Centre for Internet and Society

Around 130-135M Aadhaar Numbers published on 4 sites alone

praskrishna — 2017-05-20T10:52:26Z

“Therefore, there is no data leak, there is no systematic problem, but, if any one tries to be smart, the law ignites into action.” – Ravi Shankar Prasad, IT Minister, in the Rajya Sabha, on 10th April 2017.

The blog post by Nikhil Pahwa was published by Medianama on May 4, 2017.

Details of around 130-135 million Aadhaar Numbers, and around 100 million bank numbers have been leaked online by just four government schemes alone: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme (NREGA), Daily Online Payments Reports under NREGA (Govt of Andhra Pradesh), and the Chandranna Bima Scheme (Govt of Andhra Pradesh), as per a research report from the Centre for Internet and Society.

Download the report here. Read full story on Medianama website.

For more details visit http://editors.cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-4-2017-around-130-135-m-aadhaar-numbers-published-on-four-sites-alone

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T11:10:37Z

The article was published by DNA on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit http://editors.cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

১৩ কোটি আধার তথ্য ফাঁস চার সরকারি পোর্টাল থেকে! বিস্ফোরক দাবি রিপোর্টে

praskrishna — 2017-05-20T11:45:42Z

খোদ সরকারি পোর্টাল থেকে কয়েক কোটি আধার নম্বর ও যাবতীয় তথ্য ‘ফাঁস’!

This was published by Amar Bazar Patrika on May 2, 2017.

অভিযোগ, গত কয়েক মাসে প্রায় ১৩ কোটি আধার নম্বরের যাবতীয় ব্যক্তিগত ও সংবেদনশীল তথ্য ফাঁস হওয়ার ঘটনা ঘটেছে। আর এসবই হয়েছে চারটি সরকারি পোর্টাল থেকে তথ্যপ্রযুক্তি সুরক্ষার ঘাটতির জেরে! যা ঘিরে এখন তোলপাড় দেশ।

সম্প্রতি, এমনই বিস্ফোরক রিপোর্ট প্রকাশ করেছে অলাভদায়ক সংগঠন সেন্টার ফর ইন্টারনেট অ্যান্ড সোসাইটি (সিআইএস)। তাদের আশঙ্কা, চারটি সরকারি পোর্টালের মাধ্যমে ১০ কোটি মানুষের ব্যাঙ্ক অ্যাকাউন্ট নম্বরও ফাঁস হয়ে থাকতে পারে।

সংস্থার দাবি, যে চারটি পোর্টাল থেকে এই সব তথ্য ফাঁসের অভিযোগ, তার মধ্যে দু’টি অন্ধ্রপ্রদেশ সরকারের ওয়েবসাইট। বাকি দুটি পোর্টাল হল ন্যাশনাল সোশ্যাল অ্যাসিস্ট্যান্স প্রোগ্রাম এবং ন্যাশনাল রুরাল এমপ্লয়মেন্ট গ্যারান্টি স্কিম-এর।

এই গোটা ঘটনার জন্য ইউনিক আইডেন্টিফিকেশন অথরিটি অফ ইন্ডিয়া বা ইউআইডিএআই–কেই দায়ী করেছে সিআইএস। তাদের দাবি, আধার নিয়ন্ত্রক সংস্থার ‘দায়িত্বজ্ঞানহীনতার’ জন্যই এই উদ্ভুত পরিস্থিত সৃষ্টি হয়েছে।

সিএনআই-এর আরও দাবি, বিভিন্ন সরকারি ও বেসরকারি পোর্টাল—যারা আধার তথ্য ব্যবহার করে থাকে, তাদের নিজস্ব সুরক্ষা-ব্যবস্থা খতিয়ে দেখেনি ইউআইডিএআই। ফলত, এই বিপত্তির সম্মুখীন কয়েক কোটি মানুষ।

যদিও, ইউআইডিএআই -এর দাবি, তাদের ডেটাবেস থেকে কোনও তথ্য ফাঁস হয়নি।

For more details visit http://editors.cis-india.org/internet-governance/news/amar-bazar-patrika-may-2-2017-13-crore-aadhaar-leaked-due-to-poor-security-in-4-govt-websites

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit http://editors.cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

Details of 135 million Aadhaar card holders may have leaked, claims CIS report

praskrishna — 2017-05-20T08:42:57Z

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

The news from the Press Trust of India was published in the Hindustan Times on May 2, 2017.

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS said.

Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

“Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it cautioned.

The disclosure came as part of a CIS report titled ‘Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information’.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

“The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern,” the report added.

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-may-2-2017-details-of-135-million-aadhaar-card-holders-may-have-leaked-claims-cis-report

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T10:42:59Z

The news was published by the Press Trust of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit http://editors.cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report

Aadhaar Details Of 13.5 Crore People Available On Government Sites

praskrishna — 2017-05-20T11:00:55Z

Up to 13.5 crore Aadhaar numbers can be easily accessed through government portals and nearly three-fourths of these are linked to bank accounts, said non-profit research organisation the Centre For Internet & Society (CIS).

Calling the Unique Identification Authority of India (UIDAI) “extremely irresponsible” in maintaining privacy standards, CIS blamed the Aadhaar governing body for turning a "blind eye" to the lack of standards regarding use of Aadhaar data by private and public bodies

"It is staggering that while these databases have existed in the public domain for months, while framing the Aadhaar Act Regulations in late 2016, the UIDAI did not even deem these as important matters to be addressed by way of regulations or standards," CIS said in a report titled ‘Information Security Practices of Aadhaar (or lack thereof)’.

The CIS report points out several government sites which showcase inefficiently masked Aadhaar codes with sensitive personally identifiable information, also available for download as spreadsheets.

Read the full story on Bloomberg Quint

For more details visit http://editors.cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites

Chemistry research in India 'still not in big league'

praskrishna — 2017-04-28T02:03:26Z

Despite an increase in research output and international collaboration, chemistry research, "the central science", in India is "still not in the big league", an analysis has revealed.

Originally published by IANS on April 24, 2017, the news was carried on the India Online news portal

Researchers Subbiah Arunachalam, Muthu Madhan and Subbiah Gunasekaran carried out a scientometric analysis of contributions from India in leading multidisciplinary chemistry journals over the 25-year period 1991-2015.

The study of measuring and analysing science research is called scientometrics.

"Chemistry is the 'central science'. Whether it is drugs and pharmaceuticals, materials, or several other areas, chemistry plays a key role. In times past, say till about four decades ago, there was a strong tradition of natural products chemistry in India, but later on the emphasis moved to other branches of chemistry," the authors told IANS when asked why is it important for India to take a lead in chemistry research.

But, as modern chemical research depends more and more on information technology - computer-based data collection and processing - India has to "try hard to keep pace" with progress worldwide, they said.

The study comes against the backdrop of comments on chemistry research in India made in three recent reports prepared by Nature Index, Elsevier and Thomson Reuters.

According to the Nature Index report, chemistry is doing well in India and it is the top performer, while the Thomson Reuters report, prepared for the Department of Science and Technology, says research in the field is growing rapidly in the country.

However, India, despite its huge share of the world's population (about 17 per cent), continues to be poorly represented in the top journals, the study revealed.

The country's share of papers in the Journal of the American Chemical Society is 0.7 per cent compared to 58.4 per cent for US, 7.6 per cent for Germany and 5.1 per cent for China, and its share in Angewandte Chemie International Edition is 1.2 per cent, compared to 28 per cent for Germany, 25.3 per cent for US and 9.9 per cent for China.

This could be due to the fact that till recently, Indian universities did not encourage mobility across disciplines.

"That only a small number of Indian researchers and institutions publish in leading journals is also a matter for concern. India accounts for only a small number of papers in the top one percentile of the most highly cited chemistry papers, whereas China leads the world," the study pointed out.

Chemistry research in India is still not in the big league, the authors said.

"If we look at chemistry worldwide, what we do in India does not make big news among chemists and other scientists," they said.

The researchers compared India's performance with that of China as a benchmark.

"Overall, the number of chemistry papers from India increased steadily between 2007 and 2014. We have not compared India and China in this study but have merely highlighted a couple of points to emphasise how far we have to go," the authors clarified.

China is way ahead not only in chemistry but in all sciences. In terms of number of papers and average citations, they have been ahead of India for several years, they said.

To address the gaps, the authors suggest that researchers and funders need to identify important questions and areas of research and focus their attention on those areas.

"At the practical level, we should have many summer schools and winter schools for young researchers, encourage collaboration, invite overseas researchers, and so on. Accountability and time-bound completion of projects are a must," the authors added.

Of the study authors, Arunachalam and Madhan are in the DST Centre for Policy Research, Indian Institute of Science, Bengaluru while Arunachalam is also associated with the Centre for Internet and Society, Bengaluru. Gunasekaran is in the Knowledge Resources Centre, Central Electrochemical Research Institute, Karaikudi.

For more details visit http://editors.cis-india.org/openness/news/ians-april-24-2017-chemistry-research-in-india-still-not-in-big-league

Analysis: Data Protection in India - Getting It Right

praskrishna — 2017-04-28T01:42:42Z

Indian Government Plans Ambitious Data Protection Legislation Rollout by October

The blog post by Suparna Goswami and Varun Haran was published by Info Risk Today on April 26, 2017. Pranesh Prakash was quoted.

The government of India recently informed the Supreme Court of India that it expects to put in place a comprehensive data protection framework by October. The Telecom Regulatory Authority of India will be heading up the initiative and has already started consultations for preparing a draft framework.

The government on April 5 acknowledged that there was no proper regulatory framework to deal with privacy concerns of citizens arising out of "over-the-top" popular messaging services such as Whatsapp, Facebook and Skype. Consequently, the Department of Telecommunications is exploring creating a "regulatory framework" through legislation to address data protection and citizens' privacy concerns.

With the European Union already preparing to enforce its General Data Protection Regulation next year, India may be late to the party. But the need for a data protection and privacy law in India is pressing. And when it's enacted, it will define provisions for protecting sensitive personally identifiable information and spell out liabilities in the event PII gets breached.

Many security practitioners, however, say the government's goal of having a law by October seems aggressive.

Shivangi Nadkarni, co-founder & CEO at Arrka Consulting, points out that once the government publishes a draft regulation for public comment, it must allow two months for gathering feedback. "It has to align with the schedule of the Monsoon Session of Parliament if it has to meet the October deadline," Nadkarni says (see: It's Time to get Serious About Privacy).

Existing Provisions

India already has some data protection and privacy provisions in the Information Technology Act 2000, amended in 2008 and the subsequent IT rules defined in 2011. But the IT Act 2000/8 doesn't define sensitive personal information directly and only provides guidance for reasonable security practice and due diligence - the actual implementation standards have not been explicitly prescribed, says Bengaluru-based Na. Vijayashankar, a cyber law expert and information risk consultant.

The current data protection regime is under section 43A of the IT Act 2000/8, and the regulations made thereunder, says Pranesh Prakash, policy director at Bengaluru-based research think tank the Center for Internet and Society. He contends those regulations are weak, do not specify any governmental agency, and do not lay out penalties for violations. Other relevant provisions, such as section 72A, are also far too onerous and aren't ever applied in practice to such cases, he says (see: Pavan Duggal on Why India's Cyberlaw Must Rapidly Evolve).

"Section 43A and the 'reasonable security rules' didn't change much, given the lack of teeth in the regulations, and the onerous job of proving "wrongful gain or wrongful loss" of property due to data breaches," Prakash says. In addition, as a complement to a strong, yet flexible, data protection/data security regime, the government also needs to put in a privacy regime that covers both the private and public sectors, he adds.

Right to Privacy

India lacks a clear framework that categorically recognizes the sanctity of privacy, says J. Sai Deepak, an independent cyber law expert and arguing counsel at the Delhi High Court. Because the status of the fundamental right to privacy is yet to be adjudicated upon by the Supreme Court, Sai Deepak is uncertain of the basis on which the regulatory mechanism that the government is developing, would function (see: Why India Needs Comprehensive Privacy Law).

"This is important because if you treat privacy as a fundamental right, then the mechanism has to take into account the constitutional obligations and limitations that come with such treatment," Sai Deepak says. A telecom-centric or a single sector-centric approach to privacy as a reaction to a particular litigation may do more harm than good, he adds (see: Re-Evaluating Privacy in India).

"I hope the government goes beyond this context and addresses privacy comprehensively. It is for this reason that I am not sure TRAI is the best entity to vest this mandate with," he says. "After all, we are looking at safeguarding privacy even outside the telecom sphere" he adds.

The government needs to clearly spell out all principles and rights of individuals in the context of privacy as a foundation, experts say.

"Declare that privacy is a right of an Indian citizen and is protected by law," Vijayashankar says. The law should apply to protection of data in any form and require appropriate security measures to be adopted by anyone who collects, processes and manages PII, he adds (see: Privacy: Why India Inc. Needs It).

Viable Roadmap

Vinayak Godse, senior director at Data Security Council of India, says Indian companies, including IT services and outsourcing firms, are losing in European markets because of the high data protection standards followed in those countries.

"We have already been struggling in some markets as our data protection mechanisms don't match to the evolving global expectations for privacy," Godse says. "Questions have been raised by several geographies especially EU on India's regulatory posture in terms of data protection." (See: India's 2015 Data Privacy Agenda)

Vijayashankar says India needs to immediately appoint a data commissioner to efficiently address data privacy violations, which are currently being judged under ITA 2000/8. This will also help Indian enterprises that conduct business with the EU when the GDPR is enforced starting May 25, 2018 (see: How Will Europe's GDPR Affect Businesses Worldwide?).

Nadkarni of Arrka says the framework should:

Clearly define and articulate what qualifies a personal information.
Clearly spell out all principles and rights of individuals in the context of privacy and elaborate on specific aspects as required within each principle/ right.

The Justice AP Shah committee report of 2012 which proposed comprehensive set of data privacy principles and measures had a wide acceptance by various stakeholders, and should be a good starting point to draft an omnibus data privacy law in India, says Srinivas Poosarla, vice president and head (global), privacy & data protection at Infosys.

While the way the enforcement of any such law enacted, would differ at the center and at state level, some of the areas that Poosarla contends need attention are:

Mandating that organizations appoint data privacy officers;
Providing platforms to report grievances and receive compensation from organizations in a timely manner;
Ensuring accountability of organizations for data privacy and to have them promptly report any data breach to affected individuals where there is likely to be material impact;
Identifying and empowering a body at national or state level to enforce implementation of the law.

GDPR as a Model

Nadkarni suggests that the EU's GDPR would be a good benchmark for India. Poosarla and others also agree that the EU GDPR is a good template to draw from. Most importantly, the government should involve all stakeholders, especially privacy and data security advocates, in the drafting of the law, they say.

The best practices and principles from GDPR should be adopted, keeping the cultural and demographic needs of Indian society in mind, Vijayshankar adds.

Prakash of CIS notes: "Any law must keep the evolution of technology in mind. The law can't be so rigid that technological developments are prevented, nor can it be so flexible that technology defeats the basic guarantees provided by the law. For instance, the role of "consent" in a world where indefinite consent is easily obtained by inserting a clause in a long standard-form contract that no one reads, must be taken into account."

For more details visit http://editors.cis-india.org/internet-governance/news/inforisk-today-april-26-2017-suparna-goswami-varun-haran-analysis-data-protection-in-india-getting-it-right

Now, Aadhaar details displayed in Mizoram too

praskrishna — 2017-04-27T16:59:37Z

Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.

The article by Sebastian PT was published in the National Herald on April 26, 2017. Sunil Abraham was quoted.

Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.

In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.

The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.

“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.

So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?

Irreparable Damage

Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.

“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.

The data breach just made it easy for players in the black market for ID (identification) documents to be lapped up to create false ID cards, for instance.

When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.

So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, in the backdrop of the lax attitude of the various government departments, even that too is just waiting to happen, fear experts.

Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it as a “mass surveillance technology” – that too a poorly-designed technology – which, in fact, “undermines security”. Once biometric data are compromised, it cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.

The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various data bases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, breach made possible.

Instead, he says, the government should adopt the ‘tokenisation approach’, instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.

However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.

“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.

For more details visit http://editors.cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too

After SPB-Ilaiyaraaja, Sony Music and Sun Network lock horns over copyrights

praskrishna — 2017-04-27T16:49:53Z

In what seems to be the latest in an increasing number of cases of copyright violations, Sun Network on Friday was banned by the Madras High Court from using Sony Music copyrighted work.

This was published by the News Minute on April 26, 2017. Pranesh Prakash was quoted.

The order comes, despite Sun Network's claim that “it was the absolute copyright holder of films under the South Indian Cinematograph films". This instance, according to experts is yet another case that highlights the complex nature of copyrights and the need for reform in the act itself.

According to reports, Sony Music said it was forced to send a cease and desist notice to Sun Network on July 27 last year. This was after an exchange of letters between the two parties and meetings with councillors did not lead to a settlement. Sony reportedly wanted Sun to take prior licences before its works are either aired or adapted by artists to be recorded and aired. Sun Network, which has 33 TV channels in various south Indian languages, however, believed that it had the right to air this music owing to previous agreements that it had signed. The matter escalated over the last three years, where multiple warnings were issued.

"The problem here is that nobody is clear about exactly what rights they have. For a long time, the industry in the south was working with agreements that were not drafted properly. It was ambiguous and now when it comes under scrutiny, several problems arise," explains Swaroop Mumidipudi, an advocate.

"Sun Network’s case is actually not very weak. There are two competing copyrights here. The cinematograph film is one right where you get the image and sound together. Sony on the other hand could have the music rights. So in such a case it wouldn't have seemed wrong to Sun that they were playing the music. But if they changed the visuals that would be a problem," he adds.

Sony when contacted by The News Minute claims in addition to using the music, Sun was synchronising it with different visuals. "Approvals from music rights owners are mandatory before using (synchronization) songs with new visuals. The music could be existing songs, versions or underlying works," says Sridhar Subramanium, President - India and middle east - Sony Music Entertainment. "TV broadcasters, advertisers, film producers and internet companies who use existing music will now need to seek prior permission from copyright owners before communicating to the public including broadcasters," he adds.

Experts at the Centre for Internet and Society, however, claim, the issue is not that simple. "Figuring out who owns copyrigths and who licensed whom is complicated. You need to be cautious before you assume you have rights over something," says Pranesh Prakash, Policy Director, CIS. He also comments that it must be a rude shock to think certain music comes under the realm of your agreement, only to be questioned later. "The Copyright Act that was last amended in 2012 does not address lot of practical problems. If even a low barrier of marking copyright somehow existed, then this confusion can be avoided," he adds.

This latest clash between two media giants, comes close on the heels of the tensions between music director Ilaiyaraaja and singer SP Balasubrahmanyam (SPB). The composer sent a legal notice to SPB, who was singing his songs in a tour abroad. The singer had claimed that he was not aware that prior permission was required but was forced to stop performing Ilaiyaraaja's songs for the rest of the tour.

For more details visit http://editors.cis-india.org/a2k/news/the-news-minute-priyanka-thirumurthy-april-26-2017-after-spb-ilaiyaraaja-sony-music-and-sun-network-lock-horns-over-copyrights

Stop the Haphazard Internet Shutdown Says MP Jay Panda

praskrishna — 2017-04-27T16:44:27Z

In just one year India lost $968M due to Internet shutdowns; “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” added an entrepreneur journalist.

The article by Regina Mihindukulasuriya was published in the Businessworld on April 26, 2017.

An entrepreneur from the troubled state of Kashmir, Muheet Mehraj, is cofounder and CEO of Kashmirbox.com. He said that businesses that run on the Internet are crippled by Internet shutdowns. “A lot of people's livelihood depends on the Internet. If you shut down the Internet, you shut down their lives. Also, hospitals and academic institutes need constant Internet access and a way must be found to ensure they are never impacted by a shutdown.”

In 2016, Brookings Institution released a survey of 19 countries and the Internet shutdowns each of them experienced. India was in that list and according to the century old research institute, suffered the biggest economic loss to GDP at 968 million dollars all due to Internet shutdowns.

The general secretary of Maha Gujarat Bank Employees Association was quoted in 2016 as saying that an Internet shutdown for 6 days across Gujarat culminated in a loss of rupees 7000 crore for banks in the state.

The Brookings survey recorded the maximum number of disruptions in India at 22. According to IndiaSpend.org, The Centre for Communication Governance at the National Law University of Delhi counts 37 shutdowns across 11 states since 2015 and 22 of them happened in the first 9 months of 2016.

The Software Freedom Law Centre (SFLC) claims there have been 72 instances of Internet shutdown in India since 2012 and that not all of them are justified.

The SFLC.in along with other civil society organizations addressed the increasing frequency of Internet shutdowns in the country. Baijayant 'Jay' Panda, Member of Parliament said that India needs effective checks and balances on the process and power to order Internet Shutdowns in India. He added that, “The power to shut Internet should be exercised by the district's Superintendent of Police only in rare cases when there is imminent threat to breakdown of law and order, and risk of loss of life and property".

He was speaking at a public discussion organized by SFLC.in, in association with Digital Empowerment Foundation (DEF); IT for Change, Internet Democracy Project (IDP); Centre for Internet and Society (CIS), and Foundation for Media Professionals (FMP).

Mr Panda remarked that this power should be limited to 24 or 48 hours. “If Internet must be shut down for a longer duration, the decision must be taken by Director General of Police or the chief secretary of state”, he said.

Abhinandan Sekhri, cofounder and CEO of Newslaundry raised concerns that there is a fundamental flaw in how Indians approach law making, in that they first look at the worst case scenario before taking a liberal and democratic point of view. “Cops may not be the right decision makers when it comes to imposing what is a digital curfew,” Mr. Sekhri said.

Snehashish Ghosh, associate manager for public policy at Facebook said, “Even though we may not have ready data to measure the impact of shutdowns, there is no denying that businesses suffer.” The Facebook Inc. – owned, WhatsApp is often reported as one of the most missed services whenever the Internet is shutdown in Kashmir during days of social unrest.

Mishi Choudhary, president and legal director of SFLC.in said, “According to our Internet Shutdown Tracker, India has experienced at least 72 instances of Internet Shutdowns since 2012. Several communities and states have suffered irreversible socioeconomic losses because they were denied Internet access for extended durations.”

Mishi continued, “The shutdown of Internet not only restrains basic human rights such as the right to freedom of speech and expression, but also cripples activities like e-commerce, e-governance, e-health and e-learning, entirely reliant on the Internet.”

For more details visit http://editors.cis-india.org/internet-governance/news/business-world-regina-mihindukulasuriya-april-26-2017-stop-the-haphazard-internet-shutdown-says-mp-jay-panda

ISO/IEC JTC1/SC 27 Meetings

praskrishna — 2017-04-27T16:38:46Z

Udbhav Tiwari represented the Centre for Internet & Society in a series of meetings held at University of Waikato and Novotel in Hamilton, New Zealand between April 18 and 25, 2017.

The participation was by the virtue of our institutional membership in Information Systems Security Sectional Committee (LITD 17) at the Bureau of Indian Standards.

The first 5 days of the meetings (18 to 23 April, 2017) were the working group meetings, where Udbhav participated in Working Group 1 - Information security management systems and Working Group 5 - Identity management and privacy technologies. Udbhav's participation in WG1 was largely exploratory, where I made some connections and tagged projects for us to comment on prior to the next set of meetings. These projects were Cyber Security, Cyber Insurance, Government Use of the ISO 27001 Standards, International Framework for Cyber Security and the Standing Document on Regulatory Use of 27001.

In WG5, Udbhav was appointed as Co-Rapporteur in the Study Period on Smart Cities, which will go on for another 6 months. The plenary of SC 27 was held on April 24 and 25, 2017. The final resolutions from the Working Groups plenary can be accessed below:

WG1 Recommendations and Resolutions

WG5 Resolutions

For more details visit http://editors.cis-india.org/internet-governance/news/iso-iec-jtc1-sc-27-meetings

WG 5 Resolutions

praskrishna — 2017-04-27T16:26:32Z

For more details visit http://editors.cis-india.org/internet-governance/files/wg-5-resolutions

WG 1 Recommendations and Resolutions

praskrishna — 2017-04-27T16:24:37Z

For more details visit http://editors.cis-india.org/internet-governance/files/wg-1-recommendations-and-resolutions