Centre for Internet and Society

Watch: Aadhaar has become a whipping boy: Nandan Nilekani

praskrishna — 2017-05-19T09:54:52Z

India certainly needs a modern data privacy and protection law, Nilekani said in an interview.

The Alnoor Peermohamed and Raghu Krishnan was published in the Business Standard on May 13, 2017.

As debate rages over Aadhaar being a privacy and surveillance liability, its architect Nandan Nilekani says the unique identity programme has become a “whipping ward”. In an interview with Alnoor Peermohamed and Raghu Krishnan, he says we need a data protection and privacy law with adequate judicial and parliamentary oversight. Edited excerpts:

There is concern we are losing our privacy because of Aadhaar...

Privacy is an issue the whole world is facing, thanks to digitisation. The day you went from a feature phone to a smartphone the amount of digital footprint you left behind went up dramatically. The phone records your messages, it knows what you are saying, it has a GPS so it can tell anybody where you are, the towers can tell anybody where you are because they are constantly pinging the phone. There are accelerometers and gyroscopes in the phone that detect movement.

Internet companies essentially make money from data. They use data to sell you things or advertisements. And that data is not even in India, it is in some country in some unaccountable server and accessible to the government of that foreign country, not ours.

Then increasingly there is the Internet of Things. Your car has so many sensors, wearables have sensors and all of them are recording data and beaming it to somebody else. Then there are CCTV cameras everywhere, and today they are all IP-enabled.

So privacy is a global issue, caused by digitisation. Aadhaar is one small part of that. The system is designed not to collect information, because the first risk to privacy is if someone is collecting information. Aadhaar is a passive ID system, it just sits there and when you go somewhere and invoke it, it authenticates your identity. By design itself, it is built for privacy. I believe India needs a modern data privacy and protection law.

Why is Aadhaar being used as a proxy for the privacy and data protection issues?

It is a motivated campaign by people who are trying to find different ways to say something about it. Privacy is a much bigger issue. I have been talking about privacy much before anyone else. In 2010, when it was not such a big issue, I had written to Prime Minister Manmohan Singh saying we needed a data protection law. You could see what was happening, the iPhone came out on June 30, 2007, Android phones came around the time we started Aadhaar, so we could see the trend. I asked Rahul Matthan, a top intellectual property and data lawyer, to help and we worked with the government to come out with a draft law. And then there was the AP Shah Committee. The UIDAI’s DDG Ashok Pal Singh was a part of that committee, so we helped shape that policy.

When a banking application uses Aadhaar, the system does not know what the bank does. It is deliberately designed so that data is kept away from the core system.

I am all for a data protection law but we should look at it in context, look at the big picture. If people want to work together to create a data privacy law then it is a great thing. But if they want to use it to just attack Aadhaar, then there is some other interest at work.

Now that the government is linking Aadhaar to PAN and driver’s licences, will that not lead to Aadhaar being used as a surveillance tool?

Surveillance is conducted through a 24x7 system that knows what you are doing, so from a technology perspective the best surveillance device is your phone. The phone is the device you should worry about.

Aadhaar is not a 24x7 product. I buy one SIM card a year and do an e-KYC, the driver’s licence sits in my pocket and only sometimes someone asks for it. With the PAN card I file my returns only once a year.

But with all that data being linked, can the government not use it?

It is a valid concern and has to be addressed through a legal and oversight process. Aadhaar is just one technology. You do not attack the technology, you look at the overall picture.

The US has the Foreign Intelligence Surveillance Act under which special courts issue warrants to the FBI for surveillance. This is absolutely required and it should be a part of the data protection law (in India) which says under what circumstances the government can authorise surveillance.

Today mobile phones are being tapped by so many agencies. In the US, the FBI is under the oversight of the Senate. In India, Parliament does not have oversight of any intelligence agency. I remember (former Union minister) Manish Tewari had introduced a Bill six or seven years ago saying Intelligence agencies needed to be under the oversight of the Parliament, but nothing happened.

Is there any way to stop Aadhaar being used as a surveillance tool?

Today a person can be identified with or without Aadhaar. US systems can identify a person in a few milliseconds using big data. All that is part of what we have to protect. Aadhaar by itself is not going to add anything to that. What is important is that the infrastructure of surveillance comes under judicial oversight as well as parliamentary oversight.

Would the Aadhaar narrative have been different if this were a Congress-led government?

I think most people making this noise are against the government, so it is a political argument and Aadhaar has become a convenient whipping ward. Lots of different agendas are at work here. But my understanding is this - whether it is data protection and privacy, surveillance or security, these are all broad issues that apply to technology in general and if you are serious about solving the issues you should fix it at the highest level and have a data protection and privacy law which includes, mobile phones, CCTV cameras and Aadhaar.

A report by the Centre for Internet and Society says 130 million Aadhaar identities have been leaked...

It is because of the transparency movement in the last 10 years. In 2006, we passed the RTI Act and MNREGA Act. Section 4 of the RTI Act says that data about benefits should be made public. At that time it was all about transparency. Since then, governments have been publishing lists of MNREGA beneficiaries and how much money is being put into their bank accounts. At that time it was applauded. Now the same thing is coming back as privacy being affected.

These are not leaks; governments have been consciously putting out the data in the interest of transparency. The message from this is we have to strike a balance between transparency and privacy. And that is a difficult balance because Section 4 of the RTI Act says if a benefit is provided by the government it is public information, so the names of beneficiaries should be published because it is taxpayers’ money.

There is something called personally identifiable information. You should strike a balance between transparency and not revealing personally identifiable information. That is a delicate balance, and people will have to figure this out. The risk you have now is governments will stop publishing data - look, you guys have made a big fuss about privacy, we will not publish. In fact, the transparency guys are now worried that all the gains are being lost.

If Aadhaar is voluntary, why is the government forcing it on to various schemes?

There are two things, benefits and entitlements and government-issued documents. There the government has passed a law, the Aadhaar Bill of 2016, which is signed by the President. In that, there is a clear protocol that the government can use Aadhaar for benefits and what process they should follow.

The second thing is Aadhaar for government documents. There are three examples - PAN cards, driver’s licences and SIM cards.

The government has modified the Finance Bill and made Aadhaar mandatory for a PAN card. Why has it done that? Because India has a large number of duplicate PAN cards. India has something like over 250 million PAN cards and only 40 million taxpayers. Some of those may be people who have taken PAN cards just as ID but not for tax purposes, but frankly it is also because a lot of people have duplicate PAN cards. Why do people have duplicates? That is a way of tax evasion. The only way you can eliminate duplicate PAN cards is by having Aadhaar as a way of establishing uniqueness.

The second thing is mobile phones. Here the mobile phone requirement came from the Supreme Court, where somebody filed a PIL saying so many mobile phones are being given to terrorists and therefore you need to do an e-KYC when the SIM is cut and the government said they would use Aadhaar and they have been asked to do it by 2018.

The third thing is driver’s licences. As (Union Transport Minister Nitin Gadkari has said, 30 per cent of all driver’s licences are fakes. Now why is this important? Because when you have fake driver’s licences or multiple drivers’ licences, even if you are caught, you can give your fake licence and continue to drive. Today India is the country with the largest number of deaths on highways. Lack of enforcement, fake licences are all a problem. So in the latest Motor Vehicle Bill which was passed the government said Aadhaar was necessary to get a licence. So that you have just one driver’s licence, whether it is issued in Karnataka or Bihar, you have just one.

The government is also talking about using Aadhaar for the mid-day meal scheme...

If you talk to people on the ground, and I have spoken to people on the ground, a big part of the leakage is mid-day meals. It is not reaching children. So it is important that all this has to happen so children get what they need.

You engaged with governments and civil servants when you initiated the Aadhaar process. In hindsight, would you say you should have also engaged with civil society?

I do not think there is any other programme in history which reached out to every stakeholder in the country. When we started Aadhaar we met governments, regulators and even parliamentarians. I gave a talk in Parliament and we engaged deeply with civil society. In fact, we had one volunteer only to engage with civil society.

You said you were engaged with the previous government about the data protection law. Are you engaging with the current one too?

I am not really engaging. I know that people are working on it and recently the attorney-general has made a statement in the Supreme Court that the government will bring in a data protection law by Diwali.

We have heard of several instances of people not being able to get their biometric authentication done. Is there a problem with Aadhaar?

The seeding of data in the Aadhaar database has to be done properly and that is a process. Authentication has been proven at scale in Andhra Pradesh. Millions of people receive food with Aadhaar authentication in 29,000 PDS outlets. In fact, now they have portability -- a person from Guntur can go to Vijayawada and get his rations. It is empowering. We keep forgetting about the empowering value.

What has the Andhra Pradesh government done? They have used fingerprints, but they also have used iris scans, OTP on phone, and they have a village revenue officer if none of the above works. When you design the system, you have to design it in a way that 100 per cent of the beneficiaries genuinely get the benefit. Andhra Pradesh has shown it can be done.

The government needs to package the learning and best practices of Andhra Pradesh and take it to every other state. It is an execution issue.

Activists have raised concerns over the centralised Aadhaar database...

How else would you establish uniqueness? If you are going to give a billion people a number, how else would you do it? Is there any other way of doing it? Every cloud is centralised, then we should not have cloud systems.

How do you ensure security standards and software are updated?

There are very good people there. The CEO is very good. There is a three-member executive board with chairman Satyanarayana and two members, Anand Deshpande and Rajesh Jain. I have no doubt that they will continue to improve things.

On security, you keep improving. It is a constant race everywhere in the world. They are now coming out with registered devices that will make it more difficult to spoof.

But without a centralised database, how do you establish that an identity is not two people? If you look at the team that designed this, cumulatively they have a few hundred years of experience of designing large systems around the world. Every design decision has been taken consciously looking at the pros and cons. Why did we have both fingerprints and iris scans? There are two reasons. One is to ensure uniqueness. The second is inclusion. We knew that fingerprints in India do not work all the time because of age and manual labour. So we included iris scans. I can give you a document from 2009 that says all of this. All of these things were thought through.

If you are given a chance to design Aadhaar today what would you do differently?

I would do exactly the same thing. Go back and look at the design document. Every design has been articulated, the pros and cons are written down, published on our website, and it is a highly transparent exercise. It is the appropriate design for the problem we are trying to solve. We are forgetting about the huge benefits people are getting. Crores of people are getting direct benefit transfer without hassle. They can go to a village business correspondent and withdraw money using Aadhaar. They can get their SIM card and open a bank account using e-KYC.

You are also forgetting that people are getting empowered. That portability has ensured the bargaining power has shifted from the PDS shop owner to the individual. If a PDS guy treats him badly, the individual can choose another shop, earlier he could not do that. The empowerment of millions of people to buy rations at the shop of their choice is extraordinary.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-may-13-2017-alnoor-peermohamed-and-raghu-krishnan-aadhaar-has-become-a-whipping-boy-nandan-nilekani

Third Multistakeholder Consultation on Encryption

praskrishna — 2017-05-19T09:42:49Z

Udbhav Tiwari represented CIS at the Third and Final Multistakeholder Consultation on Encryption held at the Taj Palace, New Delhi on May 11, 2017. The event was organised by the Observer Research Foundation, New Delhi. Saikat Dutta and Japreet Grewal were also present at the round-table discussion.

The discussion centred around issues such as trust between the government and citizens, key lengths, standards for device encryption and sector-specific security regulations. The primary goal of the meeting was to influence the second iteration of the draft encryption policy, expected soon, which will have bearing on data protection policies, access of law enforcement agencies to electronic information, and the ease of doing business in India's digital economy.

The main questions in the discussion were:

Should the National Encryption policy mandate key lengths for encryption of communications?
Should the policy require the registration of encryption service providers to operate in the Indian market?
What are the challenged faced in the enforcement of the policy?
What steps can the Indian government take to encourage R&D in domestic cryptographic services and products?

Dr. Gulshan Rai, the National Cyber Security Coordinator, was also present in the meeting and provided valuable inputs.

For more details visit http://editors.cis-india.org/internet-governance/news/third-multistakeholder-consultation-on-encryption

Here’s what everyone is saying in TRAI’s latest Net Neutrality consultation

praskrishna — 2017-05-19T09:35:35Z

Last year’s highly public and widely discussed TRAI consultation resulted in Internet providers being barred from charging differently for different parts of the Internet. This time around, the telecom regulator’s newest consultation on Net Neutrality is significantly more business-as-usual, and much more muted.

The blog post by Aroon Deep was published by Medianama on May 15, 2017.

Now that the consultation has finished accepting responses and counter-responses, here are some of the most significant themes to watch out for from telecom operators, Internet companies and advocacy groups.

1. “Same service, same rules”

Telecom operators have long complained that many apps like WhatsApp and Skype eat into their revenue by replacing the non-Internet access services that they charge for, like SMS and calling. Curiously, Indian telecom operators, instead of arguing that they should face less regulation, have called for these “over the top” (OTT) services to face more regulation instead. They argue that unlike so-called OTT apps, telcos face several regulatory constraints that put them in an uneven playing field. As such, they argue that there needs to be “same services, same rules”, a framework where OTT apps and telcos compete fairly, without regulatory imbalance.

Multiple stakeholders, such as the Broadband India Forum and Hotstar, pointed out that unlike OTT services, telecom providers held a monopoly on providing access to the Internet, mooting the argument that apps and ISPs need to be treated similarly.

Broadband India Forum’s curious reversal

In this consultation’s initial stages, the Broadband India Forum, an association of telecom operators, argued (pdf) that “OTT Communication players need to be brought under the same regulatory regime as the ISP/TSPs.” In an apparent reversal, the BIF made the opposite argument towards the end of the process (pdf), saying that “The so-called “Same Service, Same Rules” argument is flawed”. Further contradicting its earlier position, the association went on to say, “Rather than attempting to increase the regulatory burden of OTTs by applying telecom regulations to online services, there should be consideration given to reducing the regulatory burden of TSPs.”

2. What is an enterprise service?

Practically every Internet provider wants an exception on “enterprise services” or “specialized services”, like dedicated video calling services that some organizations subscribe to. For example, Reliance Jio argued that since enterprise services were “tailored” to specific business requirements, they did not affect Net Neutrality. The Centre for Internet and Society, an advocacy group and think tank, also said (pdf) that enterprise services should be exempted (from Net Neutrality restrictions), but only if i) access to the rest of the Internet is priced similarly, and ii) if the enterprise service in question cannot be served over the regular Internet in the required level of “delivery guarantee”.

Hotstar‘s submission was far more blunt. “The definition of Internet traffic should not exclude … Internet services masquerading as ‘specialized services’,” the streaming service argued. It went on to say that any specialized service seeking an exemption from Net Neutrality rules “should not be usable to provide general access to the Internet”, and must fulfil a very narrow function.

3. “Don’t touch CDNs!”

Content Delivery Networks (CDNs) are so-called “middle-mile” networks, which content providers use to distribute their traffic globally in a decentralized and efficient manner. CDNs typically host copies of content in servers around the world and connect directly with Internet providers, so that there is less latency when sites are accessed, and less distance between the content and the end-user. Content providers, CDN providers, and Internet providers strongly opposed CDNs from being regulated. In fact, Netflix dedicated much of its submission arguing against CDNs coming under regulatory purview, whereas TRAI itself only touched on the possibility passingly in its consultation paper.

Akamai, a large CDN provider, argued that “[A]ny net neutrality principles or rules adopted in India should apply only to Internet access service, which should refer to a publicly available electronic communications service provided by a telecommunications service provider (TSP) in India that is offered to end users on a retail basis”. To some extent, advocacy groups also argued that CDNs should largely be left out of Net Neutrality regulations. The Internet Democracy Project argued (pdf): “Since deploying high traffic content closer to the edges eases up the load on the network as a whole, [CDNs] need not be treated as violating discriminatory access to the internet.”

4. “Can we even detect Net Neutrality violations?”

Some telcos argued that detecting whether some Internet traffic was being slowed down or sped up would be next to impossible, and would require access to an ISP’s confidential internal traffic data. The GSMA, an international association of telecom operators, said (pdf) “monitoring and detecting [unfair traffic management] practices is challenging,” and that any detection framework should be highly robust. Spectranet, a broadband provider, said that it would be difficult to detect practices like throttling and paid prioritization, unless there’s a “neutral network” that is outside an ISP’s network which works with end-users to measure speeds of different applications and services to see if there’s any discriminatory traffic management.

The Measurements Lab said (pdf) that detecting unfair traffic management was very much possible. “Academic researchers and national regulatory authorities have been actively engaged in measuring traffic management practices for well over a decade to considerable success,” M-Lab said. “The adoption of TMP measurement tools by TRAI would build on a rich history of research and implementation, and align with the current agenda of BEREC and other regulators.”

5. “Device neutrality”

Multiple operators are arguing that since the fair treatment of all data depends on the end-user’s Internet browser and device, Net Neutrality should apply to those as well. Airtel, for example, argued (pdf) that device manufacturers and content providers should also be regulated under Net Neutrality rules (Airtel cited Netflix allegedly “slowing down” data for mobile data users as an example; Netflix denied Airtel’s allegation in a counter-filing). The Internet Freedom Foundation* argued strongly against such a framework, saying that “the focus of network neutrality as a regulatory concept has been to ensure that TSPs [don’t] misuse their unique, license-enabled position” which gives them monopoly over Internet access, unlike device manufacturers and OTT services. Similarly, Hotstar argued that “Independent devices, browsers or operating systems themselves do not constitute a network and are not the subject matter of the net neutrality debate.” (emphasis theirs)

For more details visit http://editors.cis-india.org/internet-governance/news/medianama-aroon-deep-may-15-2017-here-s-what-everyone-is-saying-in-trais-latest-net-neutrality-consultation

UIDAI puts posers to CIS over Aadhaar data leak claim

praskrishna — 2017-05-19T09:28:33Z

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.

The article originally published by PTI was also published by the Financial Express on May 19, 2017.

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.

Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.

Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.

The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.

The UIDAI letter comes after a CIS’ report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.

However, in a apparent course correction on May 16, a day before the UIDAI’s letter went out — CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.

For more details visit http://editors.cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim

What’s Hard To Digest About The Zomato Hacking

praskrishna — 2017-05-19T09:22:37Z

Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead. it’s Zomato, the popular Indian online food delivery and restaurant search service.

The blog post by Aayush Ailawadi was published by Bloomberg Quint on May 19, 2017. Pranesh Prakash was quoted.

The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in its blog that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.

Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.

In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information”

But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.

Late on Thursday night, the story took an interesting turn when the company updated its blog post yet again. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.

Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.

But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.

Disclose To Confuse?

Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.

What’s So Scary About The Zomato Hacking?

Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.

What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.

Genuine Disclosures Vs False Promises

Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.

Where’s My Privacy And Security?

Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.

Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”

For more details visit http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts

IT companies in Bengaluru on high alert over WannaCry ransomware

praskrishna — 2017-05-19T09:05:46Z

In the wake of the ransomware attack triggered by WannaCry virus, IT firms in Bengaluru are racing against time to updating their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared holiday for a day or two for their employees.

The article by Kiran Parashar K M & Shruthi H M was published in the New Indian Express on May 17, 2017. Pranesh Prakash was quoted.

Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been communicated to be aware of unsolicited emails and were asked to stay away from work at a few places where the security systems update was in progress.

A network engineer of a secondary source software firm, who provides security solutions, said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”
“Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.

Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”

Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.
“Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.

Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”

WannaCry under reported

The Indian Cyber Army sources said that there has been under reporting of such incidents as many individuals use pirated version of the Windows software. Also, people have no idea whom to report if they fall prey to WannaCry.

For more details visit http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware

Google, Facebook's AI group adds new members

praskrishna — 2017-05-19T08:56:31Z

CIS is one of the organizations.

Written by Jens Meyer from AP this was mirrored by Axios on May 16, 2017.

A group trying to demystify artificial intelligence with backing from companies like Google, Facebook, Apple and Microsoft is bolstering its ranks with 22 organizations in total.

New members in the Partnership on AI include:

Companies like Salesforce, Sony and Intel.
Non-profit advocacy groups including the Electronic Frontier Foundation, the Center for Democracy and Technology and the Future of Privacy Forum.
The list also includes Washington-based consultancy Upturn, which has worked on issues related to how big data collides with civil rights. The ACLU was already involved as a partner in the group.

Why it matters: The new corporate members of the partnership show how widespread interest in AI has become. And the high-level advocacy non-profits joining the partnership shows how AI is on a collision course with questions about privacy and discrimination.

For more details visit http://editors.cis-india.org/internet-governance/news/axios-may-16-2017-google-and-facebook-artificial-intelligence-group-adds-new-members

22 nieuwe leden voor Partnership on AI

praskrishna — 2017-05-19T06:54:20Z

Partnership on AI, een non-profit organisatie ter bevordering van het algemeen begrip van kunstmatige intelligentie en de ontwikkeling van best practices, heeft 22 nieuwe leden aangekondigd.

The news was published by Telecom Paper on May 17, 2017.

Tot de nieuwe leden behoren eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, en de XPRIZE Foundation. Partnership on AI werd vorig jaar september opgericht. Tot de oprichters behoren onder meer Amazon, Facebook, IBM, Microsoft, Google DeepMind en Apple.

For more details visit http://editors.cis-india.org/internet-governance/news/telecom-paper-may-17-2017-22-nieuwe-leden-voor-partnership-on-ai

Intel, eBay, SAP, Salesforce y Sony colaborarán en inteligencia artificial

praskrishna — 2017-05-19T06:50:06Z

Junto a otras empresas como Zalando, McKinsey & Company o Cogitai han decidido unirse a la asociación Partnership on AI impulsada por Amazon, Google, Facebook, IBM y Microsoft.

The blog post by Monica Tilves was published by Silicon on May 17, 2017.

El año pasado, Amazon, Google, Facebook, IBM y Microsoft dieron vida a Partnership on AI, una organización “para avanzar en la comprensión pública de las tecnologías de inteligencia artificial” y “formular las mejores prácticas sobre los desafíos y oportunidades en el campo”.

A esta iniciativa se han ido uniendo con el paso del tiempo compañías como Apple, que se sumó en enero a Partnership on AI. Ahora sus responsables han anunciado la incorporación de nada más y nada menos que veintidós nuevos nombres.

Por un lado trabajarán con esta asociación las firmas tecnológicas Cogitai, eBay, Intel, Salesforce, SAP y Sony. Además de McKinsey & Company y Zalando.

Cabe destacar que por parte de Intel, Salesforce, SAP y Sony participarán, respectivamente, el responsable del AI Products Group formado hace unos meses en la compañía de Santa Clara, Yinyin Liu; el vicepresidente de Machine Learning, Markus Noga, el científico jefe Richard Socher; y el director de Sony Computer Science Laboratories, Hiroaki Kitano.

En la lista de nuevos socios también aparecen los nombres de catorce entidades sin ánimo de lucro como UNICEF. El resto serían: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, Upturn y XPRIZE Foundation.

Se espera que nuevas compañías se vayan uniendo a Partnership on AI en el futuro para ahondar en el pujante tema de la inteligencia artificial.

Partnership on AI se encuentra en estos momentos en plena búsqueda de un director ejecutivo que se encargue de supervisar las operaciones de la organización.

For more details visit http://editors.cis-india.org/internet-governance/news/silicon-monica-tilves-may-17-2017-intel-ebay-sap-salesforce-sony-collaboration-aritificial-intelligence

Partnership on AI adds new organizations to its network

praskrishna — 2017-05-19T06:40:08Z

The Partnership on AI to Benefit People and Society (Partnership on AI) is strengthening its network of partners by welcoming new organizations to share their diverse, unique perspectives on AI.

The blog post by Madison Moore was published in Software Development Times on May 17, 2017.

Earlier in the year, Partnership on AI brought in Apple and six nonprofit board members to serve on the board of directors. This week, the partnership announced that 22 new organizations will join the Partnership on AI, and these organizations will work and support the board of directors.

The Partnership on AI is welcoming eight new for-profit partners, including eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, and Zalando, along with the start-up Cogitai.

The fourteen non-profit Partners that joined include: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

Some of the representatives from these newly added organizations include Dr. Hiroaki Kitano, who is the head of Sony Computer Science Laboratories. Other collaborators include Chris Fabian, who leads the Ventures team in UNICEF’s Office of Innovation. SAP’s Dr. Markus Noga, who has led efforts applying machine learning to business problems, is also joining the partnership.

Additionally, the partnership will move forward with one other initiative, and that is to form a cross-conference “AI, People, and Society” Best Paper Award, and start an AI Grand Challenge series, which will focus on addressing long-term social and societal issues around artificial intelligence.

The partnership is also in the process of finding an executive director, and that person will oversee day-to-day operation of the organization.

For more details visit http://editors.cis-india.org/internet-governance/news/sd-times-may-17-partnership-on-ai-adds-new-organizations-to-its-network

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit http://editors.cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Intel, Salesforce, eBay, Sony and others join the grand AI partnership club

praskrishna — 2017-05-19T06:25:24Z

Adding more ammunition to the grand AI alliance, Intel, Salesforce, eBay, Sony, SAP, McKinsey & Company, Zalando and Cogitai are joining the Partnership on AI, a collection of companies and non-profits that have committed to share best practices and communicating openly about the prospects and challenges of artificial intelligence research.

This was published by CIOL on May 17, 2017.

The new members expand a group that already counts heavyweights like Facebook, Amazon, Google, IBM, Microsoft and Apple.

The platform will be hosting a series of AI Grand Challenges to encourage and incentivize researchers working on AI. It has also announced an award for best paper on the topic of “AI, People, and Society” to aid in addressing a similar goal.

The partnership group also said that it will create working groups to research and define best practices for specific topics and sectors within the field. It’s also creating a fellowship to assist nonprofits and nongovernmental organisations looking to participate in AI issues.

Interestingly, the group is still open which means the list will only get longer in the coming months.

For more details visit http://editors.cis-india.org/internet-governance/news/ciol-may-17-2017-intel-salesforce-ebay-sony-and-others-join-the-grand-ai-partnership-club

Partnership on AI Adds Corporate, NGO Members, Charts Initial Course

praskrishna — 2017-05-19T06:00:15Z

Artificial intelligence is a booming business in 2017, but one that also comes with significant baggage in the form of public misunderstanding, potential job losses, and fear.

The blog post by Benjamin Roman was published by Xconomy on May 16, 2017.

Last fall, A.I. competitors Amazon, Microsoft, Facebook, IBM, and Google banded together to form the Partnership on AI to Benefit People and Society, an industry-led attempt to get ahead of the many social, ethical, and economic issues presented by the advent of technology with increasingly human-like capabilities. Apple joined the group as another founding member earlier this year.

On Tuesday, the Partnership on AI (PAI) announced nearly two dozen new members, including more of the tech industry’s biggest names—Intel, eBay, Salesforce, and SAP among them—and many of the world’s foremost A.I. research institutions, such as the Seattle-based Allen Institute for Artificial Intelligence. Also joining are nonprofits focused on digital privacy, human rights, and freedom. The full list of members is below.

The organization also outlined its initial plan of action, organized around seven “thematic pillars” (several of which hew closely to the AI principles agreed on by a gathering of researchers at the Asilomar conference earlier this year). The PAI pillars include safety, transparency, human-A.I. collaboration, economic and workforce impacts, and social and societal impacts.

After a recent board of directors retreat, the PAI plans: working groups to develop best practices by topic and sector; a fellowship for individuals at nonprofits and non-governmental organizations; an “AI, People, and Society” Best Paper Award; and a series of A.I. Grand Challenges aimed at “some of the most pressing long-term social and societal issues.”

The PAI is finding its organizational footing, but still has some big pieces missing: an executive director, for one.

While it was organized by the biggest names in technology and business, the PAI also aspires to be a “multi-stakeholder” organization and has welcomed into its fold the likes of the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, and Human Rights Watch.

It will be interesting to watch the degree to which these groups and their representatives to the PAI have sway over the organization’s direction, and the policy positions and best practices it puts forth—particularly on issues that could conflict with the business interests of its for-profit member companies.

PAI founding partners: Amazon, Apple, DeepMind, Google, Facebook, IBM, Microsoft

Other for-profit partners: eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai

Nonprofit partners: Association for the Advancement of Artificial Intelligence, ACLU, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society—India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, OpenAI, UNICEF, Upturn, the XPRIZE Foundation.

For more details visit http://editors.cis-india.org/internet-governance/news/x-conomy-benjamin-romano-may-16-2017-partnership-on-ai-adds-corporate-ngo-members-charts-initial-course

The Partnership on AI has Intel, SalesForce, Ebay and others as its newest members

praskrishna — 2017-05-19T05:36:30Z

A slew of industry heavyweights have decided to augment the ranks of the Partnership on AI. New joiners to the group, which includes companies and non-profits, include names like Intel, Salesforce, eBay, Sony, SAP, McKinsey & Company, Zalando and Cogitai.

The blog post by Mudit Mohilay was published in the Tech Portal on May 16, 2017.

The group also announced a slew of non-profit partners including the Allen Institute for Artificial Intelligence, the AI Forum of New Zealand, the Centre for Democracy & Technology, the Centre for Internet and Society (India), Data & Society Research Institute, the Digital Asia Hub, the Electronic Frontier Foundation, the Future of Humanity Institute, the Future of Privacy Forum, the Human Rights Watch, the Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

The new members are a late addition to a group which already consists of many of their industry peers including Facebook, Amazon, Google, IBM, Microsoft and Apple. The companies will be sharing the platform with several non-profit organizations and the overall aim will be promoting best practices while using AI and discussing the benefits and the dangers associated with the same. Considering the rapid race at which AI is encroaching in our daily lives, this is a highly relevant platform.

The platform will also be hosting a whole bunch of AI Grand Challenges with the aim of providing financial and motivational incentives to researchers working with AI. The group will also be working with researchers who are studying the effects of AI on the human social structure. A best paper award for the greatest contribution to “AI, People, and Society,” has already been announced and is open.

The group will also be working on establishing a series of groups that are topic or sector specific. These groups will be working to generate best practices for various niches. The aim here is to build a community that can deal and even forestall the problem which may arise as Artificial Intelligence is inducted into our society at a deeper level.

For more details visit http://editors.cis-india.org/internet-governance/news/the-tech-portal-may-16-2017-mudit-mohilay-partnership-on-ai-intel-sales-force-ebay-and-others-as-its-newest-members