Centre for Internet and Society

Unable to read Odia on your android device? Don’t fret!

praskrishna — 2015-12-15T08:04:39Z

If you get only boxes in place of Odia fonts in your Android device then it does not support the language. So you need to install Odia font in your smart phone; one way is to root it, but it’s not without cons.

The article by Ruby Nanda was published in Odisha Sun Times on September 28, 2015. Subhashish Panigrahi was quoted.

Rooting means breaking and getting full rights into the entire operating system of your Android. If done right it can turn you into a super user and open a wealth of opportunities with your handheld device. But, rooting is a complex process and definitely not for a newbie, as rooting leads to loss of warranty, security issues and a wrong move can turn it into a paperweight.

“Rooting is not advisable as it is bit complicated and turns your phone warranty void”, says Subhashish Panigrahi, Programme Officer at the Centre for Internet and Society, an NGO. By far the easiest way to read Odia is by installing Firefox Browser for your android mobile, he added.

Nihar Kumar Dalai, IT professional, has found an easy hack and with Panigrahi, he has designed a free licensed tutorial by which one can easily read Odia language in their smart phones.

“Odia fonts are supported only in the latest android 5.1.1 update, but people using android devices with older version may not have Odia fonts and can see only the boxes. We see many people seeking help to resolve this problem on Twitter and Facebook. With missing Odia fonts, people may end up writing Odia in Roman script, said Dalai.

“There has been very positive response from people who have tried this method. I’m happy to play a very small part for this cause, the IT professional added.

So if you are unable to read or write Odia in your android handheld then no sweat, just try out these simple steps and enjoy the fun of reading and writing Odia in your mobile.

Install Mozilla Firefox browser for Android on your phone from Google Play.
Launch Firefox and go to the Oriya fonts package Add-Ons page and select “Add to Firefox”
Click on Install
Eureka! Now Odia fonts appear on your android device instead of unrecognizable boxes.

Click here to watch the tutorial:

https://or.wikipedia.org/s/ucf

Once you’re able to read and write Odia, you can use any online Odia transliteration service e.g. TypeOdia (on Firefox browser), iBUS on Linux, Microsoft’s Indic language Input Tool, Google Input Tool.

P.S: This method only works on Firefox Browser for Android and not on any other Apps. Android jellybean 4.3 version also supports Odia but there might be issues which are fixed by 5.1.1.

For more details visit http://editors.cis-india.org/openness/news/odisha-sun-times-september-28-2015-ruby-nanda-unable-to-read-odia-on-your-android-device

UN Regional Representation

praskrishna — 2015-08-24T14:56:30Z

UN regional representation

For more details visit http://editors.cis-india.org/home-images/UNRegional.png

UN Mission Geneva

praskrishna — 2012-06-28T05:39:47Z

For more details visit http://editors.cis-india.org/home-images/unmision.jpg

UN agrees to review agencies governing Internet

praskrishna — 2012-12-31T02:40:20Z

Although India’s proposal has been criticized as an effort to control the Net, govt says this will ensure it has more say in policymaking.

The article by Surabhi Agarwal was published in Livemint on December 27, 2012. Pranesh Prakash is quoted.

In the fierce debate on who governs the Internet, the Indian government can claim a small victory of sorts after the UN decided to establish a working group to review the mandate of agencies administering the worldwide network of computers.

India last year proposed creating an UN agency, dubbed the Committee on Internet-Related Policies (CIRP), that would decide on issues related to the Internet, including control of resources such as domain names and Internet Protocol (IP) addresses. The Internet Corporation for Assigned Names and Numbers (Icann), a non-governmental organization based in the US, currently administers these.

The US, the UK and Canada refused to sign a new communications treaty proposed at the 3-14 December Dubai conference of the International Telecommunications Union (ITU), which sets global telecom technical standards, on fears that it will give national governments greater control over the Internet and may restrict free speech. India, too, hasn’t signed the pact.

“Even though the United Nations has not yet accepted India’s proposal for constituting CIRP, it (the formation of a working group) is a step forward, as now the working group on enhanced cooperation will deliberate on the need for CIRP,” a government official said, requesting anonymity.

Although India’s proposal has been criticized as an effort to control the Internet, the government has said this will ensure it has a greater say in Internet policymaking.

The Commission on Science and Technology for Development, a UN body, has been asked to establish a working group on enhanced cooperation to examine the mandate of the World Summit on the Information Society, which issues non-binding guidelines on the Internet, “through seeking, compiling and reviewing inputs from all member states and all other stakeholders,” according to a 12 December letter from the UN to the Indian government. The working group has been asked to submit its report to the commission in 2014.

Mint has reviewed a copy of the letter and also India’s response to the UN welcoming the move.

The UN’s move reflected India’s growing influence in multilateral policymaking bodies, according to Rajat Kathuria, chief executive and director of Indian Council for Research on International Economic Relations, a think tank.

“India’s increasing clout not only in the WTO (World Trade Organisation) but also in these kinds of forums is fairly obvious,” he said. The country should be able to stand its ground and use its negotiating powers well, he added. “Everybody is looking at India now and it should not be forced into getting into things it doesn’t want to.” Kathuria also agreed with India’s decision to consider in detail the new global telecom pact, which contains a resolution on the Internet, before signing it.

“We don’t have enough information on the impact of signing this treaty,” Kathuria said. “I agree with what India has done. We need to do our homework and understand clearly what it means.”

Although the treaty is restricted to telecom standards, it contained a non-binding resolution on the Internet. The treaty stated that its purview doesn’t include content over telecommunications networks or the Internet.

However, there have been divergent views on its implications. While some have argued that signing it would mean giving the ITU dominance over Internet governance, others dismiss it as harmless.

“This wasn’t an ITU takeover of the Internet and India’s signing of the treaty will not make it one,” said Pranesh Prakash, policy director at Centre for Internet Studies, a Bangalore-based think tank.

However, India’s cautious approach is a good sign, he said. “I hope civil society is consulted before the decision is taken whether to support ITR (International Telecommunication Regulations) and the resolutions which were passed in Dubai.”

Critical Internet resources such as domain names and IP addresses are like natural resources and no one country should monetize them or have control over them, said another government official.

“It is of utmost importance for India to have a say in the matters of the Internet as the country has huge untapped potential in the area of Internet and technology,” said the official, who too declined to be named.

A white paper on Internet governance by Research and Information System for Developing Countries, chaired by Shyam Saran, former Indian diplomat, has said the Internet continues to be managed by private entities such as Icann “under contractual arrangements with the US government”.

Icann is not controlled by the US government, an official of the Internet administrator said on condition of anonymity. It follows a multi-stakeholder model.

The paper on Internet governance argued against the allegation that India’s proposal of CIRP will lead to government’s control of the Internet.

“India’s proposal for CIRP, a multilateral and multi-stakeholder mechanism, is not intended to control content,” it said. “It does not insist that the governments have the last word in regulating the Internet.”

The paper had argued that India should pursue the establishment of a working group on enhanced cooperation, which will pave the way for further consideration of India’s proposal for the establishment of CIRP.

For more details visit http://editors.cis-india.org/news/livemint-december-27-2012-surabhi-agarwal-un-agrees-to-review-agencies-governing-internet

UK DNA Database and the European Court of Human Rights: Lessons that India can Learn from Its Mistakes

praskrishna — 2012-09-17T03:40:07Z

On September 24, 2012, the Centre for Internet & Society in collaboration with the Alternative Law Forum invites the public to a talk with international experts, Helen Wallace from GeneWatch, UK and Jeremy Gruber from the Council for Responsible Genetics in the United States. The meeting will be held at the Centre for Internet & Society office in Bangalore from 5.00 p.m. to 7.30 p.m.

The UK National DNA Database was the first to be established, in 1995, and is the largest per capita in the world. A major DNA expansion programme began in 2000 but is now being rolled back by the implementation of a new Protection of Freedoms Act, following a judgment against the UK government by the European Court of Rights. The lessons for the UK experience for the DNA Bill in India will be discussed, including the need for safeguards to protect privacy and rights, maintain public trust in police use of DNA, and prevent miscarriages of justice.

Dr. Helen Wallace

Dr. Helen Wallace is Director of GeneWatch UK, a not-for-profit organisation which aims to engage members of the public in ensuring that genetic science and technologies are used in the public interest. She is the author of numerous articles and book chapters on the social and ethical issues raised by DNA databases and is widely quoted in the UK press. Helen provided expert evidence to the applicants in the case of S. and Marper v. the UK at the European Court of Human Rights, in which the Court ruled unanimously that the indefinite retention of innocent people's DNA database records was in breach of the European Convention on Human Rights. She has supplied both oral and written evidence on this issue to numerous parliamentary committees including the Scottish Parliament’s Justice Committee and the UK Science and Technology, Home Affairs and Constitutional Committees, as well as the scrutiny committee for the Protection of Freedoms Act, 2012. This new Act requires the removal of about a million innocent people's records from the UK National DNA Database and the destruction of all stored biological samples.

Jeremy Gruber

Jeremy Gruber is the President and Executive Director of Council for Responsible Genetics. Jeremy joined CRG in March 2009. Previously he served as the legal director of the National Workrights Institute, a human rights organization dedicated to the rights of American workers. Prior to that he served as the field director for the ACLU’s National Taskforce on Civil Liberties in the Workplace. Jeremy has worked for over a decade on genetic non-discrimination legislation at the state and Federal level. He helped author and pass numerous state laws on genetic non-discrimination. Jeremy is a founder and executive committee member of the Coalition for Genetic Fairness, a group of 500 organizations that advocated for genetic non-discrimination legislation on Capitol Hill and played a major role in the recently passed Genetic Information Non-Discrimination Act (GINA) by Congress. He worked closely with members of Congress and staff on GINA language as well as strategy and support. He is a prolific writer on privacy issues and is often consulted by state legislatures. He is regularly featured in print, radio and television. Jeremy holds a Juris Doctor (J.D.) from St. John’s University School of Law and a B.A. in Politics from Brandeis University.

Overview and Concerns Regarding the Indian Draft DNA Profiling Act

Forensic DNA: A Human Rights Challenge

The above video was originally posted in YouTube

For more details visit http://editors.cis-india.org/internet-governance/uk-dna-database-and-european-court-of-human-rights-lessons-that-india-can-learn-from-mistakes

UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals

praskrishna — 2017-05-20T11:06:16Z

As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information.

The blog post by Shruti Menon was published by Newslaundry on May 2, 2017

The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the amendment in income tax law allowing this after senior lawyer Shyam Divan made a strong case against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has refused to entertain arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.

Advocate Gautam Bhatia posted minute-by-minute developments from the courtroom, and soon, #ThankYouMrDivan became one of the top trends on Twitter.

A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a report titled “Information, Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals-two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told Newslaundry.

The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.

“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.

The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.

Speaking to Newslaundry, Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.

What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told Newslaundry. “At some point of time, everybody is going to have everybody’s information,” he added.

Currently, the government has an open data portal. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.

So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.

Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.

What does it mean to have access to someone else’s Aadhaar?

With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."

Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.

UIDAI on silent mode

Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.

One of the handles was blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several notices of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.

On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.

Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told Newslaundry that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.

Today, however, the Pandey’s individual twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told Newslaundry that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.

UIDAI has also not responded to several queries filed by vulnerability testers.

Newslaundry reached out to the UIDAI with the following questions:

According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?

If a person's privacy has been breached, what are the steps UIDAI would take for redressal?

Is UIDAI investigating the 13 crore Aadhaar leaks?

The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?

How do you ensure data security on open data portals?

This piece will be updated if and when they respond.

While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.

Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case said that the government could not take away his right to chose whether or nor to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."

Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.

However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?

The author can be contacted on Twitter @shrutimenon10.

For more details visit http://editors.cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals

UIDAI puts posers to CIS over Aadhaar data leak claim

praskrishna — 2017-05-19T09:28:33Z

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.

The article originally published by PTI was also published by the Financial Express on May 19, 2017.

Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.

Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.

Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses are punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.

The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.

The UIDAI letter comes after a CIS’ report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.

However, in a apparent course correction on May 16, a day before the UIDAI’s letter went out — CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.

For more details visit http://editors.cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim

UIDAI declining multiple requests by police to share Indian citizens’ biometrics

praskrishna — 2017-07-06T15:25:32Z

The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.

The blog post by Justin Lee was published by Biometric Update on July 4, 2017.

Investigating agencies such as CBI and NIA have been repeatedly requesting the details of Aadhaar cardholders including their biometrics, UIDAI said.

UIDAI Deputy Director General Rajesh Kumar Singh has written to the heads of each agency, ordering them to stop asking for such details.

“This is regarding requests frequently received by the UIDAI from police and other law enforcement agencies, seeking demographic and biometric information of residents for facilitating identification of individuals in different cases,” Singh said in his letter. “In this regard, I would like to draw your kind attention to provisions under Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act, 2016, which prohibits sharing of core biometric and identity related information with other authorities.”

Rather than asking forensic labs to match fingerprints, state police and investigating agencies are requesting biometrics data from UIDAI.

“Identity information cannot be shared by UIDAI,” Singh said. “The requests received from law enforcement agencies lead to avoidable delays in investigation by the police authorities and unnecessary increase in the workload of subordinate authorities.”

UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, has been leaked to the public.

In May, the Centre for Internet and Society published a report that claimed between 130 to 135 million numbers in India’s Aadhaar biometric registry system, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries, have been leaked online by four key government programs.

For more details visit http://editors.cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics

UIDAI asks Centre for Internet & Society to provide hacker details

praskrishna — 2017-06-07T12:21:47Z

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.
The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details

UID: The World’s Largest Biometric Database

praskrishna — 2011-07-23T02:04:45Z

At the start of his presentation, Sunil Abraham pointed to two aerial drawings of cybercafes: one where each computer was part of a private booth, and one where the computers were in the open so the screens would be visible to any one. Which layout would be more friendly to women, and why, Abraham wanted to know. Some participants selected the first option, liking the idea of the privacy, while others liked the second option so that the cybercafe owner would be able to monitor users’ activities.

Abraham said he was surprised no one said option one looked like masturbation booths, adding that in May, India passed rules prohibiting the first design option to avoid just such an issue. This is despite a survey conducted of female college students, who liked the idea of privacy in cybercafés that typically are male-dominated.

Cybercafes are just one of the areas impacted by India’s plan for collecting and using biometrics to create unique individual identification cards.

Abraham focused his presentation on activists’ efforts to counter the government’s myths about a unique identification (UID) program.

One campaign image showed two soldiers on the border asking for an east-Asian looking person’s identification. The way to balance, or rectify, the drawing, Abraham said, would be to allow citizens to be able to ask the soldiers for the identification information.

The campaign, “Rethink UID Project,” included several images illustrating various problems with the plan. For example, one said: “Central storage of keys is a bad idea, so is central storage of our biometrics.” As Abraham explained, if storing a copy of your housekey at the police station does not make us feel more secure, then why wouldn’t storing our biometrics with the government also make us a little more scared?

In the Indian scheme, Abraham said, the government says biometrics will be used as an authentication factor in order to prove your identity, but from a computer science perspective, it’s a bad idea because it is so easy to steal biometrics. And, as Abraham pointed out, if your biometrics are stolen, it’s not possible for you to re-secure it—it’s not like getting a new ATM card and password, he said.

If this system of national UID was designed using digital keys instead of biometrics, then we would have a completely different configuration, Abraham said.

Centralized storage is nonnegotiable, and therefore the process of authentification is done through a centralized database, but with digital keys or digital signatures, authentification could be done on a peer basis, so citizen could authenticate border guards and vice versa.

Another image from the “Rethink UID Project” campaign pointed out that “Technology cannot solve corruption.” As Abraham said, problems of corruption in the subsidy system (food, loans, education, employment guarantee act in rural India, etc) won’t be fixed with biometrics. For example, if biometric equipment is installed at fair-price shops, before the shop owner gives the grain, the citizen would have to present biometrics, which would go through a centralized server and be authenticated, then the citizen would get the grain, and ultimately there would be a record saying this particular citizen collected this amount of subsidized grain at this particular time.

But there are a whole range of ways shop owners can compromise the system, Abraham said.

The first way: 30-50 percent of India is illiterate, so shop owner can say the biometrics were rejected by the server and the citizen would not know better. Or, the owner can say there was no connectivity so authentification didn’t go through, or the owner could say there was no electricity so the system won’t work, or the shop owner could give just part of the grain that the citizen is due.

Corruption innovates and terrorism innovates—if technology innovates, so does corruption, as it is not a static phenomenon, Abraham said. You can’t wish away human beings from technological configurations.

One village will have multiple biometric readers.

Abraham said they have proposed an alternative schema: remove readers from the shop, school, hospital, bank, etc., and have only one scanner at the local governance hall. Instead of the citizen becoming transparent to the government, the government should become transparent to the citizen. The shop owners should make transparent which IDs they have given how much grain to, and only if they are going to dispute the ID of a citizen, can they go to the local government administrative office to prove the ID.

Another image from the “Rethink UID Project” campaign said, “The poor and the rich: who do we track first?”

Abraham explained that one problem in India is “black money,” or money for which you don’t pay taxes because the accounts are in fake names in order to store money. Like creating fake bank accounts, he said it also would be easy to create fake biometrics by combining the handprints and eyes of multiple people to get a second fake ID. Also the system could be hacked into and iris images Photoshopped. Ghost ideas also could be created and then sold off. Because the rich will get their IDs behind closed doors, Abraham said, it will be easy for them to get multiple IDs, but the poor will not be able to.

Referring to “tailgating,” or when one ID is card swiped to gain entrance for multiple people, such as swiping one metro card and then two people walking through, Abraham noted that the problem is that the tailgating only is seen as a problem when it’s at the bottom of the pyramid, such as one woman goes to the fair-price shop to collect grain for five or six families so only one person has to lose a day’s wage instead of all five or six losing a day’s wages. Tailgating at the bottom if the pyramid is usually a question of survival, he said.

Thus, another image from the campaign showed a pyramid and said, “Transparency at the top first…before transparency at the bottom.”

The first principle is that expectations of privacy should be inversely proportional to power, so people who are really powerful, like NGOs, politicians, or heads of corporations, should have less privacy, and people who have very little power should have more privacy, Abraham said.

Also, from a business perspective, the nation gets greater return on its investment if surveillance equipment is trained on people at the top of the pyramid to catch big-time corruption, he said.

Most of the panic around the UID is over the transaction database. Beyond a databse storing everyone’s biometrics, another database will track transactions: every time you buy a mobile phone or purchase a ticket or access a cyber cafe or subsidies, thanks to UID, there will a record made in the transaction database, Abraham said.

Abraham said it is important to note that surveillance is not an intrinsic part of information systems, but once surveillance is engineered into information systems, both those with good intentions or bad intentions can take advantage of that surveillance capability.

The UID means there will be 22 databases available to 12 intelligence agencies, he said.

So when a girl enters into a cybercafé, first she will have to provide her UID, and then the café owner will photocopy the card, then the owner has the right to take a photo of the girl using his own camera, then the owner is supposed to maintain browser logs of her computer for a period of one year.

So the question then is how to assure accountability without surveillance?

The first possibility, Abraham said, is partial storage. The transaction database could store half the data, and the central database could store the other half, so the full 360-view of the data would not be available without a court order.

The second solution is a transaction escrow, where every time a record is put into the main database, it will be encrypted using 2-3 keys, and only if 3 agencies cooperate with keys, can the information be decrypted. Thus, it is targeted surveillance, not blanket surveillance.

To conclude his presentation, Abraham divided participants into four groups in order to design surveillance systems for internet surveillance, mobile technologies, CCTVs, and border control.

Sharon Strover spoke on behalf of the CCTV group, saying they ended up with more questions than anything else. They agreed there should be notices when cameras are in use, there should be public knowledge of who is doing surveillance and who has access to the footage, and the data shouldn’t be sold. But the group couldn’t decide which spaces warranted CCTVs and which not.

Abraham then pointed out that the next generation of CCTVs can read everybody’s irises as they pass the cameras—it’s in the lab now, and 2-3 years from the market, he said.

Next, Andy Carvin spoke on behalf of the mobile technologies surveillance group. Whether or not capturing metadata or content as well, the mobile phone company can collect it, but it shouldn’t be able to keep any identifiable information for the person – it should only be able to look at information in the aggregate. The rest of the information should be shipped to a non-governmental organization or government agency specialized in privacy, and 2 keys would be required: one from the judiciary and one from the NGO or governmental agency.

Smári McCarthy reported back for the Internet surveillance group, pointing out that data retention has been useful in criminal cases less than 0.2 percent of the time in one study, and another showed there has been no statistically significant increase in the number of criminal cases solved because of data retention. So, he said, the group concluded there should be no blanket surveillance, only court orders in certain criminal cases that define who will be under surveillance and for how long. Also, they wanted to see a transparency register available so the public could be informed about how many people are under surveillance currently and throughout year and other general information, such as the success rate—how many of these surveillances have led to criminal convictions or similar.

Finally, Summer Harlow spoke on behalf of the border control group, which said scanning of checked- and carry-on luggage is acceptable, but there should be no luggage searches without specific probable cause from intelligence agencies or if the scans pick up weapons or other contraband. Similarly, people could be subject to spectrum scans and drug/bomb sniffing dogs for weapons and contraband, but again they would not be physically searched by border agents without probable cause. Also, people and luggage could not randomly be searched based on the country of their passport or their flight destination or origin.

In summary, Abraham said, surveillance is like salt in food: it is essential in small amounts, but completely counter-productive if even slightly excessive.

Download Sunil's presentation here [PDF, 1389 kb]
Sunil Abraham made the presentation at the Gary Chapman International School on Digital Transformation on 21 July 2011. The original news published by International School on Digital Transformation can be read here
Read the schedule here

For more details visit http://editors.cis-india.org/news/uid-worlds-largest-database

UID: Are your biometric I-cards stacked against you?

praskrishna — 2012-06-26T09:33:51Z

Imagine a rural family of five. Mom. Dad. Two kids. And Grandma. Assume too that they are below the poverty line. The day is coming when this family will have to give its biometrics out to myriad agencies.

This article by M Rajshekhar was published in the Economic Times on June 24, 2012

You know that Nandan Nilekani's Unique Identification Authority of India (UIDAI) or the Registrar General's National Population Register (NPR) has been collecting biometrics for a while now.

But a set of other departments have entered the fray. This ranges from the PDS department, ministry of rural development (MoRD), states' education departments, the Rashtriya Swasthya Bima Yojana (RSBY), banks, the department of social welfare, the post office...they are all collecting biometrics (see Agencies Collecting Biometrics Right Now).

This is the latest iteration in India's tryst with biometrics. From a beginning where only the NPR — and, a little later, the UIDAI — were to capture biometrics, we have now reached a point where myriad departments and ministries are camping in India's villages and towns, capturing fingerprints and iris images.

Identity Thieves

There was to be one large database. Now, we are moving to a system where multiple agencies capture and store biometrics data in myriad servers. This is amplifying the risk of biometric theft.

As Sunil Abraham, the head of Bangalore-based Centre for Internet and Society says, "If biometrics is used as authentication factor then it would be possible for a criminal to harvest your biometrics — such as using a glass to collect fingerprints — without your conscious cooperation. Or the registrar can cache your biometrics and duplicate transactions."

As the number of databases containing biometrics rises, the risk of this information leaking out increases. There have been complaints against an UIDAI enrolment agency called Madras Security Printers that it had sold data to private companies. There were also charges that enrolment agencies had outsourced the enrolment work to other companies, which they are not allowed to do.

What complicates matters further is there are not many safeguards. The country doesn't have a policy on how biometrics can be captured, used, stored and destroyed. But before we get deeper into that story, it is useful to understand why multiple departments have begun collecting biometrics.

Biometric Rush

According to a senior bureaucrat who recently retired from the ministry of planning, the answer lies in the 2014 elections. "For the government, cash transfers are the large reforms that they think UPA 2 can point towards in the next elections. For this reason, they need all this up and running before 2014."

However, over the past few months, parts of the government are increasingly unsure if UIDAI and NPR will meet their targets. "I do not think the 2014 target can be met at all," says a senior official in the National Informatics Centre (NIC). "We have to enroll another 800 million people. Then, we have to deduplicate them. Then, we have to make the cards and distribute them."

This is one reason why a set of government departments are configuring their own alternatives. Take the Department of Financial Services (DFS). It has been testing an online, biometric system for cash payments in Haryana's Mewat district for months now. Here, each bank will store its customers' biometric information in its own servers.

If a customer of bank A goes to a banking correspondent (BC) agent of bank B, his biometrics would be forwarded by bank B to bank A for authentication. Once authenticated, the transaction will be completed. "We should be rolling the new system out nationally from July or August," says the bureaucrat.

The rural development ministry is also testing its payment system. Once the local administration tells the ministry about who worked how many days, the ministry will be able to put money into their accounts automatically via a payment gateway. Right now, this is done manually with the block development officer and sarpanch making out the cheques.

This pilot, says DK Jain, joint secretary, MoRD, started 3-4 months ago in parts of Gujarat, Karnataka, Odisha and Rajasthan. In another six months, it will be available across the country. And then, there is the PDS.

Here, different states are putting different systems in place. Andhra, says a senior mandarin in the food ministry, is going with UID, Haryana is looking at smart cards, Jharkhand is going with Aadhaar, MP and Gujarat are testing food coupons, while Chhattisgarh has decided to use RSBY and Orissa has chosen NPR.

Apart from this, data is also being collected by the RSBY and BC companies on behalf of the banks handling welfare payments, or scrambling to meet their financial inclusion targets.

Sunil Abraham is quoted in this article.

For more details visit http://editors.cis-india.org/news/are-your-biometric-i-cards-stacked-against-you

UID project draws flak from civil rights activists

praskrishna — 2011-04-02T12:26:20Z

The unique identification project is drawing a flak from civil rights activists.

The unique identification project drew flak from civil liberties activists in the city on Wednesday. "Unique identification is an encroachment of privacy. With the new technology, it will be easy to track people," members of Citizens Against UID / Aashar, a forum floated by those opposing the project, including PUCL and SICHREM, said. They said the project should not be implemented until people's participation was ensured.

Read the original article in DNA

For more details visit http://editors.cis-india.org/news/UID-project-draws-flak

UID Poster 2

praskrishna — 2013-09-24T10:17:09Z

For more details visit http://editors.cis-india.org/internet-governance/blog/uid-2.pdf

UID Poster 1

praskrishna — 2013-09-24T10:15:30Z

For more details visit http://editors.cis-india.org/internet-governance/blog/uid-1.pdf

UID New Grid

praskrishna — 2011-07-25T06:10:36Z

new grid summary

For more details visit http://editors.cis-india.org/internet-governance/publications/uid-new-grid