Centre for Internet and Society

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit https://cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking

What You Need To Worry About Before Linking Your Mobile Number With Aadhaar

Admin — 2017-11-26T05:55:49Z

As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.

The blog post by Roopa Raju and Shekhar Rai was published in Youth Ki Awaaz on November 8, 2017

The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of Lokniti Foundation vs Union of India. The petitioner contended that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for ensuring 100% verification on the identity of telecom service subscribers in public interest under Article 32 of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under Article 21 of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of 4.59 crore mobile users still remained unverified.

Article 21 of the Constitution of India, 1949, states that – “No person shall be deprived of his life or personal liberty except according to procedure established by law.” While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.

In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of over 130 million Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.

On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also strongly opposed the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court questioned the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.

As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base dipped by 1.3 lakh to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.

Month	Telephone subscriber base (in million)	Growth rate
Mar-17	1194.58	–
Apr-17	1198.89	0.36%
May-17	1204.98	0.51%
Jun-17	1210.84	0.49%
Jul-17	1210.71	-0.01%

(Source: TRAI monthly subscription data)

The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).

Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.

With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.

However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.

The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.

While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.

For more details visit https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar

What privacy? 13 crore Aadhaar numbers accessible on government portals

praskrishna — 2017-05-03T14:39:46Z

At least 13 crore Aadhaar numbers and 10 crore bank account numbers are readily accessible on government portals, a report claims.

The blog post by Anusha Ravi was published in Oneindia on May 2, 2017.

The centre for internet and society, in its report, has claimed that Aadhaar numbers with sensitive personal financial information were publicly available on four government portals built to oversee welfare schemes. The report said that the government portals made it easy to access sensitive details, despite it being illegal. "It is extremely irresponsible on the part of the UIDAI [Unique Identification Authority of India], the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," said Amber Sinha and Srinivas Kodali, the authors of the report.

Apart from accessing a person's details, the portals made it possible for anyone to get data on beneficiaries of welfare schemes. In many cases, it included bank account numbers of beneficiaries. The report suggests that close to 23 crore Aadhaar number could have been leaked if most of the government portals connected to direct benefit transfers used the 'same negligent standards for storing data as the ones examined'. "The document shows that the breaches are an indicator of potentially irreversible privacy harm and the data could be used for financial fraud," the authors said in the report. The report was documented after authors studied the National Social Assistance Programme, National Rural Employment Guarantee Scheme, Andhra Pradesh government's Chandranna Bima Scheme and Andhra Pradesh's Daily Online Payment Reports of NREGA.

The report said that sensitive personal identity information such as Aadhaar number, caste, religion, address, photographs and financial information were easily available with a few clicks and suggested how poorly conceived these initiatives were. The report highlights that it was illegal to make personal data public and also refers to # #AadhaarLeaks, a campaign on twitter aimed at exposing the loopholes in the Aadhaar system.

For more details visit https://cis-india.org/internet-governance/news/one-india-may-2-2017-anusha-ravi-what-privacy-13-crore-aadhaar-numbers-accessible-on-governmental-portals

What India can Learn from the Snowden Revelations

elonnai — 2013-10-25T07:29:57Z

Big Brother is watching, across cyberspace and international borders. Meanwhile, the Indian government has few safeguards in theory and fewer in practice. There’s no telling how prevalent or extensive Indian surveillance really is.

The title of the article was changed in the version published by Yahoo on October 23, 2013.

Since the ‘Snowden revelations’, which uncovered the United States government’s massive global surveillance through the PRISM program, there have been reactions aplenty to their impact.

The Snowden revelations highlighted the issue of human rights in the context of the existing cross-border and jurisdictional nightmare: the data of foreign citizens surveilled and harvested by agencies such as the National Security Agency through programs such as PRISM are not subject to protection found in the laws of the country. Thus, the US government has the right to access and use the data, but has no responsibility in terms of how the data will be used or respecting the rights of the people from whom the data was harvested.

The Snowden revelations demonstrated that the biggest global surveillance efforts are now being conducted by democratically elected governments – institutions of the people, by the people, for the people – that are increasingly becoming suspicious of all people.

Adding irony to this worrying trend, Snowden sought asylum from many of the most repressive regimes: this dynamic speaks to the state of society today. The Snowden revelations also demonstrate how government surveillance is shifting from targeted surveillance, warranted for a specific reason and towards a specified individual, to blanket surveillance where security agencies monitor and filter massive amounts of information.

This is happening with few checks and balances for cross-border and domestic surveillance in place, and even fewer forms of redress for the individual. This is true for many governments, including India.

India’s reaction

After the first news of the Snowden revelations, the Indian Supreme Court agreed to hear a Public Interest Litigation requesting that foreign companies that shared the information with US security agencies be held accountable for the disclosure. In response to the PIL, the Supreme Court stated it did not have jurisdiction over the US government.

The response of the Supreme Court of India demonstrates the potency of jurisdiction in today’s global information economy in the context of governmental surveillance. Despite being upset at the actions of America’s National Security Agency (NSA), there is little direct legal action that any government or individual can take against the US government or companies incorporated there.

In the PIL, the demand that companies be held responsible is interesting and representative of a global debate, as it implies that in the context of governmental surveillance, companies have a responsibility to actively evaluate and reject or accept governmental surveillance requests. Although I do not disagree with this as a principle, in reality, this evaluation is a difficult step for companies to take.

For example, in India, under Section 69 of the Information Technology Act, 2000, service providers are penalized with up to seven years in prison for non-compliance with a governmental request for surveillance. The incentives for companies to actually reject governmental requests are minimal, but one factor that could possibly push companies to become more pronounced in their resistance to installing backdoors for the government and complying with governmental surveillance requests is market pressure from consumers.

To a certain extent, this has already started to happen. Companies such as Facebook, Yahoo and Google have created ‘transparency reports’ that provide – at different granularities – information about governmental requests and the company’s compliance or rejection of the same.

In India, P. Rajeev, Member of Parliament from Kerala, has started a petition asking that the companies disclose information on Indian data given to US security agencies. Although transparency by complying companies does not translate directly into regulation of surveillance, it allows the customer to make informed choices and decide whether a company’s level of compliance with governmental requests will impact his/her use of that service.

The PIL also called for the establishment of Indian servers to protect the privacy of Indian data. This solution has been voiced by many, including government officials. Though the creation of domestic servers would ensure that the US government does not have direct and unfettered access to Indian data, as it would require that foreign governments access Indian information through a formal Mutual Legal Assistance Treaty process, it does not necessarily enhance the privacy of Indian data.

As a note, India has MLAT treaties with 34 countries. If domestic servers were established, the information would be subject to Indian laws and regulations.

Snooping

The Snowden Revelations are not the first instance to spark a discussion on domestic servers by the Government of India.

For example, in the back-and-forth between the Indian government and the Canadian company RIM, now BlackBerry, the company eventually set up servers in Mumbai and provided a lawful interception solution that satisfied the Indian government. The Indian government made similar demands from Skype and Google. In these instances, the domestic servers were meant to facilitate greater surveillance by Indian law enforcement agencies.

Currently in India there are a number of ways in which the government can legally track data online and offline. For example, the interception of telephonic communications is regulated by the Indian Telegraph Act, 1885, and relies on an order from the Secretary to the Ministry of Home Affairs. Interception, decryption, and monitoring of digital communications are governed by Section 69 of the Information Technology Act, 2000 and again rely on the order of the executive.

The collection and monitoring of traffic data is governed by Section 69B of the Information Technology Act and relies on the order of the Secretary to the government of India in the Department of Information Technology. Access to stored data, on the other hand, is regulated by Section 91 of the Code of Criminal Procedure and permits access on the authorization of an officer in charge of a police station.

The gaps in the Indian surveillance regime are many and begin with a lack of enforcement and harmonization of existing safeguards and protocols. Presently, India is in the process of realizing a privacy legislation.

In 2012, a committee chaired by Justice AP Shah (of which the Center for Internet and Society was a member) wrote The Report of the Group of Experts on Privacy, which laid out nine national privacy principles meant to be applied to different legislation and sectors – including Indian provisions on surveillance.

The creation of domestic servers is just one example of how the Indian government has been seeking greater access to information flowing within its borders. New requirements for Indian service providers and the creation of projects that go beyond the legal limits of governmental surveillance in India enable greater access to details about an individual on a real-time and blanket basis.

For example, telecoms in India are now required to include user location data as part of the ‘call detail record’ and be able to provide the same to law enforcement agencies on request under provisions in the Unified Access Service and Internet Service Provider Licenses.

At the same time, the Government of India is in the process of putting in place a Central Monitoring System that would provide Indian security agencies the ability to directly intercept communications, bypassing the service provider.

Even if the Central Monitoring System were to adhere to the legal safeguards and procedures defined under the Indian Telegraph Act and Information Technology Act, the system can only do so partially, as both provisions create a clear chain of custody that the government and service providers must follow – that is, the service provider was included as an integral component of the interception process.

If the Indian government implements the Central Monitoring System, it could remove governmental surveillance completely from the public eye. Bypassing the service provider allows the government to fully determine how much the public knows about surveillance. It also removes the market and any pressure that consumers could exert from insight provided by companies on the surveillance requests that they are facing.

Though the Indian government could (and should) be transparent about the amount and type of surveillance it is undertaking, currently there is no legal requirement for the government of India to disclose this information, and security agencies are exempt from the Right to Information Act. Thus, unless India has a Snowden somewhere in the apparatus, the Indian public cannot hope to get an idea of how prevalent or extensive Indian surveillance really is.

Policy vacuum

For any government, the surveillance of its citizens, to some degree, might be necessary. But the Snowden revelations demonstrate that there is a vacuum when it comes to surveillance policy and practices. This vacuum has permitted draconian measures of surveillance to take place and created an environment of mistrust between citizens and governments across the globe.

When governments undertake surveillance, it is critical that the purpose, necessity and legality of monitoring, and the use of the material collected are built into the regime to ensure it does not violate the human rights of the people surveilled, foreign or domestic.

In 2013, the International Principles on the Application of Human Rights to Communications Surveillance were drafted, in part, to address this vacuum. The principles seek to explain how international human rights law applies to surveillance of communications in the current digital and technological environment. They define safeguards to ensure that human rights are protected and upheld when governments undertake surveillance of communications.

When the Indian surveillance regime is measured against these principles, it appears to miss a number of them, and does not fully meet several others. In the context of surveillance projects like the Central Monitoring System, and in order to avoid an Indian version of the PRISM program, India should take into consideration the safeguards defined in the principles and strengthen its surveillance regime to ensure not only the protection of human rights in the context of surveillance, but to also establish trust in its surveillance regime and practices with other countries.

Elonnai Hickok is the Program Manager for Internet Governance at the Centre for Internet and Society, and leads its research on privacy.

For more details visit https://cis-india.org/internet-governance/blog/yahoo-october-23-2013-what-india-can-learn-from-snowden-revelations

What Does Facebook's Transparency Report Tell Us About the Indian Government's Record on Free Expression & Privacy?

pranesh — 2015-04-05T05:08:37Z

Given India's online population, the number of user data requests made by the Indian government aren't very high, but the number of content restriction requests are not only high on an absolute number, but even on a per-user basis.

Further, Facebook's data shows that India is more successful at getting Facebook to share user data than France or Germany. Yet, our government complains far more about Facebook's lack of cooperation with Indian authorities than either of those countries do. I think it unfair for any government to raise such complaints unless that government independently shows to its citizens that it is making legally legitimate requests.

Since the Prime Minister of India Shri Narendra Modi has stated that "transparency and accountability are the two cornerstones of any pro-people government", the government ought to publish a transparency report about the requests it makes to Internet companies, and which must, importantly, provide details about how many user data requests actually ended up being used in a criminal case before a court, as well as details of all their content removal requests and the laws under which each request was made.

At the same time, Facebook's Global Government Requests Report implicitly showcases governments as the main causes of censorship and surveillance. This is far from the truth, and it behoves Facebook to also provide more information about private censorship requests that it accedes to, including its blocking of BitTorrent links, it's banning of pseudonymity, and the surveillance it carries out for its advertisers.

For more details visit https://cis-india.org/internet-governance/blog/what-does-facebook-transparency-report-tell-us-about-indian-government-record-on-free-expression-and-privacy

What Centre will tell Supreme Court on Aadhaar and social media account linkage

Amrita Madhukalya — 2019-09-02T04:28:45Z

The top court had held in the Aadhaar case that the government can make the linking of the 12-digit-number mandatory only in the case of availing subsidies and welfare benefits. Consequently, Section 57 of the Aadhaar Act was struck down.

The article by Amrita Madhukalya was published in Hindustan Times on August 28, 2019. Gurshabad Grover was quoted.

The Centre will refer to the Aadhaar Act and the Supreme Court’s 2017 privacy judgement when it is directed by the top court to put forward its view on whether the unique identification number should be made mandatory in opening and managing accounts on Facebook, Twitter, WhatsApp and other social media platforms.

“While we are yet to receive a notice from the SC asking for our reply, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, and the apex court’s 2017 judgement upholding the Right to Privacy will guide us in drafting a response,” a senior official of the ministry of electronics and information technology, who did not wish to be named, said.

As a division bench of Madras High Court continues to hear two writ petitions on whether social media profiles should be linked to Aadhaar so that users in cases where pornographic material, fake news and communal content is posted on these sites can be traced, Facebook had simultaneously filed a plea to transfer all similar cases in the high courts of Madras, Bombay as well as Madhya Pradesh. The top court will hear the matter on September 13.

During its hearings, Madras High Court made it clear that it will not rule on Aadhaar-linking and the case will concentrate on traceability now. As of now, only one of the transfer petitions, the one in Jabalpur, deals with Aadhaar linking.

Meanwhile, the top court has already asked social media companies for their stand on the matter. Senior lawyers Mukul Rohatgi and Kapil Sibal, who have been representing Facebook and WhatsApp respectively in Madras High Court case, have already said that as both the companies are headquartered outside of India, with operations in dozens of countries, the high court’s judgement will have ramifications globally.

Both Twitter and Google declined to comment on the matter, as the matter is sub-judice, while Facebook was not available.

However, in March this year, Facebook CEO Mark Zuckerberg said that privacy, encryption and secure data storage were some of these principles while unveiling the company’s “vision and principles” in building a “privacy-focused” social platform.

Wherein people can have “clear control over who can communicate with them and confidence that no one else can access what they share”, such communication could be secure with end-to-end encryption, and Facebook will not store sensitive data in countries with “weak records on human rights”.

Gurshabad Grover of the Centre for Internet Security says he welcomes the Centre’s stand but adds that the petition should not have been allowed by the Madras High Court in the first place.

“The case is now deliberating on policy, which is the responsibility of the government. This goes against the basis of separation of power,” he says.

The Centre is dealing with issues surrounding traceability through the Intermediaries Guidelines, which is due in the next few weeks.

The solution, Grover says, lies in diplomatic negotiations.

“Instruments like the US’ Clarifying Lawful Overseas Use of Data Act can come in handy if India can fight for better executive agreements there, provided we have data protection laws in line with human rights standards,” he said.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-august-28-2019-amrita-madhukalya-what-centre-will-tell-sc-on-aadhaar-and-social-media-account-linkage

What are People's Rights in Digital World

praskrishna — 2016-01-12T01:51:53Z

Vanya Rakesh participated in this workshop organized by IT for Change on December 4, 2015 in Bangalore.


Above: Participants from the workshop

This workshop by IT for Change to build conceptions of rights with regard to the digital realm based on our tacit formative consciousness about them and undertake such an exercise to draw the first outlines of the social contract that must underpin our pervasively digital existence. IT for Change brought together thought leaders engaged in rights frameworks (including rights activists across domains and digital rights activists) to participate in this preliminary inquiry, to build from scratch a conception of what constitutes an equitable and just digital society, and what individual and collective rights would be commensurate to such a conception.

For more info click here.

For more details visit https://cis-india.org/internet-governance/news/what-are-peoples-rights-in-digital-world

Way to watch

chinmayi — 2013-07-01T10:17:27Z

The domestic surveillance regime in India lacks adequate safeguards.

Chinmayi Arun's column was published in the Indian Express on June 26, 2013.

A petition has just been filed in the Indian Supreme Court, seeking safeguards for our right to privacy against US surveillance, in view of the PRISM controversy. However, we should also look closer home, at the Indian government's Central Monitoring System (CMS) and other related programmes. The CMS facilitates direct government interception of phone calls and data, doing away with the need to justify interception requests to a third party private operator. The Indian government, like the US government, has offered the national security argument to defend its increasing intrusion into citizens' privacy. While this argument serves the limited purpose of explaining why surveillance cannot be eliminated altogether, it does not explain the absence of any reasonably effective safeguards.

Instead of protecting our privacy rights from the domestic and international intrusions made possible by technological development, our government is working on leveraging technology to violate privacy with greater efficiency. The CMS infrastructure facilitates large-scale state surveillance of private communication, with very little accountability. The dangers of this have been illustrated throughout history. Although we do have a constitutional right to privacy in India, the procedural safeguards created by our lawmakers thus far offer us very little effective protection of this right.

We owe the few safeguards that we have to the intervention of the Supreme Court of India, in PUCL vs Union of India and Another. In the context of phone tapping under the Telegraph Act, the court made it clear that the right to privacy is protected under the right to life and personal liberty under Article 21 of the Constitution of India, and that telephone tapping would also intrude on the right to freedom of speech and expression under Article 19. The court therefore ruled that there must be appropriate procedural safeguards to ensure that the interception of messages and conversation is fair, just and reasonable. Since lawmakers had failed to create appropriate safeguards, the Supreme Court suggested detailed safeguards in the interim. We must bear in mind that these were suggested in the absence of any existing safeguards, and that they were framed in 1996, after which both communication technology and good governance principles have evolved considerably.

The safeguards suggested by the Supreme Court focus on internal executive oversight and proper record-keeping as the means to achieving some accountability. For example, interception orders are to be issued by the home secretary, and to later be reviewed by a committee consisting of the cabinet secretary, the law secretary and the secretary of telecommunications (at the Central or state level, as the case may be). Records are to be kept of details such as the communications intercepted and all the persons to whom the material has been disclosed. Both the Telegraph Act and the more recent Information Technology Act have largely adopted this framework to safeguard privacy. It is, however, far from adequate in contemporary times. It disempowers citizens by relying heavily on the executive to safeguard individuals' constitutional rights. Additionally, it burdens senior civil servants with the responsibility of evaluating thousands of interception requests without considering whether they will be left with sufficient time to properly consider each interception order.

The extreme inadequacy of this framework becomes apparent when it is measured against the safeguards recommended in the recent report on the surveillance of communication by Frank La Rue, the United Nations special rapporteur on the promotion and protection of the right to freedom of speech and expression. These safeguards include the following: individuals should have the legal right to be notified that they have been subjected to surveillance or that their data has been accessed by the state; states should be transparent about the use and scope of communication surveillance powers, and should release figures about the aggregate surveillance requests, including a break-up by service provider, investigation and purpose; the collection of communications data by the state, must be monitored by an independent authority.

The safeguards recommended by the special rapporteur would not undermine any legitimate surveillance by the state in the interests of national security. They would, however, offer far better means to ensure that the right to privacy is not unreasonably violated. The emphasis placed by the special rapporteur on transparency, accountability and independent oversight is important, because our state has failed to recognise that in a democracy, citizens must be empowered as far as possible to demand and enforce their rights. Their rights cannot rest completely in the hands of civil servants, however senior. There is no excuse for refusing to put these safeguards in place, and making our domestic surveillance regime transparent and accountable, in compliance with our constitutional and international obligations.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-june-26-2013-chinmayi-arun-way-to-watch

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit https://cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Watch out for cyber bullies

praskrishna — 2012-06-05T06:08:19Z

It's time to take a closer look at this form of cyber crime in India, writes KV Kurmanath in an article published in the Hindu Business Line on June 4, 2012.

The suicide of Tyler Clementi, the 18-year-old New Jersey student in 2010, had triggered a strong debate on invasion of privacy in the cyber age.

His roommate, an Indian student, captured the boy kissing another man in their hostel using his web camera.

The boy jumped into a river unable to take the humiliation, when the former tried to circulate the clip. Though the court refused to link the recording with the death, it sentenced the Indian youth to 30 days in prison last month.

What Clementi was subjected to is cyber bullying, argued those who campaigned for the Indian student's deportation.

Along with other cyber crimes, cyber bullying is on the rise in India too. The fledgling cyber police wings in different states are being flooded with complaints of invasion of privacy, blackmail and circulating electronic messages that cause annoyance.

Ms Aparna (name changed) was aghast when a close friend called her up about a nude picture of her being circulated on the web. A quick check pointed the needle of suspicion at a friend who she had just spurned. Angered by her rejection, the boy morphed her picture, checked into her email account and sent it to all the people in the contact list.

After finding Facebook not so amusing, Sujatha (name changed) decided to close her account and discussed this with a few friends too. A few days later, she found both her FB and gmail accounts compromised. She also found obscene pictures posted on the same.

Legal Issues

Incidents like these are growing sharply with poor knowledge among users abut how to protect accounts. Sharing one's passwords with others too is proving dangerous.

Prof. Madabhushi Sridhar, a cyber laws expert at NALSAR University, says the crimes cited above come under the bracket of invasion of privacy.

He says Section 66A in the amended IT Act deals with these crimes. Sending any message (through a computer or a communication device) that is grossly offensive or has menacing character; any communication which he knows to be false, but for the purpose of causing insult, annoyance, criminal intimidation comes under this section. This crime, he says, is punishable up to three years with a fine.

Prof. Sridhar, who has just completed a book on cyber laws, feels that punishments under the IT Act are insufficient. "They should be read with the Indian Penal Code. This will be an effective method to check cyber crimes," he says.

Prof. Sridhar also represents the Institute of Global Internet Governance and Advocacy (GIGA) at the Law University. GIGA conducts research on the Internet and takes up advocacy and training programmes on Internet Governance.

"We already have anti-voyeurism provisions in the IT Act under Sec. 66E," Mr Sunil Abraham, Executive Director of Centre for Internet and Security, says.

This offence is punishable with ‘imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.'

Repeated harassment aka cyber bullying can be addressed using the already over-broad provisions under Sec. 66A. Unfortunately this Section goes too far and can be used to censor legitimate speech.

"Security and privacy awareness in India is very poor. It would be very useful if both the government and civil society was more aggressive in awareness raising and triggering change in behaviour. Unfortunately this is a bit like smoking - even though people are aware of the issues - they engage in risky behaviour online," he says.

Lack of Data

Mr.Pavan Duggal, Chairman of Cyber Law Committee and Cyber laws expert, said there is no specific data on cyber crime in India and the data available with the NCRB (National Crimes Records Bureau) of around 900 cases for overall cybercrime is also doubtful.

"The solution is to make cyber laws more strict as current law under IT Act 2000 is a bailable offence with three years imprisonment and a fine," he points out.

"IT Act 2000 has to be re-amended to specific provisions pertaining to cyber bullying. Further, cyber bullying needs to be made a serious offence with minimum five years imprisonment and a fine of Rs 10 lakh. Unless you have deterrence in law it will be a continuing offence," he observes.

Fortunately, there are some safeguards which can help prevent such acts of cyber offences. In most cases, the acts of bullying or blackmailing are done by someone close to the victims. People should make it a point to keep their Internet identities very safe.

One should not disclose their identities such as passwords or hint questions to anyone – no matter how close they are. Parents should keep an eye on their children who are addicted to the Internet. They should inform and educate their children on the clear and present dangers that lurk on the Net.

They should also teach the importance of respecting others' privacy apart from taking precautions to keep their private space very safe.

(with inputs from Ronendra Singh)

Click to read the original published in the Hindu Business Line. Sunil Abraham is qouted in this article.

For more details visit https://cis-india.org/news/watch-out-for-cyber-bullies

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Virtual Aadhaar ID: too little, too late?

Admin — 2018-01-16T23:59:21Z

Problems persist as many have already shared their 12-digit number with various entities, say experts

The article by Yuthika Bhargava was published in the Hindu on January 11, 2018

The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.

“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.

“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.

The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.

Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.

“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.

Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”

Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.

Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”

For more details visit https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late

Vijay Mallya cries foul after his Twitter and email accounts are hacked

praskrishna — 2016-12-10T13:50:25Z

The attackers said they were able to access over a gigabyte of data from Mallya's email.

The article by Alnoor Peermohamed was published in Business Standard on December 10, 2016. Sunil Abraham was quoted.

Liquor baron Vijay Mallya on Friday cried foul over his Twitter account being hacked by a group calling itself ‘Legion’. The group is believed to be the same as the one behind the hack of Congress vice-president Rahul Gandhi’s Twitter and e-mail servers last week.

Several tweets alleging that Mallya’s e-mail had been compromised and documents related to his offshore investments and bank accounts had been stolen were made from his official Twitter account in early on Friday.

“Outfit called Legion has hacked my e-mail accounts and are blackmailing me!! What a joke,” Mallya tweeted after seemingly taking back control of his account.

The attackers said they were able to access over a gigabyte of data from Mallya’s e-mail and shared a link for the public to gain access to it. They also tweeted the rest of the information on Mallya would be made public in the coming weeks, targeted at bringing him to justice for committing fraud.

The Twitteratti (the general public on the social networking platform), including several of Mallya’s 5.51 million followers, emerged in support of the hackers, who they proclaimed were working in the interest of the Indian people. Mallya has defaulted Rs 7,200 crores in loans and is being investigated for it.

“The e-mail hack is interesting because it’s the same global pattern. People are following Julian Assange’s advice — transparency should be directly proportional to power. What one really means is, public interest should be preserved,” says Sunil Abraham, executive director at Bengaluru-based Centre for Internet and Society.

While a lot of hacks continue to be carried out for monetary gain through extortion, several Internet vigilante groups have cropped up over the past decade, the most famous being WikiLeaks and more recently Anonymous. As India’s politicians, businessmen and the general public increasingly use technology and the Internet, they too are becoming targets for such hackers.

“If Mallya’s email account is hacked and all we get out of it is gossip, then it’s of no use. But if we as a nation ensure that the law is followed, or laws are improved, or corporate governance is evolved, all of that is positive impact of such an event. So hacktivists have to be very responsible when they do this, otherwise they spoil the name of whistleblowers and so on,” added Abraham.

Mallya is currently wanted by Indian law enforcement agencies and has a non-bailable warrant issued against his name by the court. He has currently exiled himself in the UK and refuses to travel to the country unless offered amnesty. While often denying any wrongdoing, the general public perception among Indians is that the billionaire playboy Mallya portrayed himself to be is guilty.

For more details visit https://cis-india.org/internet-governance/business-standard-alnoor-peermohamed-december-10-2016-vijay-mallya-cries-foul-after-his-twitter-and-email-accounts-are-hacked

VII NLSIR Symposium

praskrishna — 2014-01-09T07:08:33Z

The National Law School of India Review (NLSIR) - the flagship journal of the National Law School of India University (NLSIU), Bangalore is pleased to announce the seventh NLSIR Symposium on “Bridging the Security-Liberty Divide” scheduled to be held on December 21 and December 22, 2013 at the National Assessment and Accreditation Council (NAAC, opposite NLSIU Campus, Nagarhavi) Conference Hall, Bangalore.

This was published by NLSIR on December 20, 2013.

The decade following September 11 has been dubbed “liberty’s lost decade”, not just for the United States of America but for the world at large, marked by increasing tension between State interests in national security and individual liberty. As we continue to grapple with the implications of this clash, one clear winner seems to be emerging, best observed by examining changes in legal systems throughout this decade. The recent upsurge of criticism against NSA activity globally, however, could be seen as indicative of a changing trend. The VIIth NLSIR Symposium seeks to trace this dialogue between competing notions of security and liberty, and hopes to assess and analyse similar developments in India Confirmed speakers for the symposium include renowned legal experts such as Hon’ble Justice Muralidhar, Menaka Guruswamy, Mrinal Satish, Bharat Karnad, Aparna Chandra, Chinmayi Arun, Shyam Diwan, Bhairav Acharya, Roshni, Yug Mohit Chaudhary and Saikat Datta.

This year, the discussions will be divided into four panels:

Session I: Securing Liberty from the State - Redefining Criminal Thresholds in Law
(Forenoon, December 21, 2013, Saturday)

Session II: Intrusive Intelligence - Surveillance Programs and Privacy in India
(Afternoon, December 21, 2013, Saturday)

Session III: Beyond Borders - Extradition, Asylum and Concerns of State Security
(Forenoon, December 22, 2013, Sunday)

Session IV: Connecting the Dots
(Afternoon, December 22, 2013, Sunday)

For more details visit https://cis-india.org/news/nlsir-december-21-2013-nlsir-symposium

Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)

Vidhi Doshi — 2017-02-13T09:21:42Z

This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.

Originally published by The Guardian.

For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.

Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.

India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.

But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.

As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.

In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.

Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.

The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.

Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter or two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.

For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.

Privacy fears

Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.

Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.

For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.

This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”

Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.

Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.

Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.

Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: ““I wouldn’t say it is impossible to break the system, but it is very, very difficult.”

For more details visit https://cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian