Centre for Internet and Society

Aadhaar Card: One Identity, Multiple Disorders

praskrishna — 2017-05-26T00:01:54Z

It is still hazy to see the desperation of the union government to imposing the Aadhaar Card mandatory when matters related to Aadhaar Card are already sub judice.

This was blog post by Gaurav Raj was published by India Saga on May 25, 2017.

The constitutionality of Aadhaar is yet to be decided by the Supreme Court, however, the enrolment of Aadhaar has reached the mark of more than one billion. Recently, the government declared Aadhaar mandatory to file Income Tax Return (ITR) while the Supreme Court is opined not to treat Aadhaar mandatory, but voluntarily. Now it is imperative of the government to confide the citizens that the Aadhaar information- demography and biometrics-are in safe hands, a debate which has been heating up, and the contempt of the court’s decision by the government is for greater good. But the uproar against the speculation of identity revelation threat and possible misuse of Aadhaar details by the government-corporate nexus, plausible reasons to doubt the security of privacy, which is a fundamental right of Indian citizen. Ironically, after the Finance Minister Arun Jaitley defended the ‘Aadhaar Money Bill controversy’ filed by former congress MP Jairam Ramesh in the court, the Supreme Court is in dilemma and yet to decide whether ‘Right to Privacy' is a fundamental right or not.

Why Aadhaar Card Mandatory?

Nandan Nilekani, the co-founder of Infosys and the ideologue of Aadhaar, said that Aadhaar will change the PDS system in India since it ensures no ghost or fake beneficiaries to avail unentitled benefits of the various welfare schemes and subsidies. Nilekani also says that there might be margin of error up to 5 per cent in distributing the subsidies or benefits of various welfare schemes to the masses. The top-honcho technocrat has also defended Aadhaar that any breach of privacy of citizens is not possible as the Unique Identification Authority of India (UIDAI) is efficient to secure the public data under CIDR.

The government claims that the corruption-mounted Public Distribution System (PDS) in India is reformed due to the introduction of the 12 digit unique identification number. More than 40000 crore have been saved in the form of exchequer due to curb of fake and ghost beneficiaries in the PDS system. Now if we believe Nilekani claim of 5% error, then more than 5 crore beneficiaries would be losing their benefits due the error in the biometric identification. The Infosys co-founder later said that if there is a margin of error then ‘One Time Password’ (OTP) comes in. However, he didn’t define what if there is a congestion of network in the remotest Indian villages where phone signals are rare? Standing on the PDS shop waiting for food grains and network, is certainly not an ideal way to avail the benefits of the government welfare schemes. In 2011, activist and writer Ruchika Gupta said in an interview to Tahalka, “The UID cannot address the bulk of delivery problems in the two of the biggest social sectors programmes like MGNREGA and PDS. Linking UID with social sector legislation is completely baseless.”

PAN Card Linked with Aadhaar Card?

The government has directed the Reserve Bank of India to make Aadhaar mandatory for Income Tax Return filing. Currently, there are approximately 24.37 crores PAN holders in India, however 3.8 crore people file income tax return every year. There have been cases of people owned not more than one but 100 PAN Cards with them. PAN cards in India are mostly used by the citizens as a proof of identity. The government believes that PAN card linking with Aadhaar will curb the tax evasion.

How Safe Is Your Data In This Panopticon Model Of Mass Surveillance?

In the late 18th century, the well-known English social reformer and jurist Jeremy Bentham wanted to build a ‘panoptican’ for a mass surveillance of the prisoners in England. He advocated designing an institutional building be used to keep an eye on all the jail inmates by a single watchman. Very similarly, India is witnessing the biggest surveillance program ever under the name of single identity and availing benefits of governments’ schemes. Another logic behind enrolment of Aadhaar is the ‘national security’. National security? How can any government ensure national security backing Aadhaar, when international companies have been hired in consortium to collect residents’ biometric and demography details? In 2010, Accenture, Mahindra-Satyam Morpho and L1 identity solutions were pooled in by UIDAI for leveraging de-duplication exercise of Aadhaar and data collection. L1 Identity Solutions’ top brasses are the former Director CIA George Tenet and former Homeland Security deputy secretary Adm James. With its headquarters in Connecticut, this company is one of the biggest defence contractors specialised in facial recognition and biometrics. L1 Identity Solutions and Accenture work in a close affinity to US intelligence agencies. This is an age of information. Corporate houses and big telecom players are dying to get details of consumers. Obvious are the concerns about the safety and security of the people’s data. It is feared that the database can be used for various marketing and business purposes.

CIDR, A Single Database Of People’s Data

Central Identities Data Repository (CIDR) is a data management and storing agency in India which is initiated for the Aadhaar project. It is regulated by the statutory body of Unique Identification Authority of India (UIDAI). This centralised database is probably one of the biggest repositories on this planet.

In 2010, experts had claimed that more than a thousand government sites and portals were attacked more than 4000 times by China alone in one year. In April 2011, 77 million Sony Playstations and digital media delivery service Qriocity were hacked which resulted into a shutdown of the network for a week. The London School of Economics also reported that a central database of vulnerable to hacking and other terrorist and cyber crime activities. Recently Wannacry Ransomware virus hits the globe. More than 99 countries were affected.

Building one single repository for billions of Aadhaar Card data seems to be a big risk in the most vulnerable country where dat breach is at most.

Data Leak Crisis

UIDAI has so far spent approximately 5982.62 crores for more than a billion enrolments of Aadhaar Cards. 1615.34 crores have been spent between the financial year 2015-2016. Centre for Internet and Society, Bengaluru-based organization (CIS) has learned that data of more than 130 million Aadhaar card holders has been leaked from four government websites. They are National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payments Reports of NREGA. It also includes Bank details and other confidential details of millions of residents.

What is Next?

The Lok Sabha has passed the Aadhaar Bill as Money Bill. Mukul Rohatgi said in the Supreme Court that according to Article 110 of the constitution, there is use of consolidated funds of India so the bill is a Money bill. Chief Justice Khehar said, “Your object might be good but whether it is a ‘Money Bill’ or not is the question.” Justice Ramana referred to a 2014 judgment passed by the Apex court that courts had no jurisdiction over procedurals matters of legislative.” In response P. Chidambram, the counsel for Jairam Ramesh said, “This petition is not about a procedural matter. There has been substantive infraction.”

For more details visit http://editors.cis-india.org/internet-governance/news/the-indiasaga-may-25-2017-aadhaar-card-one-identity-multiple-disorders

Sharad Sharma's case shows how rampant troll culture has become under Modi

praskrishna — 2017-06-07T12:29:18Z

Sharad Sharma's case shows how rampant troll culture has become under Modi.

This was published by Catch News on May 25, 2017.

Noam Chomsky once said: “Propaganda is to a democracy what violence is to a dictatorship”.

This couldn't be more true than in the Indian context. Abusive right-wing trolls, in this sense, can be seen as stormtroopers of the Narendra Modi government.

They are no different from political goons, using every means at their disposal – intimidation, abuse, hacking attempts, sexual harassment – to silence voices that speak against the regime.

Try tweeting about human rights violations in Kashmir or police atrocities against in Bastar, invariably an anonymous troll will appear and call you “anti-national”. Even criticising government schemes or raising questions about industrial houses supposedly close to the government, can invite abuse.

Some of the trolls are paid, some are ideologically driven while many are just plain frustrated.

But what happens when you come to know that the anonymous troll calling you an ISI agent, is actually the high profile founder of a company working with the government?

Meet Sharad Sharma, co-founder of iSpirt, a think tank that closely worked with Aadhaar. Sharma has been exposed as the man behind the twitter-handle @confident_India- that used to troll all Aadhar critics on the micro-blogging website.

He has apologised from his original twitter account, calling it “a lapse of judgment” and that 'anonymity seemed easier than propriety'.

Through his anonymous twitter handle, Sharma constantly accused Center for Internet and Society (CIS), of being foreign-funded and violating the FCRA (Foreign Contribution Regulation Act) laws, without giving any proof.

In a recently published study, CIS had alleged that Aadhaar numbers of over 13 crore people and bank account details of about 10 crore people were leaked through government portals due to to poor security measures, putting them at risk of financial fraud and identity theft.

accepted the data breach in the Supreme Court." data-reactid="36">Later, the government accepted the data breach in the Supreme Court.

Given Sharma's proximity with the government, it is quite possible that he was aware of the leaks himself. Yet to defend the government on social media, he chose the FCRA card against CIS, providing a hint of what could be in store for the public advocacy group.

Kiran Jonnalagadda, founder of the Freedom Foundation, who first exposed that it was Sharad Sharma anonymously using the @Confident_ India handle, says that “FCRA threats are a way to stop people from questioning Aadhar".

FCRA seems to have been a useful tool for the NDA government against organisations that question government policies. In April this year, the government suspended registration of environmental advocacy NGO Greenpeace. While the government is well within its right to use the FCRA law against those who violate it, but if a law is used only against those who speak against the regime, questions are likely to be raised.

While Sharma has apologised for trolling the government's critics by accusing them of foreign exchange violations and being CIA stooges, there are several handles that go to the extent of giving giving rape and death threats to those who dare to speak against the establishment.

When PM follows trolls

Recently, Trinamool Congress MP, Derek O’Brien accused Prime Minister Narendra Modi of encouraging hatred by following people who run hate campaigns on social media.

“26 Twitter handles that give out rape threats, communal threats are followed by the Prime Minister (Narendra Modi),” O‘Brien said in the Rajya Sabha.

In a recently published book, “ I am a troll” journalist Swati Chaturvedi has given an account of a former BJP volunteer Sadhavi Khosla who alleged that the BJP's social media cell was responsible for putting pressure on e-commerce company Snapdeal to drop actor Aamir Khan as its brand ambassador after the latter made strong comments on the intolerance issue.

It would be wrong to say that only BJP and Modi have (mis)used social media trolls to harass their critics. Parties like AAP and Congress also have a significant presence of anonymous twitter handles as well. But pro-Modi trolls are unmatched in the kind of threats and abuse they indulge in.

Unfortunately, trolls aren't taken to task for their behaviour. Even Sharma, after being caught, received a pat on the back from none less than Nandan Nilekani, for coming clean.

For more details visit http://editors.cis-india.org/internet-governance/news/catch-news-may-25-2017-sharad-sharma-apos-case-shows-how-rampant-troll-culture-has-become-under-modi

Zomato hack: You need to enhance online security with a password manager

praskrishna — 2017-05-23T15:54:50Z

Hacking incident at Zomato underlines need to employ different passwords for different accounts.

The article by Sanjay Kumar Singh was published in the Business Standard on May 23, 2017.

Recently, food-tech company Zomato suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as password managers.

In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing protocol used, hashes can be re-engineered to generate the password.

The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and password. To save themselves the bother of remembering many passwords, users often use the same password in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.

Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a password manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.

Password managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords on all the sites and apps you use. Also, hackers sometimes steal passwords by inserting a malware that copies keystrokes. Since a password manager inputs the password, you don't have to type them in, thereby doing away with the risk of your keystrokes being captured and stolen.

A password manager is a secure vault that stores all your passwords. You get access to the vault with a master password. Instead of remembering many passwords, you have to remember just one.

Browsers like Google Chrome and Mozilla Firefox also offer password managers. However, if you wish to use your password manager across browsers and apps, use a third-party one like those mentioned above. And while a password manager that is stored locally is safer, one that is cloud-based is more convenient, since you can use it across devices having internet connection. Password managers also offer two-factor authentication. They either send a password to your phone or generate it on your device. Unless your device also gets stolen, the password manager is difficult to break into.

As for whether password managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The password manager is safe provided you set a strong master password. Your password should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master password every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most password managers do have strong security practices, he adds.

Most password managers offer a free account but you have to pay to use their advanced security features.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager

Chinese state media says U.S. should take some blame for cyber attack

praskrishna — 2017-06-07T01:12:27Z

"WannaCry is far and away the most severe malware attack so far in 2017, and the spread of this troubling ransomware is far from over". Since the global attack was launched on Friday, several thousand more computers were discovered to be infected, particularly in Asia as the work day began on Monday. "We've seen that the slowdown of the infection rate over Friday night, after a temporary fix around it, has now been overcome by a second variation the criminals have released".

The article by Ellis Neal was published in the Villages Suntimes on May 21, 2017.

Microsoft called the incident a "wake-up" call for governments and customers to take security seriously, but in a letter to the Times Sir David Omand, GCHQ director from 1996 to 1997, pins the blame squarely on the technology firm for failing to maintain support for its ageing Windows XP platform. If they wanted their files decrypted, the program said all they had to do was pay $300 worth of Bitcoin to the specified address.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

When Microsoft sells its operating system software it does so through a licence agreement that states the company is not liable for any security breaches, thus shielding it from any legal complaints, points out Michael Scott, a professor at Southwestern Law School.

Microsoft has blamed the U.S. government for creating the software code that was used by hackers to launch the cyber-attacks. USA and European officials did not rule out North Korea as a possible suspect in the cyberattack.

In a blog post, Microsoft admonished governments around the world for keeping software vulnerabilities to themselves, instead of reporting them to the developers. EternalBlue and DoublePulsar, two tools the NSA used to infiltrate computer networks, were stolen from the agency and leaked online in April as part of a massive data dump by the Shadow Brokers hacker group. An investigation is on-going regarding how the codes got out.

The cyber experts have warned of a huge risk in near future as most institutions and individuals in Bangladesh use pirated software. We can not expect criminal hackers to be held accountable for their actions, but we should hold our government agencies accountable.

Since China and Russian Federation are two of the countries where a major share of computers are running pirated Windows, these are also the countries with the biggest rate of WannaCry infections, as stated by F-Secure.

Malware cases have been spreading in recent years as the malicious software trend has been gaining ground, with new forms of ransomware hitting the scene.

For more details visit http://editors.cis-india.org/internet-governance/news/villages-suntimes-may-21-2017-ellis-neal-chinese-state-media-says-us-should-take-some-blame-for-cyber-attack

Noida cyber cell gives tips on preventing WannaCry attack

praskrishna — 2017-06-07T01:18:22Z

The attackers targeted a weakness found in older versions of Microsoft Windows.

The article by Juana McKenzie was published in the World News Journal on May 20, 2017.

Since late last week, the WannaCry cyber scourge has blocked customers the world over from accessing their data - unless they paid a ransom using Bitcoin. Here's what you should do to protect yourself.

Third, and perhaps more important: like the emperor's new clothes, even this new-fangled ransomware isn't as sophisticated as it's cracked up to be. If you're unsure about the legitimacy of something, delete it.

When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches, said Michael Scott, a professor at Southwestern Law School.

It pays to know the proper file extensions that are available.

If you happen to come across files such as worklog.doc.exe, or financial_statement.xls.scr, do not open them as the files are most likely malicious.

'And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today - nation-state action and organised criminal action'.

Then there's the USA government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

No. This strain of ransomware was spread from device to device by taking advantage of an old security hole in some versions of Microsoft's Windows operating system.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8. This included the release of the patch in March and an update on Friday to Windows Defender to detect the WannaCrypt attack.

As there are different types of ransomware, there is no single, easy solution to restore your computer if it has been infected. Enterprises need to test patches before installing them to ensure that they don't have compatibility issues with existing applications and break existing workflows.

Security experts have hailed Microsoft's decision to publicly call out the U.S. government and the NSA's decision to stockpile cyberweapons.

"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable", Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. Such software will act as the first line of defence by blocking auto downloads and actively scan for suspected threats on the PC.

The culprit was "ransomware" known as WanaCryptOr 2.0, or WannaCry.

Europol said a special task force at its European Cybercrime Centre was "specially created to assist in such investigations and will play an important role in supporting the investigation".

Kaspersky said it was seeking to develop a decryption tool "as soon as possible". If the ransomware has locked your entire PC, as WannaCry has done, combating it is more hard. Backups often are also out of date and missing critical information.

Cloud storage services such as Google Drive, Microsoft OneDrive, Dropbox and Box offer large amount of storage space for a monthly or yearly subscription fee.

For more details visit http://editors.cis-india.org/internet-governance/news/world-news-journal-juana-mckenzie-may-20-2017-noida-cyber-cell-gives-tips-on-preventing-wannacry-attack

Consilience 2017 - A Conference on Artificial Intelligence & Law

praskrishna — 2017-06-07T01:47:07Z

The Law and Technology Society, NLSIU organized their annual conference, Consilience, on the theme 'Artificial Intelligence and the Law' on May 20, 2017 in Bengaluru. Vidushi Marda took part in the event as a panelist.

The panel consisted of the following speakers:

Arun S. Prabhu (Moderator) Partner, Cyril Amarchand Mangaldas,Bangalore)
Chinmayi Arun (Faculty Associate, Berkman Klein Centre for Internet and Society)
Amlan Mohanty (Founder, Techlawtopia)
Vidushi Marda (Programme Officer, Centre for Internet and Society)
Anirudh Rastogi (Partner, TRA Law)

For more information, click here

For more details visit http://editors.cis-india.org/internet-governance/news/consilience-2017-a-conference-on-artificial-intelligence-law

Consultative Meeting for a Digital Archive Lab

praskrishna — 2017-06-08T13:07:57Z

A meeting for a digital archive lab was held at the Centre for Community Knowledge, Ambedkar University in New Delhi on May 20, 2017. P.P. Sneha participated in the meeting.

The proposed Digital Archive initiative at AUD will work as an interdisciplinary archive, working across schools and divisions. There is a need to create a specialized set of skills within AUD for archiving, cataloguing, digitization and conservation. This consultative meeting is envisaged for identifying skills and staff needs, timeframe, direction, outreach and a support network. Outcomes of this consultative meeting will help to finalise the resources required for setting up an online archival platform on the AUD server. Click to see the agenda.

For more details visit http://editors.cis-india.org/raw/consultative-meeting-for-a-digital-archive-lab

April 2017 Newsletter

praskrishna — 2017-05-20T12:59:17Z

Welcome to the CIS newsletter for April 2017.

Dear readers,

Previous issues of the newsletters can be accessed here.

Highlights
In a report on the information security practices of Aadhaar, Amber Sinha and Srinivas Kodali documented numerous instances of publicly available Aadhaar numbers along with other personally identifiable information of individuals on government websites. CIS along with like minded organizations made a submission to the Government of India to frame a feasible accessibility guidelines for mobile apps since there is no single standard in existence at the moment. A two-day 100 Women Edit-a-thon was held in March 2017 by CIS-A2K team along with Odisha's biggest newspaper Sambad. The event was inspired by BBC’s 100 Women series and edit-a-thons with the same name in December 2016. More than 20 female journalists participated and registered as new Odia Wikipedians. On March 31, 2017, the Ministry of Personnel, Public Grievances and Pensions, Department of Personnel and Training released a Circular framing rules under the Right to Information Act, 2005 (“RTI Rules”). The Ministry invited comments on on the RTI Rules. CIS submitted its comments. In an article originally published in Hindu Businessline on March 31, Sunil Abraham lists out 11 reasons why Aadhaar is not just non-smart but also insecure. Shuttleworth Foundation has announced Sunil Abraham as Honorary Steward for its September 2017 fellowship round. CIS worked on a three part case study. The first case study on digital protection of traditional knowledge was published by GIS Watch in December 2016. The other two case studies along with the synthesis overview has also been published.

CIS in the news:

NGOs, individuals urge state CMs to curb Internet shutdown (The Times of India; April 4, 2017).
India’s National ID Program May Be Turning The Country Into A Surveillance State (Pranav Dixit; BuzzFeed News; April 4, 2017).
Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter (Neha Vashishth; India Today; April 6, 2017).

Bengaluru cops' twitter handle in ethical storm (Umesh Yadav; The Times of India; April 6, 2017).

Opposition questions govt move to make Aadhaar must (Komal Gupta; Livemint; April 12, 2017).
Aadhaar: A widening net (Komal Gupta, Apurva Vishwanath and Suranjana Roy; Livemint; April 21, 2017).
Chemistry research in India 'still not in big league' (IANS and India Online News Portal; April 24, 2017).
Stop the Haphazard Internet Shutdown Says MP Jay Panda (Regina Mihindukulasuriya; Businessworld; April 26, 2017).
Now, Aadhaar details displayed in Mizoram too (Sebastian P.T.; National Herald; April 26, 2017).
After SPB-Ilaiyaraaja, Sony Music and Sun Network lock horns over copyrights (Priyanka Thirumurthy; Newsminute; April 26, 2017).
Analysis: Data Protection in India - Getting It Right (Suparna Goswami and Varun Haran; Info Risk Today; April 26, 2017).
India bans social media in Kashmir for one month (Telegraph; April 27, 2017).
J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts (Shruti Dhapola; Indian Express; April 28, 2017).

CIS members wrote the following articles:

How Aadhaar compromises privacy? And how to fix it? (Sunil Abraham; Hindu; April 1, 2017).
Digital native: You can check out, you can never leave (Nishant Shah; Indian Express; April 2, 2017).
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’ (Pranesh Prakash; Hindustan Times; April 3, 2017).
It’s the technology, stupid (Sunil Abraham; Hindu Businessline; April 7, 2017).
Privacy in the Age of Big Data (Amber Sinha; Asian Age; April 10, 2017).
Digital native: Are You Still Having Fun? (Nishant Shah; Indian Express; April 17, 2017).
Digital native: Snap out of outrage mode (Nishant Shah; Indian Express; April 30, 2017).

-------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities, we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

Submission

Mobile Accessibility Practices (Nirmita Narasimhan; April 12, 2017).

Event

Global Accessibility Awareness Day 2017 (Organized by Prakat Solutions, Mithra Jyothi and CIS; Bengaluru; May 18, 2017).

-----------------------------------

Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Blog Entries

Note: All the following events were held earlier but the reports were published in the month of April:

Women's Day Edit-a-thon at Jeewan Jyoti Women's Empowerment Centre, Pune (Subodh Kulkarni; April 10, 2017).
Marathi Wikipedia Edit-a-thon at Savitribai Phule Mahila Ekatma Samaj Mandal, Aurangabad (Subodh Kulkarni; April 13, 2017).
Google-translated Telugu articles prioritisation exercise: January iteration (Pavan Santhosh; April 15, 2017).
Telugu Wikipedia stall at Vijayawada Book Festival (Pavan Santhosh; April 15, 2017).
Women's Day Edit-a-thon at Jnana Prabodhini (Subodh Kulkarni; April 15, 2017).
Bargarh Manuscript Digitisation Project (Sailesh Patnaik; April 16, 2017).
Imperial College Orientation Program, Bargarh (Sailesh Patnaik; April 16, 2017).
Orientation & Training session for Environmental Activists in Satara (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Rajarshi Chhatrapati Shahu College, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Shivaji University, Kolhapur (Subodh Kulkarni; April 16, 2017).
Marathi Wikipedia Edit-a-thon at Sangli, Maharashtra (Subodh Kulkarni; April 16, 2017).
Orientation & Training session of Jalbiradari Activists (Subodh Kulkarni; April 16, 2017).
"Free-license Wings To Your Books" in Guntur (Pavan Santhosh; April 16, 2017).
"Free-license Wings To Your Books" in Vijayawada (Pavan Santhosh; April 16, 2017).
Adikavi Nannaya University Telugu Wikipedia Workshop (Pavan Santhosh; April 16, 2017).
Odia Wikipedia Workshop in IIMC, Dhenkanal (Sailesh Patnaik; April 17, 2017).
Sambad 100 Women Edit-a-thon (Ting Yi Chang and Sailesh Patnaik; April 18, 2017).
Google-translated Telugu articles prioritisation exercise: February iteration (Pavan Santhosh; April 18, 2017).

►Copyright and Patent

National Conference on Intellectual Property Rights and Public Interest (Organized by Indian Law Institute; New Delhi; April 7 - 8, 2017). Maggie Huang took part in the event.

►Openness

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Publication

Economic, Social and Cultural Rights in India: Opportunities for Advocacy in Intellectual Property (Sunil Abraham and Vidushi Marda; GIS Watch and Association for Progressive Communications; April 23, 2017). Total 4 reports: Synthesis Overview, Access to Mobile Technology, Traditional Knowledge Digital Library, and FOSS and Open Standards.

Submission

Comments on the Right to Information Rules, 2017 (Amber Sinha; April 27, 2017).

Event Organized

NASA Space Apps Challenge 2017 (CIS, Bengaluru, April 22, 2017).

-----------------------------------

Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on restrictions that the Indian government has placed on freedom of expression online.

►Privacy

Blog Entries

Analysis of Key Provisions of the Aadhaar Act Regulations (Amber Sinha; April 3, 2017).
Right to be Forgotten: A Tale of Two Judgements (Amber Sinha; April 7, 2017).

►Free Speech and Expression

Blog Entries

Killing of Yameen Rasheed Reveals Worsening Human Rights Situation in the Maldives (Pranesh Prakash; April 25, 2017).
Internet Shutdowns in 2016 (Japreet Grewal; April 27, 2016).

►Miscellaneous

Blog Entry

Regulating Bitcoin in India (Vipul Kharbanda; April 20, 2017).

Event

Amutha Arunachalam - Stand Shielded of Digital Rights (CIS; New Delhi; May 5, 2017).

Participation in Event

ISO/IEC JTC1/SC 27 Meetings (Organized by Bureau of Indian Standards; University of Waikato and Novotel; New Zealand; April 18 - 25, 2017). Udbhav Tiwari attended the meetings.

►Cyber Security

Event Organized

Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (CIS; New Delhi; April 7, 2017).

Participation in Event

Brainstorming Session on the Global Conference on Cyberspace (GCCS 2017) (Organized by the Ministry of Electronics & Information Technology; New Delhi; April 12, 2017). Japreet Grewal attended the session.

-----------------------------------

About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer and citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit http://editors.cis-india.org/about/newsletters/april-2017-newsletter

February 2017 Newsletter

praskrishna — 2017-05-20T12:46:41Z

Welcome to the February 2017 newsletter of the Centre for Internet & Society (CIS).

Dear readers,

We are pleased to bring you the Centre for Internet & Society's February newsletter. Previous issues of the newsletters can be accessed here.

Highlights
Submitted comments on the Vision Document 2030 published by the Department of Empowerment of Persons with Disabilities in February 2017. Our submission recommended that the vision articulate more clearly in terms of quantifiable targets what it seeks to achieve at different points of time and that these targets are not so minimally set as to undermine the aims of the Act and the national commitments outlined therein. Ting-Yi Chang wrote an article on the state of women editors in Wikipedia. In a write-up published by Your Story on February 7, Ting-Yi explored the reasons for the low percentage of women centric articles on the social media platform and how could the gender gap be bridged. In a research paper Anisha Gupta has assessed the privacy protections under 15 e-governance schemes. The paper analysed the schemes rolled out by the government, starting from 2010. Amber Sinha, Vanya Rakesh and Vidushi Marda authored a research paper that has sought to understand the most effective way of researching Big Data in the Global South. The second edition of the Internet Researchers' Conference, an annual conference initiated by CIS to bring researchers, academicians and others on a common platform to share insights and chart the way foreword was held in Bengaluru. Divij Joshi and Aditya Chawla in a report studied five Indian telecommunication companies and three Indian online service providers. The report has evaluated the practices and policies of companies which provide internet infrastructure or internet services, and are integral intermediaries to the everyday experience of the internet in India. General Data Protection Regulation (EU) 2016/679 was passed, which shall replace the present Data Protection Directive DPD 95/46/EC. This step is likely to impact the way of working for many organisations. In this light CIS requests you to take part in a survey aimed at understanding how various organisations view the changes in the Data Protection Regime in the European Union.

CIS in the news:

India WhatsApp Privacy Fight May Affect Multinationals (Nayanima Basu; Bloomberg BNA; February 1, 2017).
Crowdsourced innovation for government projects and services is easier said than done (Kunal Talgeri; The Times of India; February 3, 2017).
Giving out your fingerprint for Aadhar payments is as bad as telling the seller your banking password (Nimish Sawant; First Post Tech 2; February 3, 2017).
Don't dive headlong into money-making schemes on the internet (Sanjay Kumar Singh; Business Standard; February 7, 2017).
Indian public concerned about fingerprint payment scheme (Rawlson King; Biometricupdate.com; February 9, 2017).
India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable (Mashable India; February 14, 2017).
No Genie At Your Fingertips (Arindam Mukherjee; Outlook; February 20, 2017).
LinkedIn will help people in India train for semi-skilled jobs (John Riberio; IDG News Service and mirrored on CIO Blog; February 21, 2017).
India To Let Private Companies Access Citizens’ Biometric Data (Joshua Kopstein; Vocativ; February 21, 2017).
Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally (Outlook; February 24, 2017).

CIS members wrote the following articles:

Digital Native: Do not go Gently into the Good Night (Nishant Shah; Indian Express; February 9, 2017).
Digital Native: Who will Watch the Watchman? (Nishant Shah; Indian Express; February 19, 2017).
Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar? (Amber Sinha; Wire; February 21, 2017).

Jobs

Policy Officer (Cyber Security)
Senior Policy Officer (Cyber Security)
Internship - Application accepted throughout the year
Survey Participants for Research on Musician Livelihood

Submission

Comments on Department of Empowerment of Persons with Disabilities 'Vision Document 2030' (Nirmita Narasimhan; February 28, 2017).

-----------------------------------
Access to Knowledge
-----------------------------------
Our Access to Knowledge programme currently consists of two projects. The Pervasive Technologies project, conducted under a grant from the International Development Research Centre (IDRC), aims to conduct research on the complex interplay between low-cost pervasive technologies and intellectual property, in order to encourage the proliferation and development of such technologies as a social good. The Wikipedia project, which is under a grant from the Wikimedia Foundation, is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Wikipedia

Blog Entries

Marathi Wikipedia Edit-a-thon (Subodh Kulkarni; February 8, 2017)
Only 8.5pc of Wikipedia Editors are Women. How do we fix the Gender Gap on the Internet? (Ting-Yi Chang; February 9, 2017).
WikiTungi: Bhubaneswar City Wiki Community Turns 1 (Sailesh Patnaik; February 27, 2017).

Event Organized

Marathi Wikisource & Digitisation Workshop (Organized by CIS, Maharashtra Granthottejak Sanstha, Maharashtra Knowledge Corporation Limited and Jnana Prabhodini; Jnana Prabodhini, Sadashiv Peth, Pune; February 17, 2017 and C Trade Tower, Senapati Bapat Road, Pune; February 18, 2017).

-----------------------------------
Internet Governance
-----------------------------------

►Privacy

Research Papers

Comparison of General Data Protection Regulation and Data Protection Directive (Aditi Chaturvedi and Edited by Leilah Elmokadem; February 7, 2017).
Ranking Digital Rights in India (Divij Joshi and Aditya Chawla; February 12, 2017).

Privacy Gaps in India's Digital India Project (Anisha Gupta; edited by Amber Sinha; February 21, 2017).

Survey

Survey on Data Protection Regime (Aditi Chaturvedi and Elonnai Hickok; February 10, 2017).

Participation in Events

Surveillance in India: Policy and Practice (Organized by National Institute of Public Finance and Policy; New Delhi; February 9, 2017). Pranesh Prakash was a speaker.
T20 Mumbai 2017: Dialogue on the Emerging World Economy (Organized by Gateway House, Indian Council on Global Relations; Mumbai; February 13 - 14, 2017). Elonnai Hickok attended the event.

►Big Data

Research Paper

Big Data in Governance in India: Case Studies (Amber Sinha, Vanya Rakesh and Vidushi Marda and Edited by Elonnai Hickok, Sumandro Chattapadhyay and Sunil Abraham; February 19, 2017).

►Freedom of Expression and Cyber Security

Participation in Event

Digital Security for Journalists (February 2 and 3, 2017). Pranesh Prakash conducted two workshops on consecutive days. The first one organized by IndiaSpend was held in their office. The second one organized by a fellow with the International Center Journalists was held in the Hindustan Times office.
Securing Digital Payments: Imperatives for a Growing Ecosystem (Organized by ORF and Koan Advisory; The Claridges, New Delhi; February 3, 2017). Udbhav Tiwari attended the round-table conference.
Fake News, Rumors & Online Content Regulation (Organized by Medianama and Mint; India Habitat Centre; February 22, 2017). Japreet Grewal and Amber Sinha attended the event.

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources, and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Article

A Pathfinding Approach for Digital India (Shyam Ponappa; Business Standard; January 31, 2017 and Organizing India Blogspot; February 1, 2017).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by an emerging need to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It aims to produce local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Event Organized

Internet Researchers' Conference 2017 (Organized by the Centre for Information Technology and Public Policy and CIS; International Institute of Information Technology, Bengaluru; March 3 - 5, 2017).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

► Request for Collaboration

For more details visit http://editors.cis-india.org/about/newsletters/february-2017-newsletter

Microsoft says WannaCry ransomware must be a wake-up call for governments

praskrishna — 2017-06-07T00:55:40Z

Computer security experts said the current attack could have been much worse but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0. It has, however, retweeted a blog post by Brad Smith, president and chief legal officer at Microsoft, who directs much of the blame toward the USA government, arguing that it should have alerted the $524 billion tech titan about the problem.

The article was published in Journaldu Maghreb on May 20, 2017

"This is an emerging pattern in 2017", he continued. "We have seen vulnerabilities stored by the Central Intelligence Agency show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world", wrote Smith in a blog post on Sunday. Then there's the US government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen", Mr Smith wrote. Brad Smith, Microsoft's top lawyer, criticized US intelligence agencies for "stockpiling" software code that can be used by hackers. In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyberattacks on critical infrastructure and tech companies.

Cyber-security firm HumanFirewall said that on account of high use of pirated Windows operating system in India, it was more susceptible to the attack. Microsoft has connected previous exploits of its products released by the mysterious Shadow Brokers group to tools which were stolen from NSA cyber warfare operations. "All our systems are updated as required". This sophisticated, self-propagating malware was created to spread to all other computers on the same network after infecting one machine.

Estimates by law enforcement agency Europol estimated yesterday that more than 200,000 computers in 150 countries were infected, but with the worm continuing to spread to vulnerable Windows machines, that number will surely rise. When 22 year olds are the heroes of the anti-cyber attack fight, rather than the agencies tasked to defend countries against these types of threats, it is perhaps time to question what these organisations have been doing all this time? NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer. That dump included a vulnerability codenamed EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows Computer to another. Usually used by cyber criminals, ransomware is a popular means of making illicit money from victims who have to pay the criminals in order to have their data decrypted.

Today is likely to be painful for many organizations all over the world that took the weekend off and are returning to the work-week to find hundreds or thousands of computers on their networks encrypted by WannaCry ransomware, which surfaced Friday and has been propagating ever since. It was a stress-filled weekend for many IT workers this past weekend as the WannaCry ransomware attack spread, crippling Windows systems worldwide.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. "Otherwise they're literally fighting the problems of the present with tools from the past", he said. However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. This allowed users of the older systems to secure their computers without requiring an upgrade to the latest operating software.

For more details visit http://editors.cis-india.org/internet-governance/news/journaldu-maghreb-may-20-2017-microsoft-says-wannacry-ransomware-must-be-a-wake-up-call

4th National Standards Conclave Evolving a Comprehensive National Strategy for Standards Sectoral and Regional Inclusiveness

praskrishna — 2017-05-20T08:06:15Z

Udbhav Tiwari represented CIS in the 4th National Standards Conclave held on the May 1 and 2, 2017 at The Lalit, New Delhi. The event was organized by the Ministry of Commerce and Industry and the Confederation of Indian Industry.

The event looked at creating a National Standards Strategy to focus on India's standardisation efforts in the global stage. The event also focused on the release on the National Standards Portal, a website that creats a one stop access of standards, technical regulations and TBT information. There were a few sessions that were useful in particular - the IT Standardisation, the Standards Portal and the theme paper for National Standards Strategy.

Download the Agenda

For more details visit http://editors.cis-india.org/internet-governance/news/4th-national-standards-conclave-evolving-a-comprehensive-national-strategy-for-standards-sectoral-and-regional-inclusiveness

Fourth National Standards Conclave

praskrishna — 2017-05-20T08:05:19Z

For more details visit http://editors.cis-india.org/internet-governance/files/fourth-national-standards-conclave.pdf

Aadhaar assurances fail to assuage privacy concerns

praskrishna — 2017-05-20T06:23:32Z

While Aadhaar may be secure from external attacks, a failsafe system hasn’t been developed to protect it from Edward Snowden-style leakages and hacks.

The article by Anirban Sen was published by Livemint on May 5, 2017. Pranesh Prakash was quoted.

As calls for a privacy and data protection law grow louder with each passing day amid reports of a central government ministry having made up to 130 million Aadhaar numbers public on its website, widespread concerns continue to emerge over loopholes in the security of the unique identification programme, though the man who created the system continues to defend the security and integrity of the system.

Most worryingly, a consensus is emerging among security and privacy experts, who have argued that while the Aadhaar system may be secure from external attacks, a failsafe system has not been developed to protect it from Edward Snowden-style internal leaks or hacks.

“(What has been suggested by the Unique Identification Authority of India and Nandan Nilekani) is that there will never be a data breach like what we saw in the US with the National Security Agency, Central Intelligence Agency, or Office of Personnel and Management breaches (data of federal government personnel, including more than 5.6 fingerprints, was leaked), or in Mexico or Turkey, or even in India when the department of defence was breached for cyber-espionage for multiple years without detection,” said Pranesh Prakash, policy director at the Centre for Internet and Society.

“While the system may be secure from external attacks, there is no failsafe system to make it invulnerable to Snowden-style breaches,” he added.

In an interview, former UIDAI chairman and Infosys Ltd co-founder Nandan Nilekani continued to defend the security of the system and said steps are being taken everyday to enhance the failsafe processes surrounding the system.

“I think the Aadhaar system is extremely well-designed. It’s not an online system that is exposed to the Internet. When enrolment happens, the packet is encrypted at source and sent, so that there can’t be a man-in-the-middle attack. And when the authentication happens, that is also encrypted—not compared to the original data, but to a digital minutiae. The point is that the system is very, very secure. So, if the objection is to centralization, then you should not have clouds. Clouds are also centralized,” said Nilekani. He added that Aadhaar was also safe from internal breaches, an assumption that is being challenged by security experts all across.

“Within seven years of its launch, the Aadhaar system has made a remarkable leap in terms of its security and privacy and it will keep improving things. Technology does not come through immaculate conception, where one morning some perfect technology is born. It has to evolve. It’s called learning by doing,” added Nilekani. He added that improving the security of the system is an ongoing process and conceded that a data protection and privacy law needs to be in place to supplement the current Aadhaar law.

“I know the government has sent a notice to everyone. If somebody has done it; they ought not to have done it—there’s a law for that,” said Nilekani when asked about recent instances of Aadhaar numbers being made public by government departments.

“We should have a data protection and privacy law which is an umbrella law, which looks at all these phenomena and certainly Aadhaar should be part of that. That’s perfectly fine—but people are behaving as if Aadhaar is the only reason why we should have a privacy law,” added Nilekani.

The last few weeks and months have witnessed a steady stream of negative news surrounding Aadhaar and three main cases are currently being fought in the Supreme Court, including one challenging the government’s decision to make the 12-digit ID mandatory for filing income tax returns as well as for obtaining and retaining a PAN Card.

Meanwhile, as Mint reported in April, questions are being raised on the Aadhaar biometric authentication failure rate in the rural job guarantee scheme in areas such as Telangana.

The report of Aadhaar numbers being listed on the government ministry website has caused widespread uproar, although a lawyer pointed out that it is not due to a breach in the Aadhaar system.

“It’s a misnomer to say this a leak because this was voluntarily, very actively put up there. A leak is when some information being kept securely gets breached somehow and comes out. Now, why is this information up on government websites? This is the problem of our government’s perception of transparency...The fact that the Aadhaar numbers are on the government website is not a flaw of the Aadhaar system, but it is a flaw of the understanding of what needs to be done to demonstrate transparency,” said Rahul Matthan, partner at Trilegal.

In a column in Mint, Matthan had also pointed out that while Aadhaar has been a transformative project, there remains enough scope of misusing the database.

“There is a legitimate fear that this identity technology will open us all up to discrimination, prejudice and the risk of identity theft,” Matthan wrote. “Aadhaar has given us the tools to harness data in large volumes. If used wisely, this technology can transform the nation. If not, it can cause us untold harm. We need to be prepared for the impending flood of data—we need to build dams, sluice gates and canals in its path so that we can guide its flow to our benefit.”

Even as both sides debate the issue of Aadhaar’s security, calls are getting louder to revamp the unique identification database.

“The point is that the UIDAI knows the device ID of the machine with which the biometric transaction took place along with the time and date, which means that by just using basic data analytics, any one with access to the transaction logs from the UIDAI (which have to be kept for a period of 5 years and 6 months) can have a complete view of a person’s Aadhaar-based interactions that are increasing day by day.”

“Further, the UIDAI has built up a biometric profile of the entire country. This means that courts can order UIDAI to provide law enforcement agencies the biometrics for an entire state (as the Bombay high court did) to check if they match against the fingerprints recovered from a crime scene. This too is surveillance, since it collects biometrics of all residents in advance rather than just that of criminal suspects,” said Prakash of CIS.

“The UIDAI could have chosen to derive unique 16 digit numbers from your Aadhaar number and provide a different one to each requesting entity. That would have prevented much of these fears. But the UIDAI did not opt for that more privacy-friendly design,” he added.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-may-5-2017-anirban-sen-aadhaar-assurances-fail-to-assuage-privacy-concerns

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Suicide videos: Facebook beefs up team to monitor content

praskrishna — 2017-05-20T02:59:14Z

Responding to the spate of suicides being livestreamed, social media giant Facebook has announced it will add another 3,000 people to its 4,500-strong review team that moderates content. The review team will also work in tandem with law enforcement agencies on this issue.

The article by Kim Arora was published in the Times of India on May 5, 2017.

"Over the last few weeks, we've seen people hurting themselves and others on Facebook, either live or in video posted later. It's heartbreaking, and I've been reflecting on how we can do better for our community," Facebook co-founder and CEO Mark Zuckerberg wrote in a status update and added, "Over the next year, we'll be adding 3,000 people to our community operations team around the world, on top of the 4,500 we have today, to review the millions of reports we get every week, and improve the process for doing it quickly."

"...we'll keep working with local community groups and law enforcement who are in the best position to help someone if they need it, either because they're about to harm themselves, or because they're in danger from someone else," Zuckerberg added announcing the move.

Over the last year, several violent incidents and suicides have been streamed live on Facebook. In India last April, a young student went live on Facebook minutes before he jumped off the 19th floor of Taj Lands End hotel in Mumbai. The same month saw similar news coming out of the US and Thailand as well. A 49-year-old from Alabama went live on Facebook before shooting himself in the head. Another man from Bangkok made a video of hanging his 11-month-old daughter, and uploaded it to Facebook. He was later discovered to have killed himself too.

"It's a positive development that Facebook is adding human power and tools for dealing with hate speech, child abuse and suicide attempts. It would be interesting to see how Facebook coordinates with the Indian police departments to get an emergency response to a potential suicide attempt or attempt to harm someone else," says Rohini Lakshane, program officer, Center for Internet and Society, though she warns against false reports clogging up reviewers' feeds and police notifications.

On Facebook, a video, picture or any other piece of content reaches the review team after it is reported by users for flouting its "community guidelines".

Chinmayi Arun, research director at the Centre for Communication Governance, National Law University, Delhi, says Facebook must be transparent about this process. "Facebook should also announce how it is keeping this process accountable. It is a public platform of great importance which has been guilty of over-censorship in the past. It should be responsive not just to government censorship requests but also to user requests to review and reconsider its blocking of legitimate content," she says.

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-kim-arora-may-5-2017-suicide-videos-facebook-beefs-up-team-to-monitor-content