The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 3.
(Updated) Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information
http://editors.cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1
<b>Since its inception in 2009, the Aadhaar project has been shrouded in controversy due to various questions raised about privacy, technological issues, welfare exclusion, and security concerns. In this study, we document numerous instances of publicly available Aadhaar Numbers along with other personally identifiable information (PII) of individuals on government websites. This report highlights four government projects run by various government departments that have made sensitive personal financial information and Aadhaar numbers public on the project websites.
</b>
<p> </p>
<h4>Read the updated report: <a class="external-link" href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the first statement of clarification (May 16, 2017): <a class="external-link" href="https://cis-india.org/internet-governance/clarification-on-information-security-practices-of-the-aadhaar-report/" target="_blank">Download</a> (pdf)</h4>
<h4>Read the second statement of clarification (November 05, 2018): <a class="external-link" href="https://cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report" target="_blank">Link to page</a> (html)</h4>
<hr />
<p><em>We are grateful to Yesha Paul and VG Shreeram for research support.</em></p>
<hr />
<p>In the last month, there have been various reports pointing out instances of the public disclosure of Aadhaar number through various databases, accessible easily on Twitter under the hashtag #AadhaarLeaks. Most of these public disclosures reported contain personally identifiable information of beneficiaries or subjects of the non UIDAI databases containing Aadhaar numbers of individuals along with other personal identifiers. All of these public disclosures are symptomatic of a significant and potentially irreversible privacy harm, however we wanted to point out another large fallout of such events, those that create a ripe opportunity for financial fraud. For this purpose, we identified benefits disbursement schemes which would require its databases to store financial information about its subjects. During our research, we encountered numerous instances of publicly available Aadhaar Numbers along with other PII of individuals on government websites. In this paper, we highlight four government projects run by various government departments with publicly available financial data and Aadhaar numbers. Our research is focussed largely on the data published by or pertaining to where Aadhaar data is linked with banking information. We chose major government programmes using Aadhaar for payments and banking transactions. We found sensitive and personal data and information very easily accessible on these portals.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1'>http://editors.cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1</a>
</p>
No publisherAmber Sinha and Srinivas KodaliDigital IDPrivacyNDSAPData ProtectionAccountabilityFeaturedData GovernanceAadhaarDigitisationHomepageInternet GovernanceData Management2019-03-13T00:29:01ZBlog EntrySubmitted Comments on the 'Government Open Data Use License - India'
http://editors.cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india
<b>The public consultation process of the draft open data license to be used by Government of India has ended yesterday. Here we share the text of the submission by CIS. It was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay.</b>
<p> </p>
<p><em>The following comments on the 'Government Open Data Use License - India' was drafted by Anubha Sinha, Pranesh Prakash, and Sumandro Chattapadhyay, and submitted through the <a href="https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/">MyGov portal</a> on July 25, 2016. The original submission can be found <a href="https://www.mygov.in/sites/default/files/mygov_146946521043358971.pdfh">here</a>.</em></p>
<hr />
<h2>I. Preliminary</h2>
<ol>
<li>This submission presents comments by the Centre for Internet and Society (“<strong>CIS</strong>”) <strong>[1]</strong> on the draft Government Open Data Use License - India (“<strong>the draft licence</strong>”) <strong>[2]</strong> by the Department of Legal Affairs.<br /><br /></li>
<li>This submission is based on the draft licence released on the MyGov portal on June 27, 2016 <strong>[3]</strong>.<br /><br /></li>
<li>CIS commends the Department of Ministry of Law and Justice, Government of India for its efforts at seeking inputs from various stakeholders prior to finalising its open data licence. CIS is thankful for the opportunity to have been a part of the discussion during the framing of the licence; and to provide this submission, in furtherance of the feedback process continuing from the draft licence.</li></ol>
<h2>II. Overview</h2>
<ol start="4">
<li>The Centre for Internet and Society is a non-governmental organisation engaged in research and policy work in the areas of, inter alia, access to knowledge and openness. This clause-by-clause submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved. Accordingly, the comments in this submission aim to further these principles and are limited to those clauses that most directly have an impact on them.</li></ol>
<h2>III. Comments and Recommendations</h2>
<ol start="5">
<li><strong>Name of the Licence:</strong> CIS recommends naming the licence “Open Data Licence - India” to reflect the nomenclature already established for similar licences in other nations like the UK and Canada. More importantly, the inclusion of the word ‘use’ in the original name “Government Open Data Use License” is misleading, since the licence permits use, sharing, modification and redistribution of open data.<br /><br /></li>
<li><strong>Change Language on Permissible Use of Data:</strong> The draft licence uses the terms “Access, use, adapt, and redistribute,” which are used in UNESCO’s definition of open educational resources, whereas, under the Indian Copyright Act <strong>[4]</strong>, it should cover “reproduction, issuing of copies,” etc. To resolve this difference, we suggest the following language be used: “Subject to the provisions of section 7, all users are provided a worldwide, royalty-free, non-exclusive licence to all rights covered by copyright and allied rights, for the duration of existence of such copyright and allied rights over the data or information.”<br /><br /></li>
<li><strong>Add Section on the Scope of Applicability of the Licence:</strong> It will be useful to inform the user of the licence on its applicability. The section may be drafted as: “This licence is meant for public use, and especially by all Ministries, Departments, Organizations, Agencies, and autonomous bodies of Government of India, when publicly disclosing, either proactively or reactively, data and information created, generated, collected, and managed using public funds provided by Government of India directly or through authorized agencies.”<br /><br /></li>
<li><strong>Add Sub-Clause Specifying that the Licence is Agnostic of Mode of Access:</strong> As part of the section 4 of the draft licence, titled ‘Terms and Conditions of Use of Data,’ a sub-clause should be added that specifies that users may enjoy all the freedom granted under this licence irrespective of their preferred mode of access of the data concerned, say manually downloaded from the website, automatically accessed via an API, collected from a third party involved in re-sharing of this data, accessed in physical/printed form, etc.<br /><br /></li>
<li><strong>Add Sub-Clause on Non-Repudiability and Integrity of the Published Data:</strong> To complement the sub-clause 6.e. that notes that data published under this licence should be published permanently and with appropriate versioning (in case of the published data being updated and/or modified), another sub-clause should be added that states that non-repudiability and integrity of published data must be ensured through application of real/digital signature, as applicable, and checksum, as applicable. This is to ensure that an user who has obtained the data, either in physical or digital form, can effectively identify and verify the the agency that has published the data, and if any parts of the data have been lost/modified in the process of distribution and/or transmission (through technological corruption of data, or otherwise).<br /><br /></li>
<li><strong>Combine Section 6 on Exemptions and Section 7 on Termination:</strong> Given that the licence cannot reasonably proscribe access to data that has already been published online, it is suggested that it would be better to simply terminate the application of the licence to that data or information that ought not to have been published for grounds provided under section 8 of the RTI Act, or have been inadvertently published. It should also be noted that section 8 of the RTI Act cannot be “violated” (as stated in Section 6.g. of the draft licence), since it only provides permission for the public authority to withhold information, and does not impose an obligation on them (or anyone else) to do so. The combined clause can read: “Upon determination by the data provider that specific data or information should not have been publicly disclosed for the grounds provided under Section 8 of the Right to Information Act, 2005, the data provider may terminate the applicability of the licence for that data or information, and this termination will have the effect of revocation of all rights provided under Section 3 of this licence.”<br /><br /></li>
<li>It will be our pleasure to discuss these submissions with the Department of Legal Affairs in greater detail, supplement these with further submissions if necessary, and offer any other assistance towards the efforts at developing a national open data licence.</li></ol>
<hr />
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf">https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/">https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/</a>.</p>
<p><strong>[4]</strong> See: <a href="http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf">http://www.copyright.gov.in/Documents/CopyrightRules1957.pdf</a>.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india'>http://editors.cis-india.org/openness/submitted-comments-on-the-government-open-data-use-license-india</a>
</p>
No publishersinhaOpen Government DataOpen LicenseOpen DataNDSAPFeaturedOpennessHomepage2016-07-26T09:23:48ZBlog EntryPublic Consultation for the First Draft of 'Government Open Data Use License - India' Announced
http://editors.cis-india.org/openness/public-consultation-for-the-first-draft-of-government-open-data-use-license-india-announced
<b>The first public draft of the open data license to be used by Government of India was released by the Department of Legal Affairs earlier this week. Comments are invited from general public and stakeholders. These are to be submitted via the MyGov portal by July 25, 2016. CIS was a member of the committee constituted to develop the license concerned, and we contributed substantially to the drafting process.
</b>
<p> </p>
<h4>Please read the call for comments <a class="external-link" href="https://www.mygov.in/group-issue/public-consultation-government-open-data-use-license-india/">here</a>.</h4>
<h4>The PDF version of the draft license document can be accessed <a class="external-link" href="https://www.mygov.in/sites/default/files/mygov_1466767582190667.pdf">here</a>.</h4>
<h4><em>Comments are to be submitted by July 25, 2016.</em></h4>
<hr />
<h4 style="text-align: center;"><strong>Government Open Data Use License - India</strong></h4>
<h4 style="text-align: center;"><strong>National Data Sharing and Accessibility Policy</strong></h4>
<h4 style="text-align: center;"><strong>Government of India</strong></h4>
<h2>1. Preamble</h2>
<p style="text-align: justify;">Structured data available in open format and open license for public access and use, usually termed as “Open Data,” is of prime importance in the contemporary world. Data also is one of the most valuable resources of modern governance, sharing of which enables various and non-exclusive usages for both commercial and non-commercial purposes. Licenses, however, are crucial to ensure that such data is not misused or misinterpreted (for example, by insisting on proper attribution), and that all users have the same and permanent right to use the data.</p>
<p style="text-align: justify;">The open government data initiative started in India with the notification of the National Data Sharing and Accessibility Policy (NDSAP), submitted to the Union Cabinet by the Department of Science and Technology, on 17th March 2012 <strong>[1]</strong>. The NDSAP identified the Department of Electronics & Information Technology (DeitY) as the nodal department for the implementation of the policy through National Informatics Centre, while the Department of Science and Technology continues to be the nodal department on policy matters. In pursuance of the Policy, the Open Government Data Platform India <strong>[2]</strong> was launched in 2012.</p>
<p style="text-align: justify;">While, the appropriate open formats and related aspects for implementation of the Policy has been defined in the “NDSAP Implementation Guidelines” prepared by an inter- ministerial Task Force constituted by the National Informatics Centre <strong>[3]</strong>, the open license for data sets published under NDSAP and through the OGD Platform remained unspecified till now.</p>
<h2>2. Definitions</h2>
<p style="text-align: justify;">a. <strong>“Data”</strong> means a representation of Information, numerical compilations and observations, documents, facts, maps, images, charts, tables and figures, concepts in digital and/or analog form, and includes metadata <strong>[4]</strong>, that is all information about data, and/or clarificatory notes provided by data provider(s), without which the data concerned cannot be interpreted or used <strong>[5]</strong>.</p>
<p style="text-align: justify;">b. <strong>“Information”</strong> means processed data <strong>[6]</strong>.</p>
<p style="text-align: justify;">c. <strong>“Data Provider(s)”</strong> means person(s) publishing and providing the data under this license.</p>
<p style="text-align: justify;">d. <strong>“License”</strong> means this document.</p>
<p style="text-align: justify;">e. <strong>“Licensor”</strong>means any data provider(s) that has the authority to offer the data concerned under the terms of this licence.</p>
<p style="text-align: justify;">f. <strong>“User”</strong> means natural or legal persons, or body of persons corporate or incorporate, acquiring rights in the data (whether the data is obtained directly from the licensor or otherwise) under this licence.</p>
<p style="text-align: justify;">g. <strong>“Use”</strong> includes lawful distribution, making copies, adaptation, and all modification and representation of the data, subject to the provisions of this License.</p>
<p style="text-align: justify;">h. <strong>“Adapt”</strong> means to transform, build upon, or to make any use of the data by itsre-arrangement or alteration <strong>[7]</strong>.</p>
<p style="text-align: justify;">i. <strong>“Redistribute”</strong> means sharing of the data by the user, either in original or in adapted form (including a subset of the original data), accompanied by appropriate attribute statement, under the same or other suitable license.</p>
<p style="text-align: justify;">j. <strong>“Attribution Statement”</strong> means a standard notice to be published by all users of data published under this license, that contains the details of the provider, source, and license of the data concerned <strong>[8]</strong>.</p>
<p style="text-align: justify;">k. <strong>“Personal Information”</strong> means any Information that relates to a natural person,which, either directly or indirectly, in combination with other Information available or likely to be available with a body corporate, is capable of identifying such person <strong>[9]</strong>.</p>
<h2>3. Permissible Use of Data</h2>
<p style="text-align: justify;">Subject to the conditions listed under section 7, the user may:</p>
<p style="text-align: justify;">a. Access, use, adapt, and redistribute data published under this license for all lawful and non-exclusive purposes, without payment of any royalty or fee;</p>
<p style="text-align: justify;">b. Apply this license worldwide, and in perpetuity;</p>
<p style="text-align: justify;">c. Access, study, copy, share, adapt, publish, redistribute and transmit the data in any medium or format; and</p>
<p style="text-align: justify;">d. Use, adapt, and redistribute the data, either in itself, or by combining it with other data, or by including it within a product/application/service, for all commercial and/or non-commercial purposes.</p>
<h2>4. Terms and Conditions of Use of Data</h2>
<p style="text-align: justify;">a. <strong>Attribution:</strong> The user must acknowledge the provider, source, and license of data by explicitly publishing the attribution statement, including the DOI (Digital Object Identifier), or the URL (Uniform Resource Locator), or the URI (Uniform Resource Identifier) of the data concerned.</p>
<p style="text-align: justify;">b. <strong>Attribution of Multiple Data:</strong> If the user is using multiple data together and/or listing of sources of multiple data is not possible, the user may provide a link to a separate page/list that includes the attribution statements and specific URL/URI of all data used.</p>
<p style="text-align: justify;"> c. <strong>Non-endorsement:</strong> The User must not indicate or suggest in any manner that the data provider(s) endorses their use and/or the user.</p>
<p style="text-align: justify;">d. <strong>No Warranty:</strong> The data provider(s) are not liable for any errors or omissions, and will not under any circumstances be liable for any direct, indirect, special, incidental, consequential, or other loss, injury or damage caused by its use or otherwise arising in connection with this license or the data, even if specifically advised of the possibility of such loss, injury or damage. Under any circumstances, the user may not hold the data provider(s) responsible for: i) any error, omission or loss of data, and/or ii) any undesirable consequences due to the use of the data as part of an application/product/service (including violation of any prevalent law).</p>
<p style="text-align: justify;">e. <strong>Permanent Disclosure and Versioning:</strong> The data provider(s) will ensure that a data package once published under this license will always remain publicly available for reference and use. If an already published data is updated by the provider, then the earlier appropriate version(s) must also be kept publicly available with accordance with the archival policy of the National Informatics Centre.</p>
<p style="text-align: justify;">f. <strong>Continuity of Provision:</strong>The data provider(s) will strive for continuously updating the data concerned, as new data regarding the same becomes available. However, the data provider(s) do not guarantee the continued supply of updated or up-to-date versions of the data, and will not be held liable in case the continued supply of updated data is not provided.</p>
<h2>5. Template for Attribution Statement</h2>
<p style="text-align: justify;">Unless the user is citing the data using an internationally accepted data citation format <strong>[10]</strong>, an attribution notice in the following format must be explicitly included:</p>
<p>“Data has been published by [Name of Data Provider] and sourced from Open Government Data (OGD) Platform of India: [Name of Data]. ([date of Publication: dd/mm/yyyy]) .[DOI / URL / URI]. Published under Open Government Data License - India: [URL of Open Data License – India].”</p>
<p>For example, “Data has been published by Ministry of Statistics and Programme Implementation and sourced from Open Government Data (OGD) Platform of India: Overall Balance of Payments. (08/09/2015). <a href="https://data.gov.in/catalog/overall-balance-payments">https://data.gov.in/catalog/overall-balance-payments</a>. Published under Open Government Data License - India: [URL of Open Data License - India].”</p>
<h2>6. Exemptions</h2>
<p style="text-align: justify;">The license does not grant the right to access, use, adapt, and redistribute the following kinds of data:</p>
<p style="text-align: justify;">a. Personal information;</p>
<p style="text-align: justify;">b. Data that the data provider(s) is not authorised to licence;</p>
<p style="text-align: justify;">c. Names, crests, logos and other official symbols of the data provider(s);</p>
<p style="text-align: justify;">d. Data subject to other intellectual property rights, including patents, trade-marks and official marks;</p>
<p style="text-align: justify;">e. Military insignia;</p>
<p style="text-align: justify;">f. Identity documents; and</p>
<p style="text-align: justify;">g. Any data publication of which may violate section 8 of the Right to Information Act, 2005 <strong>11</strong>.</p>
<h2>7. Termination</h2>
<p style="text-align: justify;">a. Failure to comply with stipulated terms and conditions will cause the user’s rights under this license to end automatically.</p>
<p style="text-align: justify;">b. Where the user’s rights to use data have terminated under the aforementioned clauses or any other Indian law, it reinstates:</p>
<p style="text-align: justify;">i. automatically, as of the date the violation is cured, provided it is cured within 30 days of the discovery of the violation; or</p>
<p style="text-align: justify;">ii. upon express reinstatement by the Licensor.</p>
<p style="text-align: justify;">c. For avoidance of doubt, this section does not affect any rights the licensor may have to seek remedies for violation of this license.</p>
<h2>8. Dispute Redressal Mechanism</h2>
<p style="text-align: justify;">This license is governed by Indian law, and the copyright of any data shared under this license vests with the licensor, under the Indian Copyright Act.</p>
<h2>9. Endnotes</h2>
<p><strong>[1]</strong> Ministry of Science and Technology. 2012. National Data Sharing and Accessibility Policy (NDSAP) 2012. Gazette of India. March 17. <a href="http://data.gov.in/sites/default/files/NDSAP.pdf">http://data.gov.in/sites/default/files/NDSAP.pdf</a>.</p>
<p><strong>[2]</strong> See: <a href="https://data.gov.in/">https://data.gov.in/</a>.</p>
<p><strong>[3]</strong> See section 3.2 of the Implementation Guidelines for National Data Sharing and Accessibility Policy (NDSAP) Version 2.2. <a href="https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf">https://data.gov.in/sites/default/files/NDSAP_Implementation_Guidelines_2.2.pdf</a>.</p>
<p><strong>[4]</strong> See section 2.1 of NDSAP 2012.</p>
<p><strong>[5]</strong> See section 2.6 of NDSAP 2012.</p>
<p><strong>[6]</strong> See section 2.7 of NDSAP 2012.</p>
<p><strong>[7]</strong> See section 2 (a) of Indian Copyright Act 1957. <a href="http://copyright.gov.in/Documents/CopyrightRules1957.pdf">http://copyright.gov.in/Documents/CopyrightRules1957.pdf</a>.</p>
<p><strong>[8]</strong> The template of the attribution statement is given in section 5 of the license.</p>
<p><strong>[9]</strong> See section 2 (i) of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511%281%29.pdf</a>.</p>
<p><strong>[10]</strong>For example, those listed in the DOI Citation Formatter tool developed by DataCite, CrossRef and others: <a href="http://crosscite.org/citeproc/">http://crosscite.org/citeproc/</a>.</p>
<p><strong>[11]</strong> See: <a href="http://rti.gov.in/webactrti.htm">http://rti.gov.in/webactrti.htm</a>.</p>
<div> </div>
<p>
For more details visit <a href='http://editors.cis-india.org/openness/public-consultation-for-the-first-draft-of-government-open-data-use-license-india-announced'>http://editors.cis-india.org/openness/public-consultation-for-the-first-draft-of-government-open-data-use-license-india-announced</a>
</p>
No publishersinhaOpen Government DataOpen LicenseOpen DataNDSAPFeaturedOpenness2016-06-30T09:41:07ZBlog Entry