Centre for Internet and Society

UNHRC Resolution A/HRC/32/L20 (with amendments (in track))

Japreet Grewal — 2016-07-06T08:07:48Z

For more details visit http://editors.cis-india.org/internet-governance/resources/unhrc-resolution-a-hrc-32-l20-with-amendments-in-track

UNESCO's Open Forum

praskrishna — 2011-04-05T03:58:47Z

As UNESCO organized Freedom of Expression related workshops, this Open Forum will be dedicated to other key IGF topics, notably multilingualism in cyberspace, open access to scientific information, open educational resources, and accessibility for marginalized groups. In addition, UNESCO will take this opportunity to announce new initiatives and share experiences with participants. The interactive panel format will start with brief presentations from experts, followed by a moderated discussion with participants.

Organizer: UNESCO

Moderator:
Mr Jānis Kārkliņš, Assistant Director-General for Communication and Information, UNESCO

Opening by Mr Jānis Kārkliņš

Introductory remarks

Mr Nitin Desai, Chair of the Internet Governance Forum (IGF) will speak about: The future of the IGF and UNESCO’s opportunities
Mr Rod Beckstrom, CEO ICANN, on cooperation with UNESCO, next steps

1. Multilingualism in cyberspace

Proposed speakers:

Mr Baher Esmat, Manager, Regional Relations – Middle East, ICANN
Mr Daniel Pimienta, President of FUNREDES (Fundacion Redes y Desarrollo) Saint Domingue, Dominican Republic

Open discussion

2. Open access to scientific information and open educational resources

Proposed speakers:

Mr Indrajit Banerjee, Director, Information Society Division, Communication and Information Sector, UNESCO
Mr Abel Packer, Director of the SciELO.org Open Access (OA) initiative

Open discussion

3. An initiative on developing inclusive information policies using ICTs in education for persons with disabilities

Proposed speakers:

Mr Axel Leblois, Executive Director, the Global Initiative for Inclusive Information and Communications Technologies 9G3ict), An Advocacy Initiative of the United Nations Global Alliance for ICT and Development
Ms Anja Kovacs, Centre for Internet and Society (India)

Open discussion

For more details visit http://editors.cis-india.org/events/unesco-open-forum

UNESCO Internet Universality Indicators consulted at the 8th Asia Pacific Regional Internet Governance Forum

praskrishna — 2017-08-23T02:05:44Z

“Internet Universality indicators should measure broad social implications of the Internet and serve as a powerful tool to foster sustainable development,” was a strong message delivered by Asia-Pacific stakeholders at UNESCO consultation to develop Internet Universality indicators during the 8th Asia Pacific Regional Internet Governance Forum (APrIGF) in Bangkok (Thailand), 29 July 2017.

This was published by UNESCO on August 9, 2017.

The Bangkok consultation event, co-moderated by Ms. Xianhong Hu (UNESCO) and Ms. Chat Garcia Ramilo (Association for Progressive Communications, APC), brought multi-stakeholders and experts from the Asia Pacific region to contribute to prioritizing issues within the five categories indicators along the Internet Universality R.O.A.M principles, namely on human Rights, Openness, Accessibility, Multi-stakeholder participation, as well as concerning Crosscutting issues.

“Rights entail a number of digital rights including freedom of religious and political expression and right to assembly and association online. Privacy concerns on the Internet are extremely important as well”, stated Ms Gayatri Khandahi from APC on human Rights indicators. In addition, she noted the importance of social and economic rights exercised on the Internet, such as the right to work and the right to political participation, and the jurisdiction challenges of these rights in the pretext of Internet. She emphasized the need to consult also with vulnerable groups, such as women, trans-gender groups and migrants.

Dr. Anja Kovacs from Internet Democracy Project pointed out that rights have impact on other themes or indicators, for instance online abuse of women impacts access in India. She also noted that in the course of developing these indicators, it is crucial to take into account future trends because digital rights are evolving and these indicators might not be useful in 10 years.

“Open Internet is a top concern since it is being limited by many localized requirements. Thus openness requires open and transparent policy and decision making process which is at the core of multi-stakeholder approach”, commented by Prof. Xue Hong from Beijing Normal University on Openness indicators. She suggested “open access” needs to consider people’s various barriers to access Internet, including legal barriers. She suggested that “open source”, “open innovation” and “open market” are also important aspects to measure the level of openness.

On Accessibility indicators, Mr Winston Roberts from the International Federation of Library Associations & Institutions (IFLA) suggested that the definition of universal access needs to be updated and access in various forms can be used as an indicator, such access to broadband. He stressed the importance to include quality access and access in rural areas.

“Access and accessibility should be defined clearly. Access should include indicators to assess quality of service and openness should include assessment of the market”, stated Ms. Bishakha Datta. Mr. Naveed Haq from Internet Society suggested those accessibility indicators could check how many government websites are available to people with disabilities.

“Internet is a classic example where various communities are represented and thus multistakeholderism becomes important”, said Mr. Naveed Haq from Internet Society on Multistakeholder indicators. Mr. Sunil Abraham from Center for Internet Society raised challenges that the government needs to deregulate policies and laws and redo them with a multi-stakeholder process, but on the other hand, private sectors fail to mitigate harm through the self-regulatory model. Mr. Joyce Chen, ICANN representative, highlighted the importance to engage with governments, who need to facilitate more dialogue.

“The rights and interest of those vulnerable groups, such as transgender and women should be considered by the indicators, particularly to assess how rights, such as the right to privacy intersect with their agenda”, suggested by Ms. Bishakha Datta from Point of View on Crosscutting dimension indicators. Dr Anja Kovacs pointed out that it is crucial not miss out groups of people whose interests might not be directly aligned with their governments, for instance refugees or migrants.”

In addition to the ongoing on-site Multistakeholder consultation sessions, UNESCO is now also offering the possibility for interested actors, including Member States, to participate in the consultation online at https://en.unesco.org/internetuniversality.

As an ongoing project developed by UNESCO, Internet Universality Indicators aims to serve as a recognized and authoritative global research tool for national assessing Internet development along the lines of UNESCO’s Internet Universality concept as endorsed by UNESCO 38^th General Conference in 2015. The final indicators will be presented in 2018 and will be submitted to the UNESCO Member States in the International Programme for the Development of Communication (IPDC) for endorsement.

For more details visit http://editors.cis-india.org/internet-governance/news/unesco-internet-universality-indicators-consulted-at-the-8th-asia-pacific-regional-internet-governance-forum

UNESCO Global Report: Opening New Avenues for Empowerment

nirmita — 2013-09-04T07:21:56Z

We prepared a report on higher education for persons with disabilities in the Asia-Pacific region for UNESCO some time back. The report has been compiled into a global report. Nirmita Narasimhan was the project coordinator from the Centre for Internet and Society.

Preface

(by Irina Bokova, Director General of UNESCO)

Over one billion people – approximately 15 percent of the world’s population – live with some form of disability. Facing a wide range of barriers, including access to information, education, health care and a lack of job opportunities, persons living with disabilities struggle every day to be integrated into society.

This is unacceptable, and UNESCO is taking a stand. To tackle these challenges, UNESCO has led a number of initiatives, including the 2013 Global Report, to empower persons with disabilities thanks to information and communication technologies. Our position is clear – information and communication technologies, along with associative technologies, can widen access to information and knowledge, so they must accessible to all.

Building on the United Nations Convention on the Rights of Persons with Disabilities, the Global Report addresses strong recommendations to all stakeholders – from decision-makers to educators, civil society and industry – on how concretely to advance the rights of people living with disabilities. These recommendations draw on extensive research and consultations. Studies launched in five regions have allowed UNESCO to understand more clearly the conditions and challenges faced by persons with disabilities around the world.

To empower persons with disabilities is to empower societies as a whole – but this calls for the right policies and legislation to make information and knowledge more accessible through information and communication technologies. It calls also for applying accessibility standards to the development of content, product and services. The successful application of such technologies can make classrooms more inclusive, physical environments more accessible, teaching and learning content and techniques more in tune with learners’ needs. We need the commitment of all Government and stakeholders to make this a reality for all persons living with disabilities. To build the inclusive knowledge societies we need for the century ahead, we cannot leave anyone aside. We must do everything to replace exclusion and discrimination with inclusion and empowerment – for this, we must harness the full power of information and communication technologies. This is our shared commitment, and this Global Report will help us move forward.

Forward

(by HE Mr. Miguel Angel Estrella, UNESCO Goodwill Ambassador)

Communication and information are essential for the development of people and societies. It is thanks to the networks of connections which are established freely between individuals that a society is able to advance, as well as the personal development of individuals which makes it possible to increase the collective benefit of all those who form a society. In light of this, special attention should be paid and necessary products and services should be created for persons with disabilities. The more totalitarian and repressive societies are, the more restricted access to information and knowledge is, as well as the application of rights to self-expression and opinion. In addition, special services and attention for the common good of society are limited. However, when a society is free and respectful of human rights, individuals have more solidarity, are open to work together and share information. As a consequence of this free exchange of information and knowledge, it should be possible to build a more inclusive society which can fully participate in the social, cultural and economic life, intellectually and culturally rich, and where people with different
abilities, can take full advantage of Information and Communication Technologies.

Access to information and knowledge allows humans to contribute to social development where he or she can make better choices, and to share the richness with those around them. The conditions, special capacities and abilities of each individual to learn should never be an obstacle or an impediment to their individual development. On the contrary, it is the duty of all authorities to establish an enabling environment and provide special services to those who require them, keeping people with disabilities in mind. Such an inclusive society ensures that each person is valued as an equal human being.

I, therefore, warmly welcome UNESCO’s publication titled “Opening New Avenues for Empowerment: ICTs to Access Information and Knowledge for Persons with Disabilities” which not only makes a major contribution to our understanding of disability, but also highlights technological advancement and shares good practices that have already changed the lives of people with disabilities. The publication also makes concrete recommendations for action at the local, national and international levels, targeting policy and decision makers, educators, IT&T industry, civil society and certainly persons with disabilities, which, I hope, will receive your deserved attention!

Acknowledgements

This Global Report, Opening New Avenues for Empowerment: ICTs to Access Information and Knowledge for Persons with Disabilities, has been commissioned by the UNESCO Communication and Information Sector. It is a result of collaborative action among many researchers, public and private organizations, governmental bodies and civil society, and appreciation is extended to each of them.

The Report is based on the findings of five UNESCO regional studies carried out with the help of the following institutions and coordinating authors:

Africa: Mr Raymond Lang, Dr., the Leonard Cheshire Disability and Inclusive Development Centre, University College, London (UK);

Arab Region and North Africa: Mr Mohamed Jemni, Professor of ICT and Educational Technologies, Head of Research Laboratory UTIC, University of Tunis (Tunisia);

Asia Pacific: Ms Nirmita Narasimhan, Project Coordinator, Centre for Internet and Society (India);

Eastern Europe and Central Asia: International Consulting Agency- Mezhvuzkonsalt (Russian Federation);

South America, Central America and Mexico and the Caribbean: Ms Pilar Samaniego (South America);
Ms Sanna-Mari Laitamo and Ms Estela Valerio (Central America and Mexico); and Ms Cristina Francisco (The Caribbean).

The principal author of this global report is Mr Michael Blakemore, Emeritus Professor of Geography at the University of Durham (UK), who is a UK’s Bologna Expert (Higher Education Reform and Innovation) with the European Commission.

The overall preparation of the world report, regional studies and coordination of the project were ensured by Ms Irmgarda Kasinskaite-Buddeberg and Mr Davide Storti from UNESCO’s Communication and Information Sector.

UNESCO thanks the GAATES Foundation for its contributions and advice to the preparation of this report, particularly Ms Cynthia Waddell and Ms Betty Dion. Thanks also to Mr Jonathan Avila from SSB Bart Group

UNESCO wishes to acknowledge the many individual contributors, experts, and advocates, who assisted in the gathering of survey data and in the preparation of the regional studies.

All those contributing their expertise and time to the peer review also deserve recognition. They include: Axel Leblois (G3ict), Luis Gallegos (Ambassador of Ecuador to the United Nations in Geneva, Switzerland), David Andrés Rojas M. and Vanessa Ramirez (The Trust of America, TRUST ), Shadi Abou-Zahra (W3C/WAI), Bernhard Heinser (DAISY Consortium), Jan A. Monsbakken and Uma Tuli (Rehabilitation International, RI), Karsten Gerloff (Free Software Foundation Europe), Brian Nitz (Oracle), Kiran Kaja (Adobe), Katim S. Touray (Free Software Foundation for Africa), Sophie Gautier and Charles-H. Schulz (LibreOffice), Luiz M. Alves dos Santos (European Commission, EC), Arnoud van Wijk (Real-Time Task Force), Reinhard Weissinger (International Organization for Standardization, ISO), Kenneth Eklindh (UNESCO), Simon Ball (JISC TechDis).

The global summary report was edited by Ms Alison McKelvey.

Click to read the full report here.

For more details visit http://editors.cis-india.org/accessibility/blog/opening-new-avenues-for-empowerment

UNESCO Global Report

praskrishna — 2013-09-04T06:53:18Z

For more details visit http://editors.cis-india.org/accessibility/blog/unesco-global-report

Understanding the Right to Information

elonnai — 2013-06-12T11:39:05Z

Elonnai Hickok summarises the Right to Information Act, 2005, how it works, how to file an RTI request, the information that an individual can request under the Act, the possible responses and the challenges to the citizen and the government. She concludes by saying that there are many structural changes that both citizens and governmental officers can make to improve the system.

Introduction

The Right to Information Act, 2005 (RTI) was created in 2005 and marked an important time in Indian legislative history. The Right to Information enables citizens to hold the government accountable and ensure that it is a transparent body. Questions that can be asked by the citizen to the government range from anything that may concern to some meeting notes to why a teacher is not present in a public school, etc. In the current RTI system there are many challenges that are inhibiting the government’s efficient delivery of the RTI as a service to the people. This has changed the concept of how the citizens view the RTI, as the government feels harassed and the citizens feel as though their rights are being unjustly denied. Additionally, individuals have turned the RTI into a redressal mechanism rather than a way to ensure transparency and learn/understand how their government is functioning. The use of the RTI as a redressal mechanism has created a relationship of animosity between the government and citizens. The below note outlines the ecosystem of the RTI and notes specific challenges that both citizens and the government face.[1]

The RTI Ecosystem

RTI work flow

An individual files an RTI with the central/ state public information officer (PIO) or a specific PIO. PIOs are often not trained, and rarely apply for the position, but are instead designated.
Within five days the information is to be forwarded to the correct PIO.
The PIO must open a file and dispose of the request within 30 days.
If the PIO fails to reply to the applicant by either approving or denying a request, the PIO is liable to pay a fine of Rs. 250 for each day of delay.
If information is electronically uploaded, it is stored in any format the officer chooses (jpeg, pdf, html, etc).
Except for land records and staff records, files are retained for a maximum of one year.
If the PIO does not dispose of the request, there is scope for an appeal within 30-45 days to the appellate authority.
There is scope for a second appeal to the information commissioner if the authority does not respond within 90 days or the answer is found to be unsatisfactory.
The final decision of the information commissioner is binding.

Filing an RTI request

Though there is no specific format an individual must follow when submitting an RTI, when filing a request, individuals must include:

His /her name and address.
The name and address of the public information officer (PIO).
The particulars of information/documents required (limited to 150 words and one subject matter).
The time period of the information required.
Proof of payment.
Signature.
Proof if the individual is a BPL holder.[2]

Information that an individual can request under the RTI Act

Inspection of work, documents, and records
Taking notes, extracts or certified copies of documents or records.
Taking certified samples of material.
Obtaining of information in the form of diskettes, floppies, tapes, and video cassettes, or in any other electronic mode, or through printouts where such information is stored in a computer, or in any other device.
Obtaining the status of an RTI request or complaint.

Note: If an individual is requesting third party information, the PIO must inform the third party and provide the individual the opportunity to state a reason for not disclosing the information.

Accepted format of requested materials and records

Material requested can be in any format including: records, documents, memos, emails, opinions, advices, press releases, circulars, orders, logbooks, contracts, reports, papers, samples, models, and data material held in any electronic form.
Records requested can include: any document, manuscript and file, any microfilm, microfiche and facsimile copy of a document, and reproduction of image or images embodied in such microfilm (whether enlarged or not), and any other material produced by a computer or any other device.

Possible Responses to an RTI request

An information officer can respond to an RTI in the following ways:

Transfer request to appropriate PIO within five days and notify the applicant about the transfer.
Provide the requested information within 30 days.
Reject the request information within 30 days stating the reasons for rejection, the period within which an appeal against such rejection may be preferred, and the details of the appellate authority.
Not respond to the applicant. If no response is received within 30 days the officer is liable for a penalty of Rs. 250 per day.

Appeal/Complaint Process

First appeal can be filed after 30 days or if the information given was unsatisfactory. The appeal must include: name and address of the appellant, name and address of the PIO involved, brief facts leading to appeal, relief sought, grounds for appeal, and copies of the application or documents involved, including copies of the reply, if received from the PIO.
Second appeal must contain: name and address of the applicant, and name and address of the PIO involved, particulars of the Order including the number if any against which the appeal is preferred, brief facts leading to the appeal, if appeal/complaint is preferred against deemed refusal then the particulars of the application, including number and date and name, address of the PIO to whom the application was originally made, relief sought, grounds for the relief, verification by the applicant, any other information which the commission may deem necessary for deciding during the appeal, self attested copies of the application or documents involved, copies of the documents relied upon by the appellant and referred to in the appeal, and an index of the documents referred to in the appeal.
A complaint must include: name and address of the complainant, name and address of the state PIO against whom the complaint is being made, facts leading to the complaint, particulars of the application [number, date, name and address of the PIO (three copies)], relief sought, grounds and proof for relief, verification of the complainant (three copies), index of documents referred to in the complaint, and any other necessary information.[3]

Challenges to the Citizen

Knowing the correct Public Information Officer

Knowing which public information officer to mail in the RTI request is the first difficulty that an individual faces. As noted above in 2008 there were a total of 73,256 recorded public information commissioners in the State of Karnataka. New public information commissioners are created every day, because the RTI extends not only to any department of the government, but to any sub-contracted company, organization, school, or NGO that is receiving government funding and doing work on behalf of the government directly or indirectly. Lists of PIOs can be found on department bulletin boards and websites, but there is no clear method for an individual to know what information each PIO is the custodian over. Thus, they are left to determine on their own, and rely on the PIO to forward their application to the correct individual.

Filing in the correct format

Though it is stated in the law what language an RTI request will be accepted in, and what information should be included – individuals are often unaware of the guidelines and unaware of how to correctly fill out an RTI request. An incorrectly formatted request is one of the major reasons for rejection of a request by the PIO.

Language

In the State of Karnataka, RTIs can be filed only in two languages: Kannada and English. By law, RTI responses are given only in the language that the department works in on a daily basis, and in English. The information that is supplied through the request is given in its original language. For example, if you ask for a document that is originally in Marathi, the document will be photo copied and sent to you. No translation of documents takes place, because it is not the job function of the officer to translate documents.

Appeals

If an individual is denied information, or does not receive a reply within 30 days, they have the option of seeking an appeal through an appellate authority. In 2008 Karnataka had 5416 Appellate Authorities. Currently, because of the backlog in appeal cases and the slow functioning of the system, an individual might have to wait for upto one year for his/her appeal to be heard. Often at this point the information is no longer relevant or needed.

Privacy

In some cases individuals are denied a request for information based on the grounds that it would invade the privacy of the public officer. This is sometimes the case and sometimes not the case. Finding the right balance between the right to information and privacy is important, as protecting an individual’s privacy is crucial, but privacy should not be used as a reason for the government to be less transparent to the citizen and be used as a way to deny a citizen the information that they are entitled to.[4]

Challenges in the RTI System for the Government

Too many RTI requests and no system to record duplicates: As the figure shows above, in 2008, the Karnataka Government received 42208 RTI requests. Currently, it is not possible to know how many of these requests were duplicates since departments handling RTIs do not make it a practice to upload and organize filed RTI requests in a format easily accessible to citizens. Thus, there is no present system in place to track, upload, and store past RTI's in a meaningful way.
Additional overhead in recording, organizing, accessing, and storing data: In the current system every time an RTI request is received by the government, they open a new file for that request. Though in some ways this system of storage simplifies the process of finding past RTIs, it adds an additional overhead cost as photocopies must be made, new files created, and correctly added to the organized system. Each state follows its own method of recording, organizing, accessing, and storing data – thus, currently it is not possible to easily access the information from another state or combine information from two separate states.
Lack of compliance with section 4(d) pro-active disclosure: Under section 4 (d), the government is required to pro-actively disclose a pre-determined data to the public via websites and other useful modes. Currently there is very little compliance with section 4(d) from governmental departments. There are many factors that contribute to the low rate of compliance that exist including lack of resources and lack of proper enforcement. If governmental departments were to comply with section 4(d) then the load of RTI requests and the time each request must take to answer could be lightened considerably as the government could respond by pointing citizens to the already disclosed information.

Conclusion

Though the Right to Information is an important right, the above entry looks at some of the weaknesses and challenges in the system. There are many structural changes that both citizens and governmental officers can make to improve the system such as pro-actively disclosing information, ensuring that an RTI is filed correctly, and creating a system for organizing previously asked questions. Alongside of these structural changes it is also critical that a positive culture of transparency and accountability is fostered throughout society, thus encouraging citizens to actively engage with the government and exercise their right to information.

Notes

[1].I am grateful to N. Vikram Simha, RTI activist, for his insight and feedback into the RTI system.

[2].N. Vikram Simha, Right to Information Act of 2005: Guide for Citizens.

[3].N. Vikram Simha, Right to Information: Trend Ahead. Karanataka State Chartered Accountants Association, Bangalore

[4].N. Vikram Simha, RTI and Protection of Individual Privacy

For more details visit http://editors.cis-india.org/internet-governance/understanding-right-to-information

Understanding the Data Gaps on Wikidata Concerning Heritage Structures of West Bengal

Bodhisattwa Mandal — 2021-05-15T12:31:40Z

This is a short study on identifying the data gaps related to heritage structures in West Bengal on Wikidata, and potential strategies to address the same. The report is authored by Bodhisattwa Mandal, with editorial oversight and support by Puthiya Purayil Sneha and external review by Sumandro Chattapadhyay. This is part of a series of short-term studies undertaken by the CIS-A2K team in 2019-2020.

Wikidata is a free and open repository of structured and linked data, hosted by the Wikimedia Foundation, built collaboratively[1] by human volunteers and robots from all over the world[2]. This platform, with an initial intention to be used within Wikimedia projects as a high quality secondary database [3], first started by centrally linking Wikipedia articles about the same topics in different languages[4][5][6][7][8], but soon it started linking with external databases.

Introduction to Wikidata

Wikidata is designed to be structured as a Resource Description Framework or RDF model which describes statements in the form of triplets of subject–predicate–object. In Wikidata, subject–predicate–object is termed as item–property–value. Items on Wikidata can represent every possible object, concept or topic in human knowledge which passes a certain threshold of defined notability and are represented by unique Q numbers. The actual data of an item is called value, which is pre-defined by the data type, be it strings, numbers, dates, url links, coordinates, musical notations etc. or even other items. Properties, represented by unique P numbers, describe the data value of items. The items, properties and values are language independent and thus totally machine-readable, although for human comfort and understanding, one can describe items in their own languages by adding or translating labels, descriptions or aliases.

Due to the machine-readable triplet structure of Wikidata, the database can be easily queried to find answers, which might not be otherwise possible from a list of unstructured contents such as Wikipedia articles. To retrieve and manipulate RDF data formats in triplets, we require a semantic query language for RDF databases named SPARQL. Through Wikidata query service, one can use SPARQL and retrieve data and the prevailing gaps on Wikidata and visualize in different ways.

Wikidata in West Bengal, India

Massive imports of coordinates for places in West Bengal happened between October 2018 and May 2019 on Wikidata as reflected by the map generated using Resemble.js

Wikidata activities around India have been organized around India for almost 4 years under the WikiProject India umbrella. Targeted approaches to fill data gaps on different topics have been pursued through data-thons and campaigns in these years and community strength has been aimed to increase through workshops and skill sharing initiatives.

Being part of that initiative, the Indian state of West Bengal has seen a lot of activities around Wikidata in recent years. Under the WikiProject umbrella, Wikidata volunteers have been working together to build data on different topics related to the state, its demographics, culture, heritage, education, health, politics, language etc. As heritage has been the prime focus of the Wikimedia community members of West Bengal, in this essay, we will identify the data gaps related to the topic through SPARQL query and explore reasons for the same, if any, through interviews of active volunteers who have been working on this area for years.

Wikimedia community members have been working on documenting different forms of heritage since 2011, when they organized Wikipedia Takes Kolkata photo-walk for the first time. Since then, they have organized eight more Wikipedia Takes Kolkata photo-walks, 11 Wiki Exploration projects in 9 districts of the state, 2 editions of prestigious Wiki Loves Monuments in India 2018 and 2019 and several other documentation projects organized organically or single-handedly and by doing so they have uploaded several thousands of photographs related to heritage structures and GLAM collections on Wikimedia Commons.

In this essay, we will focus on the photo-walks and explorations which were conducted to document heritage structures of West Bengal. We will focus on two basic types of data which should be there in every dataset on heritage structures, i.e. a) location, and b) image, and we will find out if there is any significant gap there using SPARQL queries.

Photo-walks and Wiki Explorations in West Bengal

Map of KMC heritage buildings generated from Wikidata query https://w.wiki/Tir

Let’s start with the nine consecutive series of Wikipedia takes Kolkata photo-walks which aims to photo-document heritage buildings and structures of Kolkata. To understand the data gap related to the heritage buildings, we will examine the presence of graded heritage buildings and structures enlisted by Kolkata Municipal Corporation (KMC) on Wikidata through different SPARQL queries. Wikidata now contains 923 heritage buildings and structures listed by KMC, but out of them 26.65% have images and only 18.53% have coordinates.

Although 81.47% of the items of the heritage structures were missing coordinates, but they gave fairly good idea about their location, all of the items had municipal wards and streets connected with them, utilizing which, photographers and travellers are expected to explore the sites easily. However, while testing the items of the wards, it was noticed that however all the 144 wards contain coordinates, but they all lack a crucial property which can denote their area of location i.e. the geoshape data. While coordinates can denote the exact location of certain parts of an area, it is misleading when it comes to a larger area, which requires geoshape to better describe the location. While testing the street data, it was found that both geoshape and coordinate data are lacking for the streets, which makes them extremely difficult to locate.

Map of temples in West Bengal generated from Wikidata query https://w.wiki/Tj7

For the last 3 years, Wikimedia volunteers from West Bengal have also been involved in Wiki Exploration projects to remote parts of the state documenting temples, mosques, sculptures etc., many of which have not been documented online before. Few hundreds of heritage structures in 9 districts of the state were documented and thousands of photographs under this project have been uploaded to Wikimedia Commons. Now, if we test the Wikidata presence of the temples situated in West Bengal, it can be noticed that 435 temples have items, out of which only 196 items have images and only 79 have coordinates. however 302 of them have their location pin-pointed to the village, ward, town or city level. Similar to the previous case, although there are 40,359 items for villages located in West Bengal, only 0.017% have coordinates while none have geoshape data.

From the above two scenarios, it can be easily concluded from the SPARQL queries, that there has been a significant amount of data gap. Both the datasets contain significant lack of location data and images. The second scenario even lacks data on the temples itself.

Challenges of Contributing to Wikidata in/from West Bengal

Now, to understand why there are huge gaps in the data, we have interviewed four volunteers from West Bengal who are involved in these two kinds of projects, three of them are Wikimedia contributors for five-ten years and one of them is relatively new to the movement. They all upload heritage photographs to Wikimedia Commons and 2 of them contribute to Wikidata. All of them agreed that due to lack of suitable hardware, they could not document the exact coordinate data while photo-documenting heritage structures. GPS devices or full-frame cameras with built-in GPS are expensive and are not affordable to many. Interviewees have also pointed out that due to lack of proper training on how to document heritage structures properly, photographers and amaetur researchers miss out vital points of documentation and thus increase data gaps. Restricted access to private heritage structures like temples maintained by families or private heritage buildings and their documents, lack of proper existing documentation along with analogue and digital metadata, and rapid destruction of built heritage due to lack of maintenance or improper restoration procedures etc. are also the reasons for data gaps. While answering the question about why photographs are not converted fully into data, they point out that it might be a burden for photographers to learn about data entry in Wikidata, as this is out of their area of interest and workflow. As noted by an interviewee, ‘the nature of work for Wikidata does not match with photographers' workflow.’ However, they also stressed on the need to conduct training programmes on Wikidata for photographers and interested people involved in documentation to let them know the importance of structured data in the area of heritage documentation.

Recommendations

From the observations of this short study, it is recommended that volunteers working on heritage documentation in West Bengal should be supported with suitable hardware to document coordinates. Frequent training programs should be conducted, preferably by experts, for volunteers on how to document heritage structures in a professional way, so that data gaps remain minimal. Training on Wikidata should be conducted for photographers to let them understand the importance of structured data in the field of heritage documentation. It is also recommended to increase interaction among the Wikidata and Wikimedia Commons volunteers, to understand each other's work flow and strategically modify those to provide optimal results.

References

[1] Vrandečić, Denny (2012). "Wikidata: a new platform for collaborative data collection". Proceedings of the 21st international conference companion on World Wide Web - WWW '12 Companion. Lyon, France: ACM Press: 1063. doi:10.1145/2187980.2188242. ISBN 978-1-4503-1230-1.

[2] Vrandečić, Denny; Krötzsch, Markus (2014-09-23). "Wikidata: a free collaborative knowledgebase". Communications of the ACM. 57 (10): 78–85. doi:10.1145/2629489.

[3] Vrandečić, Denny (2012).

[4] Roth, Mathew (30 March 2012). "The Wikipedia data revolution". Wikimedia Foundation Blog.

[5] Pintscher, Lydia (14 January 2013). "First steps of Wikidata in the Hungarian Wikipedia". Wikimedia Deutschland Blog.

[6] Pintscher, Lydia (30 January 2013)."Wikidata coming to the next two Wikipedias". Wikimedia Deutschland Blog.

[7] Pintscher, Lydia (15 February 2013). "Wikidata live on the English Wikipedia". Wikimedia Deutschland Blog.

[8] Pintscher, Lydia (6 March 2013). "Wikidata now live on all Wikipedias". Wikimedia Deutschland Blog.

Notes

[1] The query results were generated during early 2020. The results may vary at the time of publication of this article.

[2] See Annexure I for the interview questionnaire.

[3] Read this report on Wikimedia Meta-Wiki here.

For more details visit http://editors.cis-india.org/a2k/blogs/understanding-the-data-gaps-on-wikidata-concerning-heritage-structures-of-west-bengal

Unable to read Odia on your android device? Don’t fret!

praskrishna — 2015-12-15T08:04:39Z

If you get only boxes in place of Odia fonts in your Android device then it does not support the language. So you need to install Odia font in your smart phone; one way is to root it, but it’s not without cons.

The article by Ruby Nanda was published in Odisha Sun Times on September 28, 2015. Subhashish Panigrahi was quoted.

Rooting means breaking and getting full rights into the entire operating system of your Android. If done right it can turn you into a super user and open a wealth of opportunities with your handheld device. But, rooting is a complex process and definitely not for a newbie, as rooting leads to loss of warranty, security issues and a wrong move can turn it into a paperweight.

“Rooting is not advisable as it is bit complicated and turns your phone warranty void”, says Subhashish Panigrahi, Programme Officer at the Centre for Internet and Society, an NGO. By far the easiest way to read Odia is by installing Firefox Browser for your android mobile, he added.

Nihar Kumar Dalai, IT professional, has found an easy hack and with Panigrahi, he has designed a free licensed tutorial by which one can easily read Odia language in their smart phones.

“Odia fonts are supported only in the latest android 5.1.1 update, but people using android devices with older version may not have Odia fonts and can see only the boxes. We see many people seeking help to resolve this problem on Twitter and Facebook. With missing Odia fonts, people may end up writing Odia in Roman script, said Dalai.

“There has been very positive response from people who have tried this method. I’m happy to play a very small part for this cause, the IT professional added.

So if you are unable to read or write Odia in your android handheld then no sweat, just try out these simple steps and enjoy the fun of reading and writing Odia in your mobile.

Install Mozilla Firefox browser for Android on your phone from Google Play.
Launch Firefox and go to the Oriya fonts package Add-Ons page and select “Add to Firefox”
Click on Install
Eureka! Now Odia fonts appear on your android device instead of unrecognizable boxes.

Click here to watch the tutorial:

https://or.wikipedia.org/s/ucf

Once you’re able to read and write Odia, you can use any online Odia transliteration service e.g. TypeOdia (on Firefox browser), iBUS on Linux, Microsoft’s Indic language Input Tool, Google Input Tool.

P.S: This method only works on Firefox Browser for Android and not on any other Apps. Android jellybean 4.3 version also supports Odia but there might be issues which are fixed by 5.1.1.

For more details visit http://editors.cis-india.org/openness/news/odisha-sun-times-september-28-2015-ruby-nanda-unable-to-read-odia-on-your-android-device

UK’s Interception of Communications Commissioner — A Model of Accountability

joe — 2014-07-24T06:08:53Z

The United Kingdom maintains sophisticated electronic surveillance operations through a number of government agencies, ranging from military intelligence organizations to police departments to tax collection agencies. However, all of this surveillance is governed by one set of national laws outlining specifically what surveillance agencies can and cannot do.

The primary law that governs government investigations is the Regulation of Investigatory Powers Act 2000, abbreviated as RIPA 2000.

To ensure that this law is being followed and surveillance operations in the United Kingdom are not conducted illegally, the RIPA 2000 Part I establishes an Interception of Communications Commissioner, who is tasked with inspecting the surveillance operations, assessing their legality, and compiling an annual report to for the Prime Minister.

On April 8, 2014 the current Commissioner, Rt Hon. Sir Anthony May, laid the 2013 annual report before the House of Commons and the Scottish Parliament. In its introduction, the report notes that it is responding to concerns raised as a result of Edward Snowden’s actions, especially misuse of powers by intelligence agencies and invasion of privacy. The report also acknowledges that the laws governing surveillance, and particularly RIPA 2000, are difficult for the average citizen to understand, so the report includes a narrative outline of relevant provisions in an attempt to make the legislation clear and accessible. However, the report points out that while the Commissioner had complete access to any documents or investigative records necessary to construct the report, the Commissioner was unable to publish surveillance details indiscriminately, due to confidentiality concerns in a report being issued to the public. (It is worth noting here that though the Commissioner is one man, he has an entire agency working under him, so it is possible that he himself did not do or write all of that the report attributes to him). As a whole, the report outlines a series of thorough audits of surveillance operations, and reveals that the overwhelming majority of surveillance in the UK is conducted entirely legally, and that the small minority of incorrectly conducted surveillance appears to be unintentional. Looking beyond the borders of the United Kingdom, the report represents a powerful model of a government initiative to ensure transparency in surveillance efforts across the globe.

The Role of the Commissioner

The report begins in the first person, by outlining the role of the Commissioner. May’s role, he writes, is primarily to audit the interception of data, both to satisfy his own curiosity and to prepare a report for the Prime Minister. Thus, his primary responsibility is to review the lawfulness of surveillance actions, and to that end, his organization possesses considerable investigative powers. He is also tasked with ensuring that prisons are legally administrated, though he makes this duty an afterthought in his report.

Everyone associated with surveillance or interception in the government must disclose whatever the commissioner asks for. In short, he seems well equipped to carry out his work. The Commissioner has a budget of £1,101,000, almost all of which, £948,000 is dedicated to staff salaries.

The report directly addresses questions about the Commissioner’s ability to carry out his duties. Does the Commissioner have full access to whatever materials or data it needs to conduct its investigations, the report asks, and it answers bluntly, yes. It is likely, the report concludes, that the Commissioner also has sufficient resources to adequately carry out his duties. Yes, the Commissioner is fully independent from other government interests; the commissioner answers his own question. Finally, the report asks if the Commissioner should be more open in his reports to the public about surveillance, and he responds that the sensitivity of the material prohibits him from disclosing more, but that the report adequately addresses public concern regardless. There is a degree to which this question and answer routine seems self-congratulatory, but it is good to see that the Commissioner is considering these questions as he carries out his duties.

Interception of Communications

The report first goes into detail about the Commissioner’s audits of communications interception operations, where interception means wiretapping or reading the actual content of text messages, emails, or other communications, as opposed to the metadata associated with communications, such as timestamps and numbers contacted. In this section, the report outlines the steps necessary to conduct an interception, outlining that an interception requires a warrant, and only a Secretary of State (one of five officials) can authorize an interception warrant. Moreover, the only people who can apply for such warrants are the directors of various intelligence, police, and revenue agencies. In practice, the Secretaries of State have senior staff that read warrant applications and present those they deem worthy to the Secretary for his or her signature, as their personal signature is required for authorization.

For a warrant to be granted, it must meet a number of criteria. First, interception warrants must be necessary in the interests of national security, to prevent or detect serious crime, or to safeguard economic wellbeing of the UK. Additionally, a warrant can be granted if it is necessary for similar reasons in other countries with mutual assistance agreements with the UK. Warrants must be proportionate to the ends sought. Finally, interception warrants for communications inside the UK must specify either a person or a location where the interception will take place. Warrants for communications outside of the UK require no such specificity.

In 2013, 2760 interception warrants were authorized, 19% fewer warrants than in 2012. The Commissioner inspected 26 different agencies and examined 600 different warrants throughout 2013. He gave inspected agencies a report on his findings after each inspection, so they could see whether or not they were following the law. He concluded that the agencies that undertake interception “do so lawfully, conscientiously, effectively, and in our national interest.” Thus, all warrants adequately meet the application and authorization requirements outlined in RIPA 2000.

Communications Data

The report goes on to discuss communications data collection, where communications data refers to metadata–not the content of the communications itself, but data associated with it, such as call durations, or a list of email recipients. The Commissioner explains that metadata is easier to obtain than an interception warrant. Designated officials in their respective surveillance organization read and grant metadata warrant applications, instead of one of the Secretaries of State who could grant interception warrants. Additionally, the requirements for a metadata warrant are looser than for interception warrants. Metadata warrants must still be necessary, but necessary for a broader range of causes, ranging from collecting taxes, protecting public health, or for any purpose specified by a Secretary of State.

The relative ease of obtaining a metadata warrant is consistent with a higher number of warrants approved. In 2013, 514,608 metadata warrants were authorized, down from 570,135 in 2012. Local law enforcement applied for 87.5% of those warrants while intelligence agencies accounted for 11.5%. Only a small minority of requests was sent from the revenue office or other departments.

The purposes of these warrants were similarly concentrated. 76.9% of metadata warrants were issued for prevention or detection of crime. Protecting national security justified 11.4% of warrants and another 11.4% of warrants were issued to prevent death or injury. 0.2% of warrants were to identify people who had died or otherwise couldn’t identify themselves, 0.11% of warrants were issued to protect the economic wellbeing of the United Kingdom, and 0.02% of warrants were associated with tax collection. The Commissioner identified less than 0.01% of warrants as being issued in a miscarriage of justice, a very low proportion.

The Commissioner inspected metadata surveillance efforts, conducting 75 inspections in 2013, and classified the practices of those operations inspected as good, fair or poor. 4% of operations had poor practices. He noticed two primary errors. The first was that data was occasionally requested on an incorrect communications address, and the second was that he could not verify that some metadata was not being stored past its useful lifetime. May highlighted that RIPA 2000 does not give concrete lengths for which data should be stored, as Section 15(3) states only that data must be deleted “as soon as there are no longer grounds for retaining it as necessary for any of the authorized purposes.” He noted that he was only concerned because some metadata was being stored for longer periods than associated interception data. As May put it, “I have yet to satisfy myself fully that some of these periods are justified and in those cases I required the agencies to shorten their retention periods or, if not, provide me with more persuasive reasons.” The Commissioner seems determined that this practice will either be eliminated or better justified to him in the near future.

Indian Applications

The United Kingdom’s Interception of Communications Commissioner has similar powers to the Indian Privacy Commissioner suggested by the Report of the Group of Experts on Privacy. Similar to the United Kingdom, it is recommended that a Privacy Commissioner in India have investigative powers in the execution of its charter, and that the Privacy Commissioner represent citizen interests, ensuring that data controllers are in line with the stipulated regulations. The Report also broadly states that “with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight functions.” In this way, the Report touches upon the need for oversight of surveillance, and suggests that this responsibility may be undertaken by the Privacy Commissioner, but does not clearly place this responsibility with the Privacy Commissioner. This raises the question of if India should adopt a similar model to the United Kingdom – and create a privacy commissioner – responsible primarily for overseeing and enforcing data protection standards, and a separate surveillance commissioner – responsible for overseeing and enforcing standards relating to surveillance measures. When evaluating the different approaches there are a number of considerations that should be kept in mind:

Law enforcement and security agencies are the exception to a number of data protection standards including access and disclosure.
There is a higher level of ‘sensitivity’ around issues relating to surveillance than data protection and each needs to be handled differently.
The ‘competence’ required to deliberate on issues related to data protection is different then the ‘competence’ required deliberating on issues related to surveillance.

Additionally, this raises the question of whether India needs a separate regulation governing data protection and a separate regulation governing surveillance.

Allegations of Wrongdoing

It is worth noting that though May describes surveillance operations conducted in compliance with the law, many other organizations have accused the UK government of abusing their powers and spying on citizens and internet users in illegal ways. The GCHQ, the government’s communications surveillance center has come under particular fire. The organization has been accused indiscriminate spying and introducing malware into citizen’s computers, among other things. Led by the NGO Privacy International, internet service providers around the world have recently lodged complaints against the GCHQ, alleging that it uses malicious software to break into their networks. Many of these complaints are based on the information brought to light in Edward Snowden’s document leaks. Privacy International alleges that malware distributed by GCHQ enables access to any stored content, logging keystrokes and “the covert and unauthorized photography or recording of the user and those around him,” which they claim is similar to physically searching through someone’s house unbeknownst to them and without permission. They also accuse GCHQ malware of leaving devices open to attacks by others, such as identity thieves.

Snowden’s files also indicate a high level of collaboration between GCHQ and the NSA. According to the Guardian, which analyzed and reported on many of the Snowden files, the NSA has in past years paid GCHQ to conduct surveillance operations through the US program called Prism. Leaked documents report that the British intelligence agency used Prism to generate 197 intelligence reports in the year to May 2012. Prism is not mentioned at all in the Interception of Communications Commissioner’s report. In fact, while the report’s introduction explains that it will attempt to address details revealed in Snowden’s leaked documents, very little of what those documents indicate is later referenced in the report. May ignores the plethora of accusations of GCHQ wrongdoing.

Thus, while May’s tone appears genuine and sincere, the details of his report do little to dispel fears of widespread surveillance. It is unclear whether May is being totally forthcoming in his report, especially when he devotes so little energy to directly responding to concerns raised by Snowden’s leaks.

Conclusion

May wrapped up his report with some reflections on the state of surveillance in the United Kingdom. He concluded that RIPA 2000 protects consumers in an internet age, though small incursions are imaginable, and especially lauds the law for it’s technological neutrality. That is, RIPA 2000 is a strong law because it deals with surveillance in general and not with any specific technologies like telephones or Facebook, use of which changes over time. The Commissioner also was satisfied that powers were not being misused in the United Kingdom. He reported that there have been a small number of unintentional errors, he noted, and some confusion about the duration of data retention. However, any data storage mistakes seemed to stem from an unspecific law.

Despite May’s report of surveillance run by the books, other UK groups have accused GCHQ, the government’s communications surveillance center, of indiscriminate spying and introducing malware into citizen’s computers. Privacy International has submitted a claim arguing that a litany of malware is employed by the GCHQ to log detailed personal data such as keystrokes. The fact that May’s report does little to disprove these claims casts the Commissioner in an uncertain light. It is unclear whether surveillance is being conducted illegally or, as the report suggests, all surveillance of citizens is being conducted as authorized.

Still, the concept of a transparency report and audit of a nation’s surveillance initiatives report is a step towards government accountability done right, and should serve as a model for enforcement methods in other nations. May’s practice of giving feedback to the organizations he inspects allows them to improve, and the public report he releases serves as a deterrent to illegal surveillance activity. The Interception of Communications Commissioner–provided he reports truthfully and accurately–is what gives the safeguards built into the UK’s interception regime strength and accountability. In other nations looking to establish privacy protections, a similar role would make their surveillance provisions balanced with safeguards and accountability to ensure that the citizens fundamental rights–including the right to privacy–are not compromised.

For more details visit http://editors.cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability

UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics

Admin — 2018-01-16T23:51:44Z

Aadhaar-issuing body, Unique Identification Authority of India (UIDAI), had barely started patting itself on the back for introducing the Virtual ID concept, what CEO Ajay Bhushan Pandey called "one of biggest recent innovations in this field", when detractors came crawling out of the woodwork, all guns blazing.

The article was published in Business Today on January 12, 2018.

"Under compulsion, millions of persons have already shared Aadhaar number with many service providers. New security layer is like locking the stable after horses have bolted," tweeted P. Chidambaram, Congress veteran and former finance minister. This is not just an opposition party member taking potshots at the government. As of last month, close to 14 crore out of about 30 crore Permanent Account Numbers (PANs) had already been linked to Aadhaar and 70% of the estimated 100 crore bank accounts had been seeded. This will be the case for insurance policies as well as all government-sponsored welfare schemes and services since the Supreme Court ruling to extend the deadline for mandatory Aadhaar linking came just a fortnight before the government's December 21 deadline. So how does the new two-tier security system protect all that Aadhaar data already collected by sundry agencies?

The short answer is that it does not. According to media reports, banks and other service providers have not been asked to delete stored Aadhaar data from their databases. The only directive is to enforce the new security system within the June 1 deadline. In the absence of a legal mandate, agencies can very well choose to retain any Aadhaar data previously collected on their servers, leaving it open to any number of security breaches in the future.

So, it would appear that the new VID and limited KYC norms are good ideas, just too late in arriving. Only procrastinators putting off linking Aadhaar to essential services stand to gain, unless the government decides to revoke all existing Aadhaar cards and issue fresh 12-digit unique identification numbers post June 1.

Where the new security system definitely scores is on the privacy front. To remind you, VID a temporary, 16-digit, randomly-generated number that an Aadhaar holder can use for authentication or KYC services along with his/her fingerprint instead in lieu of the Aadhaar number. The VID together with biometrics of the user would give any authorized agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification. You can generate/replace Virtual IDs on the UIDAI website, Aadhaar mobile app and at enrolment centres.

Since the system-generated VID will be mapped to an individual's Aadhaar number at the back end, it will do away with the need for the user to share Aadhaar number with sundry service agencies. This will, in turn, reduce the collection of Aadhaar numbers by various agencies. VIDs being temporary cannot be de-duplicated and as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders.

Furthermore, under limited KYC, UIDAI will evaluate all Authentication User Agencies (AUAs) and split them into two categories: Global AUAs and Local AUAs. Only agencies whose services, by law, require them to store the Aadhaar number-qualified as Global AUAs-will enjoy access to full demographic details of an individual. All the remaining AUAs will be branded as Local AUAs and will neither get access to full KYC, nor can they store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers. The 72 character alphanumeric 'UID Token' for your Aadhaar number will reportedly be different for every authentication body you approach so agencies will no longer be able to merge databases, thus enhancing privacy substantially.

However, there's a problem here, too. As Pranesh Prakash, Policy Director of Bengaluru-based Centre for Internet and Society, told The Hindu, "unless all entities are required to use VIDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won't really help."

In a recent online survey, conducted by social engagement platform LocalCircles, 52% of 15,000 respondents said they feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. The UIDAI's latest move does little to allay this doubt.

For more details visit http://editors.cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit http://editors.cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules

elonnai — 2014-03-06T07:00:21Z

UIDAI practices and section 43A of the IT Act are analyzed in this post.

In the 52^nd Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated “...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...” (pg.46) [1]

This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology “ Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011[2] and analyses publicly available documents from the UIDAI website[3] as well as the UIDAI enrolment form[4] to demonstrate the ways in which:

UIDAI practices are in line with section 43A and the Rules,
UIDAI practices are not in line with section 43A and the Rules,
UIDAI practices are partially in with section 43A and the Rules
Where more information is needed to draw a conclusion.

Applicability and Scope

Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.

Body Corporate under the Information Technology Act 2008 is defined as:

“Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”

UIDAI Practices - not in line: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.[5]

The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.

Privacy Policy on Website

Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:

Clear and easily accessible statements of its practices and policies
Type of personal or sensitive personal data or information collected
Purpose of collection and usage of such information
Disclosure of information including sensitive personal information
Reasonable security practices and procedures as provided under rule 8

UIDAI Practices - Partially in Line

Though the UIDAI has placed a privacy policy[6] on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.
The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states “As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”

Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.[7]

The privacy policy goes on to state: “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”
The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.
The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”
The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI.

Consent

Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

UIDAI Practices - in Line
The UIDAI collects written consent from individuals through the enrolment form for the issuance of an Aadhaar number.

Collection Limitation

Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.

UIDAI Practices - in Line
The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.

Notice During Direct Collection

Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:

The fact that the information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

UIDAI Practices - Partially in Line
The Aadhaar enrolment form does not provide the following information:

The intended recipients of the information
The name and address of the agency collecting the information
The name and address of the agency that will retain the information

Retention Limitation

Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

UIDAI Practices - Unclear
It is unclear from publicly available information what the UIDAI retention practices are.

Use Limitation

Rule 5(5) requires that information must be used for the purpose that it was collected for.

UIDAI Practices - Unclear
It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected for.

Right to Access and Correct

Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct personal or sensitive personal information.

UIDAI Practices - Partially in Line
Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, data of birth, and mobile number can be updated through this method. [9]

Right to ‘Opt Out’ and Withdraw Consent

Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time. Body corporate has the right to withdraw services if consent is withdrawn.

UIDAI Practices - Partially in Line
The UID enrolment form provides individuals with one ‘optional’ field - the option of having the UIDAI open a bank account and link it to the individuals UID number or having the UIDAI link present bank accounts to individuals UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.

Security of Information

Rule 8 requires that body corporate must secure information in accordance with the ISO 27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.

UIDAI Practices - Unclear
The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, and it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.

Disclosure with Consent

Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.

UIDAI Practices - Partially in Line
In the enrolment form, consent for disclosure is stated as ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.

The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states “ We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”

Prohibition on Publishing and Further Disclosure

Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.

UIDAI Practices - in Line
The UDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.

Requirements for Transfer of Sensitive Personal Data

Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.

UIDAI Practices - Unclear
It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India.

Establishment of Grievance Officer

Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporates website and grievances must be addressed within a month of receipt.

UIDAI Practices - in Line
The website of the UIDAI provides details of a grievance officer that individuals can contact.[10] It is unclear from publicly available information if grievances are addressed within a month.

[1]. http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf

[2]. http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf

[3]. http://uidai.gov.in/

[4]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[5]. http://uidai.gov.in/organization-details.html

[6]. http://uidai.gov.in/privacy-policy.html

[7]. http://resident.uidai.net.in/home

[8]. http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf

[9]. https://ssup.uidai.gov.in/web/guest/ssup-home

[10]. http://uidai.gov.in/contactus.html

For more details visit http://editors.cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules

UID: The World’s Largest Biometric Database

praskrishna — 2011-07-23T02:04:45Z

At the start of his presentation, Sunil Abraham pointed to two aerial drawings of cybercafes: one where each computer was part of a private booth, and one where the computers were in the open so the screens would be visible to any one. Which layout would be more friendly to women, and why, Abraham wanted to know. Some participants selected the first option, liking the idea of the privacy, while others liked the second option so that the cybercafe owner would be able to monitor users’ activities.

Abraham said he was surprised no one said option one looked like masturbation booths, adding that in May, India passed rules prohibiting the first design option to avoid just such an issue. This is despite a survey conducted of female college students, who liked the idea of privacy in cybercafés that typically are male-dominated.

Cybercafes are just one of the areas impacted by India’s plan for collecting and using biometrics to create unique individual identification cards.

Abraham focused his presentation on activists’ efforts to counter the government’s myths about a unique identification (UID) program.

One campaign image showed two soldiers on the border asking for an east-Asian looking person’s identification. The way to balance, or rectify, the drawing, Abraham said, would be to allow citizens to be able to ask the soldiers for the identification information.

The campaign, “Rethink UID Project,” included several images illustrating various problems with the plan. For example, one said: “Central storage of keys is a bad idea, so is central storage of our biometrics.” As Abraham explained, if storing a copy of your housekey at the police station does not make us feel more secure, then why wouldn’t storing our biometrics with the government also make us a little more scared?

In the Indian scheme, Abraham said, the government says biometrics will be used as an authentication factor in order to prove your identity, but from a computer science perspective, it’s a bad idea because it is so easy to steal biometrics. And, as Abraham pointed out, if your biometrics are stolen, it’s not possible for you to re-secure it—it’s not like getting a new ATM card and password, he said.

If this system of national UID was designed using digital keys instead of biometrics, then we would have a completely different configuration, Abraham said.

Centralized storage is nonnegotiable, and therefore the process of authentification is done through a centralized database, but with digital keys or digital signatures, authentification could be done on a peer basis, so citizen could authenticate border guards and vice versa.

Another image from the “Rethink UID Project” campaign pointed out that “Technology cannot solve corruption.” As Abraham said, problems of corruption in the subsidy system (food, loans, education, employment guarantee act in rural India, etc) won’t be fixed with biometrics. For example, if biometric equipment is installed at fair-price shops, before the shop owner gives the grain, the citizen would have to present biometrics, which would go through a centralized server and be authenticated, then the citizen would get the grain, and ultimately there would be a record saying this particular citizen collected this amount of subsidized grain at this particular time.

But there are a whole range of ways shop owners can compromise the system, Abraham said.

The first way: 30-50 percent of India is illiterate, so shop owner can say the biometrics were rejected by the server and the citizen would not know better. Or, the owner can say there was no connectivity so authentification didn’t go through, or the owner could say there was no electricity so the system won’t work, or the shop owner could give just part of the grain that the citizen is due.

Corruption innovates and terrorism innovates—if technology innovates, so does corruption, as it is not a static phenomenon, Abraham said. You can’t wish away human beings from technological configurations.

One village will have multiple biometric readers.

Abraham said they have proposed an alternative schema: remove readers from the shop, school, hospital, bank, etc., and have only one scanner at the local governance hall. Instead of the citizen becoming transparent to the government, the government should become transparent to the citizen. The shop owners should make transparent which IDs they have given how much grain to, and only if they are going to dispute the ID of a citizen, can they go to the local government administrative office to prove the ID.

Another image from the “Rethink UID Project” campaign said, “The poor and the rich: who do we track first?”

Abraham explained that one problem in India is “black money,” or money for which you don’t pay taxes because the accounts are in fake names in order to store money. Like creating fake bank accounts, he said it also would be easy to create fake biometrics by combining the handprints and eyes of multiple people to get a second fake ID. Also the system could be hacked into and iris images Photoshopped. Ghost ideas also could be created and then sold off. Because the rich will get their IDs behind closed doors, Abraham said, it will be easy for them to get multiple IDs, but the poor will not be able to.

Referring to “tailgating,” or when one ID is card swiped to gain entrance for multiple people, such as swiping one metro card and then two people walking through, Abraham noted that the problem is that the tailgating only is seen as a problem when it’s at the bottom of the pyramid, such as one woman goes to the fair-price shop to collect grain for five or six families so only one person has to lose a day’s wage instead of all five or six losing a day’s wages. Tailgating at the bottom if the pyramid is usually a question of survival, he said.

Thus, another image from the campaign showed a pyramid and said, “Transparency at the top first…before transparency at the bottom.”

The first principle is that expectations of privacy should be inversely proportional to power, so people who are really powerful, like NGOs, politicians, or heads of corporations, should have less privacy, and people who have very little power should have more privacy, Abraham said.

Also, from a business perspective, the nation gets greater return on its investment if surveillance equipment is trained on people at the top of the pyramid to catch big-time corruption, he said.

Most of the panic around the UID is over the transaction database. Beyond a databse storing everyone’s biometrics, another database will track transactions: every time you buy a mobile phone or purchase a ticket or access a cyber cafe or subsidies, thanks to UID, there will a record made in the transaction database, Abraham said.

Abraham said it is important to note that surveillance is not an intrinsic part of information systems, but once surveillance is engineered into information systems, both those with good intentions or bad intentions can take advantage of that surveillance capability.

The UID means there will be 22 databases available to 12 intelligence agencies, he said.

So when a girl enters into a cybercafé, first she will have to provide her UID, and then the café owner will photocopy the card, then the owner has the right to take a photo of the girl using his own camera, then the owner is supposed to maintain browser logs of her computer for a period of one year.

So the question then is how to assure accountability without surveillance?

The first possibility, Abraham said, is partial storage. The transaction database could store half the data, and the central database could store the other half, so the full 360-view of the data would not be available without a court order.

The second solution is a transaction escrow, where every time a record is put into the main database, it will be encrypted using 2-3 keys, and only if 3 agencies cooperate with keys, can the information be decrypted. Thus, it is targeted surveillance, not blanket surveillance.

To conclude his presentation, Abraham divided participants into four groups in order to design surveillance systems for internet surveillance, mobile technologies, CCTVs, and border control.

Sharon Strover spoke on behalf of the CCTV group, saying they ended up with more questions than anything else. They agreed there should be notices when cameras are in use, there should be public knowledge of who is doing surveillance and who has access to the footage, and the data shouldn’t be sold. But the group couldn’t decide which spaces warranted CCTVs and which not.

Abraham then pointed out that the next generation of CCTVs can read everybody’s irises as they pass the cameras—it’s in the lab now, and 2-3 years from the market, he said.

Next, Andy Carvin spoke on behalf of the mobile technologies surveillance group. Whether or not capturing metadata or content as well, the mobile phone company can collect it, but it shouldn’t be able to keep any identifiable information for the person – it should only be able to look at information in the aggregate. The rest of the information should be shipped to a non-governmental organization or government agency specialized in privacy, and 2 keys would be required: one from the judiciary and one from the NGO or governmental agency.

Smári McCarthy reported back for the Internet surveillance group, pointing out that data retention has been useful in criminal cases less than 0.2 percent of the time in one study, and another showed there has been no statistically significant increase in the number of criminal cases solved because of data retention. So, he said, the group concluded there should be no blanket surveillance, only court orders in certain criminal cases that define who will be under surveillance and for how long. Also, they wanted to see a transparency register available so the public could be informed about how many people are under surveillance currently and throughout year and other general information, such as the success rate—how many of these surveillances have led to criminal convictions or similar.

Finally, Summer Harlow spoke on behalf of the border control group, which said scanning of checked- and carry-on luggage is acceptable, but there should be no luggage searches without specific probable cause from intelligence agencies or if the scans pick up weapons or other contraband. Similarly, people could be subject to spectrum scans and drug/bomb sniffing dogs for weapons and contraband, but again they would not be physically searched by border agents without probable cause. Also, people and luggage could not randomly be searched based on the country of their passport or their flight destination or origin.

In summary, Abraham said, surveillance is like salt in food: it is essential in small amounts, but completely counter-productive if even slightly excessive.

Download Sunil's presentation here [PDF, 1389 kb]
Sunil Abraham made the presentation at the Gary Chapman International School on Digital Transformation on 21 July 2011. The original news published by International School on Digital Transformation can be read here
Read the schedule here

For more details visit http://editors.cis-india.org/news/uid-worlds-largest-database

UID Project in India - Some Possible Ramifications

Liliyan — 2012-03-21T10:13:27Z

Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.

Researchers at CIS have been grappling with the UID project from research, advocacy, and legal standpoints though all approach it from their own perspective and opinions are rarely duplicated. In an attempt to make their expert opinions more accessible to readers, a series of blog posts, this being the first, will be put up. These posts will not, and cannot because of its length and format, try to address all the possible issues the UID poses. However, they will present the bare bones of the arguments and research questions that the independent voices at CIS see as crucial. These posts will also ask many more questions than they answer, in an attempt to spur further dialogue about the UID project.

Central to understanding the nature of the UID project and its possible ramifications is the idea that technology is not merely a tool to be used by an unchanging, monolithic state. In fact, its very adoption can create ripple effects throughout the apparatus of the state. When the state adoptsa mainstream and ubiquitous technology, the structure of the government and methods of governance change. These changes are not always so dramatic as to be immediately noticeable without some informed inspection, but if one considers the way the state and the citizen interact the significance of these changes becomes starkly apparent. Can we trust the government to use touch screen voting machines like the ones we see every day at the bank? Do government surveillance cameras make us safer or introduce worrisome intrusion into our privacy, or both? Technology is not as neutral as it appears. That is not to say that it is inherently good or bad, but that it is not inert, it is transformative in nature.

The nation state as we know it is built on the printed word, or at least analogue technology. The ways in which we codify, distribute, and assimilate information have, for centuries, been dominated by the printing press. With the introduction of “database governance” there will inevitably be a shift, and a radical one at that. The Indian government has announced its intention to move towards “SMART” (simple, moral, accountable, responsive and transparent) governance, and this implies both an acceptance of the neo-liberal philosophy of government and techno-governance. To achieve a new level of transparency, accountability, and responsiveness, the move towards e-governance could be a major turning point, but how does this shift complicate and change the citizen-state relationship in India? How does this change shift the relationship of India with the rest of the international community?

The UID and Shifts in the Citizen-State Relationship

One way that the citizen-state relationship will change with the shift towards techno-governance, specifically in regard to the UID project, is that the UID posits the state as both the safe-keeper and arbiter of identity. Proponents of the UID project are adamant that it is a voluntary program, but even the UID website states that “in time, certain service providers may require a person to have a UID to deliver services”. As the UID becomes increasingly ubiquitous, could not having a number mean being cut off from some or many of the basic privileges of citizenship if one's identity is becoming more difficult to verify? If having a UID number is the most prominent marker of identity, then it is through state definition, arbitration and upon the state's technical capacity that all will rely.

Moreover, how do we begin to address the privacy issues raised by technological advances in relation to non-changing legal structures? What does it mean to capture all this identity data without introducing a new privacy legislation to protect the citizen? Without new legal accommodation, otherwise benign processes like a statistical census can become a potent tool in a shift towards a police state. As state apparatus's shift, there must be some paradigmatic shift in law to accompany these new technologies and government roles.

If the state transforms through the integration of e-governance forms, then there will inevitably be a recalibration of the relationship between the state, the market, and the citizen. Traditionally the separation of these entities creates arbitration and within a development paradigm there is dynamic, active triangulation. One way we can see this triangulation is through government intervention in markets on behalf of the citizen. There are certain spaces of consumption, for example, such as a cinema where state intervention against discrimination creates a marker for citizenship. That is, because I am able to access a cinema without discrimination, as one of my constitutional rights, this demonstrates my citizenship. However, with the introduction of public- private partnerships, or PPPs, the fact of having multiple stake-holders of political economy allows for the state to disinvest in the production and delivery of certain public services. Satisfying the needs of the citizen for services like sanitation, public education, delivery of power and clean water, maintenance of infrastructure like roads and bridges, can be handed over to corporate entities. The Indian government has enthusiastically embraced PPPs as a way to bring needed capital to the infrastructure demands that accompany their economic growth goals. However, how does this kind of task delegation affect transparency and accountability? If the state decides to stop producing or supplying a good or service, and instead turns this over to a corporation, can the mechanisms for state oversight realistically be trusted to make sure quality and accountability are not adversely affected and rectify the situation if they are? Where does the citizen come into all of this, in terms of what they stand to gain and lose?

The Definition of Citizenship and the UID

As the state and the market enters into new relationships the definition of citizenship changes. If the citizen is seen as the intended beneficiary of state programs, this new relationship between state and market begs the question “Who is subject to (or the subject of) the state?” When the corporate sphere creates micro-financing that helps farmers, they may help the people at the bottom of the economic pyramid manage their debt, but does it necessarily address the problems that created the debt in the first place? How does the market mediate the citizen-state dialogue? As the state and the market enter into new relationships there is a recalibration of the citizen-government relationship. Do market demands for an e-literate consumer put pressure on the state to create one where one did not exist before, and if so, can this not have profound implications for the definition of citizenship?

Part of the movement towards e-governance is signalled by the fact that there has been a shift away from state-sponsored literacy campaigns to e-literacy programs. Does this use of information and communications technology for development (or ITC4D) alienate significant portions of the population? Can such programs in fact widen the digital divide? With the introduction of e-governance the state asks the citizen to participate in governance by creating new avenues for civic participation, such as providing databases of information pertaining to the state that is freely accessible for analysis and manipulation by anyone with the skills to do so. But, if this makes it impossible for some portions of the citizenry to communicate effectively with the state, does this run the risk of making certain, traditional forms of citizenship redundant? How are people with low literacy and little or no access to the necessary technologies supposed to communicate with this new high-tech bureaucracy? Will those who cannot navigate the new systems be inadvertently relegated to second-class status?

This is of particular concern when thinking about the UID project. To properly manage and distribute social services, ID management in some form is crucial. However, when trying to make sure services are properly delivered to the uneducated poor the danger for digital-analogue slippage that is not in their favour increases, and accountability is not necessarily adequately addressed. For example, if I am an illiterate farmer entitled to a certain ration and the person conducting the transaction decides to defraud me, they can easily ask me to authenticate my biometrics, make it appear that they have been simply checking my identity when they have actually fooled me into authenticating the “completed” transaction and simply tell me the computer says, I've already received my share, that I'm only entitled to half of the normal amount, or some other such lie. In this scenario, how would I know this person wasn't telling me the truth? If they lie using a simple ledger, I can take the ledger itself or a copy of it to a literate friend and have them help me navigate the situation. I can seek redress and substantiate my claims more easily if I am not alienated by the technologies being used. Technologies can be empowering or dis-empowering depending on their application. How then, do we balance the demands of the market and the duties of the state against the rights of the citizen? Or rather, how do we apply technology in such a way that the demands of the market and the duties of the state mutually balance each other?

Centralization and Cost-effectiveness of the UID

While ID management is indisputably important, it does not require a centralized database. In the US there are multiple pieces of information, stored in separate databases that can be used to authenticate a transaction. No one can open a bank account with just a social security insurance number. You also need a separate form of ID, often two, that can be used to verify identity. In this way, the SSI number is a bit like a “username” and the other forms of ID, driver's license or passport, function like a corresponding “password”. With the UID project, however, the “username” (the number itself) and the “password” (the number holder's biometrics) are stored in the same place. Thereby, should the database be in some way compromised, all the information needed to verify and complete transactions would be available. If storing this information in a central database is really a good idea, then one must also accept the premise that merging all existing email servers into one monolithic server is also a good idea. Furthermore, centralization is not only more dangerous, it is totally unnecessary. Trillions of dollars worth of trade take place every year using PIN numbers issued by banks and verified without the verifying data being centralized. Having a standard for decentralized ID verification, rather than a centralized database would solve ID problems without creating a database that would be vulnerable to attack.

There are lots of examples of governments implementing costly safety measures that don't actually make anyone safer. Take for example the cameras put up all over London to monitor the movements of people. Unfortunately, something as low-tech as a hooded sweatshirt can thwart these attempts at surveillance. Moreover, if I am a criminal, I am going to make it a priority to know where the cameras are so that I can strategically avoid them. Another example is the millions of dollar the U.S. government spent on putting an armed Federal Air Marshal on every flight, post 9/11. While traditional intelligence gather has thwarted other attempted attacks since 9/11, Air Marshals have not been responsible for stopping any. Simply because the UID project is more technologically advanced does not make it more effective. It seems to greatly increase the risk of fraud that there can be so many separate biometrics machines scattered in different places to verify so many transactions. Having the machines sequestered in private businesses where they will not be constantly monitored or regulated seems to be both costly and easily subject to tampering. It seems to make more sense to have, say, one central, monitored machine per so many people that could be used to settle identity disputes when they arise rather than making the technology a part of every transaction.

Infallibility and Circumvention of the UID

The UID is not infallible and circumvention will certainly be a problem with the project. We find an analogy in the field of digital rights management. If I copy an mp3 without permission or payment, that is illegal. Digital rights management law was introduced to stop this practice, but it was circumvented. This legislation has not stopped the first crime. It has merely created a second, that of circumventing the law. The UID, in so far as it may be used to try to stop the crime of illegally siphoning resources such as, for example, grain intended to go to the poor, cannot stop people from circumventing the system. Circumventing the UID will be a crime. If doing so were truly impossible there would be no need to criminalize it. So, instead of preventing the initial crime of siphoning may not prevent the first crime, while introducing another.

There are basically two possible types of circumvention that are possible, though they might present themselves in various different forms. “Type A” or “the Mission Impossible” kind of fraud might involve fake thumb prints and contact lenses being worn by someone trying to fool the person conducting the biometric authentication. “Type B” occurs when the person operating the biometrics machine is working to defraud the system, most likely with one or many accomplices.

“Type A” involves one dishonest person, who is trying to access someone else's account or a ghost account, and there are various proposed methods to prevent against this type of fraud. To prevent against people using fake thumb prints, the biometrics machines will measure the heat of the thumb as well as the image of the thumb. With the iris scan, there will be a pulse of light to cause contraction in the iris so that a contact lens, which cannot adjust for light, can be detected. All of this will drastically raise the price of the machines in question. It is hard to imagine farmers and labourers defrauding the system with elaborate biometric defrauding devices, so these expensive machines are much more appropriate for monitoring the top of the economic pyramid, who steal in larger sums and have more sophisticated technology at their disposal.

“Type B” involves dishonesty either by the person in control of the biometric authentication, or both that person and others. This seems to be a much more likely and problematic scenario. Right now, bank accounts that are not connected to a name are regularly created so that people can cheat the tax man. Since the bank profits from these accounts, it's in the bank's interest to help people set up such accounts. Ghost ID numbers, and things like bank accounts that are connected to them, can still be produced with biometrics. How is this possible? Well, to make it possible for so many biometric authentications to happen every day, the whole set of ten finger prints won't be sent. That would be way too much data. So, instead of overwhelming the channels, only one thumb print will be sent. Even that many thumb prints would be an information overload, so each thumb print's image will be reduced to a set of 30 data points that will be compared against the original scans. So, where is there a possibility for fraud? When the scan of the finger is taken, and image is rendered. If someone wants to create a ghost ID they only have to manipulate this image, like with a Photoshop filter, and alter the data points. Once I've created a set of biometric markers that doesn't connect to anyone, I can conduct transactions for a ghost. One can easily imagine a market emerging for ghost IDs. People might start trying to pay foreign tourists for their biometric information, which could be sold to a local office. There are certain settings where biometrics works well, for example, at an airport. There, everything is under constant video surveillance. If someone were to tamper with or try to replace the machinery it would be quickly noticed by the cameras. Even if it weren't, different people would routinely be operating the same machine and this would be an added safe guard against fraud. However, at a bank, or any place where the machines used for verification are operated behind closed doors it is quite likely that the technology will be abused. This abuse could easily go unnoticed, because the draft UID bill has proposed strict accountability measures for the Authority, and has conveniently overlooked extending these to collecting and enrolling agencies.

Digital/Analogue Slippage

There is always the possibility of digital/analogue slippage or, more simply put, the computer records not reflecting what actually happened even if no fake identity was used. This happens all the time in IT buildings in the form of tailgating. Four people go out to lunch together and as they re-enter the building they're supposed to each swipe their ID card individually. It is easier and faster for one person to swipe for everyone so, despite signs discouraging this behaviour, this is a common occurrence. If you were to try to analyse the data collected after a day of such comings and goings it would be indecipherable.

I can also authenticate my biometrics, in order to authorize a transaction, without the transaction actually being complete. Let's say I'm a poor farmer entitled to a ration of 10 kilos of grain. The person who is supposed to give me the grain is not an honest person and insists that I authenticate the transaction before he or she gives me my ration. I do what I'm told but only receive 5 kilos. The computer record shows that I have gotten my full ration, so I have no grounds to contest. In this scenario, more complex technology does not necessarily mean greater accountability. Furthermore, even if I am illiterate, if there is a simple ledger that has recorded the transaction, I can physically take the ledger or a copy of it and show it to some literate person willing to help me. If the only record of the transaction is in a database that I can't access or can't understand it will be even more difficult for me to seek help. Moreover, if I don't understand the technology and the shop owner decides not to give me the grain at all they can simply say “Oh, I'm sorry, your account has been denied” or “The computer says you've already been given your ration” and I have little chance of successfully negotiating that situation. Built in to this example is the disadvantage that the illiterate and the computer illiterate face when dealing with this technology but, this is not necessarily always present in cases where digital/analogue slippage causes confusion or complication.

Commonly, things are bought by or registered to one person and used by another. For example, in a small office building, all the phone lines and computers may have been bought in the name of one person. Each office worker will not buy their own computer or equipment, but instead the computers will be bought in the name of the person who runs the organization or an administrator with financial authority. If someone in the office uses their computer to make a bomb or store child pornography, who is accountable? This is the problem when there is digital/analogue slippage. There is the digital record of events and then things as they really are, which are not always identical, and there is no accountability or safeguard against mistake. In the context of the UID, the possibility of such slippage is too high, and will work against the goal of delivering benefits to the poor instead of facilitating it.

For more details visit http://editors.cis-india.org/internet-governance/blog/uid-in-india

Typing in Indic Languages from Mobiles made Easy!

subha — 2013-07-17T09:02:46Z

A new app is up for typing in Indic languages from mobile phones. This is is available online at: http://bitly.com/indictyping and supports on iOS. Android version is to be released soon.

"There are two hard things in computer science: cache invalidation, naming things, and off-by-one errors."
Phil Karlton

Yuvi Panda smiles saying this. Yuvi Panda, a former Wikimedia Foundation contractor and developer was here in our Delhi office and I had an opportunity to spend some time discussing some of the technical problems that we have been facing.

One of the major setback most people have with their phones is the lack of language support and lack of typing support for Indic languages. Fortunately most of the new generation phones support Indic languages. Three of the major operating systems used currently by most phones are Android, Windows, Blackberry and iOS. Android being an open source operating system has extensive community support and developments which is something we were primarily hopeful while starting this project. Windows phones also have a good number of user base in India and support for Indic languages on Windows is really good. Though iOS has good support for Indic display there is no support for typing. IOS, Windows and Blackberry all being proprietary have really less community support and any tool available on these app market would be proprietary. So, our idea was to start a cross platform app which will use the available jQuery ime used for Indic typing for Indic Wikipedias and sister projects.

Currently, most of the Indic language Wikipedias use a typing tool called Narayam ( "Narayam" is a Malayalam word which refers to a metal stylus that was used for writing on palm leaves and papyrus in ancient days). By default the typing scheme for most of the language wikipedias is set to transliteration or phonetic. An Indian mobile user would normally type his own language using Roman letters from a mobile. "और दोस्त सब ठीक है?" in Hindi would be typed as "Aur dost sab thik hai?" when someone pings a friend on facebook or sends a text message. Now with the new typing tool you need to type "aur dosta saba thiika hai?" to get the same text in Devanagari script. This typing scheme is almost same like the phonetic typing most people use for regional languages on mobile which is why typing won’t be much of difference. In terms of usability most people would use the typed text either for web search in regional languages, Facebook posts, tweeting or even sending mails and text messages.

The detailed procedure for typing using this tool is documented at: http://goo.gl/HdVJW. Indic typing tool is available at: http://bitly.com/indictyping

Scan the QR code below using your QR code application to go "Indic typing tool".

Developer speaks:

This is a simple tool that lets you type in your native language on mobile phones. Currently only iOS devices are supported.

The tool is a simple wrapper around Wikimedia Foundation Language Engineering's jquery.ime project. It simply adds a much easier to use (on a mobile device) language selector, and makes it available offline (on iOS devices).

Quick links:

Source code: https://github.com/yuvipanda/indic-typing-tool
Test the app and report the bugs directly on GitHub or on Meta.
Credits: YuviPanda, Subhashish Panigrahi, Santhosh Thottingal

For more details visit http://editors.cis-india.org/openness/blog-old/typing-in-indic-languages-from-mobiles