The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 8.
Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)
http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian
<b>This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.</b>
<p>Originally published by <a href="https://www.theguardian.com/sustainable-business/2017/feb/09/fingerprint-payments-privacy-fears-india-banknotes">The Guardian</a>.</p>
<hr />
<p style="text-align: justify;">For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.</p>
<p style="text-align: justify;">Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.</p>
<p style="text-align: justify;">India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.</p>
<p>But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.</p>
<p style="text-align: justify;">As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.</p>
<p style="text-align: justify;">In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.</p>
<p style="text-align: justify;">Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.</p>
<p style="text-align: justify;">The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.</p>
<p style="text-align: justify;">Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter or two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.</p>
<p style="text-align: justify;">For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.</p>
<h4>Privacy fears</h4>
<p style="text-align: justify;">Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.</p>
<p style="text-align: justify;">Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.</p>
<p style="text-align: justify;">For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.</p>
<p style="text-align: justify;">This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”</p>
<p style="text-align: justify;">Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.</p>
<p style="text-align: justify;">Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.</p>
<p style="text-align: justify;">Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.</p>
<p style="text-align: justify;">Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: ““I wouldn’t say it is impossible to break the system, but it is very, very difficult.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian'>http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian</a>
</p>
No publisherVidhi DoshiDemonetisationDigital PaymentBig DataPrivacyInternet GovernanceAadhaarBiometrics2017-02-13T09:21:42ZBlog EntrySunil Abraham on Aadhaar's misuse during demonetisation
http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation
<b>Sunil Abraham spoke to Economic Times on the misuse of Aadhaar during demonetisation. </b>
<p style="text-align: justify; ">Sunil Abraham said:</p>
<p style="text-align: justify; ">"We saw Aadhaar being misused at large-scale during the demonetization, criminals had created a black market in Aadhaar identity cards and photocopies of Aadhaar. Those interested in converting black money were purchasing these photocopies from the black market and giving them to bank officials so that they could maintain fake records that tried to prove that ordinary people came in photos' cash transactions.</p>
<p style="text-align: justify; ">Whenever we try to introduce technological measures we must always think of the human systems that are at work and the human procedures that are at work. Another example is today telcos giving sim cards based on Aadhaar authentication to meet their sales targets some of these telcos are giving multiple sim cards for a single Aadhaar based KYC. Those sim cards are often resold into black market or given to persons that are not familiar with the aadhaar number holder and this has only makes the security situation in the country worse. It has not improved." Watch the <b><a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">Video</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation'>http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation</a>
</p>
No publisherpraskrishnaDemonetisationAadhaarInternet GovernancePrivacy2017-01-19T01:35:02ZNews ItemDemonetisation: Cost Vs Benefit
http://editors.cis-india.org/internet-governance/news/ndtv-december-24-2016-demonetisation-cost-versus-benefit
<b>Sunil Abraham took part in a discussion on Demonetisation in NDTV's Big Fight programme aired on December 24, 2016. </b>
<p style="text-align: justify; ">Prime Minister's big post-demonetisation deadline of 50 days is coming to a close. Does this mean that people's ordeal with the currency ban will also come to an end? Will the government continue to have people's support and patience through its big bang reforms if they fail to achieve their original aim of retrieving black money? We ask, what lies ahead for India? How long will it take for India to become a cashless economy? What are the pitfalls? With a high bank dormancy rate of 43%, most Indians still prefer to make transactions through cash. Even if we are able to make that journey to becoming a cashless economy by 2020, does the government have the infrastructure to make online payments safe?</p>
<p style="text-align: justify; "><i>Sunil Abraham said that the trouble with the design of the Aadhaar project is that it makes citizens transparent to the state and does not make state transparent to the citizen. With every generation of corruption busting technology we see new ways of corruption being introduced into our society</i>. For more <a class="external-link" href="http://www.ndtv.com/video/news/the-big-fight/demonetisation-cost-vs-benefit-443536?site=full"><b>watch the video</b></a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ndtv-december-24-2016-demonetisation-cost-versus-benefit'>http://editors.cis-india.org/internet-governance/news/ndtv-december-24-2016-demonetisation-cost-versus-benefit</a>
</p>
No publisherpraskrishnaDemonetisationInternet Governance2017-01-17T16:04:16ZNews ItemThe soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint
http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint
<b>Paying for your groceries and other goods by using your biometrics instead of an e-wallet, debit card or cash seems to be the next phase in the Centre’s ambitious push to shift the country to a “less cash” economy, as its mandarins term it.</b>
<p style="text-align: justify; ">The article by Indulekha Aravind was <a class="external-link" href="http://economictimes.indiatimes.com/news/economy/policy/the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint/articleshow/56542475.cms">published in the Economic Times</a> on 15 January 2017. Sunil Abraham was <a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">consulted for this</a>.</p>
<hr />
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), says it will be rolling out Aadhaar-enabled payment system, or Aadhaar Pay, for merchants in the next few weeks. This will be an app for merchants that enables them to receive payments through biometric authentication of the customer, provided their bank accounts are linked to their Aadhaar number. "A pilot is under way in fair price shops in Andhra Pradesh where shopkeepers are accepting payments from PDS beneficiaries. The results are very encouraging," says Pandey.</p>
<p style="text-align: justify; ">The idea takes off from the existing Aadhaar-enabled payment system (AEPS) used by bank business correspondents (BCs) in rural areas to disburse and accept cash, using micro ATMs. "We are trying to tweak this so that a similar device can be used by a local merchant," says Pandey. Adoption will depend on two factors: merchants’ acceptance of it and whether they can use an app rather than a micro ATM. The biggest advantage through this method of payment, says Pandey, is that the customer will not need a credit or debit card, or even a smartphone.</p>
<p style="text-align: justify; "><img alt="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" class="gwt-Image" src="http://img.etimg.com/photo/56542603/page-19-1.jpg" title="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" /></p>
<p style="text-align: justify; ">The limits for transactions using AEPS, such as the number of daily transactions, will be left to the discretion of the banks. In the long term, the AEPS will be migrated to the BHIM (Bharat Interface for Money) platform but the rollout of Aadhaar Pay will happen before that. Post demonetisation, banking BC’s number of transactions using AEPS has leapt from 4-5 lakh to 14-15 lakh, says Pandey. According to Reserve Bank of India data on electronic payment systems, the total volume of such transactions jumped from 671 million in November 2016 to 957 million in December. USSD-based payments, which can be done using a basic feature phone, are among the biggest beneficiaries: the volume rose from just 7,000 in November to 1,02,000 in December, and value of transactions from over Rs 7,000 to over Rs 1 lakh. Prepaid payment instruments — mainly mobile wallets — rose from 59 million to 88 million in the same period (and value from Rs 1,300 crore to Rs 2,100 crore).</p>
<p style="text-align: justify; ">While Aadhaar Pay is likely to ride the demonetisation wave if it is launched soon, certain concerns remain, as the list is how secure such a payment system will be. The UIDAI CEO says it is a paramount concern for the organisation, too. "We are using the latest technology to ensure the information stays encrypted end to-end, so that information is not leaked or misused. In the months to come, we will strengthen the security."</p>
<p style="text-align: justify; "><b>Wary About Security</b> <br /> Sunil Abraham, executive director of the Centre for Internet and Society, a think tank that has been analysing the Aadhaar project for six years, outlines several reasons why Aadhaar-based biometrics is inappropriate for authentication in payments, unlike card-based payments that use cryptography. <br /> <br /> "With biometrics, there is always an error ratio. It is imprecise matching, whereas with cryptography (smart cards), there is no false positive or negative. You either have the key (PIN) or you don’t. It is also very cheap to defeat biometric authentication — even an unlettered person can do it," says Abraham. It would be easy enough, he says, to replicate someone else’s fingerprint by pressing it against lukewarm wax and filling the mould with glue to get a dummy finger. In contrast, compromising a smart card requires more cost and effort, from tech-savviness to machines such as a skimmer that will read the card. "And once you are compromised,you are compromised forever. You can’t change it, like a debit card PIN."</p>
<p style="text-align: justify; ">Using Aadhaar for authentication had proved to be a failure during the exchange of currency notes following demonetisation, he adds, pointing to how the poor and the middle class stood in queues for money while stacks of new currency were recovered from the homes of businessmen and bureaucrats. "When you have bank officials who are corrupt, giving them your biometrics is giving them more ammunition for corruption." To catch the criminals, law enforcement agencies had to resort to CCTV footage,a relatively older technology, he says. Others point out that while it may be secure, certain factors stand in the way of making biometrics-based payment authentication a large-scale success. Amrish Rau, CEO of PayU India, a payment gateway provider, cites a list of reasons why it would inevitably take off but only in 5-10 years.</p>
<p style="text-align: justify; ">"For one, the technology is not yet good enough. There are also bandwidth and data constraints in sending biometric data," says Rau. Even in more mature markets, it has yet to find widespread acceptance, he says, pointing to the slow adoption of Apple Pay and Samsung Pay in the US. "It’s not the answer today.” This is in contrast to NITI Aayog CEO Amitabh Kant’s recent remarks that cards and PoS machines would become redundant by 2020 because Indians would be making payments using their thumb (biometrics). "... my view is that in the next two and a half years, India will make all its debit cards, credit cards, all ATM machines, all PoS machines totally irrelevant,” Kant had said at a Pravasi Bharatiya Divas session in Bengaluru.</p>
<div style="text-align: justify; ">UIDAI’s Pandey is more circumspect. “I wouldn’t say who would replace what. But from the government’s side we are encouraging all modes of digital payment. India has a diverse population and some people might prefer using a card, others a wallet. Collectively, they will contribute to a less-cash society.”</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint'>http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint</a>
</p>
No publisherpraskrishnaDemonetisationDigital PaymentDigital GovernanceDigital EconomyPrivacyInternet GovernanceDigital MoneyVideoAadhaarBiometrics2017-01-16T03:14:22ZNews ItemComments on the Report of the Committee on Digital Payments (December 2016)
http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016
<b>The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.</b>
<p> </p>
<h3><strong>1. Preliminary</strong></h3>
<p><strong>1.1.</strong> This submission presents comments by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) <strong>[2]</strong>.</p>
<h3><strong>2. The Centre for Internet and Society</strong></h3>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.</p>
<p><strong>2.2.</strong> CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.</p>
<h3><strong>3. Comments</strong></h3>
<p><strong>3.1.</strong> CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 Rs. 1,000 notes), declared on November 08, 2016 <strong>[3]</strong>, have generated <strong>unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to its extreme use due to the circumstances</strong>. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider <strong>opening up this data for analysis and discussion by public at large and experts in particular, before any specific policy and regulatory decisions are taken</strong> towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.</p>
<p><strong>3.2.</strong> While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. <strong>CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services.</strong> Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.</p>
<p><strong>3.3.</strong> The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. <strong>We submit that a decision regarding transformation of such scale and implications is taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders</strong>. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.</p>
<p><strong>3.4.</strong> The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both are primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. <strong>CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice</strong>.</p>
<p><strong>3.5.</strong> The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. <strong>We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise.</strong> Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). <strong>This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of how this function of course needs discussion and changes with the growth in digital payments</strong>.</p>
<p><strong>3.6.</strong> The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” <strong>CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has</strong>. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.</p>
<p><strong>3.7.</strong> CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” <strong>We second this recommendation and would like to add further that financial transaction data is governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities</strong>.</p>
<p><strong>3.8.</strong> We are, however, very discouraged to see the overtly incorrect use of the word “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity <strong>[4]</strong>. This is not an uncommon anti-competitive measure adopted by various platform players and services providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). <strong>The term “Open Access” is not only the appropriate word to describe the negation of such anti-competitive behaviour, its usage in this context undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report.</strong> The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.</p>
<p><strong>3.9.</strong> A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). <strong>This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic</strong>.</p>
<p><strong>3.10.</strong> The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). <strong>Not only these measures would imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment.</strong> A mandate for <em>replacement</em> of the paper-based central KYC agencies will only remove a much needed redundancy in the the identity verification infrastructure of the government.</p>
<p><strong>3.11.</strong> The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification process for a natural person, apart from DNA testing perhaps. <strong>Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud</strong>.</p>
<p><strong>3.12.</strong> In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. <strong>We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats</strong>.</p>
<p><strong>3.13.</strong> The report suggest the establishment of “a ranking and reward framework” to recognise and encourage for the best performing state/district/agency in the proliferation of digital payments. <strong>It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy</strong>. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.</p>
<p><strong>3.14.</strong> CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. <strong>We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities</strong>.</p>
<p><strong>3.15.</strong> The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. <strong>We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away</strong>. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.</p>
<p><strong>3.16.</strong> As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, <strong>it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days</strong>. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.</p>
<h3><strong>Endnotes</strong></h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://finmin.nic.in/reports/Note-watal-report.pdf">http://finmin.nic.in/reports/Note-watal-report.pdf</a> and <a href="http://finmin.nic.in/reports/watal_report271216.pdf">http://finmin.nic.in/reports/watal_report271216.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://finmin.nic.in/cancellation_high_denomination_notes.pdf">http://finmin.nic.in/cancellation_high_denomination_notes.pdf</a>.</p>
<p><strong>[4]</strong> Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: <a href="http://www.budapestopenaccessinitiative.org/read">http://www.budapestopenaccessinitiative.org/read</a>.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016'>http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016</a>
</p>
No publisherSumandro Chattapadhyay and Amber SinhaUIDDigital IDBig DataDigital EconomyDigital AccessPrivacyDigital SecurityData RevolutionDigital PaymentInternet GovernanceDigital IndiaData ProtectionDemonetisationHomepageFeaturedAadhaar2017-01-12T12:32:22ZBlog EntryDigital native: The View from My Bubble
http://editors.cis-india.org/raw/indian-express-december-4-2016-nishant-shah-digital-native-the-view-from-my-bubble
<b>In the digital world, the privileged have the power to deny a devastating crisis for the poor.</b>
<p>The article was <a class="external-link" href="http://indianexpress.com/article/technology/digital-native-the-view-from-my-bubble/">published by Indian Express</a> on December 4, 2016.</p>
<hr />
<p style="text-align: justify; ">For weeks now, my timeline on almost all social media feeds has been dominated by stories of demonetisation. Over the last few years, I have been spending time in countries where I, more or less, live a cashless life. Every transaction is enabled by a digital connection — my contactless debit card pays most of the bills for groceries, my phone works as an automatic wallet at my favourite stores, and the larger purchases are done online, through direct bank transfers. Most days, I leave home with such little cash that I would not even be able to buy a decent meal with it.</p>
<p style="text-align: justify; ">While the continent is different, this experience is not much different from my days spent in India. I don’t really remember the last time I made huge cash deposits or withdrawals, and the services that I am used to would almost all have facilitated digital transactions, ensuring a smooth continuation of my life except, perhaps, for renouncing the occasional binge on street food, and letting go of the habit of hailing an auto on a busy road.</p>
<p style="text-align: justify; ">Hence, like many people who live in the same privileged combination of class, urbanity, education and affordability, my initial reaction to this move was reflective and speculative. In an abstract manner, I was curious about what this means to the theory of value, what this would achieve in the long-term visions of the state, and wondering what the costs of currency re-introductions might be. The earlier debates with family and friends were all marked by this elitist inquiry into the nature of things, feasting our minds on economic and political conundrums, well aware that there is going to be no crisis on the horizon. The social media also reflected this filter bubble. We made pithy jokes and offered polarised opinions about whether or not this is going to achieve the whitening of black money, and what its long term effects on the economic future would be.</p>
<p style="text-align: justify; ">Now that we know, however, that this state of emergency is going to last well into the end of this year, and as reports trickle in of the deprivation, exploitation and precariousness that destabilise lives and push them towards the precipice, I take a deep introspective breath. I don’t want to go into the discussions of the impact and measures of this move on lives that I do not live, and people who are so unlike me that I cannot even imagine what it means to live on the edge of a demonetised currency note. My opinions on this cannot be more informed or valid than the millions of voices that have flooded the social web with commentary, discussions and outright abusive fighting around the issue.</p>
<p style="text-align: justify; ">Instead, I want to reflect on what it means to consume a lived crisis, an embodied reality, a precarious condition through the mediated bubble of the digital web. For years now, activists have lamented that the web is an alienating medium. It allows people to become armchair clicktivists, removed from the reality of messy life and able to profess care, concern and commitment as long as it does not inconvenience or disrupt their everyday life. However, this has often been seen as a knee-jerk reaction to change, with enough evidence to prove that these technologies of connectivity also produce new collective forms of action, engendering trust, empathy, and care for people who are often made invisible in the systemic violence of everyday life. The debate is unresolved. However, the ways in which the demonetisation crisis — because it has officially become a crisis — is being consumed online, remotely, makes me wonder how the digital web allows a space for performance without experience, and articulation without politics.</p>
<p style="text-align: justify; ">Almost unanimously, the continued chatter of how the common man must bear some inconvenience for the greater good of our collective futures comes from people who embody the same privileges I do. From the comfort of their well-stocked kitchens and their insurances that would cover any health crises, these voices continue to parrot the idea that all that this means for anybody is just a bit of a hassle, but nothing to worry about.</p>
<p style="text-align: justify; ">In the growing face of evidence that the poor are being pushed to the limits of their downward precipitation, they continue to invoke the sacrifices that must be made towards making India great again. Every day, I hear them valiantly champion the Prime Minister for his authoritative decision, and defend the logistics that have failed to protect the economic survival of the silent sufferers in the favour of recovering untold wealth which might turn out to be mythical after all.</p>
<p style="text-align: justify; ">And, each time I read these reports, I wonder how the digital allows them, protects them, and produces a performative space from which they can speak, without any experience, about the lives of others, reducing their struggles to lifestyle logistics and ambulatory adjustments.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/indian-express-december-4-2016-nishant-shah-digital-native-the-view-from-my-bubble'>http://editors.cis-india.org/raw/indian-express-december-4-2016-nishant-shah-digital-native-the-view-from-my-bubble</a>
</p>
No publishernishantResearchers at WorkDemonetisationDigital IndiaRAW Blog2016-12-05T15:15:07ZBlog EntryLack of clarity about cashless and online transactions makes digital payments more worrisome
http://editors.cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome
<b>Even as demonetisation pushes for more and more cashless and online transactions through, e-wallets, banks and other such apps, there is a serious lack of clarity on how these companies handle customer data, and how it is shared with other entities. "Data is the new oil," is an oft repeated phrase in nearly every technology related conversation that comes up anywhere in India today.</b>
<p style="text-align: justify; ">The article by Neha Alawadhi was <a class="external-link" href="http://economictimes.indiatimes.com/industry/banking/finance/banking/lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome/articleshow/55714435.cms">published in the Economic Times</a> on December 1, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">However, the handling of this data, most of which carries some of our most personal information, has little protection if it is misused by a private or government entity.</p>
<p style="text-align: justify; ">Sample this: at an industry event, a Bengaluru-based startup claimed to solve the problem of credit worthiness of individuals for small loans by using some unusual means. To determine credit worthiness, the company maps everything in your phone — right from how many SMSes you receive for non-payment of dues, to how you fill out your loan application form. The company also claims that it can map, using your phone data, the area of your residence and office.</p>
<p style="text-align: justify; ">There are several other companies, especially those in the financial technology (fintech) space, doing similar mapping. The Wall Street Journal on Monday reported that more than three dozen local governments across China are compiling digital records of social and financial behaviour to rate credit worthiness. A person gets a score deduction for violations such as fare cheating, jaywalking and violating family-planning rules.</p>
<p style="text-align: justify; "><img alt="Lack of clarity about cashless and online transactions makes digital payments more worrisome" class="gwt-Image" src="http://img.etimg.com/photo/55714471/untitled-27.jpg" title="Lack of clarity about cashless and online transactions makes digital payments more worrisome" /></p>
<p style="text-align: justify; ">India may be some distance away from such a credit scoring system, but the increased use of online transactions — financial or otherwise — is sure to lead to similar business models.</p>
<p style="text-align: justify; ">"You have no clue what data you are sharing with fintech companies. They are collecting data from other sources and combining it to assess your credit score," said Sunil Abraham, executive director of the Centre for Internet Society.</p>
<p style="text-align: justify; ">For example, there is no clarity on what an e-wallet company does with your details and transaction history even after you delete the app. "If there is large level of customer migration of users from an app company, they will just become a data analytics company. The bigger danger in future is the growth of large data intermediaries which are similar to Visa and Mastercard networks, which purchase big databases and further sell this data and build their services or product on top of that. There are large privacy concerns there," said Apar Gupta, advocate and Internet policy expert. While lack of a privacy law or controller has been a long standing concern, the existing law for data protection — Section 43(A) of the Information Technology Act— also offers only very basic protection and is "grossly inadequate", according to Abraham.</p>
<p style="text-align: justify; ">To make matters worse, they also lack a strict enforcement mechanism. "We don’t know what are the data practices (adopted by apps). There is no privacy controller or some other body, so it is very difficult for a user to know what are the actual ways their data is being implemented," said Gupta.</p>
<p style="text-align: justify; ">There have also been cases of government entities making sensitive and personal information public. Earlier this year, DataMeet, a community of data science enthusiasts, found that Bengaluru Police released 13,000 call data records (CDR) of potential on-going investigations during a hackathon with focus on solving problems of cities.</p>
<p style="text-align: justify; ">"There has been very little talk about data ethics and data practices in India. But cases of misuse of data are frequent," noted DataMeet member Srinivas Kodali in a blogpost.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome'>http://editors.cis-india.org/internet-governance/news/economic-times-december-1-2016-neha-alawadhi-lack-of-clarity-about-cashless-and-online-transactions-makes-digital-payments-more-worrisome</a>
</p>
No publisherpraskrishnaDemonetisationData ManagementInternet GovernancePrivacy2016-12-02T16:20:39ZNews ItemDemonetisation Survey Limits the Range of Feedback that can be Provided by the User
http://editors.cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user
<b>The government has faced increasingly targeted attacks by the Opposition and the public on the merits of the demonetisation move carried out a fortnight ago. In an attempt to placate this ire and to create a feedback loop that directly engages with the public, the government has decided to conduct a mass survey to gauge public perception. The survey is hosted on the Narendra Modi mobile application that can be found on the Android and iOS app stores. This article will attempt to analyse the mobile application by looking at the design principles followed in the survey and the scope given to survey takers to express their true opinion of the demonetisation move.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.firstpost.com/india/how-narendra-modis-survey-limits-the-range-of-feedback-that-can-be-provided-by-user-3121948.html">published by First Post</a> on November 24, 2016.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">At the time of writing, <a href="http://www.firstpost.com/india/demonetisation-despite-fortnight-of-hardship-cash-strapped-india-stands-by-modi-3121690.html" target="_blank">90 percent of respondents</a> expressed the feeling that the government's move was 'brilliant/nice'. However, one must look into the merits of the survey and its limitations to understand the true value and nature of the results of the survey.</p>
<p style="text-align: justify; ">The first step required in order to take the survey, is downloading the application itself, which forces the user to automatically grant access to Contacts, Phone and Storage functions of their phone. While there are ostensible reasons for these permissions, (sharing the data from within the application, storing downloaded information, etc.) unless the user is running Android 6.0 or above, the user doesn’t have a choice in giving these permissions. This leaves the application with the potential to collect the entire phone book of the user as as well as access any files stored on the user’s device. This is independent of the survey and provides a large scope for massive data collection from any user just choosing to install the application in the first place. It is easily possible to create a version of the application that carries out a vast majority of its current functions without these permissions and the government (along with the application developer) should endeavour to do so at the earliest. In the alternative, they should have a clear and distinct privacy policy that informs users of the data collection and its possible use.</p>
<p style="text-align: justify; ">The second major step required to take the survey is the long and tedious registration process, which requires all sorts of details with massive privacy implications. This includes the name, email ID, phone number, residency details, profession and interests, all of which are compulsory fields. Why all of these details are necessary to take a supposedly simple survey and what possible use this information can be put to by the government is both unclear and problematic. It is also possible to register using Google, Facebook, Twitter and other social networking sites where there is a varying standard of equally private and unnecessary information that is being collected by the application from these websites. There are no privacy notices or consent forms that govern this information collection nor is their any indication of how this information will be put to use beyond the scope of the survey. The generic, standard form privacy policy (less than 10 lines long) on the <a class="auto-link" href="http://www.firstpost.com/topic/person/narendra-modi-profile-20711.html" target="_blank" title="Narendra Modi">Narendra Modi</a> website is hidden at the bottom of the application download page (not in the application itself) and leaves a lot to be desired to safeguard user interest.</p>
<p style="text-align: justify; ">Once the registration is complete, the user is presented with the survey, which has a total of 10 questions of 3 broad categories. 6 of these questions have multiple choice answers, 3 of them have a sliding rating meter and 1 question has general comments/suggestion page. The article will now look at these categories and analyze the design of the questions, the extent of the choice they give to the users and finally if the survey has a coercive or limiting effect on the feedback that can be given by the user via the application regarding the demonetisation move.</p>
<div class="alignnone wp-caption" id="attachment_3122038" style="text-align: justify; "><a href="http://s4.firstpost.in/wp-content/uploads/2016/11/Choice_Limiting_Namo.jpg"><img width="825" alt="Choice limiting multiple=" title="Demonetisation Survey Limits the Range of Feedback that can be Provided by the User" src="http://editors.cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user" /></a>
<p class="wp-caption-text">Choice limiting multiple choice questions.</p>
</div>
<p style="text-align: justify; ">The first category of questions, the multiple choice questions (MCQ), have varying degree of choices that the user can select from. However, regardless of the extent of the choices, their exact nature is severely limiting and makes it almost impossible to express a truly negative opinion of the survey. This is done in two ways, first the explicit restriction of choices and second the more subtle negative colouring of responses by cleverly phrasing questions. An example of the explicit restriction of choices can be seen in Question No 7. “Demonetisation will bring real estate, higher education, healthcare in common man’s reach” which has three options, “Completely Agree, Partially Agree and Can’t Say.” There is no option to disagree with the paradigm set by the question and neither is there an option for the user to further explain or elucidate upon the answer, if he/she choose Can’t Say as an option. This also means that there will be no answers that will have “No” as an answer to the fairly open ended question, which can have a myriad of responses. The same can be said for Question No. 6 regarding the demonetisation move’s effectiveness in curbing illegal activities to which, once again, “No” is not an answer, with “Don’t Know” being the best a user disagreeing can do with the survey question.</p>
<p style="text-align: justify; ">The second, more subtle aspect of the MCQ questions are questions that serve as bait to demand a positive answer, which can be used to later bolster the survey's results in a positive light. For example, Question No. 1 reads “Do you think Black Money exists in India” and Question No. 2 reads “Do you think the evil of Corruption & Black Money needs to be fought and eliminated?” both of which have simple “Yes” and “No” as the only two possible responses. These rhetorical questions, which demand a positive answer, provide almost no aspect for the user to subtly or explicitly disagree with motivating factor behind the demonetisation move. The placement of these questions and the lack of choice in responses that can be given to them leaves huge potential to tilt the survey results in the favour of the government’s move. For example, you can’t simultaneously agree that black money is a problem and think the demonetisation move is a bad idea, simply because you can’t express that view in a single question within the survey.</p>
<div class="alignnone wp-caption" id="attachment_3122056" style="text-align: justify; "><a href="http://s3.firstpost.in/wp-content/uploads/2016/11/Positive-bias.jpg"><img width="825" alt="Positive bias driven multiple=" title="Demonetisation Survey Limits the Range of Feedback that can be Provided by the User" src="http://editors.cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user" /></a>
<p class="wp-caption-text">Positive bias driven multiple choice question.</p>
</div>
<p style="text-align: justify; ">The other two categories of questions do not suffer from the overt problems of encouraging positive bias that the MCQ questions do but leave a fair bit to be desired in their outlook towards individuals who disagree with the move. In the sliding rating meter questions, there are strong visual cues that hint that disagreeing with the demonetisation move is a negative, undesirable idea. They do so by using a large, danger red frown as the icon for Question No. 5 that asks for the survey takers opinion on the ban on old 500 and 1000 rupee notes. The same goes for Question No. 3 that deals with the general moves of the government to tackle black money. This makes any opinion or answer that disagrees with the validity of the move an answer that is portrayed in a negative light. Similarly, the general comments/suggestion section in Question No. 10 is the only place for anyone to express a negative or non-concurring opinion, which there is no way to measure statistically in the overall survey results and will mostly likely not be counted in the final survey results.</p>
<div class="alignnone wp-caption" id="attachment_3122120" style="text-align: justify; "><a href="http://s1.firstpost.in/wp-content/uploads/2016/11/Jan_Jan.jpg"><img alt="Visual cues. " class="wp-image-3122120 size-full" height="500" src="http://s1.firstpost.in/wp-content/uploads/2016/11/Jan_Jan.jpg" width="825" /></a>
<p class="wp-caption-text">Visual cues.</p>
</div>
<p style="text-align: justify; ">All of the above points clearly show that the design of both the Narendra Modi mobile application and its survey have huge potential for coercing a biased viewpoint upon any survey taker and ensure that it is almost possible to express a stark, negative opinion against the demonetisation move via the survey. This can and should be remedied by the government to allow for a more open, conducive and critical discourse to take place regarding the move among the public. It is only when such opinion is allowed to exist in the first place, that the government can understand, engage and respond to the various valid critiques of the move. The chilling effect that would take place in the current form of the survey would be counterproductive to the original intent behind its creation, which was to create a direct constructive feedback loop between the public and the government.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user'>http://editors.cis-india.org/internet-governance/blog/first-post-udbhav-tiwari-november-24-2016-demonetisation-survey-limits-the-range-of-feedback-that-can-be-provided-by-the-user</a>
</p>
No publishertiwariDemonetisationInternet GovernancePrivacy2016-11-24T14:50:08ZBlog Entry