Centre for Internet and Society

CPDP (Computers, Privacy and Data Protection) 2017

praskrishna — 2017-02-03T02:02:05Z

Amber Sinha participated as a panelist in a panel on 'EU Adequacy Status for International Data Transfers' in Brussels, Belgium on January 26, 2017. The event was organized by Privacy International.

EU Adequacy Status for International Data Transfers

According to EU data protection laws, countries only have blanket freedoms to receive and process personal data from the EU if they have been awarded an adequacy status by the Commission. Given the vital importance of data transfers between countries in the global economy, having such a status is a valuable asset, as other available legal means of transfer are more limited. India, for e.g. is said to be losing in excess of Euro 30 billion per year through lost trade with the EU, as it lacks such adequacy status. In the 20+ years since the data protection Directive was passed, only 11 states have been decided to be ‘adequate’ by the Commission – which include the US with its recently awarded Privacy Shield. The Commission methodology and procedures for granting adequacy to countries is increasingly under scrutiny – for e.g. a recent study found that the way it makes adequacy decisions for its trade partners could be accused of being obscure, inconsistent and without clear criteria or rules or timeframes. This also makes EU data protection laws vulnerable to challenge under world trade rules. This panel will address the following questions:

Questions to be considered:

On what basis does the EU and the Commission make decisions on whom to grant adequacy status?

In the light of the Schrems judgement defining adequacy as ‘essentially equivalent’, should all past decision be revised?

Given that more than 100 countries now have general data protection laws, how should countries be chosen for adequacy judgements?
What criteria and methodologies should be used to ensure all countries are treated equally, to ensure fundamental rights are equally upheld, and to avoid possible challenge under WTO rules?
(New) What are your views on the EC proposal to facilitate international transfers of personal data, recently published?

Panel:

Chair: Jan Albrecht MEP

Panel:

Kristina Irion, Institute of Information Law (IVIR), University of Amsterdam:

Kristina is expert academic in both data protection and related trade issues, author of recent study ‘Trade and Privacy: complicated bedfellows’

Amber Sinha, Centre for Internet and Society (CIS), India

Amber is policy researcher specialising in privacy and big data ; CIS is an India NGO and partner organisation of Privacy International.

Daniel Cooper, Covington and Burling ;

Dan is partner at this global law firm, which advises both business and government clients round the world ; he leads the data protection practice in London

Bruno Gencarelli, European Commission DG Justice ;

Bruno is the head of the new DG Justice unit on data flows and data protection, and as such the Commission boss of adequacy

Veronica Perez-Asinari, European Data Protection Supervisor (EDPS).

Veronica is the EDPS head of unit for supervision and enforcement; she has also recently spent some months working with the Argentina DPA (Argentina has EU adequacy).

Moderator: Anna Fielder, Privacy International

For more details visit http://editors.cis-india.org/internet-governance/news/cpdp-computers-privacy-and-data-protection-2017

WhatsApp forward promising PM Modi scheme for double recharge is a scam

praskrishna — 2017-01-25T02:13:18Z

Cashing on the ignorance of users, social media platforms are increasingly being used to scam people.

The blog post by Nandini Yadav was published by BGR on January 24, 2017. Pranesh Prakash was quoted.

Ever since demonetization, and the ruling government’s vow to digitize the Indian economy, several incidents of cyber criminals trying to trick users into sharing delicate information like bank details, have been reported. Since the sudden digitization is still new to the Indians, many of us also tend to fall prey to these scams easily. In series of such incidents, a new scam is being circulated on WhatsApp that involves a link to a fake website carrying the name and picture of Prime Minister Narendra Modi.

The link lures users to tap on it and claims that on a recharge of Rs 500 to Rs 1,000, users will get double the amount as top-up on by their telecom operators. The link also claims that this is a scheme run by the Prime Minister. Now, what really happens here is, that the website makes a user complete transactions and takes a whatever amount they do the recharge for.

While users don’t get any free recharge, the amount they pay for also does not get added to their mobile balance. But they do end of up losing the money entirely. Any time a user makes the payment for the recharge, at the end of the process the transaction shows failed on the website, but the money gets deducted from their account.

Here, not only do users lose their money, but they also end up sharing their bank details on a very unreliable website, which probably retrieves the data you feed in on the transaction gateways. A senior police officer of cyber cell told India Today that the amount of these top-ups are usually small and so people don’t turn up to register an FIR, but these hoax websites end up making huge profits.

“It is highly advised, that if any user receives such a message, they should immediately delete it so that even by mistake they don’t end up tapping on this and forwarding it to their contacts. Such malicious links not only can affect your device, but may also seep into your phone and steal data,” Kisalay Chaudhary, cyber crime expert told the publication.

“These bogus websites try to appear like an official Government of India website or related to telecom operators to trap gullible customers. Government website are .gov.in or .nic.in but fraud websites are -gov.in or _nic.in which may appear real but do not belong to government. So all people making online transaction should be very alert about the website they are browsing. WhatsApp has been a breeding ground for such activities and spreading malicious links,” he added.

This isn’t the first time such a hoax has been circulated. Earlier this month, a message on WhatsApp was circulating that claimed that the Prime Minister was offering a free Rs 500 recharge to all Indians. The message read, “Rs 500 balance for every Indians. Reforming India. Modiji giving free balance. Click here.” The words ‘click here’ were followed by a link to a new webpage, which once tapped on, asked a user to share their personal details like, their contact number, operator name and the state they live in.

And it’s not just through messages, these scams are being run on every possible platform. Late last year, Internet expert Pranesh Prakash pointed out a fake Narendra Modi app, which actually claimed to be from the Government of India and its interface looks almost identical to the original application. However, when he dug deep, he found out that the app developer of the purported Government of India Narendra Modi app was actually a person based out of Bangladesh, suggesting that the app was possibly hosted by a con artist.

Once downloaded, the ‘fake’ app, automatically got excessive permission including full network access and ability to take pictures and videos from a user’s device. The original Narendra Modi app, on the other hand, only gets access to read, modify and delete user’s media files. Also, the original app was published by Narendramodi.in and the fake one shows under the name of Government Of India.

And this isn’t the only fake Narendra Modi app, if you launch the Google Play Store right now, you would easily be able to spot a score of fake apps like this. Within a week of launch if the new UPI app BHIM, we spotted 40 odd apps that were claiming to be the original BHIM app.

For more details visit http://editors.cis-india.org/internet-governance/news/bgr-nandini-yadav-january-24-2017-whatsapp-forward-promising-pm-modi-scheme-for-double-recharge-is-a-scam

For India’s complaints department, visit Facebook Live

praskrishna — 2017-01-25T02:03:03Z

Notebook: Social media cuts through red tape in a country beset by inertia.

The article by Amy Kazmin was published in the Financial Times on January 23, 2017. Sunil Abraham was quoted.

Rarely has a soldier’s lament about bad food received such attention. But Tej Bahadur Yadav, of India’s Border Security Force, made national headlines with Facebook videos complaining about his rations along India’s tense line-of-control with neighbouring Pakistan.

Standing against a landscape of desolate, snow-covered mountains, Mr Yadav bemoaned the fried flatbread and tea that constitutes breakfast, and the watery lentils, seasoned only with salt and turmeric, of his lunch. It was unclear whether his main complaint was about the poor cooking quality or limited food quantity but the video of the offending meals, including a burnt chapati, suggested both.

“I do not want to blame the government,” he said calmly in Hindi. “The government provides everything for us but these higher officers sell everything. Sometimes, we soldiers go hungry.”

Reaction to the videos, which were covered widely by the mainstream media, came fast and furious. The BSF publicly accused Mr Yadav of indiscipline, saying he was a chronic malcontent previously subjected to a court martial for aiming his weapon at a superior. It also noted he was taking voluntary retirement soon.

But many Indians found it easy to believe that their country’s troops are short-changed on food and they rallied to the disgruntled soldier as a courageous whistleblower. Prime Minister Narendra Modi ordered an investigation, and a dietitian was reportedly sent to the border to assess the soldiers’ food.

Analysts pointed out that Mr Yadav’s gripe echoed official critiques of deficiencies in the army’s food procurement. “One can imagine the toil our jawans [junior soldiers] go through while guarding the border in chilling conditions. And the least they can expect is a good meal after long hours of hard duty,” an Indian Express editorial declared.

That a soldier posted in a remote border area could unleash such a kerfuffle via a video highlights how Indians armed with mobile phones are taking to social media to hold to account the traditionally non-responsive political and bureaucratic establishment.

Smartphones make up nearly 30 per cent of phones in use in India and that number is rising fast, according to the Asian research group CLSA. Sushma Swaraj, India’s foreign minister, has garnered attention for her rapid responses to individual Twitter pleas for help — whether from Indians in trouble abroad or those struggling to renew a passport or secure a visa for a visitor.

Now other ministers and government agencies, including local police forces, have begun to respond personally to pleas for help and public complaints on Twitter. It’s a big change from a time I recall well, when Indians tangled in red tape had no option but to find those with connections to try to influence, or prod, the seemingly impenetrable bureaucracy.

“Bureaucrats and politicians are now active and available on social media — ordinary citizens tweet politicians and there is a spectacle of immediate redress of complaints,” Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, told me. When New Delhi’s police department set up an office to receive complaints against corrupt officers, for example, many citizens provided audio or visual recordings of the alleged wrongdoing. It’s only a matter of time before such footage finds its way to social media — or beyond. Ironically, those whose plights gain traction on social media, and are then amplified by mainstream media, are sometimes low-ranking civil servants harassed by their superiors.

This week brought news of a female railway clerk punished for dereliction of duty after she refused to sing “one particular” duet with her senior manager at his farewell party. A friend who works for a major western social media platform here in India (who ironically can’t be identified as he wasn’t authorised to speak to me), tells me that “the power structures that governed who used to be heard and who wouldn’t be heard have changed”. As technology spreads further and deeper in India, we can expect that noise to amplify.

For more details visit http://editors.cis-india.org/internet-governance/news/financial-times-amy-kazmin-january-23-2017-for-indias-complaints-department-visit-facebook-live

Workplace Solutions Champions Consultative Workshop

praskrishna — 2017-02-03T01:23:38Z

A two day workshop was held on January 21 - 22 at Ecumenical Christian Centre in Bangalore. The workshop was organized by Enable India. Nirmita Narasimhan attended the workshop.

Agenda

Day 1: January 21, 2017

Sl. No.	Agenda Item	Description	Timings
1	Context Setting for the Workshop	What outcomes we hope to achieve during the workshop	9.30 - 10.00
2	Reflections and Sharing	Sharing on achievements and impact, through discussions and activities	10.00 - 10.45
	Tea Break		10.45 - 11.15
3	Reflections and Sharing (Continued)	Sharing on achievements and impact, through discussions and activities	11.15 – 12.45
	Lunch Break		12.45 - 13.45
4	Situational Context for WPS Champions Network	Understanding the background of workplace solutions and their critical role in shaping livelihoods for persons with vision impairment	13.45 - 14.30
5	Curriculum Development	Creation of curriculum for development of quality WPS Implementation professionals	14.30 - 16.30
	Tea Break		16.30 - 17.00
6	Curriculum Development	Creation of curriculum for development of quality WPS Implementation professionals	17.00 - 19.00

Day 2: January 22, 2017

Sl. No.	Agenda Item	Description	Timings
1	WPS Champions Network Long Term Vision and My Personal Vision	Understanding the future of WPS implementation, and personal vision alignment	9.00 - 10.00
	Tea Break		10.00 - 10.30
2	National track: Top Actions for the Year, and Who Will Do What	Understanding the roadmap for WPS across India	10.30 – 11.00
3	Regional Tracks for North, South and West regions: Top Actions for the Year, and Who Will do What	Preparing a region-specific roadmap for WPS in the north, south and west regions	11.00 - 12.00
4	Open Session on Employment	Group discussion on WPS in the context of employment and livelihoods	12.00 - 13.00
	Lunch Break		13.00 - 14.00
5	Logistics and communication channels for next steps	Service management tool demo, Whatsapp group and other information	14.00 - 15.00

For more details visit http://editors.cis-india.org/accessibility/news/workplace-solutions-champions-consultative-workshop

Odia Wikipedia and Orientation Training Programme

praskrishna — 2017-01-23T00:58:38Z

An Odia Wikipedia orientation and training programme is being organized by the Centre for Internet & Society's (CIS-A2K) team on 31 January 2017 at the Indian Institute of Mass Communication, Dhenkanal in Odisha.

Agenda

Bringing new editors on board.
Orientation programme for students of IIMC.
Finding possible partnership with the institute.

For more details visit http://editors.cis-india.org/a2k/events/odia-wikipedia-and-orientation-training-programme

Training programme for Chairs, Convenor and Experts for International Standardization Work

praskrishna — 2017-01-20T17:06:09Z

Udbhav Tiwari attended this programme organized by National Institute of Training for Standardization, under the Bureau of India Standards on the 19 and 20 of January, 2017 in Nodia, New Delhi.

Udbhav was invited due to CIS's membership at the LITD 17 at BIS and WG5 under ISO JTC 1 SC 27. For full schedule of the training programme click here.

For more details visit http://editors.cis-india.org/internet-governance/news/training-programme-for-chairs-convenor-and-experts-for-international-standardization-work

Training Programme Structure

praskrishna — 2017-01-20T17:05:16Z

For more details visit http://editors.cis-india.org/internet-governance/files/training-programme-structure

Govt should take a relaxed view of 'violations' of flag code in products sold in foreign countries: Experts

praskrishna — 2017-01-19T02:37:27Z

When it comes to products on sale in global ecommerce vendor sites that seem to violate India’s strict flag code, the government should take a more relaxed and less punitive approach.

The article by Neha Alawadhi was published in the Economic Times on 13 January 2017. Sunil Abraham was quoted.

That’s the view of industry observers and lawyers familiar with internal business practices and regulation.

India’s External Affairs Minister Sushma Swaraj had on Wednesday tweeted that India visas for Amazon executives may be withdrawn unless the America headquartered ecommerce giant apologised for its Canadian site selling doormats in India flag colours.

The point, lawyers and experts say, is that Indian law itself protects Amazon from being prosecuted in this case. India recognises companies like Amazon (whether in India or Canada), as intermediaries, who are exempt from liability under the IT (Information Technology) Act, because a third-party seller was selling those doormats.

Plus, Indian law does not apply outside the country, and a global ecommerce company has millions of products for sale in scores of marketplaces.

“Neither Prevention of Insults to National Honour Act, 1971nor the Flag Code applies outside India,” said Virag Gupta, a Supreme Court advocate specialising in cyber law.

The only thing the Indian government can do, said Sarvjeet Singh, programme manager, Centre for Communication Governance, National Law University, Delhi, is to ask the company to take down the listing.

That Amazon had already done, he noted. “Given the volume of traffic and usage and the number of sellers, it is impossible for a company to monitor all the goods listed,” Singh added, and said that’s why the IT Act recognises that companies like Amazon are intermediaries.

Many experts also wondered whether India’s flag code is ready for a reset, aligning it more with today’s less statist views on such matters.

The code calls for a three-year jail term, or a fine, or both for violations. In democracies such as the United States, Canada and the Netherlands, national flag colours in product design does not invoke legal punitive responses. “In a lot of these countries, where issues about Indian flag code violation have come up, these activities are legal and covered by freedom of expression guarantees and we should be aware of these cultural contexts before making statements,” Singh said.

Others feel the flag code smothers creativity. “Repealing most flag-related regulation will unlock creativity, encourage derivative works and remix and greatly increase the visibility of the Indian flag in public places. This in turn will foster a sense of community, national pride and social cohesion,” said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-neha-alawadhi-january-13-2017-govt-should-take-a-relaxed-view-of-violations-of-flag-code-in-products-sold-in-foreign-countries-experts

Sunil Abraham on Aadhaar's misuse during demonetisation

praskrishna — 2017-01-19T01:35:02Z

Sunil Abraham spoke to Economic Times on the misuse of Aadhaar during demonetisation.

Sunil Abraham said:

"We saw Aadhaar being misused at large-scale during the demonetization, criminals had created a black market in Aadhaar identity cards and photocopies of Aadhaar. Those interested in converting black money were purchasing these photocopies from the black market and giving them to bank officials so that they could maintain fake records that tried to prove that ordinary people came in photos' cash transactions.

Whenever we try to introduce technological measures we must always think of the human systems that are at work and the human procedures that are at work. Another example is today telcos giving sim cards based on Aadhaar authentication to meet their sales targets some of these telcos are giving multiple sim cards for a single Aadhaar based KYC. Those sim cards are often resold into black market or given to persons that are not familiar with the aadhaar number holder and this has only makes the security situation in the country worse. It has not improved." Watch the Video

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation

Lost your phone? Here's how you can make your mobile theft-proof

praskrishna — 2017-01-19T02:40:21Z

Losing a phone has become even more costly after the government's push for a cashless society.

The article by Sanjay Kumar Singh was published in the Business Standard on January 16, 2017. Udbhav Tiwari was quoted. Read the full article on Press Reader. Udbhav Tiwari was quoted.

Prime Minister Narendra Modi, while pitching for cashless transactions, has coined a new phrase — your mobile is a bank. If you really want to use your mobile phone as a bank, remember the costs of losing it are much higher. Earlier, if you lost your mobile phone, there was the risk of misuse of personal data. Now, with most gadgets also carrying mobile wallet apps, there is the added risk of serious financial loss. A number of security solutions, available in the form of external security software or in-built into the phone, can help you track the device, lock it and minimise the probability of misuse.

First, it should give you some satisfaction that if your device is of recent vintage, someone stealing your phone will not be able to use it. Earlier, thieves would wipe the data on the phone (if it had a pin), set up a new account, and use it. But if it is an Apple phone that came out after 2014 or a phone with Android 6.0 Marshmallow or higher operating system (OS), the server will ask for login information of the first account (with which the owner had initially set up the phone). Only then will it allow someone to set up a second account on the same device. Since that information is not likely to be available to the thief, the phone will be of little use to him.

Track your device

Both Apple and Android have in-built features that allow you to track your device if it gets lost. In Apple it is called 'Find my phone' and on Android, 'Android device manager'. When you log in through your Apple or Google account while setting up the phone, this feature gets enabled by default. After your phone is stolen, go online and type 'Find my phone' or 'Android device manager'. Use your account credentials to log in. As long as your phone is on and is connected to the Internet, it will broadcast its location. If it has been switched off or can't connect to the Internet, you will only be able to see the last location from where it transmitted.

Antivirus software for mobile phones also offer tracking features. "Using our mobile security software, users can locate their lost device on a map or receive the location coordinates through an SMS," says Ritesh Chopra, country manager, Norton by Symantec. These software also enable you to lock the lost device remotely either from the antivirus software's web site or by sending an SMS. Chopra informs that you can also remotely delete all the data stored either on the device or its memory card. Users can also trigger an alarm if they think their device is still in the vicinity. "Some antivirus software also allow you to take snapshots of the illegal user once the original user has reported it as stolen," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru.

Take preventive security measures

How well your phone and the data on it are protected after theft will, however, depend on the security measures you adopt proactively while the phone is in your possession.

Install a password: The first stage of protection you should adopt is a pin, pattern lock, or password for your mobile phone. If you don't set up a pin, everything that doesn't require a second level of authentication is available to anyone who gets possession of your device. If you lose your laptop but have logged out of your email or social networking account, the thief can't access them. But on mobile phones most of these services don't require a second level of authentication.

Most alarming from a financial standpoint is the fact that most mobile wallets don't ask for a password before allowing you to transact (Paytm has introduced one recently). "If you have a mobile wallet and don't have a pin on your phone and it gets stolen, the thief can easily transfer money from your wallet to another," says Tiwari. Most mobile and net banking apps, however, require a login and password every time you want to access them, and are hence safer.

Set a pin promptly--a strong one that can't be easily guessed. Numbers associated with you, such as your birthday, are a strict no-no. If your phone carries especially sensitive or important data, eschew pins altogether and use a detailed password with a diverse combination of characters.

Nowadays you can also deploy fingerprint-based unlocking feature on your phone. "By using Fonetastic for the Android platform, you can set the fingerprint unlock feature on your phone," informs Sanjay Katkar, managing director and chief technology officer, Quick Heal Technologies.

Encrypt data on your device: Even if you set up a pin or password, the data on your mobile phone is not protected. Hackers can bypass it and gain access to your files. To protect data, OS developers like Google and Apple encrypt data. The device encryption feature works using something unique on your device, such as its serial number, and your pin. Even if someone gets access to your files via a computer, they will not be able to open them. These files will open only on your phone, and for that they will need your pin, password or pattern lock (presuming you have set one).

In all iOS phones, the moment you set your pin, all files get automatically encrypted. In any Android phone purchased within the last one year (that runs on Android 6.0 Marshmallow by default), the same holds true. But if you have an older Android phone or OS version, you need to enable this feature manually. Go to Settings, then to Security, find an option called 'Encrypt phone' and click on it.

Install an app lock: Some security apps allow you to lock the apps on your phone and also encrypt the files produced by those apps. When you start an app, the security app will ask for a pin. And when you exit an app, it will encrypt the files stored within the app. Go to Google Play or iStore and type 'encrypted file storage' to get the most popular lock-and-encrypt apps. "If you use device-level encryption, you may not need these apps, as the former locks and encrypts the entire device," says Tiwari

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-january-16-2017-sanjay-kumar-singh-lost-your-phone-here-is-how-you-can-make-your-mobile-theft-proof

Demonetisation: Cost Vs Benefit

praskrishna — 2017-01-17T16:04:16Z

Sunil Abraham took part in a discussion on Demonetisation in NDTV's Big Fight programme aired on December 24, 2016.

Prime Minister's big post-demonetisation deadline of 50 days is coming to a close. Does this mean that people's ordeal with the currency ban will also come to an end? Will the government continue to have people's support and patience through its big bang reforms if they fail to achieve their original aim of retrieving black money? We ask, what lies ahead for India? How long will it take for India to become a cashless economy? What are the pitfalls? With a high bank dormancy rate of 43%, most Indians still prefer to make transactions through cash. Even if we are able to make that journey to becoming a cashless economy by 2020, does the government have the infrastructure to make online payments safe?

Sunil Abraham said that the trouble with the design of the Aadhaar project is that it makes citizens transparent to the state and does not make state transparent to the citizen. With every generation of corruption busting technology we see new ways of corruption being introduced into our society. For more watch the video

For more details visit http://editors.cis-india.org/internet-governance/news/ndtv-december-24-2016-demonetisation-cost-versus-benefit

India’s Digital ID Rollout Collides With Rickety Reality

praskrishna — 2017-01-17T15:35:04Z

India’s new digital identification system, years in the making and now being put into widespread use, has yet to deliver the new era of modern efficiency it promised for shop owner Om Prakash and customer Daya Chand.

The article by Gabriele Parussini was published in the Wall Street Journal on January 13, 2017. Hans Varghese Mathews was quoted.

At first, it drove both men up a tree.

The system, which relies on fingerprints and eye scans to eventually provide IDs to all 1.25 billion Indians, is also expected to improve the distribution of state food and fuel rations and eventually facilitate daily needs such as banking and buying train tickets.

But Mr. Prakash couldn’t confirm his customers’ identities until he dragged them to a Java plum tree in a corner of his village near New Delhi’s international airport. That was the only place to get the phone signal needed to tap into the government database.

“I hopped on a chair and put my finger in the machine,” said Mr. Chand, a 60-year-old taxi driver. Getting his state food ration “used to be much easier,” he said.

In a system so vast, even small glitches can leave millions of people empty-handed.

The government began building the system, called Aadhaar, or “foundation,” with great fanfare in 2009, led by a team of pioneering technology entrepreneurs. Since then, almost 90% of India’s population has been enrolled in what is now the world’s largest biometric data set.

Prime Minister Narendra Modi, who set aside early skepticism about the Aadhaar project after taking power in 2014, is betting that it can help India address critical problems such as poverty and corruption, while also saving money for the government.

But the technology is colliding with the rickety reality of India, where many people live off the grid or have fingerprints compromised by manual labor or age.

Panna Singh, a 55-year-old day laborer in the northwestern state of Rajasthan who breaks stones used to build walls, says the machine recognized his scuffed-up fingerprints only a couple of times.

“I’ve come twice today,” he said at a ration shop in the village of Devdungri. “That’s a full day of work, gone.”

Iris scans are meant to resolve situations where fingerprints don’t work, but shops don’t yet have iris scanners.

Ajay Bhushan Pandey, chief executive of the government agency that oversees Aadhaar, said kinks will be ironed out as the system is used, as is the case with software rollouts. It works 92% of the time, and that will rise to 95%, he said.

“On the scale of what [Aadhaar] has achieved, the rollout has been remarkably smooth,” said Nandan Nilekani, the Infosys co-founder who spearheaded the project. “I don’t see any issues that are disproportionate to the size of project.”

An Aadhaar ID is intended to be a great convenience, replacing the multitude of paperwork required by banks, merchants and government agencies. The benefits are only just beginning, backers say, as the biometric IDs are linked to programs and services.

But in rural areas, home to hundreds of millions of impoverished Indians dependent on subsidies, the impact of technical disruptions has already been evident.

After walking for two hours across rough underbrush in Rajasthan to get kerosene for the month, Hanja Devi left empty-handed because the machine couldn’t match her fingerprint with her Aadhaar number.

“It’s always so difficult” using the system, said Ms. Devi, who lives with her husband and a nephew on 1,500 rupees ($22) a month.

Ranjit Singh, who operates the shop, said five of the 37 customers before Ms. Devi also left the shop empty-handed, a failure rate of over 15%.

A shop manager in a neighboring village said identification had failed for a similar portion of his 500 customers.

Any biometric recognition system of Aadhaar’s size is bound to show duplicates, meaning some people’s biometric identifiers will match someone else’s when they try to enroll.The new system hasn’t eliminated attempts at fraud. In August, police in Rajasthan accused two shop managers of linking their fingerprints to a multitude of cards and stealing for months the rations of dozens of clients.

Hans Varghese Mathews, a mathematician at the Bangalore-based Center for Internet and Society, used the results of a test run by Aadhaar officials on a sample of 84 million people to extrapolate the figure for India’s total population. The error level is less than 1%, but in the world’s second-most populous country, the snag would still affect about 11 million people, he said.

Government officials disputed the calculation, saying the number of duplicates would be much smaller—and that it would take only seven analysts to manage the error caseload.

As for trouble connecting to the registry, better infrastructure, including steadier internet connections, will eventually also help, Mr. Pandey said.

For now, Mr. Prakash has found a way to cope without climbing trees. After scouring the village, he set up a shack in a spot with enough bandwidth for his fingerprint scanner to work. It is hardly efficient. He issues receipts in the morning at the shack, then goes back to his shop to hand out the grains. Customers have to line up twice, sometimes for hours.

Mr. Prakash has applied to the government to operate without biometric identification, but his request was turned down, he said. “They said: ‘You have to keep trying.’ ”

For more details visit http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality

Supreme Court issues notice to WhatsApp, Centre on data privacy

praskrishna — 2017-01-17T15:06:08Z

Analysts said India lacked data protection laws.

The article by MJ Antony, Ayan Pramanik and Apurva Venkat was published in the Business Standard on January 17, 2017. Sunil Abraham was quoted.

The Supreme Court on Monday issued notices to the Centre and WhatsApp over an appeal alleging the instant messaging service did not ensure the privacy of its users and seeking regulations to protect personal information.

Chief Justice J S Khehar granted urgent hearing when Harish Salve, counsel for the petitioner, submitted that the service provided free by the platform to 155 million subscribers violated constitutional provisions protecting privacy.

The government and WhatsApp would file their replies within two weeks, the court directed after Salve sought its intervention to protect consumer data till India enacted data protection laws.

The Supreme Court heard the petition after the Delhi High Court in September directed WhatsApp not to share its users’ data with its parent Facebook and asked it to provide users with the option to opt out. The court was hearing a public interest litigation over a change in WhatsApp’s user policies that explicitly allowed Facebook to access to WhatsApp users’ data.

A Facebook spokesperson said the company could not comment immediately.

Analysts said India lacked data protection laws that prohibit global Internet firms from harvesting user data for their business. “We used to think that we had some privacy jurisprudence in the country. If you asked a lawyer 1.5 years ago, he would say privacy in India was a constitutionally guaranteed right,” said Sunil Abraham, director of the Centre for Internet Society. “It is not explicitly referenced into the law.”

Saroj Kumar Jha, partner, SRGR Law Offices, said, “Along with the lack of policies and laws, there are very few judgments on privacy issues based on constitutional rights. Thus, it makes it very difficult to judge a case.”

Salve argued that till the government enacted legislation to protect user data, the court should provide protection. The Telecom Regulatory Authority of India should introduce a clause in telecom licences that if calls were intercepted the licence would be cancelled, he said.

The court sought the assistance of Attorney-General Mukul Rohatgi to sort out the issues.

Rohatgi, while arguing an earlier case related to alleged violation of privacy, had taken the stand that the Constitution did not protect the right to privacy. According to him, neither the fundamental rights nor Supreme Court judgments recognises a citizen’s right to privacy. The bench hearing that case referred the question to a constitution bench last year.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-mj-antony-ayan-pramanik-apurva-venkat-supreme-court-issues-notice-to-whatsapp-centre-on-data-privacy

The Dangers Of Aadhaar-Based Payments That No One Is Talking About

praskrishna — 2017-01-17T14:39:53Z

Less than three months ago, India’s banking sector was hit by a data breach which compromised 32 lakh debit cards and led to fraudulent transactions worth Rs 1.3 crore.

The article by Mayank Jain was published by Bloomberg on January 17, 2017. Sunil Abraham was quoted.

The incident started a debate around security of payment systems. But the debate had just about begun when the government’s demonetisation decision dragged attention away from it. Now as the dust settles and as the government starts to push newer means of digital payments, the focus is back on the security of systems being seen as an alternative to cash.

One such system is Aadhaar-based payments which could potentially allow citizens to pay anytime anywhere with the tap of a finger.

In theory, it sounds simple.

The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.

The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.

National Payments Corporation of India has developed this payments infrastructure over the existing Aadhaar-Enabled Payments System, the railroad on which the public distribution system has been functioning for years now.

Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog said, earlier this month, that all cards and point-of-sale machines will become redundant in the country in the next two-and-a-half years as Aadhaar-based payments become popular.

A Double-Edged Sword

While payments authenticated by biometrics sound like a good idea in a country where less than one in three people actually own a smartphone, there are fears that integrating biometrics with digital payments could prove to be a security headache.

The first part of the problem is that Aadhaar, while effective, is not a fool-proof method of authentication and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply transfer some of these vulnerabilities.

The possibility of transaction failures due to a biometric mismatch are real, admitted a former high-ranking official from the Unique Identification Authority of India (UIDAI) who spoke to BloombergQuint on the condition of anonymity.

Officially, the false reject rate – rejection of a biometric when it’s actually correct – is set at a maximum of 2 percent for devices that get certified from the UIDAI. On the ground, however, failure rates vary widely, said the official quoted above.

According to the official statistics on UIDAI, more than 16 lakh Aadhaar-authentication requests failed in the past week. The type of errors encountered ranged from the biometric data not matching the database to demographic details not checking out.

The failure rates on Aadhaar Enabled Payment System for interbank transactions (which is a part of all Aadhaar authentication requests) were found to be as high as 60 percent by the Watal Committee on digital payments which published its report in December.

Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.

Biometrics aren’t an exact science, the official quoted above said, while adding that possible glitches have to be weighed against the benefits of offering a widely accessible non-cash mode of payment to citizens.

How Easy Is It To Beat The System?

Sunil Abraham, executive director of Bangalore based research organisation Center for Internet and Society (CIS) said that one way to assess how secure a system is to understand the cost and effort that goes into breaching it.

In the case of Aadhaar-based payment systems, the costs may not be high.

“There’s the gummy finger method which essentially requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there,” said Abraham in a phone conversation with BloombergQuint. “An average person can’t clone a smart card. Just fevicol and glue can help you make a gummy finger. The biometric lobby will say that advanced scanners defeat the gummy finger attack but more advanced scanners are also more expensive.”

Also, using more sensitive devices could push up the instance of false rejection of transactions, said Abraham.

There are other concerns. Like the fact that devices used for Aadhaar identification could store personal information, which, in turn, could be susceptible to a breach.

There are five main components in an Aadhaar app transaction – the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer’s data is vulnerable to attack.
Bhairav Acharya, Program Fellow, New America

Acharya, who works at a U.S.-based think tank called New America and focuses on cyber-law, said the key concern is that Aadhaar data can be stolen and misused.

“The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.”

The biometric data collected on the authentication device at a merchant location can potentially be stored on the device as well as the smartphone of a merchant for a long time. Abraham added that there is a possibility that non-certified devices will enter the market, which can store data and use it in the future to do fraudulent transactions.

The concerns over potential misuse of biometric data by private agencies has also been highlighted by the Supreme Court of India. Earlier this month, the apex court refused to expedite the hearing on a petition regarding Aadhaar being utilised for multiple use cases by private companies. It, however, observed that private agencies collecting biometric data “is not a great idea”.

Deficient Privacy Laws

Apar Gupta, a Delhi-based lawyer working on cyber security, says that the lack of strong privacy protecting provisions is another concern that should be kept in mind while moving towards an Aadhaar-based payment system.

“The data stays for a long time with the stakeholders in the system. The requesting agency can keep it for seven years and the UIDAI can store it for five years. There are insufficient safeguards and there’s an absence of privacy law and an independent privacy regulator,” he said.

Acharya agreed.

India does not have the necessary laws to deal with a decentralised, biometrically-authenticated, mobile payments system, according to Acharya.

“Moreover, current laws and policies regarding the Aadhaar project, particularly the centralised database, are inadequate from the point of view of data security and end-user privacy,” he said.

Abraham of CIS said the issue is wider than Aadhaar. The problem is the lack of a strong data security law.

We only have a minimal data security law under the Section 43A of the Information and Technology Act which only applies to the private sector. There’s no law that applies to the government. Even 43A has not been applied consistently. There’s no place for you to go and complain if your identity has been compromised.
Sunil Abraham, Executive Director, Centre for Internet & Society

Gupta noted that, in the event of an identity threat, avenues of recourse are also limited. He said the best option is an appeal in the civil court, which is a long drawn out process.

In final analysis, according to Abraham, credit and debit cards are easier to secure as access can be revoked quickly.

“The trouble with biometrics is that the chain of trust is harder to establish because too many people can get access to biometrics and then you need to devise these convoluted solutions like hardware secure zones,” Abraham said.

“So the advantage of going with a smart card is that it can be easily re-secured, but with biometrics, once I compromise it, it’s lifelong.”

For more details visit http://editors.cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about

The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint

praskrishna — 2017-01-16T03:14:22Z

Paying for your groceries and other goods by using your biometrics instead of an e-wallet, debit card or cash seems to be the next phase in the Centre’s ambitious push to shift the country to a “less cash” economy, as its mandarins term it.

The article by Indulekha Aravind was published in the Economic Times on 15 January 2017. Sunil Abraham was consulted for this.

Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), says it will be rolling out Aadhaar-enabled payment system, or Aadhaar Pay, for merchants in the next few weeks. This will be an app for merchants that enables them to receive payments through biometric authentication of the customer, provided their bank accounts are linked to their Aadhaar number. "A pilot is under way in fair price shops in Andhra Pradesh where shopkeepers are accepting payments from PDS beneficiaries. The results are very encouraging," says Pandey.

The idea takes off from the existing Aadhaar-enabled payment system (AEPS) used by bank business correspondents (BCs) in rural areas to disburse and accept cash, using micro ATMs. "We are trying to tweak this so that a similar device can be used by a local merchant," says Pandey. Adoption will depend on two factors: merchants’ acceptance of it and whether they can use an app rather than a micro ATM. The biggest advantage through this method of payment, says Pandey, is that the customer will not need a credit or debit card, or even a smartphone.

The limits for transactions using AEPS, such as the number of daily transactions, will be left to the discretion of the banks. In the long term, the AEPS will be migrated to the BHIM (Bharat Interface for Money) platform but the rollout of Aadhaar Pay will happen before that. Post demonetisation, banking BC’s number of transactions using AEPS has leapt from 4-5 lakh to 14-15 lakh, says Pandey. According to Reserve Bank of India data on electronic payment systems, the total volume of such transactions jumped from 671 million in November 2016 to 957 million in December. USSD-based payments, which can be done using a basic feature phone, are among the biggest beneficiaries: the volume rose from just 7,000 in November to 1,02,000 in December, and value of transactions from over Rs 7,000 to over Rs 1 lakh. Prepaid payment instruments — mainly mobile wallets — rose from 59 million to 88 million in the same period (and value from Rs 1,300 crore to Rs 2,100 crore).

While Aadhaar Pay is likely to ride the demonetisation wave if it is launched soon, certain concerns remain, as the list is how secure such a payment system will be. The UIDAI CEO says it is a paramount concern for the organisation, too. "We are using the latest technology to ensure the information stays encrypted end to-end, so that information is not leaked or misused. In the months to come, we will strengthen the security."

Wary About Security
Sunil Abraham, executive director of the Centre for Internet and Society, a think tank that has been analysing the Aadhaar project for six years, outlines several reasons why Aadhaar-based biometrics is inappropriate for authentication in payments, unlike card-based payments that use cryptography.

"With biometrics, there is always an error ratio. It is imprecise matching, whereas with cryptography (smart cards), there is no false positive or negative. You either have the key (PIN) or you don’t. It is also very cheap to defeat biometric authentication — even an unlettered person can do it," says Abraham. It would be easy enough, he says, to replicate someone else’s fingerprint by pressing it against lukewarm wax and filling the mould with glue to get a dummy finger. In contrast, compromising a smart card requires more cost and effort, from tech-savviness to machines such as a skimmer that will read the card. "And once you are compromised,you are compromised forever. You can’t change it, like a debit card PIN."

Using Aadhaar for authentication had proved to be a failure during the exchange of currency notes following demonetisation, he adds, pointing to how the poor and the middle class stood in queues for money while stacks of new currency were recovered from the homes of businessmen and bureaucrats. "When you have bank officials who are corrupt, giving them your biometrics is giving them more ammunition for corruption." To catch the criminals, law enforcement agencies had to resort to CCTV footage,a relatively older technology, he says. Others point out that while it may be secure, certain factors stand in the way of making biometrics-based payment authentication a large-scale success. Amrish Rau, CEO of PayU India, a payment gateway provider, cites a list of reasons why it would inevitably take off but only in 5-10 years.

"For one, the technology is not yet good enough. There are also bandwidth and data constraints in sending biometric data," says Rau. Even in more mature markets, it has yet to find widespread acceptance, he says, pointing to the slow adoption of Apple Pay and Samsung Pay in the US. "It’s not the answer today.” This is in contrast to NITI Aayog CEO Amitabh Kant’s recent remarks that cards and PoS machines would become redundant by 2020 because Indians would be making payments using their thumb (biometrics). "... my view is that in the next two and a half years, India will make all its debit cards, credit cards, all ATM machines, all PoS machines totally irrelevant,” Kant had said at a Pravasi Bharatiya Divas session in Bengaluru.

UIDAI’s Pandey is more circumspect. “I wouldn’t say who would replace what. But from the government’s side we are encouraging all modes of digital payment. India has a diverse population and some people might prefer using a card, others a wallet. Collectively, they will contribute to a less-cash society.”

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint