Centre for Internet and Society

Govt tweaks enforcement of IT Act after spate of arrests

praskrishna — 2012-11-30T08:27:01Z

The government on Thursday tweaked the law to make it tougher for citizens to be arrested for online comments that are deemed offensive after recent arrests came in for heavy criticism by Internet activists, the media and other groups.

Surabhi Agarwal's article was published in LiveMint on November 29, 2012. Pranesh Prakash is quoted.

This took place just before the Supreme Court was to hear a public interest litigation seeking an amendment to the Information Technology (IT) Act.

Complaints under the controversial Section 66A of the IT Act, which criminalizes “causing annoyance or inconvenience” online or electronically, can be registered only with the permission of an officer of or above the rank of deputy commissioner of police, and inspector general in metro cities, said a senior government official.

The government, however, has not amended the terms in the section that are said to be vague and subject to interpretation.

The public interest litigation against Section 66A filed by student Shreya Singhal came up in chief justice Altamas Kabir’s court on Thursday. The matter will be heard on Friday.

Two girls near Mumbai were arrested last week for criticizing on Facebook the shutdown in the city for Shiv Sena chief Bal Thackeray’s funeral. Earlier in November, a businessman in Puducherry was arrested for comments made on Twitter against finance minister P. Chidambaram’s son Karti Chidambaram.

According to people present at the meeting of the cyber regulatory advisory committee on Thursday, the Union government will issue guidelines to states with respect to the compliance of the new enforcement rules soon. The people didn’t want to be named. An official said the move was not related to the case.

Pranesh Prakash, policy director at the Centre for Internet and Society think tank, said that while the change in the law is a step in the right direction and will eliminate a lot of frivolous complaints, more needs to be done to make the legislation specific.

Chief justice Kabir said the apex court was considering taking suo motu cognisance of recent incidents.

Singhal contended in her plea that “the phraseology of section 66A of the IT Act, 2000, is so wide and vague and incapable of being judged on objective standards, that it is susceptible to wanton abuse and, hence, falls foul of Article 14, 19 (1)(a) and Article 21 of the Constitution.”

She submitted that “unless there is judicial sanction as a prerequisite to the setting into motion the criminal law with respect to freedom of speech and expression, the law as it stands is highly susceptible to abuse and for muzzling free speech in the country.”

The PIL was argued by Mukul Rohatgi, who said in his opening remarks that Section 66A was vague. Terms such as “offensive” and “annoyance” should be clearly defined as the section is part of criminal law, he said.

Senior advocate Harish Salve, who was also present during the hearing, said India guaranteed the right to “annoy” and there was no need to have a separate law.

Salve, who is in the process of filing an intervention on behalf of some technology companies, added that the section needed to be narrowed to specifically cater to private messages sent electronically and not social media communications.

He said the existing law of defamation should suffice and could be extended to include electronic communications. According to a lawyer who is part of the team representing Singhal, the petition also demanded that the law be made non-cognisable so that the police can’t make an arrest without an order from a magistrate.

“There has been a lot of misuse and abuse of the law recently and we want it to be struck down absolutely and also the court to issue guidelines,” he said.

Apart from the incident at Palghar in Thane district involving the two girls, Singhal’s PIL referred to an April incident in which a professor of chemistry from Jadavpur University in West Bengal, Ambikesh Mahapatra, was arrested for posting a cartoon concerning chief minister Mamata Banerjee on a social networking site.

She also referred to the Puducherry case as well as the May arrests of two Air India Ltd employees, V. Jaganatharao and Mayank Sharma, by the Mumbai Police under the IT Act for posting content on Facebook and Orkut against a trade union leader and some politicians.

Singhal has sought guidelines from the apex court to “reconcile Section 41 and 156 (1) of the Criminal Procedure Code (CPC) with Article 19 (1)(a) of the Constitution” and that offences under the Indian Penal Code and any other legislation, if they involve the freedom of speech and expression, be treated as a non-cognizable offences for the purposes of Sections 41 and 156 (1).

Section 41 of CPC empowers the police to arrest any person without an order from a magistrate and without a warrant in the event that the offence involved is a cognizable offence. Section 156 (1) empowers the investigation by the police into a cognizable offence without an order from a magistrate.

The government official present at the cyber regulatory advisory committee said the expressions used in Section 66A had been taken from different statutes around the world, including the UK and the US.

“There has been a broad consensus that the parameters of the law concerned might be in order but from a procedural standpoint there might be difficulty,” the official said.

Prakash said that while some of the terms in the section may be taken from legislation overseas, the penalty imposed under the Indian law is far more stringent at three years of imprisonment than, for instance, six months under the UK law. “Criminal offences can’t be put at the same level as something which causes insult.”

The cyber regulatory advisory committee meeting was attended by minister for communications and information technolgy Kapil Sibal, and secretaries of the department of telecommunications and information technology, besides representatives of technology companies such as Google and Facebook, industry associations and civil society.

The official also said that the situation will be reviewed every three to four months based on “ground realities”.

A government official said on condition of anonymity that the decision to revive the cyber regulatory advisory committee had been taken at a meeting in August. Section 66A was put on the agenda since it was the subject of much debate, he said. The meeting, however, was not a pre-emptive measure ahead of the PIL that was taken up in the Supreme Court. The official also said that the government will spell out its position in court in favour of the legislation.

For more details visit http://editors.cis-india.org/news/livemint-politics-november-29-2012-surabhi-agarwal-govt-tweaks-enforcement-of-it-act-after-spate-of-arrests

Govt to U

praskrishna — 2012-06-25T05:17:29Z

For more details visit http://editors.cis-india.org/home-images/GovttoU.jpg

Govt to keep Aadhaar record for 7 years, activists worried

praskrishna — 2016-10-17T01:53:24Z

The government will keep for seven years a record of all the services and benefits availed using the Aadhaar number, say new rules, prompting fears that the database could be used for surveillance.

The article by Aloke Tikku was published in the Hindustan Times on October 17, 2016. Sunil Abraham was quoted.

The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.

“This is an unprecedented centralised data retention provision,” said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.

UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.

The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.

Users will be able to check the records but only for two years.

This restriction won’t apply to security agencies. Pandey, however, said the records would not be available to them without a district judge’s permission.

But, HT found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.

“Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual,” Abraham said.

This is how the system, which will need millions of fingerprint-reading machines, works.

Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.

The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.

“You can think of it as Natgrid Plus,” Abraham said, a reference to the National Intelligence Grid being built by the government.

A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.

“…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it,” UIDAI’s Pandey said.

But seven years is a long time. Only a select category of government files are kept for longer than five years.

Asked about two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.

The Supreme Court has a ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual’s privacy.

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-aloke-tikku-october-17-2016-govt-to-keep-aadhaar-record-for-seven-years-activitsts-worried

Govt should take a relaxed view of 'violations' of flag code in products sold in foreign countries: Experts

praskrishna — 2017-01-19T02:37:27Z

When it comes to products on sale in global ecommerce vendor sites that seem to violate India’s strict flag code, the government should take a more relaxed and less punitive approach.

The article by Neha Alawadhi was published in the Economic Times on 13 January 2017. Sunil Abraham was quoted.

That’s the view of industry observers and lawyers familiar with internal business practices and regulation.

India’s External Affairs Minister Sushma Swaraj had on Wednesday tweeted that India visas for Amazon executives may be withdrawn unless the America headquartered ecommerce giant apologised for its Canadian site selling doormats in India flag colours.

The point, lawyers and experts say, is that Indian law itself protects Amazon from being prosecuted in this case. India recognises companies like Amazon (whether in India or Canada), as intermediaries, who are exempt from liability under the IT (Information Technology) Act, because a third-party seller was selling those doormats.

Plus, Indian law does not apply outside the country, and a global ecommerce company has millions of products for sale in scores of marketplaces.

“Neither Prevention of Insults to National Honour Act, 1971nor the Flag Code applies outside India,” said Virag Gupta, a Supreme Court advocate specialising in cyber law.

The only thing the Indian government can do, said Sarvjeet Singh, programme manager, Centre for Communication Governance, National Law University, Delhi, is to ask the company to take down the listing.

That Amazon had already done, he noted. “Given the volume of traffic and usage and the number of sellers, it is impossible for a company to monitor all the goods listed,” Singh added, and said that’s why the IT Act recognises that companies like Amazon are intermediaries.

Many experts also wondered whether India’s flag code is ready for a reset, aligning it more with today’s less statist views on such matters.

The code calls for a three-year jail term, or a fine, or both for violations. In democracies such as the United States, Canada and the Netherlands, national flag colours in product design does not invoke legal punitive responses. “In a lot of these countries, where issues about Indian flag code violation have come up, these activities are legal and covered by freedom of expression guarantees and we should be aware of these cultural contexts before making statements,” Singh said.

Others feel the flag code smothers creativity. “Repealing most flag-related regulation will unlock creativity, encourage derivative works and remix and greatly increase the visibility of the Indian flag in public places. This in turn will foster a sense of community, national pride and social cohesion,” said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-neha-alawadhi-january-13-2017-govt-should-take-a-relaxed-view-of-violations-of-flag-code-in-products-sold-in-foreign-countries-experts

Govt set to gain ‘back-door’ access to corporate email

praskrishna — 2012-02-14T12:55:53Z

The government is just a step away from gaining access to RIM’s widely used BlackBerry Messenger (BBM) service, writes Shauvik Ghosh in an article published in LiveMint on 14 February 2012.

In a move that may raise serious questions regarding the privacy of corporate emails exchanged between individuals and employees, the Indian government is all set to gain “back-door” access to emails sent and received over Research In Motion Ltd’s (RIM) BlackBerry Enterprise Server (BES) within the next two-three months.

“There was a meeting last month with DoT (department of telecommunications) on the issue and the concerned security agencies and some home ministry officials,” a senior DoT official said requesting anonymity. “DoT has to furnish a list of enterprises from whom the key has to be acquired.”

The number of such firms is contained in an internal DoT note that was reviewed by Mint.

“There are about 5,000 enterprises using BES in India,” the note said. “These are communications between the employees of the enterprise only and therefore are not of high concern for security or intelligence agencies.”

However, the capability of using the key to access the communications when needed is still being developed.

Meanwhile, the government is just a step away from gaining access to RIM’s widely used BlackBerry Messenger (BBM) service.

“RIM has set up the necessary infrastructure in Mumbai to enable real-time access to BBM, as they had said they would,” said the official cited above. “They had provided for interception via the telecom service providers, but the intelligence agencies wanted direct access and so a server has been set up in Mumbai.”

The note said: “The company had installed the server in Mumbai. This has been inspected by a team of officers and permission for direct linkage for lawful interception was expected to be issued shortly.”

The move has raised red flags among privacy advocates over the motives of the government.

“There is no reason given by them on why they need to do this. There are no allegations of terrorists using BES or any indication that any of the 5,000 enterprises have any links to terrorists or other banned outfits in India,” said Pranesh Prakash, programme manager with digital media watchdog Centre for Internet and Society. “What is worrisome is that it is mainly commercial information that is shared on BES and in a large number of cases, this includes dealings with the government of India that they should not be privy to—things like auction bids, etc.”

Such powers can’t be used to pursue offences of financial nature, he said. “There cannot be economic reasons like tax evasion and such for intercepting such communications as the agencies that look into such offences are not authorized to or do not qualify to tap phones, etc.,” Prakash added.

On being asked about the development, an RIM spokesperson responded by citing the company’s January statement. This said RIM had provided a solution that enables India’s wireless carriers to address lawful access requirements for consumer messaging services, which include BBM and BlackBerry Internet Service email.

“The lawful access capability now available to RIM’s carrier partners meets the standard required by the government of India for all consumer messaging services offered in the Indian marketplace,” the company said in that note. “While the details of our regulatory discussions with the government of India remain confidential, we have been assured that all of RIM’s competitors must provide a lawful access capability to this same standard if they have not done so already.”

Mint reported last month that in order to prevent leakage of information, the government was proposing a legal provision, referred to as mandated local server hosting. This would put the onus on companies such as Skype and Google to locate the relevant part of their infrastructure within the country to allow investigative agencies ready access to encrypted communications on their servers.

Apart from leakage of data, the move is also expected to serve security interests and enable law enforcement agencies gain real-time access to information stored on servers and resolve jurisdictional ambiguity.

The original article was published in Livemint. Pranesh Prakash has been quoted in it.

For more details visit http://editors.cis-india.org/news/govt-set-to-gain-2018back-door2019-access-to-corporate-email

Govt proposal to muzzle bloggers sparks outcry

praskrishna — 2011-04-01T15:46:23Z

A government proposal seeking to police blogs has come in for severe criticism from legal experts and outraged the online community. The draft rules, drawn up by the government under the Information Technology Amendment Act, 2008, deal with due diligence to be observed by an intermediary. This article was published in the Times of India on March 10, 2011.

Under the Act, an 'intermediary' is defined as any entity which on behalf of another receives, stores or transmits any electronic record. Hence, telecom networks, web-hosting and internet service providers, search engines, online payment and auction sites as well as cyber cafes are identified as intermediaries. The draft has strangely included bloggers in the category of intermediaries, setting off the online outcry.

Blogs are clubbed with network service providers as most of them facilitate comment and online discussion and preserve the traffic as an electronic record, but equating them with other intermediaries is like comparing apples with oranges, says Pavan Duggal, advocate in the Supreme Court and an eminent cyber law expert.

'This will curtail the freedom of expression of individual bloggers because as an intermediary they will become responsible for the readers' comments. It technically means that any comment or a reader-posted link on a blog which according to the government is threatening, abusive, objectionable, defamatory, vulgar, racial, among other omnibus categories, will now be considered as the legal responsibility of the blogger," he explains.

Even Google, the host of Blogger, among India's most popular blogging sites, expressed displeasure at the proposal. "Blogs are platforms that empower people to communicate with one another, and we don't believe that an internet middlemen should be held unreasonably liable for content posted by users," a spokesperson told TOI.

Blogs, which are typically maintained and updated by individuals, have showcased their political importance in recent times and the internet community views these rules as a lopsided attempt to curtail an individual's right to expression.

"If individual blogs are an intermediary, then why can't Facebook and Twitter also be classified as such, as they too receive, store and transmit electronic records and facilitate online discussions," retorts the spokesperson of the Centre for Internet and Society (CIS), a Bangalore-based organization, which works on digital pluralism. "These rules will not only bring bloggers and the ISP provider on the same platform, but the due diligence clause will also result in higher power of censorship to the larger player. Imagine your ISP provider blocking your blog because it finds that certain user-comments fit these omnibus terms," the CIS spokesperson added.

Most experts, including Duggal, see these rules as the outcome of the government's one-size-fits-all approach — at least in regulating online activities — and ask for an amendment to the IT Act.

Read the original article in the Times of India here

For more details visit http://editors.cis-india.org/news/govt-proposal

Govt presses 'undo' button on draft encryption policy

praskrishna — 2015-09-25T01:55:57Z

The decision came a day before PM embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla.

The article was published in Business Standard on September 23, 2015. Sunil Abraham gave inputs.

The government on Tuesday scrapped a draft national encryption policy that mandated firms and individuals to allow authorities access to all encrypted information on email, apps, websites and business servers.

The decision came a day before Prime MinisterNarendra Modi embarked on a visit to the US, where he is expected to meet leaders of firms such as Apple, Facebook, Google and Tesla. Activists and executives from technology firms had expressed outrage on the draft policy, saying the move would have taken India a step back in technology adoption.

At a meeting of the Union Cabinet on Tuesday, Modi was livid at the controversy generated by the draft policy and directed officials to withdraw it ahead of his US trip, sources said.

The draft had global ramifications, as Facebook,Twitter and messaging apps such as WhatsApp were named in it.

Ravi Shankar Prasad, Union minister for communications and information technology, distanced the government from the draft hosted on the IT department site, but admitted it gave “uncalled-for misgivings”. He directed officials to rework the draft but did not set a timeframe for seeking feedback from the public.

“Yesterday (Monday), it was brought to our notice that the draft had been put in the public domain for, seeking comment. I read the draft. I understand that the manner in which it was written could lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded. I personally feel some of the expressions used in the draft are giving rise to uncalled-for misgivings,” Prasad said. “Experts had framed the draft policy. It is not the government’s final view.”

According to the original draft, the encryption policy sought every message sent by a user, be it through services such as WhatsApp, an SMS or an email, be mandatorily stored in plain text format for 90 days and made available on demand to security agencies. Failure to do so, it added, would draw legal action.

This was because typically, all messaging apps and services such as WhatsApp, Viber, Line, Google Chat and Yahoo! Messenger have high levels of encryption, which security agencies find hard to crack and intercept.

Early on Tuesday, before Prasad announced the withdrawal of the draft policy, the government had issued an addendum to keep social media and web applications such as WhatsApp, Twitter and Facebook out of its purview.

In a three-point clarification, the Department of Electronics and Information Technology (DeitY) said some encryption products were exempt. “Mass-use encryption products, currently being used in web applications, social media sites and social media applications, such as WhatsApp, Facebook and Twitter…SSL/TLS encryption products being used in internet banking and payment gateways, as directed by the Reserve Bank of India”, and SSL/TLS encryption products being used for e-commerce and password based transactions,” it said.

“Ideally, the new policy should only focus on two objectives: It should mandate encryption standards within the government, military, law enforcement and intelligence agencies. It shouldn’t regulate the use of encryption by the private sector; the private sector should be allowed to use whatever it believes is appropriate, as long as it is considered a reasonable security measure by courts, under section 43A of the IT Act,” said Sunil Abraham, director,Centre for Internet and Society (CIS).

Prasad reiterated the government, under the leadership of Prime Minister Narendra Modi, had promoted social media activism. “The right of articulation and freedom we fully respect. But at the same time, we need to acknowledge that cyber space transaction is rising enormously for individuals, businesses, the government and companies,” he said.

Opposition parties slammed the Draft policy. Congress communications in-charge Randeep Surjewala said, “Subjugation of individual freedom, surveillance of the citizen and suppression of dissent have emerged as the DNA of the Narendra Modi-led BJP government. The draft policy on encryption, first circulated, then amended and now, withdrawn with a rider for re-issuing it, is a totalitarian, misconceived and a failed attempt of the Modi government to override all sense of individual freedom of speech and expression and encroach upon the right to privacy of communication…With 243.1 million internet users in India at the end of 2014 (173 million being mobile internet users), 112 million Facebook users, 80 million WhatsApp users, 22 million Twitter users and 950 million mobile connections, the intrusion of individual liberty is fraught with dangerous dimensions under the Modi government.”

Aam Aadmi Party spokesperson Raghav Chadha said, “Only a fascist government can bring such a policy. The draft policy was in violation of the right to personal liberty and the fundamental tenets of freedom of speech and expression…the draft policy was for snooping. It presupposes the 1.2 billion people of India are potential criminals. It reflects the inclination of the government and its intention to turn India into a totalitarian state.”

ABOUT THE NATIONAL ENCRYPTION POLICY

Five things the government draft policy wanted

Information security for individuals, businesses and government agencies
Development of indigenous encryption standards
Use of digital signatures to authenticate transactions
Legal interception and data retention
Service providers to register under appropriate government agency

Things that caused outrage

Regulation of private sector encryption
Storage of all encrypted communications for

90 days

Gaining backdoor into private communications of users

Amendment & withdrawal

Omission of mass encryption products such as those used by social networks
Withdrawal of draft policy following Ravi Shankar Prasad’s statement

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-september-23-2015-govt-presses-undo-button-on-draft-encryption-policy

Govt plans inter-ministerial panel on Internet policy

praskrishna — 2012-09-25T10:28:08Z

The government may set up an inter-ministerial panel to improve coordination among the various arms of the government on Internet-related issues such as governance, commerce and security, according to a senior government official who didn’t want to be named.

Surabhi Agarwal's article was originally published in LiveMint on September 19, 2012. Sunil Abraham is quoted.

The panel will have representation from government departments including information technology, telecom, home, external affairs and commerce among others. The proposal is being considered because there are multiple stakeholders involved, said the official. The panel will be most likely be headed by the department of electronics and information technology, which is currently the policymaking body on the Internet.

Over the past year, the government has been criticized over several Internet-related issues, all of them to do with censorship. It received flak recently for the way it sought to contain the spread of hate messages over the Internet that had led to communal violence and a panic exodus by people from the north-eastern states in some cities.

Moreover, with the underlying aim of having a bigger say in global policymaking pertaining to the Internet, the government had proposed the establishment of the United Nations Committee on Internet Related Policy (UN-CIRP). The agency’s mandate will include developing and establishing international public policies relating to the Internet; coordinating and overseeing bodies responsible for the technical and operational functioning of the Internet; facilitating negotiation of treaties; undertaking arbitration and dispute resolution; and crisis management, among others.

The government has said that the intent behind proposing such a body was not to control the Internet but to develop a mechanism for globally acceptable and harmonized policy making. The move though has largely been construed as an effort by governments to regulate the Internet.

Currently, the Internet is largely governed by the not-for-profit Internet Corporation for Assigned Names and Numbers (ICANN). However, the government says ICANN is dominated mostly by the US, explaining the need for a body such as UN-CIRP.

Another government official confirmed that an inter-ministerial panel is currently being “mulled” over. This official, who also did not want to be identified, said the Internet governance policy is increasing in importance and there was a need to discuss whether the current global policymaking structure would be relevant in the next five years.

“We need to firm up the country’s stand at international forums of the Internet and an inter-ministerial committee will aid in bringing some kind of clarity,” he said.

Any proposal for better coordination between different wings of the government would be welcome, said Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society.

“The thumb rule with governance, be it international or national, is that coordination policy formulation bodies is a good idea, but we can’t damn or praise them over the process,” he said. “We have to see what coordination results out of the body.”

Rajya Sabha member of Parliament Rajeev Chandrasekhar, who wrote to Prime Minister Manmohan Singh opposing UN-CIRP, had said that India’s proposal was made without much discussion and stakeholder consultation.

There wasn’t enough clarity about what the government trying to regulate through the body, Abraham said.

“Is it to regulate citizens or industry or government activity or for regulation around IP (intellectual property), competition, data protection, crime or tax, we don’t know,” he said.

The problem with UN-CIRP is that India would be supported by countries that are against free access to the Internet such as Cuba, China and Russia to name a few, Naresh Ajwani, a member of the Asia Pacific Network Information Center (APNIC) said on Wednesday on the sidelines of a meet in Delhi on the issue.

However, the government feels that not only will UN-CIRP lead to India having a bigger role in global policymaking for the Internet, it will also help in dealing with crises better as it will lead to enhanced cooperation between nations.

Photo: Aniruddha Chowdhury/Mint

For more details visit http://editors.cis-india.org/news/www-livemint-com-sep-19-2012-surabhi-agarwal-govt-plans-inter-ministerial-panel-on-internet-policy

Govt panel wants curbs on phone taps

praskrishna — 2012-10-22T09:57:05Z

A government-appointed panel on Thursday recommended several measures, including guidelines on interception of telephonic conversations, video and audio recordings, use and storage of data as well as setting up of dispute resolution entities at Centre and state-level to protect the privacy of individuals.

Read the original published in the Times of India on October 19, 2012.

The group led by former Delhi High Court chief justice A P Shah was set up by the Planning Commission to identify privacy issues and prepare a document to facilitate the proposed Privacy Act.

The group was set after concerns were raised about the impact on privacy of individuals with the emergence of several national programmes such as Unique Identification number, NATGRID, DNA profiling, Reproductive Rights of Women, privileged communications and brain mapping, most of which will be implemented through information and communication technology (ICT) platforms.

The panel recommended that reasons for interception must be specified and be recorded in writing and the provisions establish conditions for authorization by the competent authority. It said that all interceptions can be in force for 60 days and renewed for not more than 180 days. The panel said records of interception be destroyed by the security agencies after six months or nine months and service providers must destroy records after two months or six months. It also said that intermediaries must provide an internal check to ensure the security, confidentiality and privacy of intercepted material, and intermediaries would be held legally responsible for any unauthorized access or disclosure of intercepted materials.

The panel said the proposed Act should extend the right of privacy to individuals and bring under its regulation data controllers, which includes all corporates, public/ governmental bodies and organizations. Minister of State for Planning Ashwani Kumar said, "The group has evaluated what is happening in the other country and what is the constitutional position in India... how imperatives of national security and right to privacy of individual can be harmonized."

It said the Act should clarify that publication of personal data for artistic and journalistic purposes in public interest, use of personal information for household purposes and disclosure of information as required by the RTI Act should not constitute an "infringement of privacy".

The proposed Privacy Act should also articulate national privacy principles. The principles will extend and be binding to all private/ public data controllers. It said the principles must establish safeguards and procedures over the collection, processing, storage, retention, access, disclosure, destruction of sensitive personal information, personal identifiable information and identifiable information.

The Act should establish the Central office of the privacy commissioner, regional level privacy commissioner, self regulating organizations at the industry level and data controllers and privacy officers if required at the organization level, the report recommended.

The panel also recommended that the infringement of any provision under the Act should constitute as an "offence" and individuals may seek "compensation" from organizations/ bodies held accountable.

The group agreed that any proposed framework for privacy legislation must be technologically neutral and interoperable with international standards. "Specifically, the Privacy Act should not make any reference to specific technologies and must be generic enough such that principle and enforcement mechanisms adaptable to changes in society, the market place, technology and government," the report said.

Note: The Centre for Internet & Society was part of the expert committee even though not explicitly mentioned.

For more details visit http://editors.cis-india.org/news/times-of-india-october-19-2012-govt-panel-wants-curbs-on-phone-taps

Govt orders blocking of 300 specific URLs including 16 Twitter accounts

praskrishna — 2012-08-24T13:29:40Z

The government stepped up its efforts to stop what it feels is an online campaign of misinformation and rumour mongering in the wake of lower Assam riots and ordered blocking of 16 Twitter accounts, including two belonging to journalists, considered sympathetic to the right in India.

Published in the Times of India on August 24, 2012. Pranesh Prakash is quoted.

The department of telecommunications (DoT) ordered blocking of the accounts on August 20. The blocked accounts include those maintained by a columnist and a journalist working for a TV channel. Twitter accounts @sanghparivar, @drpraveentogadia and @i_panchajanya are also mentioned.

The 16 Twitter accounts are part of a list containing over 300 specific URLs that internet service providers (ISPs) in India have been told to block. The list is dominated by URLs belonging to Facebook and Youtube. Indian government allegedly found 102 URLs on Facebook and 85 URLs on YouTube where communally sensitive content was posted. According to a blogpost at Centre for Internet and Society (CIS), a non-profit organization that got hold of the list on Wednesday, almost "all of the blocked items have content that are related to communal issues and rioting".

At the same time, Pranesh Paraksh, a CIS official, noted on the blog that it was unclear if the government exercised its powers responsibly in this case. "The blocking of many of the items on the list are legally questionable and morally indefensible, even while a large number of the items ought to be removed," he wrote.

According to the leaked list, Indian government also blocked 30 Twitter URLs, 3 Wikipedia URLs, 11 Blogger URLs and 8 Wordpress URLs. Some URLs belong to Pakistani websites. The list also contained URLs belonging to several mainstream media websites, including The Telegraph and Al Jazeera.

The blocking of Twitter accounts was partial due to technical challenges. The accounts have been blocked with the help of ISPs and not Twitter. Accessing them from India shows web users a message, saying "This website/URL has been blocked until further notice either pursuant to Court orders or on the Directions issued by the Department of Telecommunications". Also, the block works only if the accounts are accessed using HTTP and not HTTPS protocol. Twitter allows users to force HTTPS, which is a secure protocol and doesn't let ISPs see the content that a user is accessing.

Due to the partial block, accounts remained active. When Nirupama Rao, India's ambassador to the US, talked on Twitter about a discussion on a news channel on the subject of social media and government's current policy, one of the "blocked" accounts tweeted back to her saying, "@NMenonRao Is that why UPA Govt has blocked my Twitter handle? Is that the reason? A reply would help." Following the Twitter profile ban, which was reported around midnight on Wednesday, several Twitter users in India started hashtag #Emergency2012. A few hours later, #Emergency2012 and #GOIBlocks were among the top trending topics on Twitter for India.

For more details visit http://editors.cis-india.org/news/times-of-india-aug-24-2012-govt-orders-blocking-of-300-specific-urls-including-16-twitter-accounts

Govt orders blocking

praskrishna — 2015-02-10T02:20:09Z

Govt orders

For more details visit http://editors.cis-india.org/home-images/Govtordersblocking.png

Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham

praskrishna — 2016-03-16T16:37:19Z

The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.

Shreeja Sen interviewed Sunil Abraham. The article was published in Livemint on March 8, 2016.

The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.

Sunil Abraham, 42

Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.

The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.

Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:

Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?

Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.

Nothing has changed.

What kind of concerns?

The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.

Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.

UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.

This software is proprietary and nobody knows how they work and nobody can independently audit them.

The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.

Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.

The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.

You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.

So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.

They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.

Does Aadhaar bill help assuage your doubts about the project?

The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.

If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.

Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.

Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.

One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest EPW (Economic and Political Weekly), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.

Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.

Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?

Two responses: is it good anti- corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.

What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.

The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.

The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).

So, the ease of registration has not served the purpose.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham

Govt mulls advisory on privacy issues related to Google, Facebook

praskrishna — 2013-07-02T14:31:48Z

The Government is set to harden its stand against foreign Internet firms in asking them to comply with Indian laws.

The article by Thomas K Thomas was published in the Hindu Business Line on June 10, 2013. Sunil Abraham is quoted.

According to a top Government source, an advisory may be issued in the interest of general public to make them aware of the privacy issued while using services offered by foreign Internet companies such as Google and Facebook.

This follows an international media expose on how US agencies were getting access to user data from Internet companies such as Google and Facebook.

Final Strategy Soon

Top official in the Ministry of Telecom and IT told Business Line that the National Security Advisor, under the Prime Minister’s Officer, is discussing the issue and will outline the final strategy on Wednesday.

The key concern is that the US security agencies may have collected data from key Indian accounts using services from any of the Internet companies. A number of Government officials also use email service from Google and MS Outlook, which may have been accessed by the US agencies.

The other major concern is that Indian security agencies have also been seeking access to data from these foreign companies but so far they have not obliged on grounds that they do not come under the purview of Indian laws.

“If the US Government can get access to data from these companies, why can’t the Indian Government be given access,” posed a top functionary of the telecom ministry.

While Google and other companies have denied knowledge to how the US agencies got access to their networks, industry experts said that it’s time India starts taking concrete steps to address the issue.

B.K. Syngal, Former Chairman, Videsh Sanchar Nigam Ltd, said, “If we believed that our privacy is sacred then we would have taken effective domestic measures, years ago, to ensure that the information of our citizens remains private. To now say that multiple US companies have betrayed our trust is meaningless.”

Double Standards

Syngal said that there are double standards in the way organisations and Government is handling the issue. “As a start, lets stop giving too much time and space to the so called “Foreign Funded NGOs” teaching us on privacy. Our problem is that we are not China. We are so ill equipped that the third party interests aided and abetted by these NGOs would prevail,” said Syngal.

According to Sunil Abraham, Executive Director, Centre for Internet and Society, companies such as Google and Facebook are foes when it comes to privacy issues and friends when it comes to freedom of speech. “An Indian consumer using any of these foreign websites has no privacy rights whatsoever. The Indian Government also cannot force these companies to follow Indian laws,” said Abraham.

For more details visit http://editors.cis-india.org/news/hindu-businessline-thomas-k-thomas-june-10-2013-govt-mulls-advisory-on-privacy-issues-related-to-google-facebook

Govt may turn to supercomputing for better use of Aadhaar database

praskrishna — 2015-03-08T05:53:03Z

Technology experts working with the Aadhaar project have spotted other potential uses for it, all to be powered by a string of supercomputers.

The article by Moulishree Srivastava was published in Livemint on February 10, 2015. Sunil Abraham is quoted.

When India launched a scheme in 2009 to give every one of its residents a unique identity number called Aadhaar, there were two main objectives: an efficient delivery of welfare services, and a tool for monitoring government schemes.

Six years on, as the government moves a step closer to covering all 1.25 billion citizens with Aadhaar, technology experts working with the project have spotted other potential uses, all to be powered by a string of supercomputers. With Aadhaar having crossed the 700 million milestone in 2014, the government is preparing to launch supercomputing applications to make more sense of the scheme’s massive database. These will help link the database to public services by running data analytics, which in turn will throw up trends that can help promote better-informed policy-making.

“We are talking about the Aadhaar database and the huge population data associated with it. Right now it is only a collection of data, but once we start rolling out applications, the amount of information that will be generated and the amount of usage that will happen will be enormous,” said Rajat Moona, director general of the Pune-based Centre for Development of Advanced Computing (CDAC), the research and development arm of the department of electronics and information technology responsible for the National Supercomputing Mission.

“Big data analysis and big data visualization, these are supercomputing problems. It (handling Aadhaar database) is actually visualization of huge data that can help in the planning,” he added. “When you have that much amount of information, you can do a lot of data analysis and figure out trends. We can thus see what are the policies needed to be defined. Therefore proactive policymaking based on previous trends is possible provided we have data,” he said.

Aadhaar is being used by the government for transferring cash subsidies directly into the bank accounts of beneficiaries in order to plug leakages. It is used to identify beneficiaries for transferring funds under scholarship schemes, pension money, cooking gas subsidy as well as seeding of bank accounts to weed out multiple beneficiaries under the government’s financial inclusion programme.

There are also plans to use Aadhaar to curb black money in real estate transactions. Developing these applications further, says Moona, needs supercomputers, which will give far better results. “In order to develop these applications we need to understand supercomputing and use of supercomputing,” he said. “We don’t have such applications developed…we usually take larger applications developed elsewhere and customize it according to our needs. So applications that are developed for solving India-centric problems will actually give a better output,” he said.

“We are talking about creating related applications that can run on supercomputing cloud of million cores (cloud supported by million-core supercomputers),” he added. “It will be a platform, where we can solve a large number of problems using shared model.” “It (supercomputing cloud) will not be a public cloud. There will be research institutes, research organizations, security agencies, government departments and each of them will have its own data and access pattern.

This is going to be a part of our application-centric usage of (the proposed) supercomputing (grid).” The million-core supercomputing cloud is a part of the government’s Rs.4,500 crore project aimed at setting up a grid of more than 70 supercomputers to be hooked up across these institutions and organizations over the next five to seven years. This will enable Indian researchers to build applications on the network, as well as to harness the power of supercomputers for research and development. India has 12 of the world’s 500 most powerful supercomputers, the largest currently deployed being a 500 teraflops (equivalent to half a petaflop) computer, administered by the CDAC. To work on supercomputing applications in areas such as the Aadhaar database, terrorism, advanced weather monitoring— including cyclone and flood prediction—and geo exploration, the government plans to train 22,000 high-quality professionals over 5-7 years.

Some experts point out that a centralized Aadhaar database faces cybersecurity risks that can threaten people’s privacy. Centralization is a terrible idea from the perspective of cybersecurity, said Sunil Abraham, executive director of the Bengaluru-based research organization Centre for Internet and Society. “This is a honeypot (a computer system that is set up to attract and trap people who attempt to penetrate other people’s computer systems) and variety of bad actors, i.e. criminals, terrorists, as well as states and corporations, will target this database hoping to compromise it.”

A petition filed by former Justice K.S. Puttaswamy in 2012 said that Aadhaar scheme infringes citizens’ privacy as applicants need to provide personal information on biometrics, iris and fingerprints, which infringes their right to privacy that is a part of the fundamental right to life under Article 21 of the Constitution. Security experts have been raising concerns about lack of secure and foolproof system to ensure that all the data will be safe and will not be misused. “How do we address the security and innovation imperative without compromising on the right to privacy? We must build individual transaction databases for each government department/ministry and (have) decentralised authentication. Only anonymized dataset should be made available to the supercomputing applications that are being built,” Abraham said. “For innovation and improved e-governance, anonymized data is sufficient.”

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-february-10-2015-moulishree-srivastava-govt-may-turn-to-supercomputing-for-better-use-of-aadhaar-database

Govt may have made 135 million Aadhaar numbers public: CIS report

praskrishna — 2017-05-03T15:43:37Z

CIS report says Aadhaar numbers leaked through government databases could be 100-135 million and bank accounts numbers leaked about 100 million.

The article by Komal Gupta was published in Livemint on May 2, 2017.

A central government ministry and a state government may have made public up to 135 million Aadhaar numbers, according to a research report issued by Bengaluru-based think tank Centre for Internet and Society (CIS) late on Monday.

The report titled Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information studied four government databases.

The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.

The other two databases deal with Andhra Pradesh—the state’s own NREGA portal and the online dashboard of a government scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” said Amber Sinha and Srinivas Kodali, the authors of the research report.

The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.

“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” said the report.

The report said the NSAP portal lists 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar.

“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data,” said the report.

UIDAI did not respond to an email from Mint seeking comments.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-may-2-2017-komal-gupta-govt-may-have-made-135-million-aadhaar-numbers-public-cis-report