The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 81 to 95.
UIDAI admits 210 government websites made Aadhaar details public
https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public
<b>The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.financialexpress.com/economy/uidai-admits-210-government-websites-made-aadhaar-details-public/940545/">published in the Financial Express</a> on November 20, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed the names, addresses and other details of Aadhaar beneficiaries, which were removed when the breach was identified.</p>
<p style="text-align: justify; ">However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.</p>
<p style="text-align: justify; ">UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and address anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the <a href="http://www.financialexpress.com/tag/narendra-modi/" target="_blank">Narendra Modi</a> government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhaar.</p>
<p style="text-align: justify; ">Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that as many as 135 million Aadhaar numbers could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.</p>
<p style="text-align: justify; ">UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in the media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts”. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” a press release by PIB said.</p>
<p style="text-align: justify; ">It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2017-11-21T16:03:29Z | News Item
UID: Questions without Answers – A Talk by Usha Ramanathan
https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers
<b>UID enrolment is in full swing, providing an official identification to millions of Indians, yet there are numerous unanswered questions. A public talk on UID was held at the Institute of Science, Bangalore on September 6, 2011. Usha Ramanathan, an independent law researcher on jurisprudence, poverty and rights, discussed the questions that plague the UID project and the veil of silence enveloping the answers.</b>
<p style="text-align: justify;">Ms. Ramanathan
began her presentation by describing the progress and evolution of the UID
project. She stated three adjectives that reflect the target goal of the Unique
Identification Authority of India (UIDAI): unique, ubiquitous and universal.
She demonstrated how their initial objectives and claims have been drastically
altered in three major ways.</p>
<p style="text-align: justify;">First and
foremost, the UIDAI claimed that enrolment is voluntary, not mandatory, and
hence, inclusive. Yet, Nandan Nilekani has
consistently maintained that other agencies may make it compulsory.
UID is becoming ubiquitous and is a prerequisite for access to a wide variety
of welfare schemes and services such as PDS, MGNREGS, banks, public health,
etc. It is thus clear that this could
actually exclude those who do not have a number or whose biometrics do not work. Therefore, this undermines the inclusive nature of the project.</p>
<p style="text-align: justify;">Second, the
UIDAI claimed that the UID would enable inclusive growth. Ms. Ramanathan expressed a
serious concern surrounding the risk of exclusion. Instead of facilitating
inclusion, around two to five per cent of the Indian population would be
excluded from the current process of authentication and potentially from having
a UID number, as they do not have viable biometric data.<a name="_ftnref" href="#_ftn1"><span class="MsoFootnoteReference">[1]</span></a> Physical or visual impairments such as corneal blindness, corneal scars, and
malnourishment-induced cataracts, or ‘low-quality’ fingerprints from a lifetime
of hard labour, prevent those affected from providing valid fingerprints or iris scans.<a name="_ftnref" href="#_ftn2"><span class="MsoFootnoteReference">[2]</span></a></p>
<p style="text-align: justify;">Third, Ms. Ramanathan reiterated that
the <a class="external-link" href="http://www.prsindia.org/uploads/media/NIA%20Draft%20Bill.pdf">National Identification Authority India Bill </a>prohibited sharing data, except by the consent of the resident, by
a court order or for national security. However, UID information is being directly fed into the National Intelligence Grid
(NATGRID), which will then provide information about people held in 21
databases to eleven security agencies, including the RAW and IB, over which
there is no superintendence or oversight.<a name="_ftnref" href="#_ftn3"><span class="MsoFootnoteReference">[3]</span></a> She
discussed the high likelihood of a breach of privacy as there are insufficient
standards protecting an individual from unlawful invasion. Additionally, the
UIDAI does not have mechanisms in place for an individual to be notified if there
is a data breach. </p>
<h3><u>Who owns this project?</u></h3>
<p style="text-align: justify;">A very important question asked is, “Who owns this project?” Ms.
Ramanathan stated that the convergence of information especially during the
‘de-duplication’ process clearly reflects the corporatization of the project.
She also questioned the background of some of the technological companies
involved. For instance, L-1 Identity
Solutions is well known for its links with the CIA. Additionally, Accenture is
on a Smart Borders project with US Homeland Security. She explained that ownership also plays into the
feasibility and financial cost of the project. Furthermore, the UIDAI has not
conducted a
feasibility study on the technology or the financial cost of the project.</p>
<h3><u>International Experience</u></h3>
<p style="text-align: justify;">Lastly, Ms. Ramanathan discussed the international experience of a
universal identity system. In the United Kingdom, their universal system of
identification was labelled as ‘intrusive bullying’ as well as ‘an assault on personal
liberties’. The United States and the United Kingdom both abandoned a
universal identity system, as it was impractical, unjustified and dangerous.</p>
<p style="text-align: justify;">Ms. Ramanathan raised many questions that evoked thought and discussion from the
audience. She provided numerous examples of ambiguity, misconceptions and confusion
surrounding the UID project. She urged the audience to exercise their civil
liberties or risk losing them. Lastly, she believed that an informed debate
involving the UIDAI and the public is long overdue.</p>
<p style="text-align: justify;">“The UIDAI must clarify misconceptions and provide detailed answers to
crucial questions, as there is a lack of understanding within the general
population about the UID. Therefore, the UIDAI and the Government of India must
increase and ensure transparency of the UID project”, she added. </p>
<p style="text-align: justify;"><em>Ms. Usha Ramanathan was speaking at an event organised by Concern, an IISc student group. She was speaking in her personal capacity and the opinions reflected above are not necessarily those of CIS.</em></p>
<div><br clear="all" />
<hr align="left" size="1" width="33%" />
<div id="ftn">
<p><a name="_ftn1" href="#_ftnref"><span class="MsoFootnoteReference">[1]</span></a> Biometrics Design Standards for UID
Applications (December 2009).</p>
</div>
<div id="ftn">
<p><a name="_ftn2" href="#_ftnref"><span class="MsoFootnoteReference">[2]</span></a> Biometrics Design Standards
for UID Applications (December 2009).</p>
</div>
<div id="ftn">
<p style="text-align: justify;"><a name="_ftn3" href="#_ftnref"><span class="MsoFootnoteReference">[3]</span></a> Usha Ramanathan, The Myth of the Technology Fix, http://www.india-seminar.com/2011/617/617_usha_ramanathan.htm.</p>
</div>
</div>
No publisher | Natasha Vaz | Internet Governance | Privacy | 2011-11-24T04:41:41Z | Blog Entry
UID: Nothing to Hide, Nothing to Fear?
https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear
<b>Isn’t it interesting that authorities ask you about your identity and you end up showing your proof of existence! Isn’t this breaching into one’s personal life? Why so much transparency only from the public side? Why can’t the government be equally transparent to the public? asks Shilpa Narani.</b>
<p>Before I get into an argument, I would like to share with you that my research is based on a comparative study of articles published on UID in leading newspapers like the Times of India, the Indian Express, the Hindustan Times and its supplement LiveMint, Business Standard, Asian Age, DNA India, Bangalore Mirror, Deccan Chronicle and Deccan Herald. My research shows that the government officials and the individuals working for the UIDAI, who are involved in proposing the identity system, in fact hide their own identity from the public.</p>
<h3>Background</h3>
<p>A pan-India project to “identify” each resident was formally inaugurated in 2009, with the establishment of the Unique Identification Authority of India (UIDAI) as an office attached to the Planning Commission.[<a href="#1">1</a>] The goal of the Unique ID project is to issue a unique identity number to every resident in the country. The Unique Identification number (UID) will be linked to every resident’s basic demographic and biometric details, and stored in the UIDAI central database.[<a href="#2">2</a>] Will a 12-digit number henceforth decide whether you exist or not? Will it decide whether you remain a known or an unknown person? With this blog I would like to highlight the irony in the UIDAI's attempt to establish whether a person is known or unknown with a 12-digit number.</p>
<p>An identity card virus seems to be spreading across India. Everyone is praising the UID and the social, economic, and political improvements it will bring. “The aim of the UID scheme is to bring transparency in the system,'' says Sonia Gandhi.[<a href="#3">3</a>] One has to wonder though — if the aim of the UID is to bring transparency, why it is that government and UIDAI officials are not transparent themselves?</p>
<h3>Findings</h3>
<p>According to my research, in 55 news articles taken from different newspapers mentioned above, there are 66 persons who shared their views on UID only on the condition of anonymity. Most of these individuals were public servants who themselves did not wish to be identified. For instance, one individual was from the department of information technology, who is working on the UID project and with the UIDAI itself.</p>
<p>Total Anonymous</p>
<p><img src="https://cis-india.org/home-images/uidgrid.jpg/image_preview" alt="UID - Grid Summary" class="image-inline image-inline" title="UID - Grid Summary" /></p>
<p>As one can see from the graph above, the total number of anonymous people sharing their perspectives on the UID is greater than the total number of identified people sharing their perspectives on the UID. Below is a detailed review of UID articles from each newspaper:</p>
<p><strong>Times of India</strong>: Out of 13 articles, Times of India quoted nine anonymous sources in which there were HRD officials, civic sources, sources from census operation department, collectorate sources, senior postal officials, UIDAI officials, and unclassified individuals. Times of India only quoted four identified sources.</p>
<p><strong>Indian Express</strong>: Out of 10 articles, the Indian Express quoted twelve anonymous sources including sources from senior officials of the AADHAR office, senior Delhi government officials and some unclassified sources. Again only four identified sources were quoted.</p>
<p><strong>LiveMint</strong>: Out of 7 articles, LiveMint quoted 15 anonymous sources including sources from the Information Regulatory and Development Authority (IRDA), UIDAI, Bank of India, a senior SEBI official, sources from the ministry, etc. Only 11 sources revealed their identity.</p>
<p><strong>Hindustan Times</strong>: Out of 3 articles, there were 6 anonymous sources, and 5 sources that were identified. Anonymous sources were from UIDAI, finance ministry, and other government officials.</p>
<p><strong>Deccan Herald</strong>: Out of 11 articles, there were 14 anonymous sources and only 6 were identified. Anonymous sources included UIDAI officials, banks, senior officials from government, and unclassified sources as well.</p>
<p><strong>Asian Age</strong>: Out of 4 articles, there were 5 anonymous sources. Anonymous sources included government officials and some unclassified officials.</p>
<h3>Power of Identity: Why is anonymity important?</h3>
<p>UID has the potential to threaten an individual’s ability to be anonymous in society. Anonymity results when the personal identity or personally identifiable information of a person is not known. As demonstrated above, a certain amount of anonymity already exists in India today, but with the coming of the UID there is the potential that this will be changed.</p>
<h3>Conclusion</h3>
<p>As Sonia Gandhi herself said, the UID's aim is to bring transparency in the system. Though the government is eager to make the Indian public transparent in their everyday lives, clearly from the analysis above, individuals working for the government and UIDAI are not comfortable being transparent to the public. It is ironic that the individuals developing and working for this scheme are not willing to voice their opinion and be identified, but private individuals are. Though the UID scheme is being promoted as a way to make the people accountable and visible in the eyes of the government, from the very start of the project the UIDAI and government have kept themselves under a cloud of secrecy. The government’s non-transparent attitude towards this project, and the public's lack of awareness of how it will be used, make the whole scheme shady and unnecessary.</p>
<h3>Notes</h3>
<p class="discreet"><a class="external-link" name="1" href="http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf">[1] http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf</a></p>
<p class="discreet"><a class="external-link" name="2" href="http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf">[2] http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf</a></p>
<p class="discreet"><a class="external-link" name="3" href="http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli">[3] http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli</a></p>
<strong>Download the <a href="https://cis-india.org/internet-governance/publications/uid-grid.xlsx/at_download/file" class="internal-link" title="UID Grid">UID Summary Grid here</a></strong><strong> [Excel, 19kb]</strong>
<div><strong><br /></strong>
<div class="pullquote">For the summary of articles in newspapers, <a href="https://cis-india.org/internet-governance/publications/uid-new-grid" class="external-link">click here</a></div>
</div>
No publisher | shilpa | Internet Governance | Privacy | 2011-09-28T11:44:21Z | Blog Entry
UID: A Data Subject's Registration Tale
https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale
<b>A person who registered for UIDAI shares their experience of registering for the UID Number, on the condition of anonymity.</b>
<p style="text-align: justify; ">The registration process begins with filling in a form, which has a verification clause at the end. This is a statement that the data, including biometric data, is correct and is that of the registrant. The presence of the word ‘biometric’ in relation to the verification creates tacit consent to the collection of biometric data.</p>
<p style="text-align: justify; ">The data subject registered for the UID number as several utilities were being linked to the UID number at that time.</p>
<p style="text-align: justify; ">The data subject pointed out three areas for concern: (i) optional data was being collected under protest; (ii) the subject's documents were being taken out of their sight for scanning; (iii) the ownership of data.</p>
<p style="text-align: justify; ">While registering for the UID number, data subjects have a choice not to link their UID numbers to bank accounts and to utilities such as gas connections. This data subject noticed that the data operator linked these by default and the data subject had to specifically request the de-linking. The data operator did not inform the data subject of the choice not to link the UID with these services. If this is the state of affairs for the conscious registrant, it is unlikely that those who cannot read will be informed of their right to choose. Their information will then be inadvertently linked and they will be denied the right to opt out of the linkage.</p>
<p style="text-align: justify; ">This data subject additionally noted that their right to refuse to provide optional data on the registration form was blatantly disregarded by the enrolling agency. Despite protests against providing this information, the enroller forcibly entered information such as ‘ward number’, which was optional. The enroller justified these actions, stating: “the company will cut our salary.” Unfortunately, registrants do not know who the data collection company is.</p>
<p style="text-align: justify; ">Where the data subjects do not know who collects their data and where it is going, there can be no accountability.</p>
<p style="text-align: justify; ">This incident seems to show that the rules on personal information are being violated. The right to know: the identity and address of the entity collecting the data,<a href="#_ftn1" name="_ftnref1">[1]</a> the purpose of data collection,<a href="#_ftn2" name="_ftnref2">[2]</a> the restrictions on data use<a href="#_ftn3" name="_ftnref3">[3]</a> and the right not to disclose sensitive personal data <a href="#_ftn4" name="_ftnref4">[4]</a> are all granted by the Information Technology Rules. Data subjects also have the right to be informed about the intended recipients<a href="#_ftn5" name="_ftnref5">[5]</a> and the entities that will retain the data. <a href="#_ftn6" name="_ftnref6">[6]</a> The data collector has failed to perform its corresponding duty to make such disclosures and has arguably limited the control of data subjects over their privacy.</p>
<p style="text-align: justify; ">If this is what other UID registrations are like, then perhaps it is time to modify the process of data handling and processing. The law should be implemented better and amended to enable better implementation either through greater state intervention or severe liability when personal information is improperly handled.</p>
<div style="text-align: justify; ">
<hr align="left" size="1" width="100%" />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> R.4(3)(d) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> R. 4(3)(b) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> R. 4(7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> R. 4 (7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> R. 4 (3) (c) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> R.4(3)(d) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
</div>
No publisher | Mukta Batra | UID | Internet Governance | Privacy | 2014-09-11T09:05:07Z | Blog Entry
UID Research
https://cis-india.org/internet-governance/blog/uid-research
<b>The Centre for Internet and Society, India has been researching privacy policy in India since the year 2010 with the following objectives.</b>
<ol style="text-align: justify; ">
<li>Researching the vision and implementation of the UID Scheme - both from a technical and regulatory perspective.</li>
<li>Understanding the validity and legality of collection, usage and storage of Biometric information for this scheme.</li>
<li>Raising public awareness around issues concerning privacy, data security and the objectives of the UID Scheme.</li>
</ol>
<p style="text-align: justify; ">The UID scheme seeks to provide all residents of India an identity number based on their biometrics that can be used to authenticate individuals for the purpose of Government benefits and services. A 2015 Supreme Court ruling has clarified that the UID can only be used in the PDS and LPG Schemes.</p>
<p style="text-align: justify; ">Concerns with the scheme include the broad consent taken at the time of enrolment, the lack of clarity as to what happens with transactional metadata, the centralized storage of the biometric information in the CIDR, the seeding of the Aadhaar number into service providers’ databases, and the possibility of function creep. There are also concerns due to the absence of legislation addressing privacy and security.</p>
<p style="text-align: justify; ">UID Research -</p>
<p style="text-align: justify; ">1. Ramifications of Aadhaar and UID schemes -</p>
<p style="text-align: justify; ">The UID and Aadhaar systems have been bombarded with criticisms and plagued with issues ranging from privacy concerns to security risks. The following articles deal with the many problems and drawbacks of these systems.</p>
<p style="text-align: justify; ">§ UID and NPR: Towards Common Ground <a href="http://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground"> http://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground </a></p>
<p style="text-align: justify; ">§ Public Statement to Final Draft of UID Bill <a href="http://bit.ly/1aGf1NN">http://bit.ly/1aGf1NN</a></p>
<p style="text-align: justify; ">§ UID Project in India - Some Possible Ramifications <a href="http://cis-india.org/internet-governance/blog/uid-in-india">http://cis-india.org/internet-governance/blog/uid-in-india</a></p>
<p style="text-align: justify; ">§ Aadhaar Number vs the Social Security Number <a href="http://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number"> http://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number </a></p>
<p style="text-align: justify; ">§ Feedback to the NIA Bill <a href="http://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill">http://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill</a></p>
<p style="text-align: justify; ">§ Unique ID System: Pros and Cons <a href="http://bit.ly/1jmxbZS">http://bit.ly/1jmxbZS</a></p>
<p style="text-align: justify; ">§ Submitted seven open letters to the Parliamentary Finance Committee on the UID covering the following aspects: SCOSTA Standards (http://bit.ly/1hq5Rqd), Centralized Database (http://bit.ly/1hsHJDg), Biometrics (http://bit.ly/196drke), UID Budget (http://bit.ly/1e4c2Op), Operational Design (http://bit.ly/JXR61S), UID and Transactions (http://bit.ly/1gY6B8r), and Deduplication (http://bit.ly/1c9TkSg)</p>
<p style="text-align: justify; ">§ Comments on Finance Committee Statements to Open Letters on Unique Identity: The Parliamentary Finance Committee responded to the open letters sent by CIS through an email on 12 October 2011. CIS has commented on the points raised by the Committee: <a href="http://bit.ly/1kz4H0F">http://bit.ly/1kz4H0F</a></p>
<p style="text-align: justify; ">§ Unique Identification Scheme (UID) & National Population Register (NPR), and Governance <a href="http://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note"> http://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note </a></p>
<p style="text-align: justify; ">§ Financial Inclusion and the UID <a href="http://cis-india.org/internet-governance/privacy_uidfinancialinclusion">http://cis-india.org/internet-governance/privacy_uidfinancialinclusion</a></p>
<p style="text-align: justify; ">§ The Aadhaar Case <a href="http://cis-india.org/internet-governance/blog/the-aadhaar-case">http://cis-india.org/internet-governance/blog/the-aadhaar-case</a></p>
<p style="text-align: justify; ">§ Do we need the Aadhaar scheme <a href="http://bit.ly/1850wAz">http://bit.ly/1850wAz</a></p>
<p style="text-align: justify; ">§ 4 Popular Myths about UID <a href="http://bit.ly/1bWFoQg">http://bit.ly/1bWFoQg</a></p>
<p style="text-align: justify; ">§ Does the UID Reflect India? <a href="http://cis-india.org/internet-governance/blog/privacy/uid-reflects-india"> http://cis-india.org/internet-governance/blog/privacy/uid-reflects-india </a></p>
<p style="text-align: justify; ">§ Would it be a unique identity crisis? <a href="http://cis-india.org/news/unique-identity-crisis">http://cis-india.org/news/unique-identity-crisis</a></p>
<p style="text-align: justify; ">§ UID: Nothing to Hide, Nothing to Fear? <a href="http://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear"> http://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear </a></p>
<p style="text-align: justify; ">2. Right to Privacy and UID -</p>
<p style="text-align: justify; ">The UID system has been hit by many privacy concerns from NGOs, private individuals and others. The sharing of one's information, especially fingerprints and retinal scans, with a system that is controlled by the government and is not vetted as having good security irks most people. These issues are dealt with in the following articles.</p>
<p style="text-align: justify; ">§ India Fears of Privacy Loss Pursue Ambitious ID Project <a href="http://cis-india.org/news/india-fears-of-privacy-loss">http://cis-india.org/news/india-fears-of-privacy-loss</a></p>
<p style="text-align: justify; ">§ Analysing the Right to Privacy and Dignity with Respect to the UID <a href="http://bit.ly/1bWFoQg">http://bit.ly/1bWFoQg</a></p>
<p style="text-align: justify; ">§ Analysing the Right to Privacy and Dignity with Respect to the UID <a href="http://cis-india.org/internet-governance/blog/privacy/privacy-uiddevaprasad"> http://cis-india.org/internet-governance/blog/privacy/privacy-uiddevaprasad </a></p>
<p style="text-align: justify; ">§ Supreme Court order is a good start, but is seeding necessary? <a href="http://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary"> http://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary </a></p>
<p style="text-align: justify; ">§ Right to Privacy in Peril <a href="http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril"> http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril </a></p>
<p style="text-align: justify; ">3. Data Flow in the UID -</p>
<p style="text-align: justify; ">The articles below deal with the manner in which data is moved around and handled in the UID system in India.</p>
<p style="text-align: justify; ">§ UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules <a href="http://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules"> http://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules </a></p>
<p style="text-align: justify; ">§ Data flow in the Unique Identification Scheme of India <a href="http://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india"> http://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india </a></p>
No publisher | vanya | Internet Governance | Privacy | 2016-01-03T09:59:27Z | Blog Entry
UID Meeting in Bangalore – A Report
https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november
<b>On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K Chandrashekar, former Chairman of the Karnataka Legislature Council, Mr. Vidyashankar, Principal Secretary to Government of e-commerce, Sunil Abraham, Executive Director of Centre for Internet and Society, Jude D’Souza, Technology Specialist and Mathew Thomas, Retired Army Officer.</b>
<p>Mr. Chandrashekar opened the public talk by giving a summary of the UID scheme and sharing his own apprehensions about the project. Voicing his concerns about the scale and architecture of the project, the collection of biometrics from individuals, and the fact that other countries have abandoned similar projects, he raised many points that provoked thought in the audience.</p>
<p>In his presentation, Jude D’Souza explained how the technology (iris scanners and fingerprint readers) that is used in the UID project can be easily spoofed. Through demonstration he showed how fingerprints can be replicated and subsequently authenticated using simply a wax model. He also raised the point that high-resolution cameras are now able to capture an individual’s fingerprint and iris; the captured image can then be transferred and duplicated, and subsequently used for authentication. The point emphasized by D’Souza was that the technology being used by the UID is not as foolproof as is being claimed, and yet nowhere in the Bill or project is this concern being addressed. Redress for possible transaction errors is not provided for in the Bill, and it is not clear what steps an individual should take if a problem does arise.</p>
<p>Sunil Abraham spoke on the legality of the UID project, emphasizing that civil society does not oppose the project in itself but is concerned with the weaknesses that exist in the proposed legislation. He noted problems such as an overly broad scope, privacy concerns, and lack of adequate forms of redress. Mr. Abraham also contrasted the UID project with the identity work that has been done in Estonia, and raised the question as to whether a centralized system is entirely necessary as opposed to a decentralized system of identity. <br />Mathew Thomas, through the use of many examples, drove home two main questions.</p>
<ol><li>Why is a project that is based on biometrics with a centralized structure necessary?</li><li>Can the project realistically meet its proposed objectives of bringing benefits to the poor?</li></ol>
<p>Using the UK’s failed centralized identity scheme, which is similar to the UID scheme, he made the argument that India has the opportunity to learn from the mistakes of others, and this opportunity should not be overlooked or passed by. Mr. Thomas also pointed out that a proper cost benefit analysis is lacking for the project, as well as proper test trials of the technology and scheme.</p>
<p>Mr. Vidyashankar presented on the progress of the UID in Karnataka and answered questions concerning the project. In particular he focused on explaining the collection of information for Know Your Resident (KYR), and Know Your Resident+ (KYR+). KYR information includes: an individual’s name, address, date of birth, gender, relation details, phone number (optional), email (optional), and financial information. KYR+ includes: Physically Handicapped, EPIC Card No, Pan No., Bank Details, LPG Gas Connection, Supply Card, MNREGA Job Card, RSBY Card No, Pension ID, National Population Register No, Property Tax, Electricity Consumer No., Water Connection No., and BPL Data. The purpose of collecting the extra data for KYR+ is to prevent the exploitation of subsidies. By having on record who is eligible for what benefit, the over-collection of benefits will be stopped. Vidyashankar also addressed privacy concerns, assuring the audience that information is encrypted at the time of collection and secured for privacy measures.</p>
<p>The reaction from the audience was one of apprehension, and in some cases anger. Individuals questioned the achievability of the objectives of the project, and expressed concerns that their tax money was being wasted. The overall sentiment in the room was that the UID project and Bill will be passed through Parliament but that in the long run, it will not benefit the everyday Indian citizen.</p>
<p>In a later interview Mr. Vidyashankar kindly clarified different details of the project that were still unclear. For example, if individuals need to update the information in their profile, such as their address, they are able to do so by visiting the closest centre, authenticating themselves, and requesting that the information be changed. He also clarified that registrars and enrollers are monitored as they are registering and authenticating individuals, and that numbers issued today and in the pilot projects will be valid after the Bill is passed through parliament. At the close of the interview he again assured me that the UID project does account for individuals’ privacy, and is able to adequately protect collected data due to the use of level five encryption. Despite Mr. Vidyashankar’s assurances, it does not seem logical that the UID project is privacy safe, if a Privacy Legislation is being created specifically to protect the data that the UID will be collecting. It is concerning that the UID project is being carried forward without adequate built-in safeguards, and even more concerning that the Bill could be passed through parliament and become a living law without the much needed privacy safeguards in place.</p>
<p><strong>Note</strong>: Recently a final draft of the UID Bill that will be submitted to the Lok Sabha was released to the public. Civil Society has responded with comments and concerns for the UID Bill, which can be found on the CIS website.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november'>https://cis-india.org/internet-governance/blog/privacy/uid-meeting-november</a>
</p>
No publisher | praskrishna | Privacy | 2011-01-04T08:14:52Z | Blog Entry
UID has no legal sanctity, says lawyer-activist
https://cis-india.org/news/the-hindu-march-3-2013-uid-has-no-legal-sanctity
<b>‘Iris scanning adopted for the UID project is flawed as the iris keeps changing’</b>
<hr />
<p class="body" style="text-align: justify; ">This article was <a class="external-link" href="http://www.thehindu.com/todays-paper/tp-national/tp-karnataka/uid-has-no-legal-sanctity-says-lawyeractivist/article4471076.ece">published in the Hindu</a> on March 3, 2013. CIS organized a workshop at the event.</p>
<hr />
<p class="body" style="text-align: justify; ">Unique Identification Authority of India (UIDAI) and the UID project have no legal sanctity, said independent law researcher and human rights activist Usha Ramanathan on Saturday.</p>
<p class="body" style="text-align: justify; ">Speaking at a workshop on the UID, the National Population Register and Governance, organised by the Centre for Internet and Society, Ms. Ramanathan said the UIDAI has “no clear legal status.” “The fact that there are no limits placed on its functioning is deeply worrying,” she remarked.</p>
<p class="body" style="text-align: justify; ">Ms. Ramanathan pointed out that an agency, which was created by a mere executive order in 2009, now “owns” the data obtained from Indian citizens. Although the UIDAI has said enrolment is not mandatory, a host of providers of essential services – from ration shops to LPG distributors and now even railway tickets – require Aadhaar authentication.</p>
<p class="body" style="text-align: justify; ">The idea of using biometric validation of identities was adopted despite there “being no evidence of its viability anywhere in the world,” Ms. Ramanathan said. In fact, several reports have established the failure of biometrics as a means of validating identities, she claimed. The iris scanning, which has been adopted for the UID project is flawed because the iris does change over time, she said.</p>
<p class="body" style="text-align: justify; ">Anant Maringati, a geographer from Hyderabad, said the “positive” potential of the project has been usurped by entities such as microfinance institutions, which use it to track those who have defaulted on loans.</p>
<hr />
<p class="body" style="text-align: justify; ">‘<i>An agency, which was created by a mere executive order in 2009, now owns the data obtained from Indian citizens’</i><br /><br /><i>‘Although the UIDAI has said enrolment is not mandatory, providers of essential services seek Aadhaar authentication’</i></p>
<hr />
<p>
For more details visit <a href='https://cis-india.org/news/the-hindu-march-3-2013-uid-has-no-legal-sanctity'>https://cis-india.org/news/the-hindu-march-3-2013-uid-has-no-legal-sanctity</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2013-03-11T06:08:32Z | News Item
UID and NPR: Towards Common Ground
https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground
<b>The UID (Unique Identification) and NPR (National Population Register) are both government identity schemes that aggregate personal data, including biometric data for the provision of an identification factor, and aim to link them with the delivery of public utility services.</b>
<p style="text-align: justify; ">The differences between the two exist in terms of collection of data, the type of identification factor issued, authorities involved and the outcome.</p>
<p style="text-align: justify; ">Despite the differences, there has been talk of combining the two schemes because of the overlap.<a href="#_ftn1" name="_ftnref1">[1]</a> In the same breath, it has been argued that the two schemes are incompatible. <a href="#_ftn2" name="_ftnref2">[2]</a></p>
<p style="text-align: justify; ">One of the UIDAI’s (Unique Identification Authority of India) functions is to harmonize the two schemes. <a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; ">As it stands, the schemes are distinct. Enrolment for a UID does not lead to automatic enrolment in the NPR. The NPR website expressly states that even if a data subject has undergone census or has been granted a UID Number, it is necessary to visit a data collection centre to provide biometric data for the NPR.<a href="#_ftn4" name="_ftnref4">[4]</a></p>
<h2 style="text-align: justify; ">UID and NPR: The Differences</h2>
<h3 style="text-align: justify; ">The Basis of identity/ Unit of Survey</h3>
<p style="text-align: justify; ">The most striking difference between the UID and NPR Schemes is their notion of identity. The UID is individual based, whereas the NPR scheme focuses on the household or the family as a composite unit. Thus, the UID seeks to enroll individuals while the NPR seeks to gather data of the members of a household or family as a composite unit during the census and later register each person for an NPR Card, on the basis of the census data. To this extent, analysis of the data gathered from the two schemes will be different and will require differing analytical tools. The definition of the data subject and the population is different. In one scheme, the unit is an individual; in the other it is the household/family. Though the family is the composite unit in the NPR, when the data is finally extracted it is unpaired to provide individuals with NPR cards. The family-based association is not lost, however, and it is argued that this household association of NPR should be used to calculate and provide subsidies. Some states have put on hold transfer of cooking gas subsidy, which is calculated for each household, through Aadhaar-linked bank accounts.<a href="#_ftn5" name="_ftnref5">[5]</a> If both schemes were merged, the basis for determining entitlement to subsidies would be non-uniform.</p>
<h3 style="text-align: justify; ">Differences in Information Collection</h3>
<p style="text-align: justify; ">The UID and NPR have different procedures for collection of information. In the UID scheme, all data is collected in data collection centres whereas NPR data is collected door to door in part and in collection centres for the other part.</p>
<p style="text-align: justify; ">UID data is collected by the UIDAI themselves or by private parties, under contract. These contractors are private parties: often, online marketing service providers.<a href="#_ftn6" name="_ftnref6">[6]</a> The data subjects were initially allowed registration through an introducer and without any documentation. This was replaced with the verification system where documents were to be produced for registration for UID.</p>
<p style="text-align: justify; ">The NPR involves a dual collection process: the first stage is the door-to-door collection of data as part of the Census. This information is collected through a questionnaire. No supporting documents or proof are produced to verify this data. The verification happens at a later stage, through public display of the information. This data is digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’s data is aggregated and then de-duplicated by the UIDAI. <a href="#_ftn7" name="_ftnref7">[7]</a></p>
<p style="text-align: justify; ">This shows two points of merger. It can be suggested that when data is collected for the UID number, then the subject should not have to give their biometrics for the NPR Scheme again. The sharing of biometrics across the schemes will reduce cost and redundancy. While sharing of UID data with NPR is feasible, the reverse is not true, since UID is optional and NPR is not. If NPR data is to be shared with UID, then the subject has the right to refuse. However, the consent for using NPR data for the UID is a default YES in the UID form. <a href="#_ftn8" name="_ftnref8">[8]</a> Prohibiting the information sharing is not an option.</p>
<h3 style="text-align: justify; ">Differences in Stated Purposes</h3>
<p style="text-align: justify; ">The NPR is linked to citizenship status. The NPR exercise is being conducted to create a national citizen register and to assist in identifying and preventing illegal immigration. The NPR card, a desired outcome, is aimed to be a conduit for transactions relating to subsidies and public utilities.<a href="#_ftn9" name="_ftnref9">[9]</a> So is the UID Number, which was created to provide the residents of India an identity. The linkage and provision of subsidies through the NPR and UID cards have not taken off on a large scale and there is a debate as to which will be more appropriate for direct benefit transfer, with some leaders proclaiming that the NPR scheme is more suited to direct benefit transfer.<a href="#_ftn10" name="_ftnref10">[10]</a> Since the UID Number is linked to direct benefit transfer, but not to citizenship, benefits such as those under the MNREGA scheme, may be availed by non-citizens as well, though only citizens are eligible for the scheme.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; ">C. Chandramouli, the Registrar General and Census Commissioner of India, states that the conflict between the two schemes is only perceived, and results from a poor understanding of the differences in objective. The NPR, he states, is created to provide national security through the creation of a citizen register, starting with a register of residents after authentication and verification of the residence of the subjects. On the other hand, the UID exercise is to provide a number that will be used to correctly identify a person.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<h3 style="text-align: justify; ">Difference in Legal Sanctity</h3>
<p style="text-align: justify; ">The UIDAI was set up through an executive notification, which dictates a few of its responsibilities, including: assigning a UID number, collating the UID and NPR schemes, laying down standards for interlinking with partner databases and so on. However, the UIDAI has not expressed responsibility to collect, or authorize collection of data under this scheme. The power to authorize the collection of biometrics is vested with the National Identification Authority of India (NIAI), which will be set up under the National Identification Authority of India Bill, (NIAI Bill, which is at times referred to as the UID Bill).</p>
<p style="text-align: justify; ">The NPR Scheme has been created pursuant to the 2004 Amendment of the Citizenship Act. Under S. 14A of the Citizenship Act, the central government has the power to compulsorily register citizens for an Identity Card. This gives the NPR exercise sanctity. However, no authority to collect biometric information has been given either under this Act or Rules framed under it.</p>
<h2 style="text-align: justify; ">Future of Aadhaar</h2>
<p style="text-align: justify; ">The existence of both the UID and NPR Schemes leads to redundancy. Therefore, many have advocated for their merger. This seems impractical, as the standards in collection and management of data are not the same.</p>
<p style="text-align: justify; ">For some time, it was thought that the Aadhaar Scheme would be scrapped. This belief was based on the present government’s opposition to the scheme during and before the election. This was further strengthened by the fact that they did not expressly mention the continuance of the scheme in their manifesto. The Cabinet Committee on UIDAI was disbanded and the enrolment for the UID Number was stopped, only to be resumed a short while later.<a href="#_ftn13" name="_ftnref13">[13]</a></p>
<p style="text-align: justify; ">However, recent events show that the Aadhaar scheme will continue. First, the new government has stated that the UID scheme will continue. In support of the UID Scheme, the government has made budgetary allocation for the scheme to enable, <i>inter alia,</i> its being sped up. The Government even intends to enact a law to give the scheme sanctity. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<p style="text-align: justify; ">Second, the Government is assigning the UID Number new uses. To track attendance of government employees, the Government shall use a biometric attendance system, which is linked to the employee’s UID Number. <a href="#_ftn15" name="_ftnref15">[15]</a> The attendance will be uploaded onto a website, to boost transparency.</p>
<p style="text-align: justify; ">Third, direct benefit transfers under the UID will become more vigorous.</p>
<p style="text-align: justify; ">The UID is already necessary for registration under the NPR, which is compulsory.</p>
<p style="text-align: justify; ">Providing one’s UID Number for utilities such as cooking gas is also compulsory in several areas, despite the Court’s diktat that it should not be so.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The government is in favour of continuing both the schemes. Therefore, it is unlikely that either scheme will be scrapped or that the two schemes will be combined. The registration for UID is becoming compulsory by implication as it is required for direct benefit transfers and for utilities. Data collected under NPR is being shared with the UIDAI by default, when one registers for a UID number. However, the reverse is unlikely, as the UID collects secondary data, whereas NPR requires primary data, which it collects through physical survey and authentication. Perhaps the sharing of data could be incorporated when one goes to the data collection centre to submit biometrics for the NPR. The subject could fill in the UID form and submit verification documents at this stage, completing both exercises in one go. This will drastically reduce the combined costs of the two exercises.</p>
<hr style="text-align: justify; " />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Rajesh Aggarwal, Merging UID and NPR???, Igovernment, accessed 5 September, 2014 <a href="http://www.igovernment.in/igov/opinion/41631/merging-npr-uid">http://www.igovernment.in/igov/opinion/41631/merging-npr-uid</a>; Bharti Jain, Rajnath Hints at Merger of NPR and Aadhar, Times of India, accessed 5 September, 2014 <a href="http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms">http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> Raju Rajagopal, The Aadhar-NPR Conundrum, Mint, accessed 5 September, 2014 <a href="http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html">http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html</a> .</p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> Cl. 4 of the Notification on the creation of the UIDAI, No. A-43011/02/2009-Admin.1 of the Planning Commission of India, dated 28 January, 2009</p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> FAQ for NPR, accessed: 3 September, 2014. <a href="http://censusindia.gov.in/2011-Common/FAQs.html">http://censusindia.gov.in/2011-Common/FAQs.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> A Jolt for Aadhar: UPA Shouldn’t Have to Put on Hold its Only Good Idea, Business Standard, accessed 5 September, 2014 <a href="http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html">http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> NPR Activities, accessed 5 September, 2014, <a class="external-link" href="http://ditnpr.nic.in/NPR_Activities.aspx">http://ditnpr.nic.in/NPR_Activities.aspx</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> R. Dinakaran, NPR and Aadhar- A Confused Process, The Hindu BusinessLine, accessed: 4 September, 2014 <a href="http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece">http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> More than sixty-five thousand NPR cards have been issued and biometric data of more than twenty-five lakh people has been captured, as on 28 August, 2014 <a href="http://censusindia.gov.in">http://censusindia.gov.in</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> NPR, not Aadhaar, best tool for cash transfer: BJP's Sinha, accessed: 3 September, <a class="external-link" href="http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033">http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033</a></p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> Bharati Jain, NDA's national ID cards may kill UPA's Aadhaar, accessed 3 September, 2014 <a href="http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms">http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> <i>Id.</i></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> Aadhar Enrolment Drive Begins Again, accessed 3 September, 2014 <a href="http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms">http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Mahendra Singh, Modi govt to give legal backing to Aadhaar, Times of India, <a href="http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms">http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> Narendra Modi Government to Launch Website to Track Attendance of Central Government Employees, DNA, accessed: 4 September, 2014 <a href="http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684">http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684</a></p>
<p style="text-align: justify; "><a href="#_ftnref16" name="_ftn16">[16]</a> No gas supply without Aadhaar card, Deccan Chronicle, accessed: 4 September, 2014, <a href="http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card">http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card</a></p>
<hr />
<p>Note: This is an anonymous post.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground'>https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground</a>
</p>
No publisher | Mukta Batra | UID, Aadhaar, Internet Governance, Privacy | 2014-10-15T13:06:40Z | Blog Entry
UID & Privacy - A Call for Papers
https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers
<b>Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010. </b>
<h3>Topic</h3>
<p>Privacy and the UID</p>
<h3>Submission Deadline</h3>
<p> By 15 January 2010 to admin@privacyindia.org</p>
<h3>Word Length</h3>
<p> 3,000-5,000 words</p>
<h3>Topic Summary</h3>
<p>The <em>Aadhaar</em> scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate. </p>
<p>As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is fully in place.</p>
<p>We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:</p>
<ul><li>Comparative studies on privacy and national identity card schemes in other countries</li>
<li>Privacy and the UID Bill</li>
<li>How will a project such as the UID change the relationship between the state, the individual, and the market?</li></ul>
<p>Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.</p>
<h3>Who We Are</h3>
<p>Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see <a class="external-link" href="http://www.privacyinternational.org/">www.privacyinternational.org</a>). Privacy India's objective is to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers'>https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers</a>
</p>
No publisher | elonnai | Internet Governance, Privacy | 2012-03-21T10:03:44Z | Blog Entry
Transparency Reports — A Glance on What Google and Facebook Tell about Government Data Requests
https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests
<b>Transparency Reports are a step towards greater accountability but how efficacious are they really? </b>
<p style="text-align: justify; ">Prachi Arya examines the transparency reports released by tech giants with a special focus on user data requests made to <a class="external-link" href="https://www.google.co.in/">Google</a> and <a class="external-link" href="https://www.facebook.com/">Facebook</a> by Indian law enforcement agencies.</p>
<p style="text-align: justify; "><i>The research was conducted as part of the 'SAFEGUARDS' project that CIS is doing with Privacy International and IDRC.</i></p>
<hr />
<p style="text-align: justify; ">According to a recent <a class="external-link" href="http://www.comscore.com/Insights/Press_Releases/2013/8/comScore_Releases_the_2013_India_Digital_Future_in_Focus_Report">comScore Report</a>, India has now become the third largest internet user with nearly 74 million citizens on the Internet, falling just behind China and the United States. The report also reveals that Google is the preferred search engine for Indians and Facebook is the most popular social media website, followed by <a class="external-link" href="http://www.linkedin.com/">LinkedIn</a> and <a class="external-link" href="https://twitter.com/">Twitter</a>. While users posting their photos on Facebook can limit viewership through privacy settings, there isn’t much they can do against the government seeking information on their profiles. All that can be said for sure in the post-Snowden world is that large-scale surveillance is a reality and the government wants it on their citizens’ online existence. In this Orwellian scenario, transparency reports provide a trickle of information on how much our government finds out about us.</p>
<p style="text-align: justify; ">The first transparency report was released by Google three years ago to provide an insight into <a class="external-link" href="http://googleblog.blogspot.in/2013/04/transparency-report-more-government.html">‘the scale and scope of government requests for censorship and data around the globe’</a>. Since then the issuance of such reports has increasingly become a standard practice for tech giants. An <a class="external-link" href="https://www.eff.org/who-has-your-back-2013">Electronic Frontier Foundation Report</a> reveals that major companies that have followed Google’s lead include Dropbox, LinkedIn, Microsoft and Twitter, with Facebook and Yahoo! being the latest additions. Requests to <a class="external-link" href="https://transparency.twitter.com/">Twitter</a> and <a class="external-link" href="https://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/">Microsoft</a> from Indian law enforcement agencies were significantly fewer than requests to Facebook and Google. Twitter revealed that Indian law enforcement agencies made less than 10 requests, none of which resulted in sharing of user information. Out of the 418 requests made to Microsoft by India (excluding Skype), 88.5 per cent were complied with for non-content user data. The <a class="external-link" href="http://info.yahoo.com/transparency-report/">Yahoo! Transparency Report</a> revealed that 6 countries surpassed India in terms of the number of user data requests. Indian agencies requested user data 1490 times from 2704 accounts for both content and non-content data and over 50 per cent of these requests were complied with.</p>
<p style="text-align: justify; ">The following is a compilation of what the latest transparency reports issued by Facebook and Google reveal.</p>
<h3 class="external-link"><a class="external-link" href="http://www.google.com/transparencyreport/">Google</a></h3>
<blockquote class="quoted" style="text-align: justify; ">"The information we share on the Transparency Report is just a sliver of what happens on the internet"<br /><b>Susan Infantino</b>, <i>Legal Director for Google</i></blockquote>
<p class="MsoListParagraph">Beginning from December 2009, Google has published several biannual transparency reports:</p>
<ul>
<li style="text-align: justify; ">It discloses traffic data of Google services globally and statistics on removal requests received from copyright owners or governments as well as user data requests received from government agencies and courts. It also lays down the legal process required to be followed by government agencies seeking data.</li>
</ul>
<ul>
<li style="text-align: justify; ">There was a 90 per cent increment in the number of <a class="external-link" href="http://www.google.com/transparencyreport/removals/government/">content removal requests</a> received by Google from India. The requests complied with included:
<ul>
<li style="text-align: justify; ">Restricting videos containing clips from the controversial movie “Innocence of Muslims” from view. </li>
<li style="text-align: justify; ">Many YouTube videos and comments as well as some Blogger blog posts being restricted from local view for disrupting public order in relation to instability in North East India.</li>
</ul>
</li>
<li style="text-align: justify; ">For <a class="external-link" href="http://www.google.com/transparencyreport/userdatarequests/IN/">User Data requests</a>, the Google report details the number of user data requests and users/accounts as well as percentage of requests which were partially or completely complied with. In India the user data requests more than doubled from 1,061 in the July-December 2009 period to 2,431 in the July-December 2012 period. The compliance rate decreased from 79 per cent in the July-December 2010 period to 66 per cent in the last report.</li>
<li style="text-align: justify; ">Jurisdictions outside the United States can seek disclosure using Mutual Legal Assistance Treaties or any ‘other diplomatic and cooperative arrangement’. Google also provides information on a voluntary basis if requested following a valid legal process if the requests are in consonance with international norms, U.S. and the requesting countries' laws and Google’s policies.</li>
</ul>
<h3><a class="external-link" href="https://www.facebook.com/about/government_requests">Facebook</a></h3>
<blockquote class="quoted" style="text-align: justify; ">"We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations." <br /><b>Colin Stretch</b>, <i>Facebook General Counsel</i></blockquote>
<p style="text-align: justify; ">Facebook inaugurated its first ever transparency report last Tuesday with a promise to continue releasing these reports.</p>
<ul>
<li style="text-align: justify; ">The ‘Global Government Requests Report’ provides information on the number of requests received by the social media giant for user/account information by country and the percentage of requests it complied with. It also includes operational guidelines for law enforcement authorities.</li>
</ul>
<ul>
<li style="text-align: justify; ">The report covers the first six months of 2013, specifically till June 30. In this period India made 3,245 requests from 4,144 users/accounts and half of these requests were complied with. </li>
</ul>
<ul>
<li style="text-align: justify; ">Jurisdictions outside the United States can seek disclosure by way of mutual legal assistance treaties requests or letter rogatory. Legal requests can be in the form of search warrants, court orders or subpoena. The requests are usually made in furtherance of criminal investigations but no details about the nature of such investigations are provided.</li>
</ul>
<ul>
<li style="text-align: justify; ">Broad or vague requests are not processed. The requests are expected to include details of the law enforcement authority issuing the request and the identity of the user whose details are sought. </li>
</ul>
<h3>The Indian Regime</h3>
<p style="text-align: justify; ">Sections 69 and 69 B of the <a class="external-link" href="http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf">Information Technology (Amended) Act, 2008</a> prescribe the procedure and set safeguards for the Indian Government to request user data from corporates. According to section 69, authorized officers can issue directions to intercept, monitor or decrypt information for the following reasons:</p>
<ol>
<li>Sovereignty or integrity of India,</li>
<li>Defence of India,</li>
<li>Security of the state,</li>
<li>Friendly relations with foreign states, </li>
<li>Maintenance of public order,</li>
<li>Preventing incitement to the commission of any cognizable offence relating to the above, or</li>
<li>For investigation of any offence.</li>
</ol>
<p style="text-align: justify; ">Section 69 B empowers authorized agencies to monitor and collect information for cyber security purposes, including ‘for identification, analysis and prevention of intrusion and spread of computer contaminants’. Additionally, there are rules under section 69 and 69 B that regulate interception under these provisions.</p>
<p style="text-align: justify; ">Information can also be requested through the Controller of Certifying Authority under section 28 of the IT Act which circumvents the stipulated procedure. If the request is not complied with then the intermediary may be penalized under section 44.</p>
<p style="text-align: justify; ">The Indian Government has been increasingly leaning towards greater control over online communications. In 2011, <a class="external-link" href="http://in.news.yahoo.com/court-stays-rs-11-lakh-fine-imposed-yahoo-163503671.html">Yahoo! was slapped with a penalty of Rs. 11 lakh</a> for not complying with a section 28 request, which called for email information of a person on the grounds of national security, although the court subsequently stayed the Controller of Certifying Authorities' order. In the same year the government called for <a href="https://cis-india.org/internet-governance/unkindest-cut-mr-sibal" class="external-link">pre-screening user content</a> by internet companies and social media sites to ensure deletion of ‘objectionable content’ before it was published. Similarly, the government has increasingly sought <a class="external-link" href="http://www.hrw.org/news/2013/06/07/india-new-monitoring-system-threatens-rights">greater online censorship</a>, using the Information Technology Act to arrest citizens for social media posts and comments and even emails criticizing the government.</p>
<h3 style="text-align: justify; ">What does this mean for Privacy?</h3>
<p style="text-align: justify; ">The Google Transparency Report has thrown light on an increasing trend of governmental data requests on a yearly basis. The reports published by Google and Facebook reveal that the number of government requests from India is second only to the United States. Further, more than 50 per cent of the requests from India have led to disclosure by nearly all the companies surveyed in this post, with Twitter being the single exception.</p>
<p style="text-align: justify; ">Undeniably, transparency reports are important accountability mechanisms which reaffirm the company’s dedication towards protecting its users’ privacy. However, basic statistics and vague information cannot lift the veil on the full scope of surveillance. Even though Google’s report has steadily moved towards a more nuanced disclosure, it would only be meaningful if, <i>inter alia</i>, it included a break-up of the purpose behind the requests. Similarly, although Google has also included a general understanding of the legal process, more specifics need to be disclosed. For example, the report could provide statistics for notifications to indicate how often users under scrutiny are not notified. Such disclosures are important to enhance user understanding of when their data may be accessed and for what purposes, particularly without prior or retrospective intimation of the same. Until the report can provide comprehensive details about the kind of surveillance websites and internet services are subjected to, it will be of very limited use. Its greatest limitation, however, may lie beyond its scope.</p>
<p style="text-align: justify; ">The monitoring regime envisioned under the Information Technology Act effectively lays down an overly broad system which may easily lead to abuse of power. Further, the Indian Government has become infamous for its need to control websites and social media sites. Now, with the Indian Government’s plan for establishing the Central Monitoring System, the need for intermediaries to conduct the interception may be done away with, giving the government unfettered access to user data and potentially rendering corporate transparency of data requests obsolete.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests'>https://cis-india.org/internet-governance/blog/what-google-and-facebook-tell-about-govt-data-requests</a>
</p>
No publisher | prachi | Internet Governance | Privacy | 2013-09-13T09:44:53Z | Blog Entry
Trans Pacific Partnership and Digital 2 Dozen: Implications for Data Protection and Digital Privacy
https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy
<b>In this essay, Shubhangi Heda explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between the United States of America and eleven countries located around the Pacific Ocean region, across South America, Australia, and Asia. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising the global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of the digital economy, and sets up the relevant goals for the member nations.</b>
<p> </p>
<p>1. <strong><a href="#1">Introduction</a></strong></p>
<p>2. <strong><a href="#2">Analysis of TPP and D2D</a></strong></p>
<p>2.1. <strong><a href="#2-1">Trans Pacific Partnership (TPP)</a></strong></p>
<p>2.2. <strong><a href="#2-2">Digital 2 Dozen (D2D)</a></strong></p>
<p>3. <strong><a href="#3">Major Criticisms of the Digital Agenda of TPP</a></strong></p>
<p>3.1. <strong><a href="#3-1">Data Protection</a></strong></p>
<p>3.2. <strong><a href="#3-2">Digital Privacy</a></strong></p>
<p>4. <strong><a href="#4">Implications of TPP for RCEP</a></strong></p>
<p>5. <strong><a href="#5">Implications of TPP in the Context of EU Safe Harbour Judgement</a></strong></p>
<p>6. <strong><a href="#6">Implications of TPP for India after US-India Cyber Relationship Agreement</a></strong></p>
<p>7. <strong><a href="#7">Conclusion</a></strong></p>
<p>8. <strong><a href="#8">Endnotes</a></strong></p>
<p>9. <strong><a href="#9">Author Profile</a></strong></p>
<hr />
<h2 id="1">1. Introduction</h2>
<p>This essay explores the concerns related to data protection and digital privacy under the Trans Pacific Partnership (TPP) agreement signed recently between the United States of America and eleven countries located around the Pacific Ocean region, across South America, Australia, and Asia <strong>[1]</strong>. TPP is a free trade agreement (FTA) that emphasises, among other things, the need for liberalising the global digital economy. The essay also analyses the critical document titled ‘Digital 2 Dozen’ (D2D), which compiles the key action items within TPP addressing liberalisation of the digital economy, and sets up the relevant goals for the member nations. TPP requires the member countries to facilitate unhindered digital data flow across nations, for commercial and governmental purposes, which evidently has major implications for national and regional data protection and privacy regimes. These implications must also be seen in the context of the recent judgement by the EU Court of Justice against the validity of the EU-USA data transfer agreement of 2000. Further, the essay discusses the potential impacts that TPP/D2D might have on India, in the context of the ongoing USA-India Cyber Relationship dialogue. If privacy concerns are not raised now, TPP might act as a model framework for future FTAs that fail to encompass a proper data protection and digital privacy regime.</p>
<h2 id="2">2. Analysis of TPP and D2D</h2>
<h3 id="2-1">2.1. Trans Pacific Partnership (TPP)</h3>
<p>Trans Pacific Partnership (TPP) is a large multi-partner free trade agreement amongst twelve Asia-Pacific countries, which is closely led by the geo-political and economic strategies of the USA. Negotiation of TPP started in 2008, when the USA joined the Pacific Four (P-4) negotiations; in 2015 the negotiations were concluded and the text was released. Ministers from the member countries signed the agreement on February 4, 2016 <strong>[2]</strong>. The main aim of TPP is to liberalise trade and investment beyond what is provided for within the WTO. It is also considered to be a strategic move by the US to counter the trade linkages that are being established in the Asian region. TPP largely covers topics of market access, and rules on various related issues such as intellectual property rights, labour laws, and environment standards <strong>[3]</strong>.</p>
<p>Between 1992 and 2012 the number of bilateral trade agreements signed in Asia surged from 25 to 103, and the effect of these FTAs is called the ‘noodle bowl effect’. TPP is seen as a framework which will replace the FTAs that are causing the ‘noodle bowl effect’. Although these FTAs are being replaced, various bilateral arrangements have been signed along with TPP. The USA has also stated that TPP will not affect the already existing NAFTA <strong>[4]</strong>. While TPP is being concluded, another free trade agreement is being negotiated between the USA and the EU: the Transatlantic Trade and Investment Partnership (TTIP). Both TPP and TTIP are considered to serve a similar objective, which is to deal with new and modern trade issues. Both agreements are also US-led, and since negotiations for TPP are now finalised it may have a significant impact on TTIP <strong>[5]</strong>.</p>
<p>TPP is one of the first documents to deal specifically with the digital economy and to apply across borders. Its main aims are to promote the free flow of data across borders without data localisation. It aims to remove national clouds and regional internets. It also includes provisions to combat theft of trade secrets. It provides for a transparent regulatory process with inputs from various stakeholders. It also aims to provide access to tools and procedures for the conduct of e-commerce <strong>[6]</strong>.</p>
<p>Some of the major criticisms of TPP concerned the following issues <strong>[7]</strong>:</p>
<ul><li>environment: the agreement does not address the issue of climate change, and the language it uses is very weak;</li>
<li>labour rights: the provision mandates parties to adhere to the ILO provisions, but it does not seem to provide an effective framework and might not bring the desired change;</li>
<li>investment: the chapter is seen as controversial because of the investor-state dispute settlement clause, which will allow foreign investors to sue governments over policies that might cause harm to them;</li>
<li>e-commerce and telecommunication: these chapters raise major privacy concerns;</li>
<li>intellectual property: the chapter includes controversial rules regarding pharmaceutical companies and data exclusivity, apart from the privacy concerns.</li></ul>
<h3 id="2-2">2.2. Digital 2 Dozen (D2D)</h3>
<p>D2D is a set of rules and aims drafted specifically for trade agreements related to the open internet and the digital economy. The more specific aims of TPP as provided within the ‘Digital 2 Dozen’, aiming for more liberalised trade in digital goods and services, are <strong>[8]</strong>:</p>
<ul><li>promoting free and open internet,</li>
<li>prohibiting digital custom duties,</li>
<li>securing basic non-discrimination principles,</li>
<li>enabling cross-border data flows,</li>
<li>preventing localization barriers,</li>
<li>barring forced technology transfers,</li>
<li>advancing innovative authentication methods,</li>
<li>delivering enforceable consumer protections,</li>
<li>safeguarding network competition,</li>
<li>fostering innovative encryption products, and</li>
<li>building an adaptable framework.</li></ul>
<p>The strategic goal of the US in introducing D2D as the goals of TPP has been to set a trend within the Asian region for all trade agreements. It is expected to ensure that if TPP is a success, similar goals and policy frameworks will be followed for other trade agreements as well. For example, the USA-India partnership also enshrines similar aims and so does the USA-Korea partnership. Hence, while India is not part of TPP, the USA is nonetheless trying to get India into a partnership which is similar to the TPP. The language proposed by the USA in TPP negotiations has always been supportive of cross-border data flows, as it claims that companies have mechanisms to keep a privacy check and that privacy would not be undermined, but countries like New Zealand and Australia, which have strong national privacy protection laws, have raised concerns which will be discussed in further sections <strong>[9]</strong>. The Digital 2 Dozen initiative affects not only privacy rights but also other digital rights: TPP proposes excessive copyright terms, extending the term of copyright to a hundred years, which deprives the public of access to knowledge; in line with the U.S. motive to give more power to private entities, the ISP obligations enumerated within TPP put freedom of expression and privacy at risk, as ISPs are allowed to check for copyright infringement and TPP does not place any privacy restriction in this regard; it introduces new fair use rules; it bans circumvention of digital locks or DRMs; it contains no compulsory limitation for persons with disabilities; it lacks fair use for journalistic rights; while net neutrality is a major issue in many developing nations in Asia, no effective provision for net neutrality is aimed at in the D2D initiative; and it prohibits open source mandates, which puts up a barrier for countries that want to release any software as open source as a policy decision <strong>[10]</strong>.</p>
<h2 id="3">3. Major Issues Related to Data Protection and Privacy in the TPP</h2>
<h3 id="3-1">3.1. Data Protection</h3>
<p>One of the major concerns raised against TPP is regarding the data protection provisions that have been integrated within the E-Commerce chapter of the agreement. Article 14.11 and Article 14.13 are the ones that deal with data flow related to consumer information. Article 14.11 puts a requirement on the member states to allow transfer of data across borders, and Article 14.13 does not allow companies to host data on local servers. Concerns were raised in a few member states; for instance, the Australian Privacy Foundation raised concerns over Article 14.11, which requires transfers to be allowed in the context of the business activities of service suppliers. It claimed that the exception to this provision is very narrow and that the repercussion for not following the exception is that investor-state dispute settlement proceedings can be initiated, which is not sufficient to protect privacy. It also highlighted that the narrow exception provided under Article 14.13, which relates to the prohibition on data localisation, might have an adverse effect on the implementation of national privacy laws within Australia <strong>[11]</strong>.</p>
<p>Another provision which is of major concern is Article 14.13, which prohibits data localisation. It will raise problems for countries like Indonesia and China, which will have to change their local laws to implement the provision <strong>[12]</strong>. There has already been major concern with regard to the USA-EU Safe Harbour Agreement, which was later made subject to the ECJ’s ruling on data protection; the ruling invalidated any arrangement which gives enterprises voluntary responsibility to enforce privacy. Both the USA and the EU are, however, in the process of renegotiating the agreement. The major concern was that in the EU data protection is a fundamental right, while in the USA data protection is more consumer centric. When similar concerns were raised in TPP negotiations, they were rebutted, as the USA claimed that the FTA does not concern itself with data protection <strong>[13]</strong>.</p>
<p>In 2012 Australia proposed alternative language for TPP which allowed countries to place restrictions on data flow as long as they were not a barrier to trade. The U.S. responded to the concerns raised by Australia through a side letter which assured Australia that the U.S. and Australia have a mutual understanding in relation to privacy and that the U.S. will ensure the privacy of data with regard to Australia. While Australia’s concern was acknowledged, other countries which raised similar issues were not given any assurances <strong>[14]</strong>. The US instead proposed an ad hoc strategy that gave private companies the power to form privacy policy, with implementation through state machinery <strong>[15]</strong>.</p>
<h3 id="3-2">3.2. Digital Privacy</h3>
<p>Article 14.8 in the E-Commerce chapter of the agreement states that countries can form a legal framework for the protection of rights, but the kind of ‘legal framework’ is not defined. Nor does it state anywhere that privacy protection or data protection laws are expressly exempted; rather, it states that any such policy implemented by member states will be put under review against TPP standards. The standards which TPP proposes to follow are based on the underlying idea that any such policy should not hinder free trade in any way. This test will be applied by tribunals which are experts in trade and investment and not in data protection or human rights <strong>[16]</strong>. While Article 14.8 provides for protection of the private information of consumers, the footnote to the provision renders it ineffective. The footnote states that member countries can adopt a legal framework for the protection of data which can take the form of self-regulation by industry, and it does not place any comprehensive data protection obligation upon the member states <strong>[17]</strong>. Similarly, Article 13.4 of the telecommunications chapter under TPP states that countries can apply regulation regarding the confidentiality of messages as long as it is not “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services” <strong>[18]</strong>.</p>
<p>Another chapter which raises major concerns about privacy rights is intellectual property. It affects privacy through the provisions related to technological protective measures (TPM) and the provisions that regulate ISPs’ liability. Regarding the TPM provision, the TPP follows the DMCA model, whereby the exception to the anti-circumvention provision is very narrow and does not apply to the anti-trafficking provision. The exception allows a user to circumvent a TPM if it affects the user's privacy in any way, although this does not apply to anti-trafficking of TPM. The provision regarding ISPs’ liability states that there should be cooperation between ISPs and rights holders, and it does not prohibit ISPs from monitoring their users. TPP also proposes notice for takedown and identification of the infringer by the ISP, but this provision is not in consonance with the laws of member states such as Peru, which does not have any copyright law on ISPs. Many countries have also tried to introduce proper privacy laws along with the implementation of ISP liability, but that is not done within the TPP <strong>[19]</strong>. TPP as a whole aims to give greater power to private regulators without providing for a minimum standard for protection of privacy.</p>
<p>Although TPP is not a data protection agreement, it nevertheless deals with various aspects of data protection and is hence a prospective model for privacy and data protection practices in future trade agreements. If positive obligations are included within free trade agreements, it will have an advancing impact on the data protection regime.</p>
<h2 id="4">4. Implications of TPP for RCEP</h2>
<p>While TPP has such lacunae, similar provisions are proposed in RCEP, to which India is a party. This will have serious implications, as many of the countries have inadequate national data protection laws, and with the introduction of such an FTA the exploitation of privacy rights will be rampant <strong>[20]</strong>. To avoid this, the EU directive on data protection should be taken into consideration in the negotiations of such FTAs. The RCEP negotiations are still going on, and in India many companies like Flipkart, Snapdeal etc. have started preparing for the changing norms. The government claims that it is going to accept best practices in the region, which indicates that it is going to have the same policies as TPP. People from industry, however, have raised concerns that while there are national laws, it is difficult to check third party involvement within the business, and it is becoming increasingly difficult to keep consumer data confidential <strong>[21]</strong>.</p>
<h2 id="5">5. Implications of TPP in the Context of EU Safe-Harbour Judgement</h2>
<p>Mr. Maximillian Schrems, an Austrian national residing in Austria, has been a user of the Facebook social network since 2008. Any person residing in the EU who wishes to use Facebook is required to conclude, at the time of his registration, a contract with Facebook Ireland (a subsidiary of Facebook Inc., which itself is established in the United States). Some or all of the personal data of Facebook Ireland’s users who reside in the EU is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. On 25 June 2013 Mr Schrems made a complaint to the commissioner by which he in essence asked the latter to exercise his statutory powers by prohibiting Facebook Ireland from transferring his personal data to the United States, and this led to the <em>Maximillian Schrems v Data Protection Commissioner</em> case <strong>[22]</strong>. He contended in his complaint that the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by the public authorities. Mr Schrems referred in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the NSA (para 26, 27, 28). The court ruled “that a third country which ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of the EU 94/46 directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”
The ruling implies that personal data cannot be transferred to a third country which does not provide an adequate level of protection.</p>
<p>The EU safe harbour judgment and the EU directive on privacy provide contrasting rules related to privacy. TPP gives power to private entities to formulate rules regarding privacy, while the recent ECJ judgment invalidated giving such power to private entities under the EU-US Safe Harbour Agreement. In the context of the same judgment, Hamburg’s Commissioner for Data Privacy and Freedom of Information announced an investigation into the data transfer taking place through Facebook and Google to the U.S. Hence, in the light of the recent judgment, member states within the EU are not allowed to permit cross-border data flow; in contrast, one of the main goals of TPP is to maintain free flow of data across borders <strong>[23]</strong>. The EU in this regard has also set forth the proposal to introduce the General Data Protection Regulation (GDPR). Although the U.S. and the EU are trying to renegotiate the agreement, the privacy concerns raised cannot be ignored. Hence, following the same model as was invalidated under the ECJ judgment lets the US exploit the privacy of member states under TPP. Concerns similar to those raised within the judgment are also raised in India, as it is also following the same model within the U.S.-India Cyber Relationship Agreement and in RCEP negotiations.</p>
<h2 id="6">6. Implications of TPP in the context of USA-India Cyber Relationship</h2>
<p>While India is not part of TPP, TPP might have an effect on the U.S.-India Cyber Relationship Agreement. In August 2015 the India-U.S. cyber dialogue was re-initiated to address common concerns related to cybersecurity and to develop better partnerships between the public and private sectors for the betterment of the digital economy <strong>[24]</strong>. One of the key aims of this agreement is free flow of information between the two nations, which suffers from a similar problem: it will put the privacy of citizens at risk. India also does not have any bilateral treaty which ensures cyber data protection; in such a scenario the only solution is data localisation, but this agreement will put data at risk <strong>[25]</strong>. Hence, while the TPP negotiations were going on and RCEP is being discussed, the concerns about privacy and data protection need to be raised; as mentioned in the earlier section regarding the implications of TPP for RCEP, the USA-India Cyber Relationship also faces the same implications. The aim of the USA-India Cyber Relationship, however, is to ensure cybersecurity. After the cases of the Muzaffarnagar riots, upheaval in the North-Eastern states and the Gujarat riots, India has realised it is important to ensure compliance from the social media companies. India sees the USA-India Cyber Relationship as an opportunity to achieve this goal. The Google Transparency Report states that India made around three thousand requests to Google for user data <strong>[26]</strong>, which indicates the country's interest in having a common understanding with the major social media companies (almost all of which are located in the USA) about requesting and sharing of user activity data. While this concern is being addressed through the agreement, it is difficult to ignore the clause related to free flow of information, which, if the meaning of the term is extended and adopted from TPP itself, will put the digital privacy of Indian citizens at risk <strong>[27]</strong>.</p>
<h2 id="7">7. Conclusion</h2>
<p>Even though TPP negotiations are completed, the ratification of the agreement is still underway. TPP is being seen as a one-of-a-kind trade agreement because it is the first time that countries across the globe have come together as a whole to address the concerns of modern trade. It fails, however, to address some of the key concerns related to privacy and data protection, which are becoming increasingly important. Data protection and privacy issues cannot be seen in isolation and need to be merged within modern-day trade agreements. The D2D component by the USA is a strategic move to have trade dominance in Asia and to compete with China’s growth. TPP has privacy and data protection lacunae within the e-commerce, telecommunications and intellectual property discussion. It might also have serious implications for the RCEP negotiations and the USA-India Cyber Relationship Dialogue. A similar concern regarding data protection has already been addressed by the ECJ judgment invalidating the USA-EU Safe Harbour Agreement, but a similar ad hoc strategy has been incorporated within TPP. Since TPP might be considered a best practice model for future FTAs in the Asian region, it is important to raise and address these privacy concerns now.</p>
<h2 id="8">8. Endnotes</h2>
<p><strong>[1]</strong> The signatory countries include Australia, Canada, Japan, Malaysia, Mexico, Peru, United States of America, Vietnam, Chile, Brunei, Singapore, New Zealand. "The Trans-Pacific Partnership,"
<a href="http://www.ustr.gov/tpp">http://www.ustr.gov/tpp</a> (last visited Jul 7, 2016).</p>
<p><strong>[2]</strong> "The Origins and Evolution of the Trans-Pacific Partnership (TPP)," Global Research, <a href="http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495">http://www.globalresearch.ca/the-origins-and-evolution-of-the-trans-pacific-partnership-tpp/5357495</a> (last visited Jul 7, 2016).</p>
<p><strong>[3]</strong> Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP): In Brief," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1477/">http://digitalcommons.ilr.cornell.edu/key_workplace/1477/</a> (last visited Jul 1, 2016).</p>
<p><strong>[4]</strong> Gajdos, Lukas, <em>The Trans-Pacific Partnership and its impact on EU trade</em>, Policy Department, Directorate-General for External Policies, Policy Briefing (2013), <a href="http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/briefing_note/join/2013/491479/EXPO-INTA_SP(2013)491479_EN.pdf</a>.</p>
<p><strong>[5]</strong> Twining, Daniel, Hans Kundnani & Peter Sparding, <em>Trans-Pacific Partnership: geopolitical implications for EU-US relations</em>, Policy Department, Directorate-General for External Policies, June 24 (2016), <a href="http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf">http://www.europarl.europa.eu/RegData/etudes/STUD/2016/535008/EXPO_STU(2016)535008_EN.pdf</a>.</p>
<p><strong>[6]</strong> USTR, "Remarks by Deputy U.S. Trade Representative Robert Holleyman to the New Democrat Network," <a href="https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade">https://ustr.gov/about-us/policy-offices/press-office/speechestranscripts/2015/may/remarks-deputy-us-trade</a> (last visited Jul 4, 2016).</p>
<p><strong>[7]</strong> Murphy, Katharine, "Trans-Pacific Partnership: four key issues to watch out for," The Guardian, November 6, 2015, <a href="https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for">https://www.theguardian.com/business/2015/nov/06/trans-pacific-partnership-four-key-issues-to-watch-out-for</a> (last visited Jul 7, 2016).</p>
<p><strong>[8]</strong> USTR, "The Digital 2 Dozen" (2016), <a href="https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf">https://ustr.gov/sites/default/files/Digital-2-Dozen-Final.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[9]</strong> Fergusson, Ian F., Mark A. McMinimy & Brock R. Williams, "The Trans-Pacific Partnership (TPP) negotiations and issues for congress," (2015), <a href="http://digitalcommons.ilr.cornell.edu/key_workplace/1412/">http://digitalcommons.ilr.cornell.edu/key_workplace/1412/</a> (last visited Jul 8, 2016).</p>
<p><strong>[10]</strong> "How the TPP Will Affect You and Your Digital Rights," Electronic Frontier Foundation (2015), <a href="https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights">https://www.eff.org/deeplinks/2015/12/how-tpp-will-affect-you-and-your-digital-rights</a> (last visited Jul 7, 2016).</p>
<p><strong>[11]</strong> Australian Privacy Foundation (APF), <em>Trans Pacific Partnership Agreement</em> (2016), <a href="https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf">https://www.privacy.org.au/Papers/Parlt-TPP-160310.pdf</a>.</p>
<p><strong>[12]</strong> Greenleaf, Graham, "The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?," SSRN (2016), <a href="http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386">http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2732386</a> (last visited Jul 1, 2016).</p>
<p><strong>[13]</strong> "GED-Project: Transatlantic Data Flows and Data Protection," GED Blog (2015), <a href="https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/">https://ged-project.de/topics/competitiveness/transatlantic-data-flows-and-data-protection-the-state-of-the-debate/</a> (last visited Jul 1, 2016).</p>
<p><strong>[14]</strong> Geist, Michael, "The Trouble with the TPP, Day 14: No U.S. Assurances for Canada on Privacy," (2016), <a href="http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/">http://www.michaelgeist.ca/2016/01/the-trouble-with-the-tpp-day-14-no-u-s-assurances-for-canada-on-privacy/</a> (last visited Jul 4, 2016).</p>
<p><strong>[15]</strong> Aaronson, Susan Ariel, "What does TPP mean for the Open Internet?" From <em>Policy Brief on Trade Agreements and Internet Governance Prepared for the Global Commission on Internet Governance</em> (2015), <a href="https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf">https://www.gwu.edu/~iiep/events/DigitalTrade2016/TPPPolicyBrief.pdf</a> (last visited Jul 5, 2016).</p>
<p><strong>[16]</strong> Lomas, Natasha, "TPP Trade Agreement Slammed For Eroding Online Rights," TechCrunch, <a href="http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/">http://social.techcrunch.com/2015/11/05/tpp-vs-privacy/</a> (last visited Jun 30, 2016).</p>
<p><strong>[17]</strong> "Q&A: The Trans-Pacific Partnership," Human Rights Watch (2016), <a href="https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership">https://www.hrw.org/news/2016/01/12/qa-trans-pacific-partnership</a> (last visited Jul 1, 2016).</p>
<p><strong>[18]</strong> "TPP Full Text Released," People Over Politics (2015), <a href="http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/">http://peopleoverpolitics.org/2015/11/07/tpp-just-as-bad-as-you-thought/</a> (last visited Jul 7, 2016).</p>
<p><strong>[19]</strong> "Right to Privacy in Trans-Pacific Partnership (TPP) Negotiations," Knowledge Ecology International, <a href="http://keionline.org/node/1164">http://keionline.org/node/1164</a> (last visited Jul 1, 2016).</p>
<p><strong>[20]</strong> Asian Trade Centre, "E-Commerce and Digital Trade Proposals for RCEP (2016)," <a href="http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf">http://static1.squarespace.com/static/5393d501e4b0643446abd228/t/575a654c86db438e86009fa1/1465541967821/RCEP+E-commerce+June+2016.pdf</a> (last visited Jul 1, 2016).</p>
<p><strong>[21]</strong> "E-commerce companies like Flipkart, Snapdeal to beef up data security to meet RCEP norms," The Economic Times, <a href="http://economictimes.indiatimes.com//articleshow/49068419.cms">http://economictimes.indiatimes.com//articleshow/49068419.cms</a> (last visited Jul 1, 2016).</p>
<p><strong>[22]</strong> ECLI:EU:C:2015:650 (C-362/14)</p>
<p><strong>[23]</strong> King et al., "Privacy law, cross-border data flows, and the Trans Pacific Partnership Agreement: what counsel need to know," Lexology, <a href="http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209">http://www.lexology.com/library/detail.aspx?g=b5c0b400-8161-4439-a4b7-131552ad5209</a> (last visited Jul 4, 2016).</p>
<p><strong>[24]</strong> "U.S.-India Business Council Applauds Resumption of Cybersecurity Dialogue," U.S.-India Business Council (2015), <a href="http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue">http://www.usibc.com/press-release/us-india-business-council-applauds-resumption-cybersecurity-dialogue</a> (last visited Jul 5, 2016).</p>
<p><strong>[25]</strong> Sukumar, Arun Mohan, "India Is Coming up Against the Limits of Its Strategic Partnership With the United States," The Wire (2016), <a href="http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/">http://thewire.in/40403/india-is-coming-up-against-the-limits-of-its-strategic-partnership-with-the-united-states/</a> (last visited Jul 4, 2016).</p>
<p><strong>[26]</strong> Countries – Google Transparency Report, <a href="https://www.google.com/transparencyreport/userdatarequests/countries/">https://www.google.com/transparencyreport/userdatarequests/countries/</a> (last visited Jul 8, 2016).</p>
<p><strong>[27]</strong> Sukumar, Arun Mohan, "A case for the Net’s Ctrl+Alt+Del," The Hindu, September 5, 2015, <a href="http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece">http://www.thehindu.com/opinion/op-ed/a-case-for-the-nets-ctrlaltdel/article7616355.ece</a> (last visited Jul 5, 2016).</p>
<h2 id="9">9. Author Profile</h2>
<p><strong>Shubhangi Heda</strong> is a student of Jindal Global Law School, O.P. Jindal Global University. She has completed her fourth year. She gives due importance to popular culture in her life, loves to read fiction and likes to watch TV shows, her favorite being 'White Collar'.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy'>https://cis-india.org/internet-governance/blog/tpp-and-d2-implications-for-data-protection-and-digital-privacy</a>
</p>
No publisher | Shubhangi Heda | Trans Pacific Partnership, Privacy, Free Trade Agreement, Digital Economy, Internet Governance, Data Protection | 2016-07-12T07:56:24Z | Blog Entry
TRAI recommendations on data privacy raises eyebrows
https://cis-india.org/internet-governance/news/economic-times-july-18-2018-surabhi-agarwal-and-gulveen-aulakh-trai-recommendations-on-data-privacy-raises-eyebrows
<b>The telecom regulator’s recommendations on data privacy have raised eyebrows over jurisdiction and timing, with IT ministry officials as well as companies questioning the need for it at a time when the government appointed Justice BN Srikrishna committee is in the final stages of drafting the data protection law. </b>
<p style="text-align: justify; ">The article by Surabhi Agarwal and Gulveen Aulakh was published in <a class="external-link" href="https://economictimes.indiatimes.com/industry/telecom/telecom-policy/trai-recommendations-on-data-privacy-raises-eyebrows/printarticle/65033263.cms">Economic Times</a> on July 18, 2018. Swaraj Paul Barooah was quoted.</p>
<hr />
<p style="text-align: justify; ">Telecom Regulatory Authority of India (TRAI) Chairman RS Sharma though countered that the sectoral watchdog has the jurisdiction to protect consumer interest in the sector, and those who feed off the industry - content providers, or apps, browsers, operating systems, and devices - need to be accountable as far as data protection is concerned.</p>
<p style="text-align: justify; ">TRAI Monday released its recommendations on the subject titled ‘Privacy, Security and Ownership of Data in the Telecom Sector’ which are applicable for apps, browsers, operating systems and handset makers.</p>
<p style="text-align: justify; ">An official of the Ministry of electronics and IT, which is tasked with drafting the data protection law, said that the Act will “prevail” over everything else. “Like any other sector, the data protection Act will be the final thing. In respect of telecom matters, there will be a role for TRAI as sectoral regulator but the basics of privacy will be governed by the data protection Act.”</p>
<p style="text-align: justify; ">The official also added that TRAI saying that their recommendations will be applicable till the data protection law comes into force "doesn't make sense since it won't have a legal mandate."</p>
<p style="text-align: justify; ">Industry bodies such as Internet and Mobile Association of India (IAMAI) and the Indian Cellular Association (ICA) have also criticised TRAI, saying the recommendations were “illegal” and akin to “jumping the gun” ahead of the release of the Srikrishna committee report.</p>
<p style="text-align: justify; ">Some of the clauses such as no use of metadata to identify individuals coupled with data minimisation will be detrimental to building the data business in the country, they said.</p>
<p style="text-align: justify; ">But Sharma argued Trai was well within its rights to protect telecom consumers.</p>
<p style="text-align: justify; ">"Do I not have the jurisdiction to protect the interest of consumers in the telecom sector? I have that. And data protection of consumers in the telecom sector is an issue which is certainly related to the interest of consumers. I have deliberated on that issue, and I’m not saying that bring all those entities under my jurisdiction,” Sharma said.</p>
<p style="text-align: justify; ">He added that there is a regulatory imbalance because entities such as devices, OS, browsers and apps are not following any law. “So, the government can come up with a broad framework but till that time let the telecom rules apply on them too."</p>
<p style="text-align: justify; ">In its recommendations, TRAI said that individual users owned their data, or personal information, and entities such as devices were "mere custodians” and do not have primary rights over that information. It also said that the current framework for protection of personal information is “not sufficient” and suggested expanding the ambit of licence conditions governing telcos to all entities handling customer information.</p>
<p style="text-align: justify; ">In its statement, IAMAI, which represents companies such as Facebook and Google, called TRAI’s assertion that the existing framework is not sufficient to protect telecom consumers “contradictory.”</p>
<p style="text-align: justify; ">“The TRAI recommendations on privacy are premised on a voice and SMS regime. It is not meant for data driven business, which the app companies are. App companies use pseudo anonymous data and app companies do not give Call Detail Records. Incidentally, the Sri Krishna Committee under the Ministry of IT, which is the nodal body for apps as well as for handset manufacturers, is deeply looking into this issue of consent, which is a fair thing to do.”</p>
<p style="text-align: justify; ">Voicing similar concerns, the ICA, which represents most of India’s top handset makers, said that the telecom watchdog has absolutely no powers to begin regulating on issues of privacy and ownership of data, leave alone having jurisdiction over devices, operating systems, browsers and applications.</p>
<p style="text-align: justify; ">“The industry rejects TRAI's attempts to expand its powers and usurp government's jurisdiction.” It added that TRAI “jumped the gun” by seeking to regulate the digital ecosystem without waiting for the data protection law under consideration by the Justice Srikrishna Committee. “This piecemeal approach is dangerous and unproductive.”</p>
<p style="text-align: justify; ">Handset makers such as Intex and Karbonn added they should be kept out of the ambit of the proposed regulations because they don't use customer data or monetise from it, which is mostly what apps do. Any additional pressure on indirect costs will lead to wafer-thin margins getting eroded further and consumers will have to bear the brunt, as it will lead to increase in prices of mobile phones.</p>
<p style="text-align: justify; ">Trai’s recommendations have been sent to the Department of Telecommunications (DoT) which has to take a final call on whether they will be adopted.</p>
<p style="text-align: justify; ">An official spokesperson for Zomato said that they have not been contacted by any of the regulatory bodies on this, as of now. “Our country is still undergoing the process of setting up a regulatory framework, and what happens between the TRAI recommendations and the B N Srikrishna's committee's draft for Data Protection bill will eventually help set up a much required benchmark.”</p>
<p style="text-align: justify; ">In its suggestions, Trai said that as with telcos, all user data flows through smart devices, putting the device manufacturers, browsers, operating systems, and applications etc. in a prime position to collect and process the personal information of users. Since all user data passes through telcos and devices, appropriate steps must be taken to protect user privacy vis-a-vis these entities. “This will ensure, in prevailing circumstances, that the privacy of users is protected and maintained”.</p>
<p style="text-align: justify; ">Swaraj Paul Barooah, policy director at Center for Internet and Society, said that the recommendations are worrying at one level since “There is nothing in the telecom sector that requires interim urgent intervention and it may mean that the privacy framework may be further delayed.”</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/economic-times-july-18-2018-surabhi-agarwal-and-gulveen-aulakh-trai-recommendations-on-data-privacy-raises-eyebrows'>https://cis-india.org/internet-governance/news/economic-times-july-18-2018-surabhi-agarwal-and-gulveen-aulakh-trai-recommendations-on-data-privacy-raises-eyebrows</a>
</p>
No publisher | Admin | Internet Governance, Privacy | 2018-07-19T13:33:44Z | News Item
Token security or tokenized security?
https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security
<b>Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.</b>
<p style="text-align: justify; ">The article by Manasa Venkataraman and Ajay Patri was published in <a class="external-link" href="http://www.livemint.com/Opinion/Kx7GIb4P73EpEtpxOFzi6M/Token-security-or-tokenized-security.html">Livemint</a> <span>on January 9, 2018.</span></p>
<hr style="text-align: justify; " />
<p class="S3l" style="text-align: justify; ">Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in <i>The Tribune </i>on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.</p>
<p style="text-align: justify; ">These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.</p>
<p style="text-align: justify; ">There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.</p>
<p style="text-align: justify; ">Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.</p>
<p style="text-align: justify; ">One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.</p>
<p style="text-align: justify; ">Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.</p>
<p style="text-align: justify; ">Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.</p>
<p style="text-align: justify; ">The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.</p>
<p style="text-align: justify; ">Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.</p>
<p style="text-align: justify; ">The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.</p>
<p style="text-align: justify; ">Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in <i>The Tribune</i>. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.</p>
<p style="text-align: justify; ">These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.</p>
<p style="text-align: justify; "><i>Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.</i></p>
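<p style="text-align: justify; ">The one-time-ID flow described in the article can be sketched as follows. This is an added example, not code from the article, UIDAI or CIS. The class and method names, the provider labels and the ID number are hypothetical, and it assumes random tokens held in a server-side vault rather than tokens derived from the ID number by a secret algorithm.</p>

```python
import hashlib
import hmac
import secrets
import time


class TokenAuthority:
    """Hypothetical stand-in for the identity authority: the only party that
    ever holds the real ID number. Not UIDAI's design or API."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._key = secrets.token_bytes(32)  # vault key, never leaves the authority
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable so expiry can be tested
        self._vault = {}                     # token digest -> (id_number, provider_id, expiry)

    def _digest(self, token):
        # Keep only a keyed digest, so a copy of the vault does not yield usable tokens.
        return hmac.new(self._key, token.encode("utf-8"), hashlib.sha256).hexdigest()

    def issue(self, id_number, provider_id):
        """Called by the individual (app or website), naming the provider."""
        token = secrets.token_hex(8)  # 64 random bits; carries no information about id_number
        expiry = self._clock() + self._ttl
        self._vault[self._digest(token)] = (id_number, provider_id, expiry)
        return token

    def verify(self, token, provider_id):
        """Called by a service provider. Returns only True/False, never the ID number."""
        # pop: any presentation consumes the token, so it cannot be replayed
        entry = self._vault.pop(self._digest(token), None)
        if entry is None:
            return False                     # unknown, already used, or forged
        _id_number, bound_provider, expiry = entry
        if bound_provider != provider_id:
            return False                     # token was issued for a different provider
        return self._clock() <= expiry       # reject tokens past their lifetime


def demo():
    authority = TokenAuthority(ttl_seconds=60)
    id_number = "999900001111"               # constructed sample value, not a real number
    bank = authority.issue(id_number, "bank-A")
    telecom = authority.issue(id_number, "telecom-B")
    return {
        "tokens_differ": bank != telecom,    # providers cannot join records on the token
        "bank_ok": authority.verify(bank, "bank-A"),
        "bank_replay": authority.verify(bank, "bank-A"),
        "telecom_token_at_bank": authority.verify(telecom, "bank-A"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p style="text-align: justify; ">Because each token is random and bound to one provider, two providers holding tokens for the same person have no common value to match on, and nothing a provider stores can be turned back into the ID number without access to the authority's vault.</p>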
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security'>https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-17T00:17:41Z | News Item
Token disclosures?
https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures
<b>Snowden’s Xkeyscore expose makes a mockery of Twitter’s transparency revelations.</b>
<hr />
<p class="body" style="text-align: justify; ">The article by Deepa Kurup was <a class="external-link" href="http://www.thehindu.com/sci-tech/technology/token-disclosures/article4986166.ece">published in the Hindu</a> on August 4, 2013. Sunil Abraham is quoted.</p>
<hr />
<p class="body" style="text-align: justify; ">This week, roughly around the same time, two ‘revelations’ made headlines in the world of technology. The first, the U.S. National Security Agency’s top secret web surveillance programme, codenamed Xkeyscore, another expose from the house of Edward Snowden & Co.; and second, microblogging site Twitter’s third biannual Transparency Report for the first half of 2013.</p>
<p class="body" style="text-align: justify; ">The former exposed a global surveillance net, cast far and wide to freely (no formal authorisation required) access and mine emails, chats and browsing histories of millions. The content of the latter report not only pales in comparison but also raises fundamental questions on just how much goes on beyond the arguably modest claims made on Twitter’s transparency charts.</p>
<p class="body" style="text-align: justify; ">Documents published by <i>The Guardian </i>have the NSA claiming that the “widest-reaching” system mining intelligence from the web had, over a month in 2012, retrieved and stored no less than 41 billion records on its Xkeyscore servers. These mind-boggling numbers make a mockery of Twitter’s few hundred access request disclosures, advocates of online privacy and freedom point out. Then, it is hardly surprising that a large chunk of global requests came from the U.S. government: no less than 902 of the total 1,157 requests, accounting for 78 per cent. A far second is Japan at 8 per cent followed by the U.K.</p>
<h3 class="body" style="text-align: justify; ">India References</h3>
<p style="text-align: justify; ">Interestingly, both Twitter’s report and the NSA’s Xkeyscore document have India references. A map titled 'Where is Xkeyscore' in the released training manual, showing India as one of 150 sites (hosting a total of 700 servers), indicates that India is very much on the global surveillance radar of the United States government, while the fact that India is a new entrant on Twitter's ‘Country Withheld Content Tool’ means that the government here is also making active interventions in microblogging content. This is very much in line with stances the Indian government has taken over the last year, swinging indecisively between asking internet firms to pre-screen content and asking service providers to take down what it finds offensive.</p>
<h3 style="text-align: justify; ">India, A Bit-Player</h3>
<p class="body" style="text-align: justify; ">The Twitter report states that over the last six months it has seen an increase in the number of requests received (and eventual withholding of content) in five new countries: India, Brazil, Japan, Netherlands and Russia. In terms of numbers, India is still very much a bit player in the game given it falls under the ‘less than 10’ category, a list where the number of requests for user information made by the government during this period is fewer than 10. It appears from the report that Twitter did not honour any of these requests, indicating that either the requests were too broad or failed to identify individual accounts.</p>
<p class="body" style="text-align: justify; ">In the same period, Twitter received two requests from India to remove content, one from the “government/law enforcement agency” and the other through a court order. In all, three tweets were removed by Twitter. No details on the nature of content removed were available.</p>
<h3 class="body" style="text-align: justify; ">Transparency Trends</h3>
<p class="body" style="text-align: justify; ">A late entrant to transparency initiatives, Twitter's bi-annual reports have been applauded by privacy activists as an initiative that at least attempted to offer a glimpse into the otherwise opaque medium/industry. According to 'Who Has Your Back', an initiative by the Electronic Frontier Foundation that tracks which corporates help protect your data from the government, only a third of the 18 internet majors publish Transparency Reports – in fact, Facebook, WordPress and Tumblr all don't publish.</p>
<p class="body" style="text-align: justify; ">While it's definitely good that Twitter's providing data for India, post-Edward Snowden and his revealing PRISM leaks, netizens would question to what extent this data is representative of the magnitude or extent of user data tracking. Do governments like the U.S. need to approach Twitter (or other internet service providers) at all to access detailed user activity logs, content and metadata?</p>
<h3 class="body" style="text-align: justify; ">Secret Orders Excluded</h3>
<p style="text-align: justify; ">Twitter makes it clear that its current report does not include "secret orders" or FISA disclosures. In another blog related to the Transparency Report, Jeremy Kessel, Manager, Legal Policy at Twitter Inc, writes that since 2012, Twitter's seen an uptick in requests to withhold content from two to seven countries. He writes that Twitter wants to publish “numbers of national security requests – including FISA (Foreign Intelligence Surveillance Act) disclosures – separately from non-secret requests.” It claims it has “insisted” that the United States government allow for increased transparency into “secret orders”. “We believe it’s important to be able to publish numbers of national security requests – including FISA disclosures – separately from non-secret requests.” Unfortunately, we are still not able to include such metrics, Twitter states.</p>
<h3 style="text-align: justify; ">'Not the Whole Truth'</h3>
<p style="text-align: justify; ">In the absence of these metrics, Sunil Abraham, director of Centre for Internet and Society, feels transparency reports “may not tell us the whole truth”. The Xkeyscore revelations then may explain why the U.S. government has made only 902 information requests. “A programme like XKeyScore potentially allows them to capture the very same data without having to approach Twitter. This is the very same imperative behind the CMS project in India. Governments across the world want to automate private sector involvement in blanket surveillance measures so that it won't serve as a check on their unbridled appetite for data.”</p>
<p style="text-align: justify; ">He warns that there's a likely “race to the bottom”, given that an unintended consequence of transparency may be that governments, rather than being shamed into respect for free speech and privacy, would be emboldened by the scale of surveillance and censorship in the so-called democracies such as the US and EU members that are on top of the global blanket surveillance game.</p>
<p>
For more details visit <a href='https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures'>https://cis-india.org/news/the-hindu-august-4-2013-deepa-kurup-token-disclosures</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2013-08-07T09:30:39Z | News Item
To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI
https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar
<b>Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.</b>
<p>The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/5Gr7j4bgNoLRVtf10cjrzK/To-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar.html">published by Livemint</a> on February 7, 2017.</p>
<hr />
<p class="S3l" style="text-align: justify; ">To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.</p>
<p style="text-align: justify; ">Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.</p>
<p style="text-align: justify; ">Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.</p>
<p>According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.</p>
<p style="text-align: justify; ">“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.</p>
<p style="text-align: justify; ">Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.</p>
<p>It added that in case a person loses his Aadhaar card, he can download the card free from <i>https://eaadhaar.uidai.gov.in</i>.</p>
<p style="text-align: justify; ">Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.</p>
<p style="text-align: justify; ">The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.</p>
<p style="text-align: justify; ">“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar'>https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-02-07T01:00:00Z | News Item