information'

A MeitY official, however, said no website is blocked arbitrarily. “No government machinery can order (blocking of a URL) without valid reason and without following valid procedure. And the only procedure available to us is (Section) 69A and 79 (of the IT Act). Rest is a court order,” the senior MeitY official, who did not want to be identified, told ET.

“Valid procedure is (Section) 69A, where we can order. But in addition there is (Section) 79, where notice is issued for any illegal activity happening on any platform. This notice can be issued by the appropriate government department. And the intermediary platform is free to agree to it or disagree,” the official said, adding that every complaint received against a website is considered individually.

Section 69A of the IT Act empowers the Centre to block websites in the interest of national security. Section 79 empowers the government to issue a notice to an intermediary to remove any content that it finds illegal.

A MeitY spokesperson could not respond immediately to ET’s emailed queries on the issue.

Grover of CIS said there was no way to determine if a website was blocked by the government or an ISP, unless a government order for the blocking was available.
For instance, last month, several users of the messenger service Telegram and music sharing website SoundCloud had reported that these websites had been blocked by Reliance Jio, according to the Internet Freedom Foundation.

Reliance Jio did not respond to queries from ET.

Internet Freedom Foundation’s executive director Apar Gupta expressed concern over the lack of information regarding reasons for blocking URLs.

“This is very worrying because it’s a secretive process that prevents the public from accessing a website, which restricts the right to receive information — a part of the fundamental right to freedom of speech and information,” he said.

For more details visit https://cis-india.org/internet-governance/news/economic-times-march-6-2019-tushar-kaushik-website-not-found-pop-ups-leave-net-activists-fuming

'Pakistan' hackers target India's top police agency

praskrishna — 2011-04-02T01:26:57Z

Cyber-attackers who identified themselves as the "Pakistan Cyber Army" have hacked the website of India's top police agency, officials said on Saturday. The website of the Central Bureau of Investigation (CBI) was hacked by programmers who left a message saying that the attack was in revenge for similar Indian assaults on Pakistani sites, Press Trust of India said. The hackers signed their message on the Indian police website: "Long Live Pakistan."

CBI authorities said they were working to restore the site, which offered information to the public.

The spokeswoman said she could not comment on Indian media reports that more than 200 other Indian sites had also been attacked by Pakistani hackers.

"We came to know the CBI site had been compromised Friday night," the spokeswoman told AFP, asking not to be named. "It will take us a couple of days to restore the site."

She said she could not immediately say who was responsible for the attack.

The CBI has "registered a case" and is investigating the attack, she said.

The message posted on the CBI site said the attack was "in response to the Pakistani websites hacked by 'Indian Cyber Army'," the Press Trust of India (PTI) reported.

"Hacked hahaa funny," the message said. "Let us see what you investigating agency so called CBI can do" (sic).

Hackers had also infiltrated the server of the National Informatics Centre (NIC), which maintains most of the government's websites, PTI reported.

In August, a group also calling itself the "Pakistan Cyber Army" hacked into the website of independent Indian MP Vijay Mallya, a flamboyant liquor baron, who is also head of Kingfisher Airlines.

The group claims to have hacked a number of Indian websites in recent years, including India's state-run Oil and Natural Gas Corporation, in retaliation for Indian hackers accessing Pakistan sites.

Indian IT specialists have long lamented what they say is a lack of awareness about Internet security across the country, including in the corridors of power.

Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, said it would have been easy for attackers to get into the CBI public site as it was "not a particularly sensitive" one.

The Indian government "has a very low level of cyber awareness and cyber security. We don't take cyber security as seriously as the rest of the world," he said.

He added that the government needed to "make at least 10 times the current level of investment to get their standards to match the rest of the world."

According to the Indian Computer Emergency Response Team, a government agency that tracks IT security issues, more than 3,600 Indian websites were hacked in the first six months of this year.

Read the original news here

For more details visit https://cis-india.org/news/police-agency-targetted

'IRCTC’s Aadhaar play can violate SC order and derail National Security'

praskrishna — 2015-07-07T15:10:08Z

Your online railway bookings are going to become a wee bit more difficult if they aren’t already so.

The blog entry by Shubhra Rishi was published by CIO.IN on July 1, 2015. Sunil Abraham gave his inputs.

That is, if the IRCTC makes Aadhaar card compulsory during the registration process for e-ticketing. The move, according to a recent announcement by IRCTC, will ensure that users registering on the IRCTC website are properly identified of their identity and address through the Aadhaar card number verification.

So in case, you already have an Aadhaar card, then you need not worry. For those who don't have it yet or are reluctant to apply for it, are in for a tough time.

According to Sandip Dutta, public relations officer at IRCTC, the plan, although still in the preliminary state, is to make Aadhaar compulsory which will prevent touts from further exploiting the e-ticketing platform.

IRCTC which already has around three crore registered users, adds 15,000 new registrations every day. Just to give you the scale of an IRCTC website, a 15-minute tatkal window has about 1,000,000 people trying to log on to the IRCTC website. This means a new user won't be able to book a railway ticket on the IRCTC site until he owns an Aadhaar card.

Also Read: Indian CISO don’t trust UID with their data

"This is a complete overkill and will only result in harassment of an ordinary citizen," says Sunil Abraham, executive director at The Centre for Internet & Society. "Aadhaar, he says, should be used to prevent politicians and bureaucrats from engaging in big-ticket fraud or whole-sale corruption. It should be used to make the state more accountable to citizens and not the other way around. It is unfortunate that techno-utopians are using biometric technology to fight retail corruption or small-ticket fraud.

If IRCTC makes Aadhaar mandatory for user registrations, they will be in direct violation of the Supreme Court's interim order of September 23, 2013 where it has ordered that no person should suffer for not getting the Aadhaar card in spite of the authority making it mandatory, since government says it is voluntary.

On March 24, 2014 again, the Supreme Court reiterated its earlier order of 2013 and directed all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an Aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.

According to cyber law expert and Supreme Court Lawyer, Pavan Duggal, till the time Aadhaar has been brought to a legislative sanctity, no government agency must make it compulsory and if they do so, they will be in gross violation of the order and will be held for contempt of court. "The National Identification Authority of India Bill that intends to give statutory backing to UIDAI (introduced in Rajya Sabha in 2010) is yet to be passed by the Parliament. Aadhaar is also non-compliant with the Information Technology Act 2000," says Duggal. Aadhaar, he says, is the unwanted child that hasn't proven legitimacy yet.

The illegitimacy, which continues to prevail due to several anomalies in the UIDAI’s Aadhaar allotment process. In March this year, about 20 million people enrolled in Delhi for an Aadhaar identification number, according to Census. However, the UIDAI generated about 17.7 million unique numbers in Delhi, about a million more than the city population.

In another incident, Aadhaar numbers were assigned to adult residents in 13 of the country's 36 states, and union territories surpassed their respective population as per 2011 census figures. However, the UIDAI blames that ‘gaps’ in census evaluation may have resulted in inaccuracy of the population data.

There have also been bizarre instances in the past where some Aadhaar cards displayed pictures of an empty chair, a tree, and a dog instead of the actual applicant.

So how does it aid unscrupulous elements in misusing the flaws of the Aadhaar card system?

To start with, Aadhaar captures biometrics of a user, which is neither permanent nor immovable, says Dr. Anupam Saraph, innovator, professor and an advisor in governance, informatics and strategic planning.

"Biometrics change during the life of a person, sometimes even within a year, or without warning. Biometrics can be easily stolen, replicated or misused as has been demonstrated by instances of fingerprints and iris scans of high profile targets being hacked. The enrollment agencies that have captured the biometric have the entire demographic and biometric database in their possession and as such it can be misused or stolen. Once the biometric fails or is stolen, all the functions that have crept to link access to the biometric are denied with little or no recourse to the victim," says Saraph.

“Another benign scenario may be large scale fake bookings to make tickets pricier, the malignant scenario will be entire trains used to transfer armies of anti-nationals and terrorists. Therefore, the Railway Minister must rise to cancel any such plans," says Saraph, and the Home Minister and Defence Minister must immediately scrap the linkage of Aadhaar to any database, require that the entire UID is destroyed as was done in the UK. “This kind of compromise requires the initiation of a time-bound judicial probe by a retired CAG and Supreme Court Judge supported by the CBI to investigate the exposure of the country to serious threats to national security due to UID,” he says.

And therefore, the bigger question isn't whether Aadhaar should be made compulsory or not, but whether it is a foolproof method to validate someone's identity. If it isn’t, then why is IRCTC playing the Aadhaar card?

For more details visit https://cis-india.org/internet-governance/news/cio-july-1-2015-irctc-aadhaar-play-can-violate-sc-order-and-derail-national-security

'India wants core internet infrastructure'

praskrishna — 2014-05-05T10:29:30Z

India wants "core internet infrastructure" to be part of an international legal system that would accommodate governments, civil society and other stakeholders. In typical Indian diplomatic style, its position can be interpreted to mean everything and nothing.

The article by Indrani Bagchi was published in the Times of India on April 24, 2014. Sunil Abraham is quoted.

An MEA team led by Vinay Kwatra, joint secretary told the Net Mundial in Brazil on Thursday, "The elements of India's approach on internet governance respond to its growing complexity and rests in supporting the dynamism, security and openness of a single and un-fragmented cyberspace. We also support innovation, and robust private sector investments to augment internet's continuing growth and evolution."

The Indian position is essentially an MEA position, because there has been little prior inter-agency consultation certainly in the government. In fact, while the MEA had decided upon its team almost a month ago, the Department of Information Technology only woke up last week.

It was only on Friday that the nodal ministry for IT-related issues even agreed to send a team to Brazil on Monday — the same team that the MEA was sending. If nothing else, sources said, this only highlighted the lack of seriousness within the Indian system.

In Brazil, Kwatra said internet should have a democratic governing system, involving everyone, which would essentially mean creating a parallel international system. The internet is essentially owned and led by the US, controlled by the fact that the overwhelming number of root servers are situated in that country. But after the Edward Snowden leaks on

NSA surveillance, the US' intentions and practices have come under a cloud.

While India does not want the status quo to continue, there is no clarity whether India favours a multilateral or a multi-stakeholder system. India, like China, wants a strong state presence in the decision making process of internet governance, because "it is used for transactions of core economic, civil and defence assets at national level and in the process, countries are placing their core national security interests in this medium." On the other hand, it wants unfettered access to knowledge and technology as a nation-building and governance tool.

Additionally, India wants non-governmental stakeholders to be properly audited "there should also be a clear delineation of principles governing their participation - including their accountability, representativeness, transparency, and inclusiveness. Clearly, it makes it even more important that we define the multistakeholderism."

There is a crying need for India to clearly define the future it expects to thrive in.

Sunil Abhraham of the Centre for Internet and Society in Bangalore says India should take the lead in defining new internet rules, keeping its future in mind. "We could use patent pools and compulsory licensing to provide affordable and innovative digital hardware to the developing world. This would ensure that rights-holders, innovators, manufactures, consumers and government would all benefit ... We could explore flat-fee licensing models like a broadband copyright cess or levy to ensure that users get content at affordable rates and rights-holders get some royalty from all internet users in India.

This will go a long way in undermining the copyright enforcement based censorship regime that has been established by the US. When it comes to privacy - we could enact a world-class privacy law and establish an independent, autonomous and proactive privacy commissioner who will keep both private and state actors on a short lease. Then we need a scientific, targeted surveillance regime that is in compliance with human rights principles. This will make India simultaneously an IP and privacy haven and thereby attract huge investment from the private sector, and also earn the goodwill of global civil society and independent media." This is more than the Indian government has thought of.

While no binding decisions are expected from Brazil this week, the high profile event is expected to trigger a high level debate on possible reforms. India, say officials, need to hone its position to come up with concrete proposals. This is imperative, after the US made two crucial decisions on internet governance this year.

In March the US announced by September 2015 it would give up oversight of the Internet Corporation for Assigned of Names and Numbers (ICANN), a non-profit group based in California that assigns domain names. But the US is clear it will not hand over control to any organization that can be controlled by any other country. This week, the US' FCC has dealt a body blow to the concept of "net neutrality" (which essentially functions on the premise that access to the internet is the same for everyone) by allowing companies like Disney and Google to pay for premium internet speeds. Countries like China, Russia, Saudi Arabia (maybe even Iran) seek to control net access for their citizens as a measure of political control. Second, cyber offensives by countries who are ramping up capacity in these fields could take over internet governance structures if they are not crafted carefully enough. On the flip side, as Sunil Abraham of the Centre for Internet and Society puts it, "The US censorship regime is really no better than China's. China censors political speech - US censors access to knowledge thanks to the intellectual property (IP) rightsholder lobby.."

If the US is relinquishing control over ICANN, the next global battle is likely to be over who takes over that mantle. Which, in turn, makes it important to get net governance right. At least China has a plan — it wants the UN to take control. India wants a bit of this and a bit of that, without actually giving it a shape, which makes it impossible for India to shape the future of the debate.

For more details visit https://cis-india.org/news/the-times-of-india-april-24-2014-india-wants-core-internet-infrastructure

'I'm going to ruin you, dear'

praskrishna — 2014-09-09T09:55:47Z

Revenge porn is sweeping across the developed world. And now it's being seen in India. The culprit, says Prasun Chaudhuri, is often a former friend, partner, relative or colleague.

This article by Prasun Chaudhuri with additional reporting by Varuna Verma in Bangalore was published in the Telegraph on August 3, 2014. Rohini Lakshane gave her inputs.

How would you feel if you casually opened a mail and found the link to a pornographic site — and it turned out to contain pictures of yourself naked? That's what Kalpana did. She clicked on a link sent to her and, to her horror, found that the face of the girl who "was available for sex" was hers. Her stomach lurched when she saw that the pictures showed her own bedroom. The site also contained her personal and contact details.

Kalpana was shattered. The subject line of the mail had said "I'm going to ruin you, dear". It had seemed like a prank. Only, it wasn't. It was a very real and malevolent attempt to destroy her reputation.

The 24-year-old Mumbai-based bank executive had become a victim of revenge porn — a new form of cybercrime in which ex-lovers or boyfriends upload intimate photos and videos of their former partners for the world to see. Mostly, the sexually explicit pictures are of women posted by jilted or spurned men.

Kalpana's photos, it was later found, were posted by her recently divorced husband, Pranay. They were taken when the two lived together.

Revenge porn is a trend sweeping across the developed world — from the US and Japan to countries in Europe. And now it's being seen in India, fuelled by the growing access to the Internet and camera-wielding mobile phones — all that is needed for taking and posting offensive pictures.

"Now that you have gadgets you tend to capture every moment of your life in pictures or videos," Calcutta-based psychiatrist J.R. Ram points out. "Not only that, you want to share these images through networking apps in your mobile phone or the Internet — without ever thinking of the consequences."

National Crimes Record Bureau (NCRB) figures — released on July 1, 2014 — show a 63.7 per cent rise in cyber offences from 2012 to 2013. During this period, the category "transmission of obscene content in electronic form" reflects a quantum jump —104.2 per cent — with 1,203 cases registered and 737 people arrested. "The data show cyber offences against women have increased sharply," NCRB director-general R.R. Verma says. "But we do not have any specific data on revenge crimes."

More and more such cases, however, are now coming to light. Kalpana lodged a complaint with the Navgarh police station in Mumbai. Ashish was arrested under a number of sections of the Indian Penal Code and the Information Technology Act.

Sneha, a 22-year-old college student from Udupi in Karnataka, also went to the police with the complaint that her ex-boyfriend had put up her photographs and videos on the Internet. M.B. Boralingaiah, superintendent of police, Manipal district, says the boy was arrested and sent to judicial custody.

"There has been an exponential rise in the number of cases of cyber revenge being reported to the police," Boralingaiah says. "This could also be because of increasing awareness of cyber laws, which prompts more people to approach the police." The Karnataka police are now setting up cyber crime police stations at regional levels across the state. Currently, only one police station, in Bangalore, deals with such crimes.

The profile of the criminal in revenge porn, Boralingaiah adds, is different from that of the average criminal plotting a scam using the Internet. In all the cases that have been reported, the accused is a former friend, partner, relative or colleague with no criminal history. They are also educated, intelligent and technologically savvy.

And that is why, despite suspicions, it is not always easy to catch the offender. The police say they have to first track down the origin of the pornographic site where the pictures are posted. "When we receive a complaint we try to locate the IP address (the unique identifier for the computer)," says Siddhartha Chakraborty, in charge of Cyber Police Station, Lalbazar, Calcutta. "But these crooks are clever enough to use some fake IP address of a distant country."

Once the police zero in on the IP address, it asks the web hosts to remove the offensive images, which they normally do. "But the procedure can take weeks or even months," Chakraborty adds.

Debarati Halder, a lawyer and cyber victim counsellor based at Tirunelvelli, Tamil Nadu, says she comes across 10-15 cases of revenge porn every month across the country, mostly involving college students. Often, the victims themselves take pictures while taking a shower or in their inner wear and share them with their boyfriends.

Many young women, Halder says, see such acts as symbols of independence or defiance.

"Taking 'sexy' images of themselves offers them a false sense of liberty, bypassing the repression imposed upon them in the real world," she says. "They feel relatively uninhibited in cyberspace and tend to experiment with their looks and sexuality, but are unable to determine where to draw the line."

The young are not greatly concerned with privacy and security on the Internet, Canada-based Internet safety expert Terry Cutler stresses. "They don't understand that once you send out an inappropriate photo or video, you no longer control it."

There are, according to some estimates, at least 3,000 voyeuristic websites where such pictures can be posted. The visuals are often copied and replicated across multiple porn sites, making it virtually impossible for the authorities to wipe off the digital prints. "Often these clips are available on mirror sites, web archives and caches. Video footage can also go viral on social networks and porn buffs even share these images offline," Chakraborty warns.

But people seldom think that the intimate pictures that they shoot with their lovers may one day become public. "When you're in love you trust your partner. You don't expect him to use these pictures to humiliate you when things fall apart," says Antara, a 32-year-old IT analyst in a government agency who has been a victim of revenge porn. She says that her husband, to seek a quick divorce, uploaded intimate pictures on porn sites to show that she was a woman of "bad character".

Also worrying is that a large number of women are victims of non-consensual and amateur pornography. Abir Atarthy, a Calcutta-based cyber-security expert, recently solved a case in which a college student found her pictures, shot in her bedroom, circulating on a social networking site.

"She was shocked because she not taken those pictures, nor had anybody else," Atarthy says. A thorough check revealed that a boy whose advances she had spurned had installed a hidden spy program in her laptop. "The program — capable of switching on the webcam even if the machine was offline — had been taking her snaps from her private life and sending the visuals to the youth whenever she connected to the Internet," he says.

Rohini Lakshané, a researcher at the Bangalore-based Centre for Internet and Society, describes such non-consensual acts as sexually violent crimes. "I don't like to use the term 'revenge porn', for it's an act of violence against women," she says. "Sometimes women are even raped and coerced into sex, filmed, threatened and blackmailed over the release of the footage online," Lakshané says.

The intention is to humiliate the woman and make her life miserable is the equivalent of throwing acid on her face, holds Dr Subhrangshu Aditya, a student counsellor at Jadavpur University, Calcutta. "These men can't accept rejection and it's their way to settle scores."

The victim, the experts say, doesn't just feel betrayed but often falls into depression — not just because of the ex-partner's action but because she sees herself as a partner in the crime, for the pictures uploaded may have been shot with her consent. "Their guardians also blame her for this and avoid reporting the matter to the police apprehending a bigger scandal," Halder adds.

The lawyer urges victims of such crimes to always approach the police. "Indian women have a strong legal recourse against perpetrators of revenge porn," she says. The amended 354 [C] of the Criminal Law (Amended) Act 2013, also known as the "voyeurism section", criminalises capturing and sharing images of a woman in private space. Section 66(E) of the IT Act criminalises the publication and transmission of images of an individual's private parts without his or her consent.

"These are watertight laws, strong enough to book an offender," she says, adding that the law also protects a victim's identity.

Across the world, laws are now being framed to punish cyber porn offenders. In January, Israel voted to define posting of images without consent as sexual harassment, punishable by up to five years in jail. Many states in the US already have laws against revenge porn and Britain may bring in one soon.

But perhaps the best way to prevent such crimes is by safeguarding privacy — at home and in the virtual world (see box). Cyber security expert Cutler sums it up aptly: "Just think this before you click the send button: If I were to post the visual on the Internet, would I care if it landed on the front page of a newspaper or the 8pm news?"

Some names have been changed to protect identities

How to Safeguard Your Privacy?

Get acquainted with the privacy settings of the social networks, dating and matrimonial websites you use
Do not upload any single close-shot picture on the Internet; this can be morphed and misused
Never film yourself during sexually intimate acts; even if you delete the pictures and videos these can be recovered from your device
Watch out for weird webcam activity; malicious software can easily infect your computer or phone and control the webcam
Remove your memory card from your mobile or format the hard disc of your computer before giving the device to service centres
Don't give your device to others and always lock your applications (especially picture galleries) in your mobile
Install and update antivirus and antimalware in your device

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-august-3-2014-i-am-going-to-ruin-you-dear

'Hope for such swift crackdowns for everyone'

Admin — 2018-07-07T08:52:39Z

The prompt arrest has impressed cybercrime experts, but some are sceptical whether this case will serve as a deterrent for trolls or spell hope for citizens at the receiving end of online abuse.

The article was published in the Times of India on July 6, 2018.

"I don't think this serves as sufficient deterrent for the everyday user. The victim here was a high-profile individual and action was taken after specific instructions from the Union home ministry towards both the police and Twitter," said Pranav MB of the Centre for Internet and Society, a non-profit whose focus areas include digital privacy and cybersecurity.

Pavan Duggal, chairman of the International Commission of Cyber Security Law, too felt the "high-profile stature" of the complainant means this could be an example of "customised justice" and not "generic justice". "The police invariably give step-motherly treatment to the common man whose issues are low priority to them," he said.

Duggal stressed on the need to adopt a "holistic approach" to deter anonymous trolls as a matter of "de facto routine". "We need to come up with strong legal provisions to deal with trolls," he said.

Such steps are becoming imperative given that a recent study by a global cybersecurity firm showed that eight out of 10 persons in India reported some form of online abuse. Another study by a Delhi NGO detailed how vocal women often have to deal with violent threats and sexual remarks. After the arrest, Priyanka Chaturvedi herself pointed out that "they like to target women who have a different opinion" and stressed the need to send a strong message.

"Threatening the rape of a child is the lowest thing. It's disgusting," said women's rights lawyer Flavia Agnes. Pointing out the vicious trolling of foreign minister Sushma Swaraj over her ministry's clearance to the passport of a Hindu-Muslim couple, Agnes said: "This has been happening again and again and it is getting out of hand. Arresting is one thing but we need to put an end to this menace."

The swift police action has impressed Mumbai cybercrime investigator Ritesh Bhatia. "It is not too difficult to catch trolls using fake ID these days since social media platforms are ready to provide the police with user logs that help track their IP address. I am glad Twitter responded quickly," said Bhatia. "I also hope that such speedy action is taken for all those who are threatened and abused, irrespective of their profession, status and political affiliations."

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-july-6-2018-hope-for-such-swift-crackdowns-for-everyone

'Full belief in fake texts shows cops not trusted'

Admin — 2018-06-26T01:21:04Z

Nilotpal Basu and Abhijeet Nath, an audio engineer and digital artiste, were beaten to death in Assam's Karbi Anglong last week based on rumours that they were kidnappers.

The article was published in the Times of India on June 18, 2018. Pranesh Prakash was quoted. Inputs from Kim Arora.

A manipulated WhatsApp video is said to be the source of the panic. While it is just the medium and not the reason behind the killings, WhatsApp, with its 250-million users in India, allows rumours to travel farther than ever before. "In many non-urban areas, such WhatsApp videos are the first form in which people encounter the internet on their phones. They don't always go online and verify them," says Jency Jacob, who runs the fact checking outlet Boom. This gullibility can't be explained just by class or education, he says. "Technology makes it easy to believe what you want to believe and spread it," says Jacob.

The spread of internet gives wings to rumours in pockets where kidnappings are a real fear. The states where lynchings have been reported are also among those with high figures for child abductions. Technology has helped rumours travel greater distances with greater impunity, says Pranesh Prakash, fellow at Centre for Internet and Society, recalling that child abduction rumours led to a lynching in Tamil Nadu in 2015 too, but this time, "such rumours have spread all over South India". And as the Karbi Anglong killings show, to Assam as well.

WhatsApp being an encrypted platform, police cannot trace the source of the rumourmongering. WhatsApp did not respond to TOI's queries on tracing origins of hate messages, but a spokesperson shared a statement saying they "block automated messages" and are educating people about spotting fake news and hoaxes.

In many cases, law enforcement has failed at a more basic level. Child abduction is a disturbing rumour, designed to provoke an emotional reaction, but other anxieties are at work too. "Rumours tend to escalate when there is a lack of official information, and clearly many feel what happens to them and their children does not get attention at higher levels," says sociologist Dipankar Gupta. It also points to a collapse in the state's credibility, he says. So, Gupta says, "there is no seeking of justice, only reprisal."

For more details visit https://cis-india.org/internet-governance/news/times-of-india-june-18-2018-full-belief-in-fake-texts-shows-cops-not-trusted