Centre for Internet and Society

Partnership on AI adds new organizations to its network

praskrishna — 2017-05-19T06:40:08Z

The Partnership on AI to Benefit People and Society (Partnership on AI) is strengthening its network of partners by welcoming new organizations to share their diverse, unique perspectives on AI.

The blog post by Madison Moore was published in Software Development Times on May 17, 2017.

Earlier in the year, Partnership on AI brought in Apple and six nonprofit board members to serve on the board of directors. This week, the partnership announced that 22 new organizations will join the Partnership on AI, and these organizations will work and support the board of directors.

The Partnership on AI is welcoming eight new for-profit partners, including eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, and Zalando, along with the start-up Cogitai.

The fourteen non-profit Partners that joined include: Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society – India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

Some of the representatives from these newly added organizations include Dr. Hiroaki Kitano, who is the head of Sony Computer Science Laboratories. Other collaborators include Chris Fabian, who leads the Ventures team in UNICEF’s Office of Innovation. SAP’s Dr. Markus Noga, who has led efforts applying machine learning to business problems, is also joining the partnership.

Additionally, the partnership will move forward with one other initiative, and that is to form a cross-conference “AI, People, and Society” Best Paper Award, and start an AI Grand Challenge series, which will focus on addressing long-term social and societal issues around artificial intelligence.

The partnership is also in the process of finding an executive director, and that person will oversee day-to-day operation of the organization.

For more details visit http://editors.cis-india.org/internet-governance/news/sd-times-may-17-partnership-on-ai-adds-new-organizations-to-its-network

WannaCry: ATMs not to shut down, clarifies RBI, but how safe are our machines?

praskrishna — 2017-05-19T06:30:49Z

SBI has denied there was any compromise in its ATMs.

The blog post by Soumya Chatterjee was published by Newsminute on May 16, 2017. Udbhav Tiwari was quoted.

In the wake of the onslaught by ransomware WannaCry across the globe, the Reserve Bank of India has denied that it has asked banks in the country to shut down ATMs despite multiple conflicting reports on the same.

Speaking to The News Minute, the central bank’s spokesperson clarified, “The RBI has not passed any circulars to banks on the issue. All circulars sent to banks by the RBI is on the official website if it’s not on the website that means there is no such circular.”

The State Bank of India, the largest consumer bank of India also denied any compromise in its ATMs.

“All our systems are updated as required. Some of those, we do it daily. There are two types of updates, one is at the server level and one at the machine level. Generally, server level updates are done on a daily basis because patches are released and these are managed centrally in addition to local firewalls. The ATM machines are updated typically once in 15 days that is when the maintenance engineers visit the sites, they carry the latest software patch with them. So, everything is updated, there is no problem regarding this. We have additional surveillance but none of the ATM networks in the world has been impacted," Mrityunjoy Mahapatra, CIO of SBI told TNM.

However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised.

“This particular vulnerability was exposed by the WikiLeaks in March saying that the US' NSA was using this vulnerability in Windows operating systems to target individuals. Following this, Microsoft had sent patches in its update in March itself to counter this particular form of threats,” Udhav told TNM.

Udhav said WannaCry is one of the viruses which exploits this vulnerability adding,"No operating system is completely secure be it Windows, Mac or Linux or others, but there are certain OSs that are more susceptible to such attacks due to their popular usage and subsequent research carried on them. Once such attacks come out in the public domain and they usually get patched by the maintainers of the OS."

“In my personal experience, I have come across that most of the ATMs run on customised versions/ embeds of Windows XP or better Windows 7 which came out in 2001 and 2009 respectively. The support period for XP has already lapsed which means that it is more susceptible to malicious attacks than patched versions of other OSs,” Udhav said.

"However, Microsoft made an exception for this current threat and issued patches just for this,” added Udhav, noting if the patches were not installed they remain open to the WannaCry threat.

He also says that as there is no central repository to know what operating system many ATMs run, it would be hard to get the number of machines which are prone to this particular attack.

The cyber security expert draws parallels with the data security breaches last September and October, where a malware attack forced Indian banks to replace or request users to change the security codes of 3.2 million debit cards.

Udhav explained, “The malware had propagated in a very similar manner, they propagated via the internal networks of the bank because of a vulnerability of the ATM machines and then started recording details stored in the magnetic strips of the card."

Apart from invading some systems in departments of some state government in India, WannaCry has penetrated high profile systems across the globe including UK’s health services, Germany’s railway.

For more details visit http://editors.cis-india.org/internet-governance/news/newsminute-may-16-2017-soumya-chatterjee-wannacry-atms-not-to-shut-down-clarifies-rbi

Intel, Salesforce, eBay, Sony and others join the grand AI partnership club

praskrishna — 2017-05-19T06:25:24Z

Adding more ammunition to the grand AI alliance, Intel, Salesforce, eBay, Sony, SAP, McKinsey & Company, Zalando and Cogitai are joining the Partnership on AI, a collection of companies and non-profits that have committed to share best practices and communicating openly about the prospects and challenges of artificial intelligence research.

This was published by CIOL on May 17, 2017.

The new members expand a group that already counts heavyweights like Facebook, Amazon, Google, IBM, Microsoft and Apple.

The platform will be hosting a series of AI Grand Challenges to encourage and incentivize researchers working on AI. It has also announced an award for best paper on the topic of “AI, People, and Society” to aid in addressing a similar goal.

The partnership group also said that it will create working groups to research and define best practices for specific topics and sectors within the field. It’s also creating a fellowship to assist nonprofits and nongovernmental organisations looking to participate in AI issues.

Interestingly, the group is still open which means the list will only get longer in the coming months.

For more details visit http://editors.cis-india.org/internet-governance/news/ciol-may-17-2017-intel-salesforce-ebay-sony-and-others-join-the-grand-ai-partnership-club

Partnership on AI Adds Corporate, NGO Members, Charts Initial Course

praskrishna — 2017-05-19T06:00:15Z

Artificial intelligence is a booming business in 2017, but one that also comes with significant baggage in the form of public misunderstanding, potential job losses, and fear.

The blog post by Benjamin Roman was published by Xconomy on May 16, 2017.

Last fall, A.I. competitors Amazon, Microsoft, Facebook, IBM, and Google banded together to form the Partnership on AI to Benefit People and Society, an industry-led attempt to get ahead of the many social, ethical, and economic issues presented by the advent of technology with increasingly human-like capabilities. Apple joined the group as another founding member earlier this year.

On Tuesday, the Partnership on AI (PAI) announced nearly two dozen new members, including more of the tech industry’s biggest names—Intel, eBay, Salesforce, and SAP among them—and many of the world’s foremost A.I. research institutions, such as the Seattle-based Allen Institute for Artificial Intelligence. Also joining are nonprofits focused on digital privacy, human rights, and freedom. The full list of members is below.

The organization also outlined its initial plan of action, organized around seven “thematic pillars” (several of which hew closely to the AI principles agreed on by a gathering of researchers at the Asilomar conference earlier this year). The PAI pillars include safety, transparency, human-A.I. collaboration, economic and workforce impacts, and social and societal impacts.

After a recent board of directors retreat, the PAI plans: working groups to develop best practices by topic and sector; a fellowship for individuals at nonprofits and non-governmental organizations; an “AI, People, and Society” Best Paper Award; and a series of A.I. Grand Challenges aimed at “some of the most pressing long-term social and societal issues.”

The PAI is finding its organizational footing, but still has some big pieces missing: an executive director, for one.

While it was organized by the biggest names in technology and business, the PAI also aspires to be a “multi-stakeholder” organization and has welcomed into its fold the likes of the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, and Human Rights Watch.

It will be interesting to watch the degree to which these groups and their representatives to the PAI have sway over the organization’s direction, and the policy positions and best practices it puts forth—particularly on issues that could conflict with the business interests of its for-profit member companies.

PAI founding partners: Amazon, Apple, DeepMind, Google, Facebook, IBM, Microsoft

Other for-profit partners: eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, Cogitai

Nonprofit partners: Association for the Advancement of Artificial Intelligence, ACLU, Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society—India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, OpenAI, UNICEF, Upturn, the XPRIZE Foundation.

For more details visit http://editors.cis-india.org/internet-governance/news/x-conomy-benjamin-romano-may-16-2017-partnership-on-ai-adds-corporate-ngo-members-charts-initial-course

The Partnership on AI has Intel, SalesForce, Ebay and others as its newest members

praskrishna — 2017-05-19T05:36:30Z

A slew of industry heavyweights have decided to augment the ranks of the Partnership on AI. New joiners to the group, which includes companies and non-profits, include names like Intel, Salesforce, eBay, Sony, SAP, McKinsey & Company, Zalando and Cogitai.

The blog post by Mudit Mohilay was published in the Tech Portal on May 16, 2017.

The group also announced a slew of non-profit partners including the Allen Institute for Artificial Intelligence, the AI Forum of New Zealand, the Centre for Democracy & Technology, the Centre for Internet and Society (India), Data & Society Research Institute, the Digital Asia Hub, the Electronic Frontier Foundation, the Future of Humanity Institute, the Future of Privacy Forum, the Human Rights Watch, the Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

The new members are a late addition to a group which already consists of many of their industry peers including Facebook, Amazon, Google, IBM, Microsoft and Apple. The companies will be sharing the platform with several non-profit organizations and the overall aim will be promoting best practices while using AI and discussing the benefits and the dangers associated with the same. Considering the rapid race at which AI is encroaching in our daily lives, this is a highly relevant platform.

The platform will also be hosting a whole bunch of AI Grand Challenges with the aim of providing financial and motivational incentives to researchers working with AI. The group will also be working with researchers who are studying the effects of AI on the human social structure. A best paper award for the greatest contribution to “AI, People, and Society,” has already been announced and is open.

The group will also be working on establishing a series of groups that are topic or sector specific. These groups will be working to generate best practices for various niches. The aim here is to build a community that can deal and even forestall the problem which may arise as Artificial Intelligence is inducted into our society at a deeper level.

For more details visit http://editors.cis-india.org/internet-governance/news/the-tech-portal-may-16-2017-mudit-mohilay-partnership-on-ai-intel-sales-force-ebay-and-others-as-its-newest-members

22 companies join Partnership on AI, begin to study AI's impact on work and society

praskrishna — 2017-05-19T05:26:09Z

The non-profit artificial intelligence organization added new groups into its fold, and announced initiatives on developing AI best practices and harnessing the technology for social good.

The blog post by Alison DeNisco was published in TechRepublic on May 17, 2017.

As artificial intelligence (AI) increasingly enters every part of our lives, from chatbots to self-driving cars to office data analysis programs, questions remain about how this technology will impact our future in terms of jobs, safety, and society.

In September 2016, Facebook, Microsoft, IBM, Amazon, and Google announced the creation of a "Partnership on AI to Benefit People and Society" (Partnership on AI), a nonprofit formed to "study and formulate best practices on AI technologies, to advance the public's understanding of AI, and to serve as an open platform for discussion and engagement about AI and its influences on people and society." Apple joined the partnership as a founding member in January 2017.

On Tuesday, the Partnership on AI shared a blog post with updates on the group's progress. Some 22 new organizations are joining the partnership, and more are expected to join in the future, according to the post. Eight are for-profit partners: eBay, Intel, McKinsey & Company, Salesforce, SAP, Sony, Zalando, and Cogitai.

Meanwhile, 14 are non-profits: The Allen Institute for Artificial Intelligence, AI Forum of New Zealand, Center for Democracy & Technology, Centre for Internet and Society-India, Data & Society Research Institute, Digital Asia Hub, Electronic Frontier Foundation, Future of Humanity Institute, Future of Privacy Forum, Human Rights Watch, Leverhulme Centre for the Future of Intelligence, UNICEF, Upturn, and the XPRIZE Foundation.

"Together with the founding companies and our existing non-profit Partners (AAAI, ACLU, and OpenAI), these new Partners strengthen and broaden our representation, helping to fulfil our goal to build a diverse, balanced, and global set of perspectives on AI," the post stated.

Notable representatives from these organizations include Dr. Hiroaki Kitano, head of Sony Computer Science Laboratories and a world expert on AI robotics and human-AI collaboration, and Chris Fabian of UNICEF's Office of Innovation, who leads a group of technologists who apply machine learning, data science, and AI to societal problems.

Partnership on AI also announced plans to launch a set of initiatives based on its thematic pillars: Safety-critical AI; fair, transparent, and accountable AI; collaboration between people and AI systems; AI, labor, and the economy; social and societal influences of AI; AI and social good; and special initiatives. These early programs will focus on:

Topic-specific and sector-specific Working Groups to research and formulate best practices
The creation of a Civil Society Fellowship program aimed at assisting people at non-profits and NGOs who wish to collaborate on topics in AI and society
The formation of a cross-conference "AI, People, and Society" Best-Paper Award
The start of an AI Grand Challenges series to stimulate aspirational efforts in harnessing AI to address some of the most pressing long-term social and societal issues

The partners will work together to shape each initiative, and the group will share more information about each project soon, according to the blog post. The group also announced that it is in the process of appointing an executive director, who will oversee the organization's day-to-day operations.

Partnership on AI is not the only group examining the impact AI will have on our world. Elon Musk founded an $11 million AI safety program for funding researchers, and Eric Horvitz of Stanford University is leading the One Hundred Year Study on Artificial Intelligence. The White House released two reports in 2016 on preparing for the future of AI, and the effect of AI and automation on the economy. And a US Senate Committee also met last year to discuss the current state of AI, and its potential impact on policy and commerce.

The 3 big takeaways for TechRepublic readers

The nonprofit Partnership on AI, founded by Facebook, Microsoft, IBM, Amazon, Google, and Apple, recently announced that it was adding 22 new organizations to its ranks to research AI and formulate best practices around the technology.
The partnership also announced several initiatives, including working groups to research and create best practices, and a challenge series to inspire people to use AI to address social issues.
Partnership for AI is expected to release more information on each initiative soon, as well as appoint an executive director.

For more details visit http://editors.cis-india.org/internet-governance/news/tech-republic-may-17-2017-22-companies-join-partnership-on-ai

UIDAI asks Centre for Internet & Society to provide hacker details

praskrishna — 2017-06-07T12:21:47Z

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.
The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details

Provide hacker details, outfit that claimed data leak told

praskrishna — 2017-06-07T12:14:13Z

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.

The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told

Plug data leak before imposing Aadhaar

praskrishna — 2017-05-17T02:10:37Z

As the Central government continues to expand the scope and boundaries of the applicability of Aadhaar, the unique identification number, even before the Supreme Court’s verdict on its constitutional validity, reports suggesting that millions of Aadhaar numbers may have been leaked deliberately or inadvertently are a matter of grave concern.

The article was published in the Deccan Herald on May 11, 2017.

The Centre for Internet and Society, a Bengaluru-based organisation, has claimed that close to 135 million Aadhaar numbers and 100 million bank account numbers have been exposed by government portals dealing with pension, social welfare and employment guarantee schemes. The report says that with Aadhaar being used or planned to be used for authenticating and authorising several transactions, the financial risks of the disclosure of such data are greatly exacerbated. Virtually confirming that some ‘over-enthusiastic’ government agencies have been making the Aadhaar data public, Aruna Sundararajan, secretary, Union Electronics and Information Technology Ministry, has said that the Centre is in the process of ‘educating officials’ about the sanctity of the material collected, besides drafting amendments to the Information Technology Act to ensure data protection and secrecy. That’s indeed a late realisation, and hopefully, not a case of locking the stables once the horses have bolted.

The Supreme Court is also rightly concerned about the invasion of a citizen’s body in obtaining fingerprints and iris impressions for Aadhaar and the violation of an individual’s privacy. Attorney General Mukul Rohatgi raised several eyebrows by arguing that “citizens don’t have an absolute right over their own bodies” and there was nothing illegal about obtaining biometric details. He may be legally right, but as the court pointed out, it is the duty of the state to maintain the liberty and dignity of all individuals. As almost 98% of the population has already been covered by Aadhaar, the question of privacy is now more academic, though making Aadhaar mandatory for the filing of income tax along with PAN card is not. As the government is unable to come to grips with millions of benami transactions and largescale evasion of income tax in the country, if the linking of Aadhaar is going to bring down such cases, it needs to be welcomed.

However, Aadhaar is not a magic bullet that has a solution for every problem. The government shoulddrop the idea of making it mandatory for social welfare programmes such as children availing midday mealsin schools, supply of nutrition under ICDS programme and provision of scholarship for the disabled. The government certainly has a responsibility to prevent misuse of the schemes, while making sure that welfare measures are not denied to the needy on technical grounds.

For more details visit http://editors.cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar

Clarification on the Information Security Practices of Aadhaar Report

praskrishna — 2017-05-16T16:41:58Z

For more details visit http://editors.cis-india.org/internet-governance/files/clarification-on-the-information-security-practices-of-aadhaar-report

Updated Aadhaar Report

praskrishna — 2017-05-16T16:37:30Z

For more details visit http://editors.cis-india.org/internet-governance/files/updated-aadhaar-report.pdf

Indian Government says it is still drafting privacy law, but doesn’t give timelines

praskrishna — 2017-05-15T02:10:26Z

Read the original published by Medianama here

The Government is drafting a legislation to protect privacy of individuals breached through unlawful means in consultation with stakeholders, the minister for communications and information technology Ravi Shankar Prasad said in the Rajya Sabha. However, no timeline was provided, which is really the problem: Is the Indian government even interested in a privacy law?

In August last year, the Government of India had said in the Supreme Court of India that had said that “violation of privacy doesn’t mean anything because privacy is not a guaranteed right”, actually arguing that the citizens of India do not have a fundamental right to privacy.
In September last year, the DeitY had also sought to make encryption (and personal and business security) weaker via a draft policy on encryption, requiring all users to store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable plain-text to Law and Enforcement Agencies if required. After a public outcry, the paper was withdrawn.
Last month, the DoT made it mandatory to have GPS on all phones by 2018.

We’re in a situation where the country doesn’t have a privacy law on one hand, and is setting up surveillance systems like the Centralized Monitoring System, NETRA, NATGRID (for collecting data from across databases), and linking citizens and databases across the unique identity number in Aadhaar on the other.

What happened to the old Privacy bill?

While India does not yet have a comprehensive privacy policy, back in 2014, the Centre for Internet and Society received a leaked version of the draft Privacy Bill 2014 that the Department of Personnel and Training, Government of India had drafted. A comparison of the draft bill from 2014 and the draft privacy bill of 2011 can be found here.

As per Prasad, as of now, the Section 43, 43A and 72A of the IT Act of 2000 provide the legal framework for digital privacy and security, mandating that agencies collecting personal data must provide a privacy policy, and compensations must be paid to the victim in case of unauthorized access or leakage of information.

Questions asked in Rajya Sabha:

Whether Government intends to bring a specific legislation to address the concerns regarding privacy in the country, if so, the details thereof, if not, the reason therefore; and

Whether the legislation would provide for protection of ‘personal data’ along the lines of the European Union’s Data Protection Directive, if so, the details thereof, if not, the reasons therefor

EU Privacy Bill

Interestingly, the question posed to the minister asked if the legislation would provide for protection of personal data along the lines of European Union’s General Data Protection Directive (GDRP), which were approved just last month. EU’s directive defines “any information relating to an identified or identifiable natural person directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, as personal data.

The GDRP has a pretty wide scope and is pretty consumer friendly. The laws require users to provide explicit consent for data collection, companies to report as soon as they have a data breach, and a ‘right to erasure’ that lets users request all personal data related to them to be deleted. It also imposes a significant fine of up to 4% of annual worldwide turnover of a company in the previous financial year, in case of non compliance. For a comprehensive overview of the policy read handbook on European data protection law (pdf).

Email privacy bill US

The US does not have a comprehensive digital privacy law like the EU and mostly relies on the the privacy act of 1974. However, recently the US House of Representatives unanimously passed the Email Privacy Act that would require investigators to get a warrant before forcing companies to hand over customer email or other electronic communications, no matter how old the communication.

For more details visit http://editors.cis-india.org/internet-governance/news/medianama-vivek-pai-may-4-2017-indian-govt-says-it-is-still-drafting-privacy-law

India is building a biometric database for 1.3 billion people — and enrollment is mandatory

praskrishna — 2017-05-12T16:22:35Z

Inside the buzzing enrollment agency, young professionals wearing slim-fitting jeans and lanyards around their necks tapped away at keyboards and fiddled with fingerprint scanning devices as they helped build the biggest and most ambitious biometric database ever conceived.

The article by Shashank Bengali was published in the Los Angeles Times on May 12, 2017.

Into the office stepped Vimal Gawde, an impoverished 75-year-old widow dressed in a floral print sari. She had come to secure her ticket to India’s digital future — to enroll in the identity program, called Aadhaar, or “foundation,” that aims to record the fingerprints and irises of all 1.3 billion Indian residents.

Nearly 9 out of 10 Indians have registered, each assigned a unique 12-digit number that serves as a digital identity that can be verified with the scan of a thumb or an eye. But Gawde came to the enrollment office less out of excitement than desperation: If she didn’t get a number, she worried that she wouldn’t be able to eat.

Designed as a showcase of India’s technological prowess — offering identity proof to the poor and reducing waste in welfare programs — Aadhaar’s grand promises have been muddied by controversy as the government makes enrollment mandatory for a growing number of essential services.

Indians now need an Aadhaar number to pay taxes, collect pensions and obtain certain welfare benefits. The rapid expansion of a program that was originally described as voluntary has sparked criticism that India is vacuuming up citizens’ personal information with few privacy safeguards and creating hardship for the very people the initiative was supposed to help.

Like many Indians living in poverty, Gawde uses a ration card to purchase her monthly allotment of subsidized rice and cooking gas. But the shopkeeper told her that starting next month, he would sell to her only if she produced an Aadhaar number.

She had visited the enrollment agency three times but had yet to be approved, for reasons she did not understand. (Enrollment agents would not comment on individual cases.)

Reaching into her canvas bag, Gawde pulled out the familiar panoply of documents — ration card, voter card, electricity bill, income tax ID — that Indians use to navigate a dizzying bureaucracy. Aadhaar, she was told, would supplant all these papers.

But she had to get the number first.

“I’m nervous,” Gawde said outside the enrollment office on a sweltering morning. “I first applied three years ago and submitted all my documents, but didn’t follow up. Now that it’s becoming compulsory, I’m doing everything I can to get it.”

Indian Prime Minister Narendra Modi, who had criticized Aadhaar as a “political gimmick” before he took office, has embraced the futuristic idea of an all-in-one digital identity. His party pushed through a law last year that paved the way for a dramatic expansion of Aadhaar, allowing government entities and private businesses wide latitude to access the database, which collects not just people’s names and birth dates but also phone numbers, email addresses and other information.

Soon, as more private companies use the database, it could become difficult to open a bank account, get a new cellphone number or buy plane or train tickets without being enrolled.

Supporters say the program, which has cost about $1 billion to implement, will save multiples of that by curbing tax evasion and ensuring that welfare subsidies are not stolen by middlemen.

“Aadhaar was always meant to be an instrument of inclusion,” Nandan Nilekani, a tech billionaire and the program’s first chairman, said in an interview. “I’m really happy that the current government is completely endorsing Aadhaar and using it for a wide variety of services that will transform governance.”

Nilekani calls Aadhaar “hugely empowering” for the poor, but not long ago even he argued that enrollment should remain optional so that no Indians were prevented from accessing essential services. India’s Supreme Court agreed, ruling in 2015 that the government could not require Aadhaar for any benefit to which a person was otherwise entitled, as long as they could prove their identity by some other means.

Yet the court has stayed silent as Aadhaar creeps into every facet of Indian life, even for children.

A 12-year-old girl named Saiba is a case in point. After the girl’s grandmother passed away in their family’s ancestral village in northern India, Saiba’s mother moved her and her four siblings to a crowded neighborhood on the rough fringes of New Delhi, near a car parts market thick with the smell of grease.

When Saiba’s mother, Rani, went to the local school in April to register her for the sixth grade, administrators turned her down, saying every student must have an Aadhaar number.

But to get a number, a child usually needs a birth certificate — and like one-quarter of children born in this country, Saiba and her siblings did not have them because their village did not routinely register births.

Sitting with her mother in the cramped offices of the local advocacy group Pardarshita, above a noisy street lined with vegetable sellers, the girl puffed her round cheeks in an expression of helplessness.

“I don’t know anything about this,” said Saiba, who, like many Indians, has only one name. “I just want to go to school.”

Rakesh Thakur, a board member of Pardarshita, is trying to obtain Aadhaar numbers for dozens of children barred from Delhi schools. He called the policy “a clear violation” by the municipal government of both the Supreme Court order and India’s Right to Education Act, which guarantees every child younger than 14 free schooling.

A Twitter account called “Rethink Aadhaar” logs new instances almost daily of Indians who have suffered because scanners couldn’t read their fingerprints or because of errors in the database.

In Jawhar, a forested zone about 60 miles north of Mumbai, administrators have told local tribal communities that they will soon use Aadhaar to distribute welfare rations and school lunches. But the area lies outside cellphone range, leading residents to wonder how scanners will connect to the Internet to verify their identities.

“The idea of Aadhaar and the technology may be good, but do we have the infrastructure to make it mandatory?” said Vivek Pandit, a former lawmaker who runs a nonprofit group in the area. “The law is city-centric, and it would only lead to the social exclusion of rural India.”

This month lawyers opposing Aadhaar argued before the Supreme Court that the government could not force Indians to share their biometric data. Atty. Gen. Mukul Rohatgi countered that Indians had no constitutional right to privacy and could not claim an “absolute right” over their bodies.

Without privacy protections, activists worry that as Aadhaar numbers are linked to more and more services, intelligence agencies could use the database to more easily track Indians’ calls, travels and purchases.

“It’s become very clear that this is not a project about the poor,” said Usha Ramanathan, a lawyer and anti-Aadhaar activist. “The government’s ambitions have gotten greater over time.”

This month, the Center for Internet and Society, a New Delhi think tank, reported that federal and state agencies had published up to 135 million Aadhaar numbers — some including sensitive information such as a person’s caste and religion, or details of pension payments — on unsecured websites accessible through just a few clicks.

It’s become very clear that this is not a project about the poor. — Usha Ramanathan, a lawyer and anti-Aadhaar activist

Pranesh Prakash, the center’s policy director, said that when Indian authorities can’t even keep Aadhaar numbers private, as the law requires, it suggests the entire database is vulnerable — particularly after sensitive information involving 22 million Americans was exposed when federal databases were hacked in 2015.

“When these kinds of leaks are happening, it’s rather foolhardy to maintain a database of 1.2 billion people’s biometrics, because once this gets breached, it becomes completely unusable,” Prakash said.

“If your PIN number or password leaks, you can change it. You can’t change your fingerprints.”

Praveen Chakravarty, a former investment banker who worked with Nilekani to launch Aadhaar, believes the lack of safeguards undermines the project’s ideals of efficiency and empowerment. He said many Indians were right to worry that Modi’s government, which has cracked down on political activists and nonprofit groups it opposes, could use Aadhaar to snoop on citizens.

“Maybe Aadhaar didn’t need to be this big,” Chakravarty said, adding that the government could simply have worked to fix inefficiencies in individual welfare programs.

“People could ask, ‘Did we need this at all?’” he said. “It’s a good question.”

For Gawde, the widow, Aadhaar remained an idea of the future. She left the enrollment agency that day empty-handed, told by a young employee that her number had not been assigned. But she retained hope that the new ID would make life easier.

“We are just poor people,” she said. “We have to trust what the government tells us.”

For more details visit http://editors.cis-india.org/internet-governance/news/los-angeles-times-shashank-bengali-may-12-2017-india-is-building-a-biometric-database-for-1.3-billion-people-and-enrollment-is-mandatory

Aadhaar: Are a billion identities at risk on India's biometric database

praskrishna — 2017-05-20T06:38:26Z

"My fingerprints and iris are mine and my own. The state cannot take away my body," a lawyer told India's Supreme Court last week.

The article by Soutik Biswas was published by BBC News on May 4, 2017. Also see the blog post by Rawlson King published by Biometric Update.com on May 5, 2017.

Shyam Divan was arguing a crucial petition challenging a new law that makes it compulsory for people to submit a controversial biometric-based personal identification number while filing income tax returns.

Defending this law, the government's top law officer told the court on Tuesday that an individual's "right to body is not an absolute right".

"You can have right over your body but the state can restrict trading in body organs, so the state can exercise control over the body," Attorney General Mukul Rohatgi said.

At the heart of the latest challenge are rising concerns over the security of this mega biometric database and privacy of the number holders. (The government says it needs to link the identity number to income tax returns to improve compliance and prevent fraud.)

India's biometric database is the world's largest. Over the past eight years, the government has collected fingerprints and iris scans from more than a billion residents - or nearly 90% of the population - and stored them in a high security data centre. In return, each person has been provided with a randomly generated, unique 12-digit identity number.

For a country of 1.2 billion people with only 65 million passport-holders and 200 million with driving licenses, the portable identity number is a boon to the millions who have long suffered for a lack of one.

States have been using the number, also called Aadhaar (Foundation), to transfer government pensions, scholarships, wages for a landmark rural jobs-for-work scheme and benefits for cooking fuel to targeted recipients, and distribute cheap food to the poor.

Over the years, the number has taken a life of its own and begun exerting, what many say, is an overweening and stifling control over people's lives. For many like political scientist Pratap Bhanu Mehta, Aadhaar has transmuted from a "tool of citizen empowerment to a tool of state surveillance and citizen vulnerability".

People will soon need the number to receive benefits from more than 500 of India's 1,200-odd welfare schemes. Even banks and private firms have begun using it to authenticate consumers: a new telecom company snapped up 100 million subscribers in quick time recently by verifying the customer's identity through the number.

'Forcibly linked'

People are using the number to even get their marriages registered. The number, says Nikhil Pahwa, editor and publisher of Indian news site MediaNama, is "being forcibly linked to mobile numbers, bank accounts, tax filings, scholarships, pensions, rations, school admissions, health records and much much more, which thus puts more personal information at risk".

Some of the fears are not without basis.

The government has assured that the biometric data is "safe and secure in encrypted form", and anybody found guilty of leaking data can be jailed and fined.

But there have already been a number of leaks of details of students, pensioners and recipients of welfare benefits involving a dozen government websites. Even former Indian cricket captain MS Dhoni's personal information was mistakenly tweeted by an overzealous enrolment service provider.

Now a disturbing report by The Centre for Internet and Society claims that details of around 130-135 million Aadhaar numbers, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries have been leaked online by four key government schemes.

More than 230 million people nationwide are accessing welfare benefits using their numbers, and potentially, according to the report, "we could be looking at a data leak closer to that number". And linking the number to different databases - as the government is doing - is increasing the risk of data theft and surveillance.

The chief law officer believes that the outrage over the leaks is "much ado about nothing".

"Biometrics were not leaked, only Aadhaar numbers were leaked. It is nothing substantial. The idea is biometrics should not be leaked," Mukul Rohtagi told the Supreme Court on Tuesday.

The government itself has admitted that it has blacklisted or suspended some 34,000 service providers for helping create "fake" identification numbers or not following proper processes. Two years ago, a man was arrested for getting an identification number for his pet dog. The government itself has deactivated 8.5 million numbers for incorrect data, dodgy biometrics and duplication. Last month, crop loss compensation for more than 40,000 farmers was delayed because their Aadhaar numbers were "entered incorrectly by banks".

'Mass surveillance'

There are also concerns that the number can be used for profiling. Recently, authorities asked participants at a function in a restive university campus in southern India to provide their Aadhaar identity numbers. "This is not only a matter of privacy. The all pervasiveness of the Aadhaar number is a threat to freedom of expression, which is a constitutional right," Srinivas Kodali, who investigated the latest report on data leaks, told me.

Critics say the government is steaming ahead with making the number compulsory for a range of services, violating a Supreme Court order which said enrolment would be voluntary. "The main danger of the number," says economist Jean Dreze, "is that it opens the door to mass surveillance."

Nandan Nilekani, the technology tycoon who set up the programme popularly known by its acronym UIDAI, believes concerns about the safety of the biometric database are exaggerated.

He says the identity number has cut wastage, removed fakes, curbed corruption and made substantial savings for the government. He insists that the programme is completely encrypted and secure. "It's like you are creating a rule-based society," he told Financial Times recently, "it's the transition that is going on right now."

Abused

More than 60 countries around the world take biometric data from its people, says Mr Nilekani. But then there are nagging concerns worldwide about these databases being abused by hackers and state intelligence.

In 2016, personal details of some 50 million people in Turkey were reportedly leaked. (Turkey's population is estimated at 78 million.) In 2015, hackers stole more than five million fingerprints after breaching US government networks. In 2011, French experts discovered a hack involving the theft of millions of people's data in Israel.

Pratap Bhanu Mehta has written that the lack of a "clear transparent consent architecture, no transparent information architecture, no privacy architecture worth the name [India doesn't have a privacy law], and increasingly, no assurance about what exactly you do if the state decides to mess with your identity" could easily make Aadhaar a "tool of state suppression".

So a lot of lingering doubts remain. How pervasive should an identity number be? What about the individual freedom of citizens? How do you ensure the world's biggest biometric database is secure in a country with no privacy laws and a deficient criminal justice system?

In many ways, the debate about Aadhaar is also a debate about the future of India. As lawyer Shyam Divan argued forcefully in the top court, "people are reduced to vassals" when the state controls your body to this extent.

For more details visit http://editors.cis-india.org/internet-governance/news/bbc-news-soutik-biswas-may-4-2017-aadhaar-are-a-billion-identities-at-risk-on-indias-biometric-database

In The Biggest Data Leak, Info Of 13 Crore Aadhaar Card Holders Has Been Compromised And Is Available Online

praskrishna — 2017-05-12T15:59:31Z

The Modi government has been trying to make Aadhaar mandatory for everything from Income Tax return, buying a SIM card, bank transaction, train ticket, air travel, mid-day meal government subsidies etc.

The blog post by Bobins Abraham was published by India Times on May 3, 2017.

While the government claims that the move will increase security and ensure that the benefits are reaching to real people and not syphoned off. But security experts have been pointing out the possibility of security breach in the system resulting in the sensitive biometric data reaching in the hands of those, who could misuse them.

A study by Bengaluru-based think tank, Centre for Internet and Society has once again cemented these concerns. According to its report titled, "Information Security Practices of Aadhaar (or lack thereof): A documentation of the public availability of Aadhaar Numbers with sensitive personal financial information," Aadhaar data of as many as 13.5 crore card holders have already leaked online.

The study revealed that the mass data leak happened due to security flaws in four government websites:

National Social Assistance Programme
National Rural Employment Guarantee Act (NREGA)
Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh)
Chandranna Bima Scheme run by Government of Andhra Pradesh

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.

The report was published even as the government continue to defend Aadhaar in the Supreme Court saying that the move to link Aadhaar with PAN cards was meant to put a stop on the number of individuals in possession of multiple PAN cards by putting a robust identification system in place. Attorney General Mukul Rohatgi said that this will help in curbing money laundering, the flow of black money and controlling the funding of terror.

For more details visit http://editors.cis-india.org/internet-governance/news/india-times-bobin-abraham-may-3-2017-in-the-biggest-data-leak-info-of-13-crore-aadhaar-card-holders-has-been-compromised-and-is-available-online