The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 241 to 255.
Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief
http://editors.cis-india.org/internet-governance/news/ndtv-sukriti-dwivedi-january-13-2018-aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief
<b>"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers.</b>
<p style="text-align: justify; ">The blog post by Sukriti Dwivedi was <a class="external-link" href="https://www.ndtv.com/india-news/aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief-1799467">published by NDTV</a> on January 13, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Virtual ID, the 16-digit temporary number, announced by UIDAI this week had been suggested way back in 2009-10 when its architects were still designing the system. But the Aadhaar authority, which has called Virtual ID a unique innovation to enhance privacy and security, decided against rolling it out at that time.</p>
<p style="text-align: justify; ">"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers. It may be a step forward. But not everyone is as convinced.</p>
<p style="text-align: justify; ">Cyber security expert Jiten Jain is one of them. Mr Jain told NDTV that UIDAI should first of all decide if the Aadhaar number was confidential information or not because it had changed its stance on this aspect on more than one occasion.</p>
<p style="text-align: justify; ">Like when government departments put out lakhs of Aadhaar numbers, the government agency had insisted that there was nothing really confidential about the number, which could not be misused. Or when The Tribune earlier this month claimed to have found gaps in UIDAI's security system that let the newspaper access demographic details of an individual, UIDAI claimed that "the Aadhaar number is not a secret number" anyway.</p>
<p style="text-align: justify; ">Also, a point is being made that if hiding an Aadhaar number enhances privacy, then what about the crores of people who have been forced to share their Aadhaar numbers - and a copy of their Aadhaar cards - all these years.</p>
<p style="text-align: justify; ">Experts suggest the timing of the announcement may not have been a coincidence. The initiative came against the backdrop of mounting privacy concerns after the newspaper expose. The hearing by a five-judge Constitution Bench of the Supreme Court to decide if the Aadhaar project violates citizens' privacy is to start next week, on January 17.</p>
<p style="text-align: justify; ">Srinivas Kodali, cyber security expert and an Aadhaar researcher, said it was clear that the UIDAI had brought it in hurriedly. "They said they will release the codes by March 1. So it clearly looks like they haven't planned this thoroughly," he said.</p>
<p style="text-align: justify; ">There are also concerns about the ability of people living in remote areas to generate the Virtual IDs, in terms of connectivity and literacy. That means a large proportion of people would not be able to generate the Virtual IDs.</p>
<p style="text-align: justify; ">UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.</p>
<p style="text-align: justify; ">This, experts at the Bengaluru-based research group, Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said was a problem area.</p>
<p style="text-align: justify; ">"Privacy can be protected by design and not by choice," said CIS executive director Sunil Abraham, who believes the biggest flaw with Aadhaar was its design.</p>
<p style="text-align: justify; ">"Since it is not mandatory most people will just use the Aadhaar number instead of getting into the hassle of generating a VID... This is privacy through hurdles instead of privacy by design. I suggest authorities should generate VIDs for people and ensure that third parties only use VID and not the Aadhaar number," Pranesh Prakash, the CIS' policy director, told NDTV.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:42:58Z | News Item
Hammered government offers Virtual ID firewall to protect your Aadhaar
http://editors.cis-india.org/internet-governance/news/indian-express-january-11-2018-
<b>Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.</b>
<p>The article was published in <a class="external-link" href="http://www.newindianexpress.com/nation/2018/jan/11/hammered-government-offers-virtual-id-firewall-to-protect-your-aadhaar-1750466.html">New Indian Express</a> on January 11, 2018.</p>
<hr />
<p style="text-align: justify; ">Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.</p>
<p style="text-align: justify; ">The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.</p>
<p style="text-align: justify; ">UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.</p>
<p style="text-align: justify; ">However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:34:12Z | News Item
Bengaluru gives data safety tips to panel
http://editors.cis-india.org/internet-governance/news/deccan-herald-january-14-2018-pranshu-rathee-bengaluru-gives-data-safety-tips-to-panel
<b>A crucial consultation ahead of the framing of the country's data protection laws witnessed animated discussions here on Saturday.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/653716/bengaluru-gives-data-safety-tips.html">Deccan Herald</a> on January 14, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Participants raised a variety of concerns. Held on the IISc campus, it discussed everything from revenge porn and human genomics to artificial intelligence and the right to be forgotten.</p>
<p style="text-align: justify; ">Cybersecurity experts, academics, lawyers and others attended the day-long event.</p>
<p style="text-align: justify; ">They made their submissions to the Srikrishna Committee, formed on July 31 last year to frame principles for data protection laws.</p>
<p style="text-align: justify; ">The session was chaired by Justice B N Srikrishna, retired Supreme Court judge. Also on the panel were Rama Vedashree, CEO, Data Security Council of India, and Gopalakrishnan S.</p>
<p style="text-align: justify; ">The basis of the discussion was a 200-page document drafted by the nine members of the Srikrishna Committee. January 31 is the deadline to respond to the committee's white paper.</p>
<h3 style="text-align: justify; ">Classification of data</h3>
<p style="text-align: justify; ">Several dystopian scenarios, such as profiling and discrimination with the help of behavioural and psychometric data, led to discussions on the need for classification of data types.</p>
<p style="text-align: justify; ">Darshana, a lawyer from the People's Union of Civil Liberties (PUCL), spoke about how people were being denied rations for not holding Aadhaar.</p>
<p style="text-align: justify; ">The collection of children's biometric data brought up the question of consent.</p>
<p style="text-align: justify; ">Srikrishna clarified the white paper contained a chapter on consent: it suggests an age limit below which parental consent will have to be mandatory.</p>
<p style="text-align: justify; ">A discussion on the right to be forgotten arose after some participants sought a provision to revoke consent already given.</p>
<p style="text-align: justify; ">Questions associated with genome sequencing were raised by Vijay Chandru, professor, IISc.</p>
<p style="text-align: justify; ">"We need to pay special attention to this type of information. The collection of DNA in the form of saliva, when, say, you make a visit to a weight loss clinic, has become the commercial norm. The Insurance Regulatory Act can have huge implications as genetic data can be used to discriminate and deny health coverage," Chandru said.</p>
<p style="text-align: justify; ">Sunil Abraham, head of the Centre for Internet and Society, said he was delighted with the quality of debate and discussion.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:19:00Z | News Item
UIDAI introduces new two-layer security system to improve Aadhaar privacy
http://editors.cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy
<b>The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/economy/policy/uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy/articleshow/62442873.cms">Economic Times</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.</p>
<p style="text-align: justify; ">The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.</p>
<p style="text-align: justify; ">ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.</p>
<p style="text-align: justify; ">A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.</p>
<p id="_mcePaste" style="text-align: justify; ">"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.</p>
<h3 style="text-align: justify; ">More Needed to be Done: Experts</h3>
<p style="text-align: justify; ">"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.</p>
<p style="text-align: justify; ">Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."</p>
<p style="text-align: justify; ">This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.</p>
<p style="text-align: justify; ">In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.</p>
<p style="text-align: justify; ">"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.</p>
<p style="text-align: justify; ">Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.</p>
<p style="text-align: justify; ">It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.</p>
<p style="text-align: justify; ">Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.</p>
<p style="text-align: justify; ">The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.</p>
<p style="text-align: justify; ">Kamlesh Bajaj, former CEO of the Data Security Council of India, said that by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.</p>
<h3 style="text-align: justify; ">Expert Views</h3>
<p style="text-align: justify; ">Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.</p>
<p style="text-align: justify; ">The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead but not enough," said Sunil Abraham, executive director of CIS.</p>
<p style="text-align: justify; ">To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018.</p>
<p style="text-align: justify; ">In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token.</p>
<p style="text-align: justify; ">"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.</p>
<p style="text-align: justify; ">The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.</p>
<p style="text-align: justify; ">In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their database, such as for distributing government subsidies for cooking gas or scholarships.</p>
<p style="text-align: justify; ">Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:08:34Z | News Item
Is your personal information under lock and key?
http://editors.cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key
<b>Customers, be more careful about how you log in and log off!</b>
<p style="text-align: justify; ">The article by Sravanthi Challapalli was published by <a class="external-link" href="http://www.thehindubusinessline.com/catalyst/is-your-personal-information-under-lock-and-key/article10026720.ece">Hindu Businessline</a> on January 16, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">We’re coming off a year that was highlighted by several data breaches around the world. In India, the Aadhaar debate continues to make headlines, with allegations about its data theft and Big Brother potential for surveillance. And for quite a while now, the marketing world has been suffused with mention of artificial intelligence, chatbots, big data, data-driven analytics, and other such buzzwords. The ultimate, stated aim is to make life simpler for the citizen/customer. But how secure is our data, which we put out there both voluntarily and by mandate, and what can we do to protect it?</p>
<h3 style="text-align: justify; ">Laziness will hurt</h3>
<p style="text-align: justify; ">A study by security services provider Gemalto found that retailers (76 per cent), banks (74 per cent) and social media sites (71 per cent) operating in India have a lot of work to do on this front. Consumers would leave if their personal information suffered a breach, it said. Even as the majority of customers said businesses don’t treat their data with due respect, they did not take enough precautions themselves, it observed. Fifty-one per cent of the study’s respondents used the same password across several online accounts and many did not use even available solutions such as two-factor authentication to protect social media accounts, making them susceptible to data breaches. They also believed the onus of protecting data lay on the business.</p>
<h3 style="text-align: justify; ">Caveats of little help</h3>
<p style="text-align: justify; ">So, caveat emptor? “Caveat emptor has meaning only when the customer has enough knowledge to protect himself,” says Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society. Using the sausage factory analogy (no one knew what went into the products and how clean they were), he says few know how big data is used. Regulation can help in this regard. He expects India to have data protection rules in place in a couple of years.<br />The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.</p>
<h3 style="text-align: justify; ">Efficiency all round</h3>
<p style="text-align: justify; ">ICICI Prudential Life Insurance Executive Director Puneet Nanda says digital data storage has catalysed efficiency on several fronts. “Technology helps us swiftly identify the nominee and facilitates faster payouts as compared to the times when the information was stored physically. It has improved turnaround times and enabled delivery of superior service leading to higher customer satisfaction. Corporations can provide customers instant gratification. Today, we can issue a policy in minutes. Proliferation of technology has enabled corporations to identify customer needs and make offers best suited to their requirements.”</p>
<p style="text-align: justify; ">CIS will offer comments to the Srikrishna Committee. Abraham says such laws in other countries define what personal information is, establish the office of the regulator, have powers to receive and investigate complaints and ensure marketers fall in line. Regulators have punitive powers as well. In 2014, telecom major Verizon had to pay $7.4 million in the US to settle a Federal Communications Commission complaint about advertising to customers without letting them know they had an opt-out option. The privacy conditions one routinely “agrees” to online do not give the data controller a free ticket to do what they want with the information, he says.</p>
<h3 style="text-align: justify; ">Not much one can do</h3>
<p style="text-align: justify; ">Abraham says there is very little the customer can do, other than “acts of civil disobedience, tell lies, fill out false information” when there’s little protection. Rana Gupta, Vice President – APAC, Identity and Data Protection, Gemalto, says one is not left with many choices in an increasingly digital world, not to mention the social pressure. Imagine asking for time off from work to withdraw some cash from your bank because you are suspicious of ATMs? “Users have to rely on organisations doing the right thing,” he says. Regulation making data encryption and second-factor authentication mandatory will help. Customers have begun to ask how data is being secured, and whether it is encrypted. Addressing such concerns would help businesses such as e-commerce and banks, which are increasingly dependent on an online presence.</p>
<p style="text-align: justify; ">Even though they’re painful to remember and key in, long passwords that include a capital letter, a special character and a number are deterrents to misuse, as are one-time passwords and messages that alert/ confirm users logging in to an account or transacting a deal. Rohan Bhargava, Co-founder of cashback and coupons site CashKaro.com, says businesses have to design the best methods to thwart the worst intentions. “Companies are vulnerable when they take short cuts at basic processes.”</p>
<p style="text-align: justify; ">Bhargava says his company prefers to build most of the technical products it needs, itself, rather than resort to third-party builders/providers. Marketers, he says, experiment with a lot of untested products and the scripts they use can be the root of the problem.</p>
<p style="text-align: justify; ">Checks and balances at every stage, running security reviews whenever something changes, effectively managing the life cycle of the encryption keys and limiting access to customer data are vital. The responsibility for securing data lies with both customer and marketer but the latter’s is the larger responsibility as it is they who implement and have the infrastructure that the user does not, says Gemalto’s Gupta.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T16:54:33Z | News Item
Fixing Aadhaar: Security developers' task is to trim chances of data breach
http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar
<b>The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.business-standard.com/article/opinion/fixing-aadhaar-security-developers-task-is-to-trim-chances-of-data-breach-118010901281_1.html">Business Standard</a> on January 10, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><span>I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.</span></p>
<p style="text-align: justify; "><span>The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.</span></p>
<p style="text-align: justify; "><span>In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language; for the layman, the key takeaway is that a single national ID for all persons and all purposes is an ahistorical and unworkable solution.</span></p>
<table class="plain">
<tbody>
<tr>
<td>
<p><img src="http://editors.cis-india.org/home-images/AadhaarBS.png" style="text-align: justify; " title="Aadhaar BS" class="image-inline" alt="Aadhaar BS" /></p>
<div style="text-align: justify; "><span style="float: left; "><span style="float: left; "><i>Revoke all <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters</i></span></span></div>
<div style="text-align: justify; "><span style="float: left; "><br /></span></div>
</td>
</tr>
</tbody>
</table>
<div style="text-align: justify; "><span>monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.</span></div>
<p style="text-align: justify; "><span>The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifier where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible referring to a similar scheme in the LSE identity report.</span></p>
<p id="_mcePaste" style="text-align: justify; ">Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps that would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Three, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.</p>
<p id="_mcePaste" style="text-align: justify; ">On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar'>http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar</a>
</p>
No publisher | sunil | Aadhaar | Internet Governance | Privacy | 2018-01-10T16:47:59Z | Blog Entry
UIDAI denies any breach of Aadhaar database
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database
<b>Personal data, including biometric information, of citizens safe and secure, says UIDAI on Aadhaar data breach.
</b>
<p style="text-align: justify; ">The article by Komal Gupta was published by <a class="external-link" href="http://www.livemint.com/Politics/bw5gRWcZoFYOjixGVVSqiP/UIDAI-says-Aadhaar-misuse-traceable-system-secure.html">Livemint</a> on January 7, 2018</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) on Thursday clarified that there has not been any breach in the Aadhaar database and the personal data of citizens, including biometric information, is safe and secure.</p>
<p style="text-align: justify; ">The clarification comes in response to a news report titled ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’ published in The Tribune on Thursday. The report claims that a WhatsApp group sold all Aadhaar data available with UIDAI for a sum of Rs. 500.</p>
<p id="_mcePaste" style="text-align: justify; ">UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken.</p>
<p style="text-align: justify; ">UIDAI clarified in a press statement that displayed demographic information cannot be misused; it would need to be paired with an individual’s biometrics.</p>
<p style="text-align: justify; ">There are more than 1.19 billion Aadhaar card holders in the country.</p>
<p style="text-align: justify; "><span>“If it is not a data breach, then this means that some people who have legitimate access to the data are selling it illegitimately. This poses a greater problem,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database'>http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-07T12:03:13Z | News Item
Should Aadhaar be mandatory?
http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory
<b>This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/647320/should-aadhaar-mandatory.html">Deccan Herald</a> on December 9, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due to its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.</p>
<p style="text-align: justify; ">Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.<br /><br />Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br /><br />The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.<br /><br />In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.<br /><br />Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.<br /><br />At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. 
The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.<br /><br />It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.<br /><br />However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties, permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.<br /><br />This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.<br /><br />Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.<br /><br />The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances. <br /><br />How may the issues finally be resolved? 
When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.<br /><br />In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.<br /><br />Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on how the judges choose to interpret it.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory'>http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory</a>
</p>
No publisher | amber | Aadhaar | Internet Governance | Privacy | 2017-12-18T15:54:39Z | Blog Entry
Checks and balances needed for mass surveillance of citizens, say experts
http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts
<b>A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts. </b>
<p style="text-align: justify; ">The article by Peerzada Abrar was <a class="external-link" href="http://www.thehindu.com/business/Industry/checks-and-balances-needed-for-mass-surveillance-of-citizens-say-experts/article21381478.ece">published in the Hindu</a> on December 9, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.</p>
<p style="text-align: justify; ">The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.</p>
<p style="text-align: justify; ">The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key <a href="http://www.thehindu.com/tag/1401-1400-1349/data-protection/?utm=bodytag"><b>data protection </b></a>issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?</p>
<p style="text-align: justify; ">“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.</p>
<p style="text-align: justify; ">Mr. Abraham said that his organisation had proposed to the UIDAI that it use ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or the banks. Instead, when the citizens used various services via smart cards or pins, a token got generated, which was controlled by the UIDAI. Organisations like banks and telecom firms can store those token numbers in their database. He said this would make it harder for unauthorised parties to combine databases, but at the same time would enable law enforcement agencies to combine databases using the appropriate authorizations and infrastructure.</p>
<p style="text-align: justify; ">“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.</p>
<p style="text-align: justify; ">Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.</p>
<p style="text-align: justify; ">“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance’,” he said.</p>
<p style="text-align: justify; "><b>Artificial Intelligence</b></p>
<p style="text-align: justify; ">A large amount of information, or Big Data, ranging from financial and health to political insights of people, is being collected by different organisations and service providers and is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what would happen if all of this data were aggregated and, using artificial intelligence and machine learning, one were able to analyse it and profile individuals. He said “would that be not a terrifying scenario” where the State can act as a super-monitor for citizens. He asked how citizens can be guarded against it.</p>
<p style="text-align: justify; ">Mr. Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.</p>
<p style="text-align: justify; ">“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr. Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts'>http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2017-12-16T14:32:23Z | News Item
Masking personal data to protect privacy crucial for India, say experts
http://editors.cis-india.org/internet-governance/news/masking-personal-data-to-protect-privacy-crucial-for-india-say-experts
<b>Finding a way to protect privacy is critical, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.</b>
<p style="text-align: justify; ">The article by Deepti Govind was published in <a class="external-link" href="http://www.livemint.com/Technology/CTcE0FEunaE0aouBIYoqMJ/Masking-personal-data-to-protect-privacy-crucial-for-India.html">Livemint</a> on December 11, 2017</p>
<hr />
<p style="text-align: justify; ">Using the concept of de-identification to protect an individual’s right to privacy and creating laws that constantly re-evaluate the difference between harmful and good use of data is crucial for India, according to an expert panel on data privacy.</p>
<p style="text-align: justify; ">That could mean developing a token system that lets the Unique Identification Authority of India (UIDAI) hold a master-list of data through Aadhaar, while generating token numbers for all other Know Your Customer (KYC) requirements, suggested the panel at the Global Technology Summit hosted by think-tank Carnegie India.</p>
<p style="text-align: justify; ">“If we can implement de-identification principles in government collection and storage of data, even if that data is displayed on the website it cannot be correlated to an individual. And if it can’t be correlated to an individual then immediately that data is not as dangerous as it could be,” said Rahul Matthan, partner at Trilegal and a <i>Mint</i> columnist.</p>
<p style="text-align: justify; ">In theory, de-identification could include anything from deleting or masking personal identifiers, like names, to generalizing or suppressing others, like an individual’s pin code.</p>
<p style="text-align: justify; ">Finding a way to protect privacy is critical for India, with the Supreme Court hearing petitions challenging the mandatory linking of Aadhaar to avail various social and welfare benefits.</p>
<p style="text-align: justify; ">One of the grounds for challenge is that the use of biometric information of an individual encroaches upon the individual’s privacy.</p>
<p style="text-align: justify; ">The Centre for Internet and Society, a Bengaluru-based research organisation, proposed that the UIDAI use tokens for KYC requirements. Under this method an individual can use a smart card and a personal identification number (PIN), rather than biometrics, at a UIDAI-controlled booth and generate a token number. That token number can be submitted to a telephone operator or a bank.</p>
<p style="text-align: justify; ">“UIDAI is currently considering this. They call it the dummy or virtual Aadhaar numbers. Under this a single agency cannot pull off the surveillance completely by themselves. So there is both a technical and institutional check,” said Sunil Abraham, executive director of the Centre for Internet and Society.</p>
<p style="text-align: justify; ">Another method could be shifting the emphasis to revoking consent rather than grant of consent to collect and store data.</p>
<p style="text-align: justify; ">This could be done using the same method that currently exists to filter unwanted calls and messages on phones via the do-not-disturb registry. But over and above these, creating the right regulatory framework is important.</p>
<p style="text-align: justify; ">“It has become absolutely necessary to have in place a law which governs the usage of misuse of data,” said former Supreme Court justice B.N. Srikrishna.</p>
<p style="text-align: justify; ">Srikrishna used to head a 10-member committee of experts constituted by the government to study various issues related to data protection, make specific suggestions on the principles to be considered and suggest a draft data protection bill.</p>
<p style="text-align: justify; ">The data protection law must balance the interests of all three stakeholders—the common citizens, data collectors and the state—and not focus on just one or two, Srikrishna said on Friday. There should also be methods in place to penalize or impose fines on companies or agencies in case of data breaches or misuses, he added. But imposing fines is not the ideal solution, according to experts.</p>
<p style="text-align: justify; ">“It’s really critical that we think about building in incentives to do better. If every violation results in a huge penalty, for instance, then the posture of companies will be a secretive, protective, legal defence posture rather than one that strives to constantly improve practices and technologies,” said Facebook Inc.’s global deputy chief privacy officer, Stephen Deadman.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/masking-personal-data-to-protect-privacy-crucial-for-india-say-experts'>http://editors.cis-india.org/internet-governance/news/masking-personal-data-to-protect-privacy-crucial-for-india-say-experts</a>
</p>
No publisher | Admin | Internet Governance | Privacy | 2017-12-16T14:27:34Z | News Item
Deadline For Linking Bank Accounts With Aadhaar To Be Extended To 31 March
http://editors.cis-india.org/internet-governance/news/deadline-for-linking-bank-accounts-with-aadhaar-to-be-extended-to-31-march
<b>The government does away with the existing deadline of 31 December for linking of bank accounts with Aadhaar and PAN</b>
<p style="text-align: justify; ">The article by Komal Gupta and Ramya Nair was published in <a class="external-link" href="http://www.livemint.com/Politics/EtNWlheQgO5lhQXF7qVfyH/Deadline-for-linking-bank-accounts-with-Aadhaar-to-be-extend.html">Livemint</a> on December 14, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government on Wednesday extended the deadline for linking of bank accounts with Aadhaar to 31 March, in line with its submission to the Supreme Court.</p>
<p style="text-align: justify; ">The earlier deadline was 31 December.</p>
<p style="text-align: justify; ">Bank account holders will have to furnish their 12-digit unique biometric identity number and Permanent account number or PAN by 31 March or within six months of opening the account, whichever is earlier, said a statement from the finance ministry.</p>
<p style="text-align: justify; ">This will provide temporary relief to crores of bank account holders who had not linked their bank accounts with the 12-digit unique identity number.</p>
<p style="text-align: justify; ">Last week, the income tax department had extended the deadline for linking of Aadhaar with the permanent account number to 31 March from 31 December.</p>
<p style="text-align: justify; ">The move comes a day before a Constitution bench of the Supreme Court starts hearing the issue of stay against mandatory linking of Aadhaar with bank accounts and mobile phone numbers.</p>
<p style="text-align: justify; ">The statement added that the bank account will cease to be operational in case of failure to furnish Aadhaar and PAN as on 31 March or at the end of six months. The account will become operational again only after the furnishing of documents.</p>
<p style="text-align: justify; ">“This is just a gesture from the government, seeking to avoid the court granting an interim stay against the mandatory linkage of Aadhaar with bank accounts. This apparent extension won’t truly help ordinary people, who will continue being harassed through constant messages urging them to provide their Aadhaar number to continue receiving entitlements, services, and for access to one’s own money,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/deadline-for-linking-bank-accounts-with-aadhaar-to-be-extended-to-31-march'>http://editors.cis-india.org/internet-governance/news/deadline-for-linking-bank-accounts-with-aadhaar-to-be-extended-to-31-march</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2017-12-16T13:24:59Z | News Item
Artificial Intelligence - Literature Review
http://editors.cis-india.org/internet-governance/blog/artificial-intelligence-literature-review
<b>With origins dating back to the 1950s, Artificial Intelligence (AI) is not necessarily new. However, interest in AI has been rekindled over the last few years, in no small measure due to the rapid advancement of the technology and its applications to real-world scenarios. In order to create policy in the field, understanding the literature regarding existing legal and regulatory parameters is necessary. This Literature Review is the first in a series of reports that seeks to map the development of AI, both generally and in specific sectors, culminating in a stakeholder analysis and contributions to policy-making. This Review analyses literature on the historical development of the technology, its compositional makeup, sector-specific impacts and solutions and finally, overarching regulatory solutions.</b>
<p>Edited by Amber Sinha and Udbhav Tiwari; Research Assistance by Sidharth Ray</p>
<hr />
<p style="text-align: justify; ">With origins dating back to the 1950s, Artificial Intelligence (AI) is not necessarily new. However, with an increasing number of real-world implications, interest in AI has been reignited over the last few years.</p>
<p style="text-align: justify; ">The rapid and dynamic pace of development of AI has made it difficult to predict its future path and is enabling it to alter our world in ways we have yet to comprehend. This has resulted in law and policy having stayed one step behind the development of the technology.</p>
<p style="text-align: justify; ">Understanding and analyzing existing literature on AI is a necessary precursor to subsequently recommending policy on the matter. By examining academic articles, policy papers, news articles, and position papers from across the globe, this literature review aims to provide an overview of AI from multiple perspectives.</p>
<p style="text-align: justify; ">The structure taken by the literature review is as follows:</p>
<ol>
<li>Overview of historical development</li>
<li>Definitional and compositional analysis</li>
<li>Ethical & Social, Legal, Economic and Political impact and sector-specific solutions</li>
<li>The regulatory way forward</li>
</ol>
<p style="text-align: justify; ">This literature review is a first step in understanding the existing paradigms and debates around AI before narrowing the focus to more specific applications and subsequently, policy-recommendations.</p>
<p style="text-align: justify; "><a class="external-link" href="http://cis-india.org/internet-governance/files/artificial-intelligence-literature-review"><b>Download the full literature review</b></a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/artificial-intelligence-literature-review'>http://editors.cis-india.org/internet-governance/blog/artificial-intelligence-literature-review</a>
</p>
No publisher | Shruthi Anand | Internet Governance | Artificial Intelligence | Privacy | 2017-12-18T15:12:52Z | Blog Entry
Breeding misinformation in virtual space
http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-december-3-2017-
<b>A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy.</b>
<p style="text-align: justify; ">The phenomenon of fake news has received significant scholarly and media attention over the last few years. In March, Sir Tim Berners-Lee, inventor of the World Wide Web, called for a crackdown on fake news, stating in an open letter that “misinformation, or fake news, which is surprising, shocking, or designed to appeal to our biases, can spread like wildfire.”</p>
<p style="text-align: justify; ">Gartner, which annually predicts what the next year in technology will look like, highlighted ‘increased fake news’ as one of its predictions.</p>
<p style="text-align: justify; ">The report states that by 2022, “majority of individuals in mature economies will consume more false information than true information. Due to its wide popularity and reach, social media has come to play a central role in the fake news debate.”</p>
<p style="text-align: justify; ">Researchers have suggested that rumours penetrate deeper within a social network than outside, indicating the susceptibility of this medium. Social networks such as Facebook and communities on messaging services such as WhatsApp groups provide the perfect environment for spreading rumours. Information received via friends tends to be trusted, and online networks allow individuals to transmit information to many friends at once.</p>
<p style="text-align: justify; ">In order to understand the recent phenomenon of fake news, it is important to recognise that the problem of misinformation and propaganda has existed for a long time. The historical examples of fake news go back centuries where, prior to his coronation as Roman Emperor, Octavian ran a disinformation campaign against Marcus Antonius to turn the Roman populace against him.</p>
<p style="text-align: justify; ">The advent of the printing press in the 15th century led to widespread publication; however, there were no standards of verification and journalistic ethics. Andrew Pettegree writes in his The Invention of News that news reporting in the 16th and 17th centuries was full of portents about “comets, celestial apparitions, freaks of nature and natural disasters.”</p>
<p style="text-align: justify; ">In India, the immediate cause for the 1857 War of Independence was rumours that the bones of cows and pigs were mixed with flour and used to grease the cartridges used by the sepoys.</p>
<p style="text-align: justify; ">Leading up to the Second World War, the radio emerged as a strong medium for dissemination of disinformation, used by the Nazis and other Axis powers. More recently, the milk miracle in the mid-1990s consisting of stories of the idol of Ganesha drinking milk was a popular fake news phenomenon. In 2008, rumours about the popular snack, Kurkure, being made out of plastic became so widespread that Pepsi, its holding company, had to publicly rebut them.</p>
<p style="text-align: justify; ">A quick survey by us at the Centre for Internet and Society, for a forthcoming report, of the different kinds of misinformation being circulated in India, suggested four different kinds of fake news.</p>
<p style="text-align: justify; ">The first is a case of manufactured primary content. This includes instances where the entire premise on which an argument is based is patently false. In August 2017, a leading TV channel reported that electricity had been cut to the Jama Masjid in New Delhi for non-payment of bills. This was based on a false report carried by a news portal.</p>
<p style="text-align: justify; ">The second kind of fake news involves manipulation or editing of primary content so as to misrepresent it as something else. This form of fake news is often seen with respect to multimedia content such as images, pictures, audios and videos. These two forms of fake news tend to originate outside traditional media such as newspapers and television channels, and can be often sourced back to social media and WhatsApp forwards.</p>
<p style="text-align: justify; ">However, we see such unverified stories being picked up by traditional media. Further, there are instances where genuine content such as text and pictures are shared with fallacious contexts and descriptions. Earlier this year, several dailies pointed out that an image shared by the ministry of home affairs, purportedly of the floodlit India-Pakistan border, was actually an image of the Spain-Morocco border. In this case, the image was not doctored but the accompanying information was false.</p>
<p style="text-align: justify; ">Third, more complicated cases of misinformation involve the primary content itself not being false or manipulated, but the facts when they are reported may be quoted out of context. Most examples of misinformation spread by mainstream media, which has more evolved systems of fact checking and verification, and editorial controls, would tend to fall under this.</p>
<p style="text-align: justify; ">Finally, there are instances of lack of diligence in fully understanding the issues before reporting. Such misrepresentations are often encountered while reporting in fields that require specialised knowledge, such as science and technology, law, finance etc. Such forms of misinformation, while not suggestive of mala fide intent, can still prove to be quite dangerous in shaping erroneous opinions.</p>
<p style="text-align: justify; ">While the widespread dissemination of fake news contributes greatly to its effectiveness, it also has a lot to do with the manner in which it is designed to pander to our cognitive biases. Directionally motivated reasoning prompts people confronted with political information to process it with an intention to reach a certain pre-decided conclusion, and not with the intention to assess it in a dispassionate manner. This further results in greater susceptibility to confirmation bias, disconfirmation bias and prior attitude effect.</p>
<p style="text-align: justify; ">Fake news is also linked to the idea of “naïve realism,” the belief people have that their perception of reality is the only accurate view, and those in disagreement are necessarily uninformed, irrational, or biased. This also explains why so much fake news simply does not engage with alternative points of view.</p>
<p style="text-align: justify; ">A well-informed citizenry and institutions that provide good information are fundamental to a functional democracy. The use of the digital medium for fast, unhindered and unchecked spread of information presents a fertile ground for those seeking to spread misinformation. How we respond to this issue will be vital for democratic societies in our immediate future. Fake news presents a complex regulatory challenge that requires the participation of different stakeholders such as the content disseminators, platforms, norm guardians which include institutional fact checkers, trade organisations, and “name-and-shaming” watchdogs, regulators and consumers.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-december-3-2017-'>http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-december-3-2017-</a>
</p>
No publisher | amber | Internet Governance | Privacy | 2017-12-08T02:24:29Z | Blog Entry
Aadhaar linking deadline approaches: Here are all the myths and facts
http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts
<b>Love it or hate it, you just can't escape it. We're talking about Aadhaar, which is a bigger buzzword than usual in the face of the looming end-December deadline for linkages with bank accounts, PPF, insurance policies, ration card and perhaps even PAN. As India rushes to comply, there are a number of myths and half-truths making the rounds.</b>
<p style="text-align: justify; ">The article was published by <a class="external-link" href="http://www.businesstoday.in/current/policy/aadhar-linking-deadline-last-day-uidai-bank-account/story/265465.html">Business Today</a> on December 7, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The official website of the Unique Identification Authority of India (UIDAI), the body issuing the biometrics-based Aadhaar number, helpfully lists out some of them, while others came to light when activists took up cudgels on behalf of Aadhaar-harassed citizens. But, either way, you need to know the hard truth behind them.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar-linkage is not only mandatory for every Indian citizen but also every person residing in the country.<br /><strong>Fact:</strong> In a notification dated May 11, 2017, the Central Board of Direct Taxes exempted the following categories from mandatory Aadhaar enrolment: <br />Those who are not citizens of India, non-resident Indians as per Income Tax Laws, those aged over 80 years at any time during the tax year, and the residents of Assam, Meghalaya and Jammu & Kashmir.</p>
<p style="text-align: justify; ">The UIDAI has also made it clear that NRIs and those holding the Overseas Citizen of India (OCI) card are not eligible to obtain Aadhaar as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. "NRI/OCI need not verify their bank account or SIM or PAN with Aadhaar. If required, they may inform the service provider(s) that they being NRI/OCI are exempted from Aadhaar verification," the UIDAI had said on Twitter way back in October, and followed it up with a circular in mid-November.</p>
<p style="text-align: justify; ">As per the Aadhaar Act, only a "resident" is entitled to obtain Aadhaar, which refers to an individual, irrespective of nationality, who has resided in India for a period aggregating 182 days or more in the year immediately preceding the date of application for enrolment. So, this means that even NRIs and expats fulfilling the above criteria can apply for Aadhaar, but they cannot be forced to link their Indian bank accounts with it.<br /><strong><br />Myth:</strong> I had to give my fingerprints to get a SIM card and now the telecom company will keep my biometrics for future use<br /><strong><br />Fact:</strong> According to UIDAI, a telecom company cannot store your biometrics at its end. All the biometrics collected should be encrypted by the service provider and sent to UIDAI at that instant itself. Any storage of biometrics by any agency is a serious crime punishable with up to three years of imprisonment under the Aadhaar Act.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar is prone to data breaches and leaks<strong><br />Fact: </strong>Yes, there have been at least two serious leaks reported in the media, but the UIDAI has denied both of them.</p>
<p style="text-align: justify; ">In May 2017, The Centre for Internet and Society, a Bangalore-based non-profit research organisation, had reportedly investigated three government portals linked with social welfare schemes that together leaked Aadhaar information of around 1.3 crore people. Then, two months later, came news about over 200 government websites making Aadhaar information public. This raised a lot of concerns and detractors cried themselves hoarse.</p>
<p style="text-align: justify; ">According to the UIDAI, some agencies of central or state governments had been proactively putting up details of their beneficiaries as required under the RTI Act. While the said information was promptly removed from the offending websites, the authority points out that no biometrics were displayed.</p>
<p style="text-align: justify; ">"Therefore to say that Aadhaar has been breached, data has been leaked, is completely incorrect and misleading," it says.</p>
<p style="text-align: justify; ">Moreover, the Aadhaar Act and IT Act are now in place, which impose restrictions on publication of Aadhaar numbers, bank account, and other personal details.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar has a poorly verified database.<br /><strong>Fact:</strong> Several security measures are in place to ensure that the Aadhaar enrolment system is secure. Enrolment is done through registrars (credible institutions like state government, banks, Common Service Centres), which employ enrolment agencies empanelled by UIDAI. The latter, in turn, employ operators certified by the authority. Aadhaar enrolments are done only through customized software developed and provided by UIDAI. Every day, the operators have to log into the enrolment machine through their Aadhaar number and fingerprints. Once an enrolment is done, the operator is required to sign through his/her biometrics. Moreover, at the time of enrolment itself, the captured data is encrypted and can't be read by anyone other than the UIDAI server.</p>
<p style="text-align: justify; "><strong>Myth:</strong> People are being denied benefits and rations because they don't have Aadhaar or because of biometrics issues<strong><br />Fact:</strong> UIDAI CEO Ajay Bhushan Pandey has clarified to the media that though Section 7 of the Aadhaar Act stipulates that benefits and subsidies from the Consolidated Fund of India shall be given on the basis of Aadhaar or proof of possession of an Aadhaar number, the lack of it cannot be grounds for denial. "Section 7 specifies that till Aadhaar number is prescribed, the benefits should be given through alternate means of identification," Pandey said to The Hindu.</p>
<p style="text-align: justify; ">The Act also provides for statutory protection to those who are unable to authenticate because of worn-out fingerprints, medical conditions like leprosy or other reasons such as technical faults. "The field agencies have been accordingly instructed through the notifications issued by the government. In spite of this, if a person is denied because he does not have Aadhaar or he is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the government and such violators have to be punished," added Pandey.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Publicly sharing the Aadhaar number, to track a lost Amazon package, for instance, makes one susceptible to identity fraud<br /><strong>Fact:</strong> Your Aadhaar number, just like your mobile phone number or bank account number, is not a secret though it is certainly sensitive personal information. Just as no one can hack into your bank account using just the account number, identity theft is impossible using the Aadhaar number alone.</p>
<p style="text-align: justify; ">What you need to assiduously protect are things like passwords, including OTPs, and PINs. A prudent practice would be to never put up any sensitive personal information on websites or social media platforms.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts'>http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-01T16:04:25Z | News Item
India’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach
http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime
<b>We must move India past its existing consultative processes for rule-making, which often prompts stakeholders to take adversarial and extremely one-sided positions.
</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="https://thewire.in/201123/inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime/">Wire</a> on December 1, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Earlier this week, the Ministry of Electronics and Information Technology released <a title="a white paper" href="http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited" target="_blank"><span style="text-decoration: underline;">a white paper</span></a> by a “committee of experts” appointed a few months back led by former Supreme Court judge, Justice B.N. Srikrishna, on a data protection framework for India. The other members of the committee are Aruna Sundararajan, Ajay Bhushan Pandey, Ajay Kumar, Rajat Moona, Gulshan Rai, Rishikesha Krishnan, Arghya Sengupta and Rama Vedashree.</p>
<p style="text-align: justify; ">With the exception of Justice Srikrishna and Krishnan, the rest of the committee members are either part of the government or part of organisations that have worked closely with the government on separate issues relating to technology, with some of them also having taken positions against the fundamental right to privacy.</p>
<p style="text-align: justify; ">Refreshingly, the committee and the ministry have opted for a consultative process outlining the issues they felt relevant to a data protection law, and espousing provisional views on each of the issues and seeking public responses on them. The paper states that on the basis of the response received, the committee will conduct public consultations with citizens and stakeholders. Legitimate concerns <a title="were raised earlier" href="http://indianexpress.com/article/india/citizens-group-questions-data-privacy-panel-composition-aadhaar-4924220/" target="_blank"><span style="text-decoration: underline;">were raised earlier</span></a> about the constitution of the committee and the lack of inclusion of different voices on it. However, if the committee follows an inclusive, transparent and consultative process in the drafting of the data protection legislation, it would go a long way in addressing these concerns.</p>
<p style="text-align: justify; ">The paper seeks response to as many as 231 questions covering a broad spectrum of issues relating to data protection – including definitions of terms such as personal data, sensitive personal data, processing, data controller and processor – the purposes for which exemptions should be available, cross border flow of data, data localisation and the right to be forgotten.</p>
<p style="text-align: justify; ">While a thorough analysis of all the issues up for discussion would require a more detailed evaluation, at this point, the process of rule-making and the kind of governance model envisaged in this paper are extremely important issues to consider.</p>
<p style="text-align: justify; ">In part IV of the paper on ‘Regulation and Enforcement’, there is a discussion on a co-regulatory approach for the governance of data protection in India. The paper goes so far as to provisionally take a view that it may be appropriate to pursue a co-regulatory approach which involves “a spectrum of frameworks involving varying levels of government involvement and industry participation”.</p>
<p style="text-align: justify; ">However, the discussion on co-regulation in the white paper is limited to the section on regulation and enforcement. A truly inclusive and co-regulatory approach ought to involve active participation from non-governmental stakeholders in the rule-making process itself. In India, unfortunately, we lack a strong tradition of lawmakers engaging in public consultations and participation of other stakeholders in the process of drafting laws and regulation. One notable exception has been the Telecom Regulatory Authority of India (TRAI), which periodically seeks public responses on consultation papers it releases and also holds open houses occasionally. It is heartening to see the committee of experts and the ministry follow a similar process in this case.</p>
<p style="text-align: justify; ">However, these are essentially examples of ‘notice and comment’ rulemaking where the government actors stand as neutral arbiters who must decide on written briefs submitted to it in response to consultation papers or draft regulations that it notifies to the public.</p>
<p style="text-align: justify; ">This process is, by its very nature, adversarial, and often means that different stakeholders do not reveal their true priorities but must take extreme one-sided positions, as parties tend to at the beginning of a negotiation. This also prevents the stakeholders from sharing an honest assessment of the actual regulatory challenge they may face, lest it undermine their position.</p>
<p style="text-align: justify; ">This often pits industry and public interest proponents against each other, sometimes also leading to different kinds of industry actors in adversarial positions. An excellent example of this kind of posturing, also relevant to this paper, is visible in the responses submitted to the TRAI on its recent consultation paper on ‘Privacy, Security and Ownership of data in Telecom Sector’. One of the more contentious issues raised by the TRAI was about the adequacy of the existing data protection framework under the license agreement with telecom companies, and if there was a need to bring about greater parity in regulation between telecom companies and over-the-top (OTT) service providers. Rather than facilitating an actual discussion on what is a complex regulatory issue, and the real practical challenges it poses for the stakeholders, this form of consultation simply led to the telecom companies and OTT services providers submitting contrasting extreme positions without much scope for engagement between two polar arguments.</p>
<p style="text-align: justify; ">A truly co-regulatory approach which also extends to rulemaking would involve collaborative processes which are far less adversarial in their design and facilitate joint problem solving through multiple face to face meetings. Such processes are also more likely to lead to better rule making by using the more specialised knowledge of the different stakeholders about technology, domain-specific issues, industry realities and low cost solutions. Further, by bringing the regulated parties into the rulemaking process, the ownership of the policy is shared, often leading to better compliance.</p>
<p style="text-align: justify; ">Within the domain of data protection law itself, we have a few existing models of robust co-regulation which entail the involvement of stakeholders not just at the level of enforcement but also at the level of drafting. The oldest and most developed form of this kind of privacy governance can be seen in the study of the Dutch privacy statute. It involved a central privacy legislation with broad principles, sectoral industry-drafted “codes of conduct”, government evaluations and certifications of these codes; and a legal safe harbour for those companies that follow the approved code for their sector. Over a period of 20 years, the Dutch experience saw the approval of 20 sectoral codes across a variety of sectors such as banking, insurance, pharmaceuticals, recruitment and medical research.</p>
<p style="text-align: justify; ">Other examples of policies espousing this approach include two documents from the US – first, a draft bill titled ‘Commercial Privacy Bill of Rights Act of 2011’ introduced before the Congress by John McCain and John Kerry, and second, a White House Paper titled ‘Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy’ released by the Obama administration. Neither of these documents has so far led to a concrete policy. Both of these policies envisioned broadly worded privacy requirements to be passed by the Congress, followed by the detailed rules to be drafted. The Obama administration white paper is more inclusive in mandating that ‘multi-stakeholder groups’ draft the codes that include not only industry representatives but also privacy advocates, consumer groups, crime victims, academics, international partners, federal and state civil and criminal law enforcement representatives and other relevant groups.</p>
<p style="text-align: justify; ">The principles that emerge out of this consultative process are likely to guide the data protection law in India for a long time to come. Among democratic regimes with a significant data-driven market, India is extremely late in arriving at a data protection law. The least that it can do at this point is to learn from the international experience and scholarship which has shown the merits of a co-regulatory approach which entails active participation of the government, industry, civil society and academia in the drafting and enforcement of a robust data protection law.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime'>http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime</a>
</p>
No publisher | amber | Aadhaar | Internet Governance | Privacy | 2018-01-01T16:18:54Z | Blog Entry