Centre for Internet and Society

Experts stress on need for enhanced security

praskrishna — 2017-05-20T06:13:19Z

With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.

The article was published in the New Indian Express on May 6, 2017. Pranesh Prakash was quoted.

Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.

“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.

The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.

Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.

He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”

Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.

For more details visit http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security

IT Accessibility for People with Disabilities Policy and Guidelines

praskrishna — 2017-05-19T15:25:49Z

For more details visit http://editors.cis-india.org/accessibility/files/policy-and-guidelines.pdf

Expert Comments on CDAC document

praskrishna — 2017-05-19T15:17:58Z

For more details visit http://editors.cis-india.org/accessibility/files/expert-comments-on-cdac-document.pdf

Aadhaar data leak: Take precautions while sharing info on websites, MEITy tells all depts

praskrishna — 2017-05-19T14:59:38Z

‘Publishing identity info is in clear contravention of the provisions of the Aadhaar Act, 2016’

The article was published in the Indian Express on May 11, 2017.

In light of various Central and state government departments making public Aadhaar information of several users on their websites, the Ministry of Electronics and Information Technology (MEITy) has written to secretaries of all government departments asking them to sensitise the officials and take precautions while publishing or sharing data on their websites.

“It has come to notice that there have been instances wherein personal identity or information of residents, alongwith Aadhaar numbers and demographic information and other sensitive personal data such as bank details collected by ministries/departments, state departments for administration of welfare schemes etc. have been
published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24.

“Publishing identity information i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act, 2016 and constitutes an offence punishable with imprisonment up to three years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act, 2000 with violations liable to pay damages by way of compensation to persons affected,” she noted.

According to media reports, Aadhaar numbers of hundreds of thousands of pension beneficiaries were published on a state government website, and was followed by Chandigarh’s Food and Civil Supplies Department revealing the Aadhaar information of beneficiaries of public distribution system. Following Sundararajan’s letter, various central government ministries have issued advisories to sensitise the officials and the web information managers to comply with the IT Act.

Earlier this month, a report by non-profit organisation The Centre for Internet and Society noted that up to 13.5 crore Aadhaar numbers were exposed and were publicly available on government websites, with about 10 crore of these being linked to bank account details. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and Mahatma Gandhi National Rural Employment Guarantee Act, both under the rural development ministry. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the AP government: a daily online payments report under MGNREGA by the state government, and Chandranna Bima Scheme.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at,” the report stated.

The letter

“It has come to notice that there have been instances wherein…information of residents, alongwith Aadhaar numbers and demographic information…have been published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24

For more details visit http://editors.cis-india.org/internet-governance/news/the-indian-express-may-11-2017-aadhaar-data-leak-take-precautions-while-sharing-info-on-websites-meity-tells-all-depts

Taking Cognisance of the Deeply Flawed System That Is Aadhaar

praskrishna — 2017-05-19T14:52:58Z

Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.

The article by Shreyashi Roy was published in the Wire on May 10, 2017.

With the leak of 130 million Aadhaar numbers recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.

SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.

Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.

The leaks

The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.

He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.

The system

One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.

Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is not being able to distinguish between aliens and citizens and has begun denying the latter benefits.

The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?

The legal aspect

One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.

There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?

Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.

With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?

Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.

What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar

Revisiting Aadhaar: Law, Tech and Beyond

praskrishna — 2017-05-19T14:47:32Z

Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.

The panel consisted of:

Saikat Datta; Policy Director, Centre for Internet and Society (Moderator)
Anivar Aravind; Founder/Director at Indic Project
Anupam Saraph; Professor and Future Designer
Prasanna S; Advocate
Shyam Divan; Senior Advocate, Supreme Court
Srinivas Kodali; Co-founder at Open Stats
Osama Manzar; Founder and Director, Digital Empowerment Foundation
Usha Ramanathan; Legal Researcher

The panel was quite enlightening (and Saikat was a stellar moderator), with Mr. Divan's elucidation on the arguments made in the court for the Aadhaar case in particular being a great learning experience. Benjamin and Sheetal (both interns in the Delhi office) along with Sumandro also attended the event.

The other learning was that for people who have attended multiple such panels/seminars and meetings on Aadhaar, they can have a lot of repeated content. I passed on the feedback to SFLC about how they could possibly include a small 10 to 15 minute session in future such panels on developments since the previous such event on the Aadhaar and include practical aspects about what people can do about minimising the harms that we are all slowly being co opted into facing with the system.

More info about the event here.

For more details visit http://editors.cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond

Faking it on WhatsApp: How India's favourite messaging app is turning into a rumour mill

praskrishna — 2017-05-19T14:44:05Z

Spreading fast and wild on WhatsApp fake news about riots, ‘miracle’ currency

The article by Samarth Bansal was published in the Hindustan Times on May 19, 2017. Pranesh Prakash was quoted.

It didn’t take long after demonetisation for almost everyone to hear about the ‘special properties’ of the new Rs 2000 note, which was said to include a ‘built-in GPS-enabled nano-chip’. News of this high-tech feature spread rapidly, even though there was no notification about it from the Reserve Bank of India or any other government department. What there was, instead, was a popular WhatsApp message.

WhatsApp messages were involved in another fake-news controversy the very same month, when word of a salt shortage in North India spread widely. The fake news unleashed panic, and in Hyderabad, among other places, salt prices increased by a factor of four. It even extracted a victim, a woman died in Bakarganj Bazaar, Kanpur, when she slipped and fell into a drain in a panicked buying melee.

This isn’t the only time that fake news that circulated on WhatsApp led to violence. In 2013, messages sent on WhatsApp helped to incite riots in Muzaffarnagar. A two-year old video of a lynching in Pakistan was mischievously promoted as an attack on two Hindu boys by Muslims in Kawal village of Muzaffarnagar. The video, in turn, provoked calls for revenge. Though the police blocked the video on the internet, its spread could not be stopped on the app.

Facebook, WhatsApp’s parent company, has faced much flak for not curbing the circulation of fake news. On its part, Facebook has now said it will try to flag questionable news stories with the help of users and external fact checkers to cope with this problem.

But the instant messaging app poses similar challenges in a particularly intractable form. WhatsApp offers a particularly private medium of communication, something many people like about it. A case currently being heard at the Supreme Court of India concerns the protection of this very quality — while WhatsApp would like to allow Facebook to access its user data, a PIL contends that this move would be a violation of privacy.

The same factors of WhatsApp’s design that protect its users also make it difficult or impossible to study many aspects of communication on the platform. Even as anecdotal evidence piles up that WhatsApp is being used to distribute fake news, then, it remains hard to know just what is happening or what can be done in response.

Facebook vs WhatsApp

The differences between WhatsApp and Facebook dictate the ways people share news on each platform. “Facebook is a social platform where people express their concerns, react, and build perceptions based on an individual’s posts,” says Anoop Mishra, a digital marketing and social media consultant. “However, on WhatsApp, which is an end-to-end messaging platform, people share content in a more personal and closed way.”

It is because the primary mode of sharing on instant messaging apps is one-to-one, as opposed to the one-to-many relationship on Facebook, that the former feels more personal. This personal quality of most of the content shared directly or on small groups via WhatsApp carries with it the implicit endorsement of people you know. Given that the app is now a large and growing part of people’s lives on mobile devices, the way it influences news consumption demands more attention. “Lack of content moderation and privacy controls gives WhatsApp an edge over Facebook for sharing any type of multimedia content,” says Mishra.

For instance, to get your friends’ attention on Facebook, you need to tag them. Not every post by every friend shows up on your news feed; what you see is dictated by an algorithm. WhatsApp has a big advantage here since it works like a text message. You know that your message will be received by everyone you send it to.

A black hole for content

There is no non-anecdotal way to track the spread of content on WhatsApp. Facebook, for instance, is compatible with analytics tools capable of determining that a particular news report has been shared 7,000 times, say, or viewed 20,000 times.

Such analysis is not feasible with WhatsApp, which offers no way to mine social media data to understand the patterns, trends, or reach of any given message. Even its original source is completely opaque. What is true of particular texts also applies to the total sum of activity on WhatsApp: it is impossible to determine what kinds of messages the public is sharing most, what sorts of conditions people are sharing these messages in, or where in the world they are spreading.

Surpassing one billion

WhatsApp arrived in India at the beginning of the decade. At that time, chat apps were generally considered to be interchangeable with text messages. Today they’re widely understood to support sharing of all forms of multimedia content — photos, videos, audio files and even text documents.

Simplicity is one of WhatsApp’s signature virtues. All you need to do is download it: the programme automatically scans your phone book and links up with your contacts who are also users. Crucially, you don’t even need a password. According to Guide to Chat Apps, a report by the Tow Center for Digital Journalism at Columbia University, the requirement of a password is “a significant barrier to entry for many people in emerging markets when it comes to other apps and social media platforms.”

In February 2016, WhatsApp crossed the one billion mark for active users worldwide. India is its largest market, with about 160 million active users.

WhatsApping the news

WhatsApp’s reach and growing role in the consumption of photos and videos has prompted media companies to take it seriously as a distribution channel. A report by the Reuters Institute for the Study of Journalism highlights the increasing adoption of new social networks among young people and the growing importance of recommendations as a gateway to news. “The digital generation expects the news to come to them,” says the report’s author journalist Nic Newman in a press release. “Young people rarely go directly to a mainstream news website anymore.”

But unlike apps like WeChat and Snapchat, which are gaining currency among millennials, WhatsApp hasn’t positioned itself as a media distribution platform. Media organisations have been experimenting nonetheless. For instance, the BBC ran pilots on WhatsApp and WeChat for the Indian elections in 2014. Users subscribed to the BBC news service on WhatsApp by adding a number to their contacts and sending a request message to join. They were then put on a broadcast list that sent them up to three updates a day in Hindi and English. Many media outlets, including ours, now have a WhatsApp sharing icon on their mobile websites.

For all its susceptibility to the dissemination of fake news, WhatsApp presents unique challenges to the mass sharing of content, just as it does for the mass tracking of it. It has no official application program interface (API), the service which allows programmers to build applications that automate the functions of a platform. “An official WhatsApp API release could spawn an entirely new industry of startups, in much the same way that the release of Twitter’s API did,” says the Tow Center report. “Except this time, it could be even bigger, given WhatsApp’s near-billion account user base.” Reaching out to a wider audience on WhatsApp — with either fake or authentic news — needs to be performed manually, via broadcast lists, which allow you to send the same message to many people at once, and groups.

State of control

Fake news might lead only to harmless speculation or minor inconvenience, as it did with rumours about the Rs 2000 note, or it could be dangerous, as was the case during the Muzaffarnagar riots. Pranesh Prakash, a policy director at the Centre for Internet and Society, a research and advocacy group focused on digital technology, believes that social media rumours gain potency after the imposition of censorship, under which people begin to wonder what the government is trying to conceal. “There is no way rumours can be completely quelled,” he says, “but the state can act against rumours through clear communication that calls out particular rumours, and tells people not to believe them.”

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-samarth-bansal-faking-it-on-whatsapp-how-india-s-favourite-messaging-app-turned-into-a-rumour-mill

A 13-year-old's rape in TN highlights the major threat online sexual grooming poses to children

praskrishna — 2017-05-19T10:16:40Z

Predatory paedophiles online pose a major threat to children who form 7% of internet users in India.

The blog post by Priyanka Thirumurthy was published by News Minute on May 6, 2017. Pranesh Prakash was quoted.

It was a usual practice, for 13-year-old Meena* from Tirupur to log into her father's Facebook account when she came home from school. While she was scrolling through his timeline one day, she received and accepted a friend request from a profile named Siva Idiot on Facebook. When this 'new friend' sent her a “hi” on chat, the young girl found no reason to ignore this message. Over the next 10 days, they chatted incessantly and she revealed all her personal details - where she lived, studied, who her parents were and even her phone number. Siva Idiot then proceeded to begin calling her on a mobile phone and their conversations lasted hours.

Meanwhile, miffed by her lack of focus on her studies, Meena's parents often chastised her and threatened to take away her laptop and mobile phone. An upset Meena proceeded to complain to Siva Idiot about the 'problems' she faced, who provided emotional support to the teenager. He even offered to come meet her outside her home.

Meena's parents were out in their offices till 8pm every day and Siva Idiot knew this. He met Meena outside her home, when she was still upset about her parents' advice. Her 'friend' then convinced the teenager to leave her house and marry him. Fifteen days after she first spoke to him on Facebook, 13-year-old Meena ran away from home to 'get married' to 22-year-old Ibrahim.

Online sexual grooming

"This is a classic case of sexual grooming," says Vidya Reddy, of Tulir, Centre for Prevention and Healing of Child Sexual Abuse. "Abusers study a situation carefully to understand what a child's Achilles heel is and then exploit the situation. Now, with almost every child having accesses to technology and internet in the form of a laptop or phone, these criminals have found new platforms to target children," she adds.

What Vidya explains is called online sexual grooming, a worldwide phenomenon, that has spread along with the speed and easy access to the internet. According to UNICEF, it can be defined as preparing a child or adult for sexual abuse, exploitation or ideological manipulation. A report released by the organisation in 2014 states that the surge in mobile and internet usage in India had brought 400 million people online. Of this, seven percent of internet users in the country are reportedly children.

"Phones are now an extension of our hands and it has completely changed the way crime is committed and presented, " Vidya notes.

Even a report of the Parliamentary Committee on Information Technology in 2014 recognized the threat posed to children by predatory paedophiles online. It emphasises how these predators "conceal their true identity whilst using the internet to ‘groom’ potential victims for sexual purposes."

From home to horror

Meena too was unaware about the identity of the person she was chatting with. In fact, an officer told The News Minute, that it was only when Ibrahim called her on the phone that she even realised she had compromised all her data to an unknown man. But Ibrahim, as the police put it, was too smart for the girl.

"He spoke to her very nicely and formed an emotional connect before she even realised the dangers of the situation," a police officer told The News Minute. "He was just somebody who did odd jobs for a living but his real life was on Facebook. He has close to 5000 friends and they are all young girls," she admits.

On April 27, Ibrahim and Meena made their way to Puducherry, where they took shelter at his friend Prabhakar’s motel. That very night, Meena was allegedly raped. The next morning, Ibrahim's phone somehow came into her possession and when the child surfed through the picture gallery, fresh horror awaited her. It was filled with obscene pictures and videos of young women and children. Shocked, Meena confronted Ibrahim about this and the two got into a loud fight. An angry Ibrahim then abused the teenager who refused to leave with him and abandoned her in the lodge.

When the hotel manager and Ibrahim's friend Prabhakaran came to investigate the source of commotion, he found a devastated Meena alone in the room. In an effort to ‘cheer her up’ he took her out to eat and bought her clothes. As Meena changed in the room, Prabhakaran allegedly waited outside to make his move. He went into the room with a yellow thread in hand, and when she was ready, tied it around her neck and declared that they were married. He then proceeded, according to officials, to sexually assault the girl.

Prabhakaran had even mortgaged all her jewellery, given her some money and pocketed the rest. On April 29, the frightened and devastated teenager managed to escape from the lodge and make a call to her house from a nearby bus stop. By then, her parents had already filed a missing girl complaint with the Tirupur North police and were frantically searching for her.

The need to intervene

According to the UNICEF report, India falls largely short in terms of awareness about online child sexual abuse and exploitation. Parents, it claims, are not aware of the risks the internet poses and therefore do not respond effectively to this form of harassment.

"This case shows that parents and schools have to spend more time educating their wards on online safety. In many schools, non- digital safety lessons are imparted such as good touch and bad touch. But when it comes to the internet, they don't even impart basic lessons," says Pranesh Prakash, Director of the Centre for Internet and Society.

Pranesh argues that while parents cannot monitor children's activity on the internet the whole day, they can ensure they have a trusting relationship with their children. This he claims will create dialogue on the child's activity on the internet or social media and create awareness.

"In this crime, details shared online, led to an offline meeting. So, children must be taught to not share addresses, personal details or meet such 'friends' without their parents' knowledge." he adds.

In India, two major challenges are the lack of a uniform terminology and lacunae in law as far as sexual grooming of children is concerned. Some key legal instruments meant to protect children, predate technological advances. For example, the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography does not criminalize online sexual grooming.

Establishing the criminality of sexual grooming or even sexting is difficult in view of the potential for misuse of the law, states the UNICEF report.

Back home and healing

Following her desperate phone call, Tirupur police rescued Meena, and went on to arrest Ibrahim in Pondicherry on April 30. Prabhakaran was arrested on May 2. They have been booked under the Protection of Children from Sexual Offences Act (POCSO) and other sections of the Indian Penal Code. Police are now investigating if Ibrahim and Prabahakaran have been involved in crimes of this nature in the past as well.

"There is only so much parents can do. They work till eight in the night and children who come back from school at 4pm, have four unsupervised hours to themselves. The only thing they can do is keep a password and stop children from using social media accounts," says the investigating officer, who observes that a number of children chat with strangers, making it difficult to keep track.

Vidya Reddy too expresses shock at sheer number of teenagers who chat with strangers online. The Tulir Director recounts horrific cases, including one where a 16-year-old girl was sexually assaulted and then blackmailed with videos of the abuse. The perpetrator allegedly threatened to leak the images if girl did not bring another child for him to rape.

While sexual grooming and other forms of online sexual abuse are common across the world, in India it takes a unique shape in South Asia. "Our society creates a repressive atmosphere, as far as engagement with the other gender is concerned. So, when the conversation is online, teenagers will risk their safety to push boundaries and the anonymity the internet provides has made this whole set up even more dangerous," concludes Vidya Reddy.

*Name changed

For more details visit http://editors.cis-india.org/internet-governance/news/newsminute-may-6-2017-a-13-year-olds-rape-in-tn-highlights-the-major-threat-online-sexual-grooming-poses-to-children

Why Does Mainstream Indian Discourse On Digital Inclusion Leave Out Disability?

praskrishna — 2017-05-19T10:10:26Z

India’s crusade for digitisation and digital inclusion has failed millions of Indians with disabilities. Will the Rights of Persons with Disabilities Act change that?

The article by Dorodi Sharma was published in the Wire on May 9, 2017.

One of the strongest mandates of the newly enacted Rights of Persons with Disabilities Act, 2016 is on the issue of accessibility. The public discourse around accessibility for persons with disabilities has more or less been limited to the physical environment – ramps and a disable-friendly toilet. The issue of digital inclusion – be it websites, technology, information and media, which is equally critical, has not found much traction.

Therefore, it is perhaps not surprising that the buzz around the new disability rights law – whether welcoming or critical – hardly mentions the new provisions for information and communication technologies (ICT) and digital inclusion for persons with disabilities.

The new law requires all content available in audio, print and electronic media to be in an accessible format; electronic goods and equipment that are meant for everyday use to be made available in universal design and ensuring access to television programmes with sign language interpretation or subtitles. Additionally, all service providers – whether government or private – will have to provide accessible services within a period of two years from the notification of the law.

This is significant on several levels. While globally the World Wide Web Consortium (W3C) published the Web Content Accessibility Guidelines (WCAG) in 1999 to make web browsers more accessible to persons with disabilities, it was only in 2009 that India got its own policy on this issue. In January 2009, the Guidelines for Indian Government Websites (GIGW) were formulated to require all government websites to comply with WCAG 2.0. It may be mentioned that the new law also comes at an opportune time as the W3C is now working on WCAG 2.1.

Then in October 2013, the central government came out with the ‘National Policy on Universal Electronic Accessibility’ to facilitate equal access to electronics and ICTs for persons with disabilities. It covered the entire gamut of software as well as hardware.

Implementation of both these policies, however, leave a lot to be desired. In 2012, a survey of ten government websites by the National Centre for Promotion of Employment for Disabled People and BarrierBreak revealed none met even the basic accessibility standards. A recent audit of 22 of the most popular Indian applications by the Centre for Internet and Society found that they were not fully compliant with web accessibility guidelines. What this basically means is that while a majority of the population can file their income tax returns online, make online transactions, book flight tickets and order food, millions of people with disabilities still cannot.

Digital inequalities

These findings are important particularly when seen in light of the rapid movement towards digitisation of services and opportunities. By 2050, 70% of the world’s population will live in cities. By 2020, 50 billion devices will be connected to the ‘Internet of Things’. Technology is changing how citizens interact with their environments. Our services – education, employment, health, recreation and commerce – is moving towards digital platforms. There is a proliferation of smart cities worldwide. But the discourse, astonishingly, excludes the impact these developments will have on the lives of persons with disabilities. A survey of about 250 global experts on smart cities conducted by the Global Initiative for Inclusive ICTs and World Enabled revealed that while a majority recognise the benefits of accessible smart cities, more than half do not know of any smart city initiative with an explicit focus on ICT accessibility. If this is not rectified immediately, all our future cities risk excluding millions of persons with disabilities.

India’s Internet growth rate was four times the global rate in 2015. There is also a huge rush towards creating a digital ecosystem for citizen engagement – be it the Digital India campaign, the Startup India campaign or even the recent move towards a cashless and digital economy. But these campaigns also need to ensure that persons with disabilities are benefited as well. It is thus important for policymakers, technology giants and citizens to talk about digital inclusion for persons with disabilities.

India is home to 26.8 million persons with disabilities. With the increase in the number of specified disabilities from the previous seven to 22, this number is expected to grow manifold.

With the Rights of Persons with Disabilities Act, 2016, increasing the number of specified disabilities from the previous seven to 21, this number is expected to grow manifold. Digital inclusion of persons with disabilities not only stands to benefit the millions living with disabilities but also older persons and persons with limited language skills. It is not common knowledge but several popular mainstream technologies were actually developed for persons with disabilities. For instance, predictive text on cell phones was developed as a solution for people with communication difficulties. Today, it is a feature enjoyed across all segments of the population.

But the strongest motivation should be that access to ICTs is a human right and excluding an entire population group will hinder millions of people from being equal citizens. The Rights of Persons with Disabilities Act can very well be the first step towards ensuring that equality is ensured in the digital realm as well.

For more details visit http://editors.cis-india.org/accessibility/news/the-wire-may-9-2017-dorodi-sharma-why-does-mainstream-indian-disclosure-on-digital-inclusion-leave-out-disability

Aadhaar security: Here's how your private information can be protected

praskrishna — 2017-05-19T10:05:25Z

Lock Aadhaar, and notify UIDAI if you get a one-time-password for a transaction you did not initiate

The article by Sanjay Kumar Singh was published in the Business Standard on May 11, 2017. Udbhav Tiwari was quoted.

The linking of Aadhaar — the 12-digit unique identification number for Indian residents — across various benefits is going through a roller-coaster ride. On one hand, the government, keen to make it mandatory, is linking it with filing of income-tax returns and benefits. But, on the other, many are uncomfortable with it because of privacy issues and leakages that have been reported recently. The Supreme Court, on Tuesday, referred another fresh plea challenging the Aadhaar Act and its mandatory use in government schemes to a larger Constitution bench.

There has been several reports that say that Aadhaar numbers and other personal data are being leaked. Bengaluru-based Centre for Internet and Society (CIS) has published a report (titled Information security practices of Aadhaar, or lack thereof) where it lists four government departments that have posted Aadhaar numbers and other personal information of people. According to the report, an estimated 130-135 million Aadhaar numbers and 100 million bank account numbers were posted on the four portals that the CIS researchers checked. Normally such data should be kept on the government’s intranet, where only authorised people can access it. However, a few government departments have uploaded this data on their websites. In many cases, the data was in excel format, making it all the more easy for people to download and misuse it. The worst part: If your data is stolen, you cannot file even a First Information Report with the police. Only the nodal body, the Unique Identification Authority of India (UIDAI), can file a police complaint.

Your data can be misused: Experts say that leakage of Aadhaar numbers and other personal information into the public domain violates peoples’ privacy. “Your name, phone number, address, bank account number and Aadhaar number are personal information. Only you have the right to decide whether to release such information to others. Such data shouldn’t be complied in excel sheets in large numbers and be freely accessible on the internet to everyone," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Tele-marketers and advertisers will have access to the personal information of all those people. More serious problems such as identity theft can occur. Says Smitha Krishna Prasad, project manager, Centre for Communication Governance at National Law University, Delhi: “The more sensitive information a person has about you, the easier it becomes to impersonate you when that person is speaking to, say, a bank." The impersonator could open a bank account or even take a loan in your name.

Suppose a hacker gets your email ID. “He will use the ‘password reset or forgot password’ feature to change your password and get access to your account. This feature poses questions based on personal info about you. Any such data collected about you comes useful here. Such hackers mine a lot of data about potential victims from all possible sources," says Shomiron Das Gupta of NetMonastery, a threat management provider. In the email, he could find info about your bank account, credit card account, etc, and cause financial losses to you.

Serious risks can also arise if someone manages to breach the biometric authentication or one-time password (OTP) required for using the Aadhaar system. “It is possible to copy an individual’s fingerprints, and replicate them using very commonly available resins. It is also possible for hackers to capture the data being communicated between a telephone tower and a mobile phone, especially if it is poorly encrypted. This will allow the hacker to see the OTP. Admittedly, this does require expertise and a targeted effort vis-a-vis an individual," says Tiwari. Now that the Aadhaar numbers of so many people have been divulged, someone could utilise their identities to steal their government-granted benefits, or obtain a SIM card, which could then be misused. Raman Jit Singh Chima, policy director, Access Now, says at many places where the Aadhaar number is required today, no biometric authentication is done. So just the number can be used to impersonate you.

Lock your biometrics: If your Aadhaar number and other personal information have been leaked, here are a few steps you can take to safeguard yourself. One, be wary of any calls you receive asking for additional details, which may not have been leaked already. Be equally wary if you receive a call wherein someone rattles off your personal data and asks you to verify it. The caller could pretend to be calling from your bank. It is best not to reveal or confirm any information over the phone at all. Two, you have the option to lock your biometric data online. Even if someone manages to steal your fingerprint, he will not be able to use it if you have locked your biometric data (see table). Also, if you get an OTP on your phone for an Aadhaar utilisation that you did not initiate, notify the UIDAI, and thus ensure that no transaction is carried out using your Aadhaar account.

Need for a privacy law: To prevent data leaks in the future, the government needs to sensitise state government officials who work with Aadhaar data about the need to protect the its privacy. More importantly, India needs a comprehensive data protection law. At present, there is limited provision in the Information Technology Act of 2008 under which you can file a civil case against a corporate that has leaked your personal information. “The person affected by data leakage has to show that he has suffered wrongful loss, or somebody else has enjoyed a wrongful gain, and then claim compensation," says Prasad.

After the Radia tapes incident, the government had said it would pass a comprehensive privacy law. “This law would lead to the creation of a data protection authority with enforcement powers, which would be able to penalise both companies and government bodies violating privacy principles. Despite the process beginning in 2012-13, and multiple drafts being leaked into the public domain, there has not been much progress on this count," says Chima. He adds that when the privacy law becomes a reality, any part of the Aadhaar Act that is contrary to it should also be amended.

How to lock your biometric data online

Go to the UIDAI web site: https://uidai.gov.inGo to Aadhaar services, then Lock/Unlock Biometrics Enter Aadhaar number Enter security code that appears below the Aadhaar numberYou will receive an OTP on your registered mobile number. Enter it Click ‘Verify’Click box against ‘Enable biometric lock’Click on Submit buttonSame procedure can be repeated to disable biometric lock.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-aadhaar-security-here-is-how-your-private-information-can-be-protected

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Third Multistakeholder Consultation on Encryption

praskrishna — 2017-05-19T09:42:49Z

Udbhav Tiwari represented CIS at the Third and Final Multistakeholder Consultation on Encryption held at the Taj Palace, New Delhi on May 11, 2017. The event was organised by the Observer Research Foundation, New Delhi. Saikat Dutta and Japreet Grewal were also present at the round-table discussion.

The discussion centred around issues such as trust between the government and citizens, key lengths, standards for device encryption and sector-specific security regulations. The primary goal of the meeting was to influence the second iteration of the draft encryption policy, expected soon, which will have bearing on data protection policies, access of law enforcement agencies to electronic information, and the ease of doing business in India's digital economy.

The main questions in the discussion were:

Should the National Encryption policy mandate key lengths for encryption of communications?
Should the policy require the registration of encryption service providers to operate in the Indian market?
What are the challenged faced in the enforcement of the policy?
What steps can the Indian government take to encourage R&D in domestic cryptographic services and products?

Dr. Gulshan Rai, the National Cyber Security Coordinator, was also present in the meeting and provided valuable inputs.

For more details visit http://editors.cis-india.org/internet-governance/news/third-multistakeholder-consultation-on-encryption

Here’s what everyone is saying in TRAI’s latest Net Neutrality consultation

praskrishna — 2017-05-19T09:35:35Z

Last year’s highly public and widely discussed TRAI consultation resulted in Internet providers being barred from charging differently for different parts of the Internet. This time around, the telecom regulator’s newest consultation on Net Neutrality is significantly more business-as-usual, and much more muted.

The blog post by Aroon Deep was published by Medianama on May 15, 2017.

Now that the consultation has finished accepting responses and counter-responses, here are some of the most significant themes to watch out for from telecom operators, Internet companies and advocacy groups.

1. “Same service, same rules”

Telecom operators have long complained that many apps like WhatsApp and Skype eat into their revenue by replacing the non-Internet access services that they charge for, like SMS and calling. Curiously, Indian telecom operators, instead of arguing that they should face less regulation, have called for these “over the top” (OTT) services to face more regulation instead. They argue that unlike so-called OTT apps, telcos face several regulatory constraints that put them in an uneven playing field. As such, they argue that there needs to be “same services, same rules”, a framework where OTT apps and telcos compete fairly, without regulatory imbalance.

Multiple stakeholders, such as the Broadband India Forum and Hotstar, pointed out that unlike OTT services, telecom providers held a monopoly on providing access to the Internet, mooting the argument that apps and ISPs need to be treated similarly.

Broadband India Forum’s curious reversal

In this consultation’s initial stages, the Broadband India Forum, an association of telecom operators, argued (pdf) that “OTT Communication players need to be brought under the same regulatory regime as the ISP/TSPs.” In an apparent reversal, the BIF made the opposite argument towards the end of the process (pdf), saying that “The so-called “Same Service, Same Rules” argument is flawed”. Further contradicting its earlier position, the association went on to say, “Rather than attempting to increase the regulatory burden of OTTs by applying telecom regulations to online services, there should be consideration given to reducing the regulatory burden of TSPs.”

2. What is an enterprise service?

Practically every Internet provider wants an exception on “enterprise services” or “specialized services”, like dedicated video calling services that some organizations subscribe to. For example, Reliance Jio argued that since enterprise services were “tailored” to specific business requirements, they did not affect Net Neutrality. The Centre for Internet and Society, an advocacy group and think tank, also said (pdf) that enterprise services should be exempted (from Net Neutrality restrictions), but only if i) access to the rest of the Internet is priced similarly, and ii) if the enterprise service in question cannot be served over the regular Internet in the required level of “delivery guarantee”.

Hotstar‘s submission was far more blunt. “The definition of Internet traffic should not exclude … Internet services masquerading as ‘specialized services’,” the streaming service argued. It went on to say that any specialized service seeking an exemption from Net Neutrality rules “should not be usable to provide general access to the Internet”, and must fulfil a very narrow function.

3. “Don’t touch CDNs!”

Content Delivery Networks (CDNs) are so-called “middle-mile” networks, which content providers use to distribute their traffic globally in a decentralized and efficient manner. CDNs typically host copies of content in servers around the world and connect directly with Internet providers, so that there is less latency when sites are accessed, and less distance between the content and the end-user. Content providers, CDN providers, and Internet providers strongly opposed CDNs from being regulated. In fact, Netflix dedicated much of its submission arguing against CDNs coming under regulatory purview, whereas TRAI itself only touched on the possibility passingly in its consultation paper.

Akamai, a large CDN provider, argued that “[A]ny net neutrality principles or rules adopted in India should apply only to Internet access service, which should refer to a publicly available electronic communications service provided by a telecommunications service provider (TSP) in India that is offered to end users on a retail basis”. To some extent, advocacy groups also argued that CDNs should largely be left out of Net Neutrality regulations. The Internet Democracy Project argued (pdf): “Since deploying high traffic content closer to the edges eases up the load on the network as a whole, [CDNs] need not be treated as violating discriminatory access to the internet.”

4. “Can we even detect Net Neutrality violations?”

Some telcos argued that detecting whether some Internet traffic was being slowed down or sped up would be next to impossible, and would require access to an ISP’s confidential internal traffic data. The GSMA, an international association of telecom operators, said (pdf) “monitoring and detecting [unfair traffic management] practices is challenging,” and that any detection framework should be highly robust. Spectranet, a broadband provider, said that it would be difficult to detect practices like throttling and paid prioritization, unless there’s a “neutral network” that is outside an ISP’s network which works with end-users to measure speeds of different applications and services to see if there’s any discriminatory traffic management.

The Measurements Lab said (pdf) that detecting unfair traffic management was very much possible. “Academic researchers and national regulatory authorities have been actively engaged in measuring traffic management practices for well over a decade to considerable success,” M-Lab said. “The adoption of TMP measurement tools by TRAI would build on a rich history of research and implementation, and align with the current agenda of BEREC and other regulators.”

5. “Device neutrality”

Multiple operators are arguing that since the fair treatment of all data depends on the end-user’s Internet browser and device, Net Neutrality should apply to those as well. Airtel, for example, argued (pdf) that device manufacturers and content providers should also be regulated under Net Neutrality rules (Airtel cited Netflix allegedly “slowing down” data for mobile data users as an example; Netflix denied Airtel’s allegation in a counter-filing). The Internet Freedom Foundation* argued strongly against such a framework, saying that “the focus of network neutrality as a regulatory concept has been to ensure that TSPs [don’t] misuse their unique, license-enabled position” which gives them monopoly over Internet access, unlike device manufacturers and OTT services. Similarly, Hotstar argued that “Independent devices, browsers or operating systems themselves do not constitute a network and are not the subject matter of the net neutrality debate.” (emphasis theirs)

For more details visit http://editors.cis-india.org/internet-governance/news/medianama-aroon-deep-may-15-2017-here-s-what-everyone-is-saying-in-trais-latest-net-neutrality-consultation

UIDAI puts posers to CIS over Aadhaar data leak claim

praskrishna — 2017-05-19T09:28:33Z

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.

The article originally published by PTI was also published by the Financial Express on May 19, 2017.

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.

Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.

Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.

The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.

The UIDAI letter comes after a CIS’ report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.

However, in a apparent course correction on May 16, a day before the UIDAI’s letter went out — CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.

For more details visit http://editors.cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking