Centre for Internet and Society

How the world’s largest democracy is preparing to snoop on its citizens

praskrishna — 2013-07-15T09:41:21Z

Monitoring system will allow govt to snoop on voice calls, SMSes, and access Internet data.

The article by Leslie D' Monte and Joji Thomas Philip was published in Livemint on July 3, 2013. Sunil Abraham is quoted.

Nothing will be secret or private.

Every conversation on landlines and mobile phones will be heard; some will be recorded. Every move you make on the Internet will be tracked.

Fiction?

By December, when the Nanny State goes live, it will be fact.

Once the government’s innocuously named CMS (communication monitoring system) is in place, the state will be able to snoop on your voice calls, fax messages, SMSes and MMSes, across all phone networks. It will be able to access your Internet data, and see not just what sites you visit but even build a cache of your inbox, to decrypt at leisure.

The process began more than a couple of years ago.

On 29 April 2011, India’s home ministry called for bids to set up communications monitoring systems in all state capitals. The notice, which was published on its website and went almost unnoticed, specified that the system should be able to monitor voice calls, fax messages, SMSes and MMSes, and work across terrestrial networks, GSM and CDMA (the dominant mobile telephony platforms), and the Internet.

	The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”. The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT). A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

The tender specified that the system should be able to listen in live, and be able to analyse intercepted data. It should have the ability to record, store and playback, without interfering “with the operation of telecommunication network or make the target aware that he is being monitored”.

The CMS is no longer a concept. It has undergone successful pilots and is likely to be commissioned by the year-end, according to an internal note dated 10 June from the department of telecommunications (DoT).

A top government official, who did not want to be named, said the CMS centralized data centre is likely to be ready by July and commissioned by October. The official also added that the Centre for Development of Telematics (C-DoT), the government’s telecom technology arm, has “signed an agreement with the Centre for Artificial Intelligence and Robotics (CAIR) for Internet Service Provider integration”. This agreement will allow monitoring agencies to track an individual’s Internet use.

Subsequent media reports, which have cited internal government documents, peg the cost of the CMS at around Rs.400 crore, but there is hardly any official data from the government about the implementation of the CMS.

In its 2012-13 annual report, DoT said the government has decided to set up the CMS for lawful interception and monitoring by law enforcement agencies, “reducing the manual intervention at many stages as well as saving of time”.

The system, according to the report, was to be installed by C-DoT after which the Telecom Enforcement, Resource and Monitoring (TERM) cells would take over. As on 31 March, there were 34 such TERM cells in the country. The current number could not be ascertained.

How does the government justify this invasive system? Its purpose is unclear, but national security is always a handy spectre. And so what if such a system can be misused to bully, spy and curtail the freedom of individuals? Indeed, India’s track record of using existing laws doesn’t inspire confidence.

Student Shaheen Dhada was arrested (under the law) for criticizing the shutdown of Mumbai after the death of Shiv Sena supremo Bal Thackeray on her personal Facebook account. Her friend, Renu Srinivasan, who had “liked” the comment was also arrested. The two were later freed, on bail.

No known safeguards

But how does the CMS work? According to the government official cited above, the Central Bureau for Investigation (CBI), for instance, is likely to be provided interception facilities through the CMS in Delhi initially.

“CBI shall enter data related to target in the CMS system and approach the telecom services provider”, at which point the process is automated, and the provider simply sends the data to a server which forwards the requested information, he explained.

He didn’t mention any safeguards, nor have any been made public, which means that there are likely none. In a Q&A session on the popular social network Reddit on Tuesday, academic and activist Lawrence Lessig, the co-founder of Creative Commons, wrote on the subject of snooping in the US, “I’m really troubled by national security programmes. We don’t know what protections are built into the system.”

That has become the subject of much debate following the leaks by whistleblower Edward Snowden about the US National Security Agency’s surveillance programme.

Lessig pointed out that protection based on code is the only real protection from misuse, as other safeguards are dependent on people choosing not to violate reasonable expectations of privacy.

Which is the heart of the problem. From what we know, the list of agencies with access to data in India is already large: the Research and Analysis Wing, CBI, the National Investigation Agency, the Central Board of Direct Taxes, the Narcotics Control Bureau, and the Enforcement Directorate. More may be added.

For the system to be useful in any practical fashion, access will have to be given to a large number of officials in each of these agencies. And in the absence of safeguards, one must assume that all data is accessible to all officials.

To be sure, some of this information is already being tracked by Internet companies.

Ravina Kothari, a 22-year-old student at Cardiff University, said she learnt a bitter lesson “last year when I Googled my name”. “It revealed all the personal details I had put up on social media sites. My childhood school photos popped up on Google image search results. Worse, I had not put them there. My friends had tagged me in—all so scary. And I can’t do anything about it.”

She has since stopped uploading personal details such as videos, pictures or telephone numbers.

Twenty-one-year-old Shruti Lodha, studying to be a chartered accountant, feels a similar discomfort.

“I am definitely not comfortable with Google, and how every time I Google myself it reveals my identity and shows information that is on social media sites.”

In 2011, 24-year-old Max Schrems of Vienna, Austria, asked the world’s largest social networking site Facebook Inc. for a copy of every piece of information it had collected on him since he had created an account with it two years earlier.

Schrems was delivered a CD packing a 1,222-page file that included information he had deleted, but had been stored on Facebook’s servers, according to ThreatPost, a publication on information technology (IT) security run by Kaspersky Lab, a leading maker of antivirus software.

Had Schrems been a resident of India, he could not have known how much personal information Facebook had on him. Every person in the European Union (EU) has the right to access all the data that a company holds on him or her.

With the CMS, all this information, and much more, can be called up by just about anyone—the taxman, CBI officials, Assam Police (which will also monitor the network according to some reports)—and the old bogey of national security may not even be raised.

Need for a privacy law

Publicly at least, companies agree that the new monitoring systems infringe on our rights. Subho Ray, president, Internet and Mobile Association of India said, “Without any prior permission, government should not take or use any information which is considered private. The biggest challenge for us is that we do not have a privacy law in India.”

Cyber law experts and privacy lobby groups caution that the world’s largest democracy’s attempt to snoop on its citizens with the CMS, ostensibly for security reasons, could be abused in the absence of a transparent process and a privacy law.

The issue has become alarming, they add, with the US admitting to be collecting billions of pieces of information on immigrants—6.3 billion from Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June report in the UK-based The Guardian newspaper.

“We don’t know much about the CMS, except that when implemented, it could be plugged directly into telecom nodes and lead to widespread tapping,” said Apar Gupta, a partner at law firm Advani and Co. specializing in IT law.

“There’s no legal sanction as of now for any type of mass surveillance, such as the one that the CMS suggests,” said Pavan Duggal, a Supreme Court lawyer and cyberlaw expert.

Gupta added that since India lacks privacy legislation, which obliges companies to maintain privacy standards when they export the data which they’ve gathered in India overseas, “this poses a problem”.

N.S. Nappinai, a Bombay high court advocate, said, “India has lived without any codified laws to protect privacy all these years and has relied primarily on Article 21 of the Constitution. Protecting privacy has just become more complicated with the humongous quantity of data being uploaded online. People seem totally unaware of the trouble they are inviting upon themselves.”

Current laws are already compromised

The lack of a privacy law makes it easier for the government to take such extreme steps. The Indian Telegraph Act and the IT Act, 2008 (amendments introduced in the IT Act, 2000), already gives the government the power to monitor, intercept and even block online conversations and websites. The addition of the CMS will greatly widen the number of sources and could simplify access to these records as well.

On 25 April 2011, the government admitted that the existing laws include provisions for interception and pointed out that the Supreme Court had, on 18 December 1996, upheld the constitutional validity of interceptions and monitoring.

While the court had added that telephone tapping infringes on the right to life and the right to freedom of speech and expression, unless permitted under special procedures, these guidelines are not usually implemented, according to activists.

The shortcomings of the existing laws already make it possible to misuse the vast amount of information that is available today. These laws were written at a time when the Internet was not a fact of life, and where the lines between public and private were not already blurred. Given that, the perspectives on privacy can be worrisome.

In a report presented to the Lok Sabha on 13 December 2011, the ministry of planning said, “Collection of information without a privacy law in place does not violate the right to privacy of the individual…There is no bar on collecting information, the only requirement to be fulfilled with respect to the protection of the privacy of an individual is that care should be taken in collection and use of information, consent of individual would be relevant, information should be kept safe and confidential.”

This proposed Right to Privacy Bill was leaked to the public, and eventually nothing came of it.

On 16 October 2012, a commission headed by justice (retired) A.P. Shah issued a report that included the study of privacy laws and related Bills from around the world. The report noted that with the “increased collection of citizen information by the government, concerns have emerged on their impact on the privacy of persons”.

Despite the report being given to the Planning Commission, the government has continued with its plans.

Early this year, a privacy lobby body, the Centre for Internet and Society (CIS) drafted the Privacy (Protection) Bill 2013, with the objective of contributing to privacy legislation in India.

CIS worked with the Federation of Indian Chambers of Commerce and Industry and the Data Security Council of India and held round table meetings around the country to bring about a privacy law.

Sunil Abraham, executive director, CIS, said, “While the government sets out to protect national interests, it’s also very important to protect the rights of individuals.”

The way ahead

Human Rights Watch, in a 7 June media release, described the CMS as “chilling, given its (India’s) reckless and irresponsible use of sedition and Internet laws”.

According to Freedom on the Net 2012, released on 24 September, India—which scored 39 points out of 100—was termed “partly-free”. But India is not alone. Around 40 countries filter the Internet in varying degrees, including democratic and non-democratic governments.

YouTube and Gmail (both owned by Google Inc.), BlackBerry, WikiLeaks, Skype (owned by Microsoft Corp.), Twitter and Facebook have all been censored, at different times, in countries such as China, Iran, Egypt and India.

European Union countries have strong privacy laws as is evident from the Schrems case.

Australia is engaged in putting similar safeguards in place. On 24 June, a Senate committee recommended that Australia’s proposed data retention scheme only be considered if it just collected metadata, avoided capture of browser histories and contained rigorous privacy controls and oversight.

Indian politicians could take a cue from such countries when balancing national interest with protecting the privacy of individuals.

Gopal Sathe in New Delhi and Zahra Khan in Mumbai contributed to this story.

For more details visit http://editors.cis-india.org/news/livemint-leslie-d-monte-joji-thomas-philip-july-3-2013-how-the-worlds-largest-democracy-is-preparing-to-snoop-on-its-citizens

How the UID project can be a cause for concern

praskrishna — 2018-04-09T12:59:02Z

The Unique Identification Authority of India (UIDAI), headed by Nandan Nilekani, is the UPA government's most ambitious project, where one billion Indians are branded with a unique identity number.

Prime Minister Manmohan Singh handed over the first of the Aadhaar cards at Tembhli village in Nandurbar district of Maharashtra. This mammoth project aims to provide Indian residents with a unique 12-digit identification number that will serve multiple purposes.

Given the reach and the impact of such an exercise there is much excitement around the Unique Identity (UID) number (also known as Aadhaar) drive, along with some confusion.

However, there remains some concerns of identity theft.

For example, the number is linked to their fingerprints and the patterns in their eyes. Since those markers are unique to each of us, no one will steal their rations and wages again. They will be issued only after verification. But our eye's Iris patterns change, with age, disease or malnourishment. Fake fingerprints can very easily be made. Hence, the unique element of these numbers can be tampered.

Sunil Abraham, Director, Centre for Internet and Society said, “If I leave my fingerprints around, my identity can be stolen and transactions done on my behalf.”

Activists claim that in a few years, banks, insurance companies, cell phone providers and hospitals will demand UID number before doing business with you. They could use that number, to share information about anybody.

Hence, Abraham said, “An insurance company and a hospital can merge databases. If you have AIDS or TB, they can bump up your premium, or refuse you cover.”

Usha Ramanathan, lawyer said, “Say I go to Srinagar six times in a month. That information could be accessed by the government because the airlines asked for my number before booking a ticket. And that could make me a suspect. There's something wrong in being treated as a suspect for no other reason, than state paranoia.”

Interestingly, even though India seems excited about this project, Britain recently stopped attempts at biometric based identification systems, after warnings that such a database could easily be hacked.

See the video here.
See the original coverage in IBN Live

For more details visit http://editors.cis-india.org/news/uid-project-concern

How The U.K. Got A Better Deal From Facebook Than India Did

praskrishna — 2016-11-18T01:56:49Z

The U.K.’s Information Commissioner’s Office (ICO) and India’s Karmanya Sareen shared a similar concern – how messenger application WhatsApp’s decision to share user data with parent Facebook is a violation of the promise of privacy.

The blog post by Payaswini Upadhyay was published in Bloomberg Quint on November 17, 2016. Sunil Abraham was quoted.

Last week, Facebook agreed to address the concerns of the ICO; in India, it didn’t have to.

WhatsApp: New Privacy Policy

In August 2016, WhatsApp issued a revised privacy policy that allowed it to share user information with parent company Facebook. Any user who didn’t want her information to be shared with Facebook had a 30-day period to opt out of the policy. Opting out meant that a user’s account information would not be shared with Facebook to improve ads and product experiences. But, there was a caveat.

The Facebook family of companies will still receive and use this information for other purposes such as improving infrastructure and delivery systems, understanding how our services or theirs are used, securing systems, and fighting spam, abuse, or infringement activities.
WhatsApp Support Team statement on its website

Facebook’s Commitment To ICO

The ICO decided to delve deeper into what Facebook intended to do with the WhatsApp user data. Elizabeth Denham, Information Commissioner, ICO stated in her blog that users haven’t been given enough information about what Facebook plans to do with the information, and WhatsApp hasn’t got valid consent from users to share the information.

I also believe users should be given ongoing control over how their information is used, not just a 30-day window.
Elizabeth Denham, Information Commissioner, ICO

Denham further elaborated ICO’s stand - that it’s important users have control over their personal information, even if services don’t charge them a fee.

We’ve set out the law clearly to Facebook, and we’re pleased that they’ve agreed to pause using data from U.K. WhatsApp users for advertisements or product improvement purposes.
Elizabeth Denham, Information Commissioner, ICO

The ICO has now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data will be used, and to giving users ongoing control over that information. Additionally, the ICO also wants WhatsApp to give users an unambiguous choice before Facebook starts using that information and for them to be given the opportunity to change that decision at any point in the future. Facebook and WhatsApp are yet to agree to this, Denham stated.

If Facebook starts using the data without valid consent, it may face enforcement action from my office.
Elizabeth Denham, Information Commissioner, ICO

In the U.K., protections in the European Data Protection Directive have been incorporated into local law via the Data Protection Act 1998. The ICO is both the privacy regulator and the transparency (right to information) regulator, Sunil Abraham, executive director at the Centre for Internet and Society pointed out. The regulator can issue enforcement notices and also fine errant actors in the market place, he said.

This is a regulator with expertise, experience and teeth. Come May 25, 2018, the General Data Protection Regulation will come into force and this will give more comprehensive powers to the regulator to investigate and remedy cases like this. The regulator will take each principle from the Directive or Regulation and examine Facebook’s actions comprehensively before deciding on a response.
Sunil Abraham, Executive Director, Centre for Internet and Society

For example, if the regulator determines that the principle of choice and consent has not been complied with, it can force Facebook to reverse its decisions and provide greater transparency and clearer choices, Abraham added.

Karmanya Sareen’s Grievance

Back home in India, just two months ago, Karmanya Sareen, a WhatsApp user, argued before the Delhi High Court against the company’s new privacy policy. The argument was that WhatsApp’s August 2016 notice to its users about the proposed change in the privacy policy violated the fundamental rights of users under Article 21 of the Constitution. Article 21 promises protection of life and personal liberty.

Proposed change in the privacy policy of WhatsApp would result in altering/changing the most valuable, basic and essential feature of WhatsApp i.e. the complete protection provided to the privacy of details and data of its users.
Karmanya Sareen vs Union of India

The Delhi High Court struck down the Article 21 argument saying that the Supreme Court was still deliberating over including right to privacy as a fundamental right. It also pointed to WhatsApp’s 2012 Privacy Policy that allowed the company to transfer user information in case of an acquisition or merger with a third party. The 2012 policy also allowed WhatsApp to change the terms periodically.

Consequently, the Delhi High Court held that it is not open to the users now to contend that WhatsApp should be compelled to continue the same terms of service. However, the court gave WhatsApp two directions to protect users.

WhatsApp to delete from its servers and not share with Facebook or its group companies any information belonging to users who delete their account.

Users who continue to be on WhatsApp, their existing information up to September 25, 2016 cannot be shared with Facebook or any of its group companies.

Did The Delhi High Court Go Easy On Facebook And WhatsApp?

Apar Gupta, an advocate specializing in information technology, points out that the directions given by the Delhi High Court to WhatsApp did not contemplate any additional protection to a user than what was already provided by WhatsApp.

The Delhi Court essentially reproduced WhatsApp’s privacy policy. It did not compel or provide any additional safeguard.
Apar Gupta, Lawyer

Apar attributes this to the absence of a regulatory framework.

The lack of substantive safeguard and enforcement framework in India led to the Delhi High Court upholding WhatsApp’s new privacy policy.
Apar Gupta, Lawyer

Abraham added that the court did not examine the privacy policy from the perspective of data protection principles as would have been the case in EU or any other jurisdictions with a proper data protection law.

The court too admitted this in its order that there existed a regulatory vacuum in India and asked TRAI to look into the matter. Facebook did not respond to BloombergQuint’s query on whether it would implement its U.K. commitments in India as well.

For more details visit http://editors.cis-india.org/internet-governance/news/bloomberg-quint-november-17-2016-payaswini-upadhyay-how-the-uk-got-a-better-deal-from-facebook-than-india-did

How the government gains when private companies use Aadhaar

praskrishna — 2016-04-01T15:58:38Z

This blog post by M. Rajshekhar and Anumeha Yadav was published in Scroll.in on March 24, 2016. Sunil Abraham was quoted.

Last week, Rajya Sabha made a last-ditch attempt to modify the contentious Aadhaar legislation introduced by the Modi government. Since the legislation was introduced as a Money Bill, the Upper House had no powers to amend it. It could only send back the bill with recommended amendments.

One of the clauses which Rajya Sabha wished to amend related to the use of the Aadhaar number, the 12-digit unique identification number assigned after the collection of an individual’s biometrics in the form of fingerprints and iris scans.

Clause 57 said that anyone, whether an individual or a public or private organisation, could use the Aadhaar number. Rajya Sabha voted to restrict the use of the number to the government. After all, the government had justified introducing Aadhaar legislation as a Money Bill by stating that it would be used for delivering government subsidies and benefits funded out of the Consolidated Fund of India. If the delivery of government welfare is the aim of Aadhaar, why should private companies be allowed to use it?

The Rajya Sabha recommended dropping clause 57 to limit the use of Aadhaar to government agencies. But the Lok Sabha rejected its recommendation, and cleared the Bill in its original form, paving the way for private companies to use Aadhaar.

Strikingly, however, well before the Bill was cleared, a private company started advertising its services as “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. In an article for Scroll.in, legal researcher Usha Ramanathan said, “A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.”

LinkedIn for plumbers

The company that owns the mobile app called TrustID believes it is not doing anything wrong.

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people's identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

Aadhaar authentication

After you have logged into the TrustID app, you can choose from a dropdown menu of categories. You can send anyone's Aadhaar number, gender and name – or even biometrics – and the app claims it can verify their identity.

The app performs Aadhaar authentication – which means it matches an Aadhaar number with the information stored against that number in the servers of the Unique Identification Authority of India. At the time an individual enrols for an Aadhaar number, they disclose their name, gender, address and give biometric scans. This information is held in a database maintained by the UID authority.

One of the criticisms of Aadhaar has been that the database of millions of people could be misused in the absence of a privacy law in India. First, there is the question about whether the biometrics are secure. Second, there are risks that accompany the uncontrolled use of unique numbers.

In response, the proponents of Aadhaar have said that the data is encrypted and secure, and can be accessed only by the authority. Those wanting to authenticate – or match – the Aadhaar number cannot directly access the database. They can simply make requests to the authority which authenticates the number for them.

So far, it appeared that the authority was taking Aadhaar authentication requests solely from government agencies. For instance, to pay wages to workers of the rural employment guarantee programme.

But TrustID’s example showed that private companies too have been sending authentication requests to the authority. This is not entirely surprising for those who have followed the blueprint for Aadhaar as envisioned by Nandan Nilekani, its founder. In an interview in 2012, Nilekani spoke about creating a "thriving application system" using Aadhaar for both the public and private sector.

Chowdhary said Swabhimaan Distribution Services registered as an Aadhaar authentication agency in November 2015, and the app was launched in January 2016.

TrustID, or Swabhimaan, is not the only private company that has signed up as an authentication agency for Aadhaar. A quick Google search throws up the name of Alankit, which wants to “provide Aadhaar Enabled Services to its beneficiaries, clients and customers and can further verify the correctness of the Aadhaar numbers provided ” .

This shows the authority entered into agreements with private companies well before the Aadhaar law was passed in Parliament. The companies were running ahead of legislation in a space unbounded by law, and the UIDAI supported them in this.

It is unclear how many private companies were sending requests for Aadhaar authentication. Scroll's questions to Harish Agrawal, the deputy director general of Aadhaar's Authentication and Application Division, remained unanswered.

In an interview to Business Standard, ABP Pandey, the director general of the UIDAI, said, "Usually what happens is that first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted in to the acts and the regulations."

Why is this problematic?

For one, allowing private companies to use the Aadhaar number shows that the government’s stated aims of Aadhaar are misleading.

Both in the Supreme Court and in Parliament, the government has pushed for the use of Aadhaar as an instrument of welfare delivery. It justified passing Aadhaar legislation as a Money Bill by emphasising its importance to its welfare schemes. But as the case of Swabhimaan shows, Aadhaar's uses clearly go well beyond what the Bill's preamble describes as the “targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India.”

Two, biometrics and unique identification numbers are a qualitatively new form of private information. As such, they bring unknown risks. India does not have a privacy law, and a law defining the use of biometrics and unique numbers is yet to be created. Delhi-based lawyer Apar Gupta said, “Even the Aadhaar Bill is yet to be approved by the president. Its rules are yet to be drafted. There is not enough legal guidance on its use.”

Three, companies like Swabhimaan would be in a position to construct databases of their own. Take TrustID. When it starts retaining Aadhaar numbers, and adds ratings to them, it creates a database of its own, which amounts to creating profiles of people.

Here, as Ramanathan said, the analogy with the networking site LinkedIn doesn't work. “When I have an account on LinkedIn, I update my data,” she said. But the TrustID app generates profiles out of the ratings that others give. Even if a prospective employee shares his/her Aadhaar number, it does not amount to free consent since getting a job hinges on giving that number.

In the future, companies could use Aadhaar numbers in unknown ways, for instance, to combine multiple databases – banks, telecom companies, hospitals – to create detailed profiles of you and me that they can monetise. In effect, Aadhaar becomes a commercial instrument for private companies, and not just a mechanism for the delivery of government welfare.

Gains for the government

Sunil Abraham, the executive director of the Centre for Internet and Society, further explained the risks that arise when databases are combined. He cited the example of OCEAN, the system created by researchers at the Indraprastha Institute of Information Technology to raise privacy awareness. OCEAN used publicly available information held by the government (voter identity card, PAN card, driving licence) to access details about citizens in Delhi. This public data was combined with people's Facebook and Twitter accounts, and the aggregated results were visualised as a family tree which showed information extending to a person’s parents, siblings and spouse.

"If a company like TrustID tied up with OCEAN, it can create a very detailed profile of an individual," said Abraham. "To continue with the example of a job-seeker, if a employer uses TrustID to verify applicants' identity or profiles, the App may combine a database like OCEAN to track that you logged into Twitter at, say 2 am on most nights. It can profile you as someone who might not turn up at work on time in the morning."

Abraham pointed out that the government too stands to gain by allowing private companies to use Aadhaar for authentication. "Use of authentication by private companies will mean UIDAI can have information on authentications performed on you, or by you, over time in the private sphere as well, say during such a job search," he said. For instance, when TrustID runs a search for your prospective employers using your Aadhaar number, the government knows you have applied for a job at certain companies. "This is unnecessary involvement of the government, giving it access to information in an area that it should not have access to."

Over time, such Aadhaar authentication for private services in companies, hospitals, or hotels will "help the government gain granular data on citizens", he said.

Perhaps that explains why the government rushed the Aadhaar Bill through Parliament, allowing little time and room for public debate.

For more details visit http://editors.cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar

How Technology Is and Isn't Helping Fight Corruption in India

praskrishna — 2013-06-05T06:43:43Z

I recently sat down with Sunil Abraham, the founder and executive director of the Center for Internet & Society (CIS) in Bangalore to talk about the center, and his views on the role of technology and openness in politics and society.

The blog post by David Eaves was published in Techpresident on May 28, 2013. Sunil Abraham was interviewed by the author.

Abraham, who founded the CIS in 2008, has been active in the open source and technology space for almost two decades, constantly balancing research and theory, with a strong desire to get his hands dirty and actually make things happen. Prior to starting CIS he held both a Sarai FLOSS fellowship and Ashoka fellowship in which he explored the democratic potential of the Internet. However, before this he worked as a social entrepreneur and free software advocate, founding Mahiti, a company that implemented free software solutions for volunteer organizations. The company continues to thrive today employing over 50 engineers.

Today the Center for Internet and Society serves as a non-profit think tank and advocacy organization that research and explores policy options on freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness. Over the past five years it has seen its influence grow as it becomes increasingly recognized for its expertise and critical view, within both government and the media, in India.

For part of the conversation I asked Abraham his thoughts on I Paid a Bribe, a website launched in August 2010 that allows users to report when and where they were asked to pay a bribe to a public official.

What follows is a fascinating critique of not just I Paid a Bribe but the UID (biometric ID program being rolled out across India):

Sunil Abraham:

The first complication with I Paid A Bribe is it is a quantitative approach to the problem.

Second, it assumes that those reporting the bribes are honest and don't have any other agendas.

Third, it also depends on the novelty effect. People can get bored when there is no feedback. The loop is not closed. To close the loop, some of the things that go on with anonymous reporting cannot happen, and to close the loop it almost needs to become a paralegal infrastructure. It has to talk to law enforcement and people have to be arrested, prosecuted and put away. To really address a problem like that is complex.

So it fails at each of those challenges.

The real challenge in India is high-ticket bribes that happen at the top of the pyramid. And those bribes are done in a very sophisticated fashion. Ordinarily minds cannot understand those transactions. Take the 2G spectrum scam. [the 2G spectrum scam was a significant scandal in India involving a shortfall of hundreds of millions of dollars in the licenses fees Indian telecom companies were supposed to pay the government for their 2G cellphone spectrum licenses. It is believed that officials were paid off so that lower license fees could be paid]. People still don't know what was the bribe and who paid who the bribe. Nobody knows! There are now 8 or 9 books on the scam and none of these books will tell you who did what. There are lots of charts about where money flowed but what component of that was the bribe and what component of that was legit … why none of these money trails link back to the primary accused … nobody can explain.

[And the big challenge with these high-ticket bribes is that…] The rate of evolution in corruption keeps pace with the rate of innovation in anti-corruption. It will always innovate and modify to protect itself against new approaches.

There are many honest people in government, otherwise this country would be in tatters! If everyone in government was corrupt … but what the system does is almost assume everyone within government is corrupt but that everyone outside of government is innocent. But this is not true at all.

The government represents a sample of the population, so if half the population is corrupt then half the people in government will probably be corrupt, it is not dramatically different. So how does one prevent potential witch hunts or the waste of law enforcement resources following false leads?

With the novelty effect – it feels very difficult to maintain the volume [of complaints] and make grand claims like place "A" is more corrupt than place "B". After some time there will be regional difference and the data will no longer even sound credible to the people involved and its credible will collapse. There is no easy answer this.

So the most effective use of technology in fighting corruption [in India] has been in sting operations.

There you go after high value targets, you don't go after petty corruption at the bottom of the pyramid. You use a competent team, people that know the technology and know the evidentiary value of the technology in a court, you work within the immunity afforded by law to media organizations. Then you build a proper case. Unfortunately the last case that strikes at the heart of corruption in India – the corporate post – you saw how it was crushed by mainstream media because it was not run by a main stream media outfit. And the enemies were too big: the banks that are money laundering. And all banks are money laundering. This is the most fundamental problem to address really because when the bulk of society is outside the tax bracket or the bulk of their transactions are outside the tax bracket then you have normalized criminal behavior in society. It means it is accepted that the average person will engage in tax reduction or tax avoidance. Those type of really high ticket targets – and there are ways to use technology to address issues like this – it needs champions. What "I Paid a Bribe" is trying to do is say that a particular configuration of technology is going to be the solution and that the crowd will address its own problem. This is the assumption there.

That is very different than saying that the solution is never technology, the solution is always people and we need people to drive this, and ethical institutions that are created by these people to drive this. Than what your story of change automatically takes for granted is every time the technology innovates around your current technology fix your going to innovate also. With the other narrative since your technology configuration IS your solution then somehow you hold it sacrosanct and you assume that the corruption is never going to innovate around your fix.

David Eaves: So I think the hope of I Paid a Bribe - right or wrong - was that you could have a radically scaling solution…

Abraham:

If you are going after high-ticket forms of corruption you have to be sophisticated. If you are going after low ticket, bottom of the pyramid forms of corruption you may not have to be.

Take the UID project (biometric ID).

In order to crack bottom of the pyramid corruption, one way to do this is by using biometrics so that the actual recipient who IS supposed to get subsidy or welfare actually gets the subsidy or welfare. But if you just think that through you realize there are so many problems with that.

When the intended beneficiary goes to collect he could be told there is no connectivity, or there is no electricity, or even if the authentication system answered a yes he could be told it was in fact a no. Or even if the authentication system answers a yes he could be given half his entitlement instead of his full entitlement.

And even if the authentication system says yes he may have not been eligible in the first place but could be a local elite who is taking the entitlement.

But on the other hand if we had a system through which there was necessary disclosure of everybody receiving the entitlement and their details were published on a public notice board in the village… then people in the village themselves could tell if those people were the right people to get these subsidies. The local media could come and inspect this, civil society organizations could inspect this. So it is the government becoming more transparent to the citizen rather than the other way around, which with the UID is what happens – the citizen becomes more transparent to the state.

Technology has to be configured in a very careful way at each stage in order to address different types of corruption, and each of those specific technologic choices you make can either increase corruption or decrease corruption or increase the power asymmetry or make it more equitable.

Eaves:So what are the conditions in which I Paid a Bribe might work more effectively?

Abraham:

It might be that I Paid a Bribe only allows for one type of participation. If you look at other forms of commons based peer production projects. I think they offer many types of contributions to the project. So if through the examination of a particular government budget a platform identifies all the public works that are going to be constructed using that budget and then allows state or town or even a locality to monitor the progress on those works then it allows for contributions that are necessarily antagonistic but it also allows for contributions that are antagonistic. So it allows for a conversation with a much more diverse set of people participating.

With I Paid a Bribe, because they want the scale they have taken the simplification very seriously. And it is a light touch transaction – which means once you register a bribe you can more or less forget about it. I think other peer production projects, even Wikipedia, once you start editing a particular page, you may develop an interest in that page. You can set a notification system that will notify you every time that page is edited. It is like the same story on a mailing list, that the rules that existed during the initial days when the mailing list was very small change and get more sophisticated as the mailing list scales. The technological solution has to grow to compliment the age of the community and the community has to be gardened very carefully to retain members. I Paid a Bribe risk ending up being a venting mechanism for the post bribe trauma moment. Which is fine! That is useful in of itself. But if your vision is more than that, if you want to have a movement which is an anti-corruption movement then it cannot be just be a venting mechanism for the anti-bribe trauma.

This is the complication. I'm not dismissing I Paid a Bribe. All I'm saying is, in order to build a community and take it along with you, you cannot keep anything sacred. Not your technological configuration, not how you message, address and bring people into the community, not even your target community – that might change – so it is just like the challenge we have in growing Wikipedia in India. If you were that simple we would the same solution for the different language wikipedias and we would do one homogenous thing across the nation. But the Kannada Wikipedia has only seven active editors, as does the Punjabi Wikipedia, the Hindi Wikipedia has hundreds of editors but they don't like each other and they don't meet in real life. Very unlike the Maleren Wikipedia. So the strategy that needs to be employed is very different for each of these communities. There is almost an automatic tension between simple, scalable and authentic bottom up movement forces.

So as the number of bribes reported on I Paid a Bribe increase – what do you do to ensure that the quality of those reports gets better? And how do you move people from being anonymous reporters to the system to becoming more and more identified? How does a senior cohort of the community get created? I don't know – these things may exist but I don't see it from the outside.

Look at the different in other peer production projects. The brand of the individual and the attribution afforded to each individual is quite explicit and public. I Paid a Bribe is mostly anonymous although I think some of them choose to be public.

Eaves: And you need to feel incredibly confident in your personal security and status to be public in I Paid a Bribe.

Abraham:

Exactly.

This post has been corrected to fix a transcription error. Sunil Abraham said the Kannada Wikipedia has only seven active editors.

For more details visit http://editors.cis-india.org/news/techpresident-david-eaves-may-28-2013-how-technology-is-and-isnt-helping-fight-corruption-in-india

How tech brings self-reliance to students with disabilities

praskrishna — 2016-05-29T07:47:30Z

Rakshit Malik, 18, has every reason to be pleased with himself. He just scored 96.4% in his Class 12 exam -the third-highest score in CBSE's disabled category.

The article was published by the Times of India on May 29, 2016. Nirmita Narasimhan gave inputs.

He treats his visual impairment matter-of-factly: "My ability is stronger than my disability". A humanities student who wants to specialize in history, Malik learns by listening. He hears the material, pauses, and assimilates it. "While we found audio versions of NCERT textbooks in Classes 9 and 10, they are not available for Classes 11 and 12," says Malik, who then used his own method. "Mama recorded herself reading out my textbooks".

This year, there was merely a 12-mark difference between the student who topped the disabled category and the highest scorer in the exam. In many cases, learning outcomes are aligning, and advances in assistive technology have something to do with the trend. While it is still essential to know Braille, the system of reading raised dots by touch is falling out of use in many parts of the world. In the US, fewer than 10% of the visually impaired read Braille. Now, digital screen readers and magnifiers, and text-tospeech apps make sure that a blind student and a sighted one are on the same page. "Tactile diagrams can be used to teach geography , science and other subjects that require visual aids," explains Nirmita Narasimhan, accessibility expert and policy director at the Centre for Internet and Society , Bangalore.

As more learning material is put online, students have it much easier than they did a generation ago. They also get study notes from peer-to-peer forums.

According to the 2011 census, 2.21% of the Indian population -around 26.8 million -have some form of disability . On paper, the state is committed to supporting these students, and to providing aids and appliances, access to material, scribes and readers; and easing exam processes.In practice, it is far from smooth, explains Diana Joseph of the Fourth Wave Foundation, a Karnataka NGO that bridges the gap between government and students with the Nanagu Shaale programme."Each integrated education resource trainer has to oversee 30 schools. So it's often perfunctory . For example, they may supply hearing tools, without explaining that the battery must be replaced."

Over the last five years, there has been progress in both technology and policy. Copyright restrictions have been lifted for the use of the disabled. Textbooks have been proactively digitized. But ultimately , success depends on the mundane but critical matter of the right standards, explains Dipendra Manocha, who leads the DAISY for All project in India. DAISY, or Digital Accessible Information System, is an international standard for printed material that can be read in Braille, large print, audio, etc on a computer or mobile phone. By contrast, something scanned as an image file can't be read.

For more details visit http://editors.cis-india.org/accessibility/news/the-times-of-india-may-29-2016-how-tech-brings-self-reliance-to-students-with-disabilities

How private companies are using Aadhaar to try to deliver better services (but there's a catch)

praskrishna — 2016-12-23T02:04:59Z

They are gathering more information on you.

The article by M. Rajshekhar was published in Scroll.in on December 22, 2016. Sunil Abraham was quoted.

In 2006, Ajay Trehan set up AuthBridge, a background verification company in Gurgaon. That was a time when business process outsourcing was booming. Global companies like Citibank were relocating back-office functions to India. Outfits like AuthBridge sprang up in response to help these companies find qualified staffers. They vetted applicants by running identity checks, verifying education and employment records, doing reference checks and more.

Ten years later, AuthBridge’s client profile has changed. With rising insecurity over crimes in India’s cities, like the December 2012 gangrape in Delhi, or the rape of a young woman in an Uber taxi in 2014, local companies – sizeably from e-commerce and businesses with delivery services – have also started vetting employees and partners to check if they have any criminal history. “Now, we have about 700-800 clients,” said Trehan. “Of them, just 20%-30% are foreign companies.”

AuthBridge’s verification process has changed too. Earlier, its employees used to physically verify the credentials of an applicant by travelling to her school or college, meeting her previous employer, vetting her identity papers with the government department that issued them, and so on.

Now they simply run a query on an electronic database.

Aadhaar enters the private sector

Aadhaar, as India’s Unique Identity Project is called, aims to give a 12-digit unique identity number to all residents by collecting their fingerprint and iris scans. As of September, its database, maintained by the Unique Identity Authority of India, held the names, addresses and biometric information of more than 105 crore people.

The project was created by the United Progressive Alliance government in 2009 to reduce leakages in the country’s welfare programmes.

But, quietly, a range of private sector companies have started using it. This includes verification firms like Authbridge, banks like HDFC, telecommunications companies like Reliance Jio, among others.

So far, most discussions on Aadhaar have focused on its utility for welfare delivery and the risk of government surveillance. But as private sector companies incorporate Aadhaar into their systems, fresh questions and concerns are emerging about what this means. A recent tweet by a journalist that went viral encapsulated these concerns.

To understand the rewards and risks of the use of Aadhaar by private companies, here is a detailed look at how they are using it.

Five ways of using Aadhaar

The first way in which companies are using Aadhaar is pure authentication. This is how Authbridge uses Aadhaar. It sends a name and Aadhaar number to the Unique Identity Authority’s server, which responds to say whether they have matched.

Apart from background verification companies, Aadhaar-based authentication can also be used by employers. “A factory hiring women or a security agency hiring guards and wanting to be sure these people are who they claim to be,” said Pramod Varma, the chief architect and technology advisor for the Aadhaar project.

It could also be used by regulated entities with strong Know Your Customer or KYC norms like banks or telecommunications companies. In the old days of branch-based banking, KYC was not a problem, said Varma, since “the bank manager knew all his customers”. But now, KYC is much harder since banks have moved to “core banking with millions of accounts in the server”. Instant Aadhaar-authentication, he said, is useful for verifying customers.

The second is authentication plus. Here, at the time of authentication, a company also downloads the customer’s data from the Aadhaar database. This is what companies like Reliance Jio are doing.

When a customer provides his Aadhaar number to the company, the company not only runs a query on the Aadhaar database to verify the name and number, it also downloads other information about the customer held on the server, like address, date of birth and gender.

This data can be used to electronically fill out the Know Your Customer forms, replacing what is right now a manual process, said Anupam Varghese, the head (products) of Eko India Financial Services, a financial services startup in the phone banking and remittances segment.

It is a disruptive proposition that companies find useful. In India, the cost of enrolling customers is so high, said Abhishek Sinha, the founder of Eko, that it prices a set of financial products beyond the reach of most Indians. “Authenticating a credit card customer and vetting her identity papers will cost anywhere between Rs 150-Rs 200,” he said. A company can recover that investment only if the customer racks up at least Rs 10,000 on the card, assuming a 2% margin on card transactions.

With its instant authentication and automatic form filling, Aadhaar-based electronic Know Your Customer, said Sinha, slashes those costs and makes it easier for companies to offer financial products which become viable even with a smaller volume of transactions. This allows the growth of financial products for less affluent customer segments.

Subsequently, these companies might pad up those databases by adding their own data. This is a third model of using Aadhaar: authentication plus private database.

For instance, TrustID, a mobile app which claims it can verify “your maid, driver, electrician, tutor, tenant and all service professionals” using Aadhaar, wants users to rate the services of the people they eventually employ. In effect, it is creating a private database.

Others, like Eko, are adding financial transaction histories to the Aadhaar data.

While these three uses are built around Aadhaar-based authentication, the remaining three uses – database sharing, data broking, deduplication – pivot around use of just the Aadhaar number. They are based on recent changes in how companies use customer data.

The customer data boom

Customer data has acquired centrality for several Indian companies, particularly startups in e-commerce and financial services.

In some sectors, Varma said, “the cost of switching [between rival companies] is very low,” which heightens the need for customisation. “The better you can serve, they more sticky you get for a customer.” In other sectors, said Varghese, competition chips away at margins. Which is another reason to try and come up with better services and products.

This is where data can help.

In a conversation in October, Nandan Nilekani, software entrepreneur and the first chairperson of the Unique Identity Authority of India, explained why. “Companies like Ola compete with global companies like Uber which have a tremendous advantage in that they have more data – more customers globally – and better algorithms,” he said. If Ola has 5 million customers, Uber has 100 million. Which means Uber’s algorithms – thanks to pattern recognition and machine learning – will be more accurate.

For all these reasons, said Varma, companies in a handful of business verticals are trying to create “a 360 degree view of their customer”.

What has enabled this is a couple of technological trends. The ability to store and process data, said Nilekani, has gone up enormously in the last 15 years. At the same time, data itself has proliferated as electronic devices like mobile phones create records of voice, photos, messages and the locations of customers.

“All this is realtime data. So, on scale, speed and frequency, we have seen a jump,” said Nilekani.

This rising appetite for data is resulting in a couple of novel outcomes.

Enter, the sharing of customer data

Indian companies have begun sharing databases.

A good example is an experimental partnership between Eko, the banking and remittances company, and Capital Float, a financial services startup which gives short term loans.

The two companies worked out an arrangement where Eko shared a part of its database about its distributors with Capital Float. This shared information contained aggregated and anonymised information on distributors and their working capital positions, said Varghese. Capital Float evaluated the database and came back with a list of distributors it could lend to. Eko, then, forwarded these offers to the distributors. After taking their consent, data about the distributors who were interested in the loans was shared with Capital Float.

On the surface, this is a counter-intuitive development: if customer data holds the key to competitive advantage, companies should closely safeguard their data.

But as it turns out, there are strong reasons to share data.

Both Eko and Capital Float, for instance, are small, specialised players in the financial services market which is dominated by banks. Data sharing is one way to compete with banks by offering complementary services to customers.

It is not clear how endemic data-sharing will get. According to Varma, it will be used selectively. “I cannot see organisations sharing databases at will,” he said. “They will be shared only if they can be used to offer an additional service to the client.”

But a programmer who works at iSpirt, a product software evangelising association based in Bangalore, and who did not want to be identified, said the trend will grow. In the financial sector, as new players like mobile wallet companies acquire more customers, banks that refuse to share data will miss out on emergent markets, he said. “Keeping everything behind closed doors – not participating in data exchanges – is now harmful,” he said.

Sunil Abraham, who heads the Centre For Internet and Society, foresees the rise of another kind of data-sharing – by companies that aggregate customer data from multiple sources and market that to clients. These could be data brokers like US-based Acziom, he said. These could also be more specialised firms like medical transcription companies, which simultaneously serve hospitals, insurance and pharmaceutical companies.

The question is: what does all this have to do with Aadhaar?

The utility of Aadhaar

Aadhaar makes it easier to compare and combine diverse databases.

This is what India’s microfinance companies are doing. As Scroll.in reported recently, Microfinance Institutions Network, an association of microlenders, has told its member companies to seed the Aadhaar numbers of their borrowers into their databases. By searching the databases for the Aadhaar number of a prospective borrower, it will be possible to identify if she has already taken too many loans.

This is a scenario Nilekani bristles at. “You do not need Aadhaar for that,” he said. “You can triangulate databases using email or phone number or name.”

But the iSpirt programmer said, “With Aadhaar, the level of certainty is higher than what you would get by using name, phone number or email.” Between databases, the spelling of names might vary. Phone numbers change, especially in a country like India where prepaid mobile connections outnumber postpaid connections. Only a small part of the country’s population uses email. With Aadhaar, said the programmer, it gets easier to correlate databases.

Aadhaar, added Varma, can also be used to clean up databases. Banks, he said, can use the Aadhaar number to create better customer profiles by identifying all accounts owned by a person. This is the fifth use – deduplication.

What it all means

The implications are obvious. A lot of companies already had databases about their customers. Now, as Nilekani said, technology is allowing the collection of ever greater amounts of information about us. The sharing of databases means companies will have ever more detailed customer profiles.

In a sense, we are entering a future where multiple databases – including several that we are not even aware of – will contain information about us. A hospital and an insurance company might share their records. Or intermediary companies, which service both of them, might create their own databases.

This information will materially affect our lives. As already happens online, companies will increasingly base their products on algorithms that parse data about our behaviour and then offer a customised price – which could be geared to serve or exploit us.

These algorithms, as Propublica reported, can be opaque.

In a sense, much of this is a familiar trajectory. The United States too, as the iSpirt programmer said, “saw a lot of irresponsible data sharing without enough control for civilians”.

That is where India is heading as well. As Scroll noted in its article about TrustID, when the company creates scores for the workers who use its app, they might not always be aware of that rating – or be in a position to challenge that rating.

There are large questions here. Who owns the data about you in a company’s database? Take your information in, say, Ola’s database – the address from where you get picked up or dropped, the phone number, the places you visit most often. Is the data owned by you, Ola or the driver? Should you have a say if a company wants to share this data? If you grant permission, how does one ensure it is used correctly?

Right now, as the next story in this series will show, this is a poorly regulated landscape.

This is the third part in a series on the expansion of Aadhaar and the concerns around it. The first two parts can be read here.

We welcome your comments at letters@scroll.in.

For more details visit http://editors.cis-india.org/internet-governance/news/scroll-m-rajshekhar-how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch

How Next-Gen Smartphone Users are Being Bought and Sold

praskrishna — 2013-09-05T10:48:18Z

After facebook and google, Twitter became the latest to buy millions of Indian smartphone users in July.

This article by Rohin Dharmakumar was published by Forbes India Magazine on August 13, 2013, and later mirrored in IBN Live on August 19, 2013. Sunil Abraham is quoted.

Now, the actual announcement was about how Twitter had partnered with Vodafone India to offer its services ‘free of cost’ to mobile subscribers for three months. It had already inked similar deals with Airtel and Reliance, according to Medianama, a digital media news site. Google and Facebook, too, announced such agreements during the past year, whereby mobile subscribers could use their service ‘free of cost’ through their phones.

Nothing is really ‘free’ on the web, which is why we have the adage: “If you’re not paying for it, you are the product”. So these large web companies are actually buying millions of first-time mobile internet users by paying off their respective mobile operators. Of India’s 137 million internet users, roughly 120 million access mobile internet.

Sunil Abraham, director of the Centre for Internet & Society in Bangalore, thinks India could be going down the Indonesia route. “If you ask the average Indonesian mobile user if he or she has internet access, they might say no. Ask them if they have Facebook or Twitter, and they’ll say yes!” Incidentally, 96 percent of Indonesians use social media, mostly from their phones.

Smaller competitors to Facebook, Google and Twitter who can’t afford to pay mobile operators on similar terms will find their competitiveness shrinking. Meanwhile, a large number of Indians will balk at paying for internet usage on their phones because the social networks are all ‘free’.

For more details visit http://editors.cis-india.org/news/forbesindia-august-13-2013-rohin-dharmakumar-how-nextgen-smartphone-users-are-being-bought-and-sold

How ISPs block websites and why it doesn’t help

praskrishna — 2012-08-25T06:56:41Z

Banning websites is ineffective against malicious users as workarounds are easy and well known.

Gopal Sathe's article was published by LiveMint on August 24, 2012. Pranesh Prakash is quoted.

India blocked 245 web pages for provocative content on Monday in an effort to prevent the spread of hate messages and lessen communal tensions in the country, and suggested via an official release on the website of the Press Information Bureau that more could follow.

As was widely reported in the days that followed, most websites blocked were not related to the ethnic clashes in Assam.

Pranesh Prakash, programme manager with the Bangalore-based Centre for Internet and Society, analysed the sites which were listed by the government. In his analysis, 33% of all blocked addresses were on Facebook, 27.8% on YouTube, 9.7% on Twitter and the rest were spread over a number of different websites including Wikipedia, Firspost.com and TimesofIndia.Indiatimes.com.

Prakash says, “I don’t believe that the decision to block sites was politically motivated, but I do believe that in trying to prevent harm, the government has gone overboard.”

He also writes in his analysis, “Even though many of the items on that list do deserve (in my opinion) to be removed [...] the people and companies hosting the material should have been asked to remove it, instead of ordering the ISPs to block them.”

Prakash also pointed out, “There are numerous egregious mistakes. Even people and posts debunking rumours have been blocked, and it is clear that the list was not compiled with sufficient care.”

Of course, India’s overall record on Internet censorship isn’t great, with the current laws encouraging Internet service providers (ISPs) to take down content without investigating individual cases properly. And that is not even taking into consideration official government orders, such as this decision to block websites.

The process of blocking content for an ISP is very simple. After all, any content that is coming from a website to your computer has to travel through the ISP, giving it ample opportunity to observe and censor banned content.

Think of it like this—you’re on an island, with no way to reach the mainland (Internet) where all the websites are. The ISP builds a bridge connecting you to the mainland, and charges you to let cars (data) from the sites come to you, by opening the road. Each web page has a unique ID, like a licence plate. If the government tells the ISP to block a specific page, it’s added to the blacklist, and isn’t allowed on the bridge. The government could also block a full domain, such as Facebook.com, which would be like blocking all cars with DL plates, instead of specific numbers.

New Delhi based cyber security consultant Dominic K. says, “The content is still there and can be accessed from outside India, so these measures are really very ineffective. People can use proxies or a virtual private network (VPN) to circumvent these measures with ease, by appearing to be a different site; so banning sites does nothing to deter malicious users.”

Proxies are websites that load blocked sites for you—if the proxy is not using the ISP doing the block, they can still load the content from the blocked site and present it to the users, since the blocklists simply block websites, and not their content.

VPNs work in a similar fashion, creating a virtual presence for the user outside of their own country. This can be done to circumvent blocks and access region-specific content, but is also a perfectly legitimate tool, and can increase your security greatly.

It’s a pretty crude system but it’s used around the world. In Australia, for example, the government has a page that directly lists their web censorship activities. It wants to block material that includes child sexual abuse imagery, bestiality, sexual violence, detailed instruction in crime, violence or drug use and/or material that advocates the doing of a terrorist act. However, as noted on the same page, these measures can be easily circumvented. Since the content remains on the Internet, and is only blocked, it can be accessed by “any technically competent user”.

China, meanwhile, is frequently criticized for what is called, tongue-in-cheek, “the great firewall of China”. Reporters without Borders, a French organization that works for freedom of the press, has a list of countries that are “enemies of the Internet”. China, Iran, North Korea and Burma are some of the worst offenders, but Australia, India, Egypt, France and South Korea are also on the watchlist as “countries under surveillance”.

Saudi Arabia and the UAE publish detailed information on their filtering practices but other countries such as China return connection errors, and fake “file not found” errors.

There is a long history of Internet censorhip in India, and a perception that the laws have been used for political ends. Net censorship has been around for a while—in 1999, VSNL blocked access to Pakistani newspapers. Later, in 2006 the government wanted to block certain separatist groups of the Yahoo! Groups platform. While the government issued specific pages for the ban, initially, the whole Yahoo! Groups domain was blocked by ISPs. In 2007, Orkut was told to remove “defamatory” pages created by users.

Cartoon pornography website Savitabhabi.com was also blocked in 2009, while several blogging services such as Typepad were blocked last year for a few weeks, and then the block was lifted, with no explanations.

Like Australia, in the UK too, child pornography is filtered by the government, though users there have to opt-in for this filtering. Other countries such as Denmark, Norway and Sweden also see such content being filtered. The Indian IT Act also notes various kinds of illegal content which is not permissible, such as child pornography and hate speech.

Other countries, such as the US, also have aggressive Internet censorship of copyrighted content. Prakash says, “Internet censorship is not restricted to India alone. Every country in the world has been doing this in different ways. The United States, for example, has even seized domains in copyright cases, which were legally hosted in other countries. With regards to political censorship, which some feel is a concern now, I don’t think that the Indian government is doing that. I believe that they are sincerely trying to address a serious issue, but people are going overboard.”

He adds, “The biggest concern is that there is no transparency about what is being blocked, or why, and this leaves things open for active misuse in the future.”

In Google’s 2011 Transparency Report, released in June this year, India did not feature very favourably. According to Google, the number of content removal requests the company received increased by 49% from 2010. There were five court orders from India ordering the Internet giant to remove content and there were 96 other requests by Indian government agencies for 246 individual items.

In comparison, the US made only 77 requests in the same period. They also revealed that 70% of the content removal requests from India were related to defamation. National security and religious offence attracted far fewer removal requests. Google received only one request from Indian agencies from July to December 2011 for removal of pornographic content.

Our government might not be politically motivated in this instance—however, the possibility for abuse is high, and what’s more, the measures that are being taken are limited at best. Instead of ordering ISPs to block content directly, the government should be working with the content owners and platforms offering the content to have it taken down properly. Instead, we get crude measures which do nothing to deter malicious users, and only serve to inconvenience the general users.

For more details visit http://editors.cis-india.org/news/www-livemint-com-aug-24-2012-gopal-sathe-how-isps-block-websites-and-why-it-doesnt-help

How India’s top firms fare in employing women and persons with disabilities

praskrishna — 2016-08-10T14:27:18Z

It is generally believed that the growth of the corporate sector in India has increased employment avenues for historically deprived sections of our society.

The article by Sachin P. Mampatta, Amritha Pillay and Ritika Mazumdar was published in Livemint on August 9, 2016. Nirmita Narasimhan was quoted.

However, an examination of employment data for India’s top 100 companies by market capitalization shows that there is much scope for improvement when it comes to employment of women and persons with disabilities (PWD). In fact, the share of women and disabled employees in India’s top companies is lower than the national average for non-agricultural workers.

The analysis is based on data culled out from Business Responsibility Reports (BRR) that companies are required to file since FY13, which seeks information on the number of permanent women and PWD employees. After factoring in consistency requirements and availability of data, 60 among top 100 companies have been used to calculate these results. This is what the analysis shows.

Is women and PWD employment increasing in corporate India?

Companies did not show marked improvement in the disclosures across the three years (FY13 to FY15). In fact, they showed a slight decline in the number of women employees. Women employees as a percentage of total employees dropped from 19.62% in FY13 to 18.51% in FY15. The number was better for PWD, though only marginally so. The share of PWD employees rose from 0.73% to 0.76% of the total workforce from 2012-13 to 2014-15. Data had limited granularity. So it is difficult to tell if there were overlaps between women and PWD employees. However such overlaps, if any, are expected to be limited.

Is corporate India better than the economy at large in employing women and PWD?

How does India’s corporate sector fare in employing women compared with the rest of the economy? We used data on other workers category from census to compare this. The category of other workers includes people who are not agricultural labourers, cultivators or people who are working in an industry run from home or within the village. Broadly speaking it gives an idea about the non-agricultural workforce in the economy. Data shows that the percentage share of women in corporate India’s workforce is lower than the share of women in other categories. The gap is even bigger in case of the share of PWD. The census data is for 2011, whereas for companies, the year which had the highest percentage share among FY13, FY14 and FY15 was taken.

What explains this gap?

Nirmita Narasimhan, policy director at The Centre for Internet and Society, a non-governmental organisation that works on issues affecting the differently abled, said that skilling is one of the hurdles that affects employment for the differently abled. While skilling of PWDs is a necessary condition for employability, it is not a necessary condition. For example, a visually impaired person may not be able to use a firm’s internal software if there is no compatible screen-reader to help them know what’s on the screen. Companies feel that they would have to spend a lot of money to procure infrastructure. However, technology now often makes it fairly inexpensive to do so. There is huge lack of awareness among employers. They often believe that this would affect the bottom line, Narasimhan added.

In case of women, larger factors could be at play. Women employment in India is still subject to continuing stereotypes which sees them as homemakers, triggering results such as a decline in employment of women with increase in household incomes, as was pointed out in a 2013 Mint piece.

However, there also exists evidence to show that discrimination might be at play even within companies. For example, women and PWD employees have a lower than median share in training received at workplace in these economies. As much as 69% of the permanent work-force received training in 2014-15, according to median figures for the sample set. The number for permanent women employees is 58.76%, and 49.79% for persons with disabilities. Training included skills upgrading and safety training. Skills was given priority where available, else safety training figures were used. Not all companies provided the figures. The above figures are based on the median value for the available set.

Interestingly, there are very few cases of discrimination filed against the companies. The total number filed for all 60 companies was four in 2012-13. It dropped to one in 2013-14, and was zero in 2014-15.

People are said to be reluctant to move the courts on a large scale in such matters. They are unsure of the outcome and cases tend to drag on.

Does this mean increasing private sector dominance in the economy is retrograde?

That said, the picture is not entirely gloomy. The Centre for Monitoring Indian Economy (CMIE) database shows that the share of women in private sector employment has been increasing since the 1990s. It has increased by almost 6 percentage points since 1990. However, more needs to be done. And top companies should take the lead.

For more details visit http://editors.cis-india.org/accessibility/news/livemint-august-9-2016-sachi-p-mampatta-amritha-pillay-ritika-mazumdar-how-indias-top-firms-are-faring-in-employing-women-and-persons-with-disabilities

How does the government track all its legal cases?

praskrishna — 2016-09-14T10:17:07Z

The Legal Information Management and Briefing System , an integral part of the digital India initiative, aims to be a database of all the ongoing cases with the government.

The article by Shreeja Sen published by Livemint on September 13, 2016 has quoted Sunil Abraham.

More than one lakh cases currently exist on a law ministry platform curated in the last 13 months.The Legal Information Management and Briefing System (LIMBS), aimed to be a database of all the ongoing cases with the government as a party, is part of the government’s push towards digital India.

Law secretary Suresh Chandra said this is a big step under the Digital India project, intended to monitor and ultimately reduce spending on government litigation.

“The aim is to conduct cases properly. If our system works, along with the national litigation policy, we will be able to prevent 50% cases before they are even filed,” Chandra said.

According to the government, the project will help reduce delays in filing responses in cases , contempt notices because of such delays and consequent monetary penalties.

The website has also undergone the required security audit under the NIC (national informatics centre), to ensure the data is safe and protected. However, a database like this on the internet comes with its challenges.

“To ensure client confidentiality, communication should be bilateral between lawyer and client and should be encrypted and even watermarked. If this project allows access to documents by multiple stakeholders without encrypting it for the recipient, then if there is any leak, the documents cannot be traced back to the person who was responsible,” said Sunil Abraham, executive director at Centre for Internet and Society, a non-profit research organisation.

The LIMBS project began internally at the ministry of railway sometime in 2013, but was soon expanded as a single platform across ministries. In July 2015, it was hosted on the NIC server. The law ministry, by a gazette notification on 8 February, formally launched LIMBS to monitor cases filed against the Union government.

As of now, there is no special budget allocated for this project, which is being handled in house with a team of eight people – four developers on the technology side and four implementers for the case details. The development of the website is being handled by Ajay Gupta, deputy chief vigilance officer, northern railway. From the law ministry, Spriha Johari is the project director responsible for the website.

As of 12 September, the five ministries with the most uploads on the website were railways (69,469 cases), communications and information technology (7,830), finance (4452), environment (3,189) and defence (2,565).

Every day, nearly 400-500 cases are added to the portal. In all 58 ministries and their 202 departments have been brought under the LIMBS project.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-september-13-2016-shreeja-sen-how-does-govt-track-all-its-legal-cases

How ‘private-censorship’ is making online content disappear, quietly

praskrishna — 2011-12-19T05:31:50Z

If only Kapil Sibal knew how successful his ministry has already been in making online content quietly disappear and how pliant Internet companies can be in India when it comes to requests to remove content, thanks in some part to the rules notified by IT ministry in April 2011.

The Union Minister for Communication and Information Technology, days after an avalanche of bad press fell upon him after his reported warning to Google and Facebook to 'pre-screen content', is due to meet Internet companies today, in an attempt to put the recent past behind.

A display of Facebook's homepage on a computer monitor at an Internet cafe in Delhi, India. Ruth Fremson/The New York Times
Known as the Information Technology (Intermediaries Guidelines) Rules 2011, they are quite the magic wand when it comes to making online information disappear.

In what should deeply worry users of the Internet, an under-cover investigation by an Internet research company reveals how privately administered censorship – prescribed under the IT rules to intermediaries to limit their liability – is having a "chilling effect on free speech." The yet-t0-be published investigative report by Bangalore-based Centre for Internet and Society (CIS) is available with Firstpost.

As part of the under-cover investigation a CIS researcher sent ‘takedown notices’ (requests to remove content online) to seven major websites quoting liberally from the IT rules.

The seven websites (the draft report does not name them) comprised two search engines, an online shopping portal, a website which disseminates news, two websites that disseminate news and allows user-generated comments to be published below articles, a website which offers multiple services such as news, search and shopping.

Note that each of the seven websites is an intermediary – merely receiving, storing or transmitting information. Disturbingly, of the seven websites to which takedown notices were sent, "six over-complied despite there being apparent flaws in the notices."

Here is how a website that disseminates news (identified as Intermediary B in the draft report) responded to the request to remove content on its site.

The researcher, who is also a lawyer, issued a takedown notice for the removal and disablement of one user-generated comment published below a news article on the Telangana movement.

The comment in question read as follows: "Telangana cause is justified, no one is denying that. But have you come to the point, you want to burn India? This is what I am opposing, burning demolition, killing, etc. is the hidden agenda of vested interests. And we Hyderabadis (Hindus and Muslims) will not allow anyone to burn our homeland. I have seen this movement since 1968. These leaders who are leading the agitation are selfish, short sighted and they hav no vision and mission. can any of Telangana leaders answer to the following?" The author of the comment goes on to raise eight questions on water-sharing, tourism, education, displacement and reservation.

While the comment condemns violence in the Telangana movement, blames politicians for being selfish and raises questions, the takedown notice brought to the knowledge of the intermediary that the comment was "racially and ethnically objectionable", "hateful" , "disparaging" "defamatory" – as provided in Rule 3(2)(b) of the IT Rules – and "violates any law for the time being in force" as provided in 3(2)(e) of the IT Rules read with Sections 124A, 153A, 153B, 292A, 295A and 499 of the Indian Penal Code 1860."

The terms such as 'objectionable', 'hateful', 'disparaging' and 'defamatory' are not defined anywhere in the Rules.

The takedown notice did not state the cause of action or establish the author of the takedown notice as an affected person. "After approximately 72 hours, it was noticed that instead of removing just the one comment as identified in the takedown notice, Intermediary-B had removed all 15 comments published below the newspaper article," states draft report.

The search engines (identified as Intermediary A and Intermediary E) didn’t disappoint either. They were sent takedown notices to remove 'three communication links' (base URLs of three websites) provided in its search engine results on searching for 'online gambling'.

According to the draft report, the three communication links and, additionally, all other URLs of the three websites, including sub-domains were removed – after 120 hours on Intermediary A and after seven days on Intermediary E. Even though Intermediary A in response to the takedown notice claimed being exempt under IT rules, they "still removed the three communication links mentioned in the takedown notice (and additionally all other URL’s of the 3 websites, including sub-domains), presumably to avoid legal risk and to err on the side of caution," reveals the report.

The only defender of Internet democracy, who would have guessed, was the online shopping portal. And for what? Baby diapers. The takedown notice to the portal without any supporting document or medical report claimed that a certain brand of diapers caused rashes. "Thankfully, the takedown notice was rejected…. Unlike all other intermediaries, Intermediary-F recognised that the takedown notice of the author was completely frivolous."

Unfortunately, in the other six cases, to paraphrase the famous statement, when they were asked to bend, they chose to crawl.

Should they not have acted more responsibly by rejecting flawed takedown notices and defended the freedom of expression of their users?

Speaking to Firstpost, Pranesh Prakash, Programme Manager, CIS, said, "They should have. Google’s self-reported compliance rate of 51 per cent shows that they are probably over-stepping the law in order to appease the Indian government’s requests. Given that 71 per cent of the requests were for ‘government criticism’, their removal of 51 per cent of the material indicates that they removed at least some of the requests they received for ‘government criticism’. While it is impossible to say more without having greater details about the requests, I believe it is fair to say that requests for removal of ‘government criticism’ should generally not be acted upon."

Going by the pliancy shown by the six websites in removing online content, all Sibal had to do was to shoot off takedown notices. And quietly and, most likely, the images that caused him so much heartache would have disappeared. Right?

"Most definitely. And this points to a problem with the current regulations. While it is difficult for government officials and police, etc., to remove content in books, it is very easy for them to remove content from the web. Should web content be this much easier for the government to censor than content in books, movies, etc.?" asks Pranesh.

This article by Pallavi Polanki was published in Firstpost.com on December 15, 2011. Pranesh Prakash was quoted in it. Read the original here

For more details visit http://editors.cis-india.org/private-censorship-making-online-content-disappear-quietly

Hosadhigantha

praskrishna — 2013-12-31T09:43:28Z

Hosadigantha

For more details visit http://editors.cis-india.org/home-images/HosadiganthaMangaloreDec222013.jpg

Hook

praskrishna — 2012-05-02T06:30:50Z

For more details visit http://editors.cis-india.org/home-images/copy_of_hook.jpg

Honorable CJI please answer some easy questions

praskrishna — 2016-05-29T08:27:25Z

Living in democracy has been blessing to all of us born post 1947 but certain questions keep surfacing. Since you are the highest seat in the hierarchy of judicial system therefore the onus lies with you to clear the haze and allow the citizens respite from their doubts.

The article by Alka Vasudeva was published in State Times on May 19, 2016. Pranesh Prakash's blog post was mentioned.

First of all you make us understand the benefit of archaic laws established by imperialist mindset of British. The recent judgment regarding the defamation law is really upsetting. The bench feels that a person is half dead when defamed where as in our country the life of dignity cease to exist for 25% of the population.

The particular case of keeping Article 499 saves the honor of the elite. As per this judgment anyone is not free to express the discontentment with the system. Moreover it is leaving a loophole in the judicial system as in 2015 the honorable court struck off Article 66A.

When I was reading a blog post by Pranesh Prakash, who is a Policy Director with the Centre, and is a graduate of the National Law School of India University, Bangalore, with a degree in Arts and Law, I realized that 499 is very similar in nature to 66A.

For reference some part of his post is copied and pasted as such with no editing as the sole purpose has been to re confirm the reasons as to why clinging on to this Defamation law is futile exercise as its twin has already been scrapped.

“Section 66A which punishes persons for sending offensive messages is overly broad, and is patently in violation of Art. 19(1) (a) of our Constitution. The fact that some information is “grossly offensive” (s.66A(a)) or that it causes “annoyance” or “inconvenience” while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill’s harm principle provides a better framework for freedom of expression than Joel Feinberg’s offence principle. The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience is not required. Additionally, it would be beneficial if an explanation could be added to s.66A(c) to make clear what “origin” means in that section. Because depending on the construction of that word s.66A(c) can, for instance, unintentionally prevent organizations from using proxy servers, and may prevent a person from using a sender envelope different from the “from” address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunneling, and other forms of ensuring anonymity online. This doesn’t seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.”

It is pertinent to mark that “what statements are defamatory and the span of defenses varies from jurisdiction to jurisdiction but there is common agreement in all jurisdictions that statements that are unflattering, annoying, irksome, embarrassing or hurt one’s feelings are not actionable.”

Court in various cases held that for proving the clause of defamation it is pertinent to prove the means read of the defendant. Here, it is to be taken into consideration “that if a statement is made with a good intent and is for a good purpose, it cannot be said to be a case of defamation even if it contains allegations against a party”.

Across the countries Defamation law protects an individual’s reputation or feelings from unwarranted attacks. There is little dispute that defamation laws can serve a legitimate purpose and it is recognized internationally as a valid grounds for restricting freedom of expression. A good defamation law – one which lays the groundwork for striking a proper balance between the protection of individuals’ reputation and freedom of expression – aims to protect people against false statements of fact which cause damage to their reputation.

Surely the bench of learned judges might have some considerations other than the dignity of human being. The logic to use such words rest in the fact that as per this law a person can be penalized with financial fine or prison term.

Can reputation be purchased with money? No is the immediate and firm replying when this question is tossed among the scholars. Can the dent on the image of a person repaired by sending the accuser behind the bars? Can the damages claimed in terms of money establish the image again?

If the courts think that only rich spare the time to sue someone using defamation case then there is going to be need of separate courts only to deal with huge pile of such cases almost every day.

Spending eight years in prison with label of MACOCA offence Sadhvi Pragya Singh has been acquitted of the charges. Now it means that the entire list of officers engaged in the exercise to falsely implicate her in Malegaon bomb blast case is either going to be put behind the bars or forced to shell out some whopping amount as penalty. Practically both the measures are going to prove futile as those who believed in her innocence they continue to do so even today and those who heard her name for the first time through news channel debates are either unconcerned or they may keep the suspicion intact.

For elaboration let us talk about Hindi cine star Salman Khan and Sanjay Dutt. Both had been in the limelight for wrong reasons but it hardly reflected on their fan following.

Rajiv Gandhi died in 1991 but people have not been able to give him the clean chit in Bofors deal case. Lalu Yadav might have been instrumental in winning the elections for Bihar but his reputation is associated with fodder scam.

If the law is sustained then greater injustice is done towards millions who keep waiting for dates as these rich influential class keeps the courts busy with their bundles of defamation suits.

Here in our country where cases of physical abuse are very high and ignored the continuity of this law seems to be mockery. In our society there is reluctance to accept the survivor of a sexual assault and character assassination is handy how come the monitory compensation restores the lost self esteem? It is a big question.

Though under pressure of public outrage the Nirbhaya Fund was constituted but even today the conservative think tanks exist that do not talk with respect about the brave girl Jyoti. Her rapists are behind bars and one of them freed too. Does it mean the half population of fairer sex does not count when it comes to Reputation? Why the rapists are not held accused and tried under Article 499?

The civil courts are also brimming with cases as every now and then in the offices the employees are put under suspension or terminated citing ” verbal brawl ” as violation of code of conduct . In certain cases the employees daring to seek information using RTI law are also implicated with charges of defamation. Is it acceptable in the democratic set up? Is it not encroaching by legal force the employees’ right to express resentment at work place? Is this law not entangling the procedure?

For more details visit http://editors.cis-india.org/internet-governance/news/news-state-times-may-19-2016-alka-vasudeva-honorable-cji-please-answer-some-easy-questions